- Raspberry Pi with SD card & power supply: 35\u20ac single point of failure<\/li>
- Raspbian Lite<\/a>: minimal Raspberry OS to keep the device lite and fast<\/li>
- Laptop with\/and SD card reader: to install OS to SD card<\/li>
- UNetbootin<\/a> or Etcher<\/a>: to burn the Raspbian image to the SD card<\/li>
- Putty: SSH Client to manage the Raspbi remotely<\/li>
- Pi-Hole<\/a>: the ads blocking local DNS server<\/li><\/ul>\n\n\n\n
I have used an old Raspberry Pi 2 model B<\/a> I had purchased in 2015 for my first Eclipse SmartHome project. Since then, this particular Raspbi has gone through quite a few projects, like the RFID Jukebox<\/a> and a Kura gateway<\/a> for an Eclipse Open IoT challenge in 2017<\/a>.<\/p>\n\n\n\n
If you don’t have a Raspberry laying around to spare, you will need a Raspberry Pi (35\u20ac), SD card(7\u20ac<\/a>), Raspberry Case(6\u20ac<\/a>), a CAT5e cable(0.5\u20ac<\/a>) and an USB charger(10\u20ac<\/a>).
This is less than 60\u20ac for improving privacy and internet safety at home.<\/p>\n\n\n\nInstall Raspbian Lite<\/h2>\n\n\n\n
Go to the official Raspbrian site<\/a> and grab the Raspberry Pi OS Lite. Use UNetbootin or Etcher to burn it to the SD card.
BTW, here is an alternative installation using Docker<\/a>, which is also well documented.<\/p>\n\n\n\nEnable SSH<\/h3>\n\n\n\n
Don’t forget to add a single SSH text file, without the “.txt” file extension, this will activate the SSH server on the Raspberry, so you need to do it before you install the SD card into the Raspberry Pi.<\/p>\n\n\n\n
Install Pi-Hole<\/h2>\n\n\n\n
That’s it, the Raspbi is ready. Now we just need to plug it the card in, connect the Raspi to the router and log into the system using SSH.
First thing to do is change the default password and update the OS<\/p>\n\n\n\npasswd\nsudo apt-get update\nsudo apt-get dist-upgrade<\/pre>\n\n\n\n
And install Pi-hole using these two commands<\/p>\n\n\n\n
wget -O basic-install.sh https:\/\/install.pi-hole.net\nsudo bash basic-install.sh<\/pre>\n\n\n\n
The installation process is quite forward, just remember to choose a good upstream DNS for Pi-hole. Tip: you might want to avoid Google.<\/p>\n\n\n\n
You can check your Pi-Hole Admin interface at 192.168.XXX.XXX\/admin<\/p>\n\n\n\n
![\"pi-hole](\"https:\/\/www.mutareb.com\/wp-content\/uploads\/2021\/10\/pi-hole-admin-1024x401.jpg\")
<\/figure>\n\n\n\nChange the DNS in your Router<\/h3>\n\n\n\n
You need to change the primary DNS for the network in your router configuration, so that most devices will use it. I write most, because there are a rising number of applications and devices that have hard coded DNS settings to offset this, read more about it on this Reddit thread<\/a>.<\/p>\n\n\n\n
Setup Log2Ram<\/h3>\n\n\n\n
Log2Ram reduces the number of times that Pi-hole writes to your SD card, which can reduce the lifespan of your SD Card. Check out their GitHub page<\/a> for all the information you need to set it up and customize it.<\/p>\n\n\n\n
DNS-Over-HTTPS<\/h3>\n\n\n\n
If you would like to have an even more secure DNS you can set up your Pi-Hole to run DNS-Over-HTTPS.<\/p>\n\n\n\n
In case you came across DNS-OVER-TLS before and are wondering why I opted for DNS-Over-HTTPS instead, you can read about the difference here on this cloudflare blog post<\/a>.
In short: DOH provides more privacy, as DNS queries are hidden within the larger flow of HTTPS traffic.<\/p>\n\n\n\nInstalling cloudflared<\/h4>\n\n\n\n
The installation is fairly straightforward. We download the precompiled binary and copy it to
\/usr\/local\/bin\/<\/code> to allow execution by the cloudflared user. Then proceed to run the binary with the-v<\/code> flag to check it is all working.<\/p>\n\n\n\nwget https:\/\/bin.equinox.io\/c\/VdrWdbjqyF\/cloudflared-stable-linux-arm.tgz\ntar -xvzf cloudflared-stable-linux-arm.tgz\nsudo cp .\/cloudflared \/usr\/local\/bin\nsudo chmod +x \/usr\/local\/bin\/cloudflared\ncloudflared -v\n<\/pre>\n\n\n\n
We need to create a cloudflared user for the daemon<\/p>\n\n\n\n
sudo useradd -s \/usr\/sbin\/nologin -r -M cloudflared<\/pre>\n\n\n\n
We will create a config file at \/etc\/default\/cloudflared to pass the options to the daemon at startup. It will contain the following command-line options<\/p>\n\n\n\n
# Commandline args for cloudflared\nCLOUDFLARED_OPTS=--port 5053 --upstream https:\/\/1.1.1.1\/dns-query --upstream https:\/\/1.0.0.1\/dns-query<\/pre>\n\n\n\n
And it needs to be owned by the new user<\/p>\n\n\n\n
sudo chown cloudflared:cloudflared \/etc\/default\/cloudflared\nsudo chown cloudflared:cloudflared \/usr\/local\/bin\/cloudflared<\/pre>\n\n\n\n
Now we need to create the
systemd<\/code> script by copying the following in to\/lib\/systemd\/system\/cloudflared.service<\/code>. This will control the running of the service and allow it to run on startup.<\/p>\n\n\n\n[Unit]\nDescription=cloudflared DNS over HTTPS proxy\nAfter=syslog.target network-online.target\n\n[Service]\nType=simple\nUser=cloudflared\nEnvironmentFile=\/etc\/default\/cloudflared\nExecStart=\/usr\/local\/bin\/cloudflared proxy-dns $CLOUDFLARED_OPTS\nRestart=on-failure\nRestartSec=10\nKillMode=process\n\n[Install]\nWantedBy=multi-user.target<\/pre>\n\n\n\n
Now enable the systemd service to run at startup<\/p>\n\n\n\n
sudo systemctl enable cloudflared\nsudo systemctl start cloudflared\nsudo systemctl status cloudflared<\/pre>\n\n\n\n
Now let’s that it’s working<\/p>\n\n\n\n
![\"\"](\"https:\/\/www.mutareb.com\/wp-content\/uploads\/2021\/10\/dig-cloudflared.jpg\")
<\/figure>\n\n\n\nReconfiguring DNS<\/h4>\n\n\n\n
We now have a working DNS-over-HTTPS service, at least locally on the Raspberry. The next steps will cover how to implement the service for network-wide DNS lookups.
Go to the Pi-Hole Admin interface -> Settings ->DNS tab
You will need to disable the selected upstream DNS server and add the new local cloudflared daemon<\/p>\n\n\n\n![\"\"](\"https:\/\/www.mutareb.com\/wp-content\/uploads\/2021\/10\/pihole-dns-settings-https-1024x614.jpg\")
<\/figure>\n\n\n\nKeeping cloudflared updated<\/h4>\n\n\n\n
To keep cloudflared updated, we will need a weekly cron job. Just create the file
\/etc\/cron.weekly\/cloudflared-updater<\/code> with the following update commands<\/p>\n\n\n\nwget https:\/\/github.com\/cloudflare\/cloudflared\/releases\/latest\/download\/cloudflared-linux-arm\nsudo systemctl stop cloudflared\nsudo cp .\/cloudflared-linux-arm \/usr\/local\/bin\/cloudflared\nsudo chmod +x \/usr\/local\/bin\/cloudflared\nsudo systemctl start cloudflared\ncloudflared -v\nsudo systemctl status cloudflared<\/code><\/pre>\n\n\n\nand adjust permissions<\/p>\n\n\n\n
sudo chmod +x \/etc\/cron.weekly\/cloudflared-updater\nsudo chown root:root \/etc\/cron.weekly\/cloudflared-updater<\/code><\/pre>\n\n\n\nThat’s it. You now have a working Pi-Hole running DNS queries over HTTPS. You can test your connection here<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"
The internet has always been invested with a lot of Ads, but the amount of tracking, personalized and intrusive Ads has grown exponentially. While I’ve kept my own devices setup to combat them, the number of smart devices and also users is growing at home. In addition, blocking the ads from displaying or the scripts… Continue reading Pi-Hole on Raspberry Pi<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":76,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[9],"tags":[13,11,12],"series":[7],"class_list":["post-44","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-it-security","tag-privacy","tag-raspberry-pi","tag-security","series-linux-server","entry"],"_links":{"self":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/44","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/comments?post=44"}],"version-history":[{"count":12,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions"}],"predecessor-version":[{"id":78,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/posts\/44\/revisions\/78"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/media\/76"}],"wp:attachment":[{"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/media?parent=44"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/categories?post=44"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/tags?post=44"},{"taxonomy":"series","embeddable":true,"href":"https:\/\/www.mutareb.com\/index.php\/wp-json\/wp\/v2\/series?post=44"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}