So lots of people are starting to get more serious about their online security, I have a bit of experience setting up simple home solutions that provide you with at least some peace of mind on the attacks and who's harvesting your data front.
As a reminder, none of this makes you invulnerable to exploitation or totally safe. The best way to practice network security is to log off and unplug your router.
Hardware
There are two good options you have for hardware firewalls/DNS filters: pi-hole and opnsense / pfsense. Pi-hole is incredibly cheap and simple to set up. Once you have all the hardware, installing it takes about 10 minutes and you won't lose internet. Pfsense and its opnsense fork are a bit more involved, but still simple enough that anyone who knows how to install Linux can use them. You'll need a computer with at least 2 Ethernet ports so keep that in mind.
Pi-hole
What it does
Pi-hole is an open source DNS filter that allows you to block unwanted connections and websites from phoning home or serving you data. At the user level, it blocks all ads, but it's better than a standard ad-blocker because it's network wide and never actually allows the connections to be made past the pi-hole.
Requirements
Pi-hole only requires a Raspberry Pi (any one of them) and an 8GB+ SD card. Total all in cost is around $35 if you don't already have a pi. You can also just run it on an old laptop or even in Docker or VirtualBox on your computer.
Set-up
Download the latest Raspbian and use a tool like Rufus on Windows or dd on Linux.
After you have a bootable SD card, open it in your file explorer or CLI of choice and add a file called "ssh" with no file extension to the root directory. This will allow you to remote into your pi once you have it plugged into your router. If you're going to connect the pi over wireless, you can edit the "wpa_supplicant.conf" file with your login info so it connects automatically.
Now that the pi is set up, connect it to your router either with an Ethernet cable or wirelessly. If you feel more comfortable setting it up with a GUI, that's fine, just do all the initial setup with the pi plugged into a monitor then plug it into the router last.
If you're using SSH to connect to your pi, open your router's main menu (usually by going to 192.168.1.1 or 192.168.0.1 in your browser). If you don't know your router ip address, type "ipconfig" into a Windows command line or "ifconfig" in Linux. The ip address after "default gateway" is your router. On your router there should be a client list that will show all the connected devices. Look for your pi on there and remember/write down the ip address. Then open PowerShell or a terminal and type:
ssh pi@{pi-ipaddress}
This should give you a yes/no question about security, type "yes" to connect. The default password for Raspbian is "raspberry". Once you're in, you want to set the pi's ip address to be static. This can be done by typing:
ifconfig eth0 {pi-ipaddress} netmask 255.255.255.0
I'd also recommend changing the password with the "passwd" command and updating everything to the latest version with:
apt-get update && apt-get upgrade
As a reminder, for a lot of actions in Linux, you need to type "sudo" before them. I won't include that in any of my example commands, because it's your responsibility to invoke that. Only use sudo if you're sure you want the command you're using to have admin privileges. It'll tell you if that's the case.
Once that's done, you're ready to install pi-hole.
Installation
In the pi terminal, you can quick install pi-hole with the command:
curl -sSL https://install.pi-hole.net | bash
Or if you want to do it manually, the github has instructions.
This will start an automated setup script that installs everything you need. Write down the password it creates, or change the password to something you want by typing:
pihole -a -p
Once it's done, you should be able to type:
{pi-ipaddress}/admin
or
http://pi.hole/admin
Into any browser and get to the admin console. Log in and configure your DNS settings under the "settings" tab. I use Cloudflare and OpenDNS as my upstream DNS providers, but that's up to you. From here you have a few options, either manually assigning the pi-hole as your DNS server on all your devices, or having your router DHCP assign it. You can also set up the pi-hole to be your DHCP server if you want (this is a good option if you aren't attached to your router DHCP server).
Router DHCP: Go to your router interface and find the DHCP options. There should be an option to set the default DNS servers. Put your pi-hole ip as the only DNS server and apply the changes. This step is different for every router, so I can't really help much. Just look up your router model number for a good idea on how to do this.
Pi-hole as DHCP: Disable DHCP in your router settings and enable it on the pi-Hole. You might need to plug in the pi-hole address as the DHCP server somewhere on your router. Again, this is different with all routers.
Manual: On any devices you want to use pi-hole with, go to the network settings and find the DNS option and set it to your pihole.
Once this is done, you can refresh the admin console and you should start seeing queries being logged. Try cycling your device if it doesn't show up. Sometimes you'll only see your router's ip address if pi-hole isn't your DHCP server. The "conditional forwarding" option in the DNS settings can be a work around for this problem.
Ad-lists
This part is entirely up to you. The default lists are pretty good at blocking ads, but for other stuff you might want to search around. This writeup on the pi-hole forums has some links to blocklists and upstream DNS servers you can use. To test that your pi-hole is working properly, you can go to a site like https://dnsleaktest.com/ to see that only the upstream DNS servers you assigned are being queried. Sites like https://canyoublockit.com/ are good for testing the ad and tracker blocking of your pihole. When you run it, keep your query log open in another tab and blacklist anything that gets forwarded from that site.
This turned out to be a pretty long write-up, so I'm going to do the opnsense/pfsense ones in a separate post. If anyone has any questions I'll try and answer to the best of my ability and if you see something wrong with my writeup, call me out and I'll edit it.
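As an added example (not part of the original post), here is a small Python script that does what the query-log and dnsleaktest checks above do by hand: it reads Pi-hole's dnsmasq-style log (the line formats assumed are those of /var/log/pihole.log as I know them, and the sample lines are constructed, not a real capture), lists which client asked for which blocked or forwarded domains, and flags any forward that went to an upstream resolver you did not configure.

```python
import re
from collections import defaultdict

# Constructed sample in the style of Pi-hole's dnsmasq log; not a real capture.
SAMPLE_LOG = """\
Mar 10 12:00:01 dnsmasq[812]: query[A] example.org from 192.168.1.20
Mar 10 12:00:01 dnsmasq[812]: forwarded example.org to 1.1.1.1
Mar 10 12:00:01 dnsmasq[812]: reply example.org is 93.184.216.34
Mar 10 12:00:02 dnsmasq[812]: query[A] ads.tracker-example.net from 192.168.1.20
Mar 10 12:00:02 dnsmasq[812]: gravity blocked ads.tracker-example.net is 0.0.0.0
Mar 10 12:00:03 dnsmasq[812]: query[A] telemetry.iot-example.com from 192.168.1.42
Mar 10 12:00:03 dnsmasq[812]: forwarded telemetry.iot-example.com to 8.8.8.8
Mar 10 12:00:04 dnsmasq[812]: query[AAAA] example.org from 192.168.1.42
Mar 10 12:00:04 dnsmasq[812]: cached example.org is NODATA-IPv6
"""

QUERY_RE = re.compile(r"query\[(\w+)\] (\S+) from (\S+)")
FORWARD_RE = re.compile(r"forwarded (\S+) to (\S+)")
BLOCKED_RE = re.compile(r"(?:gravity blocked|exactly blacklisted|regex blacklisted) (\S+)")


def summarize(log_text, allowed_upstreams):
    """Group blocked/forwarded domains by client and flag unexpected upstreams.

    dnsmasq does not repeat the client on 'forwarded'/'blocked' lines, so we
    attribute them to the client that most recently queried that domain
    (a heuristic that can misattribute truly concurrent queries).
    """
    last_client = {}
    blocked = defaultdict(set)
    forwarded = defaultdict(set)
    unexpected = []  # (domain, upstream) pairs sent to a resolver not in allowed_upstreams
    for line in log_text.splitlines():
        if m := QUERY_RE.search(line):
            last_client[m.group(2)] = m.group(3)
        elif m := BLOCKED_RE.search(line):
            blocked[last_client.get(m.group(1), "?")].add(m.group(1))
        elif m := FORWARD_RE.search(line):
            domain, upstream = m.groups()
            forwarded[last_client.get(domain, "?")].add(domain)
            if upstream not in allowed_upstreams:
                unexpected.append((domain, upstream))
    return {"blocked": dict(blocked), "forwarded": dict(forwarded),
            "unexpected_upstreams": unexpected}


if __name__ == "__main__":
    # Upstreams you configured under Settings > DNS (Cloudflare and OpenDNS here).
    print(summarize(SAMPLE_LOG, {"1.1.1.1", "208.67.222.222"}))
```

Point it at the real log with `summarize(open("/var/log/pihole.log").read(), {...})`; anything in "unexpected_upstreams" means a query left your network through a resolver you did not choose.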
I just know as soon as I did any of this it'd fuck my work remote desktop and I'd have to turn it all off lol
Pihole shouldn't interfere with that. At least it's never done that for me. You can set it up with your VPN too so you are always getting DNS queries filtered through your pihole, even on other networks.
I have half a mind to believe that the recent push for DNS-over-HTTPS is just companies finding ways to ensure users cannot filter out shitty IoT phone home. I look forward to the next generation of Samsung smart TVs that only operate with DoH and you have no choice but to accept the ads if you connect it to your network (which, when it comes to shitty IoT devices, you never should).
The only situation where I think DoH is useful is if you're being blocked (government/ISP/boss) and you can use it to circumvent. So the other 98+% of the time it'll just be used to pretend it's offering security and "privacy".
Maybe I'm wrong.
This appears more like you set your own upstream DNS to DoH, not blocking DoH requests made by applications/devices on your network.
Yeah, but pihole is still serving as a mitm for the service so it's resolved on the pihole and served to your devices right?
Only if you can change the settings of the device (at which point you have so much control over it that the point is moot). If the dns is hard coded to some DoH service you can’t MITM that without denying all service. As far as I know, at any rate.
Most devices have a fallback, you could just block 53, 80, 443, 853 per device (for the offending iot garbage). Or block those ports per application locally. You can also block those ports for the big DoH servers (1.1.1.1 , 8.8.8.8, etc)
Thanks for the info. I hopefully will never buy something that is this level of BS but if I do I will be sure to try my best to block it.
There's always some sort of work around, it's just a matter of spending the time to figure it out
Probably not a good idea to run core services off of an SD card, so if you really want to use a Pi please at least consider booting off a USB SSD. Depending on which Pi model you have, it should already be possible or might require minor tinkering.
I would personally advocate just running pfSense + pfblockerng on a virtual machine, but this is your thread.
Agreed, I was planning on doing the pfSense option in a different thread. Pihole on SD is definitely not the best, but with the newer ones you don't have to worry as much because there's enough ram to avoid constantly writing to the card.
Mine didn't hit any snags until a couple days ago (which is what prompted me to make this thread). Been running off an 8 gig gas station card for almost 3 years. Your mileage will definitely vary though.
While useful, DNS blacklists don't really make your home network "more secure", as advertised.
I was planning on doing a second part on setting up an opnsense firewall, this was just the simpler one that I figured I'd get out of the way first. DNS filtering doesn't do much for security from direct attack, but it does significantly reduce the amount of tracking data that can be gathered on you.
Pi-hole is window curtains and opnsense is the deadbolt.