Skip to content

installation pihole

pihole docs

installation on linux

curl -sSL https://install.pi-hole.net | bash

basic

configfile

if OS uses dhcpcd for network configuration, add this to /etc/dhcpcd.conf

// static domain_name_servers=127.0.0.1 denyinterfaces veth* (put it into conf )

webport

first change server.port = 80 to server.port = 1080 here 

sudo nano /etc/lighttpd/lighttpd.conf

and add file here 

sudo nano /etc/lighttpd/external.conf
with line 
server.port := 1080
to be permanent

restart lighttpd server with either of these commands 

sudo systemctl restart lighttpd

sudo service lighttpd restart

Tip

service often redirects to systemctl. use systemctl for more advanced control for further configuration.

router pihole upstream dns server

Upstream 1 and Upstream 2 IP pihole

backup

gravity and config

backup

through webinterface at teleporter

restore

if u have .tarfile u need .tar.gz`` simplygzip .tarto get.tar.gz`

database

the database can be backed up while FTL is running when using the SQLite3 online backup method, e.g., 

sqlite3 /etc/pihole/pihole-FTL.db ".backup /home/pi/pihole-FTL.db.backup"
will create /home/pi/pihole-FTL.db.backup which is a copy of your long-term database.

commands

update pihole 

pihole -up

installation unbound

docs

sudo apt update
sudo apt install unbound

Listen only for queries from the local Pi-hole installation (on port 5335) Listen for both UDP and TCP requests Verify DNSSEC signatures, discarding BOGUS domains

add security and privacy 

nano /etc/unbound/unbound.conf.d/pi-hole.conf


server:
    # If no logfile is specified, syslog is used
    # logfile: "/var/log/unbound/unbound.log"
    verbosity: 0

    interface: 127.0.0.1
    port: 5335
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: "/var/lib/unbound/root.hints"

    # Trust glue only if it is within the server's authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # IP fragmentation is unreliable on the Internet today, and can cause
    # transmission failures when large DNS messages are sent via UDP. Even
    # when fragmentation does work, it may not be secure; it is theoretically
    # possible to spoof parts of a fragmented DNS message, without easy
    # detection at the receiving end. Recently, there was an excellent study
    # >>> Defragmenting DNS - Determining the optimal maximum UDP response size for DNS <<<
    # by Axel Koolhaas, and Tjeerd Slokker (https://indico.dns-oarc.net/event/36/contributions/776/)
    # in collaboration with NLnet Labs explored DNS using real world data from the
    # the RIPE Atlas probes and the researchers suggested different values for
    # IPv4 and IPv6 and in different scenarios. They advise that servers should
    # be configured to limit DNS messages sent over UDP to a size that will not
    # trigger fragmentation on typical network links. DNS servers can switch
    # from UDP to TCP when a DNS response is too big to fit in this limited
    # buffer size. This value has also been suggested in DNS Flag Day 2020.
    edns-buffer-size: 1232

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10

also add edns-packet-max=1232 to a config file like /etc/dnsmasq.d/99-edns.conf to signal FTL to adhere to this limit.

start recursive server and test that it's operational 

sudo service unbound restart

the first query may be quite slow, but subsequent queries, also to other domains under the same TLD, should be fairly quick.

dig pi-hole.net @127.0.0.1 -p 5335

test validation¶

test DNSSEC validation using 

dig fail01.dnssec.works @127.0.0.1 -p 5335
first command should give a status report of status: SERVFAIL and no IP address.

dig dnssec.works @127.0.0.1 -p 5335
the second should give NOERROR plus an IP address.

add unbound to pihole

add 127.0.0.1#5335 as the custom 1 DNS (IPv4) and remove all upstream dns servers

disable resolvconf.conf entry for unbound (required for debian bullseye+ releases)

debian Bullseye+ releases auto-install a package called openresolv with a certain configuration that will cause unexpected behaviour for pihole and unbound. the effect is that the unbound-resolvconf.service instructs resolvconf to write unbound's own DNS service at nameserver 127.0.0.1 , but without the 5335 port, into the file /etc/resolv.conf. that /etc/resolv.conf file is used by local services/processes to determine DNS servers configured. You need to edit the configuration file and disable the service to work-around the misconfiguration.

step 1 - disable the service

to check if this service is enabled for your distribution, run below one. tt will show either active or inactive or it might not even be installed resulting in a could not be found message

systemctl is-active unbound-resolvconf.service
to disable the service, run the statement 
systemctl disable --now unbound-resolvconf.service

step 2 - disable the file resolvconf_resolvers.conf

disable the file resolvconf_resolvers.conf from being generated when resolvconf is invoked elsewhere. 

sudo sed -Ei 's/^unbound_conf=/#unbound_conf=/' /etc/resolvconf.conf
sudo rm /etc/unbound/unbound.conf.d/resolvconf_resolvers.conf

restart unbound

service unbound restart

to verify that the server works correctly, it’s a good idea to test it before committing the entire network to it. The command for testing locally on the Unbound machine is 

dig example.com @127.0.0.1
;; SERVER: 127.0.0.1#53(127.0.0.1)

in the next section we will be disabling the default ubuntu resolver 

dig example.com
;; SERVER: 127.0.0.53#53(127.0.0.53)

to check if this service is enabled for your distribution, run below one. it will show either active or inactive or it might not even be installed resulting in a could not be found message:

systemctl is-active unbound-resolvconf.service

to disable the service, run the statement 

sudo systemctl disable --now unbound-resolvconf.service