William Blankenship

Locking Down DNS

This guide walks you through getting PiHole setup with DNS over HTTPS on a Raspberry Pi.

PiHole is like an ad-blocker for your entire network! It works by intercepting DNS requests (the thing that takes human readable domain names like www.google.com and turns them into ip addresses 172.217.164.110) and refuses to "resolve them" (tell your computer the ip address) when the domain name is for an advertiser.

On top of this awesomeness, this guide will also ensure all of your DNS requests are encrypted. DNS was never really designed to have privacy by default. Because of this, anybody looking at your network traffic (i.e. Comcast, AT&T, your neighbor who figured out your wifi password, etc.) can see what websites you visit! What we are going to do is, instead of doing a real DNS request when the computers on your network try to resolve DNS values, we are going to instead do an HTTPS request (the thing websites use) to fetch the values instead. This encrypts all of your traffic, so only you and cloudflare will know what you are browsing.

It's worth noting that we are trusting cloudflare in this setup. It's possible they will abuse this privilage, though we have pretty strong guarentees that they wont since they have annual external audits.

So let's get started!

Note: this tutorial is written for Debian, if you are using another system you may need to modify some steps

Getting a Pi

Grab a $25 Raspberry Pi 3 A+, a 5.2v power cord, and a SD card from Adafruit (or anywhere, but Adafruit is awesome and you should consider supporting them!).

If you do go with Adafruit, ordering the SD card from them too makes sense and is convienent. Though I have found some great deals on brand name SD cards on Amazon (i.e. 32GB Samsung SD card for $5.99). Worth looking there if you are wanting to buy multiple SD cards for other projects!

Installing Raspbian

$ transmission-cli https://downloads.raspberrypi.org/raspbian_lite_latest.torrent

ctrl-c once the download finishes

$ unzip *-raspbian-*.zip

Download etcher, select the downloaded .img file, select your SD card, and then flash it!

Mucking with files before boot

This is needed for setting up wifi and ssh

$ mkdir pi_boot pi_rootfs
$ lsblk -f # identify the sdcard based on the device names
$ sudo mount /dev/sdb1 pi_boot
$ sudo mount /dev/sdb2 pi_rootfs

You can now edit the files on the pi directly from your computer!

When you are done editing:

$ sudo sync # super important, don't forget this!
$ sudo umount pi_boot
$ sudo umount pi_rootfs

Setup WIFI and SSH

https://www.raspberrypi.org/documentation/configuration/wireless/headless.md

No need for WIFI if plugging directly into the router

Now boot up the pi. You will need to find it's IP address, the easiest way to do this is through your routers DHCP table, which is probably displayed in your router's UI as something like "connected devices"

Configure Pi

$ sudo raspi-config
  1. Set your locale
  2. Change your password
  3. Change hostname (I use pihole)

SSH Keys

Probably best to use ssh key-pairs for ssh, if your system supports it, use ed25519

$ scp ~/.ssh/id_ed25519.pub pi@[ip_address]:/home/pi/.ssh/authorized_keys

Static IP

At this point, you need to hop on your router and give your raspberrypi a static ip address.

Setup PiHole

https://github.com/pi-hole/pi-hole/#one-step-automated-install

Setup DNS over HTTPS

I originally had just used cloudflared, but have since switched to DNSCrypt. DNSCrypt has a large pool up no-log DNS providers that it can rotate through, meaning there is no single point of failure for your upstream DNS, whereas I had seen issues with cloudflared resolving https://1.1.1.1.

First setup DNSCrypt for your Pi-Hole here:
https://github.com/jedisct1/dnscrypt-proxy/wiki/installation

If you want to use DNSSec (I tried, but saw huge latencies) there is a checkbox at the bottom of the Pi-Hole DNS configuration page in the web-admin panel. Be sure to set require_dnsec = true in your dnscryhpt-proxy file if you check that box! Once enabled, you can verify it is working by going here: http://dnssec.vs.uni-due.de/

Add additional block lists

There is a great compilation of blocklists here: https://firebog.net/

Be sure to read what the checkmarks and arrows mean. There is also a list of commonly used services that you may want to white list at the bottom of the page. There are some domains which are blocked (for good reason) in some of these lists that provide services that are relatively common for people to use (Google, bit.ly link shortners, etc.), you will probably be sad if you don't white-list these.

Configure Router

At this point, you need to hop on your router and setup your raspberry pi as your exclusive upstream DNS server.

Creative Commons License This work by William Blankenship is licensed under a Creative Commons Attribution-ShareAlike 4.0 International License.