Pi-hole is essentially a DNS sinkhole: a DNS server with a blocklist that is automatically updated from the internet.
Domains on the blocklist are not resolved to their real addresses; instead Pi-hole answers with a null address, so clients never connect to hosts known for serving advertisements, spam, trackers, or phishing.
Pi-hole needs very little CPU, RAM, or storage. It runs on any Raspberry Pi, even the Zero, alongside other applications without a noticeable performance hit.
It offers a web interface where you can add domains to a blacklist or a whitelist. If no HTTP server is running on the Pi, the installer can install lighttpd for it.
There are two main installation methods: on the host OS, or in a Docker container. We will install it on the host.
The installer needs root. Either switch to root first (sudo su) or prefix the commands with sudo, as below. Then choose one of the two methods. The first pipes the installer straight into a root shell; if you would rather read what you are about to run as root, use the second, which leaves the script on disk to inspect before running it:

curl -sSL https://install.pi-hole.net | sudo bash

OR

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh

Follow the installer's prompts; there is no mystery. When it finishes, leave the root account (exit).
At the end it prints the address of the web GUI and a randomly generated admin password. Change that password immediately:
sudo pihole admin -p
Open http://<pi-hole-ip-address>/admin in a browser. The bundled lighttpd serves plain HTTP; add a certificate yourself if you want HTTPS, and in any case keep the admin page reachable only from your LAN.
Or use the command line to manage and monitor it, as below.
If you need to reconfigure:
sudo pihole reconfigure
Update the gravity (block) list:
sudo pihole updateGravity
Watch resolved and blocked queries in real time:
sudo pihole tail
Make it answer queries from all interfaces and origins. Only do this on a network that is not reachable from the internet: a Pi-hole that accepts queries from anywhere is an open resolver that can be abused for DNS amplification, so make sure port 53 on the Pi stays behind your router or a firewall:
sudo pihole -a -i all
Update Pi-hole itself:
sudo pihole updatePihole
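Once the installation and the password change are done, it is worth confirming that the Pi-hole really sinkholes blocked names and still resolves everything else. The script below is an added example, not part of the page or of the Pi-hole project. It assumes dig(1) is installed, that PIHOLE is the Pi-hole's LAN address, and that BLOCKED_DOMAIN is a name you know is on the gravity list (doubleclick.net is only an assumption about the default lists):

```shell
#!/bin/sh
# Added example, not part of the page or of the Pi-hole project: a post-install check
# that the Pi-hole actually sinkholes blocked names and still resolves allowed ones.
# Assumptions (mine, not the page's): dig(1) is installed, PIHOLE is the Pi-hole's
# LAN address, BLOCKED_DOMAIN is a name you know is on the gravity list.
set -u

PIHOLE="${PIHOLE:-}"                                 # e.g. 192.168.1.2; empty = no live query
BLOCKED_DOMAIN="${BLOCKED_DOMAIN:-doubleclick.net}"  # assumed to be on the default lists
ALLOWED_DOMAIN="${ALLOWED_DOMAIN:-pi-hole.net}"

# Pi-hole's default blocking mode answers A queries for blocked names with 0.0.0.0
# and AAAA queries with ::, so the client connects to nothing. Given the output of
# `dig +short`, print one of:
#   blocked  every returned address is the unspecified address
#   allowed  at least one real address (or CNAME) came back
#   empty    no answer at all (NXDOMAIN, SERVFAIL or timeout), which is NOT blocking
classify_answer() {
  if [ -z "$1" ]; then
    echo empty
    return 0
  fi
  # Drop the sinkhole addresses; anything left is a real answer.
  real=$(printf '%s\n' "$1" | grep -v -E '^(0\.0\.0\.0|::)$' || true)
  if [ -n "$real" ]; then echo allowed; else echo blocked; fi
}

query_short() {  # $1 domain, $2 record type; +short prints only the answer data
  dig @"$PIHOLE" +short +time=2 +tries=1 "$1" "$2" 2>/dev/null
}

check_pihole() {
  b4=$(classify_answer "$(query_short "$BLOCKED_DOMAIN" A)")
  b6=$(classify_answer "$(query_short "$BLOCKED_DOMAIN" AAAA)")
  ok=$(classify_answer "$(query_short "$ALLOWED_DOMAIN" A)")
  printf '%-24s A    -> %s\n' "$BLOCKED_DOMAIN" "$b4"
  printf '%-24s AAAA -> %s\n' "$BLOCKED_DOMAIN" "$b6"
  printf '%-24s A    -> %s\n' "$ALLOWED_DOMAIN" "$ok"
  [ "$b4" = blocked ] && [ "$b6" = blocked ] && [ "$ok" = allowed ]
}

# Usage: PIHOLE=192.168.1.2 sh pihole-check.sh
if [ -n "$PIHOLE" ]; then
  if check_pihole; then
    echo "Pi-hole is blocking as expected"
  else
    echo "Pi-hole is NOT blocking as expected" >&2
    exit 1
  fi
fi
```

Run it from a client on the LAN rather than on the Pi itself, so the check also covers the path your devices actually use. An "empty" result for the blocked name means the query failed or timed out, not that it was blocked; check that the client can reach port 53 on the Pi before blaming the blocklist.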
BONUS
Consider enabling the overlay file system on your Raspberry Pi to protect the MicroSD card from getting corrupted or wearing out over time.
sudo raspi-config
Navigate Performance Options > Overlay File System > Yes > Yes to enable the write protection on both partitions.
Note: with the overlay enabled the SD card is read once at boot and every write goes to RAM, so nothing survives a reboot: not the query log, not gravity updates, not a changed admin password or any other configuration change. Disable the overlay (and the boot partition write protection) and reboot before running updates or changing configuration, then re-enable it manually afterwards.
Which upstream DNS resolver should I use?
Pi-hole itself only filters and caches. When a query arrives for a name that is not in its cache, or whose cached answer has passed its TTL, Pi-hole forwards it to the upstream resolver you configured, and that resolver does the actual recursion.
Consider one of the following public DNS servers:
- Unfiltered
  - Google (8.8.8.8 and 8.8.4.4)
  - OpenDNS (208.67.222.222 and 208.67.220.220)
  - OpenNIC (216.87.84.211 and 23.90.4.6)
  - Cloudflare (1.1.1.1 and 1.0.0.1)
- Malicious-domain filtering
  - Quad9 (9.9.9.9 and 149.112.112.112)
  - Cloudflare malware-blocking variant (1.1.1.2 and 1.0.0.2)
  - dns0.eu (193.110.81.0, or 193.110.81.9 for the stricter ZERO variant)
  - CleanBrowsing Security Filter (185.228.168.9)
  - Comodo Secure DNS (8.26.56.26 and 8.20.247.20)
What about DNSSEC?
DNSSEC addresses the trust problem in the DNS hierarchy: zone data is signed, so a validating resolver can verify the integrity and authenticity of an answer and reject forged or cache-poisoned records, which also defeats man-in-the-middle tampering with responses. It does not encrypt anything; queries and answers still travel in clear text, so it adds no privacy over plain DNS.
Setting it up by hand is a hassle, but Pi-hole has it built in and it is a single checkbox in the web interface (Settings > DNS > Use DNSSEC). Two caveats: the upstream resolver must pass DNSSEC data through (Cloudflare, Google and Quad9 do), otherwise validation fails and lookups return SERVFAIL, and the Pi needs a correct system clock, because signatures have validity periods. It is definitely worth trying.
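Whether you are picking an upstream from the list above or turning on DNSSEC in Pi-hole, the same test tells you whether a resolver really validates. The script below is an added example, not part of the page or of Pi-hole; it covers both sections. It asks each resolver for a correctly signed zone and for dnssec-failed.org, a public test zone whose signature is deliberately broken. A validating resolver must answer SERVFAIL for the broken zone, answer it (NOERROR) when the client sets +cd (checking disabled), and set the AD flag on the good zone. Assumptions (mine): dig(1) is installed, RESOLVERS is a space-separated list of addresses to test (your Pi-hole plus any candidates), and the two sample dig outputs are constructed, not captured:

```shell
#!/bin/sh
# Added example, not part of the page or of Pi-hole: check which resolvers actually
# validate DNSSEC. Assumptions (mine): dig(1) is installed; RESOLVERS lists the
# addresses to test, e.g. the Pi-hole plus the public upstreams being considered.
set -u

RESOLVERS="${RESOLVERS:-}"          # e.g. "192.168.1.2 9.9.9.9 1.1.1.1"; empty = no live query
GOOD_ZONE="cloudflare.com"          # a correctly signed zone
BAD_ZONE="dnssec-failed.org"        # public test zone with deliberately broken signatures

# Constructed sample dig output (not captured from a real resolver), showing the two
# header fields the parsers below read.
SAMPLE_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_SERVFAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'

# RCODE from the header line ("status: SERVFAIL," -> SERVFAIL); prints nothing on a timeout.
dig_status() {
  printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# 0 if the flags line carries "ad" (authenticated data). dnsmasq, which Pi-hole's
# FTL is built on, does not pass AD downstream unless it validated the answer itself
# (or is explicitly told to proxy it), so AD reaching the client means this hop,
# not just something further upstream, did the validation.
dig_has_ad() {
  printf '%s\n' "$1" | grep -q '^;; flags:.* ad[; ]'
}

# Verdict from four observations: RCODE of the good zone, whether it carried AD
# (yes/no), RCODE of the broken zone, and RCODE of the broken zone queried with +cd.
dnssec_verdict() {
  if [ "$1" != NOERROR ]; then
    echo broken           # even a valid zone fails: wrong address, clock, network or upstream
  elif [ "$3" = NOERROR ]; then
    echo not-validating   # bogus data is handed to the client; nobody in the chain validates
  elif [ "$4" != NOERROR ]; then
    echo inconclusive     # fails even with checking disabled, so the SERVFAIL proves nothing
  elif [ "$2" = yes ]; then
    echo validating       # AD set, broken zone rejected, +cd bypasses: this hop validates
  else
    echo upstream-only    # the SERVFAIL came from further upstream; this hop did not set AD
  fi
}

check_resolver() {  # $1 resolver address
  good=$(dig @"$1" +dnssec +time=3 +tries=1 "$GOOD_ZONE" A 2>/dev/null || true)
  bad=$(dig @"$1" +dnssec +time=3 +tries=1 "$BAD_ZONE" A 2>/dev/null || true)
  badcd=$(dig @"$1" +dnssec +cd +time=3 +tries=1 "$BAD_ZONE" A 2>/dev/null || true)
  ad=no
  dig_has_ad "$good" && ad=yes
  dnssec_verdict "$(dig_status "$good")" "$ad" "$(dig_status "$bad")" "$(dig_status "$badcd")"
}

# Usage: RESOLVERS="192.168.1.2 9.9.9.9 1.1.1.1 8.8.8.8" sh dnssec-check.sh
for r in $RESOLVERS; do
  printf '%-16s %s\n' "$r" "$(check_resolver "$r")"
done
```

Run it against the Pi-hole before and after ticking the DNSSEC box: "upstream-only" means your upstream rejects bogus answers but the Pi-hole is merely forwarding, "validating" means the Pi-hole checks the signatures itself, and "not-validating" on a public resolver is a reason to drop it from the candidate list. "broken" on the good zone right after enabling DNSSEC usually points at the upstream not returning DNSSEC records or at a wrong clock.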