A compehensive guide to setting up my personal configuration.
- DietPi
- Lower Device Power Consumpion
- Lean OS
USB Boot
You can also choose a USB flash drive as your main drive. Using a USB as your main drive will resolve the issue of writing too many times. USB jump drives are not only more endurant but they are faster than micro SD cards.
You can use the Raspberry Pi Imager to make the Pi boot from USB. SanDisk is a good brand of USB drive to buy.
A second PiHole is used for redundancy, not for DNS balancing. Depending on your network and with two Pi-Holes running in parallel, the split between the two Pi-Holes is not predictable or controllable. Although, the first Pi-Hole listed as DNS usually receives the majority of the traffic.
You won't have any control over the load balance if both Pi-Holes serve your entire network. But, you will have instant redundancy if one of the two Pi-Holes goes offline.
I try to create, maintain and search for mirrors for any blocklists under my configuration. That comes at a monetary cost, requiring more spacious SD cards, in my case I go for a 64gb SD, but in the future a 128gb might be required.
Pihole + Unbound can get you DNS over TLS, DOT. This is fully encrypted DNS. Your ISP will not be able to see your DNS requests.
Pi-hole ad blocker is great for what it does, blocking ads. But your DNS servers (eg. your ISP, Google, etc.) can and do sniff to find out what websites you are visiting (even the HTTPS sites). This is because DNS name resolutions (eg. google.com refers to this IP) are done as plain texts. In addition, this also poses some level of security risk.
DNS Over HTTPS The solution here is to send even your DNS lookup through HTTPS protocol (encrypted). Not all DNS providers offer this (because they won't be able to track your activity). Cloudflare does provide DNS over HTTPS.
Setting up DNS over HTTPS with Pi-hole on Raspberry Pi is quite easy. It requires command-line work but it is quite easy if you follow Pi-hole documentation for DNS over HTTPS.
How can I test if DNS over HTTPS is working?
Cloudflare has a test page that will provide information on your connection. Visit this page and it will tell you where you are connecting from, which DNS resolvers you are using, and whether the connection is secure or not.
I have Pi-hole and DNS Over HTTPS, can I improve my privacy even more?
Definitely. Take a look at configuring Unbound with Pi-hole. Instead of trusting your upstream DNS (eg. Cloudflare's 1.1.1.1 or 1.0.0.1), Unbound, a recursive DNS resolver that will run locally, will connect to the responsible server directly.
This will avoid the exact path you are visiting from being logged anywhere.
DNSSEC Issue
If you decide to setup Unbound, then make sure to disable caching and DNSSEC validation. Due to some existing DNSSEC bugs in dnsmasq, the developers recommend not using Pi-hole DNSSEC with unbound or Cloudflare.
You can disable DNSSEC using the Pi-hole admin dashboard (Settings -> DNS). Disabling Pi-hole caching requires setting the cache size to 0 in /etc/dnsmasq.d/01-pi-hole.conf, as described here.
Disadvantages of Using Pi-hole for DNS Only
There are some disadvantages to letting your router handle DHCP while specifying preferred DNS:
Per-host tracking will be unavailable and all requests to Pi-hole will appear as if they are coming from your router. My personal opinion is that this is not a big deal for a typical home user. You will not be able to connect to devices with their hostnames as Pi-hole cannot resolve hostnames. Again, not a big deal for a typical home user in my opinion.
If the above two disadvantages are deal breakers for you, then you can partially overcome those by using Pi-hole Hosts file or fully by advertising Pi-hole's IP address via dnsmasq in a router, if supported.
You will have to renew the DHCP leases provided by the router. The easiest way to do this is to restart the devices because resetting them locally on the device itself only updates settings for the single device. Rebooting forces the device to go offline and connect to the router again.
Alternatively, you may let your Pi-hole Server handle DHCP instead of your router, which would eliminate the disadvantages.
Firewall considerations
This is beyond the scope of this tutorial, but at least worth mentioning. If you have kids that being blocked from stuff they’re searching for, or if you’re running Pi-hole in your business and your employees want to bypass your blocking attempts, by default, there’s nothing stopping them from manually adjusting their DNS settings to use a non-Pi-hole DNS server.
To help with this, you’ll need to set up some firewall rules. For instance, you may create a rule that allows DNS services on port 53 for the IP addresses of your Pi-holes, but BLOCKS port 53 everywhere else. This way – even if someone is savvy enough to manually bypass their DNS settings to get around your Pi-hole, they still won’t be able to resolve anything. Haha…gotcha sucker.
- Improving Pi-hole Performance and Life
Move query logging to RAM - protects the SD card Query logging provides a lot of useful information as shown below. In addition, you get a lot of statistics. However, extensive writing can damage the SD card. For this reason, it is recommended to turn off query logging.
Note that this only affects the Pi-hole log and not the data that is in the long-term database. But, what if you want to leave it on for all the useful information it provides? A good option, in this case, is to move your logs to RAM instead of SD card. So all your logs on Raspberry Pi OS operating system will be written to RAM instead of SD card, thereby prolonging the life of SD card.
Log2ram
For this, we recommend Log2ram. The GitHub page has all the information for you to get started and customize, which only takes about 5 min or less in total.
Need somewhere to start? A robust collection of personal white-listed websites offered in a by-service structure for your consumption can be found under the Whitelist directory of this project's root folder.
BEWARE The whitelist aims to serve my own personal requirements, and therefore is only to be used as a starting block. For example, my Youtube list, does not contain Thumbnail Domains; that's because I don't like to see Youtube Thumbnails, I find them misleading and distracting, if you disagree, just add those domains afterwards from your Query Log.
Another useful source for specific whitelists, can be found here
How frequently should I update my Pi-hole adlists?
Keeping your block lists updated frequently is key to maintaining a secure and ad-free network environment. New malicious domains and ads sources are discovered regularly, so updating your adlists at least weekly is a good practice. By default, it updates once a week, every Sunday, but you can update them more frequently with the following, which will update it at 12pm every day. This can be adjusted as needed.
I hope this repository helped you set up the Pi-hole for a better internet browsing experience.
Happy browsing!
P.S. This is not a recommended configuration. Please, read the documentation, please...