DNS at home

Neal
Shed dweller
Posts: 2300
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#1 DNS at home

Post by Neal »

Been mucking about with a spare Raspberry Pi and thought I'd have a go at setting up my own DNS server for educational purposes and curiosity. Played about a bit with bind and dnsmasq but found a really easy-to-use DNS in the shape of Pi-hole... https://pi-hole.net/

Neat bit of free (donate) s/w that blocks ads at the domain level and allows me to bypass BT's own DNS servers. By default BT won't allow you to set, say, Google as your preferred DNS.

The s/w also has a built-in DHCP server and graphical user interface, making it really simple to use. I used a fresh SD card with Raspbian PIXEL and used the curl install command line on the Pi-hole web site. The setup is straightforward. I disabled the DHCP on my BT router and configured an IP range in Pi-hole. I set the upstream DNS servers as Google and renewed the IP leases on my iPad/Mac and other devices etc... bingo, all working.

Network response is a touch quicker as the RPi is caching and responding to DNS requests locally, plus it's now blocking all the bad ad sites out there. You can whitelist or blacklist domains as you wish....
Only the Sith deal in absolutes.
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#2 Re: DNS at home

Post by jack »

Pi-hole is neat, though you should take note of the warning about blindly piping a page to bash. The installation method is kind of cute: using curl in silent mode to pipe an install script to bash...

...however, if someone got to that page, or redirected it via DNS or a 30x response, then what?

Using "-L" in the curl command line allows redirects to be accepted. The nominal command line from pi-hole.net is:

    curl -sSL https://install.pi-hole.net | bash
...however, install.pi-hole.net silently redirects via a 301 (Moved Permanently) response to https://raw.githubusercontent.com/pi-ho ... install.sh which is possibly compromisable via git.

Just sayin...
Vivitur ingenio, caetera mortis erunt
Neal
Shed dweller
Posts: 2300
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#3 Re: DNS at home

Post by Neal »

Yup, agreed; however, in this case they go to lengths warning of the danger and don't try to cover up anything. The script is there for examination and I felt it was ok to use curl. Ordinarily I'd be extremely cautious, as you point out, Nick.

After I had the DNS up and running it promptly stopped running..... turns out if you are with BT you must deactivate all parental controls and fraudulent website settings before you can use an alternative upstream DNS server! Once I'd done that it worked again and it's blocking all sorts of tracking sites!
Only the Sith deal in absolutes.
Tony Moore
Old Hand
Posts: 503
Joined: Thu Aug 02, 2007 12:24 am
Location: New Brighton

#4 Re: DNS at home

Post by Tony Moore »

There is also an alternative method of installation that doesn't require the stream through bash.

https://github.com/pi-hole/pi-hole#alte ... ll-methods

You still have to trust their install script and stuff it downloads but at least you can "review" it.

I loaded it yesterday onto a spare Pi 2 just to see what all the fuss is about, works a treat, will certainly stick with it.
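The safer pattern jack and Tony are describing, fetching the installer to disk, reading it, and only then running it, as an added shell example that is not Pi-hole's own installer or documentation. It assumes sha256sum and curl are available; EXPECTED_SHA256 is a placeholder you fill in yourself after reviewing the downloaded script, and the URL is the one quoted in the thread.

```shell
#!/bin/sh
# Added example (not Pi-hole's code): download an install script to a file,
# require it to match a hash recorded after manual review, then run it.
# This replaces `curl -sSL https://install.pi-hole.net | bash`.
set -eu

INSTALL_URL="https://install.pi-hole.net"
# Placeholder: put the SHA-256 you computed after reading the script here.
EXPECTED_SHA256="REPLACE_WITH_REVIEWED_SHA256"

# fetch_script URL OUTFILE: download WITHOUT -L, so a 30x redirect is not
# silently followed; we require a literal 200 from the URL we asked for.
fetch_script() {
    url=$1; out=$2
    code=$(curl --silent --show-error -o "$out" -w '%{http_code}' "$url")
    if [ "$code" != "200" ]; then
        echo "expected 200 from $url, got $code (redirect or error); stopping" >&2
        return 1
    fi
}

# verify_script FILE EXPECTED_HASH: 0 only if the file's SHA-256 matches.
verify_script() {
    file=$1; expected=$2
    actual=$(sha256sum "$file" | cut -d' ' -f1)
    [ "$actual" = "$expected" ]
}

# run_verified FILE EXPECTED_HASH: execute the script only after a hash match,
# so a changed upstream file (or a changed redirect target) is refused.
run_verified() {
    file=$1; expected=$2
    if verify_script "$file" "$expected"; then
        sh "$file"
    else
        echo "hash mismatch for $file; refusing to run" >&2
        return 1
    fi
}

# Usage (network step commented out so the file runs offline):
#   fetch_script "$INSTALL_URL" ./basic-install.sh
#   less ./basic-install.sh            # read it, then record its sha256sum
#   run_verified ./basic-install.sh "$EXPECTED_SHA256"
```

If the hash you recorded stops matching on a later fetch, that is your cue to diff the two copies and read the change, not to update the hash and carry on.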
Neal
Shed dweller
Posts: 2300
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#5 Re: DNS at home

Post by Neal »

Nice one Tony. I got a bit overzealous with some of the sites, blocking anything remotely suspicious..... managed to kill the family's access to most of the web! LOL!
Only the Sith deal in absolutes.
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#6 Re: DNS at home

Post by jack »

Neal wrote: Sun Mar 19, 2017 11:07 pm Nice one Tony. I got a bit overzealous with some of the sites, blocking anything remotely suspicious..... managed to kill the family's access to most of the web! LOL!
They could still access anything they wanted, it's just that it'd have to be by explicit IP address rather than by domain name.
Vivitur ingenio, caetera mortis erunt
Neal
Shed dweller
Posts: 2300
Joined: Fri Aug 03, 2007 10:57 am
Location: From the land of the Bodgers

#7 Re: DNS at home

Post by Neal »

I hadn't realised I'd wandered into the pedants' room. Yes, 'access' is possible, but something like 212.58.246.54 doesn't particularly work that well when there is a wildcard blacklist entry for any link with the name in it, and to get it to work you would need to know all the other addresses where most of the content is served from. YouTube doesn't work that well if you block its CDN. :roll:
Only the Sith deal in absolutes.
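A small model of the point jack and Neal are arguing over in posts #6 and #7: a wildcard entry blocks a name and all of its subdomains, but a bare IP address never becomes a DNS query and so is never seen by the blocklist, while a CDN under a different name is only blocked if that name is listed too. Added shell example, not Pi-hole's own code; Pi-hole's real matching (gravity lists, regex entries) is richer than this, and the blocklist and hostnames below are constructed.

```shell
#!/bin/sh
# Added example: a minimal wildcard domain blocklist, to show what name-based
# blocking does and does not cover. Not Pi-hole's matching code.
set -eu

# Constructed blocklist, one domain per line. Each entry is treated as a
# wildcard: it matches the domain itself and every subdomain under it.
BLOCKLIST="example-ads.test
video-cdn.test"

# is_blocked NAME: 0 if NAME is an entry or a subdomain of one, else 1.
is_blocked() {
    name=$1
    for entry in $BLOCKLIST; do
        case "$name" in
            "$entry"|*."$entry") return 0 ;;
        esac
    done
    return 1
}

# resolve NAME: what a resolver using this list would hand back.
#   blocked name  -> 0.0.0.0 (sinkhole address)
#   other name    -> PASS (forwarded upstream as normal)
#   IP literal    -> no DNS query happens at all, so the list is never consulted
resolve() {
    name=$1
    case "$name" in
        *[!0-9.]*) ;;                       # has letters: a hostname
        *) echo "IP literal, not a DNS query"; return 0 ;;
    esac
    if is_blocked "$name"; then
        echo "0.0.0.0"
    else
        echo "PASS"
    fi
}

# Usage: resolve www.video-cdn.test   -> 0.0.0.0
#        resolve www.example.test     -> PASS
#        resolve 203.0.113.10         -> IP literal, not a DNS query
```

The practical reading for a home setup is the one both posts arrive at: name-based blocking is a convenience and privacy control, not an access control, and a site that serves its content from many separately named CDN hosts needs each of those names on the list before the block is effective.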
jack
Thermionic Monk Status
Posts: 5504
Joined: Wed Dec 29, 2010 8:58 pm
Location: ɐılɐɹʇsnɐ oʇ ƃuıʌoɯ ƃuıɹǝpısuoɔ

#8 Re: DNS at home

Post by jack »

Sorry about that, not trying to be a pedant, but I spend a fair bit of my day job getting my team to implement systems that hopefully can't be got round easily, so I have a real interest in this...

I'm paid to think like a devious little sh*t :) (*)

Having said that, I've been playing with pi-hole and like it a lot !

(*) In pedant mode, that really should be "a devious quite tall sh*t"
Vivitur ingenio, caetera mortis erunt