DNS blocklists I use for Pi-hole, AdGuard Home and pfBlocker-NG

These are the blocklists I use:

https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-vpn-proxy-bypass.txt
https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Admiral.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://v.firebog.net/hosts/Easylist.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
https://phishing.army/download/phishing_army_blocklist.txt
https://raw.githubusercontent.com/klabacita/pmoreno-list/main/proxies.txt
https://perflyst.github.io/PiHoleBlocklist/SmartTV.txt
https://blocklistproject.github.io/Lists/tiktok.txt
https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist
https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains_abandoned.txt
https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt
https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
https://big.oisd.nl/
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/tif.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/ultimate.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/fake.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/popupads.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.amazon.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.apple.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.winoffice.txt
https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/native.lgwebos.txt
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareAdGuardHome.txt
https://raw.githubusercontent.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist/main/noai_hosts.txt
https://raw.githubusercontent.com/blocklistproject/Lists/refs/heads/master/smart-tv.txt

DNS-based adblocking walkthrough with real-world statistics based on Pi-hole DNS sinkhole

This video will show real-world statistics of DNS-based adblocking and tracking protection based on Pi-hole.

Official Netgate DNS redirect article for pfSense: https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html.

Below are the blocklists that I use:
– https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
– https://raw.githubusercontent.com/hagezi/dns-blocklists/main/adblock/doh-vpn-proxy-bypass.txt
– https://adguardteam.github.io/HostlistsRegistry/assets/filter_2.txt
– https://justdomains.github.io/blocklists/lists/adguarddns-justdomains.txt
– https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
– https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
– https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
– https://justdomains.github.io/blocklists/lists/easylist-justdomains.txt
– https://justdomains.github.io/blocklists/lists/easyprivacy-justdomains.txt
– https://adaway.org/hosts.txt
– https://v.firebog.net/hosts/AdguardDNS.txt
– https://v.firebog.net/hosts/Admiral.txt
– https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
– https://v.firebog.net/hosts/Easylist.txt
– https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts
– https://v.firebog.net/hosts/Easyprivacy.txt
– https://raw.githubusercontent.com/nextdns/cname-cloaking-blocklist/master/domains
– https://phishing.army/download/phishing_army_blocklist.txt
– https://raw.githubusercontent.com/klabacita/pmoreno-list/main/proxies.txt
– https://perflyst.github.io/PiHoleBlocklist/SmartTV.txt
– https://blocklistproject.github.io/Lists/tiktok.txt
– https://raw.githubusercontent.com/WindowsLies/BlockWindows/master/hostslist
– https://raw.githubusercontent.com/bambenek/block-doh/master/doh-hosts.txt
– https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains_abandoned.txt
– https://raw.githubusercontent.com/dibdot/DoH-IP-blocklists/master/doh-domains.txt
– https://raw.githubusercontent.com/oneoffdallas/dohservers/master/list.txt
– https://raw.githubusercontent.com/Sekhan/TheGreatWall/master/TheGreatWall.txt
– https://big.oisd.nl
– https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/tif.txt
– https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/ultimate.txt
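The two lists above mix three file formats: hosts files (`0.0.0.0 domain`), plain one-domain-per-line lists (the justdomains and hagezi `domains/` files) and adblock-syntax lists (the hagezi `adblock/` files, with `||domain^` rules). Pi-hole and AdGuard Home parse these themselves, but when you want to merge or audit the lists outside the resolver (for example to feed pfBlocker-NG a single domain file, or to see what a list actually blocks) you need to normalise them. The following is an added example, not code from this page or from any of the list maintainers; the sample list contents are constructed, and the three format conventions it handles are the ones the URLs above use.

```python
"""Normalise hosts-format, plain-domain and adblock-syntax blocklists into one domain set.
Added example; the sample list snippets below are constructed, not real list content."""
import re

# Constructed samples, one per format used by the lists in the post.
SAMPLE_HOSTS = """\
# hosts-format list (adaway / StevenBlack style)
127.0.0.1 localhost
0.0.0.0 ads.example.com
0.0.0.0 tracker.example.net # trailing comment
"""
SAMPLE_DOMAINS = """\
# plain domain list (justdomains / hagezi domains style)
ads.example.com
Telemetry.Example.ORG.
"""
SAMPLE_ADBLOCK = """\
[Adblock Plus 2.0]
! adblock-syntax list (hagezi adblock style)
||doh.example.com^
||ads.example.com^$important
@@||allowed.example.com^
example.com##.banner
"""

# Names that hosts files carry for the local machine; never treat them as blocks.
LOCALHOST_NAMES = {"localhost", "localhost.localdomain", "local", "broadcasthost",
                   "ip6-localhost", "ip6-loopback", "0.0.0.0"}
# Conservative hostname check: labels of letters, digits, '-' and '_', a TLD of 2+ chars.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9_](?:[a-z0-9_-]{0,61}[a-z0-9_])?\.)+[a-z0-9-]{2,63}$")


def parse_line(line):
    """Return the domain this line blocks, or None if the line blocks nothing."""
    raw = line.strip()
    # adblock cosmetic (##) and exception (@@) rules block no domain at DNS level
    if "##" in raw or "#@#" in raw or raw.startswith("@@"):
        return None
    line = raw.split("#", 1)[0].strip()          # hosts / domain-list comments
    if not line or line.startswith("!") or line.startswith("["):
        return None                              # adblock comments and headers
    if line.startswith("||"):
        body = line[2:].split("^", 1)[0].split("$", 1)[0]
        if "/" in body or "*" in body:           # path or wildcard rule: not a whole-domain block
            return None
        candidate = body
    else:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in ("0.0.0.0", "127.0.0.1", "::1", "::"):
            candidate = parts[1]                 # hosts format: address then name
        elif len(parts) == 1:
            candidate = parts[0]                 # plain domain list
        else:
            return None
    candidate = candidate.lower().rstrip(".")
    if candidate in LOCALHOST_NAMES or not DOMAIN_RE.match(candidate):
        return None
    return candidate


def normalize(list_texts):
    """Merge any number of list bodies into a sorted, de-duplicated domain list."""
    domains = set()
    for text in list_texts:
        for line in text.splitlines():
            domain = parse_line(line)
            if domain:
                domains.add(domain)
    return sorted(domains)


def to_hosts(domains):
    """Render the merged list back out in hosts format for tools that want that."""
    return "\n".join(f"0.0.0.0 {d}" for d in domains) + "\n"


if __name__ == "__main__":
    merged = normalize([SAMPLE_HOSTS, SAMPLE_DOMAINS, SAMPLE_ADBLOCK])
    print(to_hosts(merged))
```

Note what the parser deliberately drops: adblock exception rules (`@@`) and cosmetic rules (`##`) have no DNS meaning, so a naive "strip the punctuation" conversion would turn an allow rule into a block. Run it over the real lists by replacing the samples with the downloaded file contents.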

Use Pi-hole with Microsoft Active Directory


I’m a big fan of Pi-hole and have been using it to get rid of advertisements and tracking. Check my blogpost here if you want to know how to set Pi-hole up. It’s an amazing piece of software to protect your online privacy and provide network-wide ad-blocking. In my day job I’m an IT consultant for enterprise IT solutions, and in this post I will show you how to use Pi-hole with Microsoft Active Directory to protect all your domain-joined clients from advertisements and tracking, and to keep them away from malware websites.

Of course, you need to test this extensively before rolling it out in your infrastructure. I cannot stress this enough. The solution described in this blogpost did not show any strange or unexpected behaviour in my test lab, but every infrastructure is different. Especially with end users and applications there may be some challenges. So test before you implement!

Requirements

Microsoft Active Directory depends on the Active Directory-Integrated DNS Service and the Active Directory-Integrated DHCP Service. In this scenario all your domain-joined clients get their IP addresses and DNS settings from the Microsoft DHCP server. The DNS settings are used by the domain-joined clients to talk to Active Directory for DNS lookups and Active Directory related tasks. My test lab is running Windows Server 2019 Active Directory and DNS Service, but this should also work if you are running a Windows Server 2016 environment. The requirement list is:

  • Microsoft Windows Server 2019
  • Microsoft Active Directory 2019
  • Microsoft Active Directory-Integrated DNS 2019
  • Microsoft Active Directory-Integrated DHCP Server 2019
  • Pi-hole Server
  • Domain joined client(s)

Let’s get started

The key Pi-hole feature we will be using to get this working is called Conditional Forwarding. I will explain later in this post how we will use this feature.

DHCP Server settings

My DHCP Server is running on my Active Directory Domain controller. I’m sure a lot of you have the same setup which is fine. In the DHCP Server we have to specify certain options like DNS Servers and DNS Domain Name. My DHCP server is running on IP-address 192.168.130.10. My DNS Domain Name is vikash.nl. For DNS Servers fill in the IP-address of your Pi-hole Server. My Pi-hole server is running on IP-address 192.168.100.21.

On your DHCP server open the management console for DHCP Server and expand the scope options. Make sure the values match your network infrastructure:

Pi-hole Server settings

Now I will show you how to use Pi-hole with Microsoft Active Directory. The idea is to provide the Pi-hole Server as the DNS server to your domain-joined clients. Then in the Pi-hole Server settings we enable the option called Conditional Forwarding. Here we have to enter the IP address of our Active Directory-Integrated DHCP server and also a Local Domain Name. This local domain name has to be your Active Directory domain name; in my case that is vikash.nl. What happens now is that when the Pi-hole receives a DNS request from a client that needs to resolve something.vikash.nl, it forwards that request to our DHCP server, which is also our Active Directory Domain Controller. Every other name goes to the upstream DNS servers. This makes sure that all the Active Directory related communication between my domain-joined clients and Active Directory completes successfully.

On the Pi-hole server go to Settings and select the DNS tab:

As you can see in the screenshot above I am using Cloudflare DNS Servers as my Upstream DNS. You can use any DNS Server as your upstream DNS. This basically means that for all DNS requests not related to vikash.nl the Pi-hole server will resolve those using Cloudflare. That is exactly what we want because it will make sure that internet is still working for all our domain joined clients. At the same time we will be able to see all the DNS requests in the Pi-hole Server Query Log for every client. This gives us control to protect our domain joined clients from ads, tracking or even malware.

In the DNS tab scroll to the bottom of the page and enter the DHCP server IP-address and the Local Domain Name. My DHCP server is 192.168.130.10 and my Local Domain Name is vikash.nl. Check your network infrastructure for your specific settings and click Save:

Testing

Now let’s make sure that everything works. First we will check that the correct DHCP settings are distributed to a client we want to join to the domain vikash.nl. I will use a Windows Server 2019 as client with the name vdi01.

Check IP-address

Open up a command prompt on the machine and make sure that the client is getting the correct settings from the DHCP server:

As you can see in the screenshot above the client is getting the DNS Domain Name and the DNS Server settings according to our scope options in the DHCP server. Check that the client is not already domain joined:

Join the client to the domain

Next step is to join the client (my vdi01) to my domain vikash.nl. Click in the Server Manager on WORKGROUP and then click on Change in the window that pops up:

Select the Domain option here and enter your domain name. Remember that this must be the same as DNS Domain Name entered in the DHCP Scope options and in the Conditional Forwarding on the Pi-hole. In my case this is vikash.nl. Then click on OK.

Windows will prompt you to enter domain credentials that are allowed to perform a domain join. In my test lab I use the domain administrator account for that. Enter the credentials and click on OK:

You will get a prompt from Windows telling you that the domain join was completed successfully. It looks like everything is working :). Click on OK and reboot your client.

After the client reboots login using a domain account:

Check that everything is ok and the client is a member of the domain:

Check Pi-hole Query Log

We can see the magic happening when we check the Query Log on our Pi-hole Server. Open the admin page of Pi-hole server and select the Query Log in the left menu:

As you can see in the screenshot above, my client with IP address 192.168.130.211 (vdi01.vikash.nl) is able to resolve internet queries as well as queries related to my domain vikash.nl. File sharing is working fine as well:

How amazing is this?! We are using Pi-hole with a Microsoft Active Directory infrastructure, which means we can now benefit from the protection of Pi-hole at enterprise level :). Of course this test is limited, but imagine the possibilities. You can now provide all your end users with an ad-free and tracking-free internet experience while still being in control if a specific website needs to be unblocked.
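The Query Log is the place to confirm that Conditional Forwarding actually does what the settings page promises: every name under vikash.nl (including the `_ldap._tcp.dc._msdcs.vikash.nl` SRV records domain members use to find a domain controller) should show up as forwarded to 192.168.130.10, and everything else to the upstream resolver or blocked by gravity. The script below is an added example, not code from this post or from the Pi-hole project; it reads lines in the format Pi-hole's `pihole.log` uses (dnsmasq `query[...]`, `forwarded ... to ...` and `gravity blocked ...` lines) and flags AD-related queries that left the network. The log lines are constructed, and the client subnet `192.168.130.0/24` used for reverse (PTR) lookups is an assumption based on the addresses in the post.

```python
"""Audit a Pi-hole query log for correct conditional forwarding to the AD domain controller.
Added example; the log lines below are constructed in dnsmasq's log-queries format."""
import ipaddress
import re

AD_DOMAIN = "vikash.nl"          # Local Domain Name entered in Pi-hole (from the post)
DC_IP = "192.168.130.10"         # DHCP server / domain controller (from the post)
LOCAL_NET = ipaddress.ip_network("192.168.130.0/24")  # assumed client subnet for PTR lookups

# Constructed sample log. The last pair shows a misconfiguration: an AD name sent upstream.
SAMPLE_LOG = """\
Oct 21 09:12:01 dnsmasq[1234]: query[A] www.google.com from 192.168.130.211
Oct 21 09:12:01 dnsmasq[1234]: forwarded www.google.com to 1.1.1.1
Oct 21 09:12:02 dnsmasq[1234]: query[SRV] _ldap._tcp.dc._msdcs.vikash.nl from 192.168.130.211
Oct 21 09:12:02 dnsmasq[1234]: forwarded _ldap._tcp.dc._msdcs.vikash.nl to 192.168.130.10
Oct 21 09:12:03 dnsmasq[1234]: query[A] adservice.google.com from 192.168.130.211
Oct 21 09:12:03 dnsmasq[1234]: gravity blocked adservice.google.com is 0.0.0.0
Oct 21 09:12:04 dnsmasq[1234]: query[PTR] 10.130.168.192.in-addr.arpa from 192.168.130.211
Oct 21 09:12:04 dnsmasq[1234]: forwarded 10.130.168.192.in-addr.arpa to 192.168.130.10
Oct 21 09:12:05 dnsmasq[1234]: query[A] fs01.vikash.nl from 192.168.130.211
Oct 21 09:12:05 dnsmasq[1234]: forwarded fs01.vikash.nl to 1.1.1.1
"""

QUERY_RE = re.compile(r"query\[(?P<qtype>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")
FORWARD_RE = re.compile(r"forwarded (?P<name>\S+) to (?P<target>\S+)$")
BLOCK_RE = re.compile(r"gravity blocked (?P<name>\S+) is \S+$")


def expected_target(name):
    """Where a correctly configured Pi-hole should send this query: DC_IP or 'upstream'."""
    n = name.lower().rstrip(".")
    if n == AD_DOMAIN or n.endswith("." + AD_DOMAIN):
        return DC_IP
    if n.endswith(".in-addr.arpa"):
        # reverse lookups for the local subnet also belong to the DC (assumption, see lead-in)
        octets = n[: -len(".in-addr.arpa")].split(".")
        if len(octets) == 4:
            ip = ipaddress.ip_address(".".join(reversed(octets)))
            if ip in LOCAL_NET:
                return DC_IP
    return "upstream"


def audit(log_text):
    """Pair each query with its forward/block line and classify it.
    Returns a dict with keys dc, upstream, blocked and misrouted."""
    pending = {}                     # query name -> client that asked
    findings = {"dc": [], "upstream": [], "blocked": [], "misrouted": []}
    for line in log_text.splitlines():
        if (m := QUERY_RE.search(line)):
            pending[m["name"]] = m["client"]
            continue
        if (m := BLOCK_RE.search(line)):
            findings["blocked"].append((pending.pop(m["name"], "?"), m["name"]))
            continue
        if (m := FORWARD_RE.search(line)):
            name, target = m["name"], m["target"]
            client = pending.pop(name, "?")
            if expected_target(name) == DC_IP and target != DC_IP:
                findings["misrouted"].append((client, name, target))   # AD name leaked upstream
            elif target == DC_IP:
                findings["dc"].append((client, name))
            else:
                findings["upstream"].append((client, name, target))
    return findings


if __name__ == "__main__":
    result = audit(SAMPLE_LOG)
    for category, entries in result.items():
        print(category, entries)
```

A non-empty `misrouted` list after a real log run means the Local Domain Name in Conditional Forwarding does not match the AD domain, or the setting was not saved; in that case domain joins and logons will be slow or fail, which is what the post warns about testing for.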


Exclude client devices with Pi-hole 5


I am a big fan of Pi-hole and I recommend it to everyone. It is an amazing piece of software to get rid of advertisements and tracking at network level, and recently Pi-hole version 5 was released. Check my blogpost here if you want to know how to set it up. That blogpost is based on version 4 of Pi-hole, but the same applies to version 5. Just follow the steps there to secure your network and take back your online privacy. Pi-hole 5 has a lot of new features, but the one I want to talk about is how to exclude client devices with Pi-hole 5.

Use case

Being able to exclude individual client devices can be extremely useful during troubleshooting. There may be times that you want to bypass the ad-blocking capabilities of Pi-hole, for example for IoT devices. Many IoT devices are connected to some cloud solution, especially if they use Apple HomeKit. I’ve had many IoT devices go offline because Pi-hole was blocking them, and I did not want to whitelist all those domains. My IoT devices are on a separate VLAN and I want them to use my Pi-hole as DNS server, but I don’t want anything blocked for them. Pi-hole 5 makes that possible without jumping through any hoops.

Let’s get started

Excluding client devices with Pi-hole 5 is done using Group Management. After installing Pi-hole a default group is created. Blocklists are now called Adlists and all the adlists you add are added to the default group called Default. Check the screenshot below:

As you can see, we can now also add a comment to an adlist :). Very nice for documentation purposes. Mine says Migrated from /etc/pihole/adlists.list because my Pi-hole was upgraded from version 4 to version 5. That comment is automatically added during the upgrade process.

Create a new Group

The first thing we need to do is create a new group. Go to Group Management and click on Group. Enter a name and description and click on Add.

Make sure the List of configured groups shows the new group you added:

Check group assignment

Now we have to make sure that the new Exclude_Group group we created does not have adlists assigned to it.

Go to Group Management -> Adlists and check the Group Assignment column. In the above screenshot you can see that I have all my adlists assigned to the Default group. Next we can add client devices to the Exclude_Group group. Every client device added to this group will have no adlists, because all our adlists are assigned to the Default group.

Adding client devices

Go to Group Management -> Clients. Find the IP address of the client device in the dropdown menu. You can also enter a custom IP address. My client device has IP address 192.168.100.185. Enter a Comment and then click on Add.

Note that after adding the client device it is automatically added to the Default group:

Change the group to exclude client device

All we have to do now is change the Group assignment for the client device to the group we created earlier. It is important to deselect the Default group! We only want the client device with IP address 192.168.100.185 to be a member of the group Exclude_Group. Remember that Exclude_Group has no adlists assigned, so any member of that group will still use Pi-hole as DNS server, but without the blocking functionality.

After you have made sure that the client device is only a member of Exclude_Group, click on Apply. Your screen should look something like this:
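The reason deselecting Default matters becomes obvious once you look at how group assignment resolves: a domain is blocked for a client when an adlist containing it shares at least one group with that client, so a client left in both Default and Exclude_Group is still blocked by everything in Default. The following is an added example, not code from this post or from the Pi-hole project. It models the steps above on a simplified in-memory SQLite schema that approximates the group, client and adlist tables of Pi-hole's gravity database; the table layout and the blocking query are my own approximation, not Pi-hole's actual schema or FTL logic, and the adlist contents are constructed.

```python
"""Model how Pi-hole 5 group management decides whether a client sees a block.
Added example with a simplified, in-memory SQLite schema that approximates (and is not)
the real gravity.db tables."""
import sqlite3


def build_db():
    """Fresh database with only the built-in Default group (id 0), as after installation."""
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE "group" (id INTEGER PRIMARY KEY, name TEXT UNIQUE, description TEXT);
        CREATE TABLE client (id INTEGER PRIMARY KEY, ip TEXT UNIQUE, comment TEXT);
        CREATE TABLE client_by_group (client_id INTEGER, group_id INTEGER,
                                      PRIMARY KEY (client_id, group_id));
        CREATE TABLE adlist (id INTEGER PRIMARY KEY, address TEXT UNIQUE, comment TEXT);
        CREATE TABLE adlist_by_group (adlist_id INTEGER, group_id INTEGER,
                                      PRIMARY KEY (adlist_id, group_id));
        CREATE TABLE gravity (domain TEXT, adlist_id INTEGER);
        INSERT INTO "group" VALUES (0, 'Default', 'The default group');
    """)
    return db


def add_adlist(db, address, domains, comment=""):
    """Register an adlist with its (constructed) domains; new adlists land in Default."""
    cur = db.execute("INSERT INTO adlist (address, comment) VALUES (?, ?)", (address, comment))
    db.executemany("INSERT INTO gravity VALUES (?, ?)", [(d, cur.lastrowid) for d in domains])
    db.execute("INSERT INTO adlist_by_group VALUES (?, 0)", (cur.lastrowid,))
    return cur.lastrowid


def add_group(db, name, description=""):
    """Step 'Create a new Group'."""
    return db.execute('INSERT INTO "group" (name, description) VALUES (?, ?)',
                      (name, description)).lastrowid


def add_client(db, ip, comment=""):
    """Step 'Adding client devices': a new client is automatically put in Default."""
    cid = db.execute("INSERT INTO client (ip, comment) VALUES (?, ?)", (ip, comment)).lastrowid
    db.execute("INSERT INTO client_by_group VALUES (?, 0)", (cid,))
    return cid


def set_client_groups(db, ip, group_names):
    """Step 'Change the group': replace the client's whole group assignment."""
    cid = db.execute("SELECT id FROM client WHERE ip = ?", (ip,)).fetchone()[0]
    db.execute("DELETE FROM client_by_group WHERE client_id = ?", (cid,))
    for name in group_names:
        gid = db.execute('SELECT id FROM "group" WHERE name = ?', (name,)).fetchone()[0]
        db.execute("INSERT INTO client_by_group VALUES (?, ?)", (cid, gid))


def is_blocked(db, ip, domain):
    """Blocked when an adlist containing the domain shares a group with the client.
    A client that was never added to Group Management falls back to Default."""
    row = db.execute("""
        SELECT COUNT(*) FROM gravity g
        JOIN adlist_by_group ag ON ag.adlist_id = g.adlist_id
        WHERE g.domain = ?
          AND ag.group_id IN (
              SELECT cg.group_id FROM client_by_group cg
              JOIN client c ON c.id = cg.client_id WHERE c.ip = ?
              UNION SELECT 0 WHERE NOT EXISTS (SELECT 1 FROM client WHERE ip = ?))
    """, (domain, ip, ip)).fetchone()
    return row[0] > 0


def demo():
    """Walk the post's steps for 192.168.100.185 and return the block decision at each stage."""
    db = build_db()
    add_adlist(db, "https://adaway.org/hosts.txt", ["adservice.google.com", "ads.example.com"])
    add_group(db, "Exclude_Group", "clients that use Pi-hole without blocking")
    add_client(db, "192.168.100.185", "IoT device")
    just_added = is_blocked(db, "192.168.100.185", "adservice.google.com")     # in Default
    set_client_groups(db, "192.168.100.185", ["Default", "Exclude_Group"])
    default_kept = is_blocked(db, "192.168.100.185", "adservice.google.com")   # forgot to deselect
    set_client_groups(db, "192.168.100.185", ["Exclude_Group"])
    excluded = is_blocked(db, "192.168.100.185", "adservice.google.com")       # only Exclude_Group
    other = is_blocked(db, "192.168.100.50", "adservice.google.com")           # unknown client
    return just_added, default_kept, excluded, other


if __name__ == "__main__":
    print(demo())
```

Only the third stage returns no block: membership in any group that has an adlist is enough for blocking, so the exclusion works only when Exclude_Group is the client's sole group, which is exactly the checkbox the post tells you to clear.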

Do some testing

Now that my client device with IP address 192.168.100.185 is excluded we can do some testing. Opening a browser of my client device and visiting https://www.google.com shows the following in the query log of Pi-hole:

Note that the following DNS request is now allowed: adservice.google.com

I know that my exclusion is working because adservice.google.com is on several adlists I use:

If I change the group of this client device back to Default we will observe the following behaviour:

Well, that is all there is to excluding client devices from Pi-hole 5 blocking. It is especially useful if you find that something in your network broke after implementing Pi-hole (or adding adlists). Really helpful, I’d say.