
Pi-hole on a Pine64 with DNS over HTTPS

I decided to reinstall Pi-hole on my Pine64, which was no longer being used for anything. Here is the procedure:

Installing Pi-hole on the Pine64

Start by installing Armbian for the Pine64; I took the Buster-based image:

https://dl.armbian.com/pine64/Debian_buster_next.7z

login: root
password: 1234

Once the default password has been changed, install Pi-hole.

PiHole

wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh

The installation runs normally: set the machine's IP address; the blocklists will be updated later.
For the upstream DNS servers, pick whichever you like; they will be changed afterwards.

DNS Over HTTPS

The goal is anonymity and privacy (even if that notion tends to fade more and more with time... but that is another subject).

The advantage of this technique is that all DNS traffic leaving the house is routed over HTTPS to a DNS provider that respects your privacy.

Even the ISP cannot see which names are being looked up.
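What actually travels inside that HTTPS connection is an ordinary DNS wire-format message, sent as an HTTP POST with Content-Type application/dns-message (RFC 8484). The following is an added example, not code from the post or from cloudflared: it builds an A query by hand, can POST it to the same upstream used in /etc/default/cloudflared, and parses the answer, including compressed names. SAMPLE_RESPONSE is a constructed reply mirroring the dig output further down (google.com, TTL 199, 172.217.18.206) so the parser can be exercised offline.

```python
"""Minimal DNS-over-HTTPS (RFC 8484) client: build a wire-format A query,
POST it as application/dns-message, and parse the reply.

Added example, not from the original post or from cloudflared.
SAMPLE_RESPONSE is constructed (no EDNS OPT record) to match the dig
output shown in the post: google.com A 172.217.18.206, TTL 199, id 53913.
"""
import os
import struct
import urllib.request
from typing import Optional

UPSTREAM = "https://1.1.1.1/dns-query"  # same upstream as in /etc/default/cloudflared

SAMPLE_RESPONSE = bytes.fromhex(
    "d299 8180 0001 0001 0000 0000"            # id=53913, flags qr rd ra NOERROR, 1 Q, 1 A
    "06 676f6f676c65 03 636f6d 00 0001 0001"   # question: google.com. IN A
    "c00c 0001 0001 000000c7 0004 acd912ce"    # answer: ptr->google.com, A, TTL 199, 172.217.18.206
)


def build_query(name: str, qid: Optional[int] = None) -> bytes:
    """Return a DNS wire-format A/IN query for `name` with the RD bit set."""
    if qid is None:
        qid = int.from_bytes(os.urandom(2), "big")  # random ID, checked on reply
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, off: int):
    """Decode a possibly compressed name; return (dotted name, offset after it)."""
    labels, jumped, end = [], False, off
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:            # 2-byte compression pointer
            if not jumped:
                end = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            jumped = True
            continue
        off += 1
        if length == 0:                      # root label terminates the name
            if not jumped:
                end = off
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", end


def parse_response(msg: bytes) -> dict:
    """Parse header, skip the question section and decode the answer RRs."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = _read_name(msg, off)
        off += 4                              # QTYPE + QCLASS
    answers = []
    for _ in range(an):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        data = ".".join(str(b) for b in rdata) if rtype == 1 and rdlen == 4 else rdata.hex()
        answers.append({"name": name, "type": rtype, "ttl": ttl, "data": data})
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}


def doh_query(name: str, upstream: str = UPSTREAM, timeout: float = 5.0) -> dict:
    """Resolve `name` over HTTPS (needs network). On the wire this is only TLS to port 443."""
    query = build_query(name)
    req = urllib.request.Request(
        upstream, data=query, method="POST",
        headers={"Content-Type": "application/dns-message",
                 "Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        answer = parse_response(resp.read())
    if answer["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply ID does not match query ID")
    return answer


if __name__ == "__main__":
    print("offline sample:", parse_response(SAMPLE_RESPONSE))
    # print("live:", doh_query("google.com"))  # uncomment when network is available
```

The ID check at the end matters even over HTTPS: it ties each reply to the query that produced it, the same protection a classic resolver relies on. Because the channel is TLS, a passive observer on the ISP side only sees a connection to 1.1.1.1:443, not the name being asked.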

To set it up, we use Cloudflare's DNS service through the cloudflared binary, which has to be compiled:
https://github.com/cloudflare/cloudflared

To install it:
apt install golang-go
export PATH=$PATH:/usr/local/go/bin
export GOPATH=~/gocode
git clone https://github.com/cloudflare/cloudflared
cd cloudflared
go clean
go get github.com/cloudflare/cloudflared/cmd/cloudflared
make cloudflared

sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared

Create a dedicated cloudflared user (no shell, no home directory):
sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Edit the cloudflared defaults file:
vi /etc/default/cloudflared

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

vi /lib/systemd/system/cloudflared.service:

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Check that the cloudflared service listening on localhost answers and resolves names over HTTPS:
dig @127.0.0.1 -p 5053 google.com

; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 53913
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 (".....................................................................")
;; QUESTION SECTION:
;google.com.			IN	A

;; ANSWER SECTION:
google.com.		199	IN	A	172.217.18.206

;; Query time: 38 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Thu Oct 03 14:05:34 UTC 2019
;; MSG SIZE  rcvd: 138

All that remains is to point Pi-hole's upstream DNS at a custom server:
127.0.0.1#5053

Updating the DNS blocklists

Below are the URLs I added on my side:

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/adaway.org/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/adblock-nocoin-list/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/adguard-simplified/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/anudeepnd-adservers/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/disconnect.me-ad/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/disconnect.me-malvertising/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/disconnect.me-malware/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/disconnect.me-tracking/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/easylist/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/easyprivacy/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/eth-phishing-detect/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/fademind-add.2o7net/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/fademind-add.dead/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/fademind-add.risk/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/fademind-add.spam/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/kadhosts/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/malwaredomainlist.com/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/malwaredomains.com-immortaldomains/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/malwaredomains.com-justdomains/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/matomo.org-spammers/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/mitchellkrogza-badd-boyz-hosts/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/pgl.yoyo.org/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/ransomwaretracker.abuse.ch/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/someonewhocares.org/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/spam404.com/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/stevenblack/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/winhelp2002.mvps.org/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/zerodot1-coinblockerlists-browser/list.txt
https://raw.githubusercontent.com/hectorm/hmirror/master/data/zeustracker.abuse.ch/list.txt
https://raw.githubusercontent.com/CHEF-KOCH/Audio-fingerprint-pages/master/AudioFp.txt
https://raw.githubusercontent.com/CHEF-KOCH/Canvas-fingerprinting-pages/master/Canvas.txt
https://raw.githubusercontent.com/CHEF-KOCH/WebRTC-tracking/master/WebRTC.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/Anti-Corp/hosts/NSABlocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://www.stopforumspam.com/downloads/toxic_domains_whole.txt
https://raw.githubusercontent.com/CamelCase11/UnifiedHosts/master/hosts.all
https://dbl.oisd.nl/
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://tspprs.com/dl/crypto
https://tspprs.com/dl/tracking
https://tspprs.com/dl/spotify
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/HOSTS/Game.txt
https://raw.githubusercontent.com/CHEF-KOCH/NSABlocklist/master/HOSTS
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/AakList.txt
https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Prebake-Obtrusive.txt
https://jasonhill.co.uk/pfsense/ytadblock.txt
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://raw.githubusercontent.com/CHEF-KOCH/BarbBlock-filter-list/master/HOSTS.txt
https://raw.githubusercontent.com/CHEF-KOCH/Canvas-Font-Fingerprinting-pages/master/Canvas.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/HOSTS/Ads-tracker.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/HOSTS/coinminer.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/HOSTS/Malware.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/filters/nsablocklist.txt
https://raw.githubusercontent.com/CHEF-KOCH/CKs-FilterList/master/uMatrix/CK's-uMatrix-FilterList.txt
http://phishing.mailscanner.info/phishing.bad.sites.conf
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt
https://zerodot1.gitlab.io/CoinBlockerLists/list.txt
https://zerodot1.gitlab.io/CoinBlockerLists/list_browser.txt
https://zerodot1.gitlab.io/CoinBlockerLists/list_optional.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/w13d/adblockListABP-PiHole/master/Spotify.txt
https://smokingwheels.github.io/Pi-hole/allhosts

With this list I end up with close to 3 million blocked domains.
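The lists above mix two formats (hosts-file lines such as "0.0.0.0 ads.example" and bare domain lists) and overlap heavily, which is why the final count is what survives after merging and deduplication. The following is an added example, not the post's or Pi-hole's own gravity code: it parses both formats, drops comments and the local hostnames that hosts files carry, and reports unique domains. SAMPLE_LISTS is constructed content standing in for downloaded files; fetch_list() is only for use with real URLs.

```python
"""Merge Pi-hole style blocklists into one deduplicated set of domains.

Added example, not from the original post or from Pi-hole. Handles
hosts-file format ("0.0.0.0 name" / "127.0.0.1 name") and plain domain
lists, ignores comments, blank lines and the local names every hosts file
ships with. SAMPLE_LISTS is constructed; fetch_list() needs network.
"""
import re
import urllib.request

# Hostnames that appear in hosts files for the local machine and must never be blocked.
LOCAL_NAMES = {
    "localhost", "localhost.localdomain", "local", "broadcasthost",
    "ip6-localhost", "ip6-loopback", "ip6-localnet", "ip6-mcastprefix",
    "ip6-allnodes", "ip6-allrouters", "ip6-allhosts", "0.0.0.0",
}

# Address fields that mark a hosts-format line.
SINK_ADDRESSES = {"0.0.0.0", "127.0.0.1", "::1", "::"}

# Loose hostname check: at least two labels of letters, digits, '-' or '_'.
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)[a-z0-9_-]+(\.[a-z0-9_-]+)+$")

SAMPLE_LISTS = {  # constructed stand-ins for two downloaded lists
    "hosts-format": (
        "# Title: constructed hosts-style list\n"
        "127.0.0.1 localhost\n"
        "0.0.0.0 ads.example.test\n"
        "0.0.0.0 tracker.example.test  # trailing comment\n"
        "0.0.0.0 Ads.Example.Test\n"          # duplicate differing only in case
    ),
    "domain-format": (
        "# constructed plain-domain list\n"
        "tracker.example.test\n"
        "malware.example.test\n"
        "not a domain\n"                       # malformed line, must be skipped
    ),
}


def parse_list(text: str) -> set:
    """Return the set of blockable domains found in one list body."""
    domains = set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()   # strip comments, normalise case
        if not line:
            continue
        fields = line.split()
        if fields[0] in SINK_ADDRESSES:        # hosts format: address then one or more names
            names = fields[1:]
        elif len(fields) == 1:                 # plain domain list: exactly one token
            names = fields
        else:                                  # anything else is malformed
            names = []
        for name in names:
            name = name.rstrip(".")
            if name in LOCAL_NAMES or not DOMAIN_RE.match(name):
                continue
            domains.add(name)
    return domains


def merge_lists(lists: dict):
    """Merge {label: text} into one set; also return per-list counts to spot overlap."""
    merged, per_list = set(), {}
    for label, text in lists.items():
        parsed = parse_list(text)
        per_list[label] = len(parsed)
        merged |= parsed
    return merged, per_list


def fetch_list(url: str, timeout: float = 30.0) -> str:
    """Download one list body (network required)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", errors="replace")


if __name__ == "__main__":
    merged, per_list = merge_lists(SAMPLE_LISTS)
    print("per list:", per_list)
    print("unique domains after merge:", len(merged))
    # With the post's URLs: merge_lists({u: fetch_list(u) for u in urls})
```

The per-list counts versus the merged total make the overlap visible: in the sample, 2 + 2 entries collapse to 3 unique domains once case is normalised and duplicates across lists are removed. Skipping LOCAL_NAMES is the check that keeps a carelessly formatted hosts file from blocking localhost.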

enjoy :)
