Linux Format

Digging a fresh Pi-hole

Dig out that unused Pi and fire up the interweb to get started!


When you visit a website on your computer (a word we’re using to include any and all internet-connected devices), you type in the domain name. Your machine then consults a domain name service (DNS) to find the IP address of the site you want to visit.

If you’re looking for back issues of your favourite monthly magazine, for example, you type https://linuxformat.com into the address bar, your DNS quickly consults its records, and directs the connection to our IP address, which is currently 18.134.167.236.

“Can I have index.html?” asks your computer. “Here you go!” says the LXF server, returning a bare HTML document from its home on the AWS EU-West server farm. An HTML document isn’t much good on its own, but it references other assets it needs to function and display properly. In the HTML head, your browser sees a reference to a stylesheet containing rules to make the page look pretty, and references to images, so you can examine what’s on this month’s cover. Your browser downloads all the ancillary parts, and puts them together as the LXF web devs intended.

Large sites tend to have their HTML pages stored on one server, and images and media files served from a subdomain or content distribution network (CDN). Each of these subdomains or CDNs has a different IP address, and your computer queries the DNS for each.

With a very few notable exceptions, adverts and tracking scripts are not served from the same domain as any of the other content you see in your browser. Pi-hole works by standing between your computer and the internet, and checking domain name requests against a list of known ad servers or tracking domains.

If the requested asset is on a blacklisted domain, Pi-hole returns an IP address of 0.0.0.0. This address is effectively a black hole, from which no assets can be returned. The ad or tracking script isn’t loaded.

If the asset isn’t on a blacklisted domain, the request is forwarded to your usual DNS server.

This is almost exactly how a browser or host-based ad blocker works, with one key difference: Pi-hole takes over ad-blocking duties for your entire network. All of your PCs, phones, kettles, toasters, TVs and smart fridges are protected.
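The lookup decision described above, as an added Python sketch that is not Pi-hole's own code. The blocklist excerpt and the upstream table are constructed samples, and the sketch assumes exact-name matching, so a subdomain of a listed name is only blocked if it is listed itself.

```python
# Added sketch of the lookup decision; not Pi-hole's own code.
SINKHOLE = "0.0.0.0"  # answer the article says is returned for blocked names
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost", "0.0.0.0"}

# Constructed sample in the hosts-file layout that lists such as StevenBlack's use.
SAMPLE_HOSTS = """\
# constructed blocklist excerpt
127.0.0.1 localhost
0.0.0.0 0.0.0.0
0.0.0.0 ads.example.net
0.0.0.0 Tracker.Example.org   # inline comment
not-an-ip broken.example.com
"""

# Constructed stand-in for the upstream DNS server.
UPSTREAM = {"linuxformat.com": "18.134.167.236", "cdn.example.net": "203.0.113.10"}


def parse_hosts_blocklist(text):
    """Return the set of domains a hosts-format list asks to block."""
    blocked = set()
    for raw in text.splitlines():
        fields = raw.split("#", 1)[0].split()
        # Keep only "<sink address> <name>..." lines; skip blanks and junk.
        if len(fields) < 2 or fields[0] not in ("0.0.0.0", "127.0.0.1"):
            continue
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name not in LOCAL_NAMES:
                blocked.add(name)
    return blocked


def resolve(name, blocked, upstream):
    """Sinkhole exact blocklist matches; hand everything else upstream."""
    name = name.lower().rstrip(".")  # DNS names are case-insensitive
    if name in blocked:
        return SINKHOLE, "blocked"
    return upstream.get(name), "forwarded"


if __name__ == "__main__":
    blocked = parse_hosts_blocklist(SAMPLE_HOSTS)
    for query in ("ads.example.net", "cdn.example.net", "linuxformat.com"):
        print(query, resolve(query, blocked, UPSTREAM))
```

A sibling name on the same parent domain (cdn.example.net here) still resolves, which is why blocking an ad host does not break the site that embeds it.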

Fill your Pi-hole!

For very sensible reasons (see boxout, opposite page), we’re advising that you use an actual Raspberry Pi to run Pi-hole. The model doesn’t matter – although we recommend connecting over a wired connection (such as Ethernet) rather than Wi-Fi.

Before you start, make sure you have the Raspberry Pi Imager tool on your desktop PC. Insert your microSD card or plug in your USB drive, and select a distro. We recommend Raspberry Pi OS Lite, because it comes with less unnecessary software. You’re not going to be running the Pi as a desktop computer, so you don’t need desktop software – or even a desktop.

Once you’ve flashed your boot media, stick it in the Raspberry Pi, and power up. Now open a terminal and connect to your Pi over SSH:

$ ssh pi@your.pi.local.ip.address

Update and upgrade your system with:

$ sudo apt update && sudo apt upgrade

Because your Pi will be acting as a server, you need to ensure it has a static local IP address. Double-check its current IP address with:

$ hostname -I

This command returns a whole load of IP addresses – you only need the first one. You also need your nameserver addresses (take a note of the contents):

$ cat /etc/resolv.conf

The last piece of information you need is the IP address of the router. To find this, check the sticker on the box. Ours is 192.168.1.1.

Use Nano to edit your /etc/dhcpcd.conf file:

$ sudo nano /etc/dhcpcd.conf

At the bottom of the file, enter the information you just gathered:

interface [Either eth0 or wlan0]
static routers=[Your router IP address]
static domain_name_servers=[Nameserver addresses]
static ip_address=[Your Pi IP address]/24

Save the file with Ctrl+O then Ctrl+X, and reboot the Raspberry Pi:

$ sudo reboot

The absolute easiest way to get Pi-hole on to your Raspberry Pi is with a script helpfully provided by the Pi-hole developers.

Install Curl with:

$ sudo apt install curl

Then fetch and run the script:

$ curl -sSL https://install.pi-hole.net | bash

Enter your password when requested and let the Pi-hole automated installer script do its work. Hit OK when told that “This installer will transform your device into a network-wide ad blocker!” and OK again to acknowledge the call for donations, then Continue to acknowledge that your Pi has a static IP address.

At the next prompt, you need to choose an interface. If you’re connected via Ethernet, choose eth0. Otherwise choose wlan0 for wireless.

You also need to choose an upstream DNS provider. Google is the default option, but we can’t quite bring ourselves to trust the company that we’re most trying to avoid. Cloudflare is a solid choice, and has historically resisted calls to block certain copyright-infringing websites.

The script then offers to install StevenBlack’s unified hosts list. This is one of the most comprehensive, consolidated lists of advertising and tracking domains currently available. At the time of writing, it contains 144,626 entries, and while it doesn’t necessarily catch all domains, it’s pretty good, so go ahead and hit the Yes button.

You absolutely do want the admin web interface. Not only does it make administering Pi-hole a breeze, but it makes you look (and feel) like you’re in command of a starship. You also want the lighttpd web server, and to enable query logging.

The privacy mode you select is up to you. If you select Show Everything, you can see all the traffic on your network, and which device it belongs to. This can be super-handy, as we’ll show you on the following pages, but it’s also ethically questionable.

Once you’ve answered the setup questions, installation completes, and you can visit the admin page in your browser at pi.hole/admin.

The last thing you may need to do is set your Pi-hole as the DHCP (dynamic host configuration protocol) server for your network.

Type your router IP address into your browser, and enter the password when requested. The DHCP section can be quite tricky to find. On our naff Vodafone Connect router (a Huawei in disguise), it was located in Settings > IPV4 > DHCP. Enter your Raspberry Pi’s local IP address.

That’s it. Any requests to domains on your blocklist are now black-holed. Your network is safe from adverts and trackers.

In the Pi-hole dashboard, you can see statistics on total queries, queries blocked, and the percentage of queries blocked. As shocking as these statistics are, after a few days, you’ll want to head to the Query Log section to see what’s going on in real time.

This section shows you every request from every device on your network as it happens. We have an old Microsoft tablet acting as a recipe platform and music player. That’s all it does – so why is it sending regular requests and data to finance.services.appex.bing.com? It shouldn’t be. If you find a suspicious entry like this, hit Blacklist to stop it from making contact again.
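The kind of review described above can also be run over the query log as text. This is an added Python example, not part of the original article or of Pi-hole: the log lines are constructed in dnsmasq's query-log layout (an assumed format), and the client address and the list of expected domains for the single-purpose tablet are hypothetical.

```python
import re
from collections import Counter, defaultdict

# Constructed sample lines in dnsmasq's query-log layout (assumed format).
SAMPLE_LOG = """\
Mar 10 09:00:01 dnsmasq[812]: query[A] recipes.example.com from 192.168.1.23
Mar 10 09:00:01 dnsmasq[812]: forwarded recipes.example.com to 1.1.1.1
Mar 10 09:00:05 dnsmasq[812]: query[A] finance.services.appex.bing.com from 192.168.1.23
Mar 10 09:05:05 dnsmasq[812]: query[AAAA] finance.services.appex.bing.com from 192.168.1.23
Mar 10 09:05:09 dnsmasq[812]: query[A] linuxformat.com from 192.168.1.40
Mar 10 09:10:05 dnsmasq[812]: query[A] finance.services.appex.bing.com from 192.168.1.23
Mar 10 09:10:07 dnsmasq[812]: query[A] stream.example.org from 192.168.1.23
"""

# Only "query[...] <name> from <client>" lines say which device asked.
QUERY_RE = re.compile(r"query\[(?P<type>[A-Z0-9]+)\] (?P<name>\S+) from (?P<client>\S+)$")


def queries_by_client(log_text):
    """Map each client address to a Counter of the names it looked up."""
    per_client = defaultdict(Counter)
    for line in log_text.splitlines():
        match = QUERY_RE.search(line)
        if match:
            per_client[match["client"]][match["name"].lower()] += 1
    return per_client


def unexpected_domains(counts, expected_suffixes):
    """List (name, count) pairs outside the device's expected domains."""
    def expected(name):
        return any(name == s or name.endswith("." + s) for s in expected_suffixes)

    flagged = [(name, n) for name, n in counts.items() if not expected(name)]
    return sorted(flagged, key=lambda item: (-item[1], item[0]))


if __name__ == "__main__":
    tablet = queries_by_client(SAMPLE_LOG)["192.168.1.23"]
    # Hypothetical allowlist for a device that only plays music and shows recipes.
    for name, n in unexpected_domains(tablet, {"example.com", "example.org"}):
        print(f"{n:3d}  {name}")
```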

If you don’t install the StevenBlack blocklist, you’ll have to add some manually later on. It’s pretty comprehensive.

While we would love to completely block everything from Google.com, the rest of the family would riot and revolt.

With great power comes great responsibility. Pi-hole enables you to snoop on the web activity of all your users. You shouldn’t, though.
