Augmenting your home network: Part III — Pi-hole, an all-in-one DHCP, DNS, and advert-blocking solution

Freddie Lindsey
5 min read · Feb 4, 2020


Using a Raspberry Pi to provide OpenVPN, Dynamic DNS, Local DNS, DHCP, and Advert-blocking

Installing Pi-hole is extremely easy as there is a one-line command to get you started

$ curl -sSL https://install.pi-hole.net | bash

I tend to stick to most, if not all, of the default settings as they are pretty reasonable. Eventually you’ll finish on a screen like this (albeit showing your admin password which you should remember — you can reset it at any time using sudo pihole -a -p).

At this point you should configure your router to use the DNS server on your device. For me this means pointing my DNS to 10.0.0.10.

Next, now that all your local devices will, eventually at least, be using the Pi-hole’s DNS, we need to configure the advert-blocking side. Actually, there are a very large number of domains configured by default, but I did find that my LG TV needed a few extras to stop tracking me via adverts in the UK. You can add any additional blocklists by navigating to the Pi-hole’s web interface at either address shown when you finished the installation. You’ll find you can add URLs in Settings -> Blocklists as below.

Whilst your devices will now be using Pi-hole to stop a fair few adverts, you won’t actually be able to tell which devices are the greatest offenders, as you’ll only see a sea of IP addresses in your query log. To fix this, and likely to give you a speed upgrade, we need to configure the Pi as our DHCP server.

First off, navigate to Settings -> DHCP and turn on the server, configuring the IP addresses as you wish, and enabling IPv6 support. I configure a smaller range and then give static IP addresses to most of the devices I use frequently on my network. My settings would only allow 40 DHCP leases on the network at any one time.

Now you need to disable your router’s DHCP server and you’ll find your devices will use Pi-hole when they next refresh their lease. You can also enable DNSSEC should you wish (found below the DHCP settings).

Whilst this all works locally, if you’ve followed Part I of this guide, you’ll notice you now have a few problems in terms of DNS, namely that it might not work. This is because your DNS is being routed over the VPN connection, which in turn means it’s trying to reach Pi-hole via the tun0 interface on the Pi-hole machine. However, Pi-hole only listens on one interface (normally whichever one you use to connect to your network) and thus won’t allow the connection. To fix this, head to Settings -> DNS on the Pi-hole admin interface and select “listen on all interfaces” (without permitting all origins).

Optional: Securing your Pi-hole machine

So at this point we’ve installed different services and opened up our Pi-hole machine to the internet via VPN. We can now secure it so that it can only be accessed in the way we want it to be. We are going to use ufw, a firewalling service which is available by default on most Ubuntu distributions.

We need to allow DHCP traffic from anywhere, and we enable this for both IPv4 (ports 67 and 68) and IPv6 (ports 546 and 547).

$ sudo ufw allow 67/udp
$ sudo ufw allow 68/udp
$ sudo ufw allow 546/udp
$ sudo ufw allow 547/udp

Once our client machine has an IP address, it’s going to be using the Pi-hole for DNS queries. For this we need to open up port 53 for both UDP and TCP protocols, the latter being used when the response is too large for a UDP packet.

$ sudo ufw allow 53/tcp
$ sudo ufw allow 53/udp

Next we need to allow access to our machine so clients can connect to the VPN.

$ sudo ufw allow 1194/udp

You should end up with something similar to the following (note, I’ve also added SSH on port 22).

ubuntu@pi-hole:~$ sudo ufw status verbose
Status: active
Logging: on (low)
Default: deny (incoming), allow (outgoing), deny (routed)
New profiles: skip

To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
67/udp                     ALLOW IN    Anywhere
68/udp                     ALLOW IN    Anywhere
546/udp                    ALLOW IN    Anywhere
547/udp                    ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
53/tcp (v6)                ALLOW IN    Anywhere (v6)
53/udp (v6)                ALLOW IN    Anywhere (v6)
67/udp (v6)                ALLOW IN    Anywhere (v6)
68/udp (v6)                ALLOW IN    Anywhere (v6)
546/udp (v6)               ALLOW IN    Anywhere (v6)
547/udp (v6)               ALLOW IN    Anywhere (v6)
1194/udp (v6)              ALLOW IN    Anywhere (v6)

You could also add rules for specific subnets which I’ve omitted, but in general this should be adequate for basic use. One thing I find useful is that you’re defining entry points to your server and therefore if you install anything else you go through a learning process to determine how these things work and the routes they use.
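One way to keep that list of entry points honest over time, as an added example that is not from the article: a small shell script that parses `ufw status verbose` output and reports any inbound ALLOW rule outside the intended set above, as well as any expected port that has gone missing. The status text embedded here is constructed for the demo (the article’s rules plus a stray 8080/tcp).

```shell
# Audit a `ufw status verbose` listing against the ports this box is meant to expose.
# Added example, not part of the original article; the sample output is constructed:
# the article's rule set plus a stray 8080/tcp rule that a later install might add.
SAMPLE_UFW_STATUS='Status: active
Default: deny (incoming), allow (outgoing), deny (routed)
To                         Action      From
--                         ------      ----
22/tcp                     ALLOW IN    Anywhere
53/tcp                     ALLOW IN    Anywhere
53/udp                     ALLOW IN    Anywhere
67/udp                     ALLOW IN    Anywhere
68/udp                     ALLOW IN    Anywhere
546/udp                    ALLOW IN    Anywhere
547/udp                    ALLOW IN    Anywhere
1194/udp                   ALLOW IN    Anywhere
8080/tcp                   ALLOW IN    Anywhere
22/tcp (v6)                ALLOW IN    Anywhere (v6)
8080/tcp (v6)              ALLOW IN    Anywhere (v6)'
# SSH, DNS (TCP and UDP), DHCPv4, DHCPv6 and OpenVPN: the only inbound ports expected.
EXPECTED_PORTS="22/tcp 53/tcp 53/udp 67/udp 68/udp 546/udp 547/udp 1194/udp"

# ufw_allowed_ports STATUS_TEXT: one "port/proto" per ALLOW IN rule, v4 and v6 rows
# collapsed (the "(v6)" token shifts the Action and direction columns right by one).
ufw_allowed_ports() {
  printf '%s\n' "$1" | awk '{
    if ($2 == "(v6)") { act = $3; dir = $4 } else { act = $2; dir = $3 }
    if (act == "ALLOW" && dir == "IN") print $1
  }' | sort -u
}

# ufw_unexpected_ports STATUS_TEXT: allowed ports that are not in EXPECTED_PORTS.
ufw_unexpected_ports() {
  for port in $(ufw_allowed_ports "$1"); do
    case " $EXPECTED_PORTS " in
      *" $port "*) ;;                 # on the allow-list
      *) printf '%s\n' "$port" ;;     # opened with no plan for it: investigate
    esac
  done
}

# ufw_missing_ports STATUS_TEXT: expected ports with no ALLOW IN rule (a blocked DHCP
# or VPN port is the usual reason clients get no lease or cannot connect).
ufw_missing_ports() {
  allowed=$(ufw_allowed_ports "$1")
  for port in $EXPECTED_PORTS; do
    printf '%s\n' "$allowed" | grep -qxF "$port" || printf '%s\n' "$port"
  done
}
# On the live box, pass "$(sudo ufw status verbose)" instead of the constructed sample.
ufw_unexpected_ports "$SAMPLE_UFW_STATUS" | sed 's/^/unexpected: /'
ufw_missing_ports "$SAMPLE_UFW_STATUS" | sed 's/^/missing: /'
```

Edit EXPECTED_PORTS whenever you deliberately open another service, so the script keeps describing the intended state rather than whatever happens to be configured.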

I hope you’ve enjoyed and got something out of this three-part series. You’ll hopefully have a much improved network infrastructure and ad experience, and you’re now able to access your home network from afar.
