I am a big fan of Pi-hole and I recommend it to everyone. It is an amazing piece of software to get rid of advertisement and tracking on a network level and recently Pi-hole version 5 was released. Check my blogpost here if you want to know how to set it up. That blogpost is based on version 4 of Pi-hole but the same applies for version 5. Just follow the steps there to secure your network and take back your online privacy. Pi-hole 5 has a lot of new features but the one I want to talk about is how to exclude client devices with Pi-hole 5.
Use case
Being able to exclude individual client devices can be extreme useful during troubleshooting. There may be times that you want to bypass the ad-blocking capabilities of Pi-hole like for IoT devices. Many IoT devices are connected to some cloud solution, especially if they are using Apple HomeKit. I’ve had many IoT devices go offline because Pi-hole was blocking them and I did not want to have to whitelist all those domains. My IoT devices are on a separate VLAN and I want them to use my Pi-hole as DNS server but I don’t want anything blocked for them. Pi-hole 5 makes that possible without jumping trough any hoops.
Let’s get started
Excluding client devices with Pi-hole 5 is done using Group Management. After installing Pi-hole a default group is created. Blocklists are now called Adlists and all the adlists you add are added to the default group called Default. Check the screenshot below:
As you can see we can now also add a comment to an adlist :). Very nice for documentation purposes. Mine says Migrated from /etc/pihole/adlists.list because my Pi-hole was upgraded from version 4 to version 5. That comment is automatically added during the upgrade proces.
Create a new Group
The first this we need to do is create a new group. Go to Group Management and click on Group. Enter a name and description and click on Add.
Make sure the List of configured groups show the new group you added:
Check group assignment
Now we have to make sure that the new Exclude_Group group we created does not have adlists assigned to it.
Go to Group Management -> Adlists and check the Group Assigment column. In the above screenshot you can see that I have all my adlists assigned to the Default group. Next we can add client devices to the Exclude_Group group. Every client device added to this group will have no adlists because all our adlists are assigned to the Default group.
Adding client devices
Go to Group Management -> Clients. Find the IP address of the client device on the dropdown menu. You can also enter a custom IP address. My client device has IP address 192.168.100.185. Enter a Comment and then click on Add.
Not that after adding the client device it will automatically be added to the Default group:
Change the group to exclude client device
All we have to do now is change the Group assignment for the client device to the group we created earlier on. It is important to deselect the Default group! We only want the client device with IP address 192.168.100.185 be member of the group Exclude_Group. Rember that the Exclude_Group does not have adlists assigned so any member of that group will still use Pi-hole as DNS server without the blocking functionality.
After you have made sure that the client device is only member of the Exclude_Group click on Apply. Your screen should look something like this:
Do some testing
Now that my client device with IP address 192.168.100.185 is excluded we can do some testing. Opening a browser of my client device and visiting https://www.google.com shows the following in the query log of Pi-hole:
Note that the following DNS request is now allowed: adservice.google.com
I know that my exclusion is working because adservice.google.com is on several adlists I use:
If I change the group of this client device back to Default we will observe the following behaviour:
Well, and that is all there is if you want to exclude client devices with Pi-hole 5 blocking especially if you find that after implementing Pi-hole (or adlists) something broke in your network. Really helpful I’d say.
In this blog post I will show you how to enable secure LDAP for Citrix ADC with LDAP signature signing policy in order to tighten security in your network. As most of you know Microsoft will be retiring insecure LDAP communication on domain controllers. Check the Microsoft article here for an in-depth explanation. You can also check the following articles about LDAP signature signing:
CVE-2017-8563 – Windows Elevation of Privilege Vulnerability
ADV190023 – Microsoft Guidance for Enabling LDAP Channel Binding and LDAP Signing
So insecure communications to Active Directory is going away and we all need to switch the components in our network (which are talking to Active Directory for authentication) to use Secure LDAP (LDAPS). LDAPS uses SSL or TLS to encrypt traffic. Because the LDAPS traffic is encrypted we don’t need to worry about someone intercepting the traffic. If you intercept it, it’s encrypted so you won’t be able to read it. This change then is a good thing!
It so happens that a lot of ADC’s out there use insecure insecure LDAP to talk to domain controllers. As you can see in the screenshot below my own ADC has been setup to talk to my domain controller using insecure LDAP on port 389:
The screenshot above shows the basic LDAP server configuration pointing to my Active Directory domain controller. When I click the Test Network Connectivity button you see that everything is fine. This is the way a lot of these ADC’s are setup and when insecure LDAP to domain controllers is not working anymore somewhere during this year, this will break and that means that users will not be able to authenticate on you ADC and login to for instance Access Gateway VPN (if they are using that). In the end it will affect everything the ADC is providing your users with that require authentication from your Active Directory.
That’s why I will show you in this blog post how to get ahead of this change from Microsoft and prepare you Citrix ADC to Enable secure LDAP for Citrix ADC with LDAP signature signing.
What needs to be done
We need to reconfigure the ADC to use Secure LDAP (LDAPS). This can be done using that same insecure LDAP port (port 389) but tell the Citrix ADC to use TLS communication. Or you can choose to communicate to the Active Directory using port 636 and use the SSL option. The Active Directory only listens to LDAP with SSL encrypted traffic on port 636.
What group policy are we talking about
Ok all those articles are fine but let’s get pragmatic and let’s find the policy on the domain controller which will (somewhere this year) block insecure LDAP. In the end you want to know what will cause the problem and how to resolve it. Let me show you. To find the policy start mmc.exe on your Active Directory domain controller. Then click on File -> Add or Remove Snap-ins and find the Group Policy Management Editor. Click on Add:
Click on Browse:
Make sure you doubleclick the Domain Controllers folder here! You will see that the folder has the name of your domain in it. In my case it is Domain Controllers.vikash.nl:
Once you are in the folder you will find the policy we are looking for. The name should be Default Domain Controllers Policy. Select that and click on OK and then Finish. Finally click on OK and you should see the mmc showing you something like this:
The policy setting Microsoft is going to change in order to enforce Secure LDAP is named Domain controller: LDAP server signing requirements. Find it under Computer Configuration -> Policies -> Windows Settings -> Security Settings -> Local Policies -> Security Options:
You can see that the setting here is None. This is the default setting and Microsoft eventually will change this to Require signing and in the basic this is all there is :). So for testing purpose let’s change the setting to Required signing and re-test our LDAP Server setting on the Citrix ADC. Note that when you change the setting to Require signing you will get a popup with a warning message. Click on Yes:
Now the setting is changed and Secure LDAP is being enforced because now it says Require signing. The policy setting will look like this:
Head over to the management webgui on the ADC and go to theAuthentication LDAP Server page and click on Test Network connectivity. It will show an error which basically tells us that the Active Directory domain controller is not accepting insecure LDAP anymore:
Ok now we have the policy on the Active Directory to require LDAP signature signing and the expected error on the ADC when we make a PLAINTEXT LDAP request. Now I will show you how to fix this.
Domain Controller Certificate
Before we can do secure LDAP requests to our Active Directory Domain Controllers we have to make sure that the domain controller is using a Certificate. This is a requirement so make sure that this is working and in place. On my domain controller I am running ADCertificate Authority Role (CA):
The CA role allows me to easily issue certificates in my domain. In the screenshot below you can see that I have a certificate issued and activated on my domain controller:
Note that if you don’t have a certificate on your domain controller installed and active you will not be able to let the Citrix ADC do secure LDAP requests.
Enable Secure LDAP on Citrix ADC
Ok now we have our certificate setup on our domain controller and let’s continue to setup secure LDAP on ADC. You can do secure LDAP on port 389 with TLS or switch to port 636 with SSL. Please keep in mind that, depending on which of the below solutions you choose, you might have to adjust firewall rules.
Secure LDAP using port 389 with TLS
If your ADC is setup to use insecure LDAP it is doing this using port 389. You will see in the management webgui of the ADC that Security Type is set to PLAINTEXT:
So LDAP on port 389 can either be insecure or secure. Now we want it to be secure so the only thing you have to change here is set the Security Type to TLS. You won’t even have to change your firewall rules and everything will be running fine. So set the Security Type to TLS and click on Test Network Connectivity:
You should get all greens now and no errors. Make sure to press OK on the bottom of this screen to save your changes.
Secure LDAP using port 636 with SSL
The other option is to switch over to port 636 for LDAP requests. All LDAP communication on port 636 require encryption unlike LDAP on port 389. So on the ADC management webgui navigate to the LDAP configuration server and not set the Security Type to SSL. You will see that the ADC automatically changes the port to 636. Click on the Test Network Connectivity button and everything should be fine and green:
Note that in the green field it will say that LDAP communication is making use of port 636 now. Make sure to press OK on the bottom of this screen to save your changes.
To sum up
Using Secure LDAP on the Citrix ADC not only gives you a better security but also gives you other advantages like allowing password changes for users. If your users are able to do password changes already then chances are that you already have everything in place for that moment when Microsoft decides to enforce LDAP signature signing. And if not then I hope this blog post has helped you enable secure LDAP for Citrix ADC with LDAP signature signing. Be secure!
In my blog post here I showed you how to setup and configure WireGuard VPN Server side. I that blog post I also tell you what WireGuard is and what the benefits are. Everything in this blog post continues based on the configuration in my previous blog and in this blog post I will show you how to setup WireGuard client on iPhone.
First we need to download WireGuard for iOS from the Apple App Store. You can do that on your iPhone or click on the link here which will take you directly to the WireGuard app in the App Store.
For your iPhone visit the App Store and search and download WireGuard:
Adding the configuration to the iPhone app is a lot less steps compared to the Windows client. We will generate a QR code on the WireGuard server (the DietPi) and simply scan that QR code on the iPhone WireGuard app.
To do that connect to your DietPi server using SSH and go to the /etc/wireguard directory. There you should have the configuration files for you server and your clients if you followed my blog post about setting up your own WireGuard VPN Server. Let check if everything is there with the ls -l command:
As you can see there I named my client configuration file iphone.conf. To generate the QR code typ the following command:
Before you do this you have to make sure that your iPhone is connected to the same network as the WireGuard VPN Server. Open the WireGuard app on your iPhone and tap Add a Tunnel and then select the Create from QR Code option:
Scan the QR code with the camera and give the tunnel a name:
Enter your iPhone pincode to add the tunnel:
The iPhone will now automatically add the VPN tunnel in the settings app and then switch to the WireGuard VPN app. There you will see the VPN tunnel:
That’s all for adding a WireGuard tunnel to your iPhone.
In my blog post here I showed you how to setup and configure WireGuard VPN Server side. I that blog post I also tell you what WireGuard is and what the benefits are. If you want to know more about WireGuard or how to configure WireGuard VPN server, check my blog post here. In this blog post I will show you how to setup WireGuard client on Windows. The Windows installation package is the same for all current Windows operating systems including Windows Server.
First we need to download WireGuard for Windows. The download is the same for server or client and can be downloaded from here. Choose the latest version under Windows:
The installation is very simple. Dubbleclick on the MSI package and WireGuard will install itself and start automatically:
The next part is to download the client configuration (wg0-client.conf) file from the DietPi server. You can do this using a program called WinSCP. You also need to install OpenSSH Server on DietPi for WinSCP to work. Installing OpenSSH on DietPi requires the same steps as WireGuard but instead search for OpenSSH and then select OpenSSH Server:
DietPi default comes with Dropbear SSH server which is a lightweight SSH server. The downside is that it does not support Secure Copy Protocol (SCP) and we need that to download our client configuration file. Just follow the steps on screen to install OpenSSH Server on DietPi. Then install WinSCP on your Windows 10 client and connect to your DietPi server with the following session settings:
You will get a prompt for a Unknown Certificate.Click on Yes to add it:
Once WinSCP is connected to your DietPi server browse to the folder /etc/wireguard. Download the wg0-client.conf file to a location on your Windows 10 machine:
Go back to the WireGuard window and click on Import tunnel(s) from file to import the wg0-client.conf file:
Select the wg0-client.conf file:
Now you will see that WireGuard has created the tunnel on your Windows 10 machine at it is ready to connect. If you click on Activate it will connect the tunnel and you are good to go:
After connecting the tunnel you will see that all traffic from you Windows 10 client now goes trough your WireGuard server:
You can check the status of WireGuard on your DietPi with the following command:
sudo wg show
You will see a screen like this showing the Windows 10 client connected:
That is basically it for running WireGuard client on Windows 10.
Performance tests
In the blog post where I talk about setting up WireGuard server I also said I would do performance tests. I am impressed with WireGuard and as I mentioned in my previous post I am running WireGuard server on a Raspberry Pi 3B:
Check out the load while copying a file over the WireGuard tunnel between my Windows 10 client and the WireGuard server:
It is pulling almost the maximum of 100Mbit without breaking a sweat. It is a beast :).
I’m sold on WireGuard and I hope that it get used more and more in the future. That’s why in this post I will show you how to setup WireGuard VPN server and clients running on iOS and Windows.
WireGuard is another Virtual Private Network (VPN) tech. It is fairly new. Now do we actually need another VPN? Well I think we do if you look at the specs and performance of WireGuard. It literally puts the old guard in the shade in terms of performance. It is build from the bottom to be fast, modern, secure and at the same time lightweight on resource usage. For example when I run OpenVPN on my iPhone my battery drains real quick so I cannot leave it running the whole day. With WireGuard on my iPhone I don’t need to worry about battery drain and I can leave it running the whole day! Recently I just forgot to disable WireGuard and it was running for a couple of days on my iPhone without me noticing it. I benefit from the added security and privacy as it seamlessly switches between mobile data and WiFi. And it is fast too in switching the VPN tunnel between mobile data and WiFi. I know that OpenVPN takes some time to activate when you switch from network and sometime you have to manually restart the process. If you want to read more about WireGuard check out their website here.
In this blog post I only show you how to configure the Server side. For the client configuration check my other blog post:
I will show you how to setup WireGuard on you home network. This will be the server side of WireGuard. Then I will show you how to setup a client on Windows 10 and on iOS. With WireGuard server running at home and your computer and mobile phone running the client you can safely connect to you home network when away from home. And for me the most important benefit from connecting to my home network when I am away is that I can benefit from the added security I have from my Pi-Hole. Check my blog post here about setting up a Pi-Hole on your home network.
Having WireGuard and connecting back to home also means that I don’t have to worry about being tracked or my data leaked when I am on another WiFi network like at a restaurant or in a hotel. Because everything goes trough my WireGuard VPN tunnel to my own network no one will be able to see what is going on because the traffic is completely end-to-end encrypted. That is security and privacy away from home in your pocket right there :).
Requirements
WireGuard is so lightweight that it can even run on a Raspberry Pi. I am running it on a Raspberry Pi 3 Model B and it can easily max out the network speed without breaking a sweat. The max network speed of that type of Raspberry Pi is 100Mbit/sec and I have it pulling about 90Mbit/sec. Wow!
Meet DietPi
On my Raspberry Pi I am using DietPi as my operating system. DietPi is a lightweight Linux distribution aimed at single board computers. Check out their website here. It is optimized for Raspberry Pi, lightweight and it has a software repository which makes it very easy to setup several software packages on the Raspberry Pi. DietPi also takes care of system settings and NAT rules on the local system required for WireGuard. Hey I am all up for automation. I will show you later on how those look.
For this blog post I will use a Hyper-V DietPi version (for demo purposes) but the performance tests I will show you how my production Raspberry Pi performs. It is a beast!.
Install and configure WireGuard server
Start by downloading the correct version of DietPi for your hardware. As you can see in the screenshot below DietPi offers an image for a variety of hardware:
If you download the image for one of the single board computers like the Raspberry Pi, you can use Rufus (or similar software) to write that image on your SD-card and boot the system. Basically that is all you have to do to get DietPi running.
Login using SSH with your favorite program. I am using Putty. You will be greeted with some information about DietPi and some stats. In the screenshot below you can see that I am using a virtual machine for this blog:
Run the following command to start the software selection tool:
dietpi-software
You will see the DietPi-Software utility. Because there are a lot of packages we will search for WireGuard. Select the Search option and hit enter:
Enter wireguard in the search field and select OK:
You will see that is has found wireguard server. Select the package with your spacebar and the hit OK like in the screenshot below:
You will be back at the start screen for the software install utility. Now select the Install option and hit enter:
DietPi will ask you if you would like to begin the installation. Select OK and hit enter:
The setup will start and DietPi will automatically install the required package. Then a screen will popup asking you if you want the machine to be setup as VPN server or client. We will choose Server and hit OK.
The next screen is very important. The setup will ask you to enter the public IP address or domain. That means you WAN IP address or public DNS name. If you WAN IP address is using DHCP (check your internet provider for this) you will want to setup some kind of dynamic DNS name and use that here. There are some free services on the internet like DynDNS or No-IP where you can set this up. If your WAN IP address is static use that. For this blog I will use a LAN IP address and for testing purposes this is fine. So enter your WAN IP address or internet dns name in the screen and hit OK:
Nest the setup will ask you the port number to run WireGuard server on. I leave this at default, which is port 51820 and hit OK.
Now WireGuard server is basically setup. The finish the installation the system will need a reboot. Hit OK to do that now:
Server configuration
After the reboot reconnect again using SSH to your DietPi. DietPi generates the basic configuration for the server and also for one client. The configuration of all those components can be found in the location /etc/wireguard/. There you can see the configuration and the keys used for authentication and traffic encryption. See screenshot below:
Let’s take a look at the server configuration. Open the file wg0.conf (the server file) with nano and you will see that DietPi software installation script has configured everything on the server side for us. It does the iptables rules as well as enabling forwarding of network traffic and it also has generated the configuration for our first client:
The Address 10.9.0.1/24 is automatically added and will be used for WireGuard Server. So the server will be on 10.9.0.1 and the first client will get 10.9.0.2 as you can see in the screenshot above. You can change those but that is beyond the scope of this blog post. If you change those keep in mind that it will affect the WireGuard server setup and you may have to do some troubleshooting there. My advise is to just leave it as is. This works.
Client configuration (first client)
My first client will be my Windows 10 laptop and I will use the automatically generated client configuration wg0-client.conf. Navigate to /etc/wireguard and open this file with nano your favorite terminal editor. You will need to change some setting here like DNS server and enable KeepAlive. My DNS server is my Pi-Hole and that is what I want to use when connecting to my WireGuard server. This setting should point to the IP address of the DNS server you are using in your network. The KeepAlive option is required because my WireGuard server is using NAT and is sitting behind my pfSense firewall. This will be also the case for most of you out there so enable this by uncommenting the line. Note that the WireGuard installer has created the public and private keys for the first client with the names client_private.key and client_public.key.
While you are here make sure that Endpoint is your public IP address or public DNS name.
Client configuration (second client)
The second client I will use WireGuard on is my iPhone. There are some steps involved in generating key pairs and then the client configuration file. Navigate to /etc/wireguard and enter the following commands:
umask 0077
wg genkey > iphone_private.key
wg pubkey < iphone_private.key > iphone_public.key
umask 0022
You can change the names as you like. I named my with the prefix “iphone”. You will see that the private and public key files for my iphone client have been generated:
The next step is to generate the client configuration file using those keys. We will use the wg0-client.conf as base file and clone it with the correct keys. Execute the following commands:
Make sure to use the names correct like in my example above. You can see that I am using iphone.conf as name for my iPhone client and also using iphone_private.key. The IP address part here is also very important. The server is using 10.9.0.1, my Windows 10 client is using 10.9.0.2 and so my iPhone client will use 10.9.0.3. If you add more clients you need to up the IP address every time because WireGuard doesn’t have DHCP yet. If all the commands are ok you should see something like this:
Check to make sure all the information is correct in the configuration file of the iPhone (iphone.conf in my case). See the arrows for the important parts:
If you need to add more clients just follow the same steps as above and make sure you use the next available IP address in the network range of the WireGuard server, so in this case a third client would get 10.9.0.4 as IP etc etc.
Add the clients to the server
After creating the clients keys and configuration files we need to tell WireGuard server what clients are authorized to connect. Login via SSH on your WireGuard server (the DietPi here) and navigate to /etc/wireguard. Open the wg0.conf file and add the clients at the bottom of the file. Add the lines like this:
In a previous blog post of mine here I showed you that I am using Pi-Hole to protect my network and moved away from pfBlockerNG. In this blog post I will show you how to setup Pi-Hole to protect your network and privacy.
What is Pi-Hole?
“Pi-Hole is is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.” That is a quote from the documentation website of Pi-Hole and that basically says it all. If you want to know all the details Pi-Hole is then check you their website. Now there is the term “DNS sinkhole”.
DNS sinkhole…what now?
To be able to understand what a DNS sinkhole is you have to first understand what DNS is and does. DNS is short for Domain Name System and it basically does the same thing phonebook does. It translates numbers to names because numbers are a lot harder to memorize. When you want to visit www.vikash.nl your computer will put that request out to a DNS server on your network which will translate that name to the IP address where www.vikash.nl is living. This is also called a DNS query. Pi-Hole is a DNS server so if you setup a Pi-Hole on your network it will answer the DNS queries for all the devices in your network and this means that you can redirect DNS lookup to anywhere you like. You now have the power to redirect DNS queries to ad-serving networks to an alternate IP address basically eliminating those from showing on any device connected to your network :). This process is called DNS sinkhole and also how Pi-Hole works. If you want to read more about it check out this Wikipedia article.
What will Pi-Hole protect you from?
What makes the Pi-Hole unique from your-basic-DNS-server is the fact that it can pull in Blocklists from the internet and based on those build a database of domains which are serving ads, tracking privacy or even serve malware and ransomware! How cool is that. Ads in general are not a problem but nowadays even ads are used to deliver malicious payloads to your computer. Of course you can whitelist websites you want to support and allow Pi-Hole not to block the ads from them.
To sum up the Pi-Hole will use Blocklists to protect your network. Those Blocklists are on the internet and most of them are free. In this blog post I will share the Blocklists I use.
Requirements
Pi-Hole is a magnificent piece of software and it even can run on a Raspberry Pi Zero (hence the name Pi-Hole). If you have a spare raspberry pi laying around set it up. The raspberry pi are running off SD card and those are limited in read and write cycles. That’s why I would suggest to run in on something more robust. I am running it on a Ubuntu 18.04 server virtual machine which is running on Hyper-V 2016 host. This has been rock-solid performance wise and it enables me to make regular virtual machine backups in case something goes wrong like with an update. So my shoppinglist is:
Ubuntu server 18.04 with static IP address
Access to your internet router to change DNS server settings
Let’s get started
I will assume you have setup an Ubuntu server with a static IP address. This static IP address should be in the same network as where the rest of your devices are. Usually this is your normal LAN. So in my case my local network range is 10.100.150.100 to 10.100.150.200. I am using pfSense as my router so for me it looks something like the screenshot below:
Login to your Ubuntu server using SSH and make sure everything is updated. To do this use the following commands:
sudo apt-get update
sudo apt-get upgrade
Basic configuration
Once everything is updated and running it is time to setup Pi-Hole. This process is very simple. Just execute the following command:
sudo curl -sSL https://install.pi-hole.net | bash
You will see the installation of Pi-Hole starting. Hit Enter for OK.
There will be a couple more screen where you just hit Enter for OK. Then you will arrive at the screen below asking you what upstream DNS server you are using. I choose to use Cloudflare. All my traffic is going trough my VPN provider anyway. The reason you need to enter a DNS server here is because Pi-Hole will be used as a caching DNS server on your LAN. So when the Pi-Hole receives a DNS query from a device on your LAN it will check if the hostname requested is in it’s own local DNS database (the one build using the Blocklists). If not then it will forward the request to it’s upstream DNS server which then will answer with the correct IP address. However if the hostname is in the DNS database of Pi-Hole it will sinkhole it.
Now you will be asked what default Blacklists you want to enable. I will not be using the default Blacklists but don’t disable everything here! Enable at least one of the default Blacklists because this create the necessary files for Pi-Hole to work properly. So I just select one and hit Enter for OK:
Select both IPv4 and IPv6 and hit Enter for OK:
Next step it will inform you that you should have the IP address setup as static. Note that this IP address is also the IP address which all your devices will use as their DNS server. We will set that up later. For now just hit Enter for OK:
Choose to install the admin interface. Pretty important for management and configuration. Hit Enter for OK.
On the next screen choose to install lighttpd webserver. This is the webserver where the management UI is running on. Hit Enter for OK.
In the next screen choose to log the DNS queries which will be handled by Pi-Hole. This is one of the major features for me and I think the Pi-Hole UI is way ahead of the competition on how to display what is happening in your network in a easy way. Check my blog post here about why I think that.
In the next screen choose to Show everything. This is one of the biggest features (again).
After some more default OK screen Pi-Hole will retrieve packages and start the setup. When it is finished you will be presented with a screen where the admin password is displayed and also the URL to the admin page. This password is used to login to the Admin Webpage. Just hit Enter for OK.
The first thing you want to do is change this password. At the command line enter the following command to change the password for the Admin Webpage:
sudo pihole -a -p
Advanced configuration
Let’s dive into the advanced configuration settings. Open your webbrowser and login to the Admin Page. Then go to Settings -> Blocklists. This is where the magic will happen and were we will tell Pi-Hole what Blocklists we want to use in order to build the local DNS database for domains we will sinkhole.
A word about Blocklists
Blocklists are used to build the local DNS database and based on that the Pi-Hole will sinkhole certain DNS queries. Be advised that this can (and probably will) break the internet at your home! I want to stress this very much! Depending on what Blocklists you use you will discover that certain websites or apps are not working anymore. I know for example that many Blocklists are blocking all of Facebook or Instagram for privacy reasons and after adding those Blocklists to your Pi-Hole you will not be able to open those websites or use those apps. Luckily (as I mentioned before) we are able to Whitelist certain domains on Pi-Hole. Whitelisting means that regardless of whether a certain domains appear in a Blocklist, it will not be blocked.
That’s why Whitelisting is a major part of implementing Pi-Hole in your network. Especially the first few days / weeks you will have to keep a close eye on the domains which are being sinkholed and add domains to the Whitelist as needed.
My Blocklists
Below are the Blocklists I use. Again, make sure that you understand that this is not a set-it-and-forget-it kind of feature. You will have to “babysit” the Pi-Hole configuration in order to tweak your Whitelist. Below is my Blocklist:
Login to the Admin Webpage and go to Settings and then select the Blocklists tab. Delete the one blocklist feed we have here from the setup earlier. Then enter all the Blocklist feeds from above and click on Save and Update. Wait for it to update.
After a successful update you will be presented with a resume of the Blocklist feeds update and then you are “in business”. Pi-Hole is now ready to protect your network and all the devices on it.
My Whitelist
Managing the Whitelist is very important as I said before. To get you started on a base-Whitelist below you have my own Whitelist. It should give you a very good basic starting point.
To add the above domains to the Whitelist click on Whitelist in the Admin Webpage and enter the list above. When you click on Add here the list is immediately active. So any changes you make here will be immediately active and you don’t need to update anything.
How to whitelist hostnames
Check your Whitelists by clicking the menu on the left of the Admin Webpage:
Just add my Whitelist list and click on Add.
If you encounter a website or app that is not working anymore after setting up Pi-Hole chances are that something is sinkholed (blocked by Pi-Hole). If you click on the Query Log on the menu you will get a very nice overview of the DNS queries which are allowed or blocked. You can even search for queries for a specific device in your network. Very powerfull interface!
The interface explains itself basically. If you see something being blocked and you want to whitelist it, just click on the Whitelist button behind it and all is done! That simple.
Adjust router to serve Pi-Hole as DNS Server
Now you are all set with Pi-Hole and it is time to change your router settings so it tells all the clients in your LAN that Pi-Hole is the DNS server now. I will use pfSense as my example here but in general these steps should also translate to the brand router you have.
The main idea is to go into the DHCP settings in your router and change the DNS server there to the IP address of the Pi-Hole. Make sure that there are no other DNS servers entered there beside the Pi-Hole and soon you will see devices in you LAN querying Pi-Hole for DNS lookups. For pfSense go to Services-> DHCP Server-> LAN. Scroll down to the Servers section and enter the Pi-Hole in the first DNS servers field. Leave the rest blank.
Apply some tweaks
Pi-Hole updates it Blocklists every sunday. I made a change here to update is every day. I do this because domains are constantly being added and removed from several Blocklists I use and by updating them frequently I can make sure that I don’t miss some critical domain updates. When installing Pi-Hole a user is created on your server names pihole. This user has a cron job which updates Pi-Hole Blocklists.
On the command line on your Ubuntu server to edit the cron file for the pihole user:
nano /etc/cron.d/pihole
Edit the line that contains pihole updateGravity . If you want it to run for example every day on 2 AM change the line to this:
Run systemctl restart cron for the changes to take effect. This may be changed back to default when Pi-Hole get’s a system update so you have to watch for that.
Pi-Hole version update
Once in a while Pi-Hole will release a new version. When you login to the Admin Webpage you will get a notification in the bottom of the page like so with the words Update available! glowing in red:
To apply the update you will have to login to your Pi-Hole using SSH and enter the following command:
sudo pihole -up
You will see that everything is updated and you are good to go:
Some cool stats
I have Pi-Hole running for some time now and I want to share some cool stats. Here is the overal stats page which give you a detailed overview of how my Pi-Hole is doing in my network:
Here are the top blocked domains in my network and how Pi-Hole is protecting me against leaking telemetry data to a big tech company.
Wrap up
Overall using Pi-Hole has made me more aware of privacy and gives me the ability to protect all the devices in my network from ads, privacy tracking, malware and ransomware. In order of first-line defense I think this is a valuable addition in protecting your privacy and data.
If you implement Pi-Hole in your network and break the internet I cannot be held responsible for it. I want to stress again that it is very important to keep a close eye on your Query Log to make sure that something isn’t being wrongfully blocked. Pi-Hole has a lot of more options and features but I believe with this blog post I have make sure that you have the basic configuration drilled down in order to keep your network safe and maintain your online privacy.
This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish.AcceptRejectRead More
Privacy & Cookies Policy
Privacy Overview
This website uses cookies to improve your experience while you navigate through the website. Out of these, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may affect your browsing experience.
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
