Pi-hole DNS Ad-blocking Server
Networkwide ad blocking via your own Linux hardware. No client-side software required
Installing Docker and Docker Compose
Step 1 - Update the System and install Docker:
# apt-get update
# apt-get upgrade
# apt-get install docker-ce
Step 2 - Install docker-compose binary:
Check the latest version on GitHub: docker-compose
# curl -L "https://github.com/docker/compose/releases/download/1.23.2/docker-compose-$(uname -s)-$(uname -m)" -o /usr/local/bin/docker-compose
# chmod +x /usr/local/bin/docker-compose
# curl -L https://raw.githubusercontent.com/docker/compose/$(docker-compose version --short)/contrib/completion/bash/docker-compose -o /etc/bash_completion.d/docker-compose
# docker-compose version
Installing a hardened Unbound DNS server
# apt-get install unbound
# cd /var/lib/unbound/
# wget -O root.hints https://www.internic.net/domain/named.root
# chown unbound:unbound /var/lib/unbound/root.hints
# vim /etc/unbound/unbound.conf.d/blackNET.conf
server:
    verbosity: 1
    port: 5353
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones; if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use capitalization randomization, as it is known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # TTL bounds for cache
    cache-min-ttl: 3600
    cache-max-ttl: 86400

    # Perform prefetching of close-to-expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
# systemctl restart unbound
# systemctl status unbound
# netstat -tulpn
# dig blackgate.org @127.0.0.1 -p 5353

Testing DNSSEC validation (sigfail must be rejected with SERVFAIL, sigok must resolve with the ad flag set):
# dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
# dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
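To turn the two sigfail/sigok queries above into a repeatable check, the following added script (not part of the original page) reads the rcode and the ad flag from dig's output and classifies the resolver as validating, non-validating or broken. The SAMPLE_* strings are constructed dig headers used only to exercise the logic offline; the --live mode queries the local Unbound on 127.0.0.1:5353 as set up above.

```shell
#!/bin/sh
# Added example, not from the original page: decide from two dig answers whether
# the resolver validates DNSSEC. A validating resolver answers the correctly signed
# name (sigok) with NOERROR plus the "ad" (authenticated data) flag and refuses the
# deliberately broken signature (sigfail) with SERVFAIL. NOERROR for both means
# bogus data is passed through unvalidated.

RESOLVER=127.0.0.1
PORT=5353

# dig_status OUTPUT -> prints the rcode (NOERROR, SERVFAIL, ...) from dig's header line
dig_status() {
    printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# dig_has_ad OUTPUT -> succeeds when the flags line carries the "ad" flag
dig_has_ad() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# dnssec_verdict SIGOK_OUTPUT SIGFAIL_OUTPUT -> VALIDATING | NOT_VALIDATING | BROKEN
dnssec_verdict() {
    ok_status=$(dig_status "$1")
    fail_status=$(dig_status "$2")
    if [ "$ok_status" = "NOERROR" ] && dig_has_ad "$1" && [ "$fail_status" = "SERVFAIL" ]; then
        echo VALIDATING
    elif [ "$ok_status" = "NOERROR" ] && [ "$fail_status" = "NOERROR" ]; then
        echo NOT_VALIDATING
    else
        echo BROKEN
    fi
}

# check_resolver -> runs the page's two live test queries against the local Unbound
check_resolver() {
    ok=$(dig sigok.verteiltesysteme.net @"$RESOLVER" -p "$PORT")
    fail=$(dig sigfail.verteiltesysteme.net @"$RESOLVER" -p "$PORT")
    dnssec_verdict "$ok" "$fail"
}

# Constructed sample headers (not real captures) to exercise the logic offline
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10001
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_FAIL=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 10002
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_UNVALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10003
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'

case "${1:-}" in --live) check_resolver ;; esac
```

Run as `sh dnssec_check.sh --live` on the Unbound host; a result other than VALIDATING means Pi-hole's upstream is not protecting clients against forged answers.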
Installing / deploying Pi-hole
Creating the required files and directories
# mkdir /opt/docker-pihole
Optional: blackGATE custom design!
Note: if the custom design is not wanted, OMIT the FIRST marked line in docker_compose.yml (the pi-hole.css volume mount) and do not create the following file and directory either.
# mkdir /opt/docker-pihole/adminCMS
# vim /opt/docker-pihole/adminCMS/pi-hole.css
/* Pi-hole: A black hole for Internet advertisements
 * (c) 2017 Pi-hole, LLC (https://pi-hole.net)
 * Network-wide ad blocking via your own hardware.
 * CSS BY MICHU!!!
 * This file is copyright under the latest version of the EUPL.
 * Please see LICENSE file for your rights under this license. */

/* ---------------------------blackGATE RULES-----------------------------------*/
/* BACKGROUND:*/
body { background-color: #232323 !important; }
.layout-boxed { background: url(https://www.blackgate.org/wood.jpg) !important; }

/* PAGE FORMATTING:*/
.skin-blue .main-header .logo { background-color: #4a4a4a !important; }
.skin-blue .main-header .navbar { background-color: #383838 !important; }
.skin-blue .wrapper, .skin-blue .main-sidebar, .skin-blue .left-side { background-color: #2b2b2b !important; }
.skin-blue .sidebar-menu>li.header { color: #717171 !important; background: #212121 !important; }
.skin-blue .sidebar-menu>li:hover>a, .skin-blue .sidebar-menu>li.active>a { color: #fff; background: #383838 !important; border-left-color: #b7babb !important; }
.skin-blue .sidebar-menu>li>.treeview-menu { background: #232323 !important; }
.box { background: #eaeaea !important; border-top: 3px solid #989898 !important; box-shadow: 0 1px 1px rgba(14, 14, 14, 0.31) !important; }
.box-header.with-border { border-bottom: 1px solid #d2d2d2 !important; }
.table-bordered>thead>tr>th, .table-bordered>tbody>tr>th, .table-bordered>tfoot>tr>th, .table-bordered>thead>tr>td, .table-bordered>tbody>tr>td, .table-bordered>tfoot>tr>td { border: 1px solid #cecece !important; }
.skin-blue .main-header li.user-header { background-color: #4a4a4a !important; }
.navbar-nav>.user-menu>.dropdown-menu>.user-body { border-bottom: 1px solid #b1b1b1 !important; border-top: 1px solid #cecece !important; }

/* DELETE SOME STUFF:*/
.navbar-nav>.user-menu>.dropdown-menu>.user-footer { display: none; }
#loginform>.row>.col-xs-12>.box.box-solid.box-info { display: none; }
/*.sidebar-menu>li:last-child { display: none; }*/

/* --------------------------- START of Default RULES (minified) -----------------------------------*/
.small-box{cursor:default;-webkit-user-select:none;-moz-user-select:none;-ms-user-select:none;-o-user-select:none;user-select:none}.skin-blue .list-group-item:hover{background:#ddd}@-webkit-keyframes Pulse{from,to{color:#630030;-webkit-text-shadow:0 0 2px transparent}50%{color:#e33100;-webkit-text-shadow:0 0 5px #e33100}}@keyframes Pulse{from,to{color:#630030;text-shadow:0 0 2px transparent}50%{color:#e33100;text-shadow:0 0 5px #e33100}}a.lookatme{-webkit-animation-name:Pulse;animation-name:Pulse;-webkit-animation-duration:2s;animation-duration:2s;-webkit-animation-iteration-count:infinite;animation-iteration-count:infinite}.table-responsive{-webkit-overflow-scrolling:touch}#all-queries td:nth-of-type(1),#all-queries td:nth-of-type(5){white-space:nowrap}#all-queries td:nth-of-type(3){min-width:200px;word-break:break-all;white-space:pre-wrap}#all-queries_info{white-space:unset}#all-queries_wrapper .pagination>li>a{padding-left:6px;padding-right:6px;min-width:34px;text-align:center}@media screen and (max-width:500px),screen and (min-width:767px) and (max-width:1000px){#all-queries_wrapper .pagination>li.next,#all-queries_wrapper .pagination>li.previous{display:none}#all-queries_wrapper .pagination>li:nth-of-type(2) a{border-top-left-radius:4px;border-bottom-left-radius:4px}#all-queries_wrapper .pagination>li:nth-last-of-type(2) a{border-top-right-radius:4px;border-bottom-right-radius:4px}}.main-header>.navbar{height:50px}#resetButton{color:red;font-weight:700}.vertical-alignment-helper{display:table;width:100%;height:100%;pointer-events:none}.vertical-alignment-helper>.vertical-align-center{display:table-cell;vertical-align:middle}.vertical-alignment-helper>.vertical-align-center>.modal-content{width:250px;margin-left:auto;margin-right:auto;word-wrap:break-word;pointer-events:all}.alSpinner{top:.1em;left:.1em;width:.8em;height:.8em;border-radius:50%;border:4px solid silver;border-right-color:transparent;-webkit-animation:fa-spin 1s infinite linear;animation:fa-spin 1s infinite linear}
/* --------------------------- END of Default RULES (minified) -----------------------------------*/
End of the optional section
Creating the docker-compose file for Pi-hole
The image used is only suitable for x86_64 systems. If Pi-hole is to be installed dockerised on an ARM-based system, see HERE.
Important: all marked places in the docker_compose.yml file must be checked and adjusted if they do not match your environment!
# vim /opt/docker-pihole/docker_compose.yml
version: "3.2"
services:
  # ----------------------------------------------------------------------------
  pihole:
    image: pihole/pihole:latest
    container_name: "pihole-main"
    volumes:
      - /opt/docker-pihole/pihole/:/etc/pihole/
      - /opt/docker-pihole/dnsmasq.d/:/etc/dnsmasq.d/
      - /opt/docker-pihole/adminCMS/pi-hole.css:/var/www/html/admin/style/pi-hole.css
      - /etc/localtime:/etc/localtime:ro
    environment:
      - VIRTUAL_HOST=www.blackgate.org
      - ServerIP=192.168.1.2
      - DNS1=127.0.0.1#5353
      - DNS2=no
      - TZ=Europe/Zurich
      - WEBPASSWORD=MY_LOGIN_PASSWORD
      - WEB_PORT=81
      - INTERFACE=enp1s0
    #ports:
    #  - 53:53/tcp
    #  - 53:53/udp
    #  - 67:67/udp
    #  - 81:80
    #networks:
    #  - local
    restart: always
    network_mode: "host"
# ------------------------------------------------------------------------------
#networks:
#  local:
#    driver: bridge
Explanation of the environment variables:
VIRTUAL_HOST: The FQDN under which the Pi-hole web GUI will later be accessed.
ServerIP: The server IP address of the Docker host (outside the container).
DNS1: The default upstream DNS server for Pi-hole.
WEBPASSWORD: The admin password required to log in to the web GUI.
WEB_PORT: The port on which the server serves the admin GUI.
INTERFACE: The host interface (important if the default is not eth0).
Starting and testing the Pi-hole Docker container
# docker-compose -f /opt/docker-pihole/docker_compose.yml up -d
# docker ps -a
Further topics
Restoring the old Pi-hole configuration (as of 06.11.2018)
# docker-compose -f /opt/docker-pihole/docker_compose.yml down
# vim /opt/docker-pihole/dnsmasq.d/01-pihole.conf
# vim /opt/docker-pihole/pihole/blacklist.txt
# vim /opt/docker-pihole/pihole/whitelist.txt
# vim /opt/docker-pihole/pihole/setupVars.conf
# docker-compose -f /opt/docker-pihole/docker_compose.yml up -d
# docker ps
Reverse proxy setup example
# vim /etc/apache2/sites-available/blackgate.org.conf
<VirtualHost *:443>
    ServerName www.blackgate.org
    # ServerAdmin ${blackgate_serveradmin}

    Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains; preload"

    SSLEngine on
    SSLCertificateFile      ${blackgate_ssl_path}/cert.pem
    SSLCertificateKeyFile   ${blackgate_ssl_path}/privkey.pem
    SSLCertificateChainFile ${blackgate_ssl_path}/chain.pem

    ProxyPass /error_docs !
    ErrorDocument 503 /error_docs/ServiceUnavailable.html

    RewriteEngine on
    RewriteRule ^/pi-hole$ /pi-hole/ [R]
    ProxyPass        /pi-hole/ http://127.0.0.1:81/admin/
    ProxyPassReverse /pi-hole/ http://127.0.0.1:81/admin/
    ProxyPass        / http://192.168.1.21/
    ProxyPassReverse / http://192.168.1.21/

    <Proxy http://127.0.0.1:81/admin/>
        Order deny,allow
        Allow from all
        AuthType Basic
        AuthName "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>
</VirtualHost>