Block ads, trackers and malware with Raspberry Pi and Pi-hole



slide-1
SLIDE 1

Block ads, trackers and malware with Raspberry Pi and Pi-hole https://cryptoaustralia.org.au

Nick Kavadias nick@cryptoaustralia.org.au

slide-2
SLIDE 2

Self promotion!

  • CryptoAUSTRALIA is a not-for-profit started by security and privacy enthusiasts.
  • Finding practical ways of dealing with the modern privacy and security challenge.

slide-3
SLIDE 3

We know how to internet..

@CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au

slide-4
SLIDE 4
NOTICES

  • 1. I will tolerate some interruptions, so call out questions.
  • 2. The night is split into two parts:
  • 1. First, preso PPT death (40 min?)
  • 2. Then the workshop (the rest)

slide-5
SLIDE 5

What we will be covering…

  • 1. Why block the internet?
  • 2. What is a DNS blackhole/sinkhole;
  • 3. Pi-hole hardware and software supported;
  • 4. My home Pi-hole install;
  • 5. Advanced topics on DNS, lists and VPNs
  • 6. Workshop with RPi / VM
slide-6
SLIDE 6

Instructions (for later)

  • Have RPi (or like) device use: https://cryptoa.us/centaurus
  • VirtualBox or VMWare Fusion use: https://cryptoa.us/fornax

The link to download the VM is in these instructions; we also have local copies on USB.
slide-7
SLIDE 7

Can’t you just leave the internet alone?

No!

  • Flash ads which hijack pages;
  • Pop-up and pop-under ads;
  • Ads which stalk me on all my devices;
  • Ad networks which track and profile me;
  • Ads that tell me I’ve won stuff; and,
  • Malvertising…

slide-8
SLIDE 8

Tech support scams! How do they work? Check out Jim Browning’s YouTube channel

slide-9
SLIDE 9
slide-10
SLIDE 10

Pi-hole, the solution to all your problems?

slide-11
SLIDE 11

No! No such thing as a silver bullet! But..

  • Good job blocking ads and trackers out of the box
  • Not YouTube video ads, but you can with some tinkering
  • It is easy to set up and configure;
  • network based;
  • It is not a traffic filter.
  • Acts as a second line of defence for malware/viruses
  • I still use browser extensions
  • … and antivirus
slide-12
SLIDE 12

How DNS works normally

https://go.gliffy.com/go/publish/12358860

slide-13
SLIDE 13

How DNS works with Pi-hole

https://go.gliffy.com/go/publish/12358867

slide-14
SLIDE 14

Pi-Hole, not just for blocking ads and tracking

  • Out of the ‘box’ ads/trackers & C&C blacklists;
  • Many additional lists which are well maintained by the security community;
  • Upstream DNS services (power user!)
slide-15
SLIDE 15

What a blocked site looks like

What about:

  • Images?
  • JavaScript?
  • Https?

V3.2 now lets you customise the block page

slide-16
SLIDE 16

Do I need Raspberry Pi Hardware?

  • NOT Raspberry Pi exclusive
  • Well tested on Raspberry Pi SBCs
  • ARM, or Intel x86/x64
  • Will work with a Pi Zero and an ethernet dongle
  • Works on other SBCs, like Orange-Pi, see this write-up.
  • Works on crappy old Intel desktops too
slide-17
SLIDE 17

What OS will Pi-hole run on?

  • Will work on any modern Linux OS. Officially supported Linux distributions are:

slide-18
SLIDE 18

How did I set Pi-hole up at my place?

slide-19
SLIDE 19

Hardware I used:

  • Raspberry Pi 3 model B+ (overkill?)
  • 2 GB microSD card (smallest!)
  • microUSB cable for power into back of router
  • USB Y cables useful.
  • WARNING on underpowering: https://www.raspberrypi.org/help/faqs/#powerReqs
slide-20
SLIDE 20

Software I used

  • Software:
  • Windows 10 & Etcher.io for prepping card https://etcher.io/
  • Raspbian Lite https://www.raspberrypi.org/downloads/raspbian/
  • Pi-hole – installed by piping URL to bash!
slide-21
SLIDE 21

And you can too, with my easy 5 Step Plan..

slide-22
SLIDE 22

Step 1: Put image on SD Card

  • Format SD
  • Etcher.io
  • touch /boot/ssh

Windows will try to reformat the card because it does not recognise ext4. IGNORE IT

slide-23
SLIDE 23

Step 2: Plug into network

  • Patch into home router
  • Power with microUSB
  • If you don’t have a USB slot close by, an old 1 amp USB charger will do.

slide-24
SLIDE 24

Step 3: Figure out IP address of RPi?

This is the hardest part of the whole process! There are a few methods to try….

slide-25
SLIDE 25

Step 3: Method 0 - PING

If you’re feeling lucky, try PING:

ping raspberrypi

slide-26
SLIDE 26

Step 3: Method 1 - DHCP table on router?

slide-27
SLIDE 27

Step 3: Method 2 - Network Scanning

  • Good ol’ IP scanning. Pick one:
  • Nmap: sudo apt install nmap
  • Angry IP Scanner: http://angryip.org/download/
  • Masscan: https://github.com/robertdavidgraham/masscan
  • Arp-scan: https://github.com/royhills/arp-scan
  • Scan before, and after. See what’s new!
slide-28
SLIDE 28

AngryIP Scanner

slide-29
SLIDE 29

Step 3: Method 3

  • Plug RPi into a monitor and boot!
slide-30
SLIDE 30

Step 4: Run installer

  • ssh pi@raspberry
  • curl -sSL https://install.pi-hole.net | bash

Bad idea? Read why

slide-31
SLIDE 31

Pi-hole is up and running.. But not for all devices… yet

  • Connect to web admin using http://pi.hole/admin
  • Pi-hole can take over DHCP (disable it on your router). I’ve done this on my setup because:
  • network printer
  • Get actual hostnames in your Pi-hole log
slide-32
SLIDE 32
slide-33
SLIDE 33

(Optional) Test it out?

  • Reconfigure a test computer to use the IP address of Pi-hole for its DNS.

slide-34
SLIDE 34

Step 5: Re-configure router DNS settings

  • Log into your router.
  • No idea how? Find your default gateway IP and try connecting with a browser, e.g. http://192.168.1.1
  • ipconfig or ifconfig
  • To get all devices on your network to use Pi-hole for DNS, you have to make a choice…

slide-35
SLIDE 35

You have two choices for router config

  • Change IP for DNS Server
  • Disable DHCP & have Pi-hole do it

Questions????

slide-36
SLIDE 36

Changing IP for DNS on my home router

slide-37
SLIDE 37

Or...Disable DHCP on router

slide-38
SLIDE 38

…and turn on DHCP Server on Pi-hole

slide-39
SLIDE 39
slide-40
SLIDE 40

Blocklists

  • Default blocklists in /etc/pihole/adlists.list
  • Blocklist collection here: https://wally3k.github.io/
  • Your Pi-hole has a cronjob which runs pihole updateGravity once a week.
  • Refer to our blog post CryptoAUSTRALIA's Favourite Block Lists
slide-41
SLIDE 41

Blocklists using the web admin interface

You can:

  • whitelist hosts
  • temporarily disable all blocks with a timer / manually

You cannot:

  • Make exceptions for local devices
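
The blocklist and whitelist behaviour described on the two slides above, as an added example (not Pi-hole's own code and not part of the presentation): it parses hosts-format and one-domain-per-line lists and makes the sinkhole-or-forward decision for a query. The sample lists, the `example.test` names, the `0.0.0.0` sinkhole answer, exact-name matching and the `upstream` callback are assumptions of this sketch.

```python
import ipaddress

# Constructed sample list (not real Pi-hole data): hosts-file lines, a bare
# domain, an inline comment, a single-label name and a malformed line.
SAMPLE_BLOCKLIST = """\
0.0.0.0 ads.example.test
127.0.0.1 tracker.example.test   # inline comment
malware-c2.example.test
0.0.0.0 localhost
0.0.0.0 CDN.Example.Test.
not a valid line at all
"""
SAMPLE_WHITELIST = {"cdn.example.test"}  # listed above, but allowed by the admin
SINKHOLE_IP = "0.0.0.0"  # assumption: blocked names get an unroutable answer


def _is_ip(token):
    try:
        ipaddress.ip_address(token)
        return True
    except ValueError:
        return False


def parse_blocklist(text):
    """Return the set of normalised domains in a hosts-style or plain list."""
    domains = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()    # strip comments, then tokenise
        if fields and _is_ip(fields[0]):
            names = fields[1:]                   # hosts format: drop the address
        elif len(fields) == 1:
            names = fields                       # one bare domain per line
        else:
            continue                             # blank or malformed line
        for name in names:
            name = name.rstrip(".").lower()
            if "." in name:                      # skip names such as localhost
                domains.add(name)
    return domains


def decide(qname, blocked, whitelist, upstream):
    """Answer one query as a DNS sinkhole would: sinkhole it or forward it."""
    name = qname.rstrip(".").lower()
    if name in blocked and name not in whitelist:    # exact-name match only
        return ("blocked", SINKHOLE_IP)
    return ("forwarded", upstream(name))
```

Because matching is by exact name in this sketch, a subdomain of a listed host is forwarded unless it is listed itself.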

slide-42
SLIDE 42

Setting up Pi-hole away from home

  • If you roll your own VPN on a VPS, you can set up Pi-hole on it. Then you can run it anywhere!

  • https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-server
slide-43
SLIDE 43

Are you a Pi-hole Power User?

  • Self-hosted DNS
  • Advanced Upstream DNS
  • Response Policy Zone (RPZ)
  • We have blog posts covering these topics!

Note: You don’t necessarily need to use these with Pi-hole

slide-44
SLIDE 44
  • 1. Your Own DNS Server
  • No DNS requests go to third-parties
  • Run your DNS server in the cloud
  • Pi-hole <--- DNSCRYPT ---> DNS server
  • More details in a blog post: Build a Privacy-Respecting and Threat-Blocking DNS Server

slide-45
SLIDE 45
  • 2. Advanced Upstream DNS
  • Third-party DNS servers
  • Complements Pi-Hole
  • Blocks malware and phishing
  • Admin panel
  • Block categories (adult, drugs, gambling, social media …)
  • DNS query logging and reporting
  • Manual blocking / whitelisting
  • Integration with real-time Threat Intelligence feeds ($$$ feature)
slide-46
SLIDE 46
  • 2. Advanced Upstream DNS
  • Strongarm https://strongarm.io
  • Comodo Dome Shield https://cdome.comodo.com/shield

  • OpenDNS https://signup.opendns.com/homefree
  • Quad 9 https://www.quad9.net
slide-47
SLIDE 47

Which is the best threat blocking DNS provider?

More info? https://blog.cryptoaustralia.org.au/2017/12/23/best-threat-blocking-dns-providers/

slide-48
SLIDE 48

Response Policy Zone (RPZ)

  • The previous two combined:
  • Use your own DNS server
  • Download RPZ-based block list
  • Register Strongarm business account (free)
  • Download BIND9.10+ config from https://app.strongarm.io/settings/rpz/

slide-49
SLIDE 49

Done! Let’s workshop it!

  • If you’ve brought along an RPi, use these instructions: https://cryptoa.us/centaurus
  • If you’re going to play along on the virtual machine, use these instructions: https://cryptoa.us/fornax
  • Join us on #Slack https://chat.cryptoaustralia.org.au/

slide-50
SLIDE 50

Where to get help after workshop

  • CryptoAUSTRALIA Slack channel #pi-hole-workshop-help https://chat.cryptoaustralia.org.au/
  • Pi-Hole website https://pi-hole.net/ (has links to Discourse(!), sub-Reddit, YouTube channel)
  • https://blog.cryptoaustralia.org.au