Virtual Architects Support Wiki

User Tools

Site Tools

You are here: start » internet » security » pihole
Trace: pihole
internet:security:pihole

Table of Contents

Pi-Hole DNS Sinkhole and Ad Blocker

It may just be easier to use free AdGuard DNS servers…

https://adguard-dns.io/en/public-dns.html

https://pi-hole.net/

https://github.com/pi-hole/pi-hole

https://discourse.pi-hole.net/t/hardware-software-requirements

https://docs.pi-hole.net/main/prerequesites/

https://discourse.pi-hole.net/t/seven-things-you-may-not-know-about-pi-hole

https://freek.ws/2017/03/18/public-pi-hole/

CLI: https://discourse.pi-hole.net/t/the-pihole-command-with-examples/738

Blocklist List: https://firebog.net/

Flush DNS Cache

pihole restartdns reload-lists

Update

pihole -up

Install

curl -sSL https://install.pi-hole.net | bash

Password

Change the pihole user password used to log in to the web interface: 

pihole -a -p

Firewall

Pi-Hole seems to work fine with only port 53 (TCP and UDP) exposed publicly.

Port 80 needs to be open for the web administration, and probably SSH as well.

In the CSF firewall, we do not globally open these ports, we only open them up to the US using: 

CC_ALLOW_PORTS = US
CC_ALLOW_PORTS_TCP = 53,22
CC_ALLOW_PORTS_UDP = 53

Botnet Attack

IP Address List

:!: You can use this with Mikrotik routers and other devices.

Create an IP list from the last two days using ELDERJUSTICE as the search term: 

cat /var/log/pihole.log |grep query |grep -v 127.0.0.1 |grep ELDERJUSTICE | cut -d" " -f9 |sort | uniq > evildoers.txt
cat /var/log/pihole.log.1 |grep query |grep -v 127.0.0.1 |grep ELDERJUSTICE | cut -d" " -f9 |sort | uniq >> evildoers.txt

CSF

We use CSF firewall for bastion hosts.

:!: LF_SELECT = 0 means that the rule will block all ports.

RegEx to find IP of attacker of ELDERJUSTICE.GOV: 

^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)
vim /usr/local/csf/bin/regex.custom.pm

Inserting this will temporarily block the attacker for one week (604800 seconds): 

# Pihole
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)/)) {
return ("DNS attack from",$1,"mydnsmatch","3","53","604800");
}
vim /etc/csf/csf.conf

Change: 

CUSTOM1_LOG = "/var/log/pihole.log"

Restart CSF: 

csf -ra

Recursive DNS

Add recursion after your Pi-Hole is already up and running to your satisfaction.

https://docs.pi-hole.net/guides/unbound/

The default Pi-Hole is a forwarding DNS server. It forwards queries to upstream DNS servers.

The All Around DNS Solution adds recursion. This is important in certain circumstances where queries are limited by IP address, such as free DNSBLs.

Exclude Some Clients

:!: Use the firewall to block abusive external (recursive) clients.

https://www.vikash.nl/exclude-client-devices-with-pi-hole-5/

Troubleshooting

If the admin web interface gets wonky, try this as a temporary fix: 

pihole -f

Also try giving PHP more RAM. The default is 128M, but you can give a lot more depending on your server's physical resources: 

vim /etc/php/7.2/cgi/php.ini

memory_limit = 1024M
internet/security/pihole.txt · Last modified: 2023/02/03 11:00 by gcooper

Page Tools

Except where otherwise noted, content on this wiki is licensed under the following license: CC Attribution-Share Alike 4.0 International
CC Attribution-Share Alike 4.0 International Donate Powered by PHP Valid HTML5 Valid CSS Driven by DokuWiki