This setup is great if you’re tired of ads when surfing the web, and don’t want to rely on browser plugins for ad blocking.
By using a Raspberry Pi, as in this example, you get a network-wide blocker to deal with this.
(Can also be set up on any computer if you have one laying around, but the guide here is for the Pi).
The result is fewer ads, less tracking, and also a faster web browsing experience, since you’re pulling/sending less data to your screen.
Since it’s network wide, all devices, xbox, tablets and phones also reap the benefits with no work needed on the device itself.
At the end I’ve added a bonus for those who want extra control over privacy and over what data ends up in the hands of third parties, so read along.
What you need:
- Raspberry Pi board – I’m using the Raspberry Pi 3 for this guide. A case for the Pi is optional.
- Micro-sd card and reader.
- USB charger with 5V and 1>2A output and micro-USB for the Pi.
(I’m using a spare Google Chromecast charger)
- Access to your router/DHCP server to set DNS systemwide for all clients on the network.
Or another way to ensure you can set a static IP for use on the Pi – make sure it will stay the same over time.
Prerequisites:
- Download latest Raspbian Lite image here:
https://www.raspberrypi.org/downloads/raspbian/
- Download and install Etcher, used to flash the SD card, here:
https://www.balena.io/etcher/
- Download and install Angry IP Scanner, to find the IP of the Pi later:
https://angryip.org/
Step-by-step setup:
Extract the downloaded Raspbian image file to your wanted destination
Insert the SD card into your reader, start Etcher, and click Select image.
Browse to the image file, select, and click OK.
Click the Flash! button
Wait for the process to finish:
When the process is finished, you may see a dialog box from Windows about formatting your device – DO NOT CLICK FORMAT DISK – just cancel that box.
This is because Raspbian uses the ext4 file system, which Windows does not recognize.
Your computer should now mount the boot partition on the SD card. If not, unplug the card and plug it back in, and again, do not format if Windows asks you to.
To get Raspbian to start SSH daemon on boot, we need to create an empty file called ssh on the boot partition of the sd card.
In Windows we can do this via Windows Explorer: right click in the root folder and create a new text file, and call it ssh with no file extension (.txt).
If you don’t have the option to remove the file extension, simply open the created file, click File in the top menu, and select Save as in the dropdown.
For file name, write “ssh”, then click Save.
You should have a file called ssh in the directory with no extension
You can delete the previous file called ssh.txt in the root of the folder.
Unmount the sd card cleanly
Now put your sd card in your raspberry pi.
Plug the Raspberry Pi into your network, and insert the power supply to turn it on – the Pi has no power button; if it has power, it turns on.
We now need to find the IP address of your PI.
Start Angry IP Scanner, fill out IP from and to (it should autofill the entire network – so most likely leave it as is)
Click Scan, check whether a device with hostname Raspberry comes up, and take note of its IP address.
Now connect to the Pi with an SSH client (PuTTY).
Start PuTTY, check the SSH box, fill in the Pi’s IP under Hostname, then click Open.
Answer YES if you get this popup
PuTTY will now ask for the username, default is pi
Now for the password – default is raspberry
You should now be logged in via SSH
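Now is a good time to change the default password, hostname, locale settings etc., if wanted. Since SSH is enabled and the default pi/raspberry credentials are publicly known, changing the password is worth doing.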
To do so issue the following command:
sudo raspi-config
After making your changes (if any), you can run the installer for Pi-Hole with the following command:
curl -sSL https://install.pi-hole.net | bash
The installer starts; confirm the first three dialogs with OK.
Select interface for the Pi-Hole (eth0 if you are using cable, wlan0 if you want to use it wirelessly)
Then select the upstream DNS resolver you want to use – I’m using Cloudflare, as they have promised never to share DNS data with third parties – good if you value privacy.
You can read more about Cloudflare’s privacy statement here:
https://developers.cloudflare.com/1.1.1.1/commitment-to-privacy/
TIP: Another reason I’m using Cloudflare comes at the end as a bonus – hint: encrypted DNS.
Choose your «blocklists» to be used with Pi-Hole – I accept the default with all selected.
Choose what protocols to use, I accept the default.
Choose if you want to use the Pi’s current IP address as a static address –
if so, make sure this is not used elsewhere; you may need to add a reservation in your router/DHCP server for this.
Warning about IP conflicts – again, make sure you don’t use the given address for the Pi elsewhere.
Choose if you want the Web GUI or not, I choose yes – nice to see how much is getting blocked.
Yes to install the builtin webserver for the admin GUI
OK
Choose the amount of details visible in the logs for Pi-Hole, I accept the default.
Read more about the levels here:
https://docs.pi-hole.net/ftldns/privacylevels/
When installation completes you should see this – wait for it to finish.
Installation complete, take note of the IP, address for the admin GUI and the password.
To login to the Pi-Hole admin page use the link provided in the previous screenshot.
Admin panel looks like this
Setting your DNS provider on the router/computer
Now it’s time to change your DNS server on your Router/DHCP server, to point to the Pi-Hole IP for DNS queries.
If you don’t have access to this, you can change locally on your computer by:
Right click start button > select run > type ncpa.cpl > Press enter. (or windows key+R for the run dialog).
Right click your network adapter>click properties
In the properties dialog:
Find Internet Protocol version 4 in the list > Click Properties > Insert the preferred and alternate DNS servers for IPv4 from above > Click OK.
Find Internet Protocol version 6 in the same list > click properties > insert the preferred and alternate DNS servers for IPv6 from above > Click OK > Click OK.
(Replace the IP in step (3) with the IP of your Pi-Hole, and set a secondary (4) to Cloudflare DNS 1.1.1.1, just in case your Pi-Hole is off, so you don’t lose internet connectivity.)
Repeat for every network adapter you are using (wifi + cable based)
Change Pi-Hole admin password
To change the password for the pi-hole admin page run the following command:
pihole -a -p
Verify it’s working:
To test that it’s working, you can wait until you have changed DNS for all your clients via the router/DHCP server, or you can change the DNS on one client and point it to Pi-Hole to see the results.
When it’s working you should see something like this.
Keep in mind – the above screenshot – is showing the results in under 24H, for 1 person’s devices, + other IoT devices in the network, with minimal use – that’s crazy.
Visiting a local newspaper on the web shows ads are being blocked.
The result will be a faster internet with less ads and tracking 🙂
BONUS: Encrypting DNS network wide with Cloudflared for Pi-Hole
As mentioned, here comes the reason I like to use Cloudflare’s DNS service.
Cloudflare supports DNS over HTTPS, which encrypts your DNS queries so others sniffing the network cannot read which names you are looking up. In the setup below the encryption covers the leg between the Pi and Cloudflare; queries from your devices to the Pi-Hole on the local network are still plain DNS.
You can read more about the details and the reasons behind this in a previous blog post here: https://dybbugt.no/2019/1210/ – that post also gives you info about Cloudflare’s 1.1.1.1 app for mobile devices, it’s great – and now also includes WARP (basically a VPN) for free!
Now, how to leverage Cloudflare’s encrypted DNS via the Pi-Hole?
The actual instructions can be found here:
https://docs.pi-hole.net/guides/dns-over-https/
But I will repeat them here with screenshots to make it easier.
- Start PuTTY, select SSH, type the ip of your raspberry, click OK.
- Copy the following command, and paste in the PuTTY terminal
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v
- Copy the following command, and paste in the PuTTY terminal, to create the daemon user for Cloudflared
sudo useradd -s /usr/sbin/nologin -r -M cloudflared
- You now need to create a configuration file for Cloudflared, do so by editing the cloudflared config file with the following command:
sudo vi /etc/default/cloudflared
The VI editor opens the file, paste the following inside:
# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Save and exit the editor by typing :wq on your keyboard
- Update the permissions for the config file and binary for cloudflared with the following command
sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
- Create system script, and allow the service to run at startup
Open the cloudflared.service file in VI editor
sudo vi /lib/systemd/system/cloudflared.service
Put the following in the file, and use :wq to save and exit
[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target
- Enable the system service to run on startup, then start the service and check its status.
Run the following command in the PuTTY terminal:
sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared
- Test if it’s working with the following command:
dig @127.0.0.1 -p 5053 google.com
Response should look something like this:
- Last step – configure Pi-Hole to use Cloudflared as Upstream DNS server
Login to the Pi-Hole admin GUI by opening a web browser and using the address from before – usually “YourPiIpAddress/admin“, and login with your password.
Head over to “Settings->DNS” and remove any checkboxes on the left side under “Upstream DNS servers”.
Then fill in 127.0.0.1#5053 on the right side under “Upstream DNS servers” for “Custom 1 IPv4”.
Scroll down and tick the box to use DNSSEC – Cloudflare supports this.
The result should look something like this:
Save your settings, and you are done!
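The dig test from the steps above, as an added example that is not part of the original guide: shell functions that read a dig reply and confirm that the listener on 127.0.0.1#5053 answered with NOERROR and at least one record, which also catches the case where "-p 5053" was left out and Pi-Hole on port 53 answered instead. The sample replies are constructed and the function names are hypothetical.

```shell
#!/bin/sh
# Added example: checks a dig reply for the signs that cloudflared answered.
# The SAMPLE_* replies are constructed for illustration, not captured output.
SAMPLE_OK=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
google.com.  300  IN  A  192.0.2.10
;; SERVER: 127.0.0.1#5053(127.0.0.1)'

# Same query with "-p 5053" forgotten: Pi-Hole itself (port 53) answers.
SAMPLE_WRONG_PORT=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
google.com.  300  IN  A  192.0.2.10
;; SERVER: 127.0.0.1#53(127.0.0.1)'

# Nothing listening on the port: dig prints no header at all.
SAMPLE_DOWN=';; connection timed out; no servers could be reached'

dig_status() {   # value after "status:" in the header line
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}
dig_server() {   # "address#port" from the SERVER line
    printf '%s\n' "$1" | sed -n 's/^;; SERVER: \([^(]*\)(.*/\1/p'
}
dig_answers() {  # ANSWER count from the flags line
    printf '%s\n' "$1" | sed -n 's/^;; flags:.*ANSWER: \([0-9]*\),.*/\1/p'
}

# Returns 0 only when the expected listener answered successfully with records.
check_doh_reply() {
    reply=$1
    expected=$2
    [ "$(dig_status "$reply")" = "NOERROR" ] || { echo "bad or missing status"; return 1; }
    [ "$(dig_server "$reply")" = "$expected" ] || { echo "answered by $(dig_server "$reply")"; return 2; }
    [ "$(dig_answers "$reply")" -gt 0 ] 2>/dev/null || { echo "no answer records"; return 3; }
    echo "ok"
}

# Live use on the Pi:
#   check_doh_reply "$(dig @127.0.0.1 -p 5053 google.com)" "127.0.0.1#5053"
check_doh_reply "$SAMPLE_OK" "127.0.0.1#5053"
check_doh_reply "$SAMPLE_WRONG_PORT" "127.0.0.1#5053" || true
check_doh_reply "$SAMPLE_DOWN" "127.0.0.1#5053" || true
```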
Consultant manager & SME @ iteam, localized in Kristiansund, Norway.
Focused on EUC, security, mobility, virtualization, management and a modern workplace. Highly specialized around RDS/Citrix/EUC/Mobility.