How To Secure Your Home Network - Pi-hole // DNS Sinkhole

Video Statistics and Information

Video

Captions Word Cloud

Reddit Comments

Captions

so you just bought a new router and you're setting it all up and you're told to change that default wi-fi name that default wi-fi password and that default administrator password to help protect you from hackers well i hate to say it but that only protects you from the tip of the iceberg most hackers aren't driving around trying to connect to your wi-fi and break in most of them are trying to get in through the internet or through online by using bad websites so what is the best protections that we have available to us well in my opinion first it's your behavior if you can recognize and be cautious or suspicious of these bad websites you can better protect yourselves by not going to them to begin with but we're all human and sometimes we accidentally click a bad link is it game over then not necessarily there are systems that you could put in place to help protect you against that and in this video i'm going to show you how you can protect yourself from that bad click welcome back to dev odyssey a developer's journey through it where i cover tutorials and reviews of it tools and technologies i'm your host orest and in this episode we're going to set up pihole a dns sinkhole so let's cover our bases what is dns well dns stands for domain name system and i like to think of it as the internet's phone book just as you look up a person's name to get a phone number to call them dns does the same thing where it looks up a website name to get an ip address to connect to it so what is dns sync holding well let's say that phone book knows that some of those names are bad names when you look up a bad name instead of the phone book giving you a phone number you get nothing back dns sync holding works the same way the dns server will know that that website you're looking up is a bad website and instead of giving you an ip address to connect to it it gives you nothing and effectively you don't connect to that website protecting you from that bad click so now that we know a little bit about dns sync holding let's draw a diagram to see how a pi hole would work on your network in this diagram we'll be going over three scenarios the first scenario is using your router as the local dns server going to a good website such as good.com the second scenario is with dns sinkholing using piehole going to a bad website such as bad.com and the third scenario is using piehole and going to a good website such as good.com in this scenario your client laptop will send the dns request to the router then the router will forward that dns request to an external dns server the external dns server will then respond back with the ip address of good.com making its way back to the client laptop then the client laptop will attempt to connect to this ip address through the router once the server receives the connection it will respond back with the appropriate data back to the client in this scenario the data loads successfully on the client laptop in the second scenario the client laptop will send the dns request to the local pi hole server then the local pile server will check to see if the website is on a blacklist in this case it is if you remember the beginning of my video i mentioned how a dns sinkhole responds with nothing for a bad website well that's almost true what happens is the dns sinkhole will respond back with a sinkhole ip address then the client laptop will attempt to connect to the sinkhole ip address through the router however that sinkhole ip address doesn't have a server behind it it doesn't exist and therefore the connection fails as a result the data doesn't load on the client and therefore it protects us from that bad click in this scenario the client laptop will send the dns request to the pihole server the pi hole will then check to see if this website is in a block list then it'll check to see if it has an ip address for this website if it does not it'll reach out to an external dns server to get it the external dns server will then respond back with the ip address of this website making its way through the router through the pi hole and back to the client laptop next the client laptop will attempt to connect to this ip address through the router then the server on the other end of that ip will respond back with the appropriate data in this scenario the data successfully loads just as it did in the first scenario all right so now we better understand what a pie hole is and what dns sinkholing does so what are the benefits well just as i said earlier it prevents you from going to those bad and malicious websites therefore protecting you but pie hole or dns sinkholing is also used for ad blocking pile will actually increase your network bandwidth because it's not loading those ads that would normally take up those resources pyhal also protects you from data collection from those advertisers therefore protecting your privacy as a result lastly pihol is very configurable where you can set up groups of clients blacklists whitelists and more that'll help tailor your network configuration and blocking configuration just as you'd like it there are some cons to this setup one is that piho cannot protect you if your clients use dns over https or doh and that's because the dns is encrypted there and pi hole can't read that encrypted dns by default you can add a plugin to help configure this but that's a little more advanced and we're not going to cover that next your clients can be manually configured to use whatever dns server they want so if you don't have your clients set up to use pyhol as your dns server it'll just use the isp's dns server and therefore you're losing those protections as well another downfall is that pyhol isn't foolproof because hackers are always changing these website names or dns names and so you'll have to keep piehole and those lists up to date to make sure it's protecting you from those new bad websites lastly pile does require some manual maintenance and configuration however once you have it tuned in there's minimal maintenance that's really required to keep the pie hole running now there are some alternatives to pile that you can use such as open dns or safe dns where you pay them a monthly fee and they allow you to configure what you want to block and what you want to allow into your network included with some default blocking however those do require a monthly fee to maintain so if you want to go with a free option i would recommend using cloudflare they don't allow you to do much configuration but by default they'll block bad things for you which in my opinion is a win so now that we've gotten that all out of the way what do we need to set up well in my case i'm going to be using a raspberry pi 4b where i'll install raspbian on it and then the pi hole service however if you don't have a raspberry pi laying around but you have a computer that's not in use you can use that too as long as you install a compatible linux distribution and then pi hole on top of it so now that we know everything that we need let's go ahead and configure dns sinkholding on our pi hole for this demonstration i'm going to be using a raspberry pi model 4b with 8 gigabytes of ram definitely not what you need for this video it's probably overkill but it's what i had laying around if you don't use a raspberry pi and you plan to use a virtual machine or an old pc then all you'll have to do is install a compatible linux distribution such as ubuntu and then set it up with the network via ethernet or wi-fi and then you can jump to the next portion of this video where i talk about installing and configuring pi home so to begin we first need to flash raspberry pi os onto an sd card in this case i'll be using this 32 gigabit micro sd card that i got with my kit and to plug it into my computer i'll be using this microsd adapter to usb now that i've plugged in my sd card into my computer first we're going to need to download raspberry pi os in my case i've already downloaded raspberry pi os lite however you can use raspberry pi os with desktop or with desktop and recommended software i'm just going to be showing you how to do this with a headless setup next we'll need to open up our flashing software in this case i'll be using ballena etcher to flash raspberry pi os onto the sd card however you can use raspberry pi os imager or you can use other flashing software that you have i'll link a couple in the description below then i need to open belana etcher and in my case running on a mac i'll need to run it with sudo so that it has permissions to flash onto external media now that blana etcher is up and running first i'm going to select my image and i'll use the raspberry and buster arm hf light image open that mass storage looks like it's chosen correctly for this sd card then i'll click flash so now that that's completed we can go ahead and exit out of elena etcher and then we'll find a boot partition has been mounted onto our system here we're going to need to change to that directory and add a couple of files so that we can connect to it once it's on the network now in my case it doesn't look like the sd card mounted onto my mac as i expected it to so i went ahead and removed it and plugged it back in and now we should be able to find that boot partition that we need to get into and as you can see this is the boot partition that will be read when the raspberry pi os starts up so we need to do one or two things depending on how you connect to the raspberry pi first we need to start ssh on boot we can tell it to do that by simply creating an empty ssh file next if you plan on connecting your raspberry pi using wireless networking then you'll have to create a wpa underscore supplicant.conf file so that the raspberry pi knows what wi-fi name to connect to and the password in order to get it running on boot i'm not going to be doing that since in my case i'll be using a ethernet cable to connect it to the router but i'll show you how that file looks and i'll copy it in here for you just so you understand how it works so this is how it looks you just need to add the country code for your country the ssid and the psk and you're basically ready to go along with some update config and control interface i'm going to delete it since i don't need it now that we have done that all we need to do is then unmount it and then plug it into our raspberry pi into the microsd slot and then for my case plug in the ethernet cable and then plug in the power cable and then start it up so if you have a raspberry pi you see that the bottom right here that's the slot for the micro sd card next if you're on a raspberry pi model 4 you'll notice that the usbc is the power so that's what i'll be plugging into here and then lastly i'll be plugging in the networking through the ethernet jack next we need to find the ip address so that we can connect to the raspberry pi over ssh here is where we'll need to log into our router to find the ip address for a raspberry pi it should be fairly obvious i believe the host name is something like raspberry pi and you'll have an ip address and then you can log in so let's go ahead and do that now all right looks like i've logged in and i didn't need to put my credentials because i logged in earlier we're going to scroll down and see the hostname for raspberry pi and then the ip address so now we're going to go ahead and back to our terminal window and ssh into it the default username is pi and then you use the ip address accept the fingerprint and then the default password is raspberry now you've logged into your raspberry pi now that we've logged in we need to do a couple of configuration items before we install pi hole we'll do that by running the sudo raspy config command here we're going to do three things expand the file system change the host name and change the user's password first we'll expand the file system under advanced options click expand file system then click ok next we'll change the password and the hostname you can find those options under system options first we'll do the password now that we've changed that we're going to go ahead and change the hostname to pihole now that we've completed that we're going to go ahead and finish and then reboot the raspberry pi now that some time has passed i'm going to go ahead and try and relog in using the same ip address as it's likely that dhcp gave it the same ip address on boot now i'll put in the new password and there you have it now you'll notice that also the hostname is changed to piho so we're ready to get started and installing pi hole first we're going to go to the github repository where pihole is where they have plenty of documentation and instructions on how to install i recommend checking it out later to get more information if you ever want to expand your uses of pie hole or you need to learn how to do other things in pie hole now within here if you scroll down you'll see that there is a script that we can use you can also install it through other means however this script is the easiest way to do it so go ahead and copy that paste it in there and let it do its thing now we're ready to begin the actual gui installer of this process so go ahead and click ok and click ok as well next we're going to set the static ip address this is important because we want our devices to always know where to reach their dns server or in this case pi hole next we're going to change what our upstream dns provider is in my case i'm going to choose cloudflare next we're going to use a default list that pi hold has for blocking this will include ad blocking this will include malicious links and phishing links although in this video i'm going to add a couple other lists for extra malicious and phishing blocking so for here we're going to click ok in my case i only want ipv4 but for this sake we could do ipv4 and ipv6 so i'll go ahead and click ok to continue this is what i'll use as my static ip address and then after this i'm going to go into my router and set it as static just to be sure that no one else gets that ip address we'll click yes here it's just talking about an ip conflict if you don't set it as static so that's why i recommend after this section you go to your router and set this ip address as static to this mac address or to this raspberry pi we definitely want to install a web interface so we'll click on we definitely want the web interface to use this web server light http next log queries sure we'll show everything sure and then the install will continue looks like it's done installing so you want to remember this information which it'll also show you after you click ok here we get a default admin password that is chosen randomly for us we're going to use this to log in and then change our password you may have noticed actually before the install or right as the install was starting pai hall recommended that we update our raspberry pi os you could do that now if you wanted to however i'm not going to do this because it might be a long process however i do recommend that you update your raspberry pi os after this video if you haven't updated it before we start it before we log in first i'm going to set that ip is static in my router so here we have pi hole i'm going to go ahead and click set static we'll do save and apply and there we have it now it's static next i'll return to the terminal and we're going to go ahead and change the password so that we can log in with our own password here we'll run the command as follows pi hole hyphen a hyphen p all right now we have a new password for our pile next we're going to go ahead and log into our pi hole here we're going to copy this url paste it in here and now we're here so first we just got to log in now we've logged in so next we're going to go ahead and add some lists to block and in my case we're going to be using malicious lists and phishing lists we can add a list by going to group management on the left and then clicking add lists so here you'll see we have the default list from steven black but i'd like to add a couple of my own so at the top here we have a url that we can use i have a couple of list aggregators that i'll share with you in the links in the description in this video where you can see a bunch of different lists that you can look at for bad websites for ad websites or anything else of that nature first i'm going to use these that i found from trainx.github.io this we're going to copy this link for malware go back to our pi hole we're going to add it and then for my comment i'll call it malware then i'll click add then we're going to add a phishing list as well copy this link paste it in here and then we'll call this phishing for the comment now we can also create group assignments so in my case i'm going to be using default but you could actually create new groups for this to apply to such as a malware group or a fishing group and you can make these groups full with clients and atlas as well so you can get really custom tuned here but for now we're going to go ahead and then update our pi hole by using this command pihole hyphen g or you could do it online in this case i'm going to do it online for you so i'll open this in a new link and then we click update all right let's look at the log to be sure everything was successful and looks like these lists were able to get uploaded so that's great we can also check in our group management and add lists just to be sure that they have a check mark next to them which indicates that they were successfully loaded into pi hold we'll go back to the dashboard and next we need to do some dns configuration on our router there are three ways that we can configure our clients on our network to use pi hole as a dns server one we can configure the router's dns server to be this pie hole now that's the most convenient and easy way to get all the clients to use this pie hole however the problem with that is that all the queries that the dns server sees will be coming from the router itself because all the clients first go to the router for dns request then the router will send it to the pi hole for a dns request so you don't have that log detail that you may want to see but you will get the protections that you want the second way to do this is to manually configure every single client on your network with the dns ip being this pie hole so that's kind of a lot of work and then some iot devices may not have an easy way to set the dns server to be this pie hole and if any of them restart they may not use this dns ip anymore on reboot that's a little bit of work and it's a lot more maintenance the third way you can do this is by changing the dhcp settings in your router to hand out the pi holes ip address as the dns server this is by far the easiest solution where every time a client connects to the network it'll always use the raspberry pi as the dns server the sad part about this is that most consumer grade routers do not have this as a feature available you can only change the dns server on the router or the wan connection but not on the dhcp side that's a bummer but in this video i'm going to be showing you how to do it on the dhcp side if you run a open source firmware or a more advanced firmware such as openwrt ddwrt etc first we're going to go into openwrt and then we're going to go to network and then interfaces on the interfaces side we're going to go ahead and edit the lan interface then we're going to go to the dhcp tab then we're going to go to advanced settings and then dhcp options here you'll notice under here we have a question mark where it says define additional dhcp options for example 6 comma ip address ip address which advertises different dns servers to clients this is exactly what we want in this case so if we do six comma and then the ip address of our pi hole which will be 192.168.1.115 click the plus sign and now we've added it as the dns server for dhcp we'll go ahead and click save then we'll do save and apply all right now that's ready so next what i'm going to do is unplug and replug in my ethernet cable just so that it gets a new dns server upon connecting so now i've opened up my network interfaces and then we're going to look at the thunderbolt ethernet here and you'll notice that the dns server is 192.168.1.115. so this is perfect next i'm going to do one more change on the router and that's for any of you who don't have this option available to you we're going to go ahead and set the router's dns server to be this pi hole in here we're going to go to network and interfaces once more then under wan we're going to click edit then under advanced settings we're going to go ahead and use custom dns servers this will be 192.168.1.115. we'll click plus save and then save and apply what this does for us is in case someone decides to manually configure the dns server away from the pi hole and let's say to the router the router will just end up using the pi hole anyway this is going to be the option for those who do not have advanced firmware on their router and thereby they'll get those protections from pihol just without extra logging features that i talked about earlier now let's go back to pi hole and we're gonna go to our dashboard let's go ahead and run some queries first we're just gonna go to google.com so now we went to google and we should be able to see within our logs that we went to google.com so if we look at the client at the bottom here we can see a bunch of things that went through so in this case we have a bunch of google domains that were allowed through which basically you can see that shows us that we actually went to google.com and the better part is is that we know it's for our client or for this macbook that i'm using next let's try to go to a website that we know will be blocked in this case i know that doubleclick.net is a black domain in one of the default lists that's available through pihole so back to this google tab here we're going to go ahead and change this to doubleclick.net now we're going to go check that this block happened in pi hole if we go back to pi hole and then we go to dashboard we're going to scroll all the way to the bottom and then we'll see top clients blocked only if we click this ip address which is the ip address of this macbook you'll see that doubleclick.net was blocked and therefore you'll know that pi hole is working now i have one extra bonus for you for those who have a more configurable router such as openwrt one way that people can get around pi hole is by simply changing the dns server manually on their device to an external dns server or any other ip address so that really makes pyhole kind of useless however a way you can get around that is by creating firewall rules that deny traffic to external dns servers so let's go ahead and set that up right now in openwrt we're going to go to network firewall then we're going to go to traffic rules now in here we just need two rules one to allow the pi hole to contact external dns servers because we still want to use that and two to deny external dns servers to our other clients next we're going to go to add then in here we're going to call this pihole external dns allow for our protocol we only need udp for our source zone we're going to change this to lan then our source address we're going to change this to pihole.lan which should be 192.168.1.115. our source port will leave as any the destination zone will do as when then for our destination address we're going to use cloudflare's ip address which is 1.1.1.1 then the destination port will be 53 and that's because that is the default port for dns lastly we want the action to be accept we'll click save there then we're going to add one more rule here we're going to call it external dns block next the protocol is going to be udp next we'll change our source zone to lan we'll leave our source address as blank and by this we want to allow all lan zone ips then the source port will be any the source destination will be when the destination address will leave as blank because we want to block more than one dns server and here most importantly we want to block port 53 then on action we're going to do drop once we do this we'll click save and then lastly at the bottom we're going to click save and apply what this does for us now is it allows pi hole to contact external dns servers in this case specifically the cloudflare dns server and then everything else will be blocked by all clients for external dns servers or specifically udp connections going out on port 53. now let's try and test this out by changing our dns ip manually on this macbook to something other than the pi hole and then seeing if we can load up a website first we're going to go back to system preferences and then we're going to go to advanced then for dns we're going to go ahead and click plus here we're going to use an example of quad9 9.9.9.9 we'll go ahead and click enter click ok click apply and then we can minimize this so now let's see if we can actually reach the internet here we'll go to google.com once more now you'll notice that nothing is happening and that's because that block rule is blocking us from getting the ip address for google.com so for the sake of time i'm going to go ahead and close this out we're going to go back to system preferences we're going to go to advanced we're now going to change our dns back to the default dns server that we have with pihole we'll go ahead and click ok click apply minimize this and then we're going to try google.com once more and you'll see that it load up successfully so that about covers it for all this configuration for pihole there's much more that you can do and i'll leave it to you to figure out what other ways you would like to use pi home thanks for following me in my journey i really appreciate it if you got some value out of this video go ahead and give it a thumbs up and if you like this type of content and other content around it tools and technologies networking security and more go ahead and subscribe to my channel and click that bell for notifications so you don't miss the next video so i want you to tell me what would you use pihole for what would you block what would you allow how would you configure your clients let me know in the description below and i'd be happy to have a conversation on it thanks again and i'll see you in the next video you

Info

Channel: Dev Odyssey

Views: 5,433

Rating: undefined out of 5

Keywords: dns sinkhole, dns sinkhole explained, how to make your home network more secure, how to secure home network, how to secure home network from hackers, how to set up pihole on raspberry pi, openwrt firewall rules, improve home network security, pihole tutorial, how to block malware, how to block phishing sites, how to block phishing websites, how to block ads, how to block pop ups, prevent ransomware attack, network security best practices, ad blocking, adblock

Id: XTk8eZ4NmFc

Channel Id: undefined

Length: 27min 20sec (1640 seconds)

Published: Thu Aug 26 2021