User Tools
This is an old revision of the document!
Pi-Hole DNS Sinkhole and Ad Blocker
https://github.com/pi-hole/pi-hole
https://discourse.pi-hole.net/t/hardware-software-requirements
https://docs.pi-hole.net/main/prerequesites/
https://discourse.pi-hole.net/t/seven-things-you-may-not-know-about-pi-hole
Update
pihole -up
Install
curl -sSL https://install.pi-hole.net | bash
Password
Change the pihole user password used to log in to the web interface:
pihole -a -p
Firewall
Pi-Hole seems to work fine with only port 53 (TCP and UDP) exposed publicly.
Port 80 needs to be open for the web administration.
Attack
We use CSF firewall for bastion hosts.
LF_SELECT = 0 means that the rule will block all ports.
Create an IP list from the last two days:
cat /var/log/pihole.log |grep query |grep ELDERJUSTICE | cut -d" " -f9 |sort | uniq > evildoers.txt cat /var/log/pihole.log.1 |grep query |grep ELDERJUSTICE | cut -d" " -f9 |sort | uniq >> evildoers.txt
RegEx to find IP of attacker of ELDERJUSTICE.GOV:
^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)
vim /usr/local/csf/bin/regex.custom.pm
Inserting this will temporarily block the attacker for one week (604800 seconds):
# Pihole
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE.GOV from (\d+\.\d+\.\d+\.\d+)/)) {
return ("DNS attack from",$1,"mydnsmatch","3","53","604800");
}
vim /etc/csf/csf.conf
Change:
CUSTOM1_LOG = "/var/log/pihole.log"
Reboot needed?
