Pi-Hole

If you’ve ever done some research on protecting yourself against online tracking, you’ve definitely seen articles discussing Pi-hole, a network-wide ad blocking service/tool.

You can install Pi-hole on just about any hardware (including a Raspberry Pi) or as a VM. I switched from a Raspberry Pi to a Linux Container (LXC) on Proxmox.
Once your Pi-hole instance is installed, you configure the devices on your home network to use it as their DNS server. On a managed network you can have your DHCP server (or an Active Directory environment) hand out the Pi-hole's address as the DNS server, so clients pick it up automatically. This is especially useful for clients whose DNS settings you can't change by hand (e.g. IoT or roaming devices). If your router doesn't let you change the DNS server it advertises (common with ISP-provided modem/router combos), you can let Pi-hole act as the DHCP server instead, handing out IP addresses together with itself as DNS server. Disable the router's DHCP server first: two DHCP servers on the same segment means clients get whichever answer arrives first, and some will keep bypassing the Pi-hole.
This wide variety of configurations and features makes Pi-hole an incredibly powerful asset in protecting your online activity against unwanted tracking.

The actual installation of Pi-hole is outside the scope of this blog post, mainly because there are hundreds if not thousands of tutorials available online. I advise you to start with the official documentation.

Blocklists

You can configure your Pi-hole instance to forward queries to one or more "safe" upstream DNS providers, like OpenDNS and Quad9, which provide some protection against unwanted websites by filtering at the DNS level.
Many upstream providers also support DNSSEC. If you enable DNSSEC validation in Pi-hole (Settings > DNS), it checks the signatures on responses for signed zones and discards forged or modified answers. Note that this only helps for zones that are actually signed, and it does not hide your queries from anyone watching the hop between the Pi-hole and the upstream.

One of the main features of Pi-hole, however, is its blocklists (adlists). Gravity, an internal Pi-hole script, downloads these lists and consolidates them into a single deduplicated domain list, which the DNS resolver consults on every query; your own blacklist and whitelist entries are applied on top of it.

Pi-hole by default includes some lists that will block domains linked to tracking by advertisement companies. As such, your online browsing is already much “cleaner” as soon as your clients use Pi-hole for their DNS queries.
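To make concrete what Gravity does with the lists you add, here is an added example in Python (not Pi-hole's own code). It takes two constructed excerpts in the two formats you will meet, a plain domain per line (the format Phishing Army publishes) and hosts-file format (the format of the URLhaus hostfile), strips comments and the 0.0.0.0/127.0.0.1 prefixes, lowercases and deduplicates, and then answers lookups against the merged set the way Pi-hole matches gravity entries: exactly, with the whitelist taking precedence. The sample domains and the cleanup rules are my approximation of gravity.sh, not its real implementation.

```python
import re

# Constructed excerpts standing in for the two feeds; not the real lists.
PLAIN_LIST = """\
# plain format, one domain per line (how Phishing Army publishes its list)
login-secure.example
paypa1-verify.example
Sub.Tracker.Example
"""

HOSTS_LIST = """\
# hosts format (how the URLhaus hostfile is published)
127.0.0.1  malware-drop.example
0.0.0.0    paypa1-verify.example   # also on the other list
0.0.0.0    localhost
"""

# Prefixes used by hosts-format lists; stripped so only the domain remains.
HOSTS_PREFIX = re.compile(r"^(?:0\.0\.0\.0|127\.0\.0\.1|::1?)\s+")
# Approximate hostname syntax check: labels of [a-z0-9-], no leading/trailing
# hyphen, at least one dot. Looser than gravity.sh, but it rejects junk lines.
VALID_DOMAIN = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)(?:\.(?!-)[a-z0-9-]{1,63}(?<!-))+$")
# Names that hosts files always contain and that must never end up blocked.
SKIP = {"localhost", "localhost.localdomain", "local", "broadcasthost"}


def parse_adlist(text):
    """Turn one adlist (either format) into a set of lowercase domains."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        domain = HOSTS_PREFIX.sub("", line).lower()
        if domain in SKIP or not VALID_DOMAIN.match(domain):
            continue
        domains.add(domain)
    return domains


def consolidate(adlists):
    """What Gravity does: merge every adlist into one deduplicated set."""
    gravity = set()
    for text in adlists:
        gravity |= parse_adlist(text)
    return gravity


def is_blocked(qname, gravity, whitelist=frozenset()):
    """Exact-match lookup, as gravity entries are matched in Pi-hole: the
    whitelist wins, and neither parents nor subdomains of a listed name match
    (wildcard blocking needs a regex blacklist entry instead)."""
    name = qname.lower().rstrip(".")
    if name in whitelist:
        return False
    return name in gravity


if __name__ == "__main__":
    gravity = consolidate([PLAIN_LIST, HOSTS_LIST])
    print(len(gravity), "domains after consolidation:", sorted(gravity))
    for q in ("PayPa1-Verify.example.", "www.login-secure.example", "tracker.example"):
        print(q, "->", "blocked" if is_blocked(q, gravity) else "allowed")
```

The exact-match behaviour is the part worth remembering: a list entry for paypa1-verify.example does nothing for www.paypa1-verify.example, so phishing kits that rotate subdomains slip through unless the feed lists each one or you add a regex entry yourself.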

Pi-hole vs Phishing

Now we come to the crux of this blog post: weaponising your Pi-hole instance to help protect you against phishing.

Phishing attacks often rely on malicious domains hosting copies of legitimate websites. These domains eventually get picked up by anti-malware and threat-intelligence companies, who compile lists of known "bad domains".

We can feed these lists to Pi-hole to help protect users on our network against phishing.
Note what this does not cover: phishing pages hosted on legitimate domains you can't block wholesale (e.g. a page on SharePoint or another shared platform), domains that are too new to have been flagged yet, and clients whose DNS doesn't pass through the Pi-hole at all, such as a browser with DNS-over-HTTPS enabled or a device with a hard-coded resolver.

Phishing Army is one of the organisations compiling lists of phishing related domains. Their list, which is updated every six hours, includes reports from PhishTank, OpenPhish and PhishFindR.

Adding this list to Pi-hole is very easy.

Log in to the Pi-hole admin portal. You can find it at http://<pi-hole IP>/admin (or http://pi.hole/admin from a client that already uses the Pi-hole for DNS).

[Screenshot: Pi-hole admin login]

Go to Settings, then Blocklists, and add the Phishing Army blocklist URL to the list (on newer versions the page has moved; see the update below).

https://phishing.army/download/phishing_army_blocklist.txt

Update 2020-07-20
Another useful blocklist is the URLhaus hostfile by abuse.ch, which covers hosts observed distributing malware:

https://urlhaus.abuse.ch/downloads/hostfile/

[Screenshot: Adding the blocklist to Pi-hole]

Update 2020-07-20
Clients can now be grouped and adlists can be assigned to those groups.
Because of this change, adlists have been moved and can now be found under “Group Management”.

Click “Save and Update” to immediately update Gravity, or click “Save” and manually update Gravity (Tools > Update Gravity).

[Screenshot: Updating Gravity]

You can check whether the blocklist is functioning correctly by looking up a domain you know is on the list. On the Pi-hole itself, "pihole -q <domain>" tells you which adlists contain it; from a client, an nslookup or dig for the same domain should come back from the Pi-hole with a blocked answer.

[Screenshot: Testing the blocklist]

Browsing to this domain, your system won't be able to reach it. The Pi-hole query log shows that the query was blocked via the internal block list (blocked - gravity). In my case, the domain lookup was also blocked by the upstream DNS provider (blocked - external).

[Screenshot: Query log]

Note that Pi-hole automatically updates Gravity once a week, early on Sunday at a time randomised during installation. If you want to update more frequently, SSH into your Pi-hole and modify /etc/cron.d/pihole. Be aware that updating Pi-hole (pihole -up) reinstalls that file, so keep a note of your change and re-apply it after upgrades.

[Screenshot: Pi-hole crontab]

Upstream DNS

Another important improvement you can make is picking a secure and privacy-preserving upstream DNS provider. Every query that isn't blocked by Pi-hole is forwarded upstream, so this choice decides who gets to see (and log) your browsing history; some upstream providers also offer their own blocklists. Bear in mind that plain DNS to the upstream still travels unencrypted over port 53, so your ISP can read it in transit no matter who answers it. To close that gap, run an encrypted forwarder on the Pi-hole host (the Pi-hole documentation describes setting up cloudflared for DNS-over-HTTPS) and point Pi-hole at it as its upstream.

I personally can recommend NextDNS as upstream DNS provider. Not only do they have additional lists like Threat Intelligence Feeds and Cryptojacking prevention, they also allow you to block newly registered domains (common in phishing) and help protect against DNS rebinding attacks. Their free plan grants you 300,000 queries per month and upgrading to unlimited costs you less than €20 per year.