Pi-hole in the cloud

Background

I regularly listen to several security podcasts, including Security Weekly. Recently, in the tech segment they discussed Pi-hole, specifically for deployment in the cloud.

There are many benefits to having a cloud-based Pi-hole, particularly if you already use an OpenVPN server for your mobile devices to prevent carrier snooping and to keep your traffic private on public wireless networks. Using a cloud-based Pi-hole extends your ad-free (and tracker-free) experience on the web to your mobile device, which is extremely powerful.

Side note: with Apple's new DNS proxy extension in iOS 11, maybe they'll allow modification of your DNS servers when on LTE, providing even more control without requiring a VPN.

Setup

I chose DigitalOcean for my cloud provider, after looking at several others. Ultimately, the Pi-hole developers have a referral code, so it gave me an opportunity to give back in a small way.

The $5 droplet was more than sufficient, and even with ~20k queries per day, it still only uses 34% of memory.

I did not want a DNS server open to the world, so I used iptables to allow access only from the networks I wanted. I strongly encourage this for anyone hosting this in the cloud. DigitalOcean now has cloud firewalls available for droplets, so that may suffice - and is likely easier to configure than iptables - but I have not converted yet.

One thing I found in the first few days was that some websites were horrendously slow to load. After a little digging, I found the issue was HTTPS connections to pi-hole'd domains never completing. This would not have been an issue for the original Pi-hole, since it would be located inside your network, but that's not the case here. Once I updated my iptables rules to REJECT HTTPS traffic instead of dropping it, the performance issues went away and all my dreams came true.

# Reject, rather than silently drop, inbound HTTPS so connections to blocked domains fail fast
iptables -A INPUT -p tcp --destination-port 443 -j REJECT

The reason for this is that the DROP action silently discards the packet, so the client (your browser) keeps waiting for a connection that will never complete, until it times out. The REJECT action sends back a RESET to the client, telling it there is nothing listening on that port, which kills the connection attempt immediately.
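To show the whole ruleset rather than the single line above, here is an added example (my own script, not one from the post): a small POSIX shell script that generates the iptables rules for a cloud-hosted Pi-hole, answering DNS only for listed source networks, restricting SSH and the web admin page to those networks, and rejecting HTTPS for everyone. The network ranges and the admin address are constructed placeholders. One caveat worth knowing: the default REJECT target replies with an ICMP port-unreachable message rather than a TCP RST; that also ends the browser's attempt promptly, but `--reject-with tcp-reset` produces the reset described above. The reason the browser ever reaches the server is that, in Pi-hole versions of this era, a blocked name resolves to the Pi-hole's own address; later Pi-hole releases can instead return 0.0.0.0 for blocked names (BLOCKINGMODE=NULL in pihole-FTL.conf), which avoids the hang entirely.

```shell
#!/bin/sh
# Added example, not the blog post's own script: generate (and optionally apply)
# an INPUT ruleset for a cloud Pi-hole that only serves the networks we trust.
# All addresses below are constructed placeholders; replace them before --apply.

# Networks allowed to use the resolver and reach the admin page (constructed):
# the OpenVPN tunnel range and a home network's public address.
ALLOWED_NETS="10.8.0.0/24 203.0.113.7/32"
# Source allowed to reach SSH (constructed placeholder).
ADMIN_NET="203.0.113.7/32"

# Print the ruleset as iptables commands, one per line, in the order to run them.
emit_rules() {
    echo "iptables -F INPUT"
    echo "iptables -A INPUT -i lo -j ACCEPT"
    # Replies to our own outbound connections (upstream DNS, updates) must get in.
    echo "iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT"
    for net in $ALLOWED_NETS; do
        echo "iptables -A INPUT -s $net -p udp --dport 53 -j ACCEPT"
        echo "iptables -A INPUT -s $net -p tcp --dport 53 -j ACCEPT"
        # Web admin panel and the block page, only from trusted networks.
        echo "iptables -A INPUT -s $net -p tcp --dport 80 -j ACCEPT"
    done
    echo "iptables -A INPUT -s $ADMIN_NET -p tcp --dport 22 -j ACCEPT"
    # Blocked domains resolve to this host, so browsers open HTTPS to it.
    # Answer with a TCP RST so the attempt fails at once instead of hanging
    # (plain REJECT would send ICMP port-unreachable, which also works).
    echo "iptables -A INPUT -p tcp --dport 443 -j REJECT --reject-with tcp-reset"
    # Everything else, including DNS from unknown sources, is dropped by policy.
    # The policy is set last so an SSH session is not cut off mid-apply.
    echo "iptables -P INPUT DROP"
}

# Number of rules that accept DNS; a quick sanity check on ALLOWED_NETS.
count_dns_accepts() {
    emit_rules | grep -c -- '--dport 53 -j ACCEPT'
}

# Last command emitted; must be the DROP policy.
final_rule() {
    emit_rules | tail -n 1
}

if [ "$1" = "--apply" ]; then
    emit_rules | sh     # needs root; run from the console or from ADMIN_NET
else
    emit_rules          # dry run: just show what would be applied
fi
```

Run it without arguments to review the generated commands, and with `--apply` (as root, from a console or from ADMIN_NET so you do not lock yourself out) to load them. The default DROP policy is what keeps the droplet from becoming an open resolver.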

Results

As you can see, ~1300 requests were blocked, or roughly 8%. My top advertisers are no surprise:

After pointing some family networks to this server, I decided to spin up something internally at home on my ESX server. This was eye-opening to say the least.

I know I'm a heavy internet user (I work from home), and we have several IoT-type devices in the home, but this is a bit much. Thankfully, Pi-hole provides some additional detail to help figure out what's going on.

It turned out I have a DNS misconfiguration on my workstation for the split VPN I use for work, which sends a bunch of requests for internal domains to my DNS server rather than over the VPN. Time to fix that!
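The two things worth pulling out of the query log are the blocked percentage shown in the Results section and the leaked internal-domain lookups that revealed the split-VPN problem. As an added example (my own script, not Pi-hole's tooling), here is a POSIX shell script with awk that computes both from constructed log lines. The lines are made up for this example and follow the dnsmasq log format Pi-hole used at the time, where a blocklist hit is logged as a gravity.list line; the internal suffix corp.example and the addresses are placeholders.

```shell
#!/bin/sh
# Added example, not the blog post's own tooling: summarise a Pi-hole/dnsmasq
# query log. Log lines are constructed for this example, in the dnsmasq format
# Pi-hole's log used with dnsmasq (assumption; check against your own log).

LOG="$(cat <<'EOF'
Sep 12 08:00:01 dnsmasq[812]: query[A] www.example.com from 10.8.0.2
Sep 12 08:00:01 dnsmasq[812]: forwarded www.example.com to 1.1.1.1
Sep 12 08:00:02 dnsmasq[812]: query[A] ads.example.net from 10.8.0.2
Sep 12 08:00:02 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is 10.8.0.1
Sep 12 08:00:03 dnsmasq[812]: query[AAAA] ads.example.net from 10.8.0.3
Sep 12 08:00:03 dnsmasq[812]: /etc/pihole/gravity.list ads.example.net is ::
Sep 12 08:00:04 dnsmasq[812]: query[A] tracker.example.org from 10.8.0.3
Sep 12 08:00:04 dnsmasq[812]: /etc/pihole/gravity.list tracker.example.org is 10.8.0.1
Sep 12 08:00:05 dnsmasq[812]: query[A] wiki.corp.example from 10.8.0.2
Sep 12 08:00:05 dnsmasq[812]: forwarded wiki.corp.example to 1.1.1.1
Sep 12 08:00:06 dnsmasq[812]: query[A] mail.example.com from 10.8.0.4
Sep 12 08:00:06 dnsmasq[812]: cached mail.example.com is 192.0.2.10
EOF
)"

# Internal suffix that should only ever be resolved over the work VPN (constructed).
INTERNAL_SUFFIX="corp.example"

# Integer percentage of queries answered from the blocklist.
# Field 5 is "query[TYPE]" on a query line and the list path on a block line.
blocked_percent() {
    printf '%s\n' "$LOG" | awk '
        $5 ~ /^query/      { total++ }
        $5 ~ /gravity\.list/ { blocked++ }
        END { if (total) printf "%d\n", blocked * 100 / total; else print 0 }'
}

# Blocked domains with hit counts, most frequent first (domain is field 6).
top_blocked() {
    printf '%s\n' "$LOG" | awk '$5 ~ /gravity\.list/ { c[$6]++ }
        END { for (d in c) print c[d], d }' | sort -rn
}

# Clients that sent lookups for the internal suffix to this server: "client domain".
internal_leaks() {
    printf '%s\n' "$LOG" | awk -v s="$INTERNAL_SUFFIX" '
        $5 ~ /^query/ && $6 ~ ("\\." s "$|^" s "$") { print $8, $6 }' | sort -u
}

echo "blocked: $(blocked_percent)%"
echo "top blocked domains:"; top_blocked
echo "internal-name leaks (client domain):"; internal_leaks
```

Point the heredoc at a real /var/log/pihole.log (or pipe the file in instead of the embedded sample) and the same three functions give the blocked ratio, the top advertisers, and which workstation is leaking internal names past the VPN.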

Unexpected Benefits

I rarely watch live TV. In fact, my cable box is unplugged, and the only reason I keep my cable TV subscription is so I can sign into apps like ABC and PBS Kids on my Roku to watch shows on demand. I was hoping that these apps would have their commercials blocked via Pi-hole, but alas, they did not.

However, Crackle ads did get blocked! Now, I can watch Seinfeld with no commercials, and life is good.

Should you use Pi-hole?

Yes - absolutely, for several reasons: passive ad/tracker blocking, some basic malware prevention via DNS blocklists, and basic visibility into what's going on in your network. DNS is a powerful tool for many things, and knowing what's going on in your network is just one of them.

There are many guides for setting up Pi-hole without a Raspberry Pi, but if you have questions about my specific setup, please comment below and I'll be happy to answer.
