Pi Hole Extended - Part 2

In the previous post in this guide I covered how to make a router and filtering DNS server. In this second post I’ll cover updating, preventing DNS over HTTPS, extra filter lists and forcing all DNS traffic from devices such as Kindles and Chromecasts through your filter.

Updates

I wrote this guide for Pi-hole v4, however Pi-hole v5 is now out, including per-client filtering. To update:

  • Take a backup
  • SSH into the Pi
  • Run pihole -up

Simple.

Secure DNS

Secure DNS is great for your external internet connection (more on this later), however it causes issues if you want to run your own DNS server. You may need to disable the web browser’s built-in DNS over HTTPS (DoH), which otherwise bypasses your local resolver.

For Firefox this is done automatically for all devices in Pi-hole v4.4+. You can also disable this in individual browsers in network settings (at the bottom of the general section in preferences).

If you really need to use Chrome, you should disable the async DNS resolver experiment. But maybe this is a good time to try Firefox (again), it’s fast and the screenshot functionality (Ctrl + Shift + s) is pretty cool.

If you are using Android 9 (Pie) or later then you may want to disable Private DNS (bottom of Network & Internet in Settings). However, unfortunately you can’t turn this off just for WiFi (or just for certain networks) on an unmodified vendor install.

Blocking

You will likely want to tweak your block-lists or individual domains.

You can add extra block lists (Settings > Blocklists) e.g. hosts.oisd.nl, or disable ones that are not available over HTTPS. The lists are automatically downloaded and updated once a week, early on Sunday morning.

A domain you may wish to add to the Blacklist is polling.bbc.co.uk. This blocks the breaking news popup on the BBC News website (for all browsers on your network).

You may also want to block certain sites to #StopFundingHate or #StopFundingHeat.

Enforcement

The benefit of the Pi-hole being set up as a router is that you can force all DNS requests through your local resolver, even if devices think they are talking to an external DNS server. For example, you can block ads when watching catchup TV on a Google Chromecast.

To do this we need to add a couple more NAT rules (for both TCP and UDP). These transparently redirect all traffic destined for any DNS server (port 53) to the local resolver.

sudo iptables -t nat -A PREROUTING -p udp --dport 53 -j REDIRECT
sudo iptables -t nat -A PREROUTING -p tcp --dport 53 -j REDIRECT

Check that you can see new devices in your Pi-hole admin console Network overview and that your internet connection is still working fine, then save the rules so that they survive a reboot.

sudo sh -c "iptables-save > /etc/iptables.ipv4.nat"
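As an added example (not part of the original post), the script below wraps the two redirect rules and the save step above into one idempotent run: it adds each rule only if it is not already present, counts the active rules from iptables-save output, and only then persists them. It assumes the LAN-facing interface name is supplied in LAN_IF (defaulting to the hypothetical eth0) and that the script is run as root on the Pi with the "apply" argument; the counting helper works on any saved dump without root.

```shell
#!/bin/sh
# Added example, not from the original post. Apply the DNS redirect rules
# idempotently, verify they are active, then save them for reboot.
set -eu

# Assumption: the interface facing your LAN clients. Restricting the rule to
# it means only traffic arriving from the LAN is redirected.
LAN_IF="${LAN_IF:-eth0}"

# Print one rule spec per line for udp and tcp. The same spec text is used
# for -C (check), -A (append) and for matching iptables-save output.
dns_redirect_specs() {
    for proto in udp tcp; do
        printf 'PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports 53\n' \
            "$LAN_IF" "$proto"
    done
}

# Append each rule only when iptables -C reports it missing, so re-running
# the script never duplicates rules.
apply_dns_redirect() {
    dns_redirect_specs | while read -r spec; do
        # shellcheck disable=SC2086  # word-splitting the spec is intended
        if ! iptables -t nat -C $spec 2>/dev/null; then
            iptables -t nat -A $spec
        fi
    done
}

# Count port-53 REDIRECT rules in iptables-save text read from stdin.
# grep -c exits non-zero on a zero count, hence the || true under set -e.
count_dns_redirect_rules() {
    grep -c -- '^-A PREROUTING .*--dport 53 -j REDIRECT' || true
}

# Only touch the firewall when explicitly asked to, and only as root.
if [ "${1:-}" = "apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
    apply_dns_redirect
    n=$(iptables-save -t nat | count_dns_redirect_rules)
    [ "$n" -eq 2 ] || { echo "expected 2 DNS redirect rules, found $n" >&2; exit 1; }
    iptables-save > /etc/iptables.ipv4.nat
    echo "DNS redirect rules active and saved to /etc/iptables.ipv4.nat"
fi
```

Run it as sudo sh redirect-dns.sh apply after confirming LAN_IF matches your setup. Note that this only catches plain DNS on port 53: a device using DNS over HTTPS or Android Private DNS talks on 443 or 853 instead and is not redirected, which is why the Secure DNS section above still matters.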

Future

In future posts I’ll cover improving the security and privacy of connections leaving your network.


This blog is treeware! If you found it useful then please plant a tree.