My Pi-Hole Setup

What in the world is a Pi-Hole, you may ask? Pi-Hole is a software package whose primary purpose is to block ads, spyware, phishing, malware, and other undesirable traffic on your network. It runs on pretty much any Linux distro. For my setup, I’m currently running it on a Raspberry Pi 3, but you can also run it in a VM (VMware or VirtualBox, for example), on dedicated hardware, or from pre-built Docker images. In this blog post I’m going to document how I designed my setup, with the main objective of having all traffic on my home network go through the Pi-Hole to keep the common trash of web browsing off all of the devices that my family uses.

My home network consists of an ISP wireless modem/router with the standard four Ethernet jacks. It is part of the WOW ISP whole-home wireless package, which includes a dedicated EERO router with little Wi-Fi amplifiers that I have dispersed in various areas of my house to boost the signal for greater coverage. This introduces a challenge for routing all of the traffic to the Pi-Hole, since the main modem and the EERO router serve DHCP on different networks. The way around this is to configure the EERO router in bridge mode so all of the traffic is forwarded to the main WOW modem/router and all of the devices are on the same class C network.

The next step is getting the main WOW modem/router to forward DHCP requests to the Pi-Hole device. This part isn’t actually a requirement: you can get away with just setting your WOW DNS server to be the IP of the Pi-Hole device, but then, when you look at the metrics in the Pi-Hole dashboard, you will only get IP addresses and not hostnames. In order to get hostnames, you need to forward DHCP requests from your main ISP modem/router to the Pi-Hole device, which also acts as a DHCP server. To accomplish this, most ISP routers include a port forwarding setting in which you create a rule to forward all DHCP traffic, which would be UDP/67 and UDP/68, to the Pi-Hole IP.

The standard Pi-Hole installation is covered on their site, along with various tutorials you can find on YouTube and the like, so I’m not going to cover that here. The initial setup is pretty easy and straightforward. One of the key features of the Pi-Hole is that you can add custom blocklists in the form of URLs, which can be updated by means of a nightly cron job. You just need to run pihole -g to update the lists. The following are the URLs that I’m currently leveraging as blocklists and that have worked very well for me:

  • http://someonewhocares.org/hosts/zero/hosts
  • http://v.firebog.net/hosts/AdguardDNS.txt
  • http://v.firebog.net/hosts/BillStearns.txt
  • http://v.firebog.net/hosts/Easylist.txt
  • http://v.firebog.net/hosts/Shalla-mal.txt
  • http://winhelp2002.mvps.org/hosts.txt
  • https://adaway.org/hosts.txt
  • https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
  • https://dbl.oisd.nl/
  • https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
  • https://mirror1.malwaredomains.com/files/justdomains
  • https://openphish.com/feed.txt
  • https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
  • https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
  • https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews-gambling/hosts
  • https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
  • https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
  • https://raw.githubusercontent.com/piwik/referrer-spam-blacklist/master/spammers.txt
  • https://raw.githubusercontent.com/vokins/yhosts/master/hosts
  • https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
  • https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
  • https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
  • https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
  • https://www.dshield.org/feeds/suspiciousdomains_Low.txt
  • https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt

Yes, I know it’s a lot of lists, but you can never be too safe, right? Another benefit to running Pi-Hole on your network is that it also acts as a DNS caching server, which will speed up your network considerably.
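The blocklists listed above arrive in different formats (hosts-file entries, bare domains, URL feeds) and can overlap, so here is an added example, not part of the original post and not Pi-Hole's own parsing code, that normalises all three formats and counts how many domains each list supplies that no other list does. The sample list contents are constructed, and treating a line as hosts-format when it begins with a sink IP is an assumption of this example.

```python
import re
from urllib.parse import urlsplit

# Hostname shape: dot-separated labels, final label starting with a letter
# (so bare IPv4 addresses are rejected).
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z][a-z0-9-]{1,62}$")
_SINK_IPS = {"0.0.0.0", "127.0.0.1", "::", "::1"}
_LOCAL = {"localhost", "localhost.localdomain", "broadcasthost", "local"}

# Constructed sample contents (not real list data), one per format.
SAMPLES = {
    "hosts_style": "# comment\n127.0.0.1 localhost\n0.0.0.0 ads.example.com\n"
                   "0.0.0.0 tracker.example.net # inline note\n",
    "domain_style": "ads.example.com\nTracker.Example.net.\nmalware.example.org\n",
    "url_feed": "http://login.example.org/verify?id=1\nhttps://ads.example.com/b.js\n",
}

def extract_domain(line):
    """Return the domain a blocklist line names, or None if it names none."""
    line = line.split("#", 1)[0].strip().lower()
    if not line:
        return None
    if "://" in line:  # URL feed entry: keep only the host part
        try:
            host = urlsplit(line).hostname or ""
        except ValueError:  # malformed URL, e.g. unbalanced IPv6 brackets
            return None
    else:
        fields = line.split()
        # hosts format is "<sink ip> <domain>"; otherwise treat as a bare domain
        host = fields[1] if len(fields) > 1 and fields[0] in _SINK_IPS else fields[0]
    host = host.rstrip(".")
    return host if host not in _LOCAL and _HOST_RE.match(host) else None

def load_list(text):
    """Parse one downloaded list into a set of unique, normalised domains."""
    return {d for d in map(extract_domain, text.splitlines()) if d}

def unique_contribution(lists):
    """Count, per list, the domains that no other list already supplies."""
    out = {}
    for name, domains in lists.items():
        others = set().union(*(d for n, d in lists.items() if n != name))
        out[name] = len(domains - others)
    return out

if __name__ == "__main__":
    parsed = {name: load_list(text) for name, text in SAMPLES.items()}
    print("total unique domains:", len(set().union(*parsed.values())))
    for name, count in unique_contribution(parsed).items():
        print(f"{name}: {len(parsed[name])} domains, {count} found only here")
```

A list whose unique count stays at zero adds download time and another source to trust without blocking anything new.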

Additional Resources