Block ads, trackers and malware with Raspberry Pi and Pi-hole https://cryptoaustralia.org.au Nick Kavadias nick@cryptoaustralia.org.au
Self promotion! • CryptoAUSTRALIA is a not-for-profit started by security and privacy enthusiast. • Finding practical ways of dealing with the modern privacy and security challenge.
We know how to internet.. @CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au
NOTICES 1. I will tolerate some interruptions. So call out questions. 2. The night is split into two parts 1. First preso ppt death (40 min?) 2. Then the workshop (the rest)
What we will be covering… 1. Why block the internet? 2. What is a DNS blackhole/sinkhole; 3. Pi-hole hardware and software supported; 4. My home Pi-hole install; 5. Advanced topics on DNS, lists and VPNs 6. Workshop with RPi / VM
Instructions (for later) • Have RPi (or like) device use: https://cryptoa.us/centaurus • VirtualBox or VMWare Fusion use: https://cryptoa.us/fornax Link to download VM in these instructions, we do have a local copies on usb
Can’t you just leave the internet alone? Flash ads which hijack pages; No! Pop-up and pop-under ads; Ads which stalk me on all my devices; Ad networks which track and profile me; Ads that tell me I’ve won stuff; and, Malvertising…
Tech support scams! how do they work? Check out Jim Browning’s YouTube channel
Pi-hole, the solution to all your problems?
No! No such thing as a silver bullet! But.. • Good job blocking ads and trackers out of the box • Not YouTube video ads, but you can do with some tinkering • It is easy to setup and configure; • network based; • It is not a traffic filter. • A ct as a second line of defence for malware/viruses • I still use browser extensions • … and antivirus
How DNS works normally https://go.gliffy.com/go/publish/12358860
How DNS works with Pi-hole https://go.gliffy.com/go/publish/12358867
Pi-Hole, not just for blocking ads and tracking • Out of the ‘box’ ads/trackers & C&C blacklists ; • Many additional lists which are well maintained by security community; • Upstream DNS services (power user!)
What a blocked page site looks like What about: • Images? • JavaScript? • Https? V3.2 now lets you customise block page
Do I need Raspberry Pi Hardware? • NOT Raspberry Pi exclusive • Well tested on Raspberry Pi SBCs • ARM, or Intel x86/x64 • Will work with a Pi Zero and a ethernet dongle • Works on other SBCs, like Orange-Pi, see this write-up. • Works on crappy old Intel desktops too
What OS will Pi-hole run on? • Will work on any modern Linux OS. Officially supported Linux distributions are:
How did I set Pi- hole up at my place?
Hardware I used: • Raspberry Pi 3 model B+ (overkill?) • 2 GB microSD card (smallest!) • microUSB cable for power into back of router • USB Y cables useful. • WARNING on underpowering: https://www.raspberrypi.org/help/faqs/#powerReqs
Software I used • Software: • Windows 10 & Etcher.io for prepping card https://etcher.io/ • Raspbian Lite https://www.raspberrypi.org/downloads/raspbian/ • Pi-hole – installed by piping URL to bash!
And you can too, with my easy 5 Step Plan..
Step 1: Put image on SD Card • Format SD • Etcher.io • touch /boot/ssh Windows will try reformat unknown card because ext4. IGNORE IT
Step 2: Plug into network • Patch into home router • Power with microUSB • if you don’t have a USB slot close by, an old 1 amp USB charger will do.
Step 3: Figure out IP address of RPi? This is the hardest part of the whole process! There are a few methods to try….
Step 3: Method 0 - PING If you’re feeling lucky, try PING ping raspberrypi
Step 3: Method 1 - DHCP table on router?
Step 3: Method 2 - Network Scanning • Good ol’ IP scanning. Pick one: • Nmap sudo apt install nmap • Angry IP Scanner http://angryip.org/download/ • Masscan https://github.com/robertdavidgraham/mass can • Arp-scan https://github.com/royhills/arp- scan • Scan before, and after. See what’s new!
AngryIP Scanner
Step 3: Method 3 • Plug RPi into a monitor and boot!
Step 4: Run installer • ssh pi@raspberry • curl -sSL https://install.pi- hole.net | bash Bad idea? Read why
Pi-hole is up and running.. But not a for all devices… yet • Connect to web admin using http://pi.hole/admin • Pi-hole over-take DHCP, (disable on your your router) I’ve done this on my setup because: • network printer • Get actual hostnames in your Pi-hole log
(Optional) Test it out? • Reconfigure a test computer to use the IP address of Pi-Hole for its DNS.
Step 5: Re-configure router DNS settings • Log into your router. • No idea how? Find your default gateway IP and try connecting with browser, e.g. http://192.168.1.1 • ipconfig or ifconfig • To get all devices on your network to use Pi-hole for DNS, you have to make a choice…
You have two choices for router config Change Disable IP for DHCP & DNS have Pi- Server hole do it Questions????
Changing IP for DNS on my home router
Or...Disable DHCP on router
…and turn on DHCP Server on Pi-hole
Blocklists • Default blocklists in /etc/pihole/adlists.list • Blocklist collection here: https://wally3k.github.io/ • Your Pi-hole has a cronjob which runs pihole updateGravity once a week . • Refer to our blog post CryptoAUSTRALIA's Favourite Block Lists
Blocklists using the web admin interface You can: - whitelist hosts - temporarily disable all blocks with a timer/ manually You cannot: - Make exceptions for local devices
Setting up Pi-hole away from home • If you roll your own VPN on a VPS, you can setup Pi-hole on it. Then you can run it anywhere! • https://github.com/pi-hole/pi-hole/wiki/Pi-hole---OpenVPN-server
Are you a Pi-hole Power User? • Self-hosted DNS • Advanced Upstream DNS • Response Policy Zone (RPZ) • We have blog posts covering these topics! Note: You don’t need to necessarily use these with Pi- Hole
1. Your Own DNS Server • No DNS requests go to third-parties • Run your DNS server in the cloud • Pi-hole <--- DNSCRYPT ---> DNS server • More details in a blog post Build a Privacy-Respecting and Threat- Blocking DNS Server
2. Advanced Upstream DNS • Third-party DNS servers • Complements Pi-Hole • Blocks malware and phishing • Admin panel • Block categories (adult, drugs, gambling, social media …) • DNS query logging and reporting • Manual blocking / whitelisting • Integration with real-time Threat Intelligence feeds ($$$ feature)
2. Advanced Upstream DNS • Strongarm https://strongarm.io • Comodo Dome Shield https://cdome.comodo.com/shield • OpenDNS https://signup.opendns.com/homefree • Quad 9 https://www.quad9.net
Which is the best threat blocking DNS provider? More info? https://blog.cryptoaustralia.org.au/2017/12/23/ best-threat-blocking-dns-providers/
Response Policy Zone (RPZ) • The previous two combined: • Use your own DNS server • Download RPZ-based block list • Register Strongarm business account (free) • Download BIND9.10+ config from https://app.strongarm.io/settings/rpz/
Done! Let Workshop it! • If you’ve brought along a RPi, use these instructions: https://cryptoa.us/centaurus • If you’ve going to play along on the virtual machine, use these instructions: https://cryptoa.us/fornax • Join us on #Slack https://chat.cryptoaustralia.org.au/
Where to get help after workshop CryptoAUSTRALIA Slack channel #pi-hole-workshop-help https://chat.cryptoaustralia.org.au/ Pi-Hole website https://pi-hole.net/ Has links to Discourse(!) , sub- Reddit, YouTube channel https://blog.cryptoaustralia.org.au
Recommend
More recommend
