So I built: Pi-hole

black3dynamite

If this is just a DNS thing, what prevents someone from just changing the DNS settings on their device to bypass it? I am asking because I am actually curious.

Have your firewall only to allow pihole dns

scottalanmiller

@Donahue said in So I built: Pi-hole:

If this is just a DNS thing, what prevents someone from just changing the DNS settings on their device to bypass it? I am asking because I am actually curious.

DNS based security is for preventing honest mistakes or blocking malicious sites. It's not for stopping malicious employees looking for work arounds. Honestly, nothing really stops those, not in the real world. So trying to stop it is a lost cause and mostly just presents a challenge to people to look for ways around it. HR stops malicious stuff, this is to prevent accidents and is all normal businesses need.

You can easily, though, stop people from changing their DNS and limit DNS traffic only to the Pi-Hole, though, if you want another step.

Donahue

I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

scottalanmiller

@Donahue said in So I built: Pi-hole:

I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.

Donahue

@scottalanmiller said in So I built: Pi-hole:

@Donahue said in So I built: Pi-hole:

I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.

right, this seems more like a web filter, which is still nice to have from time to time. But I would agree that web filters are more like a bandaid for HR issues. I say that also having mine turned on with my Fortigates.

scottalanmiller

@Donahue said in So I built: Pi-hole:

@scottalanmiller said in So I built: Pi-hole:

@Donahue said in So I built: Pi-hole:

I am guessing this is only part of a complete solution. What I want to be able to do is filter specific types of content, specifically torrent and similar, from my network from devices I am not able to control otherwise.

Filtering TYPES of things requires deep packet inspection. Totally different kind of thing and use case.

right, this seems more like a web filter, which is still nice to have from time to time. But I would agree that web filters are more like a bandaid for HR issues. I say that also having mine turned on with my Fortigates.

I feel like filters are generally a bandaid, yes. But I like the Pi-Hole approach because it stops accidental things. Its' not like locking things down and freaking out about people doing things that they shouldn't be doing. It's about stopping Betty in accounts from clicking the wrong link on Google and being taken to a hijacked advertisement, or lowering the bandwidth used on the network by not allowing DoubleClick tracking ads through, or not having so many unnecessary images load on web pages... things like that.

Pi-Hole is "make life easier for your users" level security, not "distrust your users and lock them down" security.

gjacobse

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

@NerdyDad said in So I built: Pi-hole:

@hobbit666 Point your home DNS to your pihole on vultr.

Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

No - nothing like that. I just expect that when rebooted the IP may change.

JaredBusch

@gjacobse said in So I built: Pi-hole:

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

@NerdyDad said in So I built: Pi-hole:

@hobbit666 Point your home DNS to your pihole on vultr.

Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

No - nothing like that. I just expect that when rebooted the IP may change.

Vultr is a VPS provider. They don't change IP addresses of deployed systems.

What are you talking about?

gjacobse

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

@NerdyDad said in So I built: Pi-hole:

@hobbit666 Point your home DNS to your pihole on vultr.

Correct. This is all that is needed. @scottalanmiller has a PiHole setup for NTG,.. All that was needed post setup is to replaced the first DNS entry in my ERL router to the IP of the instance.

However that said.. down the road I could see MY needing to update this as I don't have a static IP. It may or may not change post restarts months down the road.

Change what? Did you setup some kind of firewall rule to only allow your IP to access it? Because there is no restriction by default.

No - nothing like that. I just expect that when rebooted the IP may change.

Vultr is a VPS provider. They don't change IP addresses of deployed systems.

What are you talking about?

Having not used them before - yes @NTG and @scottalanmiller does. but not myself. I didn't know. If it doesn't change,.. it doesn't. Nothing else I need to do.... moving on.

gjacobse

so - I have this show up.. since my system is open.

0_1540851467593_2018-10-29 18_16_20-Window.png

0_1540851512657_2018-10-29 18_18_15-Window.png

Should they be blacklisted? or allowed?

JaredBusch

@gjacobse said in So I built: Pi-hole:

so - I have this show up.. since my system is open.

Should they be blacklisted? or allowed?

That's not what that blacklist means. I am assuming those IP addresses are not yours.

gjacobse

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

so - I have this show up.. since my system is open.

Should they be blacklisted? or allowed?

That's not what that blacklist means. I am assuming those IP addresses are not yours.

They are not. And you are right. In this case, not blacklist.. FW maybe..

JaredBusch

@gjacobse said in So I built: Pi-hole:

@JaredBusch said in So I built: Pi-hole:

@gjacobse said in So I built: Pi-hole:

so - I have this show up.. since my system is open.

Should they be blacklisted? or allowed?

That's not what that blacklist means. I am assuming those IP addresses are not yours.

They are not. And you are right. In this case, not blacklist.. FW maybe..

Correct. If that is what you want, then you need to look at restricting access to the Pi-Hole instance in the first place.

There is a thread on that here somewhere. But That is more work than it is worth IMO.

What I would do is setup the Vultr Firewall and add an allow for your network. Use ARIN to look up the range your ISP uses. Then add a drop all for all other traffic on port 53.

If you expand this to family, add their IP block as well.

Not 100% solid, but much less likely to be randomly hit.

Alex Sage

@JaredBusch said in So I built: Pi-hole:

There is a thread on that here somewhere.

https://mangolassi.it/topic/15008/pihole-for-friends-and-family @gjacobse

JaredBusch

@aaronstuder said in So I built: Pi-hole:

@JaredBusch said in So I built: Pi-hole:

There is a thread on that here somewhere.

https://mangolassi.it/topic/15008/pihole-for-friends-and-family @gjacobse

That thread. Don’t do it, as it is too much of a pain in the ass.

Just whitelist the CIDR of your ISP.

BRRABill

Where is @scottalanmiller to chime in that isn't the purpose of DNS?

travisdh1

@BRRABill said in So I built: Pi-hole:

Where is @scottalanmiller to chime in that isn't the purpose of DNS?

Careful, sounds like he's already infected you!

Alex Sage

This post is deleted!

BRRABill

@travisdh1 said in So I built: Pi-hole:

@BRRABill said in So I built: Pi-hole:

Where is @scottalanmiller to chime in that isn't the purpose of DNS?

Careful, sounds like he's already infected you!

Yes but I can't yell at people as good as him.