
Pi-hole DNS Ad-blocking Server

Network-wide ad blocking via your own Linux hardware. No client-side software required.

Installation von Docker und Docker-Compose

Step 1 - Update the System and install Docker:

# apt-get update
# apt-get upgrade

# apt-get install docker-ce

Step 2 - Install docker-compose binary:

Neueste Version auf GitHub nachschauen: docker-compose

# curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose

# chmod +x /usr/local/bin/docker-compose
# curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose

# docker-compose version

Installation eines gehärteten Unbound DNS-Servers

# apt-get install unbound

# cd /var/lib/unbound/
# wget -O root.hints https://www.internic.net/domain/named.root
# chown unbound:unbound /var/lib/unbound/root.hints

# vim /etc/unbound/unbound.conf.d/blackNET.conf

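server:
    # Log level: 1 = operational messages only. Raise temporarily when debugging.
    verbosity: 1
    # Non-standard port so Pi-hole (port 53) and Unbound can share the host.
    # Pi-hole reaches it as DNS1=127.0.0.1#5353 (see docker_compose.yml).
    # No interface:/access-control: lines are given, so Unbound keeps its defaults
    # (listen on localhost, refuse queries from non-local clients).
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the servers authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    # (newer guides use 1232, the value recommended by DNS flag day 2020)
    edns-buffer-size: 1472

    # TTL bounds for cache
    # cache-min-ttl overrides authoritative TTLs shorter than one hour, so records
    # that change upstream (e.g. during a failover) may be served stale for up to 1h.
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    # Upstream answers that point into these ranges are stripped (DNS rebinding
    # protection). Link-local and the IPv6 ULA/link-local ranges are listed too so
    # rebinding to those addresses is blocked as well.
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: 169.254.0.0/16
    private-address: fd00::/8
    private-address: fe80::/10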

# systemctl restart unbound
# systemctl status unbound

# netstat -tulpn
# dig blackgate.org @127.0.0.1 -p 5353

// -------------------------- TESTING VON DNS-SEC: --------------------------
# dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353

Installation / Deployment von pi-hole

Erstellen der benötigten Files und Verzeichnisse

# mkdir /opt/docker-pihole

Optional: blackGATE custom design! Achtung: Falls das Custom-Design nicht gewünscht wird, die ERSTE markierte Zeile im docker_compose.yml WEGLASSEN sowie das nachfolgende File und den Ordner nicht erstellen.

# mkdir /opt/docker-pihole/adminCMS
# vim /opt/docker-pihole/adminCMS/pi-hole.css

/* Pi-hole: A black hole for Internet advertisements
*  (c) 2017 Pi-hole, LLC (https://pi-hole.net)
*  Network-wide ad blocking via your own hardware.
*  CSS BY MICHU!!!
*  This file is copyright under the latest version of the EUPL.
*  Please see LICENSE file for your rights under this license. */

/* ---------------------------blackGATE RULES-----------------------------------*/
/* This file is bind-mounted over the stylesheet shipped inside the pihole image
   (see docker_compose.yml), so it masks upstream changes to that stylesheet: the
   "Default RULES" section at the bottom has to be kept in sync with the admin
   version of the image in use. */
/* BACKGROUND:*/
body {
    background-color: #232323 !important;
}
/* Fetched from an external host every time the admin page renders: the admin's
   browser must be able to reach www.blackgate.org, and that server sees each
   admin visit. Serve the image from the Pi-hole web root if that matters. */
.layout-boxed {
    background: url(https://www.blackgate.org/wood.jpg) !important;
}


/* PAGE FORMATING:*/
.skin-blue .main-header .logo {
    background-color: #4a4a4a !important;
}
.skin-blue .main-header .navbar {
    background-color: #383838 !important;
}
.skin-blue .wrapper, .skin-blue .main-sidebar, .skin-blue .left-side {
    background-color: #2b2b2b !important;
}
.skin-blue .sidebar-menu>li.header {
    color: #717171 !important;
    background: #212121 !important;
}
.skin-blue .sidebar-menu>li:hover>a, .skin-blue .sidebar-menu>li.active>a {
    color: #fff;
    background: #383838 !important;
    border-left-color: #b7babb !important;
}
.skin-blue .sidebar-menu>li>.treeview-menu {
    background: #232323 !important;
}
.box {
    background: #eaeaea !important;
    border-top: 3px solid #989898 !important;
    box-shadow: 0 1px 1px rgba(14, 14, 14, 0.31) !important;
}
.box-header.with-border {
    border-bottom: 1px solid #d2d2d2 !important;
}
.table-bordered>thead>tr>th, .table-bordered>tbody>tr>th, .table-bordered>tfoot>tr>th, .table-bordered>thead>tr>td, .table-bordered>tbody>tr>td, .table-bordered>tfoot>tr>td {
    border: 1px solid #cecece !important;
}
.skin-blue .main-header li.user-header {
    background-color: #4a4a4a !important;
}
.navbar-nav>.user-menu>.dropdown-menu>.user-body {
    border-bottom: 1px solid #b1b1b1 !important;
    border-top: 1px solid #cecece !important;
}

/* DELETE SOME STUFF:*/
/* Hides the user-menu footer and the informational box on the login page. */
.navbar-nav>.user-menu>.dropdown-menu>.user-footer {
    display: none;
}
#loginform>.row>.col-xs-12>.box.box-solid.box-info {
    display: none;
}

/*.sidebar-menu>li:last-child {
    display: none;
}*/


/* --------------------------- START of Default RULES (minified) -----------------------------------*/
.small-box{cursor:default;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.skin-blue .list-group-item:hover{background:#ddd}@-webkit-keyframes Pulse{from,to{color:#630030;-webkit-text-shadow:0 0 2px transparent}50%{color:#e33100;-webkit-text-shadow:0 0 5px #e33100}}@keyframes Pulse{from,to{color:#630030;text-shadow:0 0 2px transparent}50%{color:#e33100;text-shadow:0 0 5px #e33100}}a.lookatme{-webkit-animation-name:Pulse;animation-name:Pulse;-webkit-animation-duration:2s;animation-duration:2s;-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite}.table-responsive{-webkit-overflow-scrolling:touch}#all-queries td:nth-of-type(1),#all-queries td:nth-of-type(5){white-space:nowrap}#all-queries td:nth-of-type(3){min-width:200px;word-break:break-all;white-space:pre-wrap}#all-queries_info{white-space:unset}#all-queries_wrapper .pagination>li>a{padding-left:6px;padding-right:6px;min-width:34px;text-align:center}@media screen and (max-width:500px),screen and (min-width:767px) and (max-width:1000px){#all-queries_wrapper .pagination>li.next,#all-queries_wrapper .pagination>li.previous{display:none}#all-queries_wrapper .pagination>li:nth-of-type(2) a{border-top-left-radius:4px;border-bottom-left-radius:4px}#all-queries_wrapper .pagination>li:nth-last-of-type(2) a{border-top-right-radius:4px;border-bottom-right-radius:4px}}.main-header>.navbar{height:50px}#resetButton{color:red;font-weight:700}.vertical-alignment-helper{display:table;width:100%;height:100%;pointer-events:none}.vertical-alignment-helper>.vertical-align-center{display:table-cell;vertical-align:middle}.vertical-alignment-helper>.vertical-align-center>.modal-content{width:250px;margin-left:auto;margin-right:auto;word-wrap:break-word;pointer-events:all}.alSpinner{top:.1em;left:.1em;width:.8em;height:.8em;border-radius:50%;border:4px solid silver;border-right-color:transparent;-webkit-animation:fa-spin 1s infinite linear;animation:fa-spin 
1s infinite linear}
/* --------------------------- END of Default RULES (minified) -----------------------------------*/
END of Optional

Anlegen des docker-compose file für pi-hole

Das verwendete Image ist ausschliesslich für x86_64-Systeme geeignet. Soll Pi-hole auf einem ARM-basierten System dockerisiert installiert werden, kann HIER geschaut werden.

Wichtig: Alle im docker_compose.yml File markierten Stellen sind zu kontrollieren oder bei einer Nichtübereinstimmung anzupassen!

# vim /opt/docker-pihole/docker_compose.yml

version: "3.2"

services:
  # ----------------------------------------------------------------------------
  pihole:
    # Unpinned tag: each `docker-compose pull` / `up -d` may silently move to a new
    # release. Pin a version tag or image digest for a reproducible, reviewable deploy.
    image: pihole/pihole:latest
    container_name: "pihole-main"
    volumes:
      # Persistent Pi-hole state (lists, setupVars.conf) and extra dnsmasq config.
      - /opt/docker-pihole/pihole/:/etc/pihole/
      - /opt/docker-pihole/dnsmasq.d/:/etc/dnsmasq.d/
      # Optional custom stylesheet. Bind-mounting it masks the stylesheet shipped in
      # the image, so it has to be kept in sync with the image's admin version.
      - /opt/docker-pihole/adminCMS/pi-hole.css:/var/www/html/admin/style/pi-hole.css
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=www.blackgate.org
      # IP of the Docker host as seen from the LAN (outside the container).
      - ServerIP=192.168.1.2
      # Upstream is the local Unbound on port 5353. 127.0.0.1 is the host's loopback
      # only because of network_mode: host below; in bridge mode it would be the container.
      - DNS1=127.0.0.1#5353
      # "no" disables the second upstream, so every query goes through Unbound.
      - DNS2=no
      - TZ=Europe/Zurich
      # Plain-text admin secret in this file: keep the file root-readable only
      # (chmod 600) or move the value to an env_file that stays out of version control.
      # Pi-hole stores a hashed form in setupVars.conf (the 64-hex WEBPASSWORD value
      # there); that unsalted hash is offline-crackable, so do not publish it either.
      - WEBPASSWORD=MY_LOGIN_PASSWORD
      # Admin UI port; the Apache reverse proxy example forwards /pi-hole/ to it.
      - WEB_PORT=81
      - INTERFACE=enp1s0
    #ports:
    #  - 53:53/tcp
    #  - 53:53/udp
    #  - 67:67/udp
    #  - 81:80
    #networks:
    #  - local
    restart: always
    # Host networking: every port the container listens on (DNS on 53, the admin UI
    # on 81) is bound directly on the host's interfaces. The admin UI is therefore
    # reachable without the reverse proxy's Basic auth unless a host firewall limits
    # port 81 to loopback / the proxy. The commented-out ports/networks entries above
    # are the bridge-mode alternative.
    network_mode: "host"

# ------------------------------------------------------------------------------
#networks:
#  local:
#    driver: bridge

Erklärung zu den Environment Variablen:

  • VIRTUAL_HOST: Die FQDN, über welche später via Web-GUI auf das Pi-hole zugegriffen werden soll.
  • ServerIP: Die Server IP-Adresse des Docker-Hosts. (Ausserhalb des Containers)
  • DNS1: Standard Upstream-DNS-Server von Pi-hole.
  • WEBPASSWORD: Repräsentiert das Admin-Passwort, welches benötigt wird, um sich am Web-GUI anzumelden.
  • WEB_PORT: Der Port auf welchem der Server das Admin-GUI ausliefert.
  • INTERFACE: Das Host-Interface. (Wichtig wenn Standard nicht eth0)

Starten und testen des pi-hole Docker Containers

# docker-compose -f /opt/docker-pihole/docker_compose.yml up -d
# docker ps -a

Weiteres

Wiederherstellen der alten pi-hole Konfiguration (Stand: 06.11.2018)

# docker-compose -f /opt/docker-pihole/docker_compose.yml down
# vim /opt/docker-pihole/dnsmasq.d/01-pihole.conf

01-pihole.conf


# Pi-hole: A black hole for Internet advertisements
# (c) 2015, 2016 by Jacob Salmela
# Network-wide ad blocking via your Raspberry Pi
# http://pi-hole.net
# dnsmasq config for Pi-hole
#
# Pi-hole is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 2 of the License, or
# (at your option) any later version.

###############################################################################
#      FILE AUTOMATICALLY POPULATED BY PI-HOLE INSTALL/UPDATE PROCEDURE.      #
# ANY CHANGES MADE TO THIS FILE AFTER INSTALL WILL BE LOST ON THE NEXT UPDATE #
#                                                                             #
#        IF YOU WISH TO CHANGE THE UPSTREAM SERVERS, CHANGE THEM IN:          #
#                      /etc/pihole/setupVars.conf                             #
#                                                                             #
#        ANY OTHER CHANGES SHOULD BE MADE IN A SEPERATE CONFIG FILE           #
#                        OR IN /etc/dnsmasq.conf                              #
###############################################################################

# Hosts files served by dnsmasq: the compiled blocklist (gravity), the manual
# blacklist and local hostnames.
addn-hosts=/etc/pihole/gravity.list
addn-hosts=/etc/pihole/black.list
addn-hosts=/etc/pihole/local.list


# When a name has several addresses, prefer the one on the client's own subnet.
localise-queries


# Ignore /etc/resolv.conf; only the server= lines below are used as upstreams.
no-resolv



cache-size=10000

# Every client query (including the client address) is written to this file.
# That is personal data: mind log retention/rotation. QUERY_LOGGING in
# setupVars.conf toggles it.
log-queries=extra
log-facility=/var/log/pihole.log

local-ttl=2

log-async
# Upstream is the local Unbound (port 5353). 127.0.0.1 is the host's loopback
# because the container runs with network_mode: host.
server=127.0.0.1#5353
# Never forward plain names (no dot) or reverse lookups for private ranges upstream.
domain-needed
bogus-priv
# Listen on the LAN interface; dnsmasq adds the loopback interface automatically
# when interface= is used.
interface=enp1s0
# Conditional forwarding of the local domain and its reverse zone to the router;
# mirrors the CONDITIONAL_FORWARDING_* settings in setupVars.conf.
server=/fritz.box/192.168.1.1
server=/1.168.192.in-addr.arpa/192.168.1.1


# vim /opt/docker-pihole/pihole/blacklist.txt

blacklist.txt


bvadtgs.scdn1.secure.raxcdn.com
4b6994dfa47cee4.com
metrics.plex.tv
gebadu.com
pl4518712.puserving.com
analytics.ff.avast.com
p5-3os3pimkl6tg2-ixzsvd47ghupqap6-659208-i1-v6exp3.ds.metric.gstatic.com


# vim /opt/docker-pihole/pihole/whitelist.txt

whitelist.txt


raw.githubusercontent.com
mirror1.malwaredomains.com
sysctl.org
zeustracker.abuse.ch
s3.amazonaws.com
hosts-file.net
serials.ws
www.serials.ws
www.googleadservices.com
platform.linkedin.com
cdn.ravenjs.com
public-assets.envato-static.com
ipm-provider.ff.avast.com
www.smartredirect.de


# vim /opt/docker-pihole/pihole/setupVars.conf

setupVars.conf


DHCP_START=192.168.1.180
DHCP_END=192.168.1.250
DHCP_ROUTER=192.168.1.1
DHCP_LEASETIME=48
PIHOLE_DOMAIN=local
DHCP_IPv6=true
DHCP_ACTIVE=false
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=false
CONDITIONAL_FORWARDING=true
CONDITIONAL_FORWARDING_IP=192.168.1.1
CONDITIONAL_FORWARDING_DOMAIN=fritz.box
CONDITIONAL_FORWARDING_REVERSE=1.168.192.in-addr.arpa
PIHOLE_DNS_1=127.0.0.1#5353
PIHOLE_DNS_2=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=
IPV4_ADDRESS=192.168.1.2
IPV6_ADDRESS=
WEBPASSWORD=d295e1c88d5494f1f40cce9be08428e73a79792d37f4ffa6100ac283901479aa
PIHOLE_INTERFACE=enp1s0


# docker-compose -f /opt/docker-pihole/docker_compose.yml up -d
# docker ps

Reverse Proxy Setup Beispiel

# vim /etc/apache2/sites-available/blackgate.org.conf

<VirtualHost *:443>
 ServerName www.blackgate.org
 #
     ServerAdmin ${blackgate_serveradmin}
     # HSTS with preload: once submitted to the preload list this commits the
     # domain and all subdomains to HTTPS for two years and is hard to roll back.
     Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"
     SSLEngine on
     # No SSLProtocol/SSLCipherSuite here; presumably inherited from the global SSL
     # config. Confirm that legacy protocols are disabled there.
     SSLCertificateFile ${blackgate_ssl_path}/cert.pem
     SSLCertificateKeyFile ${blackgate_ssl_path}/privkey.pem
     # SSLCertificateChainFile is deprecated since Apache 2.4.8; the chain can be
     # appended to SSLCertificateFile (fullchain.pem) instead.
     SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem

     # Local error pages are never proxied, so the 503 page works when a backend is down.
     ProxyPass /error_docs !
     ErrorDocument 503 /error_docs/ServiceUnavailable.html

     RewriteEngine on
     RewriteRule ^/pi-hole$ /pi-hole/ [R]

     # Pi-hole admin UI (WEB_PORT=81 in docker_compose.yml).
     ProxyPass          /pi-hole/ http://127.0.0.1:81/admin/
     ProxyPassReverse   /pi-hole/ http://127.0.0.1:81/admin/

     # Everything else goes to the main site backend over plain HTTP on the LAN.
     ProxyPass          / http://192.168.1.21/
     ProxyPassReverse   / http://192.168.1.21/

     # Basic auth protects only requests that come through this proxy. Because the
     # container uses network_mode: host, port 81 is also open on every host
     # interface and bypasses this block unless a host firewall restricts it to
     # loopback.
     <Proxy http://127.0.0.1:81/admin/>
             # Apache 2.2 access syntax (Order/Allow, needs mod_access_compat) mixed
             # with the 2.4 Require directive; on 2.4 the single Require valid-user
             # below is sufficient and the Apache docs discourage mixing the two.
             Order deny,allow
             Allow from all
             Authtype Basic
             Authname "Password Required"
             AuthUserFile /etc/apache2/.htpasswd
             Require valid-user
     </Proxy>
</VirtualHost>