Pi-Hole Stats and gotchas


  • Pi-Hole Stats and gotchas

    I've heard PiHole come up a few times in the podcasts and thought this would be an interesting place to put some information together around it. I recently put one in and I've been really impressed with its simplicity.

    So for my setup, I had already used my Raspberry Pi for the CanaryPI project, so instead of another Raspberry Pi I implemented a new home Ubuntu Server on a cheap home lab I have (a discussion point for another post!). That Ubuntu server runs ddclient for my upstream OpenDNS account, the PiHole services, and the Unifi Controller for my APs and USG firewall.

    The upstream OpenDNS account is what I really want to talk about. I've used that for a few years and you can do DNS based blocking in that account (free for home users and I think small businesses). Between that, and ad blocking extensions in my home browsers... I actually didn't see ANY difference in the sites I visited once I implemented the PiHole. But I still love it, and here is why.

    What I did see was a significant drop in the number of upstream DNS requests that were made. OpenDNS tracks this data and my home network would consistently make 50k to 60k DNS requests daily. The instant that I implemented a PiHole, my upstream DNS requests dropped to 20k a day. That's 40,000 DNS requests that are filtered out every ... friggen.... day... I personally love it when technology works sooo good and you barely notice a difference after implementing it. It's effective, without being an administrative nightmare.

    I attached a screenshot of the trend for my requests that week. I thought it was really cool to see.

    One major GOTCHA with the PiHole that I haven't really corrected yet is the way your clients respond. When you set up a PiHole, you point your internal clients to use the PiHole as the primary DNS server. DON'T SET UP A SECONDARY.

    The PiHole will blackhole any DNS requests that it's designed to block... but the client will see this, and say "got nothing there??? oh well.. I'll just check with the secondary DNS server". So my initial implementation actually had all of my clients "doubling-down" on garbage DNS requests. If you're not paying attention to this, you'll actually just be introducing a tool that makes all of your requests take twice as long to load!

    The downfall is that rebooting the PiHole will take down your internet connection with no secondary DNS server set up on your clients... my wife notices. I'm thinking that, long term, I might implement a second PiHole so I have that redundancy without losing the effectiveness.


  • #2
    Hey there,

    Wow, you kind of broke my brain with this:

    One major GOTCHA with the PiHole that I haven't really corrected yet is the way your clients respond. When you set up a PiHole, you point your internal clients to use the PiHole as the primary DNS server. DON'T SET UP A SECONDARY.
    That makes total sense, yet I've always set up a secondary in my Pihole deployments. I think it's time to set up a second Pihole!

    Thank you galoryber!
    Brian Johnson
    7 Minute Security
    Podcaster | Security Consultant



    • #3
      Could you share your blacklist?
      I mainly use this one: https://firebog.net but I had to whitelist 4 or 5 domains to allow my Office 365 to sync on all devices



      • #4
        So far I haven't used anything but the canned lists. Maybe galoryber has further ideas.

        Also, I'm installing my second Pi-Hole with a spare Rpi zero I found. :-). It already has me thinking, though... what's the best way to configure Pi-Holes in an environment with AD and still honor PiHole's blacklists?
        Brian Johnson
        7 Minute Security
        Podcaster | Security Consultant



        • #5
          Canned lists for me too. I just haven't ventured out yet, but I feel like there is a lot of opportunity there. I'll have to check out firebog.

          what's the best way to configure Pi-Holes in an environment with AD and still honor PiHole's blacklists?
          That's an interesting thought... You'd almost have to have the AD DNS servers query the PiHole, then the PiHole query an Internet DNS provider. That way your internal clients continue to resolve internal services with AD, but any upstream queries still get filtered.



          • #6
            Originally posted by galoryber:
            Canned lists for me too. I just haven't ventured out yet, but I feel like there is a lot of opportunity there. I'll have to check out firebog.


            That's an interesting thought... You'd almost have to have the AD DNS servers query the PiHole, then the PiHole query an Internet DNS provider. That way your internal clients continue to resolve internal services with AD, but any upstream queries still get filtered.
            That seems to be the way to do it. You'll have your internal DNS servers for internal names, and forward the rest to pi-hole. The downside is that you cannot tell, from the pi-hole logs, which client is querying what. The only client in the pi-hole log will be the internal DNS server. Or, you create a conditional forward on your Pi-hole to serve internal names in your internal DNS:
            1: Client -> Internal DNS -> Pi-Hole -> External DNS
            2: Client -> Pi-Hole -> Internal DNS -> External DNS


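The per-client view that post #6 says you lose behind an internal forwarder, and the "requests that never go upstream" statistic from the original post, as an added example (not code from the thread or from the Pi-hole project): a Python parser over a constructed dnsmasq-style log. The log line shapes, client addresses and domains are assumptions.

```python
"""Per-client blocked/forwarded counts from a Pi-hole (dnsmasq) log."""
import re
from collections import defaultdict

# Constructed sample log. The line shapes are an assumption modelled on
# dnsmasq's log-queries output as Pi-hole writes it; 192.168.1.2 stands
# for an internal DNS server that forwards its clients' queries (post #6),
# so everything behind it shows up as one client.
SAMPLE_LOG = """\
May 12 10:00:01 dnsmasq[512]: query[A] www.example.com from 192.168.1.20
May 12 10:00:01 dnsmasq[512]: forwarded www.example.com to 208.67.222.222
May 12 10:00:02 dnsmasq[512]: query[A] ads.tracker.example from 192.168.1.20
May 12 10:00:02 dnsmasq[512]: gravity blocked ads.tracker.example is 0.0.0.0
May 12 10:00:03 dnsmasq[512]: query[AAAA] telemetry.example from 192.168.1.21
May 12 10:00:03 dnsmasq[512]: gravity blocked telemetry.example is 0.0.0.0
May 12 10:00:04 dnsmasq[512]: query[A] www.example.org from 192.168.1.2
May 12 10:00:04 dnsmasq[512]: forwarded www.example.org to 208.67.222.222
May 12 10:00:05 dnsmasq[512]: query[A] ads.tracker.example from 192.168.1.2
May 12 10:00:05 dnsmasq[512]: gravity blocked ads.tracker.example is 0.0.0.0
"""

QUERY_RE = re.compile(r"query\[\w+\] (\S+) from (\S+)$")
BLOCKED_RE = re.compile(r"gravity blocked (\S+) is ")
FORWARDED_RE = re.compile(r"forwarded (\S+) to (\S+)$")


def per_client_stats(log_text):
    """Return {client: {"queries", "blocked", "forwarded"}}.
    dnsmasq logs the outcome on a later line without the client, so the
    outcome is attributed to the most recent query line for that domain.
    """
    stats = defaultdict(lambda: {"queries": 0, "blocked": 0, "forwarded": 0})
    last_client_for = {}
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            domain, client = m.groups()
            stats[client]["queries"] += 1
            last_client_for[domain] = client
        elif m := BLOCKED_RE.search(line):
            stats[last_client_for[m.group(1)]]["blocked"] += 1
        elif m := FORWARDED_RE.search(line):
            stats[last_client_for[m.group(1)]]["forwarded"] += 1
    return dict(stats)


def blocked_fraction(stats):
    """Share of all queries answered locally, i.e. never sent upstream."""
    total = sum(s["queries"] for s in stats.values())
    return sum(s["blocked"] for s in stats.values()) / total if total else 0.0
```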

            • #7
              Hehehhe best laid plans backfired on me. I got the two piholes setup, DISABLED a tertiary server, and all was fine and dandy....

              ...until I realized that both PIs were plugged into a power strip that was connected to an outlet controlled by a lightswitch, and the kids turned off the lights when they left the room.

              No big deal. I did NOT spend a ton of time troubleshooting while Internet was down and did NOT forget that the tertiary DNS was disabled, in case you were wondering (he said sarcastically).

              Brian Johnson
              7 Minute Security
              Podcaster | Security Consultant



              • #8
                Originally posted by 7MinSec:
                Hehehhe best laid plans backfired on me. I got the two piholes setup, DISABLED a tertiary server, and all was fine and dandy....

                ...until I realized that both PIs were plugged into a power strip that was connected to an outlet controlled by a lightswitch, and the kids turned off the lights when they left the room.

                No big deal. I did NOT spend a ton of time troubleshooting while Internet was down and did NOT forget that the tertiary DNS was disabled, in case you were wondering (he said sarcastically).

                🤣

                You can solve this with some smart lights, like Philips Hue. The light switch will always be on but the light will be off.



                • #9
                  Hhaahah, you described how my brain has felt during stay-at-home time. The switch is on but the lights are off.
                  Brian Johnson
                  7 Minute Security
                  Podcaster | Security Consultant



                  • #10
                    I know I'm a month late to the party, but I wanted to clarify that PiHole's blacklists are designed to resolve blacklisted domains to 0.0.0.0, meaning your client should not make any follow-on requests, since your PiHole is answering the query. There should be no need to set up a second PiHole, except for the sole reason of having high-availability.

                    [Attached image: pihole.png]

                    I have OpenDNS as my secondary DNS on every device, and I have never seen a request for anything on the Gravity blacklists. Now of course, blacklisted domains can still be visited if the resolution is still cached somewhere in the browser or on the client.
                    Last edited by axl; 05-12-2020, 11:01 AM. Reason: grammar



                    • #11
                      I think you're probably spot on, if DNS is still caching the blackholed address. Unfortunately, if you do an nslookup on some un-cached domain while you have two name servers set up, there is no guarantee that the PiHole will be the one that responds, and as a result, your client might cache a valid record and communicate around the PiHole.
                      https://discourse.pi-hole.net/t/why-...ns-server/3376
                      Not a huge deal for my home network, so I just leave it as the primary and only have one DNS server internally, per their recommendations.
                      I'd be curious to know if the OpenDNS blacklists compare in any way to the PiHole blacklists. Maybe certain domains would be blocked by both utilities.


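The secondary-resolver gotcha from the original post and the caching point from #11, as an added simulation that is not code from the thread or from Pi-hole: a client stub resolver with the Pi-hole first and a plain resolver second, tried in order, with answers cached. Server names, domains and addresses are constructed; it models the failover case (Pi-hole down), not a client that ignores resolver order.

```python
"""Simulated client stub resolver: Pi-hole primary plus a plain secondary."""

# Constructed names and addresses (not from the thread). The Pi-hole
# answers 0.0.0.0 for blocklisted names; the secondary answers truthfully.
PIHOLE, SECONDARY = "pihole", "secondary-resolver"
BLOCKLIST = {"ads.tracker.example"}
REAL_RECORDS = {"ads.tracker.example": "203.0.113.10",
                "www.example.com": "203.0.113.20"}


class Network:
    """Simulated servers; names in `down` time out instead of answering."""
    def __init__(self, down=()):
        self.down = set(down)

    def ask(self, server, name):
        if server in self.down:
            return None                       # timeout, client moves on
        if server == PIHOLE and name in BLOCKLIST:
            return "0.0.0.0"                  # sinkhole answer
        return REAL_RECORDS.get(name)


class StubResolver:
    """Ordered server list, first answer wins, answers are cached."""
    def __init__(self, servers, net):
        self.servers, self.net, self.cache = list(servers), net, {}

    def resolve(self, name):
        if name in self.cache:
            return self.cache[name]           # Pi-hole never consulted
        for server in self.servers:
            answer = self.net.ask(server, name)
            if answer is not None:
                self.cache[name] = answer
                return answer
        raise LookupError(name)               # every server timed out


def answers_across_reboot(servers, name="ads.tracker.example"):
    """(answer while the Pi-hole is down, answer once it is back)."""
    net = Network(down={PIHOLE})
    client = StubResolver(servers, net)
    during = client.resolve(name)
    net.down.clear()                          # Pi-hole rebooted, healthy
    return during, client.resolve(name)       # second answer from cache
```

With the secondary configured, the blocked name resolves to its real address during the outage and keeps resolving that way from cache after the Pi-hole is back; with the Pi-hole alone, the outage is a hard failure, which is the trade-off the original post describes.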

                      • #12
                        This is all really helpful information. I was just in my Ubnt Dream Machine last night looking through notifications for the first time, and it's interesting to me that the logs are filled with instances of "Pi hole is having trouble resolving DNS requests." I think the "trouble" it's having is it is resolving things to 0.0.0.0 rather than a legit lookup problem, but I should probably check.
                        Brian Johnson
                        7 Minute Security
                        Podcaster | Security Consultant



                        • #13
                          I have tried a bunch of blacklists, and whilst some are very cool for blocking everything, I found the wife didn't like some of them "I can't play my facebook game" etc.

                          I'm currently using https://dbl.oisd.nl/ for my blacklists. It's described as the 'wife / girlfriend friendly list' that blocks the bad stuff, but still allows _some_ things through so facebook isn't broken etc.



                          • #14
                            I'll have to tinker more with custom block lists. Will the pihole tell you in the query log which specific list blocked a thing? #lazyweb
                            Brian Johnson
                            7 Minute Security
                            Podcaster | Security Consultant



                            • #15
                              Tools => Query Lists
