Hackers are opportunists. You’re likely not a target but your banking information might be or you might have an IoT device that has a known vulnerability that can be used to launch a DDOS attack. Welcome to a multi part series of locking down your home network. Part 1 will be adding Pi Hole to our arsenal.
Pi Hole is a project created to do DNS black holing on your network. This is great security posture to start with because of the rise of what is known as malvertising. It extends beyond just protecting you from malvertising to stretch to malicious domains, phishing attempts, command and control domains for malware, etc.
Before we get started with Pi Hole I’d like to also make the suggestion of ad-blocking in general. As a further precaution and to help with websites annoyance you can install browser extensions such as UBlock Origins, no-script, etc. UBlock Origins is very user friendly and works extremely well.
Shameless ask. The content developers for this blog rely on ads to help pay for server, domain, pizza, and beer. If you’re going to block ads please consider donating so we can all be happy hackers!
The requirements for Pi Hole are pretty small. You should be able to use a pi 1, pi 2, or pi 3 with a 8g microSD card. This can also be done on a Virtual Machine or the cloud or really anything you can install Linux on. For the simplicity and cheapness I’m using a Raspberry Pi 3.
- Download Raspbian Stretch Lite
- Format your microSD Card
I’m using OSX for this but the commands for Linux should be the same or similar.
Look for the SD card you plugged in. In my case it’s
/dev/disk2. If you’re not sure do a
diskutil list then unplug the SD card and do another
diskutil list and you should be able to determine which one is your sd card.
/dev/disk2 (external, physical): /dev/disk2 (external, physical) #: TYPE NAME SIZE IDENTIFIER 0: FDisk_partition_scheme *7.9 GB disk2 1: Windows_FAT_32 boot 43.8 MB disk2s1 2: Linux 7.9 GB disk2s2
Note: Make sure your SD card is not locked you’ll get
dd permission denied
sudo diskutil unmountDisk /dev/disk2 sudo dd if=/dev/random of=/dev/disk2 sudo dd if=/users/<username>/downloads/2017-11-29-raspbian-stretch-lite.img of=/dev/disk2 bs=1m sudo dd if=/Users/<username>/Downloads/2017-11-29-raspbian-stretch-lite.img of=/dev/disk2 bs=1m Password: 1772+0 records in 1772+0 records out 1858076672 bytes transferred in 836.881027 secs (2220240 bytes/sec)
We’re ready to boot!
Grab your pi, a keyboard, power source, hdmi, monitor and plug into your router! Once Raspbian has booted the default username and password is
username: pi and
password: raspberry .
First order of business is to configure our Raspian OS to fit us. Go ahead and type
sudo rapspi-config. The default Keyboard layout is English UK so unless that fits your demographic and normal keyboard layout you might want to consider changing that or you’re gonna have a bad time.
Next and this is super important! We need to change the default password for the pi. So once you’re done doing your initial configuration go ahead and type
passwd and change that password!
Lets install Pi Hole!
Once you’re done with the initial configuration we’ll need to install Pi Hole. To get started make sure you have a internet connection
Next we need to get a root shell so type
sudo su now we can install. Type the following
curl -sSL https://install.pi-hole.net | bash
You’ll start walking through the process of the install. You’ll get to a part that asks you to select an upstream DNS provider. This is totally up to you. For mine i’m going to use Quad9. Quad9 is a DNS provider that also provides DNS blackholing to known malicious domains.
The rest of the settings should be fine as default.
As documented by the pi-hole you’ll want to configure a static ip address to the pi from your router. Every router is different and i’m not going to go into how this is done because I can’t support all routers. The same goes true for setting your routers DNS to your pi. Pi-hole has a document about how to configure your router to use the pi as the dns here https://discourse.pi-hole.net/t/how-do-i-configure-my-devices-to-use-pi-hole-as-their-dns-server/245.
If you didn’t have ad-blocker turned on before and the pi-hole is working you won’t be seeing ads on this blog any longer. Also there is the dashboard that you can get to by going to
x.x.x.x\admin where you replace the x’s to the ip address of your pi.
That’s it! We’re all done. You can disconnect the pi from the keyboard and monitor and let it just do it’s job.