Presentation is loading. Please wait.

Presentation is loading. Please wait.

Block ads, trackers and malware with Raspberry Pi and Pi-hole

Published byMoritz Schmidt Modified over 6 years ago

Similar presentations

Presentation on theme: "Block ads, trackers and malware with Raspberry Pi and Pi-hole"— Presentation transcript:

1 Block ads, trackers and malware with Raspberry Pi and Pi-hole
Nick Kavadias

2 Self promotion! CryptoAUSTRALIA is a not-for-profit started by security and privacy enthusiast. Finding practical ways of dealing with the modern privacy and security challenge.

3 We know how to internet.. @CryptoAustralia #cryptoaus

4 NOTICES I will tolerate some interruptions. So call out questions.
The night is split into two parts First preso ppt death (40 min?) Then the workshop (the rest)

5 What we will be covering…
Why block the internet? What is a DNS blackhole/sinkhole; Pi-hole hardware and software supported; My home Pi-hole install; Advanced topics on DNS, lists and VPNs Workshop with RPi / VM

6 Instructions (for later)
Have RPi (or like) device use: VirtualBox or VMWare Fusion use: Link to download VM in these instructions, we do have a local copies on usb

7 Can’t you just leave the internet alone?
No! Flash ads which hijack pages; Pop-up and pop-under ads; Ads which stalk me on all my devices; Ad networks which track and profile me; Ads that tell me I’ve won stuff; and, Malvertising…

8 Tech support scams! how do they work? Check out Jim Browning’s YouTube channel

9

10 Pi-hole, the solution to all your problems?

11 No! No such thing as a silver bullet! But..
Good job blocking ads and trackers out of the box Not YouTube video ads, but you can do with some tinkering It is easy to setup and configure; network based; It is not a traffic filter. Act as a second line of defence for malware/viruses I still use browser extensions … and antivirus

12 How DNS works normally

13 How DNS works with Pi-hole

14 Pi-Hole, not just for blocking ads and tracking
Out of the ‘box’ ads/trackers & C&C blacklists ; Many additional lists which are well maintained by security community; Upstream DNS services (power user!)

15 What a blocked page site looks like
What about: Images? JavaScript? Https? V3.2 now lets you customise block page

16 Do I need Raspberry Pi Hardware?
NOT Raspberry Pi exclusive Well tested on Raspberry Pi SBCs ARM, or Intel x86/x64 Will work with a Pi Zero and a ethernet dongle Works on other SBCs, like Orange-Pi, see this write-up. Works on crappy old Intel desktops too

17 What OS will Pi-hole run on?
Will work on any modern Linux OS. Officially supported Linux distributions are:

18 How did I set Pi-hole up at my place?

19 Hardware I used: Raspberry Pi 3 model B+ (overkill?)
2 GB microSD card (smallest!) microUSB cable for power into back of router USB Y cables useful. WARNING on underpowering:

20 Software I used Software:
Windows 10 & Etcher.io for prepping card Raspbian Lite Pi-hole – installed by piping URL to bash!

21 And you can too, with my easy 5 Step Plan..

22 Step 1: Put image on SD Card
Format SD Etcher.io touch /boot/ssh Windows will try reformat unknown card because ext4. IGNORE IT

23 Step 2: Plug into network
Patch into home router Power with microUSB if you don’t have a USB slot close by, an old 1 amp USB charger will do.

24 Step 3: Figure out IP address of RPi?
This is the hardest part of the whole process! There are a few methods to try….

25 Step 3: Method 0 - PING If you’re feeling lucky, try PING
ping raspberrypi

26 Step 3: Method 1 - DHCP table on router?

27 Step 3: Method 2 - Network Scanning
Good ol’ IP scanning. Pick one: Nmap sudo apt install nmap Angry IP Scanner Masscan can Arp-scan scan Scan before, and after. See what’s new!

28 AngryIP Scanner

29 Step 3: Method 3 Plug RPi into a monitor and boot!

30 Step 4: Run installer ssh pi@raspberry
curl -sSL hole.net | bash Bad idea? Read why

31 Pi-hole is up and running.. But not a for all devices… yet
Connect to web admin using Pi-hole over-take DHCP, (disable on your your router) I’ve done this on my setup because: network printer Get actual hostnames in your Pi-hole log

32

33 (Optional) Test it out? Reconfigure a test computer to use the IP address of Pi-Hole for its DNS.

34 Step 5: Re-configure router DNS settings
Log into your router. No idea how? Find your default gateway IP and try connecting with browser, e.g. ipconfig or ifconfig To get all devices on your network to use Pi-hole for DNS, you have to make a choice…

35 You have two choices for router config
Change IP for DNS Server Disable DHCP & have Pi-hole do it Questions????

36 Changing IP for DNS on my home router

37 Or...Disable DHCP on router

38 …and turn on DHCP Server on Pi-hole

39

40 Blocklists Default blocklists in /etc/pihole/adlists.list
Blocklist collection here: Your Pi-hole has a cronjob which runs pihole updateGravity once a week. Refer to our blog post CryptoAUSTRALIA's Favourite Block Lists

41 Blocklists using the web admin interface
You can: whitelist hosts temporarily disable all blocks with a timer/ manually You cannot: Make exceptions for local devices

42 Setting up Pi-hole away from home
If you roll your own VPN on a VPS, you can setup Pi-hole on it. Then you can run it anywhere!

43 Are you a Pi-hole Power User?
Self-hosted DNS Advanced Upstream DNS Response Policy Zone (RPZ) We have blog posts covering these topics! Note: You don’t need to necessarily use these with Pi-Hole

44 1. Your Own DNS Server No DNS requests go to third-parties
Run your DNS server in the cloud Pi-hole <--- DNSCRYPT ---> DNS server More details in a blog post Build a Privacy-Respecting and Threat- Blocking DNS Server

45 2. Advanced Upstream DNS Third-party DNS servers Complements Pi-Hole
Blocks malware and phishing Admin panel Block categories (adult, drugs, gambling, social media …) DNS query logging and reporting Manual blocking / whitelisting Integration with real-time Threat Intelligence feeds ($$$ feature)

46 2. Advanced Upstream DNS Strongarm https://strongarm.io
Comodo Dome Shield OpenDNS Quad 9

47 Which is the best threat blocking DNS provider?
More info?

48 Response Policy Zone (RPZ)
The previous two combined: Use your own DNS server Download RPZ-based block list Register Strongarm business account (free) Download BIND9.10+ config from

49 Done! Let Workshop it! If you’ve brought along a RPi, use these instructions: If you’ve going to play along on the virtual machine, use these instructions: Join us on #Slack

50 Where to get help after workshop
CryptoAUSTRALIA Slack channel #pi-hole-workshop-help Pi-Hole website Has links to Discourse(!) , sub- Reddit, YouTube channel

Download ppt "Block ads, trackers and malware with Raspberry Pi and Pi-hole"

Similar presentations

Intel Do-It-Yourself Challenge Networking

Intel Do-It-Yourself Challenge Networking
Presented by W1BAW Bruce Wattendorf. What is a Raspberry PI A $35 computer with out a monitor, keyboard, mouse but they all can be added.

Presented by W1BAW Bruce Wattendorf. What is a Raspberry PI A $35 computer with out a monitor, keyboard, mouse but they all can be added.
Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.

Unit 11 Using the Internet & Browsing the Web.  Define the Internet and the Web  Set up & troubleshoot an Internet connection  Categorize webs sites.
Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.

Nada Abdulla Ahmed.  SmoothWall Express is an open source firewall distribution based on the GNU/Linux operating system. Designed for ease of use, SmoothWall.
OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or 415.514-3333 UCSF Campus VPN.

OAAIS Enterprise Information Security Security Awareness, Training & Education (SATE) Program or UCSF Campus VPN.
Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.

Jonas Lippuner. Overview IPCop  Introduction  Network Structure  Services  Addons Installing IPCop on a SD card  Hardware  Installation.
DIR-505 All-in-One Mobile Companion Greg Quinlan Technical Trainer.

DIR-505 All-in-One Mobile Companion Greg Quinlan Technical Trainer.
Introduction to the Raspberry Pi ® Saman Amighi 10/2013 ® Raspberry Pi Foundation.

Introduction to the Raspberry Pi ® Saman Amighi 10/2013 ® Raspberry Pi Foundation.
A+ Guide to Software, 4e Chapter 11 Supporting Printers and Scanners.

A+ Guide to Software, 4e Chapter 11 Supporting Printers and Scanners.
Technical Training: DIR-615

Technical Training: DIR-615
Linux Operations and Administration

Linux Operations and Administration
Raspberry Pi Training Truman College 10-21-14. Goals of our Training Today Unbox and boot up the Raspberry Pi (RPi) Learn how to access the desktop graphical.

Raspberry Pi Training Truman College Goals of our Training Today Unbox and boot up the Raspberry Pi (RPi) Learn how to access the desktop graphical.
Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.

Microsoft Internet Security and Acceleration (ISA) Server 2004 is an advanced packet checking and application-layer firewall, virtual private network.
Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.

Using Virtualization in the Classroom. Using Virtualization in the Classroom Session Objectives Define virtualization Compare major virtualization programs.
Honeypot and Intrusion Detection System

Honeypot and Intrusion Detection System
DSL-2544N Dual Band Wireless N600 Gigabit ADSL2+ Modem Router

DSL-2544N Dual Band Wireless N600 Gigabit ADSL2+ Modem Router
Guide to Linux Installation and Administration, 2e1 Chapter 2 Planning Your System.

Guide to Linux Installation and Administration, 2e1 Chapter 2 Planning Your System.
Microsoft Management Seminar Series SMS 2003 Change Management.

Microsoft Management Seminar Series SMS 2003 Change Management.
1 Copyright © 2015 Pexus LLC Patriot PS Personal Server Installing Patriot PS ISO Image on.

1 Copyright © 2015 Pexus LLC Patriot PS Personal Server Installing Patriot PS ISO Image on.
CTC228 Nov 16 2015. Today... Catching up with group projects URLs and DNS Nmap Review for Test.

CTC228 Nov Today... Catching up with group projects URLs and DNS Nmap Review for Test.

Similar presentations

Ads by Google