UPDATE 14.02.2019: Network-wide Ad Blocking with Pi-hole

Reading Time: 4 minutes

Are you annoyed by all the ads that keep spreading across the whole web? Maybe here's a way out: have a look at the Pi-hole project.

What can Pi-hole do for me?

Basically, Pi-hole is a piece of software that runs on small computers or single-board computers like a Raspberry Pi. Used in your home network, it blocks all known ad-serving domains using its integrated and frequently updated blacklists.

How does it work?

It works as an internal DNS server for your home network. Many of you will have your router doing this job at home. Pi-hole takes the place of your current home DNS server and intercepts all queries for known ad-serving domains, so the ads can't be fetched and are not displayed on your browsing device.

Supported Operating Systems

Pi-hole is available for a bunch of operating systems like Raspbian, Ubuntu, Fedora, Debian and CentOS (not on ARM). Even a Docker image is available.

Sounds great, how to get it?

I will explain the installation in this example for a Raspberry Pi running Raspbian. Just start an SSH session or open your Terminal. The installation, including a setup wizard, is started by running the following command:

curl -sSL https://install.pi-hole.net | bash

It will install all the dependencies (like lighttpd) and guide you through the installation. If you are already running a DNS service on the box where you want to install Pi-hole, you need to uninstall it first, as Pi-hole uses port 53 for its DNS service. During the installation, the setup will ask you which external DNS servers to use. I recommend using Cloudflare's 1.1.1.1 DNS and Quad9's 9.9.9.9 DNS. Both are really fast, and they respect your privacy.
At the end of the installation, the wizard prints a generated password. This can be changed later from your Terminal session by typing

pihole -a -p

When everything is finished, the admin interface is accessible in your browser at http://ipaddress/admin (with ipaddress being the IP of your Pi-hole).

Pi-hole dashboard (image source: chris90.de | GPLv3)

Option a) Configure your router to use Pi-hole’s DNS

In most cases, the IP addresses at home are assigned via DHCP by your local router. How to change the DNS server it hands out differs from router to router, but long story short: usually your router is accessible via a web UI. Log in there and look for the DHCP settings; that is where you can change the DNS server that is handed out to your clients.

Option b) Configure your DNS server to use Pi-hole for external DNS requests

In my case, I am using a Synology NAS as my home DNS server; all clients are configured to use the NAS IP as their DNS server. In that case, I just needed to switch the IP of the forwarders to use Pi-hole for external requests.

Example: Configure Synology DNS to use Pi-hole (image source: chris90.de | GPLv3)

Helpful links

If you need support, you can visit the Pi-hole community forum.
You can find more information about installing and configuring Pi-hole in the project's GitHub repo.

UPDATE 28.01.2019: Add more blocklists to Pi-hole

Just a quick update here. The default package already ships with a bunch of blocklists, but you may want to add more. I'll show you how to do it.
I recommend using the lists from The Firebog. They are even available as a copy/pasteable version. You only need to choose whether you want the Ticked lists, the Non-crossed lists or All lists (that's what I did). In addition, I used a few more for German ads. These URLs need to be copy/pasted one by one into adlists.list, but it's worth it.
Open a console on your Pi-hole server and edit the file /etc/pihole/adlists.list.
Just add your new URLs to the end of the file. Here's my current blocklist. It is blocking about 1.2 million domains at the moment.

#### pihole-package lists
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
#### firebog lists
https://hosts-file.net/grm.txt
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://v.firebog.net/hosts/BillStearns.txt
http://sysctl.org/cameleon/hosts
https://www.dshield.org/feeds/suspiciousdomains_Low.txt
https://www.dshield.org/feeds/suspiciousdomains_Medium.txt
https://www.dshield.org/feeds/suspiciousdomains_High.txt
https://www.joewein.net/dl/bl/dom-bl-base.txt
https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt
https://hostsfile.org/Downloads/hosts.txt
https://someonewhocares.org/hosts/zero/hosts
https://raw.githubusercontent.com/Dawsey21/Lists/master/main-blacklist.txt
https://raw.githubusercontent.com/vokins/yhosts/master/hosts
http://winhelp2002.mvps.org/hosts.txt
https://hostsfile.mine.nu/hosts0.txt
https://v.firebog.net/hosts/Kowabit.txt
https://adblock.mahakala.is
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
https://v.firebog.net/hosts/Easylist.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts;showintro=0
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/UncheckyAds/hosts
https://www.squidblacklist.org/downloads/dg-ads.acl
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://v.firebog.net/hosts/Airelle-trc.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://mirror1.malwaredomains.com/files/justdomains
https://hosts-file.net/exp.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/psh.txt
https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Prigent-Phishing.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://v.firebog.net/hosts/Shalla-mal.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts
https://www.squidblacklist.org/downloads/dg-malicious.acl
https://raw.githubusercontent.com/HorusTeknoloji/TR-PhishingList/master/url-lists.txt
https://v.firebog.net/hosts/Airelle-hrsk.txt
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
### german lists
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/appads.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/hbbtv.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/adobeblock.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/nintendoblock.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/nomsdata.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/youtube.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/jbfake.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/gamefake.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/fakenewsde.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/cryptomine.txt
https://raw.githubusercontent.com/Akamaru/Pi-Hole-Lists/master/other.txt

When you're done editing, save the file and execute the following command to fetch the new lists. I needed to whitelist s3.amazon.com and hosts-file.net afterwards.

pihole -g
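As an added example (not from the original post), the following POSIX shell functions maintain adlists.list the way the steps above describe, but refuse duplicate entries (the list above repeats a few URLs, for instance the sysctl.org cameleon hosts file) and can deduplicate an existing file. The file path is a parameter, so you can try it on a copy before pointing it at /etc/pihole/adlists.list; the sample URLs are constructed.

```shell
#!/bin/sh
# Added example (not from the original post): maintain Pi-hole's adlists.list
# without duplicate entries. FILE is a parameter so the functions can be tried
# on a copy; on the Pi the real file is /etc/pihole/adlists.list (see above).

# add_adlist FILE URL: append URL if it looks like an http(s) URL and is not
# already present. Returns 0 when appended, 1 when skipped.
add_adlist() {
  file=$1; url=$2
  case $url in
    http://*|https://*) ;;
    *) echo "skip (not an http/https URL): $url" >&2; return 1 ;;
  esac
  [ -f "$file" ] || : > "$file"
  if grep -Fxq -e "$url" "$file"; then
    echo "skip (already listed): $url" >&2; return 1
  fi
  printf '%s\n' "$url" >> "$file"
}

# count_adlists FILE: number of list URLs, ignoring '#' comments and blank lines.
count_adlists() {
  grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# dedupe_adlists FILE: drop repeated URLs (first occurrence wins) while keeping
# comment and blank lines, so 'pihole -g' does not fetch the same list twice.
dedupe_adlists() {
  tmp=$(mktemp) || return 1
  awk '/^[[:space:]]*#/ || /^[[:space:]]*$/ { print; next } !seen[$0]++' "$1" > "$tmp" &&
    mv "$tmp" "$1"
}

# Stand-alone demo on a constructed copy; the real file then needs 'pihole -g'.
if [ "${1:-}" = demo ]; then
  f=$(mktemp)
  printf '%s\n' '#### constructed sample' 'https://example.invalid/a.txt' \
    'https://example.invalid/a.txt' > "$f"
  add_adlist "$f" 'https://example.invalid/b.txt'
  dedupe_adlists "$f"
  echo "lists in file: $(count_adlists "$f")"
  rm -f "$f"
fi
```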

UPDATE 06.02.2019: Update Pi-hole

Nearly forgot to mention it: how do you update Pi-hole? The web interface might tell you that there is an update available. Unfortunately there is no PPA for Debian/Ubuntu at the moment, but luckily it's quite easy. Open a shell on your server and just type

pihole -up

It will fetch everything needed from Pi-hole's Git repo and update your installation automatically. At the moment, updating via the web UI is not possible: the update restarts the web service, and this would break the update process.

UPDATE 14.02.2019: Use an SSL certificate and SSL redirect with Pi-hole's lighttpd

By default, the Pi-hole package sets up its website without any SSL certificate. As you have to type your password here, and it would be sent over an unencrypted connection, using it in its default configuration is not recommendable.

For lighttpd you need to build one combined PEM file. This is really not a big deal, as we are already on a Linux system 🙂 You need your certificate, the private key and the intermediate CA certificate. In this example I placed all files in /etc/lighttpd/ssl/pihole.example.com/

cat /etc/lighttpd/ssl/pihole.example.com/privkey.pem \
/etc/lighttpd/ssl/pihole.example.com/cert.pem | \
tee /etc/lighttpd/ssl/pihole.example.com/combined.pem

To ensure lighttpd is able to read the certificates, we need to change the ownership.

chown -R www-data: /etc/lighttpd/ssl

Now edit /etc/lighttpd/external.conf (make sure that you replace pihole.example.com with the FQDN of your Pi-hole server, and replace the pemfile and ca-file paths with your own paths):

$HTTP["host"] == "pihole.example.com" {

  setenv.add-environment = ("fqdn" => "true")

  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    # combined.pem = private key + server certificate (built above)
    ssl.pemfile = "/etc/lighttpd/ssl/pihole.example.com/combined.pem"
    # intermediate CA chain handed to clients
    ssl.ca-file = "/etc/lighttpd/ssl/pihole.example.com/fullchain.pem"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}

Nearly done: just restart the lighttpd service and everything is finished.
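As an added example (not from the original post), here is a small POSIX shell script that performs the combine step above with a restrictive file mode from the start and then checks the result before lighttpd is restarted: exactly one private key, at least one certificate, and no world-read bit left on the file (the chown step stays as described above). All paths are assumptions passed as arguments, and the PEM blocks in the demo are constructed placeholders, not real key material.

```shell
#!/bin/sh
# Added example (not from the original post): build lighttpd's combined PEM
# and check it before restarting the service. All paths are arguments; the
# post uses /etc/lighttpd/ssl/pihole.example.com/{privkey,cert,combined}.pem.

# build_combined_pem KEY CERT OUT: concatenate key and certificate as the
# post's cat|tee does, but create OUT with a restrictive mode from the start
# so the private key is never world-readable (640: owner rw, www-data group r).
build_combined_pem() {
  ( umask 077 && cat "$1" "$2" > "$3" ) || return 1
  chmod 640 "$3"
}

# verify_combined_pem FILE: 0 if FILE holds exactly one private key, at least
# one certificate, and no world-read bit; otherwise print the reason, return 1.
verify_combined_pem() {
  f=$1
  [ -r "$f" ] || { echo "$f: not readable" >&2; return 1; }
  keys=$(grep -c -e '-----BEGIN .*PRIVATE KEY-----' "$f" || true)
  certs=$(grep -c -e '-----BEGIN CERTIFICATE-----' "$f" || true)
  [ "$keys" -eq 1 ] || { echo "$f: expected 1 private key, found $keys" >&2; return 1; }
  [ "$certs" -ge 1 ] || { echo "$f: no certificate block" >&2; return 1; }
  # -perm -004 matches when the world-read bit is set (portable octal form)
  [ -z "$(find "$f" -perm -004)" ] || { echo "$f: world-readable" >&2; return 1; }
}

# demo_combined_pem: run build+verify on constructed placeholder PEM blocks
# (not real key material) in a temporary directory; returns verify's status.
demo_combined_pem() {
  d=$(mktemp -d) || return 1
  printf '%s\n' '-----BEGIN PRIVATE KEY-----' 'Y29uc3RydWN0ZWQga2V5IHBsYWNlaG9sZGVy' \
    '-----END PRIVATE KEY-----' > "$d/privkey.pem"
  printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Y29uc3RydWN0ZWQgY2VydCBwbGFjZWhvbGRlcg==' \
    '-----END CERTIFICATE-----' > "$d/cert.pem"
  if build_combined_pem "$d/privkey.pem" "$d/cert.pem" "$d/combined.pem" &&
     verify_combined_pem "$d/combined.pem"; then rc=0; else rc=1; fi
  rm -rf "$d"
  return $rc
}

if [ "${1:-}" = demo ]; then demo_combined_pem && echo "combined.pem OK"; fi
```

On the real files, `openssl pkey -in combined.pem -pubout` and `openssl x509 -in combined.pem -pubkey -noout` should print the same public key, which confirms the key and certificate belong together before you restart lighttpd.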