Using DNS to Clean Your Pipes

I really despise ads, they completely ruin my browsing experience. Auto-playing videos, popup and overlay ads, and Forbes begging me to buy a subscription or “turn off your adblocker.” It‘s all a drag, and although an browser-based ad-blocker will take care of most of them, ad-blockers work when you can actually install them in the browser Many of us have more than just desktops and laptops on our home networks. Gaming consoles, smart-phones, tablets, E-Readers, and more. How do you block ads on those devices if you can’t install ad-blockers on them?

To take it a step beyond just ads and focusing on security as well, many ad-blockers don’t block malware domains, browser-based bitcoin miners, and phishing sites. Even if you could configure your ad-blocker to handle these security issues, it still wouldn’t apply to your devices in which you have no control over the browser. The only way to really ensure what sites your devices can ‘talk’ to is to control the answers it gets from the server to their DNS queries.

The Power of DNS

If you’re not familiar with DNS, think of it like a phonebook. Wait, come to think of it, I haven’t owned a phonebook in over a decade. Instead, think of DNS like the contacts list in your phone, except instead of just the folks you know, it contains the names and phone numbers of everyone on Earth. That way, when I want to call Last Days of Autumn to see what beers they have on tap, I simply search my contacts for Last Days of Autumn and my phone dials the correct number (865–202–4298). DNS works much in the same way. When you want to visit savagesec.com, your machine asks its assigned DNS server “What is the IP address that savagesec.com is assigned?” and then your browser takes you there (198.49.23.144). DNS ensures you don’t need to memorize or keep a record book of all the IP addresses for your favorite sites, much like your contact book keeps the phone numbers of your favorite people.

Because your network queries DNS for almost every connection, it can be a very powerful network control. For example, if we can tell our devices that the drive-by malware site, supermaliciousdomain.com, resolves to 0.0.0.0, when we attempt to browse to the site, it goes nowhere, thus saving us from an infection. It doesn’t affect direct IP address connections, which we’ve seen in some malware, but for the most part advertisers and malactors use DNS names to communicate instead of directly contacting IP addresses.

Building a Pi-hole

To build a Pi-Hole, you’ll first need to build a Raspberry Pi. CanaKit makes some pretty solid kits that include everything you need. At a minimum you’ll need:

  1. Raspberry Pi 3 Model B
  2. 2.5A Micro-USB Power Supply
  3. A MicroSD Card (I used 32GB)
  4. A case for your Pi (optional, but a good idea. You could also build one out of Legos.)

To make it easy, I recommend buying this kit from CanaKit and tossing in a MicroSD card to your cart. This will bring your total investment to ~$63.

About the size of a credit card, just much thicker.

Once you’ve purchased your RasPi, download Raspbian. I recommend the Lite version because we aren’t going to need a GUI, so why introduce the overhead?

Once you’ve downloaded the image, follow these directions specific to your Operating System. I use Linux as a my daily driver, so the following is what I did. Your steps may be different depending on your OS.

After downloading and extracting the Raspbian Lite image, I plugged in my MicroSD to my machine and wiped it out using gparted. Next, we need to write the Raspbian image to the SD card. I did this using the dd command.

First, determine what device is your microSD card/target. You can do this on Linux with sudo fdisk -l. I know my SD card is showing itself to the OS as 29.7 GB, so I just look for that device.

Disk /dev/sde: 29.7GB. That’s my MicroSD.

Next, we are going to take the Raspbian image and use dd to write it to the SD card as follows. Remember, when using dd, if=input file and of=output file. In my case, the command is as follows:

sudo dd if=2017–11–29-raspbian-stretch-lite.img of=/dev/sde bs=1M conv=fsync

Now it’s time to eject the microSD and insert it into our Raspberry Pi to boot for the first time. You will need a source of power, a keyboard, an HDMI hookup for a display, and a network connection (I went with a wired connection).

Upon initial login, your username/password will be pi/raspberry. I advise you change this as soon as you login. You can change your password by simply typing passwd and pressing Enter.

Next, make sure you have an IP address with the ifconfig command and then update the system with the following commands:

sudo apt update
sudo apt upgrade

Next, let’s download and execute the Pi-Hole install script:

curl -sSL https://install.pihole.net>install.sh
chmod +x install.sh
sudo bash install.sh

At this point, you’ll walk through the setup. When you get to the page that asks if you are OK with the IP settings, say no so you can assign a static address. If you opt to use a DHCP address, make sure you set a DHCP reservation in your router.

After install is complete, it’s a good idea to set your admin console password to something you can remember. Do this with the following command:

sudo pihole -a -p

After you’ve set everything up, it’s time to shut it down:

sudo shutdown -P now

After it’s shut down, take your Raspberry Pi and plug it in to an empty Ethernet port on your router, then plug in the power.

Logging In to the Pi-Hole

Go to another machine on your network and ping the IP address of the Pi-Hole to make sure it’s on the network. After it reports back, connect to it in a browser by navigating to http://<pihole-ip-address>/admin. Log in with the username ‘admin’ and the password you specified.

Configuring your Router

After you’ve confirmed that your Pi-Hole is up, running, and you can log in to the admin interface, it’s time to configure all DNS requests to flow through your Pi-Hole for maximum DNS blockage!

We need to configure preferred DNS settigns, so log into your router (typically 192.168.1.1 or 192.168.0.1) and find the DNS settings. Set the primary DNS server to the IP address of your Pi-Hole and the secondary to whatever you’d like (I chose 8.8.8.8, one of Google’s DNS servers).

After setting your DNS servers, your router will likely need to reboot.

Confirming it’s Working

To confirm it’s working, log back into your Pi-Hole console and go to the Query Log. You should see it being populated by the domains you and anyone else on your network has been visiting.

After a day of using it, it’s already blocked 8% of my traffic:

How Does This Help Me?

Pi-hole was initially developed to block ads for all devices on your network without the need of a browser plug-in. This not only helps decrease the amount of bandwidth you’re using, but also gets rid of all of those annoying ads (including malvertising). Because the blocking ability of Pi-hole is based on DNS, the content you choose to block is completely up to you. To get a better idea of what is being blocked, log in to your Pi-hole admin console and navigate to Settings. You can see what lists the Pi-hole is using to generate it’s Gravity file (the master blockage file, if you will).

We can look at the exact domains by clicking on any of the files in the list. Looking at the first file in the list, Steven Black’s unified hosts lists, we can see that in addition to blocking ads, it’s also blocking trackers, analytics engines, browser-based cryptocurrency mining sites, as well as thousands malware domains. In addition to those categories, it’s also blocking shock sites, spyware domains, and scam sites. As you can see, it’s not just cleaning up ads.

You can also customize what you are blocking by adding or removing lists. For example, Steven Black has additional lists you can add to your Pi-hole configuration that include the blocking of fakenews, gambling, porn, and social media sites.

Block to your heart’s desire.

Wrapping Up

Using DNS to ‘clean your pipes’ is very powerful, in that it affects all devices on your network without having to install plugins, agents, or additional software. Having the ability to block known malicious sites, whether they be phishing domains, malvertising, drive-by malware, or malware beaconing domains, is something most organizations would pay a considerable amount of money for because it’s such a powerful tool to reduce risk. It can also be a valuable troubleshooting and investigative tool when trying to determine what hosts are being queried and at what time.

Although Pi-hole doesn’t scale to large enterprise (simply because of the amount of DNS requests), the block lists absolutely do. If you have the ability to sinkhole domains in your organization, I recommend utilizing some of the mentioned blocklists in this post. If you don’t currently have at tool to sinkhole DNS requests, you can build one using PowerShell!

If you do build a Pi-hole, I highly recommend donating to their project.


Using DNS to Clean Your Pipes was originally published in Savage Security Blog on Medium, where people are continuing the conversation by highlighting and responding to this story.

This is a Security Bloggers Network syndicated blog post. Read the original at: Savage Security Blog - Medium 2017-12-03.