Pi-Hole DNS Sinkhole and Ad Blocker

Flush DNS Cache

pihole restartdns

Update

pihole -up

Install

curl -sSL https://install.pi-hole.net | bash

Password

Change the pihole user password used to log in to the web interface:

pihole -a -p

Firewall

Pi-Hole seems to work fine with only port 53 (TCP and UDP) exposed publicly.

Port 80 needs to be open for the web administration, and probably SSH as well.

In the CSF firewall we do not open these ports globally; we only open them to US addresses using:

CC_ALLOW_PORTS = "US"
CC_ALLOW_PORTS_TCP = "53,22222"
CC_ALLOW_PORTS_UDP = "53"

Botnet Attack

We use CSF firewall for bastion hosts.

Note: LF_SELECT = 0 means that the rule will block all ports.

Create an IP list from the last two days:

# Source addresses that queried ELDERJUSTICE.GOV in today's and yesterday's log.
# The client IP is the last field; taking it with awk avoids the field shift that
# cut -f9 suffers when dnsmasq pads single-digit days with two spaces ("Feb  6").
grep -h 'query\[' /var/log/pihole.log /var/log/pihole.log.1 | grep -v 127.0.0.1 | grep ELDERJUSTICE | awk '{print $NF}' | sort -u > evildoers.txt

Regex that extracts the source IP of a query for ELDERJUSTICE.GOV from pihole.log:

^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE\.GOV from (\d+\.\d+\.\d+\.\d+)

Add it to the CSF custom regex file:

vim /usr/local/csf/bin/regex.custom.pm

Inserting this will temporarily block the attacker for one week (604800 seconds):

# Pihole
# Return fields: log text, IP to block, rule name, matches before blocking,
# port(s) to block (only used when LF_SELECT = 1), temporary block TTL in seconds.
if (($lgfile eq $config{CUSTOM1_LOG}) and ($line =~ /^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] ELDERJUSTICE\.GOV from (\d+\.\d+\.\d+\.\d+)/)) {
    return ("DNS attack from",$1,"mydnsmatch","3","53","604800");
}
vim /etc/csf/csf.conf

Change:

CUSTOM1_LOG = "/var/log/pihole.log"

Reboot needed?
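
As an added example (not part of this wiki page, of csf or of Pi-hole), the same match the CSF rule performs, run in Python over constructed pihole.log lines: it counts queries for the target name per client address, skips loopback like the grep pipeline above, reports clients that reached the trigger count of three, and renders the equivalent one-week csf -td block. The sample log lines and the RFC 5737 addresses in them are constructed.

```python
import re
from collections import Counter

TARGET = "ELDERJUSTICE.GOV"
TRIGGER = 3              # matches before a block, as in the CSF rule
BLOCK_SECONDS = 604800   # one week, as in the CSF rule

# Same pattern as the CSF rule, with the dots in the name escaped so they match
# literally. The \s+ after the month absorbs the two spaces dnsmasq uses for
# single-digit days ("Feb  6").
QUERY_RE = re.compile(
    r"^\S+\s+\d+\s+\S+ \S+ query\[[A-Z]+\] " + re.escape(TARGET)
    + r" from (\d+\.\d+\.\d+\.\d+)"
)

# Constructed sample lines in pihole.log (dnsmasq) format; the client addresses
# are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
Feb  6 14:17:01 dnsmasq[1234]: query[A] ELDERJUSTICE.GOV from 203.0.113.10
Feb  6 14:17:01 dnsmasq[1234]: forwarded ELDERJUSTICE.GOV to 192.0.2.1
Feb  6 14:17:02 dnsmasq[1234]: query[ANY] ELDERJUSTICE.GOV from 203.0.113.10
Feb  6 14:17:02 dnsmasq[1234]: query[A] example.com from 192.0.2.5
Feb  6 14:17:03 dnsmasq[1234]: query[A] ELDERJUSTICE.GOV from 127.0.0.1
Feb 10 09:00:00 dnsmasq[1234]: query[TXT] ELDERJUSTICE.GOV from 203.0.113.10
Feb 10 09:00:01 dnsmasq[1234]: query[A] ELDERJUSTICE.GOV from 198.51.100.7
""".splitlines()


def attacker_ips(lines, trigger=TRIGGER):
    """Return {ip: count} for clients that queried TARGET at least `trigger`
    times. Loopback is skipped, as the grep -v 127.0.0.1 pipeline does."""
    counts = Counter()
    for line in lines:
        m = QUERY_RE.match(line)
        if m and m.group(1) != "127.0.0.1":
            counts[m.group(1)] += 1
    return {ip: n for ip, n in counts.items() if n >= trigger}


def csf_deny_commands(lines):
    """The temporary block the rule would apply, as csf -td commands."""
    return [f"csf -td {ip} {BLOCK_SECONDS} 'DNS attack from {ip}'"
            for ip in sorted(attacker_ips(lines))]


if __name__ == "__main__":
    for cmd in csf_deny_commands(SAMPLE_LOG):
        print(cmd)
```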

All Around DNS Solution

Add recursion after your Pi-Hole is already up and running to your satisfaction.

https://docs.pi-hole.net/guides/unbound/

The default Pi-Hole is a forwarding DNS server. It forwards queries to upstream DNS servers.

The All Around DNS Solution adds recursion. This matters where an upstream service limits queries by source IP address, as free DNSBLs do.

Troubleshooting

If the admin web interface gets wonky:

pihole -f

internet/security/pihole.1612646224.txt.gz · Last modified: 2021/02/06 14:17 by gcooper