Block ads, trackers and malware with Raspberry Pi
Block ads, trackers and malware with Raspberry Pi and Pi-hole https://cryptoaustralia.org.au Nick Kavadias nick@cryptoaustralia.org.au
Self promotion! • CryptoAUSTRALIA is a not-for-profit started by security and privacy enthusiasts. • Finding practical ways of dealing with the modern privacy and security challenge.
We know how to internet.. @CryptoAustralia #cryptoaus http://chat.cryptoaustralia.org.au
NOTICES 1. I will tolerate some interruptions. So call out questions. 2. The night is split into two parts 1. First preso ppt death (40 min?) 2. Then the workshop (the rest)
What we will be covering… 1. Why block the internet? 2. What is a DNS blackhole/sinkhole; 3. Pi-hole hardware and software supported; 4. My home Pi-hole install; 5. Advanced topics on DNS, lists and VPNs 6. Workshop with RPi / VM
Instructions (for later) • Have RPi (or like) device use: https://cryptoa.us/centaurus • VirtualBox or VMWare Fusion use: https://cryptoa.us/fornax Link to download VM in these instructions, we do have local copies on usb
Can’t you just leave the internet alone? No! Flash ads which hijack pages; Pop-up and pop-under ads; Ads which stalk me on all my devices; Ad networks which track and profile me; Ads that tell me I’ve won stuff; and, Malvertising…
Tech support scams! how do they work? Check out Jim Browning’s YouTube channel
Pi-hole, the solution to all your problems?
No! No such thing as a silver bullet! But.. • Good job blocking ads and trackers out of the box • Not YouTube video ads, but you can do with some tinkering • It is easy to setup and configure; • network based; • It is not a traffic filter. • Act as a second line of defence for malware/viruses • I still use browser extensions • … and antivirus
How DNS works normally https://go.gliffy.com/go/publish/12358860
How DNS works with Pi-hole https://go.gliffy.com/go/publish/12358867
Pi-Hole, not just for blocking ads and tracking • Out of the ‘box’ ads/trackers & C&C blacklists; • Many additional lists which are well maintained by security community; • Upstream DNS services (power user!)
What a blocked page site looks like What about: • Images? • JavaScript? • Https? V3.2 now lets you customise block page
Do I need Raspberry Pi Hardware? • NOT Raspberry Pi exclusive • Well tested on Raspberry Pi SBCs • ARM, or Intel x86/x64 • Will work with a Pi Zero and an ethernet dongle • Works on other SBCs, like Orange-Pi, see this write-up. • Works on crappy old Intel desktops too
What OS will Pi-hole run on? • Will work on any modern Linux OS. Officially supported Linux distributions are:
How did I set Pihole up at my place?
Hardware I used: • Raspberry Pi 3 model B+ (overkill?) • 2 GB microSD card (smallest!) • microUSB cable for power into back of router • USB Y cables useful. • WARNING on underpowering: https://www.raspberrypi.org/help/faqs/#powerReqs
Software I used • Software: • Windows 10 & Etcher.io for prepping card https://etcher.io/ • Raspbian Lite https://www.raspberrypi.org/downloads/raspbian/ • Pi-hole – installed by piping URL to bash!
And you can too, with my easy 5 Step Plan..
Step 1: Put image on SD Card • Format SD • Etcher.io • touch /boot/ssh Windows will try to reformat the unknown card because of ext4. IGNORE IT
Step 2: Plug into network • Patch into home router • Power with microUSB • if you don’t have a USB slot close by, an old 1 amp USB charger will do.
Step 3: Figure out IP address of RPi? This is the hardest part of the whole process! There are a few methods to try….
Step 3: Method 0 - PING If you’re feeling lucky, try PING: ping raspberrypi
Step 3: Method 1 - DHCP table on router?
Step 3: Method 2 - Network Scanning • Good ol’ IP scanning. Pick one: • Nmap sudo apt install nmap • Angry IP Scanner http://angryip.org/download/ • Masscan https://github.com/robertdavidgraham/masscan • Arp-scan https://github.com/royhills/arp-scan • Scan before, and after. See what’s new!
Angry IP Scanner
Step 3: Method 3 • Plug RPi into a monitor and boot!
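The "scan before, and after" tip from Method 2, as an added example that is not from the original slides: it compares two nmap ping-sweep results saved in grepable format and prints only the addresses that appeared in the second sweep. The 192.168.1.0/24 subnet, the file names and the sample scan lines are assumptions constructed for illustration.

```shell
# Added example: find the device that joined the LAN between two sweeps.
# Produce the inputs on your own network (subnet is an assumption):
#   nmap -sn -oG before.gnmap 192.168.1.0/24   # RPi unplugged
#   nmap -sn -oG after.gnmap  192.168.1.0/24   # RPi plugged in and booted

# up_hosts FILE: print IPs that nmap's grepable output marks "Status: Up".
up_hosts() {
    awk '$1 == "Host:" && /Status: Up/ { print $2 }' "$1" | LC_ALL=C sort -u
}

# new_hosts BEFORE AFTER: IPs that are up in AFTER but were absent in BEFORE.
new_hosts() (
    tmp=$(mktemp -d) || exit 1
    up_hosts "$1" > "$tmp/before"
    up_hosts "$2" > "$tmp/after"
    LC_ALL=C comm -13 "$tmp/before" "$tmp/after"
    rm -rf "$tmp"
)

# demo_new_hosts: run new_hosts on constructed sample data (not a real scan).
# Only 192.168.1.42 is new in the second sweep, so that is the Pi.
demo_new_hosts() (
    d=$(mktemp -d) || exit 1
    printf 'Host: 192.168.1.1 (router.lan)\tStatus: Up\n' >  "$d/before.gnmap"
    printf 'Host: 192.168.1.20 ()\tStatus: Up\n'          >> "$d/before.gnmap"
    cp "$d/before.gnmap" "$d/after.gnmap"
    printf 'Host: 192.168.1.42 ()\tStatus: Up\n'          >> "$d/after.gnmap"
    new_hosts "$d/before.gnmap" "$d/after.gnmap"
    rm -rf "$d"
)
```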
Step 4: Run installer • ssh pi@raspberrypi • curl -sSL https://install.pi-hole.net | bash Bad idea? Read why
Pi-hole is up and running.. But not for all devices… yet • Connect to web admin using http://pi.hole/admin • Pi-hole can take over DHCP (disable it on your router). I’ve done this on my setup because: • network printer • Get actual hostnames in your Pi-hole log
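An alternative to piping the URL straight into bash, as an added example that is not Pi-hole's own tooling: download the installer to a file, read it, record its SHA-256, and execute only a file whose hash still matches the one you reviewed. The function names and the `basic-install.sh` file name are assumptions of this example.

```shell
# Added example: review-then-run instead of curl | bash.
INSTALL_URL="https://install.pi-hole.net"   # installer URL from the slide

# fetch_installer OUT: download over HTTPS only; nothing is executed.
fetch_installer() {
    curl -sSL --fail --proto '=https' --tlsv1.2 -o "$1" "$INSTALL_URL"
}

# file_sha256 FILE: print the hex SHA-256 of FILE.
file_sha256() {
    sha256sum "$1" | awk '{ print $1 }'
}

# run_if_reviewed FILE PINNED_HASH [RUNNER]: execute FILE only when its hash
# equals the one recorded at review time; otherwise run nothing, return 1.
# RUNNER defaults to "sudo bash" (the optional argument exists for testing).
run_if_reviewed() {
    actual=$(file_sha256 "$1") || return 1
    if [ "$actual" != "$2" ]; then
        echo "refusing to run $1: hash $actual is not the reviewed $2" >&2
        return 1
    fi
    ${3:-sudo bash} "$1"
}

# Typical session:
#   fetch_installer basic-install.sh
#   less basic-install.sh                  # actually read it
#   pin=$(file_sha256 basic-install.sh)    # note the hash you reviewed
#   run_if_reviewed basic-install.sh "$pin"
```

Keeping the pinned hash also lets you confirm that a copy moved to another machine is byte-for-byte the script you read.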
(Optional) Test it out? • Reconfigure a test computer to use the IP address of Pi-Hole for its DNS.
Step 5: Re-configure router DNS settings • Log into your router. • No idea how? Find your default gateway IP and try connecting with browser, e.g. http://192.168.1.1 • ipconfig or ifconfig • To get all devices on your network to use Pi-hole for DNS, you have to make a choice…
You have two choices for router config • Change IP for DNS Server • Disable DHCP & have Pihole do it Questions??
Changing IP for DNS on my home router
Or. . . Disable DHCP on router
…and turn on DHCP Server on Pi-hole
Blocklists • Default blocklists in /etc/pihole/adlists.list • Blocklist collection here: https://wally3k.github.io/ • Your Pi-hole has a cronjob which runs pihole updateGravity once a week. • Refer to our blog post CryptoAUSTRALIA's Favourite Block Lists
Blocklists using the web admin interface You can: - whitelist hosts - temporarily disable all blocks with a timer/manually You cannot: - Make exceptions for local devices
Setting up Pi-hole away from home • If you roll your own VPN on a VPS, you can setup Pi-hole on it. Then you can run it anywhere! • https://github.com/pi-hole/wiki/Pi-hole---OpenVPN-server
Are you a Pi-hole Power User? • Self-hosted DNS • Advanced Upstream DNS • Response Policy Zone (RPZ) • We have blog posts covering these topics! Note: You don’t need to necessarily use these with PiHole
1. Your Own DNS Server • No DNS requests go to third-parties • Run your DNS server in the cloud • Pi-hole <--- DNSCRYPT ---> DNS server • More details in a blog post Build a Privacy-Respecting and Threat-Blocking DNS Server
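What a DNS sinkhole does with its block lists, as an added example that is not Pi-hole's own gravity code: it flattens hosts-format or bare-domain lists into one de-duplicated domain file and then decides, for a queried name, whether it would be blocked or forwarded upstream. Exact-name matching, the accepted 0.0.0.0/127.0.0.1 prefixes and the sample list are assumptions of this example.

```shell
# Added example: build a flat block file from adlists and look a name up.

# normalise_adlist FILE...: hosts-format or bare-domain lists -> unique domains.
normalise_adlist() {
    awk '
        { sub(/#.*/, ""); sub(/\r$/, "") }    # drop comments and stray CRs
        NF == 0 || NF > 2 { next }            # blank, or not a list entry
        NF == 2 && $1 != "0.0.0.0" && $1 != "127.0.0.1" { next }
        { d = tolower($NF) }                  # the domain is the last field
        d == "localhost" || d !~ /[a-z]/ || d !~ /\./ { next }
        { print d }
    ' "$@" | LC_ALL=C sort -u
}

# lookup NAME GRAVITY: "blocked" on an exact match (assumed), else "forwarded".
lookup() {
    name=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
    if grep -Fxq -- "$name" "$2"; then echo blocked; else echo forwarded; fi
}

# write_sample FILE: constructed sample adlist (example.* names only).
write_sample() {
    cat > "$1" <<'EOF'
# constructed sample list
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.com
0.0.0.0 Tracker.Example.net   # inline comment
0.0.0.0 ads.example.com
malware.example.org
EOF
}

# demo NAME: build the block file from the sample list and look NAME up in it.
demo() (
    d=$(mktemp -d) || exit 1
    write_sample "$d/adlist"
    normalise_adlist "$d/adlist" > "$d/gravity"
    lookup "$1" "$d/gravity"
    rm -rf "$d"
)
```

Under the exact-match assumption, `demo sub.ads.example.com` is forwarded even though `ads.example.com` is listed, so a list has to name each host it should block.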
2. Advanced Upstream DNS • Third-party DNS servers • Complements Pi-Hole • Blocks malware and phishing • Admin panel • Block categories (adult, drugs, gambling, social media …) • DNS query logging and reporting • Manual blocking / whitelisting • Integration with real-time Threat Intelligence feeds ($$$ feature)
2. Advanced Upstream DNS • Strongarm https://strongarm.io • Comodo Dome Shield https://cdome.comodo.com/shield • OpenDNS https://signup.opendns.com/homefree • Quad9 https://www.quad9.net
Which is the best threat blocking DNS provider? More info? https://blog.cryptoaustralia.org.au/2017/12/23/best-threat-blocking-dns-providers/
Response Policy Zone (RPZ) • The previous two combined: • Use your own DNS server • Download RPZ-based block list • Register Strongarm business account (free) • Download BIND 9.10+ config from https://app.strongarm.io/settings/rpz/
Done! Let's Workshop it! • If you’ve brought along a RPi, use these instructions: https://cryptoa.us/centaurus • If you’re going to play along on the virtual machine, use these instructions: https://cryptoa.us/fornax • Join us on #Slack https://chat.cryptoaustralia.org.au/
Where to get help after workshop CryptoAUSTRALIA Slack channel #pi-hole-workshop-help https://chat.cryptoaustralia.org.au/ Pi-Hole website https://pi-hole.net/ Has links to Discourse(!), subReddit, YouTube channel https://blog.cryptoaustralia.org.au