Weekend Project: Part 3 – Installing Pi-hole

As Sunday draws to a close we can finish up this weekend project by installing Pi-hole. What is Pi-hole, I hear you ask? Well, copied and pasted straight from the Pi-hole website: “The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.”

Previously I wrote the first 2 parts of this guide on my MacBook Air, but this final post I have written on my PC, so please excuse any formatting differences in the commands between Terminal & PuTTY.

To begin installing Pi-hole run the below commands on your rPi;

paz@raspberrypi:~ $ wget -O basic-install.sh https://install.pi-hole.net
paz@raspberrypi:~ $ sudo bash basic-install.sh

The installer is very hands-off: it performs a bunch of checks and then installs; the whole process was done in a couple of minutes. One of the questions asked by the Pi-hole installer is which DNS provider you wish to use. You can choose any at this time as we will change it to Cloudflared (DNS over HTTPS) later on. The installer also asks if you would like to install a web GUI; this is optional. I chose to have the GUI as over the initial weeks I intend to see how everything is going, so having a GUI is nicer than trawling through endless logs. Once the installer has completed, take note of your Pi-hole GUI web address and admin password as we will need these to log in.

Installing Cloudflared

What is DNS over HTTPS? Again, copied directly from the Pi-hole website to save me having to type out my own explanation.

DNS-Over-HTTPS is a protocol for performing DNS lookups via the same protocol you use to browse the web securely: HTTPS.

With standard DNS, requests are sent in plain-text, with no method to detect tampering or misbehaviour. This means that not only can a malicious actor look at all the DNS requests you are making (and therefore what websites you are visiting), they can also tamper with the response and redirect your device to resources in their control (such as a fake login page for internet banking).

DNS-Over-HTTPS prevents this by using standard HTTPS requests to retrieve DNS information. This means that the connection from the device to the DNS server is secure and cannot easily be snooped, monitored, tampered with or blocked. It is worth noting however, that the upstream DNS-Over-HTTPS provider will still have this ability.

To start installing Cloudflared we need to pull down the Cloudflared files with wget;

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -zxf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared

Next we will create a cloudflared user so that the cloudflared service runs separately from our VPN on our Pi. This user will be for cloudflared only and will not have a shell or any login password, to prevent others utilising the account.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Next create the file /etc/default/cloudflared and paste the below into it;

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream --upstream
CLOUDFLARED_OPTS=--port 5054 --upstream

Change ownership of the cloudflared files to the cloudflared user;

paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /etc/default/cloudflared
paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create the below file at /etc/systemd/system/cloudflared.service to allow automatic startup of the cloudflared service. The [Service] section runs the proxy as the cloudflared user created above and reads CLOUDFLARED_OPTS from /etc/default/cloudflared;

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS

[Install]
WantedBy=multi-user.target
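As an added example (not part of the original post, and not cloudflared's or Pi-hole's own tooling), a small shell pre-flight check for the two files above: it refuses an options file with more than one CLOUDFLARED_OPTS line (systemd keeps only the last assignment in an EnvironmentFile, so the service could end up on a different port than the one you later test with dig), an --upstream with no https:// URL behind it, or a port the unprivileged cloudflared user cannot bind, and confirms the unit runs as that user with an EnvironmentFile. The sample options file it runs on at the end is constructed; the 1.1.1.1 DoH URL is Cloudflare's public endpoint and is not taken from this page.

```shell
# Pre-flight check for the cloudflared options file (e.g. /etc/default/cloudflared)
# and unit file before 'systemctl start'. Two things silently break this setup:
#  - more than one CLOUDFLARED_OPTS= line: systemd keeps only the LAST one,
#    so the service may listen on a different port than the one you test with dig;
#  - an --upstream flag with no https:// URL behind it.
# On success the listening port is printed; on failure the reason goes to stderr.
check_cloudflared_opts() {
    file="$1"
    n=$(grep -c '^CLOUDFLARED_OPTS=' "$file")
    if [ "$n" -ne 1 ]; then
        echo "$file: expected exactly one CLOUDFLARED_OPTS line, found $n" >&2
        return 1
    fi
    # Split the option string into words and walk the flags.
    set -- $(sed -n 's/^CLOUDFLARED_OPTS=//p' "$file")
    port=""; upstreams=0
    while [ $# -gt 0 ]; do
        case "$1" in
            --port) port="${2:-}"; [ $# -ge 2 ] || break; shift 2 ;;
            --upstream)
                case "${2:-}" in
                    https://*) upstreams=$((upstreams + 1)); shift 2 ;;
                    *) echo "$file: --upstream must be followed by an https:// URL" >&2; return 1 ;;
                esac ;;
            *) shift ;;
        esac
    done
    # The service runs as the unprivileged cloudflared user, which cannot bind
    # ports below 1024 without extra capabilities, so insist on a high port.
    case "$port" in
        ''|*[!0-9]*) echo "$file: --port missing or not numeric" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1024 ] || [ "$port" -gt 65535 ]; then
        echo "$file: port $port is outside the unprivileged range 1024-65535" >&2
        return 1
    fi
    [ "$upstreams" -gt 0 ] || { echo "$file: no --upstream URL configured" >&2; return 1; }
    echo "$port"
}

# The unit must run the proxy as the dedicated user and load the options file.
check_cloudflared_unit() {
    grep -q '^User=cloudflared$' "$1" && grep -q '^EnvironmentFile=' "$1"
}

# Constructed sample (not the page's file): a valid one-line options file.
sample=$(mktemp)
printf 'CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query\n' > "$sample"
check_cloudflared_opts "$sample"; rm -f "$sample"
```

Run it against your real files (`check_cloudflared_opts /etc/default/cloudflared` and `check_cloudflared_unit /etc/systemd/system/cloudflared.service`) before enabling the service.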
Once the file has been created as per above, enable and start cloudflared with systemctl;

paz@raspberrypi:/etc/default $ sudo systemctl enable cloudflared
Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service → /etc/systemd/system/cloudflared.service.
paz@raspberrypi:/etc/default $ sudo systemctl start cloudflared
paz@raspberrypi:/etc/default $ sudo systemctl status cloudflared
● cloudflared.service - cloudflared DNS over HTTPS proxy
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-01-26 09:34:51 GMT; 3s ago

Test that the service is functioning as expected; you should receive a response for bbc.co.uk similar to the below;

paz@raspberrypi:/etc/default $ dig @ -p 5053 bbc.co.uk

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @ -p 5053 bbc.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12841
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

; EDNS: version: 0, flags:; udp: 1452

; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("………………….")
;bbc.co.uk. IN A

bbc.co.uk. 226 IN A
bbc.co.uk. 226 IN A
bbc.co.uk. 226 IN A
bbc.co.uk. 226 IN A

;; Query time: 26 msec
;; WHEN: Sun Jan 26 09:36:56 GMT 2020
;; MSG SIZE rcvd: 164

Now that we have configured Cloudflared it's time to head over to the Pi-hole GUI to remove Google DNS and point to the Cloudflared DNS servers. Log in to your Pi-hole GUI using the username and password provided before. Once you log in you should see something similar to this;

Head down to Settings, then choose the DNS tab, un-check Google DNS, add & to the Upstream DNS servers section, and finally check ‘Listen on all interfaces’.

Everything should now be working. You can use your Pi-hole dashboard to see the hosts connected to Pi-hole and how much has been blocked. You can test if you are using DNS-over-HTTPS here!

This brings me to the end of this weekend project. I could have rattled through all the commands myself in an afternoon, but writing these blog posts added extra time. Until next time, happy surfing!
