In this walkthrough, I will show how to install and test the pi-hole on Ubuntu and more specifically, Ubuntu Server. Why Ubuntu instead of a Raspberry Pi? I love Raspberry Pis and I probably own at least 10 of them. But sometimes I want to perform DNS blocking/blackholing and I either a) don’t have a Raspberry Pi in an environment or b) I have a virtual environment where I can add some robustness to the solution.
24July2018 – Originally posted
Why remove advertising?
Advertising is great because it pays content creators for their work. After all, even this site utilizes Google Ads. So why would I create a write-up on blocking ads? Because advertisements are known to carry malicious payloads and it’s impossible to distinguish what’s good and what’s bad. As a result, blocking advertising has become an absolute necessity for those who are security conscious. On a personal note, I’ll happily sacrifice some advertising income for the sake of readers/everyone improving their security! As many have figured out, a side benefit of blocking ads is a better user experience and a substantial drop in bandwidth usage. I’ve written several walkthroughs on how to block ads using different devices such as pfBlockerNG on pfSense. If you own a pfSense, I would strongly suggest using the aforementioned guide to create an experience very similar to the pi-hole. Using pfBlockerNG on pfSense has quite a few additional features such as IP blocking and quite honestly, there is no need to add yet another system to manage.
Installing Ubuntu server is ridiculously easy. Simply download the latest Ubuntu Server LTS ISO and install it as you would any standard OS. You can safely use the defaults throughout the installation, although I would install security updates automatically when given the option. You may also need to install SSH if that is how you plan to access and manage your server remotely (other than the web interface). If you are installing this in a virtual/VMware environment for a fairly small number of devices, I would recommend a 1GB of memory, 1 CPU core, and at least 30GB of hard drive. FWIW, the initial install of Ubuntu and pi-hole (before any logs) is under 5GB of disk space so 30GB should give you some room to grow. You could potentially require more resources if you have a lot of devices or those devices make a ton of DNS requests. That is something you will need to keep an eye on after you get it up and running!
|pi-hole Minimum Requirements|
|1 core||1 GB||30 GB|
After your Ubuntu system finishes the install and reboots, login via an SSH terminal or from the console. You should be greeted with a welcome screen similar to the one below with the exception your package and security update counts may be different.
-- Welcome to Ubuntu 18.04 LTS * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 113 packages can be updated. 51 updates are security updates. --
Once you are logged in and sitting at a terminal prompt, run package updates manually using the command below. Note the command will do the repository update, upgrade the packages, and then reboot in one fell swoop. Grab your favorite beverage and let that process run its course.
$ sudo apt-get update && sudo apt-get upgrade -y && sudo reboot
After the system updates and reboots, log back in via SSH or the console. As you will see on your own install, the packages and security updates should both be at zero.
-- Welcome to Ubuntu 18.04 LTS * Documentation: https://help.ubuntu.com * Management: https://landscape.canonical.com * Support: https://ubuntu.com/advantage 0 packages can be updated. 0 updates are security updates. --
Now it’s time to run the pi-hole install script so just copy/paste the command in the gray box below. Yes, it is a single-lined command. That said, this is extremely dangerous if you are unsure of the source. I would recommend taking a peek at the code before you run it. This is easily done considering the address simply re-directs to “basic-install.sh” script on a GitHub repo. If you can’t read code, that’s ok… At the very least, look at the repo and see if the script has changed recently. If it has, you might consider waiting a few days or at least snoop around some forums to make sure the changes were “expected.”
$ curl -sSL https://install.pi-hole.net | bash
For the most part, you can select the defaults or simply hit “Ok” on most of the screens, however, I want to highlight a few items/recommendations. First, the pi-hole project is donation-based. Be sure to visit their donation page and keep the project going!
During the install, the pi-hole points out it is currently using a DHCP address instead of a static IP address. As stated in the picture below, using a static IP address is highly, highly recommended. Don’t forget that in most cases, you do not want your new static IP address in your current DHCP range. Instead, assign your pi-hole an IP address outside of your current DHCP pool. For instance, if your DHCP pool is 192.168.1.100-192.168.1.200 then you could safely assign your pi-hole 192.168.1.2 (assuming that IP address wasn’t already used).
I’m extremely bullish on Quad9 and I’ve written several articles about Quad9 and configuring it on various devices. Long story short, Quad9 provides another layer of protection and that’s a good thing! For that reason, I would suggest selecting Quad9 as the upstream DNS provider when asked during the pi-hole install.
At the installation complete screen, you should take note of your IP address (if you changed it) and also the randomly generated password. You can change the pi-hole web password as described in the section below.
Change your pi-hole web password
Via the an SSH terminal or the console, type in “pihole -a -p” and hit enter. Type in your new password twice.
$ pihole -a -p Enter New Password (Blank for no password): Confirm Password: [✓] New password set
pi-hole web interface
The pi-hole has a very friendly web interface to manage your device. Using your web browser, go to http://<ip address>/admin and you should see a nice statistics screen as shown below. Click on ‘Login’ and either type in the password provided to you during install (or the password you changed to in the last section).
After you get some clients configured (described below), you can come back to the web admin interface and see how many domains are blocked along with quite a few other stats. The web interface is also where you can add other blacklists, whitelist domains, etc.
How it works – testing from the command line
The easiest way to test whether your pi-hole is going to work is via a command line. I would strongly recommend testing before making the DHCP server or client changes below!
We can use the nslookup command from any machine on the network. The format of the nslookup command is the same whether on Linux or Windows — nslookup <hostname to test> <IP address for your pi-hole>. In my test environment, the pi-hole is 192.168.1.2 and we are testing a well-known Yahoo advertising domain, analytics.yahoo.com. Instead of returning the actual IP address for analytics.yahoo.com, the pi-hole returns the IP address of the pi-hole. This effectively blackholes the hostname via DNS so your system/browser is not able to access it and it is re-directed to the pi-hole instead.
C:\>nslookup analytics.yahoo.com 192.168.1.2 Server: pihole Address: 192.168.1.2 Name: analytics.yahoo.com Address: 192.168.1.2
If we test against a domain that is not blocked, then we receive the actual external IP addresses for the hostname as shown below.
C:\>nslookup walmart.com 192.168.1.2 Server: pihole Address: 192.168.1.2 Non-authoritative answer: Name: walmart.com Addresses: 22.214.171.124 126.96.36.199 188.8.131.52
Client configuration changes
This part of the walkthrough will vary wildly because it changes from one environment to the next. If you can make a change at whatever device or server is handing out DHCP addresses (as shown in the Linksys picture below), then you should absolutely make the change there.
Note: If your system already resolved a domain name, then you may need to clear your local DNS cache, your browser cache, or both. To clear your machine’s cache, from a command line on Windows, type in ‘ipconfig /flushdns’ and that should take care of it. You can run a similar command on a Linux system, although the commands can vary from one installation to the next. More often than not, simply restarting your network interface will work; on most distributions, ‘service networking restart’ or ‘systemctl restart network’ should take care of it for you. Each browser has a slightly different way to clear the cache, however, all of them allow you to pull a new version of the website if you hold down “Shift” while clicking on the refresh/reload button.
If you can’t make the change at the server or router/firewall for whatever reason, then you may need to make the change at each client. Changing each client is an issue if you have a number of IoT devices where you can’t even access the underlying configuration. If you have a number of devices, this would also be extremely cumbersome and quite honestly, it might be worth looking at swapping out equipment. Alternatively, you could also disable the current DHCP server entirely and instead enable the DHCP server on the pi-hole (also via the web interface). If you go the pi-hole DHCP server route, make sure you disable the other DHCP server so you don’t have two servers on the same network.
If the client is the route you want to go and I haven’t talked you out of it… On Windows, go to control panel and drill into your network adapter settings as shown below.
Testing By Browsing
So what does the finished product look like? On many sites like YouTube, you’ll see empty space or a gray box where an ad normally would have been. A browser add-on like uBlock Origin (discussed below) further cleans this up by removing the gray box entirely and it also provides some secondary protections. If you visit Yahoo.com (why? seriously, find a new news site), our pi-hole configuration eliminates the wasteland of ads that you normally see as well (red box below). Many sites will look similar to this with vast regions of white space where ads normally would show and don’t be surprised to find ads intermingled with news on many sites. <- In advertising, it’s all about improving that click through ratio (CTR)!
Browser side blocking – Ublock Origin
I constantly preach defense-in-depth and this is no different. Aside from using pi-hole or other DNS blackholing defenses, I would also strongly suggest using uBlock Origin on all of your browsers. uBlock Origin exists for Chrome, Firefox, etc. so there really isn’t a reason not to have it! While nothing is foolproof, it is another fantastic addition to your overall security.
Dallas Haselhorst has worked as an IT and information security consultant for over 20 years. During that time, he has owned his own businesses and worked with companies in numerous industries. Dallas holds several industry certifications and when not working or tinkering in tech, he may be found attempting to mold his daughters into card carrying nerds and organizing BSidesKC.