DNSmasq and Pi-hole

For a long time I have been using BIND as a LAN DNS server, just for my local server setup, so that I can use hostnames instead of IP addresses. I found the hosts file to be a bit low-tech, and it was a good chance to learn a little about DNS along the way. 🙂

A short while ago I was watching the Linux Action Show, where the Pi-hole system was introduced. Being able to block ads before they even enter the network (or, more correctly, before they are even requested) seems like a super idea to me. So I started reading up on the requirements.

It seems that Pi-hole depends on DNSmasq, so I had to read up on that as well. And the more I read, the more interested I became. Not only because of Pi-hole, but also because DNSmasq keeps a record of the hostnames of the clients requesting an IP address from it.
That would be useful for my Windows network as well, as Samba shares are sometimes not visible on the network, depending on which of the computers won the election for master browser. It’s actually possible to use DNSmasq as a WINS server as well.

So far, then, these were the features I was after:

  • DHCP server
  • DNS server (referencing also the DHCP clients)
  • WINS server
  • Easy addition of my servers in only the hosts file on the DNS server
  • Ad blocking on the DNS level

Hardware and OS

I elected to use an N3050-based mini-ITX board (ASRock N3050B-ITX) instead of a Raspberry Pi. I am not a fan of using SD cards for computer systems that need to run 24/7. The instances that I have used wore out the SD card within a year. There is probably a setting that can solve this, but I didn’t find it. Maybe it’s also better this way, as I prefer fire-and-forget solutions.

For the OS I went with Debian, as I want the stability. It’s just my personal preference though. I could just as well have chosen an Ubuntu installation, or Arch Linux for that matter (it runs my main server).

I will not bore you with how to install Debian. I trust that everyone who has ever set up a server system has used Debian at some point. Let’s just quickly summarize which settings I changed for my setup.

  1. Static IP address (/etc/network/interfaces)
  2. Hostname (/etc/hostname and /etc/hosts)
  3. Locale (/etc/locale.gen and /etc/default/locale)

DNSmasq configuration

The following is what I entered in the config file for DNSmasq. Please note I made a new file in the dnsmasq.d folder instead of changing the original.

domain-needed
bogus-priv
local=/localdomain/
listen-address=127.0.0.1
listen-address=192.168.1.2
bind-interfaces
expand-hosts
domain=localdomain

dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-option=option:dns-server,192.168.1.2

dhcp-option=19,0 # Option IP-forwarding off
dhcp-option=44,0.0.0.0 # set WINS server
dhcp-option=45,0.0.0.0 # Netbios datagram distribution server
dhcp-option=46,8 # Netbios node type
dhcp-option=252,"\n" # send empty WPAD option (for win7)
dhcp-option=vendor:MSFT,2,1i

bogus-nxdomain=64.94.110.11 # disable Verisign re-direct service

dhcp-range=192.168.1.50,192.168.1.99,static,255.255.255.0,12h
dhcp-host=00:11:22:33:44:55,192.168.1.50 # laptop 
dhcp-host=00:22:33:44:55:66,192.168.1.70 # A4 printer

Most of these are self-explanatory. But let me highlight one that I know could give you trouble.

As you can see, I have two dhcp-ranges defined. The first defines which addresses the dynamic hosts are given. The second is a range that I use for special hosts that get “static” addresses via DHCP. If this second definition is missing, then the lines starting with dhcp-host will not work either!
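Here is a small POSIX shell check for exactly this gotcha, added as an example and not part of the original post: it reads a dnsmasq config on stdin, collects the start/end of every dhcp-range and every dhcp-host reservation, and reports any reservation whose address lies outside all of the ranges. It assumes the syntax used above (dhcp-range=START,END,... and dhcp-host=MAC,IP) and strips trailing # comments; the sample config inside it is a constructed copy of the relevant lines from the config above, and the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: check that every dhcp-host
# reservation in a dnsmasq config lies inside one of the dhcp-range lines.
# Assumes the forms used in the post: dhcp-range=START,END,... and
# dhcp-host=MAC,IP (other dhcp-host forms, e.g. with a hostname, are not parsed).

# check_dhcp_hosts: reads a dnsmasq config on stdin, prints one line per
# reservation that no range covers, and returns 1 if there were any.
check_dhcp_hosts() {
  awk -F'[=,]' '
    # dotted quad -> integer, so START <= IP <= END can be tested numerically
    function ip2int(ip,   o) {
      split(ip, o, ".")
      return o[1] * 16777216 + o[2] * 65536 + o[3] * 256 + o[4]
    }
    { sub(/#.*/, ""); sub(/[ \t]+$/, "") }     # drop trailing comments and blanks
    /^dhcp-range=/ { lo[++nr] = ip2int($2); hi[nr] = ip2int($3) }
    /^dhcp-host=/  { mac[++nh] = $2; ip[nh] = $3 }
    END {
      bad = 0
      for (h = 1; h <= nh; h++) {
        n = ip2int(ip[h]); ok = 0
        for (r = 1; r <= nr; r++)
          if (n >= lo[r] && n <= hi[r]) ok = 1
        if (!ok) {
          printf "dhcp-host %s (%s) is outside every dhcp-range\n", mac[h], ip[h]
          bad++
        }
      }
      exit (bad > 0)
    }'
}

# Constructed sample config: the ranges and reservations from the post.
sample_config() {
  cat <<'EOF'
dhcp-range=192.168.1.100,192.168.1.254,255.255.255.0,12h
dhcp-option=option:router,192.168.1.1
dhcp-range=192.168.1.50,192.168.1.99,static,255.255.255.0,12h
dhcp-host=00:11:22:33:44:55,192.168.1.50 # laptop
dhcp-host=00:22:33:44:55:66,192.168.1.70 # A4 printer
EOF
}

# Demo: without the static range both reservations are flagged; with it they pass.
sample_config | grep -v ',static,' | check_dhcp_hosts || echo "(that failure is the gotcha described above)"
sample_config | check_dhcp_hosts && echo "all reservations are covered by a dhcp-range"
```

On a real box run it as `check_dhcp_hosts < /etc/dnsmasq.d/your-file.conf` before restarting the service; a non-zero exit means at least one reservation would be silently ignored.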

That’s pretty much all that is necessary for DNSmasq to be started.

$ service dnsmasq restart

Hosts lookup

Of course we are not finished yet. There is still the matter of the LAN servers that need to be added, as well as Pi-hole.

To add a server (host) to the DNS lookup, just add it to the hosts file on the DNS server.
Below is the content of my hosts file for reference. You can see I have a couple of hosts defined.

127.0.0.1       localhost
#127.0.1.1      ns1.localdomain        ns1

# Network hosts
192.168.1.2      ns1
192.168.1.10      webserver.localdomain www.webserver.localdomain files.webserver.localdomain

# Virtual hosts
192.168.1.20      gitlab.localdomain

# Printers
192.168.1.70      a4.localdomain

# Network devices
192.168.1.1       router.localdomain


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

And then run the command:
$ service dnsmasq reload

Now you can access the server webserver.localdomain from your client using the domain name instead of the IP address. Easy right?

You can specify as many domain names on one IP address as you need. Wildcard domains, however, are not supported in the hosts file. So something like
*.webserver.localdomain
would not be parsed.

Pi-hole

Before we continue, please make absolutely sure your DNSmasq is up and running OK. It’s easier to look for errors afterwards if you know where to look 🙂

Installing Pi-hole is as easy as running a simple command and following the on-screen instructions. The command to run is
$ curl -L https://install.pi-hole.net | bash

You can find more information on the process on the Pi-hole website. (links are at the bottom)

If you check in the dnsmasq.d directory, you will see an additional file placed there by Pi-hole. It contains the settings that Pi-hole needs to work and should not be edited.

If you are curious to see which domains are being blocked by Pi-hole, then check the file /etc/pihole/gravity.list. It contains a very, very long list of domains. Again, this file should not be edited manually. If you want to whitelist a domain, then add it to /etc/pihole/whitelist.txt.
My whitelist can be seen below:

raw.githubusercontent.com
adblock.gjtech.net
mirror1.malwaredomains.com
sysctl.org
zeustracker.abuse.ch
s3.amazonaws.com
hosts-file.net

# ekstrabladet
aka-cdn-ns.adtech.de
adserver.adtech.de

# needed for normal surfing
.cloudfront.net
.optimizely.com

# Cnet downloads
dw.cbsi.com

Some are already present when you install Pi-hole, others I have added. The people who made the blocklists used by Pi-hole seem to have gone a little overboard. They block some domains that make web surfing very hard. And you don’t want your wife or kids coming running all the time because their favorite website is not working!

Both cloudfront and optimizely are blocked. But they are used by thousands of websites to deliver content, and thus need to be whitelisted. (At least in my household).

It just happens that some of the members of my household can’t live without a certain Danish news site. So I have been forced to whitelist some adtech sites as well.

And I ran into an issue when I wanted to download a program from cnet. They apparently need a special site to enable the downloads.

After adding your sites to the whitelist (or blacklist for that matter) you need to run the following command to update the gravity list.
$ pihole -g

Determining domain to whitelist

If you find yourself unable to use a website, and want to see which domains it actually needs to access, there is a handy little extension for Chrome called “Whitelist assistant by DNSthingy” that you can use. It will list all the domains accessed.

Alternatively, you can also use something like Ghostery or Privacy Badger to see which domains are blocked. However, you might need unfiltered DNS access to use those: your Pi-hole blocks the domains, so neither tool may be aware of them.

There is a webpage that has instructions on how to whitelist domains. It is included at the bottom of this page.
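The Pi-hole box itself can also tell you which lookups it blocked, which helps both with deciding what to whitelist (the whitelist section above) and with finding the domains a broken site needs (this section): dnsmasq, with query logging enabled as Pi-hole sets it up, writes every query and every answer it served from gravity.list to its log. The following POSIX shell script is an added example, not part of the original post or of Pi-hole. It reads such a log on stdin, pairs each gravity.list answer with the client that asked for the name, and prints client/domain pairs so you can see what a given machine had blocked while a site was misbehaving. It assumes the log line format shown in the constructed sample, the log path /var/log/pihole.log, and that each answer line follows the query line for the same name; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post or of Pi-hole. Assumes dnsmasq
# query logging as Pi-hole configures it (log-queries, log file assumed to be
# /var/log/pihole.log) and that each gravity.list answer line follows the
# query[...] line for the same name.

# blocked_queries: read a dnsmasq query log on stdin, print unique
# "CLIENT DOMAIN" pairs for every name answered from the gravity list.
blocked_queries() {
  awk '
    # "... dnsmasq[PID]: query[A] NAME from CLIENT": remember who asked for NAME
    $5 ~ /^query\[/ { client[$6] = $8 }
    # "... dnsmasq[PID]: /etc/pihole/gravity.list NAME is ADDR": NAME was blocked
    $5 == "/etc/pihole/gravity.list" {
      key = client[$6] " " $6
      if (!seen[key]++) print key
    }' | LC_ALL=C sort
}

# blocked_domains_for CLIENT: only the blocked names one client asked for,
# i.e. the candidates to look at before adding anything to whitelist.txt.
blocked_domains_for() {
  blocked_queries | awk -v c="$1" '$1 == c { print $2 }'
}

# Constructed sample log in dnsmasq format (not a real capture). Upstream is
# the router from the post; blocked names get the Pi-hole address 192.168.1.2.
sample_log() {
  cat <<'EOF'
Mar  1 20:15:01 dnsmasq[1234]: query[A] www.example.com from 192.168.1.50
Mar  1 20:15:01 dnsmasq[1234]: forwarded www.example.com to 192.168.1.1
Mar  1 20:15:01 dnsmasq[1234]: reply www.example.com is 203.0.113.10
Mar  1 20:15:02 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.50
Mar  1 20:15:02 dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 192.168.1.2
Mar  1 20:15:02 dnsmasq[1234]: query[A] cdn.example.org from 192.168.1.50
Mar  1 20:15:02 dnsmasq[1234]: /etc/pihole/gravity.list cdn.example.org is 192.168.1.2
Mar  1 20:15:03 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.70
Mar  1 20:15:03 dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 192.168.1.2
Mar  1 20:15:03 dnsmasq[1234]: query[A] ads.example.net from 192.168.1.50
Mar  1 20:15:03 dnsmasq[1234]: /etc/pihole/gravity.list ads.example.net is 192.168.1.2
EOF
}

# Demo: every blocked client/domain pair, then only what the printer asked for.
sample_log | blocked_queries
sample_log | blocked_domains_for 192.168.1.70
```

Against the real log, load a broken page from one client and run `blocked_domains_for 192.168.1.50 < /var/log/pihole.log` (your own client address instead); the names it prints are what the site tried to reach through the Pi-hole, and usually only one or two of them are the content hosts worth whitelisting, the rest being the trackers you wanted blocked anyway.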

Windows and internet access

After using Pi-hole, my Windows 10 machine started to show some weird behaviour. Every time I log in, the web browser is launched and shows the msn.com website. Rather annoying. It seems that Microsoft in their infinite wisdom found it necessary to check whether a computer has access to the Internet, and if not, they launch the web browser just to be sure?!

The page they are polling is msftncsi.com, and one solution would be to simply whitelist it. However, there is a second option, and that is to change the registry to disable this connectivity check. The key needed can be found under
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NlaSvc\Parameters\Internet\EnableActiveProbing
Change the value from 1 to 0. Problem solved!

EDIT:
It didn’t last long. I have been forced to whitelist the following addresses, because my crappy (company) Windows phone is a dumb piece of BEEP. 🙁

msftncsi.com
www.msftncsi.com
ipv6.msftncsi.com

Additional sources

https://www.linux.com/learn/dnsmasq-easy-lan-name-services – DNSmasq easy LAN name services.
https://pi-hole.net – The home of the Pi-hole project.
https://pi-hole.net/faq/how-do-i-whitelist-or-blacklist-a-webiste-or-domain/ – Whitelisting and blacklisting domains.
http://serverfault.com/questions/695874/default-browser-opens-to-msn-com-when-logging-into-windows-server – Windows Internet discovery problem.
http://kx.cloudingenium.com/microsoft/servers/windows-servers/what-is-www-msftncsi-com/ – Details on msftncsi.com.

2 thoughts on “DNSmasq and Pi-hole”

  1. Madeye

    I received an email from Jacques via the contact form. Here are the contents:
    Hey,
    I was reading your article on dnsmasq and pi-hole. Awesome article btw. I was planning on setting up dnsmasq and today stumbled on pi-hole. It will be a great addition.

    Anyways I saw you mention that you weren’t using a Pi because of the SD card thing. I moved away from the Pi because of that and I wanted an Ethernet port that’s not interfaced via USB (because VPN connections).

    My solution was to go for an ODROID from Hardkernel (I use the XU4). They have a bit better hardware than Pis (better processors, more RAM) and have the option of eMMC 5.0 flash storage so that you don’t have to use an SD card. They aren’t too expensive either. I figured you would probably like to hear about it.

    Thanks,
    Jacques
