====== Pi-Hole DNS Sinkhole and Ad Blocker ======

It may just be easier to use the free AdGuard DNS servers: https://adguard-dns.io/en/public-dns.html

  * https://pi-hole.net/
  * https://github.com/pi-hole/pi-hole
  * https://discourse.pi-hole.net/t/hardware-software-requirements
  * https://docs.pi-hole.net/main/prerequesites/
  * https://discourse.pi-hole.net/t/seven-things-you-may-not-know-about-pi-hole
  * https://freek.ws/2017/03/18/public-pi-hole/

**CLI**: https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738

**Blocklist List**: https://firebog.net/

===== Flush DNS Cache =====

<code bash>
pihole restartdns reload-lists
</code>

===== Update =====

<code bash>
pihole -up
</code>

===== Install =====

<code bash>
curl -sSL https://install.pi-hole.net | bash
</code>

===== Password =====

Change the ''pihole'' user password used to log in to the web interface:

<code bash>
pihole -a -p
</code>

===== Firewall =====

Pi-Hole seems to work fine with only **port 53 (TCP and UDP)** exposed publicly. Port 80 needs to be open for the web administration, and probably SSH as well. In the CSF firewall, **we do not globally open these ports**; we only open them to the US using:

<code>
CC_ALLOW_PORTS = US
CC_ALLOW_PORTS_TCP = 53,22
CC_ALLOW_PORTS_UDP = 53
</code>

==== Botnet Attack ====

=== IP Address List ===

:!: You can use this list with Mikrotik routers and other devices.

Create an IP list from the last two days of logs using ''ELDERJUSTICE'' as the search term:

<code bash>
# Take the last field (the client IP) rather than a fixed column number:
# a single-digit day is padded with a second space, which shifts the columns.
cat /var/log/pihole.log /var/log/pihole.log.1 | grep query | grep -v 127.0.0.1 | grep ELDERJUSTICE | awk '{print $NF}' | sort -u > evildoers.txt
</code>

=== CSF ===

We use the CSF firewall for bastion hosts.

:!: ''LF_SELECT = 0'' means that the rule will block all ports, not just the one named in the rule.
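The one-liner above and the CSF rule that follows both key on the same dnsmasq log line shape (''query[TYPE] domain from IP''). The script below is an added example, not code from the Pi-Hole project or from this page: it extracts the client IPs that queried a given name from pihole.log-style lines, drops the loopback address as the one-liner does, counts queries per client, and lists the clients at or above a hit threshold (the same idea as the count in the CSF rule). The log lines are constructed samples; the function names are this example's own.

```shell
#!/bin/sh
# Added example (not Pi-Hole project code): list and count the clients that
# queried one domain, from dnsmasq-format pihole.log lines.
# Real use:  offending_ips elderjustice.gov < /var/log/pihole.log

# Constructed sample log. The double space before a single-digit day shifts
# whitespace-split column numbers, which is why the functions take the LAST
# field as the IP instead of a fixed column.
SAMPLE_LOG='Apr  2 10:00:01 dnsmasq[812]: query[A] elderjustice.gov from 203.0.113.10
Apr  2 10:00:02 dnsmasq[812]: query[A] example.com from 192.168.1.20
Apr  2 10:00:03 dnsmasq[812]: query[ANY] elderjustice.gov from 203.0.113.10
Apr 12 10:00:04 dnsmasq[812]: query[A] elderjustice.gov from 198.51.100.7
Apr 12 10:00:05 dnsmasq[812]: forwarded elderjustice.gov to 1.1.1.1
Apr 12 10:00:06 dnsmasq[812]: query[AAAA] elderjustice.gov from 127.0.0.1
Apr 12 10:00:07 dnsmasq[812]: query[A] ELDERJUSTICE.GOV from 203.0.113.10'

# match_queries DOMAIN   (log on stdin)
# Keeps only "query[TYPE] DOMAIN from IPv4" lines, case-insensitively, and
# drops the resolver's own loopback address, as the page's one-liner does.
match_queries() {
    dom=$(printf '%s' "$1" | sed 's/\./\\./g')   # make the dots literal in the ERE
    grep -iE "^[^ ]+ +[0-9]+ +[^ ]+ [^ ]+ query\[[A-Z]+\] ${dom} from ([0-9]+\.){3}[0-9]+$" \
        | grep -v ' from 127\.0\.0\.1$'
}

# offending_ips DOMAIN   (log on stdin) -> unique client IPs, one per line
offending_ips() {
    match_queries "$1" | awk '{print $NF}' | sort -u
}

# query_counts DOMAIN   (log on stdin) -> "COUNT IP" per client, busiest first
query_counts() {
    match_queries "$1" | awk '{print $NF}' | sort | uniq -c | sort -rn \
        | awk '{print $1, $2}'
}

# clients_over_threshold DOMAIN N   (log on stdin) -> IPs with at least N queries
clients_over_threshold() {
    query_counts "$1" | awk -v n="$2" '$1 >= n {print $2}'
}

# Demonstration on the constructed sample:
echo "clients that queried elderjustice.gov:"
printf '%s\n' "$SAMPLE_LOG" | offending_ips elderjustice.gov
echo "queries per client:"
printf '%s\n' "$SAMPLE_LOG" | query_counts elderjustice.gov
echo "clients with 3 or more queries:"
printf '%s\n' "$SAMPLE_LOG" | clients_over_threshold elderjustice.gov 3
```

Because the IP is taken as the last whitespace-separated field, the functions give the same answer on 2 April ("Apr  2") and 12 April ("Apr 12"); a fixed ''cut -f9'' only works on one of the two.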
RegEx to find the IP address of a client querying ELDERJUSTICE.GOV:

<code>
^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)
</code>

<code bash>
vim /usr/local/csf/bin/regex.custom.pm
</code>

Inserting this will temporarily block the attacker for one week (604800 seconds):

<code perl>
# Pihole
# Return fields: description, matched IP, rule name, hit count before blocking,
# port to block (all ports when LF_SELECT = 0), temporary block time in seconds.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)/)) {
    return ("DNS attack from",$1,"mydnsmatch","3","53","604800");
}
</code>

Point CSF at the Pi-Hole log:

<code bash>
vim /etc/csf/csf.conf
</code>

Change:

<code>
CUSTOM1_LOG = "/var/log/pihole.log"
</code>

Restart CSF:

<code bash>
csf -ra
</code>

===== Recursive DNS =====

Add recursion **after** your Pi-Hole is already up and running to your satisfaction.

https://docs.pi-hole.net/guides/unbound/

The default Pi-Hole is a **forwarding** DNS server: it forwards queries to upstream DNS servers. The All Around DNS Solution adds **recursion**. This matters where queries are limited by source IP address, such as with free DNSBLs.

===== Exclude Some Clients =====

:!: Use the **firewall** to block abusive external (recursive) clients.

https://www.vikash.nl/exclude-client-devices-with-pi-hole-5/

===== Troubleshooting =====

If the admin web interface gets wonky, try this as a temporary fix:

<code bash>
pihole -f
</code>

Also try giving PHP more RAM. The default is 128M, but you can give a lot more depending on your server's physical resources:

<code bash>
vim /etc/php/7.2/cgi/php.ini
</code>

<code>
memory_limit = 1024M
</code>