Blocking ads network-wide with Pi-hole

I think it’s safe to say that the majority of people hate ads. However, it is a necessary evil since we all love free stuff. Whether that’s YouTube content, email service, etc., we want it for free. Some people install ad blocker add-ons on their browsers, and they work great. Some tech-savvy folks go even further by blocking ads network-wide. Today’s post is how to block ads network-wide.

Why block ads?

I love ads! Said no one, ever.

People have different opinions about ads. However, generally, people hate ads. Some common reasons are the following:

• Pervasive
• Intrusive
• Obnoxious
• And many more

For the most part, I agree with this list. However, some creators know how to be responsible with their content monetization. Not being responsible can affect the user experience. As a result, viewership goes down, or users find ways to block ads, which results to lower ad revenue.

Malvertising

What this list doesn’t have is malvertising or malicious advertising. It is one of my reasons why I block ads. It is, after all, a security issue. If you are unfamiliar with the term, please visit this site.

Essentially, cybercriminals pay an advertising network to display malicious ads that will redirect users to a compromised server. Malvertising can perform the following attacks on users without clicking anything:

• A “drive-by” download. It is a type of attack that downloads and installs malware or adware.
• Redirects to a phishing site.
• Redirects to a site with fraud advertising. Some of these fraud ads will instruct users to download software to clean their computers.
• The list goes on.

Enter Pi-hole

Pi-hole is a free and open-source software (FOSS) project. It was created by Jacob Salmela as an alternative to AdTrap back in 2014.

It is a Linux-based application that allows users to block advertisements and internet trackers at the network level. Originally designed to work with embedded devices like Raspberry Pi; hence, the name Pi-hole.

For several years, Pi-hole has known to work with other operating systems. But, now, the project officially supports several Linux distros, including my distro of choice, which is Ubuntu.

Linux VM

I chose the virtual machine route this time since I had issues with internal DNS resolutions back in 2016 or 2017 when I used a pre-packaged Pi-hole Docker container. With the conditional forwarding feature, that issue should no longer exist and I may consider moving to a Docker container again in the future.

My network currently has three ESXi servers. I assembled one of them back in 2012, one in 2016, and one this year.

Specs of my Pi-hole VM are the following:

• 1 x vCPU
• 768 MB of RAM
• 1 x vNIC
• 8 GB of disk space

Preliminary steps

Pi-hole needs a static IP address. We can approach this in two ways. One is statically assigning an IP address to the server. The other is to use a DHCP reservation. I prefer to assign an IP address on my servers.

Before Ubuntu 18.04, assigning a static IP address is controlled via the/etc/network/interfaces file. Now, it’s a YAML file that needs to be modified which is the /etc/netplan/50-cloud-init.yaml file.

Since I used the VMXNET3 network adapter type, the interface name is ens160. Under the interface, we need to change the DHCP line from true to false. Then, assign an IP address to the interface. Alternatively, we can delete the dhcp4: true line.

# This file is generated from information provided by
# the datasource.  Changes to it will not persist across an instance.
# To disable cloud-init's network configuration capabilities, write a file
# /etc/cloud/cloud.cfg.d/99-disable-network-config.cfg with the following:
# network: {config: disabled}
network:
    ethernets:
        ens160:
            addresses:
                    - 192.168.100.53/24
            gateway4: 192.168.100.1
            nameservers:
                addresses:
                    - 208.67.222.222
                    - 207.67.220.220
    version: 2

After saving the changes to the YAML file, we need to apply the changes. Issue the command as seen below for the changes to take effect.

$ sudo netplan apply

Finally, we’re on the last command in the preliminary steps. We now need to make sure our Ubuntu Linux is up to date.

$ sudo apt update && sudo apt dist-upgrade -y

Pi-hole installation

Installing Pi-hole is quite easy. We just need to issue a one-line command.

$ curl -sSL https://install.pi-hole.net | bash

You may be thinking that this is a risky command to issue. Pi-hole wrote a post on why curling and piping to bash is controversial. If you don’t trust what this command does, then head over to their GitHub for alternative methods of installation.

In the installation wizard, you can leave everything as default. If you ever need to change it, then you can do it after installation using the admin page.

Eventually, you’ll reach the end of the installation wizard, and it will provide you a random password. It also shows you how to access the WebUI to make additional configurations.

Post-installation

The default values in the installation wizard are enough for a typical home environment. That said, no need to make any changes by logging into the admin page except to change the default password that was created by the installation wizard.

Change default password

To change the password, you need to issue one command, as can be seen below.

$ sudo pihole -a -p
Enter New Password (Blank for no password): makemypasswordgreatagain
Confirm Password: makemypasswordgreatagain
  [✓] New password set

Conditional forwarding

As previously mentioned, I run an internal DNS in my network. I may consider moving everything to Pi-hole, but not at this time. That said, I configured the conditional forwarding feature. You’d want to do this if you have a similar environment like mine.

To configure, click on Settings > DNS and then scroll down until you find the Conditional Forwarding section.

Since I have multiple subnets, I needed to add PTR records so that I can perform reverse DNS lookups. Without these records, I was only able to perform lookups within the same network as my internal DNS server. In this case, it was only within the 192.168.100.0/24 network. To add more networks, create a file in the /etc/dnsmasq.d directory.

$ sudo vi /etc/dnsmasq.d/02-pihole.conf

server=/10.168.192.in-addr.arpa/192.168.100.155
server=/20.168.192.in-addr.arpa/192.168.100.155
server=/30.168.192.in-addr.arpa/192.168.100.155
server=/40.168.192.in-addr.arpa/192.168.100.155
server=/50.168.192.in-addr.arpa/192.168.100.155

After saving the file, make sure to restart the Pi-hole DNS service by issuing the sudo pihole restartdns command.

Pi-hole as internal DNS server

The easiest way to make Pi-hole as an internal DNS server is by making it the DHCP server for the network. A lot of people will opt for this option because it’s easy and automatic.

If you want to make your life harder, then adding entries to the host file is the other option. To edit the host file, use your favorite text editor and add host entries to /etc/hosts file. Below is an example of a host file I create for another home network that I have.

$ cat /etc/hosts
127.0.0.1 localhost
127.0.1.1 pihole

192.168.80.151 	esxi03	esxi03.networkjutsu.local
192.168.80.1 	erx	erx.networkjutsu.local
192.168.80.100	unifi	unifi.networkjutsu.local	unifi-controller	unifi-controller.networkjutsu.local
192.168.80.101	nanohd	nanohd.networkjutsu.local

# The following lines are desirable for IPv6 capable hosts
::1     ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters

Update: With the release of version 5.0, adding IP address and DNS name associations are now available on the Web UI. In the main navigation pane, click on Local DNS Records.

Alternatively, you can create /etc/pihole/custom.list file and add the IPs and names there.

$ more /etc/pihole/custom.list
192.168.1.1 rtr.networkjutsu.local
192.168.1.53 pihole01.networkjutsu.local

DNS resolution from another network

If you have multiple subnets, just like my environment, you will need to ensure that your Pi-hole interface listening behavior is correct. There might be an instance where the installation wizard sets it to Listen on all interfaces. With this setting, the Pi-hole ignores DNS queries from clients that are not in the same network as Pi-hole’s interface. Make sure to set it to Listen only on interface ens160 or Listen on all interfaces, permit all origins.

Alternatively, if you’re a CLI junkie, you can change this setting by editing /etc/pihole/setupVars.conf file. Below is my current setting.

$ cat /etc/pihole/setupVars.conf | grep DNSMASQ_LISTENING
DNSMASQ_LISTENING=single

If you want to know the Web UI equivalent, then use this table.

Adding more to the blocklist

While the built-in blocklist works great in blocking ads, there are other lists that you can add. Currently, I use some of the blocklists from The Firebog site. I need more time to test before adding more to the list. Additionally, I added Dshield’s suspicious domain list as well.

Update: I added some of the lists in here as well.

Client’s DNS configuration

Once you completed the Pi-hole configuration, you’re now ready to make changes to your DNS configuration. There are two approaches that you can take.

The first one is to change your router’s DNS configuration. I recommend using this route since it’s the easiest and fastest out of the two.

The second approach is to change the DHCP configuration settings to point to Pi-hole as the DNS server. This approach is slow since the DHCP timeout applies. To immediately take effect, clients will need to release and renew their DHCP lease.

Keeping it up to date

At this time of writing, the update mechanism is not available on the web UI. That said, you would have to use the CLI to update Pi-hole. To update, use the command below.

$  pihole -up
  [i] Checking for updates...
  [i] Pi-hole Core:	up to date
  [i] Web Interface:	up to date
  [i] FTL:		up to date

  [✓] Everything is up to date!

Pi-hole in action

Now that you’re finished with configurations, it’s time to see it in action. In the next few sections, I’m going to demonstrate the different types of scenarios to show the value of Pi-hole and ad blocker.

Scenario 1

Here’s an example of a network without Pi-hole and a browser without uBlock Origin installed. As expected, advertisements are showing on the page.

If you try it out yourself, you will notice that the page loads very slow. It is especially noticeable when you’re testing it using a low powered machine and not a very fast internet connection. With the use of developer tools, you will notice there are a lot of web requests.

Scenario 2

Here’s an example of a network with Pi-hole and a browser without uBlock Origin installed. As expected, no advertisements are showing on the page.

If you try to load the page again, with cache disabled, you will notice that it loads very fast. It is because of the reduced number of web requests blocked by Pi-hole. In this scenario, we saved a whopping 758%!

Scenario 3

Here’s an example of a network without Pi-hole and a browser with uBlock Origin installed. In this scenario, the browser add-on blocked the ads. However, it loaded the video player that we saw earlier but without the ads.

Using uBlock Origin still saves us a lot of web requests. However, the number is not as high as the one shown earlier. Nevertheless, having the ad blocker reduced the number of web calls to 403%.

Scenario 4

Here’s an example of a network with Pi-hole and a browser with uBlock Origin installed. Visually, there’s no difference between this and the second scenario. However, inspecting with developer tools shows that there’s a slight difference.

As you can see, it further reduced the number of requests compared to the second scenario. While not significant, having an ad blocker on your browser helps block ads and trackers not caught by Pi-hole.

An example of this is by visiting YouTube. If you turn off the ad blocker, the ads will load. Pi-hole cannot effectively block the ads because YouTube hosts both the content and advertisements on the same server.

Final Thoughts

As discussed, blocking ads is no longer just to avoid seeing obnoxious images or videos. It’s also for avoiding malvertising and saving bandwidth. With the combination of Pi-hole and ad blocker, you will definitely accomplish those objectives.

Disclosure

AndrewRoderos.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.