For a long time I have been using bind as a LAN DNS server. Just for my local server setup, so that I can use hostnames instead of IP addresses. I found the hosts file to be a bit low-tech, and it was a good chance to learn a little about DNS along the way. :-)
A short while ago I was watching the Linux Action Show, where the Pi-hole system was introduced. Being able to block ads before they even enter the network (or, more correctly, before they are requested) seems like a super idea to me. So I started reading up on the requirements.
It seems that Pi-hole depends on DNSmasq, so I had to read up on that as well. And the more I read, the more interested I became. Not only because of Pi-hole, but also because DNSmasq would keep a record of the hostnames requesting an IP address from it.
That would be useful for my Windows network as well, as Samba shares sometimes are not visible on the network, depending on which of the computers won the browse master election. It's actually possible to use DNSmasq as a WINS server as well.
So far, that gave me the following features:
- DHCP server
- DNS server (referencing also the DHCP clients)
- WINS server
- Easy addition of my servers by editing only the hosts file on the DNS server
- Ad blocking on the DNS level
Hardware and OS
I elected to use an N3050 based mini-ITX board (ASRock N3050B-ITX) instead of a Raspberry Pi. I am not a fan of using SD cards for computer systems that need to run 24/7. The instances that I have used wore out the SD card within a year. There is probably a setting that can solve this, but I didn't find it. Maybe it's also better this way, as I prefer fire-and-forget solutions.
For the OS I went with Debian, as I want the stability. It's just my personal preference though. I could just as well have chosen an Ubuntu installation, or Arch Linux for that matter (that runs my main server).
I will not bore you with how to install Debian. I trust that everyone who has ever set up a server system has used Debian at some point. Let's just quickly summarize which settings I changed for my setup.
- Static IP address (/etc/network/interfaces)
- Hostname (/etc/hostname and /etc/hosts)
- Locale (/etc/locale.gen and /etc/default/locale)
The following is what I entered in the config file for DNSmasq. Please note I made a new file in the dnsmasq.d folder instead of changing the original.
domain-needed
bogus-priv
local=/localdomain/
listen-address=127.0.0.1
listen-address=192.168.1.2
bind-interfaces
expand-hosts
domain=localdomain
dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.2
dhcp-option=19,0 # Option IP-forwarding off
dhcp-option=44,0.0.0.0 # set WINS server
dhcp-option=45,0.0.0.0 # Netbios datagram distribution server
dhcp-option=46,8 # Netbios node type
dhcp-option=252,"\n" # send empty WPAD option (for win7)
dhcp-option=vendor:MSFT,2,1i
bogus-nxdomain=126.96.36.199 # disable Verisign re-direct service
dhcp-range=192.168.1.50,192.168.1.99,static,255.255.255.0,12h
dhcp-host=00:11:22:33:44:55,192.168.1.50 # laptop
dhcp-host=00:22:33:44:55:66,192.168.1.70 # A4 printer
Most of these are self-explanatory. But let me highlight one that I know could give you trouble.
As you can see I have two dhcp-range lines defined. The first defines which addresses the dynamic hosts are given. The second is a range that I use for special hosts that get "static" addresses from DHCP. If this second definition is missing, then the lines starting with dhcp-host will not work either!
That's pretty much all that is necessary for DNSmasq to be started.
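The dhcp-range gotcha above is easy to check mechanically. Below is an added example (not from the original post) that reads a dnsmasq config in the shape shown here and reports, for every dhcp-host reservation, whether its address falls inside a static range, only inside a dynamic range, or inside no range at all. The config text and MAC addresses are constructed samples, and inline "#" comments are stripped the way the file above uses them.

```python
import ipaddress
import re

# Constructed sample like this page's dnsmasq.d (hypothetical MACs); last host is outside every range.
SAMPLE_CONF = """\
dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h
dhcp-option=252,"\\n"  # quoted value; the '#' after it starts a comment
dhcp-range=192.168.1.50,192.168.1.99,static,255.255.255.0,12h
dhcp-host=00:11:22:33:44:55,192.168.1.50  # laptop
dhcp-host=00:22:33:44:55:66,192.168.1.70  # A4 printer
dhcp-host=00:33:44:55:66:77,192.168.1.20  # not inside any dhcp-range
"""
IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")

def strip_comment(line):
    """Drop a trailing '# ...' comment unless the '#' sits inside double quotes."""
    out, quoted = [], False
    for ch in line:
        if ch == '"':
            quoted = not quoted
        elif ch == "#" and not quoted:
            break
        out.append(ch)
    return "".join(out).strip()

def parse_dhcp(text):
    """Collect (first, last, is_static) ranges and (mac, ip) reservations;
    only plain dhcp-range lines (no tag/interface prefix) are understood."""
    ranges, hosts = [], []
    for raw in text.splitlines():
        line = strip_comment(raw)
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        fields = [f.strip() for f in value.split(",")]
        ips = [ipaddress.ip_address(f) for f in fields if IPV4.fullmatch(f)]
        if key == "dhcp-range" and len(ips) >= 2:
            ranges.append((ips[0], ips[1], "static" in fields[2:]))
        elif key == "dhcp-host" and ips:
            hosts.append((fields[0], ips[0]))
    return ranges, hosts

def check_dhcp_hosts(text):
    """Map each reserved IP to 'static', 'dynamic' or 'uncovered' by dhcp-range."""
    ranges, hosts = parse_dhcp(text)
    result = {}
    for _mac, ip in hosts:
        kinds = {"static" if s else "dynamic" for lo, hi, s in ranges if lo <= ip <= hi}
        result[str(ip)] = "static" if "static" in kinds else "dynamic" if kinds else "uncovered"
    return result
```

Run it against the real file with `check_dhcp_hosts(open("/etc/dnsmasq.d/yourfile.conf").read())`; any "uncovered" entry is a reservation that will silently never be handed out.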
$ service dnsmasq restart
Of course we are not finished yet. There is still the matter of the LAN servers that need to be added, as well as Pi-hole.
To add a server (host) to the DNS lookup, just add it to the hosts file on the DNS server.
Below is the content of my hosts file for reference. You can see I have a couple of hosts defined.
127.0.0.1 localhost
#127.0.1.1 ns1.localdomain ns1
# Network hosts
192.168.1.2 ns1
192.168.1.10 webserver.localdomain www.webserver.localdomain files.webserver.localdomain
# Virtual hosts
192.168.1.20 gitlab.localdomain
# Printers
192.168.1.70 a4.localdomain
# Network devices
192.168.1.1 router.localdomain
# The following lines are desirable for IPv6 capable hosts
::1 localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
And then run the command:
$ service dnsmasq reload
Now you can access the server webserver.localdomain from your client using the domain name instead of the IP address. Easy, right?
You can specify as many domain names on one IP address as you need. Wildcard domains are not supported. So something like
would not be parsed.
Before we continue, please make absolutely sure your DNSmasq is up and running OK. It's easier to look for errors afterwards if you know where to look :-)
Installing Pi-hole is as easy as running a simple command and following the on-screen instructions. The command to run is
$ curl -L https://install.pi-hole.net | bash
You can find more information on the process on the Pi-hole website. (links are at the bottom)
If you check in the dnsmasq.d directory, you will see an additional file placed there by Pi-hole. It contains the settings that Pi-hole needs to work and should not be edited.
If you are curious to see which domains are being blocked by Pi-hole, then check the file /etc/pihole/gravity.list. It contains a very, very long list of domains. Again, this file should not be edited manually. If you want to whitelist a domain, then add it to /etc/pihole/whitelist.txt.
My whitelist can be seen below:
raw.githubusercontent.com
adblock.gjtech.net
mirror1.malwaredomains.com
sysctl.org
zeustracker.abuse.ch
s3.amazonaws.com
hosts-file.net
# ekstrabladet
aka-cdn-ns.adtech.de
adserver.adtech.de
# needed for normal surfing
.cloudfront.net
.optimizely.com
# Cnet downloads
dw.cbsi.com
Some are already present when you install Pi-hole, others I have added. The people who made the blocklists used by Pi-hole seem to have gone a little overboard. They block some domains that make web surfing very hard. And you don't want your wife or kids coming running all the time because their favorite website is not working!
Both cloudfront and optimizely are blocked. But they are used by thousands of websites to deliver content, and thus need to be whitelisted. (At least in my household).
It just happens that some of the members of my household can't live without a certain Danish news site. So I have been forced to whitelist some adtech sites as well.
And I ran into an issue when I wanted to download a program from cnet. They apparently need a special site to enable the downloads.
After adding your sites to the whitelist (or blacklist for that matter) you need to run the following command to update the gravity list.
$ pihole -g
Determining domain to whitelist
If you find yourself unable to use a website, and want to see which domains it actually needs to access, there is a handy little extension for Chrome called "Whitelist assistant by DNSthingy" that you can use. It will list all the domains accessed.
Alternatively you can also use something like Ghostery or Privacy Badger to see which domains are blocked. However, you might need unfiltered DNS access to use them: your Pi-hole blocks the domains, so neither of the tools may be aware of them.
There is a webpage that has instructions on how to whitelist domains. It is included at the bottom of this page.
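To tie the whitelist section and the "Determining domain to whitelist" section together, here is an added example (not part of the original post or of Pi-hole itself). Given the list of domains a page needs (for instance as reported by the Chrome extension above), it tells you which of them are in gravity.list and not yet rescued by whitelist.txt, so you know exactly what to add before running `pihole -g`. The gravity and whitelist contents are constructed samples, and the rule that a leading-dot entry such as `.cloudfront.net` covers all of its subdomains is an assumption about how those entries are meant.

```python
# Constructed stand-ins for /etc/pihole/gravity.list and /etc/pihole/whitelist.txt
# (sample domains; a real gravity.list is far longer).
GRAVITY = """\
adserver.adtech.de
aka-cdn-ns.adtech.de
d111111abcdef8.cloudfront.net
cdn.optimizely.com
tracker.example
"""
WHITELIST = """\
adserver.adtech.de
# needed for normal surfing
.cloudfront.net
.optimizely.com
"""

def load_list(text):
    """One domain per line; '#' comments and blanks are ignored, and a
    hosts-file style '<ip> domain' line yields its last field."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()
        if line:
            entries.append(line.split()[-1])
    return entries

def is_whitelisted(domain, whitelist):
    """Exact entries match one name; a leading-dot entry such as '.cloudfront.net'
    is assumed to cover that domain and every subdomain beneath it."""
    domain = domain.lower().rstrip(".")
    for entry in whitelist:
        if entry.startswith("."):
            if domain == entry[1:] or domain.endswith(entry):
                return True
        elif domain == entry:
            return True
    return False

def still_blocked(needed, gravity_text, whitelist_text):
    """Of the domains a site needs, those in gravity.list that no whitelist
    entry rescues: the candidates to add to whitelist.txt before 'pihole -g'."""
    blocked = set(load_list(gravity_text))
    whitelist = load_list(whitelist_text)
    return sorted(d for d in needed
                  if d.lower().rstrip(".") in blocked and not is_whitelisted(d, whitelist))
```

On the real box, pass `open("/etc/pihole/gravity.list").read()` and `open("/etc/pihole/whitelist.txt").read()` instead of the samples.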
Windows and internet access
After using Pi-hole, my Windows 10 machine started to show some weird behaviour. Every time I log in, the web browser is launched and shows the msn.com website. Rather annoying. It seems that Microsoft in their infinite wisdom found it necessary to check if a computer has access to the Internet, and if not, they launch the web browser just to be sure?!
The page they are polling is msftncsi.com and the solution could be to just whitelist it. However there is a second option. And that is to change the registry to disable this network discovery service. The key needed can be found under
And change the value from 1 to 0. Problem solved!
It didn't last long. I have been forced to whitelist the following addresses, because my crappy (company) Windows phone is a dumb piece of BEEP. :-(
msftncsi.com
www.msftncsi.com
ipv6.msftncsi.com