DNS with Pi-Hole + DNSCrypt

This is a follow on post from Using a Pi-hole to fight phishing.

I already had Pi-Hole running. It’s a fantastic tool for several reasons, namely:

  • Allows you to block adverts and malware at a DNS level. This is much more effective than using ad-blockers. All devices on the network can be protected using this measure (as opposed to say just a browser on a single desktop PC).
  • Allows you to block additional sites which you want.
  • Gives you visibility to what is happening on your own network.
  • Allows you to leverage more secure DNS technologies such as DNS-over-HTTPS (DoH) for all devices.

My instance was running along with the cloudflared proxy so that my external DNS requests took place over DoH. However, I had an issue where my connection seemed to drop or hang randomly, which was starting to drive me up the wall somewhat. After further investigation I found the root cause to be the DNS requests to Cloudflare.

So I did some digging around and came across a recommendation to use dnscrypt-proxy instead of cloudflared. After looking at it, I found it a better solution: not only does it support DoH and DNS over TLS (which cloudflared does as well), it also supports DNSCrypt, so it is more versatile than cloudflared. Additionally, while I admire what Cloudflare does and provides, I would like to move away from a single vendor for these types of things, and have something which makes it easy to switch my external DNS resolver.

dnscrypt-proxy

Steps to install dnscrypt-proxy are pretty straight forward:

  1. Change the current directory to /opt: cd /opt
  2. Download the latest version: sudo wget https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/2.0.39/dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  3. Unarchive the downloaded archive: sudo tar -xvzf ./dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  4. Remove the downloaded archive: sudo rm dnscrypt-proxy-linux_arm64-2.0.39.tar.gz
  5. Rename the unpacked directory (the arm64 tarball unpacks into linux-arm64): sudo mv ./linux-arm64 ./dnscrypt-proxy
  6. Change directory to dnscrypt-proxy: cd dnscrypt-proxy
  7. Create configuration from an example: sudo cp ./example-dnscrypt-proxy.toml ./dnscrypt-proxy.toml
  8. Edit the configuration:
    server_names = ['cloudflare'] # you can change this; a list of names is available at https://dnscrypt.info/public-servers
    listen_addresses = ['127.0.0.1:54']
  9. Install the dnscrypt-proxy: sudo ./dnscrypt-proxy -service install
  10. Start dnscrypt-proxy: sudo ./dnscrypt-proxy -service start
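The ten steps above as one repeatable script, added here as an example and not the blog's own script. It is run as root (sudo), the version and architecture default to the post's values (2.0.39, linux_arm64) and are assumptions for your own box, and the TOML edit is done by a small awk helper so it works whether the shipped example file has the key live or commented out:

```shell
#!/usr/bin/env bash
# Added example (not the blog's own script): the dnscrypt-proxy steps as a
# repeatable script. Run as root: sudo RUN_INSTALL=1 ./install-dnscrypt.sh
# Version and architecture are the post's values and are assumptions here.
set -euo pipefail

DNSCRYPT_VERSION="${DNSCRYPT_VERSION:-2.0.39}"
DNSCRYPT_ARCH="${DNSCRYPT_ARCH:-linux_arm64}"      # 64-bit Raspberry Pi, as in the post
INSTALL_DIR="${INSTALL_DIR:-/opt/dnscrypt-proxy}"
UPSTREAM="${UPSTREAM:-cloudflare}"                 # a name from https://dnscrypt.info/public-servers
LISTEN="${LISTEN:-127.0.0.1:54}"                   # port 54, leaving 53 free for Pi-hole

# The release tarball unpacks into a directory named after the arch with '-'
# instead of '_' (dnscrypt-proxy-linux_arm64-*.tar.gz -> linux-arm64/).
unpacked_dir_for() { printf '%s\n' "$1" | tr '_' '-'; }

# Set "key = value" in a TOML file: replaces the first matching line, whether
# it is live or commented out with a single '#', and appends the key if absent.
# Only one line is ever touched, so the file cannot end up with duplicate keys.
set_key() {
  local toml="$1" key="$2" value="$3" tmp
  tmp="$(mktemp)"
  awk -v key="$key" -v value="$value" '
    !done && $0 ~ ("^#?[ \t]*" key "[ \t]*=") { print key " = " value; done = 1; next }
    { print }
    END { if (!done) print key " = " value }
  ' "$toml" > "$tmp"
  cat "$tmp" > "$toml" && rm -f "$tmp"   # keeps the target file's owner and mode
}

# Print the value of a live (uncommented) key, for verification.
toml_value() {
  awk -v key="$2" '$0 ~ ("^" key "[ \t]*=") { sub(/^[^=]*=[ \t]*/, ""); print; exit }' "$1"
}

install_dnscrypt() {
  local tarball="dnscrypt-proxy-${DNSCRYPT_ARCH}-${DNSCRYPT_VERSION}.tar.gz"
  cd /opt
  wget "https://github.com/DNSCrypt/dnscrypt-proxy/releases/download/${DNSCRYPT_VERSION}/${tarball}"
  # Releases also publish a ${tarball}.minisig; verifying it with minisign against
  # the project's published key is the supply-chain check worth adding here.
  tar -xzf "./${tarball}"
  rm -f "./${tarball}"
  mv "./$(unpacked_dir_for "$DNSCRYPT_ARCH")" "$INSTALL_DIR"
  cd "$INSTALL_DIR"
  cp ./example-dnscrypt-proxy.toml ./dnscrypt-proxy.toml
  set_key ./dnscrypt-proxy.toml server_names "['${UPSTREAM}']"
  set_key ./dnscrypt-proxy.toml listen_addresses "['${LISTEN}']"
  ./dnscrypt-proxy -service install
  ./dnscrypt-proxy -service start
  # Resolve through the proxy directly before pointing Pi-hole at it.
  dig @"${LISTEN%%:*}" -p "${LISTEN##*:}" +short example.com
}

# Only install when explicitly asked, so the file can be sourced for its helpers.
if [ "${RUN_INSTALL:-0}" = 1 ]; then
  install_dnscrypt
fi
```

The final dig goes straight to 127.0.0.1 port 54, which separates a broken proxy from a broken Pi-hole configuration when the later Pi-hole test fails.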

Pi-hole

Steps to install Pi-hole are pretty straight forward as well:

  1. In your home directory, clone the Pi-hole repository: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
  2. Change directory to the install directory: cd "Pi-hole/automated install/"
  3. Run the installation script: sudo bash basic-install.sh
  4. Accept the defaults. You will have to set a name server, just choose any from the list (this will be changed later).
  5. Log into the Pi-hole Admin Web UI.
  6. Navigate to the Settings tab.
  7. Click on the DNS tab.
  8. Uncheck any Upstream DNS Servers which are selected, check Custom 1 (IPv4) and set its value to 127.0.0.1#54.
  9. Save the changes.
  10. Test your setup: dig @<pi-hole_ip> www.google.com (where <pi-hole_ip> is the IP address of your Pi-hole server).
  11. If you want to setup TLS for your admin web UI, edit the file /etc/lighttpd/external.conf:
$HTTP["host"] == "<enter-appropriate-hostname>" {
  # Ensure the Pi-hole Block Page knows that this is not a blocked domain
  setenv.add-environment = ("fqdn" => "true")

  # Enable the SSL engine with a LE cert, only for this specific host
  $SERVER["socket"] == ":443" {
    ssl.engine = "enable"
    ssl.pemfile = "<certificate-and-private-key>"
    ssl.ca-file =  "<ca-cert>"
    ssl.honor-cipher-order = "enable"
    ssl.cipher-list = "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH"
    ssl.use-compression = "disable"
    ssl.use-sslv2 = "disable"
    ssl.use-sslv3 = "disable"
  }

  # Redirect HTTP to HTTPS
  $HTTP["scheme"] == "http" {
    $HTTP["host"] =~ ".*" {
      url.redirect = (".*" => "https://%0$0")
    }
  }
}
  12. Restart lighttpd: sudo systemctl restart lighttpd

This is a slightly modified copy of a post which is available at: https://blog.sean-wright.com/dns-with-pi-hole-dnscrypt/

Note: The Cyber Volunteer 19 team recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Using a Pi-hole to fight phishing

Introduction

Due to recent events related to COVID-19, some Health Centres in Europe have fallen victim to ransomware attacks. The first channel to spread ransomware is often phishing, so here are some suggestions to block web surfing to phishing sites if users have clicked on any emailed phishing links.

In my personal journey of learning about this technology, some time ago I installed Pi-hole Ad Blocking on my Raspberry Pi to avoid annoying commercials when surfing the net from home. Pi-hole can have more powerful applications as well, such as adding other types of blacklists to the Pi-hole – and a phishing site blacklist could be one of them.

The chain

The chain to follow to transform your Pi-hole into a DNS that blocks phishing links is pretty easy:

  1. Download and install Pi-hole; there are many guides on the Internet, depending on where you want to install it, here’s one for Raspberry.
  2. Add the phishing list to the adlists.list of your Pi-hole installation.
  3. Update your Gravity list.
  4. Report and vote for phishing sites.
  5. Check that Pi-hole blocks the right DNS queries.

As stated, the first step is pretty simple – yet it’s off topic here (ping the author if you are in trouble with the installation), so let’s go directly to the second point.

Add phishing list

I recently found a very good project that updates a phishing blacklist every 6 hours. This list could be implemented in your own Pi-hole installation to block phishing sites. It is called Phishing Army and it updates its lists directly from 3 sources:

Add Phishing Army blacklist to your Pi-hole

To add the Phishing Army blacklist to your Pi-hole, simply add the list URL to the file /etc/pihole/adlists.list in your Pi-hole installation. Just connect to the Pi-hole via ssh and type this command:

# vim /etc/pihole/adlists.list

Paste the Phishing Army list URL at the bottom of the file, then write and quit.

Update your Gravity list

Now you have to update the Gravity black list by typing the command

# pihole -g
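The two steps above (append the list, rebuild gravity) as a script that can be re-run safely, added here as an example rather than anything from the original post. The list URL is an obvious placeholder to be replaced with the Phishing Army URL; the file path is the one the post names; pihole -g and pihole -q are the Pi-hole CLI's gravity rebuild and domain query commands:

```shell
#!/usr/bin/env bash
# Added example (not from the post): add a blocklist URL to adlists.list only
# once, rebuild gravity, and confirm a known-listed domain is now blocked.
# LIST_URL is a placeholder; put the Phishing Army list URL there.
set -euo pipefail

ADLISTS_FILE="${ADLISTS_FILE:-/etc/pihole/adlists.list}"
LIST_URL="${LIST_URL:-https://example.invalid/phishing_blocklist.txt}"   # placeholder

# Append a URL to an adlist file unless that exact line is already there.
# Repairs a missing trailing newline first so the URL is never glued onto
# the previous entry (which would silently break both lines). Prints
# "added" or "present".
add_adlist() {
  local file="$1" url="$2"
  if grep -Fxq -- "$url" "$file" 2>/dev/null; then
    echo present
    return 0
  fi
  if [ -s "$file" ] && [ -n "$(tail -c1 "$file")" ]; then
    echo >> "$file"
  fi
  printf '%s\n' "$url" >> "$file"
  echo added
}

# Number of live list entries (blank and '#' comment lines ignored).
count_adlists() {
  grep -cv -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1" || true
}

# Rebuild gravity and check that a domain from the new list is now in it.
# The domain is whatever you pick from the list; "blocked.example" is a placeholder.
rebuild_and_check() {
  local domain="${1:-blocked.example}"
  pihole -g
  pihole -q "$domain"
}

if [ "${RUN_PIHOLE:-0}" = 1 ]; then
  echo "adlist: $(add_adlist "$ADLISTS_FILE" "$LIST_URL")"
  echo "active lists: $(count_adlists "$ADLISTS_FILE")"
  rebuild_and_check "${CHECK_DOMAIN:-blocked.example}"
fi
```

Run it on the Pi-hole as root with RUN_PIHOLE=1; without that variable the file can be sourced just for add_adlist and count_adlists.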

Report and vote for phishing sites

The first thing to do is to report and vote for phishing sites, and the easiest way is to follow the instructions written on the amazing blog of the CyberV19 volunteers about using the voting system on Phishtank. When a Phishtank-submitted link reaches a good number of votes, it is marked as phishing. At this stage, it will then be put on the blacklist update of Phishing Army and automatically updated in the feed to your Pi-hole.

Checks

Now you can check if your Pi-hole is blocking malicious DNS requests. Search for a full or partial link in the Query Lists Search of the Pi-hole:


Try to surf to one of the links in the results and see the DNS query blocked by the Pi-hole:
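Both checks in this document, the dig @<pi-hole_ip> test in the Pi-hole setup section and the blocked-query check here, come down to reading a dig reply. The script below, an added example and not part of either post, classifies a reply as resolved, blocked or failed so the check can be scripted. It assumes Pi-hole's default behaviour for blocked names, which is to answer with 0.0.0.0 / :: (NULL blocking mode) or NXDOMAIN depending on the configured blocking mode; the replies in the demo are constructed, not captured:

```shell
#!/usr/bin/env bash
# Added example, not from either post: turn a dig reply into a verdict.
# Assumption: Pi-hole answers blocked names with 0.0.0.0 / :: (default NULL
# mode) or NXDOMAIN, depending on its configured blocking mode.
set -euo pipefail

# Read a full dig reply on stdin, print one word:
#   resolved - status NOERROR with at least one A/AAAA record that is not a sinkhole
#   blocked  - NXDOMAIN, or NOERROR whose only addresses are 0.0.0.0 / ::
#   failed   - anything else (SERVFAIL, REFUSED, timeout, unparsable input)
classify_dig() {
  awk '
    /;; ->>HEADER<<-/ && match($0, /status: [A-Z]+/) {
      status = substr($0, RSTART + 8, RLENGTH - 8)     # text after "status: "
    }
    /^;; ANSWER SECTION:/ { in_answer = 1; next }
    /^;;/ || /^$/         { in_answer = 0 }            # next section or blank line
    in_answer && ($4 == "A" || $4 == "AAAA") {
      if ($5 == "0.0.0.0" || $5 == "::") sink++; else real++
    }
    END {
      if (status == "NXDOMAIN")                 print "blocked"
      else if (status == "NOERROR" && real > 0) print "resolved"
      else if (status == "NOERROR" && sink > 0) print "blocked"
      else                                      print "failed"
    }'
}

# check_domain <resolver_ip> <port> <name>: query the resolver and classify.
# A timeout must still produce "failed" rather than abort the script, hence || true.
check_domain() {
  (dig @"$1" -p "$2" +time=3 +tries=1 "$3" || true) | classify_dig
}

# Stand-alone demo on constructed replies (no network needed).
demo() {
  local ok blocked nx timeout
  ok=$(printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1\n;; ANSWER SECTION:\nwww.google.com.\t300\tIN\tA\t142.250.74.36\n\n;; Query time: 1 msec\n' | classify_dig)
  blocked=$(printf ';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2\n;; ANSWER SECTION:\nphish.example.\t2\tIN\tA\t0.0.0.0\n' | classify_dig)
  nx=$(printf ';; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 3\n' | classify_dig)
  timeout=$(printf ';; connection timed out; no servers could be reached\n' | classify_dig)
  printf 'real answer: %s\nsinkhole answer: %s\nNXDOMAIN: %s\ntimeout: %s\n' \
    "$ok" "$blocked" "$nx" "$timeout"
}

demo
# Live use on the Pi-hole, e.g.: check_domain 192.168.1.2 53 www.google.com
```

Run check_domain against the Pi-hole with a known-good name (expect "resolved") and a name from the phishing list (expect "blocked"); "failed" for the good name points at the upstream dnscrypt-proxy rather than at the blocklist.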


Well done!

Conclusions

This is a home setup scenario. For a small company, or to test enterprise-style solutions, we would suggest installing Pi-hole in a docker container and configuring the Domain Controller to point to the Pi-hole as your primary DNS.

To reiterate, we recommend this setup for HOME use only. Hospitals and healthcare providers should use business class solutions for DNS services and protective DNS.

Thanks

Thanks to Luca Testoni for writing this blog and contributing to CV19! This is a slightly modified version of the post on https://blackcloud.me/fight-phishing/