The internet is a scary place. Dot-com businesses track you to 'improve' the ads they can push at you, and cybercriminals are trying to scam you and steal your data. Pi-hole is a network-wide ad-blocker that can improve your internet experience by blocking advertising, tracking and even malware.

This Part 1 of 2 of a blog series based on a workshop created by Nick Kavadias for CryptoAustralia's Digital Self-Defence Meetup.

Are you already convinced you need a network-wide ad-blocker and are ready to install Pi-hole? Proceed to read Part 2 of this series.

Do you have a Pi-hole installed and want to learn about how to take advantage of its advanced features? Read our other articles on Pi-hole.

Why Block the Internet?

The internet is a scary place. It is the Wild West of the 21st century, where you can be robbed in a few minutes by criminals if you are not careful and dot-com businesses can track you across different devices and push you highly targeted ads with little or no government regulation.

In my opinion, there are positives to having a 'laissez-faire' internet which can drive innovation and create new markets such as the sharing economy. On the other hand, there are negatives such as the rise of surveillance capitalism.

I do not have a problem with internet advertising in general. As far as I understand, many new business models rely on digital advertising revenue. However, I do have a problem with:

  1. Pop-up and pop-under ads that hi-jack my internet browsing experience;
  2. Ads which follow me around on all my devices, because I searched for a related product 3 days ago on my phone;
  3. Ads which track my location and profile me;
  4. Ads which tell me I have won bogus prizes;
  5. Ads which claim all the 'moms' in my area (by geolocating my IP) are either making thousands of dollars from home every week or are hot and horny and looking for love;

Advertisements in the Hackers’ Toolset

Beside legitimate ads, there is also malware advertisings known as (malvertising). These are malicious ads which are pushed out via legitimate ad network partners. They are:

  • Ads pretending to be error messages and ask you to call a 'tech support' number. If you are curious about how these scams works, check out Jim Browning's YouTube channel.
  • Ads trying to get you to install fake software updates such as Adobe Flash.
  • Ads pretending to be operating system messages telling you that you have a virus.
  • Ads with bogus warnings about Adobe Flash being infected with a virus (yes, seriously).

Then, in addition to everything listed above you have actual viruses, malware and crypto lockers, phishing attacks and cybercriminals.
Typical annoying and malicious internet ads

Enter Pi-hole to the rescue

Pi-hole is network-based ad-blocking software which will run on a Raspberry Pi, which is a popular Single Board Computer (SBC). It uses DNS sinkholing and blocklists as a way of stopping the internet nasties mentioned above.

Pi-hole is:

  • easy to configure and setup.
  • Network-based. So it can remove ads and trackers in places where traditional browser-based ad blocker plug-ins cannot (think smartphones, tablets and IoT).
  • it can act as a second line of defence for malware and viruses as it can block known malware domains and command and control servers (used by botnets).

The other things Pi-hole can do for you are discussed here.

Will Pi-hole remove all of these horrible things on the internet?

Well, no. There is no such thing as a silver bullet with software, especially when it comes to computer security. But, Pi-hole goes a long way in combating all the horrible internet things mentioned. Out of the box, Pi-hole does an excellent job at blocking most ads and trackers.

Additionally, in your family, you may have older devices which are hand-me-downs to your kids, devices which are a few years old and vendors have long ditched you in providing security updates. The typical security patch support for tablets and smartphones is much shorter than traditional desktop computer OSes like Windows and MacOS.

For example, my current phone is a Google Nexus 5X which is still perfectly good phone, but is out of security patch support from September 2018. In other words my current smartphone will be unsafe for everyday use after September 2018, but it may have some life left in it by protecting its operating system with some network level security.

What is a DNS blackhole/sinkhole?

The method by which Pi-hole achieves all of its amazing benefits is by a technique called DNS sinkholing. Pi-hole acts as the local Domain Name System (DNS) resolver on your network. Requests by local devices (i.e. computers, smartphones and tablets on your network) which appear on the Pi-hole's blocklist are not resolved to their real public internet IP address but instead resolved to the Pi-hole itself. For a fancy diagram of how this works with a Pi-hole, refer to this diagram.

How DNS blackholing works

These unwanted destinations that the Pi-hole masks from local devices come from third-party blocklists on the internet. These lists are either made public and regularly updated by security companies or enthusiastic individuals.

Depending on what the request is the Pi-hole will return the following for a blocked address:

  • an empty JavaScript file (in case of unwanted JavaScript asset);
  • a 1x1 white pixel image (for unwanted image files); or
  • a full HTML block page.

The only caveat is that your browser will return a "cannot connect error" when there is a request over https. There are ways to configure Pi-hole to deal with HTTPS more gracefully, which you can read about here. But I've been using a Pi-hole at home and in the office for seven months now, and HTTPS connect errors have not been an issue for me.

Example Pi-hole block screen

Pi-hole supported Hardware and Software

Pi-hole is not software exclusively for Raspberry Pi (RPi), it will run on other SBCs as well. Pi-hole supports ARM and x86 Intel based devices.
Pi-hole has been well tested against Raspberry Pi hardware and will work on almost all Raspberry Pi models, including Pi Zero. The resource requirements for Pi-hole are low, Pi-hole needs a minimum of 512 MB of RAM and 55 MB of free disk space.

P-hole will work on any modern Linux distribution. The officially supported Linux distributions to date are Raspbian, Ubuntu, Debian, Fedora 26 and CentOS.

More distributions are being supported as the Pi-hole community grows. Please refer to this page further details on hardware and software requirements.

What you need to get your own Pi-hole up and running

To create a dedicated device running Pi-hole on your home network, you will need to spend about AU$100 on an RPi board, enclosure, microSD card and power supply. The price-conscious consumer may want to give Orange Pi a try, however, I do not have any personal experience with this device. Here is the breakdown:

  1. A RPi, or other SBC board. I personally used the Raspberry Pi Model B+. Some may say this is overkill and it probably is, but they are cheap enough to buy for a stand-alone use. You can also use a Raspberry Pi Zero W or a Raspberry Pi Zero (which has no wi-fi support so you will will need to buy a USB Ethernet dongle.
  2. A minimum 2 GB microSD card. This was the smallest microSD card I had lying around the house. Larger sized cards work just as well, but it is wasted disk space for a dedicated Pi-hole device.
  3. An official RPi power supply, or a micro USB cable and 2A charger. I have found that running Pi-hole you can get away with underpowering from a single USB port. If you are worried, you can use a USB Y cable to draw power from two USB ports. For more information about underpowering read this warning. If you have a router/switch capable of Power-over-Ethernet (PoE) you should look at purchasing a RPi which is compatible with the RPi PoE HAT.

In addition to the RPi hardware you will also need:

  1. A computer used to prepare the microSD card image and log into the RPi. I used a laptop running Windows 10.
  2. Admin access to your home/office router. To have Pi-hole work on all your devices at home, you will need access to your home router so that you can make a small configuration change. If you need help on how to do this, please refer to this article, or this article. If your ISP sent you a router for your internet connection it may be locked-down or managed by them. Get in contact with your ISP's tech support if you can not log into it.
  3. the following software:

The TL;DR

Make no mistake the internet is not a safe place. Criminals are out to steal your personal and financial data, and dot-com businesses track and profile you for profit. Pi-hole is an open-source software project you can run on your local network to protect you from the perils of the internet. It works best on dedicated Raspberry Pi hardware but can run on any device which supports a modern Linux distribution. Pi-hole is easy to install and blocks ads and malware by using DNS Sinkholing. It is highly configurable and can do a lot more than just block ads.

Ready to get Pi-hole up and running? Read Part 2 of this blog series Instructions for setting up a Pi-hole

Do you have a Pi-hole installed and want to learn about how to take advantage of its advanced features? Read our other articles on Pi-hole.

About CryptoAUSTRALIA

CryptoAUSTRALIA is a leading authority promoting a society where Australians can defend their privacy.

We empower privacy concerned citizens through hands-on education and research relating to digital privacy and online security.

CryptoAUSTRALIA is run by volunteers and we rely on donations from the public to keep our organisation running.

If you have found this article useful please consider donating, or get involved.