Unlock the full potential of Pihole

Pihole dashboard

Foreword: I’m fascinated by technology and I wanted to share my findings while experimenting with Pihole. I’m not personally against advertising companies as long as they’re not too intrusive. Pihole is advertised as an ad blocker, but it’s actually an amazing tool for protecting your own network from malware and the like.

I. Requirement and installation

I’m personally using Pihole installed on a Raspberry Pi; I gave it a fixed private IP on my network, to which I redirect all my DNS queries. You need some basic knowledge of Linux command lines to install Pihole; here is a link to the official Raspberry Pi documentation on how to use the Terminal.

If you have some experience using the Terminal, you can start the Pihole installation simply by running:

curl -sSL https://install.pi-hole.net | bash

This command proceeds automatically with the installation. For more information and guidelines, have a look at the official Pihole documentation.

II. Pihole Dashboard

http://<Pihole IP address>/admin
Pihole Dashboard

The password for the login tab is randomised and shown in your terminal at the end of the installation; you can reset it at any time by running:

$ pihole -a -p

You will then be presented with this detailed dashboard:

Pihole detail dashboard

This dashboard gives access to most of the Pihole controls, such as DHCP and DNS configuration, as well as reloading the configuration. The dashboard helps with troubleshooting and visualising the overall volume of DNS request traffic, something you will need once we unlock the full potential of Pihole using the command line in the following parts.

III. Community filter lists

  • Spyware domains
  • Malware domains
  • Coinmining networks
  • Ransomware domains
  • Phishing domains
  • Trackers and Analyticals domains
Pihole logo is displayed when the filter is compatible with Pihole

To implement one of the filters, select the one you’d like to use, right-click on the link “ 🔎 View” and select Copy link location. Then open your terminal and paste this URL into the /etc/pihole/adlists.list file. Once done, reload the Pihole configuration with the pihole -g command. Here is an example of the output of this command:

root@raspberrypi:~# pihole -g
[i] Pi-hole blocking is enabled
[i] Neutrino emissions detected...
[✓] Pulling blocklist source list into range
[i] Target: raw.githubusercontent.com (adservers-and-trackers.txt)
[✓] Status: Retrieval successful

These external filter lists are maintained and updated from time to time; I would advise setting up a cron job to keep them up to date by running the above command on a weekly basis.

As a starting point, here is the list of filters implemented on my personal Pihole:

root@raspberrypi:/home/pi# cat /etc/pihole/adlists.list
# Prevent Trackers and Malwares
https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/adservers-and-trackers.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/notracking/hosts-blocklists/master/hostnames.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://gitlab.com/my-privacy-dns/matrix/matrix/-/raw/master/source/tracking/domains.list
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardApps.txt
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileAds.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/StreamingAds/hosts
https://raw.githubusercontent.com/w13d/adblockListABP-PiHole/master/Spotify.txt
https://raw.githubusercontent.com/DRSDavidSoft/additional-hosts/master/domains/blacklist/adservers-and-trackers.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/AdAway-Default-Blocklist.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/FadeMind-addSpam.txt
https://raw.githubusercontent.com/mitchellkrogza/The-Big-List-of-Hacked-Malware-Web-Sites/master/hacked-domains.list
# Prevent Analytics
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://raw.githubusercontent.com/mitchellkrogza/Stop.Google.Analytics.Ghost.Spam.HOWTO/master/output/domains/INACTIVE/list
https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/analytics.txt
https://raw.githubusercontent.com/nickspaargaren/no-google/master/categories/analyticsparsed
https://raw.githubusercontent.com/kowith337/PersonalFilterListCollection/master/hosts/hosts_facebook0.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt
# Prevent Spyware
https://raw.githubusercontent.com/r-a-y/mobile-hosts/master/AdguardMobileSpyware.txt
https://raw.githubusercontent.com/XionKzn/PiHole-Lists/master/PiHole_HOSTS_Spyware.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/WindowsSpyBlocker81.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
# Prevent Coinmining network
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/list_browser.txt
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts
https://gitlab.com/ZeroDot1/CoinBlockerLists/raw/master/hosts_optional
https://raw.githubusercontent.com/anudeepND/blacklist/master/CoinMiner.txt
https://raw.githubusercontent.com/austinheap/sophos-xg-block-lists/master/nocoin.txt
# Prevent Ransomware
https://raw.githubusercontent.com/pirat28/IHateTracker/master/iHateTracker.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/CryptoWall-Ransomware-C2-Domain-blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Locky-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/XionKzn/PiHole-Lists/master/Cerber_Ransomware.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Ransomware-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TeslaCrypt-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TeslaCrypt-Ransomware-Payment-Sites-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TorrentLocker-Ransomware-C2-Domain-Blocklist.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/TorrentLocker-Ransomware-Payment-Sites-Domain-Blocklist.txt
# Prevent Phishing
https://gitlab.com/Kurobeats/phishing_hosts/raw/master/hosts
https://raw.githubusercontent.com/MetaMask/eth-phishing-detect/master/src/hosts.txt
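Before reloading with pihole -g it is worth tidying the adlist file: a duplicate URL (the list above, for instance, contains adservers-and-trackers.txt twice) is fetched and parsed twice, and a stray non-URL line silently yields nothing. The script below is an added example, not code from the post or from the Pi-hole project; it reads any adlists.list-style file, drops comments and blank lines, rejects anything that is not an http(s) URL, and removes duplicates while preserving order. The sample file it builds is constructed for the demonstration (example.invalid hostnames), not one of the lists above.

```shell
#!/bin/sh
# Added example (not from the post): tidy an adlists.list-style file before
# running `pihole -g`. Comments and blank lines are dropped, every remaining
# line must be an http(s) URL, and duplicates are removed (first occurrence
# wins) so a list is not fetched and parsed twice.

# Print the cleaned list on stdout; rejected lines go to stderr.
clean_adlists() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        !/^https?:\/\/[^[:space:]]+$/ { print "rejected: " $0 > "/dev/stderr"; next }
        !seen[$0]++ { print }
    ' "$1"
}

# Number of distinct list URLs the file would actually subscribe to.
count_adlists() {
    clean_adlists "$1" 2>/dev/null | wc -l | tr -d ' '
}

# Constructed sample in the shape of /etc/pihole/adlists.list: one URL
# appears twice (as adservers-and-trackers.txt does in the post's own file)
# and one line is not a URL at all.
SAMPLE_ADLISTS="${TMPDIR:-/tmp}/adlists-sample.$$"
cat > "$SAMPLE_ADLISTS" <<'EOF'
# Prevent Trackers and Malwares
https://lists.example.invalid/adservers-and-trackers.txt
https://lists.example.invalid/malware.txt
https://lists.example.invalid/adservers-and-trackers.txt
this-is-not-a-url
EOF

# Show what survives; a real run would redirect this into the adlist file
# and then call `pihole -g`.
clean_adlists "$SAMPLE_ADLISTS"
```

Running it on the sample prints the two distinct URLs and reports "rejected: this-is-not-a-url" on stderr; on a real file, redirect the output to a new file and swap it in only after checking the rejected lines.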

IV. Dynamic DNS naming

Many people have been trying, and for quite some time, to recognise the pattern used by YouTube to inject advertisements (see this Pihole Discourse thread started in 2016), and here is a little documentation on how to do this.

Update: YouTube ads are no longer blocked by this method; YouTube now integrates its ads within the same data stream as the video, which means blocking ads with DNS naming no longer works. There is perhaps another solution using a proxy for all of your HTTPS traffic that would decrypt your secure traffic on the fly and deny ad traffic. It does require root access to the phone / apps. Some such solutions are available out there, but you end up sending all your sensitive traffic to who knows where. In the end, I just use web apps (as opposed to mobile apps) on my phone, where I keep control of my data and can deny ad traffic ;)

1. Add Python3 and pip on your Pihole device

Install them this way:

$ sudo apt-get install python3.7 python3-pip

Link python3 to your user environment:

$ sudo ln -s /usr/bin/pip3 /usr/local/bin/pip
$ sudo ln -s /usr/bin/python3.7 /usr/local/bin/python

Verify:

$ python --version
Python 3.7.3
$ pip --version
pip 18.1 from /usr/lib/python3/dist-packages/pip (python 3.7)

2. Make use of the Sublist3r script:

Create a folder for hosting this GitHub repo (instructions are also present there):

$ sudo mkdir /etc/sublist/

Download and unzip this project:

$ cd /etc/sublist/
$ sudo wget https://github.com/aboul3la/Sublist3r/archive/master.zip
[...]
$ sudo unzip -o master.zip

This script will help us retrieve the dynamic subdomains created and generated by YouTube (googlevideo.com in this case). I used to get these subdomains using DNSDumpster, but that was limited to only 100 domains (thank you to my readers for pointing that out). With this method, you should get roughly 700+ subdomains.

3. Final script to implement the magic:

Sublist3r also requires some packages to be installed alongside it (instructions are also on GitHub); install them as follows:

root@raspberrypi:~# apt-get install python-argparse python3-dns python3-requests

You should be able to test this script this way:

root@raspberrypi:/etc/sublist# python /etc/sublist/Sublist3r-master/sublist3r.py -h
usage: sublist3r.py [-h] -d DOMAIN [-b [BRUTEFORCE]] [-p PORTS] [-v [VERBOSE]]
                    [-t THREADS] [-e ENGINES] [-o OUTPUT] [-n]

OPTIONS:
  -h, --help            show this help message and exit
  -d DOMAIN, --domain DOMAIN
                        Domain name to enumerate it's subdomains
  -b [BRUTEFORCE], --bruteforce [BRUTEFORCE]
                        Enable the subbrute bruteforce module
  -p PORTS, --ports PORTS
                        Scan the found subdomains against specified tcp ports
  -v [VERBOSE], --verbose [VERBOSE]
                        Enable Verbosity and display results in realtime
  -t THREADS, --threads THREADS
                        Number of threads to use for subbrute bruteforce
  -e ENGINES, --engines ENGINES
                        Specify a comma-separated list of search engines
  -o OUTPUT, --output OUTPUT
                        Save the results to text file
  -n, --no-color        Output without color

Example: python /etc/sublist/Sublist3r-master/sublist3r.py -d google.com

Now, I’m using this script to filter the desired traffic and add it to my blacklist file in Pihole (script path: /etc/pihole/youtube-ads.sh):

#!/usr/bin/env bash
# Clean up the result file from the previous run (-f: do not fail if it is absent)
rm -f /var/log/sublist-youtube-result.txt
# Retrieve all .googlevideo.com subdomains
python /etc/sublist/Sublist3r-master/sublist3r.py -d googlevideo.com -n -o /var/log/sublist-youtube-result.txt
# Keep only the .googlevideo.com subdomains starting with 'r'; appended so the list grows across runs
grep '^r' /var/log/sublist-youtube-result.txt >> /var/log/sublist-youtube-filtered.txt
# Strip anything after the first whitespace so only the hostname remains
# (the filtered file already accumulates, so overwrite rather than append here)
sed 's/\s.*$//' /var/log/sublist-youtube-filtered.txt > /var/log/sublist-youtube-ads.txt
# Place findings in the Pihole blacklist text file
cat /var/log/sublist-youtube-ads.txt > /etc/pihole/blacklist.txt
# Keep unique values only
perl -i -ne 'print if ! $x{$_}++' /etc/pihole/blacklist.txt
# Make sure the pihole user owns its configuration files
chown -R pihole. /etc/pihole
# Pipe findings into the Pihole db
cat /etc/pihole/blacklist.txt | xargs pihole -b

This script is divided into several parts:

  • Retrieve subdomains from Sublist3r
  • Filter them, place the findings in the blacklist file and curate the results.
  • Use an xargs pipe to populate the Pihole db based on the findings

I’m running this twice an hour with a cron job (don’t forget to make this script executable with chmod):

root@raspberrypi:/home/pi# crontab -l
*/30 * * * * /etc/pihole/youtube-ads.sh

This configuration has been running for a while and I still see some ads from time to time on my FireTV or in the YouTube app on my phone. Over time, the cron job collects subdomains and adds them to your Pihole file, which limits the number of ads you’d be exposed to.

Feel free to contact me if you want to share your ideas.

V. Regex blacklisting

I used to make use of this in the past with previous versions of Pihole; somehow, blacklisted domains redirected to a whitelisted CNAME were actually bypassing Pihole. I no longer have this issue with Pihole version 5.1:

root@raspberrypi:/home/pi# pihole -v
Pi-hole version is v5.1.1 (Latest: v5.1.1)
AdminLTE version is v5.1 (Latest: v5.1)
FTL version is v5.1 (Latest: v5.1)

Previously, the only way to block this traffic was to use regex, by simply putting a list of patterns in the /etc/pihole/regex.list file. Here is an example:

root@raspberrypi:/home/pi# cat /etc/pihole/regex.list
^(.+[-_.])??adse?rv(er?|ice)?s?[0-9]*[-.]
^(.+[-_.])??m?ad[sxv]?[0-9]*[-_.]
^(.+[-_.])??telemetry[-.]
^(.+[-_.])??xn--
^adim(age|g)s?[0-9]*[-_.]
^adtrack(er|ing)?[0-9]*[-.]
^advert(s|is(ing|ements?))?[0-9]*[-_.]
^aff(iliat(es?|ion))?[-.]
^analytics?[-.]
^banners?[-.]
^beacons?[0-9]*[-.]
^count(ers?)?[0-9]*[-.]
^pixels?[-.]
^stat(s|istics)?[0-9]*[-.]
^track(ers?|ing)?[0-9]*[-.]
^traff(ic)?[-.]
google-{0,}(analytic|syndication|(ad[a-z0-9]*|tag)-{0,}service)[s]\.[a-z]{2,7}$
google-{0,}(analytics{0,}|(ad|tag)manager)\.[a-z]{2,7}$
double-{0,}clic(k|k[.]*by-{0,}google)\.[a-z]{2,7}$
(google|partner|pub)-{0,}ads{0,}-{0,}(apis{0,})\.[a-z]{2,7}$
(^|\.)facebook\.[A-Za-z0-9]+$
(^|\.)fb\.[A-Za-z0-9]+$
(^|\.)fbcdn\.[A-Za-z0-9]+$
(^|\.)fbsbx\.com$
(^|\.)fbsbx\.com\.online-metrix\.net$
(^|\.)m\.me$
(^|\.)messenger\.com$
(^|\.)tfbnw\.net$
(^|\.)instagram\.com$
(^|\.)whatsapp\.com$
^(.+\.)?amp\..+\.com$
^(.+\.)?ampproject\.org$
^(.+\.)?amp\.cloudflare\.com$
^(.+\.)?cdn\.ampproject\.org$
(.*\.|^)((think)?with)?google($|((adservices|apis|mail|static|syndication|tagmanager|tagservices|usercontent|zip|-analytics)($|\..+)))
([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo\.com/
([A-Za-z0-9.-]*\.)?secure\.footprint\.net/
([A-Za-z0-9.-]*\.)?match\.com/
([A-Za-z0-9.-]*\.)?clicks\.beap\.bc\.yahoo(\.\w{2}\.\w{2}|\.\w{2 ,4})/
([A-Za-z0-9.-]*\.)?sitescout(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?appnexus(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?evidon(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?mediamath(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?scorecardresearch(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?flashtalking(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?turn(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?mathtag(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?googlesyndication(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?s\.yimg\.com/cv/ae/us/audience/
([A-Za-z0-9.-]*\.)?clicks\.beap/
([A-Za-z0-9.-]*\.)?.doubleclick(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?yieldmanager(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?w55c(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?adnxs(\.\w{2}\.\w{2}|\.\w{2,4})/
([A-Za-z0-9.-]*\.)?advertising\.com/
([A-Za-z0-9.-]*\.)?evidon\.com/
([A-Za-z0-9.-]*\.)?scorecardresearch\.com/
([A-Za-z0-9.-]*\.)?flashtalking\.com/
([A-Za-z0-9.-]*\.)?turn\.com/
([A-Za-z0-9.-]*\.)?mathtag\.com/
([A-Za-z0-9.-]*\.)?surveylink/
([A-Za-z0-9.-]*\.)?info\.yahoo\.com/
([A-Za-z0-9.-]*\.)?ads\.yahoo\.com/
([A-Za-z0-9.-]*\.)?global\.ard\.yahoo\.com/
(^|\.)lgsmartad\.com$
ngfts.lge.com
lgtvonline.lge.com
(^|\.)buffpanel\.com$
(^|\.)bugsnag\.com$
(^|\.)redshell\.io$
(^|\.)treasuredata\.com$
(^|\.)unity(|3d)\.com$
(^|\.)unityads(|\.co)\.com$
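A regex list like the one above is easy to get subtly wrong: Pihole FTL compiles each line as a POSIX extended regex and matches it against the bare query name, so an entry that does not compile is dropped, and the URL-style entries ending in "/" (copied from browser-oriented block lists) can never match a hostname. The script below is an added example, not code from the post or from the Pi-hole project, that dry-runs such a file with grep -E: one function lists entries grep refuses to compile, the other reports whether a given query name would be matched. The sample list it builds is constructed for the demonstration from a few of the patterns above plus one deliberately broken entry; grep -E is used as a stand-in for FTL's regex engine, which is an approximation, not the real thing.

```shell
#!/bin/sh
# Added example (not part of the post): dry-run a Pi-hole style regex list
# with grep -E before deploying it. Two checks: entries that do not compile,
# and whether a given bare hostname would be matched by any entry.

# Print every entry of FILE that grep -E refuses to compile.
regex_compile_errors() {
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        rc=0
        printf 'probe\n' | grep -E -e "$pattern" >/dev/null 2>&1 || rc=$?
        # grep exits 1 for "no match" and 2 for a malformed pattern
        if [ "$rc" -eq 2 ]; then
            printf '%s\n' "$pattern"
        fi
    done < "$1"
    return 0
}

# Exit 0 if DOMAIN is matched by at least one compilable entry of FILE.
regex_matches() {
    file=$1
    domain=$2
    while IFS= read -r pattern; do
        [ -n "$pattern" ] || continue
        if printf '%s\n' "$domain" | grep -E -q -e "$pattern" 2>/dev/null; then
            return 0
        fi
    done < "$file"
    return 1
}

# Constructed sample list: three hostname-style entries of the kind shown in
# the post, one URL-style entry with a trailing slash, and one broken entry.
SAMPLE_REGEX="${TMPDIR:-/tmp}/regex-sample.$$"
cat > "$SAMPLE_REGEX" <<'EOF'
(^|\.)facebook\.[A-Za-z0-9]+$
^(.+\.)?ampproject\.org$
^analytics?[-.]
([A-Za-z0-9.-]*\.)?ads\.yahoo\.com/
(unclosed
EOF

# Report which of a few constructed query names would be blocked.
report() {
    for d in www.facebook.com cdn.ampproject.org analytics.example.net ads.yahoo.com; do
        if regex_matches "$SAMPLE_REGEX" "$d"; then
            echo "BLOCK $d"
        else
            echo "allow $d"
        fi
    done
    echo "uncompilable entries: $(regex_compile_errors "$SAMPLE_REGEX" | wc -l | tr -d ' ')"
}
report
```

On the sample, the three hostname-style entries block www.facebook.com, cdn.ampproject.org and analytics.example.net, while ads.yahoo.com is allowed because the trailing "/" in its pattern never matches a query name; the "(unclosed" entry is the one reported as uncompilable. Point regex_matches at the real /etc/pihole/regex.list with a hostname you intend to keep reachable to catch over-broad patterns before they hit your network.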

VI. What next?

I will keep this publication up to date with the latest developments. Things keep moving fast, especially new implementations such as DNS over HTTPS, and I wonder how Pihole will evolve and adapt to this technology.

Cloud technologies and solutions lover, https://cdcloudlogix.com