How to Block Malicious Ads using Pi-hole and a Raspberry Pi

By Matt Kmety
Published in The KickStarter · 11 min read · Jul 3, 2020

Block malicious advertisements, AKA malvertisements, using Pi-hole and a Raspberry Pi.

Advertising is not inherently malicious. It helps promote new products and businesses, generates revenue for content creators, and increases competition. These benefits are shared among consumers and companies alike.

Unfortunately, bad actors take advantage of advertisements to infect your devices with malware. Malvertising, or malicious advertising, is the use of online, malicious advertisements to spread malware and compromise systems (Samarasinghe, 2020). Clicking a malicious online advertisement can infect your device and compromise your data.

In this article, we will walk through how to use a DNS sinkhole called Pi-hole to block internet advertisements on a Raspberry Pi running Raspberry Pi OS.

Pi-hole acts as a DNS sinkhole for several advertising domains. Some domains are known to be malicious and will be blocked at the network level. This is beneficial since you do not need to configure any settings at the individual device level. Your entire network will benefit from Pi-hole if configured correctly.

Prerequisites

  • Raspberry Pi running Raspberry Pi OS
  • Internet connection
  • Access to your router settings
  • General technology knowledge (this guide will be step-by-step)

Step 1 — Download Pi-hole

The first step is to download Pi-hole from the Pi-hole Git repository. Run the following command to clone the repository.

Note: There is a “One-Step Automated Install” offered by the vendor. This process involves piping a script from the internet and automatically running it on your machine. This is NOT considered a cybersecurity best practice, as it does not allow you to review the scripts that are running. Although this is a trusted resource, it’s best not to get into this habit.

pi@raspberrypi:~ $ git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
Cloning into 'Pi-Hole'...
...
Unpacking objects: 100% (98/98), done.
pi@raspberrypi:~ $

Pi-hole should now be downloaded and placed into a newly created directory named Pi-hole. Run the following command to verify the directory has been created.

pi@raspberrypi:~ $ ls -l
total 40
drwxr-xr-x 2 pi pi 4096 May 27 02:18 Bookshelf
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Desktop
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Documents
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Downloads
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Music
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Pictures
drwxr-xr-x 10 pi pi 4096 Jun 30 20:26 Pi-hole
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Public
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Templates
drwxr-xr-x 2 pi pi 4096 May 27 02:31 Videos
pi@raspberrypi:~ $

Run the following command to verify the files are present in the Pi-hole directory.

pi@raspberrypi:~ $ ls -l Pi-hole/
total 124
drwxr-xr-x 6 pi pi 4096 Jun 30 20:26 advanced
drwxr-xr-x 2 pi pi 4096 Jun 30 20:26 'automated install'
-rwxr-xr-x 1 pi pi 20 Jun 30 20:26 autotest
drwxr-xr-x 2 pi pi 4096 Jun 30 20:26 'block hulu ads'
-rw-r--r-- 1 pi pi 2489 Jun 30 20:26 CONTRIBUTING.md
-rwxr-xr-x 1 pi pi 29096 Jun 30 20:26 gravity.sh
-rw-r--r-- 1 pi pi 14204 Jun 30 20:26 LICENSE
drwxr-xr-x 2 pi pi 4096 Jun 30 20:26 manpages
-rwxr-xr-x 1 pi pi 15135 Jun 30 20:26 pihole
-rw-r--r-- 1 pi pi 17213 Jun 30 20:26 README.md
-rw-r--r-- 1 pi pi 105 Jun 30 20:26 requirements.txt
-rw-r--r-- 1 pi pi 107 Jun 30 20:26 setup.py
drwxr-xr-x 2 pi pi 4096 Jun 30 20:26 test
-rw-r--r-- 1 pi pi 384 Jun 30 20:26 tox.ini
pi@raspberrypi:~ $

We are now ready to begin the install.

Step 2 — Install Pi-hole

Installing Pi-hole is quite effortless and only requires us to run the install script located in the Pi-hole/automated\ install/ directory.

Run the following command to change into the ‘automated install’ directory.

Note: Files and directories in Linux containing spaces will be escaped using a backslash or wrapped in single quotes.

pi@raspberrypi:~ $ cd Pi-hole/automated\ install
pi@raspberrypi:~/Pi-hole/automated install $

We can validate which directory we are in either by looking after the colon in the prompt or by running the following command.

pi@raspberrypi:~/Pi-hole/automated install $ pwd
/home/pi/Pi-hole/automated install

Let’s list out the contents of this directory using the following command.

pi@raspberrypi:~/Pi-hole/automated install $ ls -l
total 124
-rwxr-xr-x 1 pi pi 116023 Jun 30 20:26 basic-install.sh
-rwxr-xr-x 1 pi pi 7891 Jun 30 20:26 uninstall.sh
pi@raspberrypi:~/Pi-hole/automated install $

There is a basic-install script that we will run to install Pi-hole.

Note: It is best practice to look at the script you are going to run. Although this is a trusted source you should always be aware of what you are going to run on your machine. Use your preferred text editor to view the script.
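One way to act on the review advice above, as an added example that is not part of the original article or of Pi-hole: list the lines of an installer that deserve a first read, record a SHA-256 digest once you have read the script, and refuse to run it if the file has changed since. The function names and the sample installer are hypothetical and constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example. Function names are hypothetical helpers, not Pi-hole tooling.

# Constructed sample installer used only to exercise flag_risky_lines.
# It is never executed.
write_sample_installer() {
  cat > "$1" <<'EOF'
#!/bin/bash
echo "checking disk space"
apt-get install -y whiptail
curl -sSL https://example.invalid/extra.sh | bash
echo "done"
EOF
}

# Print numbered lines worth reading first: remote downloads, pipes into a
# shell, eval, and package installs.
flag_risky_lines() {
  grep -nE '(curl|wget)[[:space:]]|[|][[:space:]]*(sudo[[:space:]]+)?(ba)?sh([[:space:]]|$)|(^|[[:space:];])eval[[:space:]]|(apt-get|apt|dnf|yum)[[:space:]].*install' "$1"
}

# Hex SHA-256 digest of a file.
file_sha256() {
  sha256sum "$1" | cut -d' ' -f1
}

# Run a script only if it still matches the digest recorded after review.
# Usage: run_if_unchanged <script> <sha256> [runner, e.g. sudo bash]
run_if_unchanged() {
  local script=$1 expected=$2
  shift 2
  [ -r "$script" ] || return 2
  if [ "$(file_sha256 "$script")" != "$expected" ]; then
    echo "refusing to run $script: content changed since review" >&2
    return 1
  fi
  [ $# -gt 0 ] || set -- bash
  "$@" "$script"
}

# Typical use from the 'automated install' directory:
#   flag_risky_lines basic-install.sh | less
#   reviewed=$(file_sha256 basic-install.sh)    # record after reading
#   run_if_unchanged basic-install.sh "$reviewed" sudo bash
```

The pattern list is a reading aid, not a verdict: a script with no flagged lines still needs to be read before it runs as root.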

Run the following command to begin the installation process.

pi@raspberrypi:~/Pi-hole/automated install $ sudo bash basic-install.sh

The script will begin to run some basic checks before it brings us into an installation screen.

[✓] Root user check
(Pi-hole ASCII-art logo)
[✓] Disk space check
[✓] Update local cache of available packages
[i] It is recommended to update your OS after installing the Pi-hole!
[i] Installer Dependency checks...
[✓] Checking for dhcpcd5
[✓] Checking for git
[✓] Checking for iproute2
[✓] Checking for whiptail

The Pi-hole automated installer screen will appear.

Select OK.

Pi-hole automated installer

The next screen lets us know that Pi-hole is free and open-source software.

Select OK.

Free and Open Source

The next screen tells us that Pi-hole is a server and needs a static IP address to function properly.

Note: This does not refer to a static public IP address. This refers to the IP addresses on your local network. We will cover this step after the Pi-hole installer has finished.

Select OK.

Static IP Needed

We are now prompted to choose an interface.

It is recommended that your Raspberry Pi is connected via an Ethernet cable instead of WiFi. While WiFi will be slower than Ethernet, I have tested both and have not seen a noticeable performance impact.

Tip: Try switching to Ethernet if you experience performance issues over WiFi.

Select the option beginning with “eth” if you are using a wired connection.

Select the option beginning with “wlan” if you are using a wireless connection.

Choose an Interface

We will now be prompted to select an upstream DNS provider.

An upstream DNS provider is the server your Pi-hole will query when it needs to convert domain names to IP addresses. While there are a variety of upstream providers, we will choose Google.

Feel free to do your research on DNS providers to make an informed selection.

Select Google (ECS).

Select OK.

Upstream DNS Provider

The next screen displayed allows us to choose which third-party block lists Pi-hole will utilize. You can add custom lists after the installation through the Web user interface (WebUI). We will leave the defaults selected.

Select OK.

Third-Party Block Lists

We will now be prompted to choose IP versions. We will keep the defaults and select both, but feel free to make the selection based on your network.

Select OK.

Protocols

The next screen will ask us if we’d like to keep the current network settings as the static IP address for the Pi-hole.

Static IP Address

The 10.0.0.27/24 address was assigned by DHCP via my router. I’ll need to ensure that this address stays reserved for my Raspberry Pi.

To do this, I need to go into the LAN settings on my router. From there, I can reserve IP addresses for devices on my network. Most routers can do this.

Router LAN Setup

I now have this IP address tied to the MAC address of my Raspberry Pi. If my router or the Raspberry Pi are rebooted this IP address will be reassigned to my Raspberry Pi due to the reservation.

Note: If you do not reserve the IP address chosen in this step for your Raspberry Pi, you may run into issues when your devices reboot. The address may be assigned to another device.

Select Yes on the Pi-hole installer screen.

We are now presented with an IP Conflict screen. Since we already reserved the IP address for our Raspberry Pi we can continue past this screen.

If you were not able to reserve an IP address then read through this screen and take note of the potential issues.

Select OK.

IP Conflict

The next screen will ask if we’d like to install the web admin interface. It is highly recommended you do this so you can see the statistics, logging, and admin user interface through a web browser.

Select OK.

Web Admin Interface

Pi-hole can install a web server that runs the admin interface (lighttpd). It is recommended you select “On” unless you have an existing web server running.

Note: The web interface will only be accessible from your network unless configured otherwise.

Select OK.

Install Web Server

The next screen will ask if we’d like to enable the logging of queries. It is recommended to select “On” to have Pi-hole collect logs.

Select OK.

Log Queries

We will now be asked to select privacy settings for FTL. FTL, or Faster Than Light, is a custom program developed by the Pi-hole team that reads the Pi-hole logs, stores them in RAM, and makes them accessible to the WebUI. This allows queries to be returned very quickly since they are stored in RAM.

Note: More information on FTL can be found at https://docs.pi-hole.net/ftldns/privacylevels/

Your selection depends on your privacy tolerance. If you are okay with allowing Pi-hole to access domain and client information you can select “Show everything”. Otherwise, choose an option that fits your needs. In this guide, we will select “Show everything”.

Select OK.

FTL Privacy Mode

The script will continue to run and install several packages including their dependencies. The required services are automatically enabled.

One last window from the automated installer is now displayed. Key information, including the URL to the web interface and the password, is shown on the screen.

Note: Please take note of this information. It is possible to reset your Pi-hole password from the terminal. See additional notes at the end of this article.

The installation is now complete but there are still more steps!

Installation Complete

Step 3 — Updating Your DNS

Pi-hole is running but our internet traffic is still utilizing the DNS server that is configured in our router.

We need to log in to our router and change the DNS server to the IP address that we configured for Pi-Hole.

DNS Server

Be sure to only include your Pi-hole as the primary DNS server. This ensures your requests aren’t being sent through another DNS provider. Remember to always keep your Pi-hole powered on or you’ll lose the ability to query DNS.

Shout out to mr.smashy for correcting a previous version of this article, which said to enter a secondary DNS server. Doing so may cause some of your queries to bypass your Pi-hole, so ads will still get through.

Our router should now be using the Pi-hole as its DNS server.

Step 4 — Accessing the WebUI

Pi-hole comes with a WebUI that allows us to customize settings and view statistics on domains that were blocked.

Open a web browser and connect to the IP address of your Pi-hole followed by /admin. In this guide, we would connect to http://10.0.0.27/admin/.

The WebUI shows us statistics as soon as we access the page.

Pi-hole Web UI

Pi-hole is showing statistics on the following data:

  • Total Queries — The number of queries Pi-hole has processed. You won’t be able to see this information per device. The 2 clients shown are the Pi-hole itself and your router. All queries will pass through your router.
  • Queries Blocked — The number of queries for domains that are on the default blocklists selected during installation.
  • Percent Blocked — Queries Blocked divided by Total Queries.
  • Domains on Blocklist — The number of domains on the default blocklists.

Clicking Login allows us to access more information on the Pi-hole. You will be prompted to provide the password created during installation.

Enter your password and click Log In.

Pi-hole Log In

There are several more options available once you log in. We will not go through all of the options and configurations available.

Note: There is a help button at the bottom of the navigation pane that can assist with detailed troubleshooting.

Admin Web UI

Things to Keep in Mind

  1. Not all domains are malicious. Please keep in mind that websites generate ad revenue from you visiting their site. If you frequent a trusted site, please consider adding their domains to the Pi-hole whitelist.
  2. Blocking domains with Pi-hole may cause some sites to not function properly. If this happens, you will need to go into the logs and look for the blocked traffic. There is a button to whitelist domains on-the-fly.
  3. You can revert your router settings to another DNS server if you choose to stop using Pi-hole.
  4. The admin password to the WebUI can be updated by running the following command from the terminal. You will be prompted to type in your new password.
pi@raspberrypi:~/Pi-hole/automated install $ pihole -a -p
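
For item 2 above, the log search can also be done from the terminal. This is an added example, not part of the original article: it assumes Pi-hole writes dnsmasq-style lines to /var/log/pihole.log and marks blocked answers with the words "blocked" or "blacklisted" (the Pi-hole v5 format). The function names and the sample log are hypothetical and constructed for illustration. It also computes Percent Blocked the way the WebUI section defines it.

```shell
#!/usr/bin/env bash
# Added example. Assumes Pi-hole v5 dnsmasq-style log lines, normally found
# in /var/log/pihole.log; function names are hypothetical helpers.

# Constructed sample log (example domains and documentation addresses).
write_sample_log() {
  cat > "$1" <<'EOF'
Jun 30 21:02:11 dnsmasq[812]: query[A] news.example.com from 10.0.0.1
Jun 30 21:02:11 dnsmasq[812]: forwarded news.example.com to 8.8.8.8
Jun 30 21:02:11 dnsmasq[812]: reply news.example.com is 203.0.113.10
Jun 30 21:02:12 dnsmasq[812]: query[A] ads.example.net from 10.0.0.1
Jun 30 21:02:12 dnsmasq[812]: gravity blocked ads.example.net is 0.0.0.0
Jun 30 21:02:12 dnsmasq[812]: query[AAAA] ads.example.net from 10.0.0.1
Jun 30 21:02:12 dnsmasq[812]: gravity blocked ads.example.net is ::
Jun 30 21:02:13 dnsmasq[812]: query[A] cdn.tracker.example from 10.0.0.1
Jun 30 21:02:13 dnsmasq[812]: gravity blocked cdn.tracker.example is 0.0.0.0
EOF
}

# Count blocked answers per domain, most frequent first.
# Optional second argument: a time prefix such as 21:02 that narrows the
# search to the moment a site stopped working.
blocked_summary() {
  awk -v t="$2" '
    (t == "" || index($3, t) == 1) &&
    ($6 == "blocked" || $6 == "blacklisted") { n[$7]++ }
    END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2,2
}

# Percent Blocked: blocked queries divided by total queries.
percent_blocked() {
  awk '$5 ~ /^query\[/ { q++ }
       $6 == "blocked" || $6 == "blacklisted" { b++ }
       END { if (q) printf "%.1f\n", 100 * b / q; else print "0.0" }' "$1"
}

# Typical use on the Pi-hole itself, right after reproducing the breakage:
#   blocked_summary /var/log/pihole.log "$(date +%H:%M)"
#   percent_blocked /var/log/pihole.log
```

Reload the broken page, run the summary for that minute, and whitelist only the domain the site actually needs rather than everything in the list.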

Wrapping Up

Congrats! Pi-hole is now officially up and running and is actively blocking domains.

Pi-hole is a great way to keep your data and devices safe from malicious advertising. Following this guide ensures that any devices connected to your network will have these protections applied.

If you have any questions feel free to Tweet or PM me @mrkmety


Cybersecurity Enthusiast | Cloud Security & Information Protection @ Boeing | Trying to pass on knowledge to others | www.thecyberblog.com