Pi-hole & Unbound: How to have ad-free & safer internet in just a few minutes

Want a better online experience without advertisements and sneaky tracking codes that invade your privacy and monitor your activities? Wouldn’t it be great if kids playing games on the tablet or phone did not see strange ads and had a better, more enjoyable experience?

Pi-hole helps you achieve this: it is installed once and secures all devices in your home or organization. This article shows a quick way to install and configure it using DietPi.

From Pexels.com @karolina-grabowska

Pi-hole – Network-wide ad blocking

Pi-hole is an open source project that you can install for free, and it offers much more than a pleasant web browsing and gaming experience. It brings safety, and gives ways to avoid ransomware attacks. It may be tempting to open a disguised email that seems to come from the bank, school, or a close friend and invites you to click on a certain button or link. Pi-hole neutralizes these links by refusing to resolve domains found on its block lists, making them ineffective.

The Pi-hole web admin can be accessed from any web browser, and it provides an awesome dashboard to monitor various ad blocking stats.

Pi-hole web interface dashboard
Pi-hole Web Admin interface

It relies on third-party lists to block ads, trackers, malware links, and other unwanted queries for your entire network, without needing to install anything on your smartphone, laptop, media player, TV, tablet or any other device. It improves privacy and security for all your network devices.

Pi-hole and Unbound functional diagram

Unbound

Unbound is a fast and secure DNS server, primarily developed by NLnet Labs.

Essentially, Unbound looks up a DNS query itself by asking the TLD servers in a recursive manner. The major benefit is more security: you do not have to trust an upstream provider with your DNS traffic.

Unbound is helpful in many ways, and here are a few advantages:

  • Privacy – as you’re directly contacting the responsible servers, no single server can fully log the exact paths you’re taking. As a result, you do not have to trust an upstream provider with your DNS traffic. Example: Google’s DNS servers will only be asked when you want to visit a Google website, and will not learn that you want to see the website of your favorite news provider.
  • Validation – When you look up the hostname of your bank, you want to make sure that the hostname matches your bank’s actual IP address and not some phishing site somewhere in the world.
  • Caching – A local DNS reduces the traffic across the Internet by reducing load on authoritative name servers, particularly root name servers. DietPi configures both systems (Pi-hole & Unbound) to use caching, so all DNS queries are answered quickly, increasing the performance of any application that uses DNS.

The only drawback is performance for initial lookups, as they need to traverse the chain of name servers, and this takes time. But with caching, any additional query runs a lot faster!

Install DietPi

DietPi is a highly optimised & minimal Debian-based Linux distribution. It is extremely lightweight at its core, and also easy to install and use. You can install it:

  • on Single Board Computers (SBC), such as Raspberry Pi 4, Pi 400 and all the earlier models (Raspberry 1/2/3), Odroid, RockPi, Asus, NanoPi etc.
  • on Virtual Machines using VirtualBox, Hyper-V or VMware
  • on PC – maybe you have just purchased a mini PC (Intel NUC, Asus Mini PC etc.) or have an unused old laptop

This article assumes that you have installed DietPi OS already. If you have not done so yet, start by opening DietPi.com and choose your favorite setup. Then follow the install tutorial, which has only 4 steps. It also includes a video tutorial showing the installation live.

dietpi.com website download section

Install Pi-Hole together with Unbound

To install any of the DietPi Optimised Software, run dietpi-launcher from the command line and select DietPi-Software, or launch the tool dietpi-software directly.

DietPi Software

Choose Software Optimised and select Pi-hole (or use the Search option). Once selected, press space to mark it for installation.

Pi-hole needs a static IP, and DietPi will help you set it. If a static IP is not already enabled, select OK.

DietPi-Software Pi-hole install static IP prompt
DietPi-Software Pi-hole install static IP info

In addition to Pi-hole and Unbound you may select other software titles. Open the DietPi Documentation page to see the description, installation details, or even YouTube videos.

Installing Pi-hole

Most of the software is automatically configured by DietPi, and this also applies to Unbound. Pi-hole comes with a rich install guide, enabling different options based on your needs.

We’re going to change this later, so just hit <Ok>.

My network supports both protocols. Choose what works for you.

Hit <Yes>. We set a static address already.

While Pi-hole can also be configured and managed from the command line, you will probably also want the web admin interface, for simplicity and ease of access.

Logs are half the fun, and I recommend logging.

If this is a private network device, I recommend showing everything.

When the installation is complete you will get a final screen. Please note that the login password is your DietPi Global Software Password.

Installing Unbound

DietPi installs Unbound fully automatically, with no user input needed. The same applies to the initial configuration and to starting the service automatically. If you want to find out more about the configuration directory or logs, check the documentation page (link).

Configuring devices to use Pi-hole

To activate the DNS setting, connect to your router and set the DNS value. All your devices will be protected, and you only need to change one setting.

The first step is to open the router web page (or the administration console). If you are not sure which IP address the router has, check the next page – How to find your router IP address on any device.

The second step, once you are logged in to the router’s web-based administration console, is to set the DNS name server to the IP where Pi-hole is installed.

Changing the DNS server settings on your router may be difficult, since every manufacturer uses a custom interface. If you have issues setting the DNS, here are the instructions for the most popular router brands – Lifewire article.

Example router DHCP/DNS settings

NOTE 1: Most devices provide at least two DNS name servers. Unless you have two Pi-hole instances running at home, you will provide one DNS IP address and leave the other (rest) blank as shown above. If you specify a second DNS IP that is not a Pi-hole server, then ad blocking won’t work on some devices.

NOTE 2: If you’re using an Amplifi HD or any “clever” router, you’ll want to change the setting “Bypass DNS cache”, otherwise the Amplifi will still remain the DNS lookup of choice on your network.

Pi-hole Administration console

Use the URL http://pi.hole/admin/ to open the administration console. Alternatively, you can use the direct IP (example: http://192.168.0.100/admin/). On this web page you can view the status of the DNS queries allowed and those blocked.

Click on Login and use your DietPi Global Software Password (default: dietpi). Go to Settings and select the Upstream DNS Servers.

Pi-hole web interface Settings button

Check if the upstream DNS is already set to 127.0.0.1#5335 (Unbound local address). If not, enable this setting and press Save.

Pi-hole web interface upstream DNS settings
Menu: Settings > DNS
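
One way to confirm this setup from the DietPi console, as an added example that is not part of the original article or of DietPi/Pi-hole: it asks Unbound directly on 127.0.0.1#5335 and then Pi-hole on port 53. It assumes dig is installed and that DNSSEC validation is enabled in Unbound; the function names are illustrative, and fail01.dnssec.works / dnssec.works are public DNSSEC test zones.

```shell
#!/bin/sh
# Added example (not from the article): verify the Pi-hole -> Unbound chain.
# Run on the Pi-hole host itself; requires the dig tool.

# Print the status (NOERROR, SERVFAIL, NXDOMAIN ...) from dig output on stdin.
dig_status() {
    sed -n 's/.*->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Ask Unbound directly on the address Pi-hole uses as upstream (127.0.0.1#5335).
ask_unbound() { dig +time=3 +tries=1 "$1" @127.0.0.1 -p 5335; }

# Ask Pi-hole itself on the standard DNS port 53; print only the answer.
ask_pihole() { dig +short +time=3 +tries=1 "$1" @127.0.0.1; }

check_chain() {
    rc=0
    # 1. Unbound must resolve an ordinary name on its own.
    if [ "$(ask_unbound dietpi.com | dig_status)" != NOERROR ]; then
        echo "FAIL: Unbound does not answer on 127.0.0.1#5335"; rc=1
    fi
    # 2. With DNSSEC validation on (assumed), a deliberately mis-signed test
    #    zone must be rejected while a correctly signed one resolves.
    if [ "$(ask_unbound fail01.dnssec.works | dig_status)" != SERVFAIL ]; then
        echo "WARN: mis-signed zone was not rejected, validation seems off"; rc=1
    fi
    if [ "$(ask_unbound dnssec.works | dig_status)" != NOERROR ]; then
        echo "FAIL: correctly signed zone does not resolve"; rc=1
    fi
    # 3. A domain from one of your block lists (optional argument $1) should
    #    come back from Pi-hole as 0.0.0.0, its default answer for blocked names.
    if [ -n "${1:-}" ] && [ "$(ask_pihole "$1")" != 0.0.0.0 ]; then
        echo "FAIL: $1 is not blocked by Pi-hole"; rc=1
    fi
    return "$rc"
}

# Live checks run only on request: sh check.sh --run [blocked-domain]
if [ "${1:-}" = "--run" ]; then check_chain "${2:-}"; fi
```

A timeout or refused connection produces no status line, so the first check fails instead of passing silently.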

Pi-hole lists

Now that you have a fast and private DNS setup, it’s time to look at block lists, whitelists, and blacklists.

Block lists are maintained lists of bad domains providing ads, malware, tracking, and other unwanted traffic. I have 2.5 million domains from my various block lists, and some overlap. After installing Pi-hole roughly 30% of the DNS queries heading out of my house were blocked.

As a good starting point, WaLLy3k’s Blocklist collection has several categories of lists. Steven Black’s hosts files do a good job of grouping block lists by topic and are well maintained.

An issue with block lists is that unintended domains will get blocked, preventing you from accessing legitimate content. This is where whitelists come into play. A good resource for whitelists is the commonly whitelisted domains page: https://discourse.pi-hole.net/t/commonly-whitelisted-domains/212 and Anudeep’s whitelist project: https://github.com/anudeepND/whitelist

Sometimes you will need to disable Pi-hole for a few minutes to test, then whitelist certain domains. In a short period you will have it nicely dialed in.

Pi-hole web interface temporary disable duration selection
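
The interplay of overlapping block lists and a whitelist described above, as an added example that is a simplified model and not Pi-hole's own code: it merges a hosts-format list and a plain domain list, removes the overlap, and lets the whitelist win. All file names, function names and domains are constructed for illustration, and matching here is exact (no subdomains).

```shell
#!/bin/sh
# Added example: simplified model of block list merging, not Pi-hole's own code.

# Reduce hosts-format ("0.0.0.0 domain") or plain-domain lists to lowercase
# domains, one per line, skipping comments, blank lines and local entries.
normalise_list() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }
        NF == 0 { next }
        { d = tolower($NF) }
        d == "0.0.0.0" || d == "localhost.localdomain" { next }
        d ~ /^[a-z0-9_-]+(\.[a-z0-9_-]+)+$/ { print d }
    ' "$@"
}

# Merge LIST..., remove duplicates (the overlap), drop exact whitelist matches.
# Usage: build_gravity WHITELIST LIST...
build_gravity() {
    wl=$1; shift
    normalise_list "$@" | sort -u |
        awk -v wl="$wl" 'FILENAME == wl { allow[tolower($1)]; next }
                         !($1 in allow)' "$wl" -
}

# Succeeds if DOMAIN ($1) is listed in the merged file ($2), exact match only.
is_blocked() {
    grep -qxF -- "$(printf '%s' "$1" | tr '[:upper:]' '[:lower:]')" "$2"
}

# Constructed sample data: two overlapping lists and a whitelist.
tmp=$(mktemp -d) && trap 'rm -rf "$tmp"' EXIT
cat > "$tmp/list_a.hosts" <<'EOF'
# hosts-format list (constructed)
127.0.0.1 localhost
0.0.0.0 ads.example.net
0.0.0.0 Tracker.example.org   # mixed case, trailing comment
0.0.0.0 cdn.example.com
EOF
cat > "$tmp/list_b.txt" <<'EOF'
ads.example.net
tracker.example.org
malware.example.test
EOF
echo "cdn.example.com" > "$tmp/whitelist.txt"

raw=$(normalise_list "$tmp/list_a.hosts" "$tmp/list_b.txt" | wc -l)
build_gravity "$tmp/whitelist.txt" "$tmp/list_a.hosts" "$tmp/list_b.txt" > "$tmp/gravity.list"
echo "raw entries: $raw, unique after whitelist: $(wc -l < "$tmp/gravity.list")"
```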

More secure

While blocking ads brings simplicity to web browsing, with Pi-hole and Unbound you can achieve more security benefits. For me it’s less about advertising – it’s about just obnoxious tracking cookies and JavaScript.

As the point of entry for 91% of cyber attacks, email is the biggest vulnerability. From malware to malware-less attacks including impersonation attacks, a single malicious email can cause significant personal damage and financial losses.

Blocking certain sites will prevent you from accessing online scams (via emails, online gift cards or ads). Please ensure you have loaded at least one such list – extended list from phishing.army or Malicious Lists from firebog.net. You can read more in APWG’s Phishing Activity Trends Report for Q3 2019.

Updating Pi-hole

If you need to update Pi-hole, run the following command in the console:

pihole -up

More about DietPi

You can read more about Pi-hole and Unbound on the DietPi documentation website (link).

DietPi lets you quickly and easily install popular software, ready to run and optimised for your system! Check out the full list of applications here – DietPi Optimised Software.

Wrap up

Pi-hole and Unbound are great tools. You can use them to help keep your devices, your network, and your business or family safe and secure online.

You may be initially sceptical. Give it a try! Come back here and tell us about the before-and-after experience. I bet you’ll be amazed at how many requests are blocked!

About the author

Petru Faurescu
