As Sunday draws to a close we can finish up this weekend project by installing Pi-hole. What is Pi-hole I hear your ask? Well copied and pasted straight from the Pi-hole website, “The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.”
Previouly I wrote the first 2 parts of this guide on my Macbook Air, but this final post I have written on my PC, please excuse any formatting of commands between Terminal & Putty.
To begin installing Pi-hole run the below command on you rPi;
paz@raspberrypi:~ $ wget -O basic-install.sh https://install.pi-hole.net
paz@raspberrypi:~ $ sudo bash basic-install.sh
The installer is very handsoff, it preforms a bunch of checks and then installs the whole process was done in a couple of minutes. One of the questions asked by Pi-hole installer is which DNS provider you would wish to use. You can choose any at this time as we will change it to Cloudflared (DNS over HTTPS) later on. The installer also asks if you would like to install a webGUI, this is optional I choose to have the GUI as over the initial weeks I intend to see how everything is going, so having a GUI is nice rather than trawling through endless logs. Once the installer is completed take note of your Pi-hole GUI web address and admin password as we will need this to login.
What is DNS over HTTPS, again copied directly from the Pi-hole website to save me having to type out my own explantaion.
DNS-Over-HTTPS is a protocol for performing DNS lookups via the same protocol you use to browse the web securely: HTTPS.
With standard DNS, requests are sent in plain-text, with no method to detect tampering or misbehaviour. This means that not only can a malicous actor look at all the DNS requests you are making (and therefore what websites you are visiting), they can also tamper with the response and redirect your device to resources in their control (such as a fake login page for internet banking).
DNS-Over-HTTPS prevents this by using standard HTTPS requests to retrieve DNS information. This means that the connection from the device to the DNS server is secure and can not easily be snooped, monitored, tampered with or blocked. It is worth noting however, that the upstream DNS-Over-HTTPS provider will still have this ability.
To start installing Cloudflared we need to pull down the Cloudflared files with wget
tar -zxf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
Next we will create a cloudflared user to have the cloudflared service running sepratly from our VPN on our Pi, This user will be for cloudflared only and will not have a SHELL or any login password to prevent other utalising the account.
udo useradd -s /usr/sbin/nologin -r -M cloudflared
Next create a file in /etc/default/cloudflared and paste the below into the file;
Commandline args for cloudflared CLOUDFLARED_OPTS=--port 5053 --upstream https://188.8.131.52/dns-query --upstream https://184.108.40.206/dns-query CLOUDFLARED_OPTS=--port 5054 --upstream https://220.127.116.11/dns-query
Change ownership of the cloudflared files to the cloudflared user
paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /etc/default/cloudflared
paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
Create the below file in /etc/systemd/system/cloudflared.service to allow automatic startup of the cloudflared service.
[Unit] Description=cloudflared DNS over HTTPS proxy After=syslog.target network-online.target [Service] Type=simple User=cloudflared EnvironmentFile=/etc/default/cloudflared ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS Restart=on-failure RestartSec=10 KillMode=process [Install] WantedBy=multi-user.target
Once the file has been created as per above, enable cloudflared in systemctl
paz@raspberrypi:/etc/default $ sudo systemctl enable cloudflared
Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service → /etc/systemd/system/cloudflared.service.
paz@raspberrypi:/etc/default $ sudo systemctl start cloudflared
paz@raspberrypi:/etc/default $ sudo systemctl status cloudflared
● cloudflared.service - cloudflared DNS over HTTPS proxy
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-01-26 09:34:51 GMT; 3s ago
Test the service is functioning as expected, you should recieve a response from bbc.co.uk similar to the below;
paz@raspberrypi:/etc/default $ dig @127.0.0.1 -p 5053 bbc.co.uk
; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 bbc.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12841
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("………………….")
;; QUESTION SECTION:
;bbc.co.uk. IN A
;; ANSWER SECTION:
bbc.co.uk. 226 IN A 18.104.22.168
bbc.co.uk. 226 IN A 22.214.171.124
bbc.co.uk. 226 IN A 126.96.36.199
bbc.co.uk. 226 IN A 188.8.131.52
Query time: 26 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Sun Jan 26 09:36:56 GMT 2020
;; MSG SIZE rcvd: 164
Now that we have configured Cloudflared its time to head over to the Pi-hole GUI to remove Google DNS and point to Cloudflared DNS servers. Login to your Pi-hole GUI using the username and password provided before. Once you login you should see something similar to this;
Head down to Settings then choose the DNS Tab, un-check Google DNS, add 127.0.0.1#5053 & 127.0.0.1#5054 to the Upstream DNS servers section and finally check ‘Listen on all interfaces’
Everything should now be working, you can use your Pi-hole dashboard to see hosts connected to Pi-hole, see how much has been blocked. You can test if you are using DNS-over-HTTPS here!
This brings me to the end of this weekend project, I could have rattled through all the comands myself in an afternoon, but writing these blog post added extra time. Until next time, happy surfing!