Some information might be out of date.

About Pi-Hole

[Image: Pi-Hole screenshot]

Pi-Hole is a DNS sinkhole for small networks, licensed under the EUPL. It consists of its own DNS engine, FTLDNS (pihole-FTL, forked from dnsmasq), and a small WebUI.

It is software that blocks ads across your entire home network.

Although it is developed as an ad blocker, it can also be used simply as a caching DNS server, because the set of domains to block is entirely up to you.

Motivation

I sometimes feel out of touch with the world at large when I completely block ads on the Web.

Recently, I was shocked when I was shown my father’s smartphone. An unusual amount of ads filled 2/3 of the screen, and I had to look for a space to tap to scroll. Not only the quantity, but also the content was problematic; I would literally go crazy if I had to look directly at that kind of thing every day.

But my father stubbornly refuses to use an ad blocker. I think he is fairly IT literate, having worked in the telecommunications industry for many years, so perhaps it is a sense of duty. But even granting that sense of duty, is there any room for compassion in the current state of the Web advertising business? They deceive and intentionally harm the viewer, wasting time and computing resources.

If they have the freedom to do business, we have the freedom to choose what we see.

I decided to take a measure upstream, at the network level, since I have de facto control of the network at my parents’ house.

Environment

Network

[Image: network diagram]

Only the DNS function of Pi-Hole is enabled; its DHCP server is not.

The router is a Yamaha NVR700W, connected directly to the gateway provided by NTT, and I am considering applying to NTT to switch to the latest SFP+ type compact ONU.

I connected the machine to the L2 switch directly below the router, since it should not sit too many hops away from the router. It also needs to be fanless for the quiet living room.

Computer

I use an HP t420 Thin Client that I bought in Akihabara[1].

Thin clients are going out of fashion these days, but they usually have low-power CPUs and are highly reliable because they are built for industrial use. If you are looking for a small server, I recommend them over a Raspberry Pi or a cheap mini-PC. Not to mention, they are cheap.

[Image: HP t420 Thin Client]

[Image: t420 interior]

2GB of RAM is onboard and not expandable.

The miniPCIe slot is unfortunately not full-spec and does not support mSATA SSDs.

The USB SSD is an SSD-PSTA/N, which I also got in Akihabara. It cost twice as much as the t420. I DO NOT recommend installing on a USB flash drive: Pi-Hole writes its query log and FTL database constantly, so I/O speed and flash endurance matter.

I chose Debian for the OS, which is officially supported, and installed directly rather than in Docker to make it a dedicated machine.

  • Debian GNU/Linux 12 (bookworm)

  • AMD GX-209JA

  • 2GB RAM

  • 256GB USB SSD

According to the official documentation, 512MB of RAM and 2GB of disk space are the minimum requirements, so a Raspberry Pi Zero 2 W is also enough. How lightweight!

Install

Proceed with the Linux installation as usual. This time I named the host pi-hole, but be careful NEVER to use pihole as the user name, because the installer later creates a user and group named pihole:pihole.

Fix IP address

Before installing Pi-Hole, the network interface needs a fixed IP address.

You can fix an IP address from the router’s configuration by associating the MAC address with an IP address (a DHCP reservation; this is a DHCP server function, but most home routers provide it). On a small network like this one, you can also just configure a static address outside the DHCP range on the machine itself. At my parents’ home the DHCP range is 192.168.100.30 to 192.168.100.191, so I can use 192.168.100.2 to 192.168.100.29 as I like.

On Debian (ifupdown), fix the IP address by changing dhcp to static in /etc/network/interfaces:

# This file describes the network interfaces available on your system
# and how to activate them. For more information, see interfaces(5).

source /etc/network/interfaces.d/*

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface
allow-hotplug enp1s0
iface enp1s0 inet static
    address 192.168.100.2
    netmask 255.255.255.0
    gateway 192.168.100.1

# This is an autoconfigured IPv6 interface
iface enp1s0 inet6 auto

If you manage the network some other way, for example with NetworkManager (nmcli), leave only the minimal configuration in /etc/network/interfaces so that ifupdown does not also try to manage the interface:

auto lo
iface lo inet loopback

If your upstream DNS server supports IPv6, you can enable IPv6. I left it at auto, since I don’t think an IPv6 address is something to be fixed and used directly. Note that clients only use Pi-Hole over IPv6 if the router hands out Pi-Hole’s IPv6 address as the DNS server (via RA/RDNSS or DHCPv6); if the router advertises its own or the ISP’s IPv6 resolver instead, dual-stack clients will bypass Pi-Hole for those lookups. Block connections from outside the home network to the WebUI, SSH, etc. with a firewall.

Run installer

The official documentation presents three installation methods (the curl | bash one-liner, git clone, and wget of the installer) plus Docker; all of them end up running the same basic-install.sh. If you want the most cautious route, use git clone or wget so you can read the installer before running it as root, rather than piping curl straight into bash.

Nothing will use it as a DNS server until the router settings are changed, so the detailed settings can wait. At the end of the installation the installer prints a WebUI password; write it down (it can also be changed from the command line, with pihole -a -p in Pi-Hole v5).

The WebUI can be reached at http://pi.hole/ (the pi.hole name is answered by Pi-Hole itself, so it only works from a client that already uses Pi-Hole as its resolver). If you just type pi.hole into the browser’s address bar it is often treated as a search, so either add it to your hosts file or start typing with http://. An mDNS name or a bare IP address is not redirected to the login page for some reason, so use http://pi-hole.local/admin or http://192.168.100.2/admin.

Set up upstream DNS

Pi-Hole has no way to “automatically use the upstream DNS server delivered by the provider via DHCP”, so the address must be specified directly.

Many articles recommend public resolvers such as Google’s 8.8.8.8 / 8.8.4.4 or Cloudflare’s 1.1.1.1 / 1.0.0.1. However, public resolvers are often considered a problem in themselves (every lookup on the network goes to a single outside operator), so I think it is better to use the provider’s DNS. I personally dislike Big Tech, which does not even try to hide its ambition to dominate the Internet, and I think any service offered free of charge, DNS included, always takes something in return, including users’ information. (A third option, also described in the Pi-Hole documentation, is to run your own recursive resolver such as unbound next to Pi-Hole.) That said, some people switch because their provider’s DNS is slow, and three Japanese ISPs, notably NTT Group companies, have implemented DNS blocking, so I am not inclined to speak ill of those who do switch[2].

Set Pi-Hole as a DNS

After this step, Pi-Hole finally starts working as the caching DNS server for the LAN.

If you have an ordinary home router, specify Pi-Hole’s address (192.168.100.2 in this case) in its DNS configuration.

With a Yamaha NVR, run the commands dns server 192.168.100.2 and dns notice order dhcp server me from the CLI, because merely specifying the relay-destination DNS server in the GUI generates extra traffic[3]. The point is to distribute Pi-Hole’s address to clients by DHCP, so that they query it directly instead of going through the router. The server me part keeps the NVR700W’s own DNS server as a backup in case Pi-Hole goes down[4]. Be aware that a secondary resolver that does not filter is also an escape hatch: a client that fails over to 192.168.100.1 (or, on some operating systems, queries both servers) gets unfiltered answers, so this trades a little blocking coverage for availability. Once this is done, I don’t have to touch any settings on PCs or phones. If “Network settings” on a phone or PC shows the DNS servers in the order 192.168.100.2, 192.168.100.1, it worked.

[Image: executing the commands on the NVR; be careful of the command order]

For example, if you use nmcli to manage the network on a PC and set the method to manual to fix its LAN IP address, DHCP is ignored, so set the resolvers yourself with nmcli connection modify <connection> ipv4.dns "192.168.100.2 192.168.100.1". This amounts to rewriting /etc/resolv.conf, but if that file carries the comment # Generated by NetworkManager, do not edit it directly; NetworkManager will overwrite it.
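To confirm from a client that the resolver really is Pi-Hole and that blocking happens, here is an added example (not code from the original post or from the Pi-Hole project). It sends a raw DNS query to the Pi-Hole address from the post (192.168.100.2) and classifies the reply the way a Pi-Hole user cares about: 0.0.0.0 (Pi-Hole’s default NULL blocking answer) or NXDOMAIN means blocked, a real address means resolved. The RFC 1035 packet is built and parsed by hand so only the Python standard library is needed; the domain names are placeholders. Point it at 192.168.100.1 as well to see the filtered and unfiltered resolver side by side.

```python
"""Probe a resolver over UDP and classify a domain as blocked or resolved.

Added example; not code from the original post or the Pi-hole project.
Assumptions: 192.168.100.2 is the Pi-hole address from the post; the
domain names are placeholders; Pi-hole is in its default NULL blocking
mode, which answers blocked A queries with 0.0.0.0.
"""
import socket
import struct

BLOCKED_ANSWERS = {"0.0.0.0"}  # Pi-hole NULL blocking mode answer for A records


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a single-question A/IN query with the recursion-desired flag set."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(data: bytes, offset: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, then the name ends
            return offset + 2
        offset += 1 + length


def parse_response(data: bytes, txid: int = 0x1234) -> dict:
    """Return the rcode and every IPv4 address in the answer section."""
    rid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    rcode = flags & 0x000F
    offset = 12
    for _ in range(qdcount):
        offset = _skip_name(data, offset) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlength = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlength]
        offset += rdlength
        if rtype == 1 and rclass == 1 and rdlength == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": rcode, "addrs": addrs}


def classify(result: dict) -> str:
    """Map a parsed reply onto what a Pi-hole user wants to know."""
    if result["rcode"] == 3:
        return "blocked (NXDOMAIN)"
    if result["rcode"] != 0:
        return f"error (rcode {result['rcode']})"
    if result["addrs"] and set(result["addrs"]) <= BLOCKED_ANSWERS:
        return "blocked (null address)"
    if result["addrs"]:
        return "resolved"
    return "no A record"


def probe(resolver: str, name: str, timeout: float = 2.0) -> str:
    """Send one query to the given resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (resolver, 53))
        data, _ = sock.recvfrom(512)
    return classify(parse_response(data))


if __name__ == "__main__":
    for resolver in ("192.168.100.2", "192.168.100.1"):
        for domain in ("example.com", "ads.example.com"):  # placeholder names
            print(f"{resolver} {domain}: {probe(resolver, domain)}")
```

Because this talks to the resolver you name rather than the one the device is configured with, it cannot tell you whether a given device actually uses Pi-Hole; for that, resolve a name only Pi-Hole answers, such as pi.hole, through the device’s own resolver.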

If some device on your LAN still ignores the DNS server distributed by DHCP, you have to deal with it individually. Typically this is a device with a hardcoded public resolver: no client-side setting will fix it, and unless the router blocks or redirects outbound port 53 traffic to anything other than Pi-Hole, it bypasses the filter entirely. You may think IoT devices do not need ad blocking, but Pi-Hole is most useful precisely for devices that cannot be configured in detail. Even when they show no ads, they may quietly send usage statistics, and that is often exactly the thing that cannot be turned off in the settings.

Check privacy setting

[Image: privacy settings page]

You must respect the privacy of others. If the network is used by people other than yourself, information about which device made which request should not be visible once debugging is done. Note, however, that hiding it in the WebUI does not delete anything: the queries remain in the logs on the Pi-Hole machine itself (pihole.log and the pihole-FTL database), so also consider reducing what is logged (pihole logging off disables the query log) and limiting how long the database keeps queries (MAXDBDAYS in pihole-FTL.conf in Pi-Hole v5).
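The log that stays on the machine is also the most direct way to find the devices mentioned above that ignore the DHCP-advertised resolver: a host that sits in the router’s lease table but never appears in pihole.log is either switched off or talking to a hardcoded resolver. The following is an added example (not code from the original post or from the Pi-Hole project) that summarises pihole.log per client and lists such hosts. The log lines and the host table are constructed here; the line format is assumed from the dnsmasq-style lines pihole-FTL writes (query[...], forwarded, cached, gravity blocked), and the addresses and names are placeholders.

```python
"""Summarise pihole.log per client and spot hosts that never use Pi-hole.

Added example; not code from the original post or the Pi-hole project.
Assumptions: SAMPLE_LOG is a constructed stand-in for pihole.log in the
dnsmasq-style format that pihole-FTL writes; KNOWN_HOSTS stands in for
the router's DHCP lease table. All addresses and names are placeholders.
"""
import re
from collections import defaultdict

# Constructed sample of pihole.log lines (not a real capture).
SAMPLE_LOG = """\
Mar  1 10:00:01 dnsmasq[612]: query[A] www.example.com from 192.168.100.50
Mar  1 10:00:01 dnsmasq[612]: forwarded www.example.com to 192.168.100.1
Mar  1 10:00:01 dnsmasq[612]: reply www.example.com is 93.184.216.34
Mar  1 10:00:05 dnsmasq[612]: query[A] ads.example.net from 192.168.100.50
Mar  1 10:00:05 dnsmasq[612]: gravity blocked ads.example.net is 0.0.0.0
Mar  1 10:00:09 dnsmasq[612]: query[AAAA] telemetry.example.org from 192.168.100.77
Mar  1 10:00:09 dnsmasq[612]: gravity blocked telemetry.example.org is ::
Mar  1 10:00:12 dnsmasq[612]: query[A] www.example.com from 192.168.100.77
Mar  1 10:00:12 dnsmasq[612]: cached www.example.com is 93.184.216.34
"""

# Constructed stand-in for the router's DHCP lease list (address -> name).
KNOWN_HOSTS = {
    "192.168.100.50": "laptop",
    "192.168.100.77": "tv",
    "192.168.100.90": "speaker",
}

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<domain>\S+) from (?P<client>\S+)")
# Block messages as logged by pihole-FTL (gravity list, exact and regex deny lists).
BLOCKED_RE = re.compile(
    r"(?:gravity blocked|exactly (?:blacklisted|denied)|regex (?:blacklisted|denied)) "
    r"(?P<domain>\S+) is "
)


def summarise(log_text: str) -> dict:
    """Return {client: {"queries": n, "blocked": m, "blocked_domains": set}}."""
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "blocked_domains": set()})
    last_client = {}  # domain -> client that most recently asked for it
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            stats[m["client"]]["queries"] += 1
            last_client[m["domain"]] = m["client"]
            continue
        m = BLOCKED_RE.search(line)
        if m and m["domain"] in last_client:
            # FTL logs the block right after the query, so attribute it to the last asker.
            client = last_client[m["domain"]]
            stats[client]["blocked"] += 1
            stats[client]["blocked_domains"].add(m["domain"])
    return dict(stats)


def bypass_candidates(stats: dict, known_hosts: dict) -> dict:
    """Hosts in the lease table that never queried Pi-hole: hardcoded DNS, or just off."""
    return {ip: name for ip, name in known_hosts.items() if ip not in stats}


if __name__ == "__main__":
    s = summarise(SAMPLE_LOG)
    for client, c in sorted(s.items()):
        name = KNOWN_HOSTS.get(client, "?")
        print(f"{name:8} {client:16} queries={c['queries']:3} blocked={c['blocked']:3}")
    for ip, name in bypass_candidates(s, KNOWN_HOSTS).items():
        print(f"never seen: {name} ({ip}) -- check for a hardcoded resolver")
```

On a real box, feed it the contents of pihole.log and replace KNOWN_HOSTS with the router’s lease table; a host that shows up as never seen while it is clearly online is the one to chase.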

Add blocklists

I think it is somewhat better for the rules to be too loose and let a few things slip through than to be too strict and break things, so I have not changed from the Pi-Hole default list, StevenBlack/hosts. Besides, it is safer to stay with what the majority of users run, because heavy customization of this kind makes your setup more fingerprintable.

Even where ads can be removed, YouTube ads cannot be blocked by DNS (they are served from the same hosts as the videos), and ads on the Web may soon become impossible to remove this way. And since it does nothing for me when I am away from home, I think blocking should also be controlled on the device side. If I had to route my traffic home through a VPN while out, the setup would become harder and harder to understand, and security would be beyond the control of an amateur.

Conclusion

The battle against advertising is almost like a battle against technology itself. Every day we are beaten to a pulp by the technology produced by the front-line engineers of giant corporations.

I feel that Pi-Hole is not a means to “win” such an impossible war, but at least a means to prolong the life of a network that is infested with inconvenience and to bring back the good old freedom.

If you like computers and networking and want to try something new, why not install one in your home? Let’s look at “blocked” and “cached” and grin.


  1. “t420 Thin Client”, a thin-client terminal with an AMD chip, for 1,500 yen! Used-goods sale - AKIBA PC Hotline!

  2. However, some sites have a policy of completely blocking connections that use Google or Cloudflare DNS. Here is the website of a well-known Japanese researcher: Welcome to the E-ONTAP

  3. Although you want a direct “DNS resolver - DNS server” connection, it becomes “DNS resolver - DNS recursive server (router) - DNS server”, which generates unnecessary traffic.

    FAQ for YAMAHA RT Series / TCP/IP

  4. This is because a dedicated router is considered more fault-tolerant than a PC (thin client). Yamaha’s NVR can deliver up to 4 DNS server addresses, but Linux’s resolv.conf only honours the first 3 nameservers, so even if I added a second Pi-Hole for redundancy, it would be only one more.