Pi-Hole: A DNS-based blacklist for ads and tracking for Raspberry Pi

Mattias Geniar, Sunday, October 23, 2016

I just "upgraded" our home network with a Pi-Hole, an interesting project that implements a DNS server with a known list of ad and privacy trackers. The result is that everyone on your network who uses that DNS server gets an adblocker for free, without configuration work.

How DNS-based blacklisting works

The idea is simple and powerful: the project acts as your DNS server, so every time your smartphone/tablet/laptop/PC requests the IP for a known ad tracker, the Pi-Hole just responds with a bogus IP address.

Instead of connecting to the server for the adtrackers, you connect to your Pi. Since that's running a webserver, it instantly connects and returns an empty reply.

There's no delay in waiting to connect to a non-existent IP address, there's just an instant "blackholed" answer.
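The mechanism described above, as an added example (not code from this post or from the Pi-Hole project): a minimal Python sketch that parses a DNS A query and, for a listed name, builds the answer pointing at the sinkhole. The Pi's address 192.168.1.2, the two blocklist entries and all function names are assumptions made for the illustration; unlisted names and other query types return None, meaning "forward upstream".

```python
import socket
import struct

SINKHOLE_IP = "192.168.1.2"  # assumed LAN address of the Pi running the web server
BLOCKLIST = {"ads.example.net", "tracker.example.org"}  # constructed entries


def parse_qname(packet, offset=12):
    """Read the question name that starts right after the 12-byte DNS header."""
    labels = []
    while True:
        length = packet[offset]
        if length == 0:
            return ".".join(labels).lower(), offset + 1
        if length & 0xC0:
            raise ValueError("compression pointer not expected in a question")
        labels.append(packet[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def is_blocked(name):
    """Exact, case-insensitive match in this sketch; subdomains are not implied."""
    return name.rstrip(".") in BLOCKLIST


def sinkhole_response(query):
    """Return an A answer pointing at SINKHOLE_IP, or None to forward upstream."""
    if len(query) < 17:  # 12-byte header + root name + QTYPE/QCLASS
        raise ValueError("truncated DNS query")
    txid, flags, qdcount = struct.unpack("!HHH", query[:6])
    name, end = parse_qname(query)
    qtype, qclass = struct.unpack("!HH", query[end:end + 4])
    if qdcount != 1 or qtype != 1 or qclass != 1 or not is_blocked(name):
        return None
    # QR=1 (response), RA=1, copy the client's RD bit, RCODE=0 (no error)
    header = struct.pack("!HHHHHH", txid, 0x8080 | (flags & 0x0100), 1, 1, 0, 0)
    question = query[12:end + 4]
    # 0xC00C points back at the question name; type A, class IN,
    # short TTL (arbitrary here), RDLENGTH 4 followed by the IPv4 address
    answer = struct.pack("!HHHIH", 0xC00C, 1, 1, 2, 4) + socket.inet_aton(SINKHOLE_IP)
    return header + question + answer


def build_query(name, txid=0x1234):
    """Constructed sample input: a standard recursive A query for `name`."""
    qname = b"".join(bytes([len(p)]) + p.encode("ascii") for p in name.split("."))
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)
```

The client receives a normal, successful answer, which is why a blocked lookup is instant rather than a timeout; the cost is that every blocked hostname now resolves to the Pi, so whatever listens there sees those requests.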

Pi-Hole configuration

While I usually don't like curl | bash installers, this one seems pretty safe.

I installed it on a Raspberry Pi, but it actually runs on any Ubuntu/Debian based Linux server. The Pi is just convenient as it's a low-power, easy-to-hide-away little server for your home.

On your Pi, run this:

$ curl -L https://install.pi-hole.net | bash

And you're good to go.

Your entire home gets an adblocker, without the hassle

If you want to protect the members of your home (or: anyone connected to your WiFi), it's usually a bit of a hassle: every device needs an adblocker/privacy blocker, it's a pain to get it to work on iOS, ...

Since Pi-Hole acts as a DNS server, all you need to do is configure your router to stop handing out the DNS server(s) from your ISP and instead point clients to the IP of your Raspberry Pi running the Pi-Hole.

Added bonus: since that Pi-Hole can be configured to use Google's upstream nameservers (8.8.8.8 & 8.8.4.4) you automatically bypass DNS-based blocks implemented by your provider.

So if your ISP is preventing you from visiting certain websites, that's usually DNS-based and the Pi-Hole bypasses that by not using your ISP's nameservers.

Web interface

This is actually what made me try out Pi-Hole in the first place: their reporting dashboard!

Every DNS query made gets logged: you get graphs, a list of DNS queries, you can add white- or blacklist entries, ...

[Screenshot: Graphs]

[Screenshot: Pie-charts]

[Screenshot: Top DNS & advertisers]

[Screenshot: Full DNS query log]

Control over convenience

There are already DNS-based blacklist providers you can use (like OpenDNS), but having the DNS server run on your own Raspberry Pi gives you more control and privacy. All the blocking & tracking happens in the comfort of your own home, not by a corporation you don't know.

The downside: you need to configure a Pi and you'll have to troubleshoot why DNS isn't working one day, if the service is stopped/crashed or your Pi has stopped working.

But as a sysadmin, I don't mind -- I'm happy my home gets an adblocker for everyone connected to our WiFi for free.

Give it a try: Pi-Hole, a Black Hole for Internet Advertisers for your Raspberry Pi



Hi! My name is Mattias Geniar. I'm a Support Manager at Nucleus Hosting in Belgium, a general web geek, public speaker and podcaster. Currently working on DNS Spy. Follow me on Twitter as @mattiasgeniar.


Comments

Svenn Monday, October 24, 2016 at 10:02 (permalink)

This is an interesting find, will try, thanks for the tip! (Finally a reason to get my Pi from under the dust)

don Tuesday, October 25, 2016 at 22:48 (permalink)

The instructions given here aren't for the general user. It would be nice if there were some dumbed down version of how to implement this into our home. I have a Pi, but I do not know how to run the curl command you provided. I do not understand how this is implemented with my current Arris Comcast router. Any help/advice would be greatly appreciated.


Nathan Friday, October 28, 2016 at 23:53 (permalink)

@ Don

The curl command gets pasted into the terminal (similar to cmd in Windows). If you ssh into the Pi, you’re already in a terminal after logging in. If you have the Pi hooked up to a monitor, look for a terminal in the application menu. I don't use a monitor, so I can't look up specifics.

Pi-hole will guide you through setup once you run the command. Just remember that space will select a checkbox and enter will hit okay.

As for your router, that's vendor specific. Essentially, you type in the IP of your router, log in, then find the DNS settings and set the first DNS to your Pi's IP address, and the second DNS generally to the DNS you feel is least evil (or Google's at 8.8.8.8 since it's easy to remember). You'll also want to make sure your router gives the Pi a static IP. The Pi will claim its IP, but this will prevent the router from giving that IP to another device accidentally if the Pi is offline or anything.


Nicolas Wednesday, November 2, 2016 at 09:59 (permalink)

Hi. Really interesting technique to solve the problem of too much advertising. Just have to smile a bit when I see a Carbon banner right beneath the title. Isn’t it contradictory to share an ad/analytic-blocker technique while advertising with Carbon and tracking with GG-Analytics on your website?


Mattias Geniar Wednesday, November 2, 2016 at 10:49 (permalink)

Yes & no: I fully understand the web today is being run by ads. That’s the primary money maker for publishers, such as myself.

But there are 2 kinds of ads: non-intrusive ones, like the Carbon ads on this blog, and the ones that advertise online dating, casinos and do so in a flashy banner that occasionally drops some malware.

I whitelisted the carbon ads on my own Pi-Hole, they don’t bother me and they’re surprisingly relevant. But I still don’t want to see Google/Doubleclick or other ads. :-)


Dan Schaper Thursday, November 10, 2016 at 08:00 (permalink)

Hi, Dan from the Pi-hole development team. Thanks Mattias for the great write up, and even though we are all just volunteers collaborating on a project, we stand behind our Pi-hole. If you have any problems, we have many ways to get in touch with us, and we’ll personally walk anyone through getting everything set up on their home routers and systems. All of our contact info is at https://github.com/pi-hole/pi-hole.


Ethan Sunday, March 19, 2017 at 18:34 (permalink)

Great article. Thanks a lot!

Did you notice an impact on browsing speed when you set up pi-hole? Does the limited capacity of the pi slow down your browsing experience in comparison to a modern browser set up with ad and tracker blockers?


Jan Tuesday, October 10, 2017 at 17:12 (permalink)

Hi Mattias,

I was wondering how you integrated this setup with your AmpliFi HD. I set the IP of the Pi-hole as DNS on the AmpliFi so it would get configured on every device without manual intervention. The only downside is that in the Pi-hole logs all activity comes from the AmpliFi itself, since the DHCP configures the AmpliFi’s IP on every client and then it forwards the request in its turn to the Pi-hole.

Which works fine, but it would have been nice to see those logs related to the devices.
