Geekzone: technology news, blogs, forums
timmmay  #240779 25-Sep-2018 18:27

After seeing it mentioned on another thread I've set up Pi Hole on a R.Pi 1b - one of the early ones. I like the idea of LAN wide ad blocking, plus I guess a cache is good too. Setting it up was easy - an hour while I was doing something else.

It's sitting attached to an old switch in my office, using an old USB power supply. Because I don't think it's very reliable where it is, I'd like to configure it in a way that if it gets unplugged DNS still works on my network. If it works out well I'll get another switch for my network cupboard and a better power supply and put it in there, so it should be more reliable.

The Fritzbox only issues one DNS server with DHCP, so I need another way.

Standard Pi Hole Setup

I guess the standard setup would be for the router to give out the Pi Hole IP for DNS in DHCP. I tried it - worked well - until I unplugged the Pi.

My Pi Hole Setup - to Validate

I've set up the Fritz so that the first DNS server to use is the Pi Hole, and the second is the 2degrees secondary DNS server. The Pi Hole uses the 2degrees DNS, in case they have local media caches. I could easily use Google or CloudFlare; it's easy to switch later.

I figure this way DHCP tells clients to talk to the Fritzbox for DNS. When the Fritz gets a DNS request it first tries the Pi Hole, but if it doesn't get a reply it'll time out and go back to the 2degrees DNS.

Question

Is this a good / viable setup? Is there a better way to use the Pi Hole as primary DNS but have it fail over to ISP DNS if something goes wrong?

Fritzbox Setup (screenshot)

richms  #2096377 25-Sep-2018 19:21

I found things were resolved on the secondary DNS all the time when I tried similar in the past, so it was pretty ineffective.





scetoaux  #2096398 25-Sep-2018 20:19
I don't think this will work the way that you're hoping.  The Pi-Hole DNS IP needs to be issued by the DHCP server, not via the WAN connection itself.


timmmay  #2096401 25-Sep-2018 20:26

That's worth testing Rich.

First I checked that using that setup and DHCP it was all working as expected - yes it was.

I changed my PC network settings to directly address the Pi Hole for DNS, and the router for secondary. I unplugged the Pi, and DNS lookups took 5 seconds instead of being near instant. I then plugged the Pi back in, DNS time dropped to near instant, and the count started going up again. Windows recovers very quickly when a DNS server comes back up.

However, after I plugged the Pi Hole back in the router is still using the secondary DNS. I'll keep an eye on it to see if it recovers and starts using primary again.

So I think this is an ok configuration for now. Once I've been using the Pi Hole on my PC directly for a while and it seems reliable I'll maybe have DHCP give out the Pi Hole IP and everyone can use it.

@scetoaux - I think it is working how I expected. Are there any tests you can think of other than the ones I've done to validate?
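The test above (unplug the Pi, time a lookup, see which server answers) can be scripted so it gives a definite answer rather than a feeling. The probe below is an added example, not Pi-hole code or anything from the thread: it sends a raw A query to each resolver in the order a client would try them, falls through to the next one on timeout, reports which server answered and how long the whole lookup took, and flags whether the answer looks like a Pi-hole block (0.0.0.0 or NXDOMAIN). The point richms raised is visible directly: if you query a name that is on the blocklist and get a real address back, the fallback resolver served it and the blocking is not in the path. The addresses (192.168.178.2 for the Pi-hole, 203.0.113.53 for the ISP resolver) and the canned responses are assumptions constructed for the demo.

```python
"""Probe resolvers primary-first with timeout failover and report who answered.

Added example, not Pi-hole code. Addresses are assumptions: 192.168.178.x is
the Fritzbox default LAN, 203.0.113.x / 198.51.100.x are RFC 5737 ranges.
"""
import socket
import struct
import time
from typing import Callable, Dict, List, Optional

# A transport takes (server, query bytes, timeout seconds) and returns the
# response bytes, or None when nothing came back before the timeout.
Transport = Callable[[str, bytes, float], Optional[bytes]]

RCODE_NXDOMAIN = 3
# Assumption: a blocked name comes back as 0.0.0.0 (Pi-hole "NULL" mode) or as
# NXDOMAIN (Pi-hole "NXDOMAIN" mode); both are treated as "blocked" here.
BLOCK_SENTINEL_IPS = {"0.0.0.0"}


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Serialise a standard recursive A/IN query (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD=1
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _skip_name(buf: bytes, off: int) -> int:
    """Advance past a (possibly compressed) domain name, return the new offset."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_answer(resp: bytes):
    """Return (rcode, list of A-record addresses) from a DNS response."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    ips: List[str] = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(socket.inet_ntoa(resp[off:off + 4]))
        off += rdlen
    return flags & 0x000F, ips


def build_response(query: bytes, rcode: int = 0, ip: Optional[str] = None) -> bytes:
    """Constructed reply to `query`: echoes the question, optionally adds one A record."""
    flags = 0x8180 | rcode  # QR=1, RD=1, RA=1
    header = query[:2] + struct.pack("!HHHHH", flags, 1, 1 if ip else 0, 0, 0)
    answer = b""
    if ip:
        # 0xC00C = pointer to the name in the question section
        answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + socket.inet_aton(ip)
    return header + query[12:] + answer


def udp_transport(server: str, query: bytes, timeout: float) -> Optional[bytes]:
    """Real transport: one UDP datagram to port 53, None on timeout."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            return sock.recvfrom(512)[0]
        except socket.timeout:
            return None


def resolve_with_failover(name: str, servers: List[str], transport: Transport,
                          timeout: float = 2.0) -> Optional[Dict]:
    """Try each server in order; describe the first one that answers, None if none do."""
    query = build_query(name)
    started = time.monotonic()
    for server in servers:
        resp = transport(server, query, timeout)
        if resp is None or resp[:2] != query[:2]:  # timed out, or txid mismatch
            continue
        rcode, ips = parse_answer(resp)
        return {
            "server": server,
            "rcode": rcode,
            "ips": ips,
            "seconds": time.monotonic() - started,  # includes time lost to timeouts
            "blocked": rcode == RCODE_NXDOMAIN or (bool(ips) and set(ips) <= BLOCK_SENTINEL_IPS),
        }
    return None


PIHOLE = "192.168.178.2"        # assumed Pi-hole address
ISP_SECONDARY = "203.0.113.53"  # assumed ISP resolver


def make_fake_transport(pihole_up: bool) -> Transport:
    """Constructed transport: Pi-hole blocks the name (or is unplugged); the ISP resolves it."""
    def fake(server: str, query: bytes, timeout: float) -> Optional[bytes]:
        if server == PIHOLE:
            return build_response(query, ip="0.0.0.0") if pihole_up else None
        return build_response(query, ip="198.51.100.10")
    return fake


if __name__ == "__main__":
    for up in (True, False):
        result = resolve_with_failover("ads.example", [PIHOLE, ISP_SECONDARY],
                                       make_fake_transport(up), timeout=0.5)
        print("pi-hole up" if up else "pi-hole unplugged", result)
    # Against the real network, point it at whatever DHCP hands out, e.g.
    # resolve_with_failover("ads.example", ["192.168.178.1"], udp_transport)
```

Run it against the Fritzbox (the address DHCP actually hands out) with a name you know is on the blocklist: a real address back means the Fritz served the query from the ISP resolver and the Pi-hole was not consulted. The same bypass happens on any client that carries its own second resolver (a second DNS server from DHCP, an IPv6 RDNSS announcement, or DNS-over-HTTPS in the browser), so the probe is worth running from the devices you care about, not only from the router.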




dfnt  #2096404 25-Sep-2018 20:44

I use an EdgeRouter, but the concept is similar.

The pihole is configured as the primary DNS for all my DHCP scopes with the EdgeRouter as secondary just for my primary scope. I don't care if my guest and iot vlans can't do DNS lookups while the pihole is offline for maintenance, but for primary lan at least they can continue functioning by failing over to 

The pihole is configured to use the EdgeRouter as its upstream DNS, and EdgeRouter uses ISP assigned DNS servers.

Or in simple form: client -> pihole -> edgerouter -> isp dns







timmmay  #2096408 25-Sep-2018 20:56

@nas sounds like you use the recommended method of DHCP handing out the Pi Hole IP directly, with a second DNS server on your main scope. The Fritzbox doesn't seem to be able to do that, it's one DNS server only. I'd hand out the Pi Hole IP using DHCP once I trust it - time will tell. For now I'll have my PC address it directly as I can easily switch if I need to, but if my wife had problems while I wasn't here she'd not be impressed.

Looking at the Pi Hole logs, most queries are answered in 5-7ms, but there are some at 50 or even 400 ms. I guess those IPs aren't in the 2degrees cache so they had to reach out to get them. Ireland IPs take up to 400ms, but it is a fair way away.


nzkc  #2096472 26-Sep-2018 00:32

If "its not very redundant where it is", why not move it to be by your router? I've got my Pi plugged into the Fritzbox USB port to power it - I have the 7390 too. I didn't think it'd have enough power to power the Pi - but it's been fine. Saves on power sockets too!

With regards to 2nd DNS servers for DHCP clients you are correct in that:

  • Fritzbox only allows one (itself by default)
  • PiHole as a DHCP server also only notifies of itself

I've got the PiHole in my set up as the DHCP server too as I wanted to use my own domain name and not fritz.box.

Edit: I think you are with 2degrees too... If you make the PiHole your DHCP server ensure you tick the "Enable IPv6 support" option on your PiHole and disable the "announce DNSv6 server via router advertisement (RFC 5006)" option on your Fritzbox. As well as disabling the IPv6 DHCP server on your Fritzbox. Your PiHole still gets the IPv6 subnet and allocates out of that.


 
 
 
 

michaelmurfy  #2096473 26-Sep-2018 00:46

I've got one running here however have a backup that spawns in Docker on my server if the primary (Raspberry Pi) goes offline for over a minute. I used to have it all running on my server (a HP Microserver) but found it can sometimes be unreliable when the server is under heavy load.

 

Other than that - I use the PiHole as the only DNS server.
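The standby-spawning arrangement described in the post above, as an added example rather than michaelmurfy's own script: a monitor probes the primary Pi-hole, starts a standby container after the primary has been unreachable for a sustained period, and stops it again only after the primary has been back for a while, so a flapping cable does not start and stop containers every few seconds. Assumptions: the probe is a TCP connect to port 53 (pihole-FTL/dnsmasq listens on TCP as well as UDP), the standby is a pre-created container named pihole-backup, the thresholds are 60 s down / 30 s up, and the standby answers on the same address the clients are configured to use (for example via a macvlan network or a shared virtual IP). That last point matters: with the Pi-hole as the only DNS server handed out, a standby on a different address helps nobody, and the thread does not say how the original setup handles it.

```python
"""Start a standby Pi-hole container after the primary has been down for a
while, stop it once the primary has been back for a while.

Added example, not the poster's setup. Container name, address and thresholds
are assumptions; the standby is assumed to take over the primary's address.
"""
import socket
import subprocess
import time
from typing import Optional


def tcp_port_open(host: str, port: int = 53, timeout: float = 2.0) -> bool:
    """Cheap liveness probe: a TCP connect to the resolver port."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


class FailoverMonitor:
    """Pure decision logic, fed (primary_ok, timestamp) observations.

    Separating the decision from the probe and the docker calls keeps the
    hysteresis testable without a network or a docker daemon.
    """

    def __init__(self, down_after: float = 60.0, up_after: float = 30.0):
        self.down_after = down_after  # seconds unreachable before starting the standby
        self.up_after = up_after      # seconds reachable again before stopping it
        self.down_since: Optional[float] = None
        self.up_since: Optional[float] = None
        self.backup_running = False

    def observe(self, primary_ok: bool, now: float) -> Optional[str]:
        """Return 'start_backup', 'stop_backup' or None for this observation."""
        if primary_ok:
            self.down_since = None
            if self.up_since is None:
                self.up_since = now
            if self.backup_running and now - self.up_since >= self.up_after:
                self.backup_running = False
                return "stop_backup"
            return None
        self.up_since = None
        if self.down_since is None:
            self.down_since = now
        if not self.backup_running and now - self.down_since >= self.down_after:
            self.backup_running = True
            return "start_backup"
        return None


BACKUP_CONTAINER = "pihole-backup"  # assumed: container created earlier with `docker create`
PRIMARY = "192.168.178.2"           # assumed Pi-hole address


def run_action(action: str) -> None:
    """Map a decision to a docker command (argument list, no shell involved)."""
    verb = {"start_backup": "start", "stop_backup": "stop"}[action]
    subprocess.run(["docker", verb, BACKUP_CONTAINER], check=False)


def watch(interval: float = 10.0) -> None:
    """Poll forever; with a 10 s interval the 60 s threshold means six missed probes."""
    monitor = FailoverMonitor()
    while True:
        action = monitor.observe(tcp_port_open(PRIMARY), time.monotonic())
        if action:
            run_action(action)
        time.sleep(interval)


if __name__ == "__main__":
    watch()
```

Run it from the Docker host as a systemd service or a cron-started loop. A TCP connect proves the daemon is listening, not that it resolves; swapping in a real query (for a name the Pi-hole should answer from cache) would catch a wedged resolver as well as an unplugged one.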







timmmay  #2096495 26-Sep-2018 07:02

nzkc:

If "its not very redundant where it is", why not move it to be by your router? I've got my Pi plugged into the Fritzbox USB port to power it - I have the 7390 too. I didn't think it'd have enough power to power the Pi - but it's been fine. Saves on power sockets too!

With regards to 2nd DNS servers for DHCP clients you are correct in that:

  • Fritzbox only allows one (itself by default)
  • PiHole as a DHCP server also only notifies of itself

I've got the PiHole in my set up as the DHCP server too as I wanted to use my own domain name and not fritz.box.

Edit: I think you are with 2degrees too... If you make the PiHole your DHCP server ensure you tick the "Enable IPv6 support" option on your PiHole and disable the "announce DNSv6 server via router advertisement (RFC 5006)" option on your Fritzbox. As well as disabling the IPv6 DHCP server on your Fritzbox. Your PiHole still gets the IPv6 subnet and allocates out of that.

I will move it to beside the Fritz 7390, and use the Fritz USB as power, but I'm out of ports in that location right now. I'll go buy a 4 or 8 port switch this weekend, unless maybe @freitasm has one lying around he wants to sell? You're closer than the shops and probably better stocked! The advantage of using the Fritz USB is it's UPS protected.

I wouldn't use the PiHole to serve DHCP, I'll just announce it as the DNS server via DHCP. I don't turn IPv6 on on my router as I've found it caused some weird problems. I'll try it again perhaps.

michaelmurfy:

I've got one running here however have a backup that spawns in Docker on my server if the primary (Raspberry Pi) goes offline for over a minute. I used to have it all running on my server (a HP Microserver) but found it can sometimes be unreliable when the server is under heavy load.

Other than that - I use the PiHole as the only DNS server.

Interesting idea. I did consider running up a Linux VM on my PC, but it uses memory and it's not always on.


vulcannz  #2096496 26-Sep-2018 07:06

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).


gbwelly  #2096497 26-Sep-2018 07:19

vulcannz:

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.

 

 

 

 








timmmay  #2096503 26-Sep-2018 07:35

Ad block plugin can deal with first party ads. Fortunately there aren't a huge number of those.

 
 
 
 

freitasm  #2096506 26-Sep-2018 07:40

The only switch I have here now is a HP managed switch. I have to keep it because it allows me to tag/untag VLAN ID. There's a lot of routers released in New Zealand that don't do this - hard to understand why companies release these here as they won't work on UFB without this feature.





 


vulcannz  #2096540 26-Sep-2018 09:02

gbwelly:

vulcannz:

Unless you're handling HTTPS on the pi hole it won't help that much. Most advertising has moved to https now. So you need either SSL decrypt or a proxy that handles HTTPS requests (and decrypts them).

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.

That is incorrect. SSL encrypts the entire session, including the URL and host name. All anything in between can see is the IP addresses and ports. It is possible to attempt a reverse DNS lookup on the IP, and try and have a peek at the cert on the host. But these are 50/50 - and when a CDN is involved it gets even harder.

I run SSL decrypt on my network at home, and sometimes I have to exclude work devices from that as I cannot install the resigning cert on them. They then fall back to take a guess with rdns/the cert name. You also need to be able to block advertising apps embedded in pages, web filtering alone doesn't cut it. In a typical week I will only block about 400 advertising URL hits, but around 3000-4000 advertising apps (like doubleclick) embedded in pages.


nzkc  #2096663 26-Sep-2018 10:40

vulcannz:

gbwelly:

It blocks based on host name which isn't obscured by ssl. Its Achilles heel is 1st party advertising.

That is incorrect. SSL encrypts the entire session, including the URL and host name.

Snipped for brevity.

gbwelly's statement is correct. Your statements are also correct. They are not mutually exclusive. The HTML contains the URLs of the advertising and your machine can read these as they have been decrypted at that point (otherwise how would it read, interpret and render the HTML?). PiHole works by blocking the DNS requests of these hosts.

Geekzone is running over SSL. Yet you can still view the page source. And if you do that you'll see URLs in there!


gbwelly  #2096664 26-Sep-2018 10:40

vulcannz:

That is incorrect. SSL encrypts the entire session, including the URL and host name.

Hey Mark, I know that you know your stuff, but you have the wrong end of the stick on how the Pi-hole blocks adverts. It doesn't care about protocols, it's a DNS based blocker. To fetch an advert the client must resolve the name of the server hosting the advert. This is the point where the Pi-hole returns nxdomain to the client.
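The mechanism gbwelly and nzkc describe, worked through on a constructed page as an added example (not Pi-hole code and not from the thread): the browser has the decrypted HTML, so it knows every host it is about to fetch from; each of those names goes to the resolver before any TCP or TLS connection is opened, and a DNS blocker decides purely on the host name, which is why http versus https makes no difference to it. The same walk also shows the limit gbwelly called its Achilles heel: a resource served from the page's own host cannot be blocked by DNS without blocking the page itself, and that is the case where TLS inspection of the kind vulcannz runs is the only network-side option. The blocklist, page URL and HTML below are constructed for the demo; the matching rule (a name is blocked if it or any parent domain is listed) is the usual domain-blocklist behaviour.

```python
"""Classify a page's resource loads as what a DNS-based blocker stops and what
it cannot touch. Added example, not Pi-hole code; inputs are constructed."""
from html.parser import HTMLParser
from typing import Dict, List, Set
from urllib.parse import urljoin, urlsplit


class ResourceCollector(HTMLParser):
    """Collect the src/href targets a browser fetches while rendering the page."""
    FETCHED = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self, base_url: str):
        super().__init__()
        self.base_url = base_url
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        attr = self.FETCHED.get(tag)
        if attr is None:
            return
        for name, value in attrs:
            if name == attr and value:
                self.urls.append(urljoin(self.base_url, value))  # resolves "//host/..." and "/path"


def is_blocked(host: str, blocklist: Set[str]) -> bool:
    """Domain-blocklist match: the host itself or any parent domain is listed."""
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def classify(page_url: str, html: str, blocklist: Set[str]) -> Dict[str, str]:
    """Map each resource URL to 'blocked', 'first-party' or 'allowed'."""
    page_host = urlsplit(page_url).hostname
    collector = ResourceCollector(page_url)
    collector.feed(html)
    verdicts: Dict[str, str] = {}
    for url in collector.urls:
        host = urlsplit(url).hostname
        if host is None:
            continue
        if is_blocked(host, blocklist):
            verdicts[url] = "blocked"      # resolver answers NXDOMAIN/0.0.0.0; no connection is made
        elif host == page_host:
            verdicts[url] = "first-party"  # same name as the page: DNS cannot separate it from content
        else:
            verdicts[url] = "allowed"
    return verdicts


# Constructed inputs for the demo (not a real blocklist or page)
BLOCKLIST = {"doubleclick.net", "ads.example.net"}
PAGE_URL = "https://news.example.com/story"
PAGE_HTML = """
<html><head>
<link rel="stylesheet" href="/static/site.css">
<script src="https://securepubads.g.doubleclick.net/tag/js/gpt.js"></script>
</head><body>
<img src="//cdn.ads.example.net/banner.png">
<script src="/ads/house-banner.js"></script>
<iframe src="https://video.example.org/embed/1"></iframe>
</body></html>
"""

if __name__ == "__main__":
    for url, verdict in classify(PAGE_URL, PAGE_HTML, BLOCKLIST).items():
        print(f"{verdict:12} {url}")
```

The two doubleclick and ads.example.net loads are stopped at the lookup, the stylesheet and the house banner are untouchable by name because they share news.example.com with the article, and the video embed passes because nothing lists it. Feeding a saved copy of a real page's source and a real blocklist into classify() gives the same per-resource breakdown for that page.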

 

 







