Pihole is an amazing tool – Protecting your network with Pihole

Olivier Butterbach

CEO of CD Cloud Logix


Foreword: I’m fascinated by technology and I wanted to share my findings while experimenting with Pihole. I’m not personally against advertising companies as long as they’re not too intrusive. Pihole is advertised as an ad blocker, but it’s actually an amazing tool for protecting your own network from malware and so on.

I. Requirement and installation

This is the starting point of our journey; I will cover this part quickly, as you can find many guides online for installing Pihole.

I’m personally running Pihole on a Raspberry Pi, to which I gave a fixed private IP address on my network and where I redirect all my DNS queries. You need some basic knowledge of the Linux command line to install Pihole; here is a link to the official Raspberry Pi documentation on how to use the Terminal.

If you have some experience using Terminal, you can then start Pihole installation by simply using:

curl -sSL https://install.pi-hole.net | bash

This command runs the installation automatically. For more information and guidelines, have a look at the official Pihole documentation.

II. Pihole Dashboard

Another part I will cover quickly: the Pihole Dashboard is rather self-explanatory. Once you have completed the installation in part I, open the following address in your favourite browser:

http://<Pihole IP address>/admin
Pihole Dashboard

The password for the login tab is randomised and shown in your terminal after the installation; you can always reset it from the terminal with:

$ pihole -a -p

You will then be presented with this detailed dashboard:

Pihole detail dashboard

This dashboard gives access to most of the Pihole controls, such as DHCP and DNS configuration, as well as reloading the configuration. The dashboard also helps with troubleshooting and visualising the overall amount of DNS request traffic, something you will need once we unlock the full potential of Pihole with the command line in the following parts.

III. Community filter lists

The first step to make the most of your new toy is to use the lists of filtered domains already gathered by the community. The website filterlists.com collects the main lists that help you block:

  • Spyware domains
  • Malware domains
  • Coinmining networks
  • Ransomware domains
  • Phishing domains
  • Trackers and analytics domains
Pihole logo is displayed when the filter is compatible with Pihole

To implement one of the filters, select the one you’d like to use, right click on the “ 🔎 View” link and select Copy link location. Then open your terminal and paste this URL into the /etc/pihole/adlists.list file. Once done, reload the Pihole configuration with the pihole -g command. Here is an example of the output of this command:

root@pihole:~# pihole -g
  [i] Pi-hole blocking is enabled
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range
  [i] Target: raw.githubusercontent.com (adservers-and-trackers.txt)
  [✓] Status: Retrieval successful

These external filter lists are maintained and updated from time to time; I would advise setting up a cron job that runs the above command weekly in order to keep them up to date.

As a starting point, here is the list of filters implemented on my personal Pihole:

root@pihole:/home/pi# cat /etc/pihole/adlists.list
# Prevent Trackers and Malwares
https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/adservers-and-trackers.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://gitlab.com/my-privacy-dns/matrix/matrix/-/raw/master/source/tracking/domains.list
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardApps.txt
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts
https://raw.githubusercontent.com/w13d/adblockListABP-PiHole/master/Spotify.txt
https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/adservers-and-trackers.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/AdAway-Default-Blocklist.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/FadeMind-addSpam.txt
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
# Prevent Analytics
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://raw.githubusercontent.com/mitchellkrogza/Stop.Google.Analytics.Ghost.Spam.HOWTO/master/output/domains/INACTIVE/list
https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/analytics.txt
https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/analyticsparsed
https://raw.githubusercontent.com/kowith337/PersonalFilterListCollection/master/hosts/hosts_facebook0.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt
# Prevent Spyware
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileSpyware.txt
https://raw.githubusercontent.com/XionKzn/PiHole-Lists/master/PiHole_HOSTS_Spyware.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/WindowsSpyBlocker81.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
# Prevent Coinmining network
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list_browser.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_optional
https://raw.githubusercontent.com/anudeepND/blacklist/master/CoinMiner.txt
https://raw.githubusercontent.com/austinheap/sophos-xg-block-lists/master/nocoin.txt
# Prevent Ransomware
https://raw.githubusercontent.com/pirat28/IHateTracker/master/iHateTracker.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/CryptoWall-Ransomware-C2-Domain-blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Locky-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/XionKzn/PiHole-Lists/master/Cerber_Ransomware.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Ransomware-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TeslaCrypt-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TeslaCrypt-Ransomware-Payment-Sites-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TorrentLocker-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TorrentLocker-Ransomware-Payment-Sites-Domain-Blocklist.txt
# Prevent Phishing
https://gitlab.com/Kurobeats/phishing_hosts/raw/master/hosts
https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/master/src/hosts.txt
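As an added example (not from the original post), a small shell helper for the steps in this part: it appends a list URL to /etc/pihole/adlists.list only once, rejects anything that is not fetched over https, removes duplicate entries (the list above contains the adservers-and-trackers.txt URL twice), and installs the weekly refresh cron job suggested above. The file path and the pihole -g refresh come from the post; the cron schedule (Sunday 03:00) is an assumption.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. Assumptions: the list file is
# /etc/pihole/adlists.list (one URL per line, '#' comments) and `pihole -g`
# rebuilds gravity afterwards; the cron schedule below is a made-up choice.
ADLISTS=${ADLISTS:-/etc/pihole/adlists.list}

# add_adlist URL [FILE]: append URL once. Only https:// sources are accepted,
# so a list cannot be altered in transit by anyone between you and its host.
# Returns 0 when added, 1 when already present, 2 when rejected.
add_adlist() {
    local url=$1 file=${2:-$ADLISTS}
    case $url in
        https://*) ;;
        *) echo "rejected (not https): $url" >&2; return 2 ;;
    esac
    if [ -f "$file" ] && grep -Fx -q -- "$url" "$file"; then
        return 1
    fi
    printf '%s\n' "$url" >> "$file"
}

# dedupe_adlists [FILE]: drop repeated URLs, keeping the first occurrence and
# all comment lines; prints how many lines were removed.
dedupe_adlists() {
    local file=${1:-$ADLISTS} tmp before after
    before=$(wc -l < "$file")
    tmp=$(mktemp)
    awk '/^#/ || !seen[$0]++' "$file" > "$tmp" && cat "$tmp" > "$file"
    rm -f "$tmp"
    after=$(wc -l < "$file")
    echo $((before - after))
}

# install_weekly_refresh: add a crontab entry (Sunday 03:00) that re-pulls
# every list with pihole -g, unless the entry is already there.
install_weekly_refresh() {
    local entry='0 3 * * 0 /usr/local/bin/pihole -g'
    crontab -l 2>/dev/null | grep -Fx -q -- "$entry" && return 0
    { crontab -l 2>/dev/null; printf '%s\n' "$entry"; } | crontab -
}
```

Run add_adlist and dedupe_adlists as root (or with sudo) so the file stays writable by Pihole, then pihole -g to pull the new sources.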

IV. Dynamic DNS naming

For fun and to challenge myself, I wanted to understand how to block Youtube ads on my Amazon Fire TV. The Youtube streaming service uses “.googlevideo.com” as the main domain name for videos as well as for ads.

Many people have been trying for quite some time to recognise the pattern Youtube uses to inject advertisements (check this Discourse pihole thread started in 2016), and here is a little documentation on how to do this.

Update: Youtube ads are no longer blocked by this method; Youtube now delivers its ads within the same data stream as the video, which means blocking ads by DNS name no longer works. Another possible solution is a proxy for all of your HTTPS traffic that decrypts your secure traffic on the fly and denies the ad traffic, but it requires root access to the phone / apps. Some such solutions are available, but you end up sending all your sensitive traffic to who knows where. In the end, I just use web apps (as opposed to mobile apps) on my phone, where I keep control of my data and can deny ad traffic 😉

1. Add Python3 and pip on your pihole device

Install them this way:

$ sudo apt-get install python3.7 python3-pip

Link python3 to your user environment:

$ sudo ln -s /usr/bin/pip3 /usr/local/bin/pip
$ sudo ln -s /usr/bin/python3.7 /usr/local/bin/python

Verify:

$ python --version
Python 3.7.3
$ pip --version
pip 18.1 from /usr/lib/python3/dist-packages/pip (python 3.7)

2. Make use of Sublist3r script:

Create a folder for hosting this Github repo (instructions are also present there):

$ sudo mkdir /etc/sublist/

Download and unzip this project:

$ cd /etc/sublist/
$ sudo wget https://github.com/aboul3la/Sublist3r/archive/master.zip
[...]
$ sudo unzip -o master.zip

This script will help us retrieve the dynamic subdomains created and generated by Youtube (googlevideo in this case). I used to get these subdomains from DNSDumpster, but that was limited to only 100 domains (thank you to my readers for pointing that out). With this method, you should get roughly 700+ subdomains.

3. Final script to implement the magic:

Sublist3r also requires some packages to be installed alongside it (instructions are also on Github); install them as follows:

root@pihole:~# apt-get install python-argparse python3-dns python3-requests

You should be able to test this script this way:

root@pihole:/etc/sublist# python /etc/sublist/Sublist3r-master/sublist3r.py -h
usage: sublist3r.py [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]]
                    [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]

OPTIONS:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain name to enumerate it's subdomains
  -b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
                        Enable the subbrute bruteforce module
  -p PORTS, --ports PORTS
                        Scan the found subdomains against specified tcp ports
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable Verbosity and display results in realtime
  -t THREADS, --threads THREADS
                        Number of threads to use for subbrute bruteforce
  -e ENGINES, --engines ENGINES
                        Specify a comma-separated list of search engines
  -o OUTPUT, --output OUTPUT
                        Save the results to text file
  -n, --no-color        Output without color

Example: python /etc/sublist/Sublist3r-master/sublist3r.py -d google.com

Now, I’m using this script for filtering the desired traffic and adding this to my blacklist file in Pihole (script path: /etc/pihole/youtube-ads.sh):

#!/usr/bin/env bash
# Cleanup previous list of domain files (-f: do not fail when it is missing)
rm -f /var/log/sublist-youtube-result.txt
# Retrieve all .googlevideo.com subdomains
python /etc/sublist/Sublist3r-master/sublist3r.py -d googlevideo.com -n -o /var/log/sublist-youtube-result.txt
# Keep only the .googlevideo.com subdomains starting with 'r'; this file accumulates across runs
grep '^r' /var/log/sublist-youtube-result.txt >> /var/log/sublist-youtube-filtered.txt
# Strip anything after the first whitespace so each line is a bare hostname
sed 's/\s.*$//' /var/log/sublist-youtube-filtered.txt > /var/log/sublist-youtube-ads.txt
# Place findings in Pihole blacklist text file
cat /var/log/sublist-youtube-ads.txt > /etc/pihole/blacklist.txt
# Keep unique values only
perl -i -ne 'print if ! $x{$_}++' /etc/pihole/blacklist.txt
# Restore ownership so Pihole can read its own files
chown -R pihole. /etc/pihole
# Pipe findings into pihole db
xargs pihole -b < /etc/pihole/blacklist.txt

This script is divided in several parts:

  • Retrieve subdomains from Sublist3r
  • Filter them, place findings in blacklist file and curate the results.
  • Use an xargs pipe to populate the pihole db with the findings

I’m running this twice an hour with a cron job (don’t forget to make this script executable with chmod):

root@pihole:/home/pi# crontab -l
*/30 * * * * /etc/pihole/youtube-ads.sh

This configuration has been running for a while, and I still see some ads on my Fire TV or in the Youtube app on my phone from time to time. Over time, the cron job collects subdomains and adds them to your Pihole file, which limits the number of ads you’d be exposed to.

Feel free to contact me if you want to share your ideas.

V. Regex blacklisting

In this final part of the publication, you can also leverage a list of regex patterns matching the domain names that you wish to deny.

I used to make use of that in the past with previous versions of Pihole, because blacklisted domains redirected to a whitelisted CNAME were somehow bypassing Pihole. I no longer have this issue in Pihole version 5.1:

root@pihole:/home/pi# pihole -v
Pi-hole version is v5.1.1 (Latest: v5.1.1)
AdminLTE version is v5.1 (Latest: v5.1)
FTL version is v5.1 (Latest: v5.1)

Previously, the only way to block this traffic was to use regex, simply by maintaining a list of patterns in the /etc/pihole/regex.list file. Here is an example:

root@pihole:/home/pi# cat /etc/pihole/regex.list
^(.+[-_.])??adse?rv(er?|ice)?s?[0-9]*[-.]
^(.+[-_.])??m?ad[sxv]?[0-9]*[-_.]
^(.+[-_.])??telemetry[-.]
^(.+[-_.])??xn--
^adim(age|g)s?[0-9]*[-_.]
^adtrack(er|ing)?[0-9]*[-.]
^advert(s|is(ing|ements?))?[0-9]*[-_.]
^aff(iliat(es?|ion))?[-.]
^analytics?[-.]
^banners?[-.]
^beacons?[0-9]*[-.]
^count(ers?)?[0-9]*[-.]
^pixels?[-.]
^stat(s|istics)?[0-9]*[-.]
^track(ers?|ing)?[0-9]*[-.]
^traff(ic)?[-.]
google-{0,}(analytic|syndication|(ad[a-z0-9]*|tag)-{0,}service)[s]\.[a-z]{2,7}$
google-{0,}(analytics{0,}|(ad|tag)manager)\.[a-z]{2,7}$
double-{0,}clic(k|k[.]*by-{0,}google)\.[a-z]{2,7}$
(google|partner|pub)-{0,}ads{0,}-{0,}(apis{0,})\.[a-z]{2,7}$
(^|\.)facebook\.[A-Za-z0-9]+$
(^|\.)fb\.[A-Za-z0-9]+$
(^|\.)fbcdn\.[A-Za-z0-9]+$
(^|\.)fbsbx\.com$
(^|\.)fbsbx\.com\.online-metrix\.net$
(^|\.)m\.me$
(^|\.)messenger\.com$
(^|\.)tfbnw\.net$
(^|\.)instagram\.com$
(^|\.)whatsapp\.com$
^(.+\.)?amp\..+\.com$
^(.+\.)?ampproject\.org$
^(.+\.)?amp\.cloudflare\.com$
^(.+\.)?cdn\.ampproject\.org$
(.*\.|^)((think)?with)?google($|((adservices|apis|mail|static|syndication|tagmanager|tagservices|usercontent|zip|-analytics)($|\..+)))
([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo\.com/
([A-Za-z0-9.-]*\.)?secure\.footprint\.net/
([A-Za-z0-9.-]*\.)?match\.com/
([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo(\.\w{2}\.\w{2}|\.\w{2 ,4})/
([A-Za-z0-9.-]*\.)?sitescout(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?appnexus(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?evidon(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?mediamath(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?scorecardresearch(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?flashtalking(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?turn(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?mathtag(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?googlesyndication(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?s\.yimg\.com/cv/ae/us/audience/
([A-Za-z0-9.-]*\.)?clicks\.beap/
([A-Za-z0-9.-]*\.)?.doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?yieldmanager(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?w55c(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?adnxs(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?advertising\.com/
([A-Za-z0-9.-]*\.)?evidon\.com/
([A-Za-z0-9.-]*\.)?scorecardresearch\.com/
([A-Za-z0-9.-]*\.)?flashtalking\.com/
([A-Za-z0-9.-]*\.)?turn\.com/
([A-Za-z0-9.-]*\.)?mathtag\.com/
([A-Za-z0-9.-]*\.)?surveylink/
([A-Za-z0-9.-]*\.)?info\.yahoo\.com/
([A-Za-z0-9.-]*\.)?ads\.yahoo\.com/
([A-Za-z0-9.-]*\.)?global\.ard\.yahoo\.com/
(^|\.)lgsmartad\.com$
ngfts.lge.com
lgtvonline.lge.com
(^|\.)buffpanel\.com$
(^|\.)bugsnag\.com$
(^|\.)redshell\.io$
(^|\.)treasuredata\.com$
(^|\.)unity(|3d)\.com$
(^|\.)unityads(|\.co)\.com$
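As an added example (not from the original post), a shell helper that reports which entries of a regex list would match a given domain, using grep -E because FTL also compiles its patterns as POSIX extended regular expressions, and that flags entries containing a “/” (several of the patterns above do), which can never match a DNS name. The live file path /etc/pihole/regex.list is assumed; the sample list is constructed from a few of the entries above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post. FTL compiles regex.list entries
# as POSIX extended regular expressions, so grep -E is used here as a close
# approximation. Assumption: the live list is /etc/pihole/regex.list; the
# sample list below is constructed from a few of the entries in the post.
REGEX_LIST=${REGEX_LIST:-/etc/pihole/regex.list}

# regex_hits DOMAIN [FILE]: print every pattern in FILE that matches DOMAIN.
regex_hits() {
    local domain file pattern
    domain=$(printf '%s' "$1" | tr 'A-Z' 'a-z')   # Pi-hole compares lowercase
    file=${2:-$REGEX_LIST}
    while IFS= read -r pattern || [ -n "$pattern" ]; do
        case $pattern in ''|'#'*) continue ;; esac  # skip blanks and comments
        if printf '%s\n' "$domain" | grep -E -q -- "$pattern"; then
            printf '%s\n' "$pattern"
        fi
    done < "$file"
}

# count_hits DOMAIN [FILE]: number of matching patterns (0 = not blocked).
count_hits() { regex_hits "$1" "${2:-$REGEX_LIST}" | wc -l | tr -d ' '; }

# dead_patterns [FILE]: entries containing '/'. A DNS name never contains a
# slash, so these URL-filter rules can never match anything.
dead_patterns() { grep -n '/' "${1:-$REGEX_LIST}" || true; }

# Constructed sample list for the demonstration (subset of the post's list).
make_sample_list() {
    local tmp
    tmp=$(mktemp)
    cat > "$tmp" <<'EOF'
^analytics?[-.]
^track(ers?|ing)?[0-9]*[-.]
(^|\.)facebook\.[A-Za-z0-9]+$
([A-Za-z0-9.-]*\.)?doubleclick\.com/
EOF
    printf '%s\n' "$tmp"
}

if [ "${1:-}" = "--demo" ]; then
    f=$(make_sample_list)
    echo "hits for tracker2.example.org:"; regex_hits tracker2.example.org "$f"
    echo "entries that can never match a hostname:"; dead_patterns "$f"
    rm -f "$f"
fi
```

On a live Pi-hole v5 install, pihole-FTL regex-test <domain> <regex> runs the same check with FTL’s own engine and is the authoritative answer.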

VI. What next? (Protecting your network with Pihole)

I will keep this publication up to date with the latest developments. Things keep moving fast, especially new implementations such as DNS over HTTPS, and I wonder how Pihole will evolve and adapt to this technology.
