Pi-Hole - The DNS Triangle

Updated: August 14, 2019

The modern Internet is a fairly annoying place. Quite often, innocent activities like reading text or watching videos are interrupted by promotional messages better known as ads. This wouldn't be a problem if the ads were relevant, well-timed, or non-intrusive, but despite much "progress" in artificial intelligence, deep learning and other buzzwords, they are none of those. Then, we have privacy and whatnot.

The battle between ad givers and ad blockers rages on. It's also slowly escalating, as more and more people are turning against the aggressive in-yer-face ad model. For the most part, if you use an adblocking extension in your browser, you're all set. But then, you're at the mercy of the browser company and what they allow, plus this doesn't always work in every browser and/or operating system. The solution is to completely block network requests to ad servers, and this is what Pi-Hole does. Let's review.


Getting started

Pi-Hole is a black hole for Internet advertisers. It's a set of software tools that will block DNS requests to domains identified to be ad serving so your browsing sessions - or any Internet-facing activity for that matter - never includes any advertising. This is a network-level solution, and as such, it should work for all scenarios. The benefits, apart from reduced noise, also include reduced volume of traffic, improved privacy and whatnot.

This got me intrigued, and I decided to set up Pi-Hole. Now, in general, Pi-Hole is designed to be used as an appliance. As its name implies, you might want to use a cheap Raspberry Pi device, install Pi-Hole on it, and then use it as your network filter. Therein lies problem number one - you do need some understanding of networking to be able to configure Pi-Hole correctly. Overall, a complete Pi-Hole solution covers:

So you need to remember that all of the above requires expertise. You cannot just casually plug 'n' play a solution of this nature in your setup. But if you have a nerdy friend, they might be able to do this for you. As to how simple or complicated this is, well, let's continue.

Installation wizard

I downloaded the script and ran it. You get a text-based wizard that is relatively simple to follow. I ran this on KDE neon, and it only installed software from the system repositories, apart from its own components, which come from GitHub.

Install 1

Install 2

Install 3

You need to tell Pi-Hole what DNS to use. For example, you can use your own router, which is typically what Linux systems will be using, something like 192.168.1.1 or 192.168.2.1 or the like. Things are a bit more difficult to understand with systemd in place now, but we will get there. You also have the option to use some of the existing Internet DNS (like Google or CloudFlare). I decided to start with my custom setup.

DNS setup

Like any adblocker, Pi-Hole uses lists to block ads. This is the strongest and the weakest link of the solution, because if the lists are not up to date, happen to be inaccurate, or are badly made, you could have gaps or false positives, where legitimate domains get rejected. But for that matter, this is no different than adblocking via browser extensions, except it's a bit more thorough, hence aggressive. Most browser extensions apply rules only to third-party domains, so the chances of the expected domain not behaving are relatively low. Pi-Hole is meant to be foolproof, and that means it could prevent legit sites from loading.

Lists

Web UI sounds like a nice thing. I had it configured.

Web UI

And that was it. Supposedly, Pi-Hole was installed and configured, and I could use it now.

Did it work?

Nope. I had no Internet connectivity - failure in name resolution. My local system - neon - was using itself as its DNS (or rather the installed Pi-Hole, which was using the router), but it seemed that Pi-Hole was not providing its resolution service.

The problem at this point is - you can't go online as you have no Internet, so if you want to search for answers, you need another machine. I tried uninstalling Pi-Hole, and this was a simple and clean solution, and the connectivity was instantly restored. I installed it again, and got the same results.

I decided to try some command-line checks. Pi-Hole comes with several commands that let you enable it, disable it, start the name resolution service, check status, and the like. It turns out I was having a problem with something called pihole-FTL. Well, all right.

pihole enable
  [i] Enabling blocking
  [✗] pihole-FTL: no process found
  [✓] Pi-hole Enabled

I tried to run pihole-FTL, but it wouldn't start. Well, as it turns out, I needed sudo. Looking at the online documentation, the setup errors aren't that well documented. So it would seem I've gotten past my first hurdle in the configuration.

pihole-FTL
FATAL: Opening of FTL log (/var/log/pihole-FTL.log) failed!
       Make sure it exists and is writeable by user neon

sudo pihole-FTL
FTL started!

But I still had no Internet. I figured the DNS service was still down, so I tried to restart it.

pihole restartdns
  [✗] Failed to start pihole-FTL.service: Unit pihole-FTL.service not found.

From the error, I figured there was no unit file to start the FTL service, or it was borked. Searching online, I learned that the service file needed to be changed. Namely, under /etc/init.d/pihole-FTL, I had to edit a line that invokes FTL from:

su -s /bin/sh -c "/usr/bin/pihole-FTL" "$FTLUSER"

To just this line:

/usr/bin/pihole-FTL

After this, Pi-Hole started without errors.

sudo pihole restartdns
  [✓] Starting DNS service

Pi-Hole wasn't blocking ads

I did have connectivity, but the ads were there. Pi-Hole wasn't doing any filtering. So I decided to access the Web UI and see if I could make any changes and tweaks there. But when I tried to go to the Pi-Hole address, there was no Web server listening. The http://ip-address/admin and http://pi-hole/admin didn't do anything.

I did some more testing on the command line, and as it turned out, the lighttpd service wasn't running, which would explain why I didn't have the Web UI. So it was time to do some more wizardry, and again, the documentation was a bit sparse on this subject. I hit more errors:

sudo systemctl restart lighttpd.service
Job for lighttpd.service failed because the control process exited with error code. See "systemctl status lighttpd.service" and "journalctl -xe" for details.

This time, though, because I did have the Internet, I could search online, and soon found out the reason for the issue. The following thread led me to the right answer - although there is NOTHING in the error logs that would indicate the solution. And here, I'd like to point out, once again, the undecipherable complexity of systemd. I had to search for information in a binary log, and even then, the information was useless.

I was actually missing a package - gamin - and why it isn't installed as a dependency right away, I have no idea. But once I had this installed, lighttpd started just fine, and the Web UI was there for me to explore.

sudo apt-get install gamin

systemctl status lighttpd.service
● lighttpd.service - Lighttpd Daemon
  Loaded: loaded (/lib/systemd/system/lighttpd.service; enabled; vendor preset: enabled)
  Active: active (running) since Thu 2019-05-09 15:34:03 CEST; 2s ago
 Process: 19060 ExecStartPre=/usr/sbin/lighttpd -tt -f /etc/lighttpd/lighttpd.conf (code=exited, status=0/SUCCESS)
Main PID: 19069 (lighttpd)
   Tasks: 6 (limit: 4915)
  CGroup: /system.slice/lighttpd.service
          ├─19069 /usr/sbin/lighttpd -D -f /etc/lighttpd/lighttpd.conf
          ├─19078 /usr/bin/php-cgi
          ├─19079 /usr/bin/php-cgi
          ├─19080 /usr/bin/php-cgi
          ├─19081 /usr/bin/php-cgi
          └─19082 /usr/bin/php-cgi

Web UI running

Web UI login and password

But I still had no ads blocked. So I tried to log in, and realized I had another problem - I couldn't access the admin page where I could actually check all the logs and details, and make changes. Again, searching online, I found out that I had to reset the default password from the command line:

pihole -a -p

I then had access to the Web UI settings. It's a really nice and powerful interface. You get lots of options, including the ability to temporarily stop Pi-Hole, so if you encounter problems, rather than changing everything, you can only pause the filtering. No need to play with DNS settings.

Populate blocklists

And going through the interface, I realized my blocklists were all empty. Yes, this is evident from the main page, but you need to know what you're looking for. Why wouldn't Pi-Hole prompt you to update the lists or actually do this as part of the setup? I ran a manual update from the command line, and the lists were generated.

pihole -g -f

Block lists

All right, did it work?

Yes, now, it was finally working! Pi-Hole was now doing its DNS duty and was also filtering the traffic. I do have to say it was effective and non-intrusive. And if I'm not mistaken, there was even a slight performance boost on the network side, as the system had to handle fewer queries and serve less content. Indeed, even with some innocent browsing, 20% of all queries were blocked. That sounds like a lot. But it also highlights the current situation of the modern Internet. The fact there are over 100,000 domains on the blocklist also tells its part of this sad story. It also explains the gentle latency improvement.

Working

Conclusion

At the end of the day, I had Pi-hole running, but the setup was far from trivial. There were four or five cardinal problems, and none of these should have happened, because the installation wizard could have gone through separate checks to make sure things were working. Part of the first-time run could be the service check, and if there are issues there, some sort of self-diagnosis to make sure FTL is up and running. The same applies to the Web service. Then, there's the password reset and list update. All of these would make the experience much more streamlined.
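The self-diagnosis described above, written out as an added example (my own script, not part of the article or of the Pi-hole project): it probes, in order, the four things that were broken during this install. The host address, the blocked test domain and the gravity list path are assumptions, settable through environment variables.

```shell
#!/bin/sh
# Added example (not from the article or the Pi-hole project): a post-install
# self-check for the four things the article found broken in turn: FTL process,
# name resolution, lighttpd Web UI, empty blocklists. Run: sh pihole-check.sh --run
# Assumptions: Pi-hole listens on PIHOLE_HOST; BLOCKED_DOMAIN is a name you know
# is on your own blocklist (default is a constructed placeholder); GRAVITY_LIST
# is the 2019-era list file path.
PIHOLE_HOST="${PIHOLE_HOST:-127.0.0.1}"
BLOCKED_DOMAIN="${BLOCKED_DOMAIN:-ads.example.invalid}"
GRAVITY_LIST="${GRAVITY_LIST:-/etc/pihole/gravity.list}"
# Classify a resolver answer for a domain that should be blocked.
# $1 = first line of `dig +short` output, $2 = dig's exit status. dig exits
# non-zero when no server replies (the article's first symptom, "failure in
# name resolution"); an empty answer (NXDOMAIN) or the 0.0.0.0/:: sinkhole
# means Pi-hole blocked the name; any other address means it went through.
classify_answer() {
    if [ "$2" -ne 0 ]; then echo "resolver-down"; return 0; fi
    case "$1" in
        ""|0.0.0.0|::) echo "blocked" ;;
        *)             echo "not-blocked" ;;
    esac
}

# A blocklist file is usable only if it exists and holds entries; the
# article's lists stayed empty until `pihole -g -f` was run.
gravity_state() {
    [ -s "$1" ] || { echo "empty"; return 0; }
    echo "ok ($(wc -l < "$1" | tr -d ' ') entries)"
}

run_checks() {
    if pgrep -x pihole-FTL >/dev/null 2>&1; then
        # The init-script edit in the article removes the su to $FTLUSER,
        # so report which account FTL actually ended up running as.
        echo "FTL: running as $(ps -o user= -C pihole-FTL | head -n 1)"
    else
        echo "FTL: not running (try: sudo pihole restartdns)"
    fi
    answer=$(dig +short @"$PIHOLE_HOST" "$BLOCKED_DOMAIN" 2>/dev/null); status=$?
    first=$(printf '%s\n' "$answer" | head -n 1)
    echo "DNS ($BLOCKED_DOMAIN): $(classify_answer "$first" "$status")"
    if curl -fsS -m 5 -o /dev/null "http://$PIHOLE_HOST/admin/"; then
        echo "Web UI: reachable"
    else
        echo "Web UI: down (see: systemctl status lighttpd.service)"
    fi
    echo "Blocklist: $(gravity_state "$GRAVITY_LIST")"
}
case "${1:-}" in --run) run_checks ;; esac
```

A "not-blocked" DNS result with a populated blocklist means the client is not actually asking Pi-hole, which is the first thing to verify before touching any lists.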

As a product, Pi-Hole is a very nice and powerful tool. It does its job extremely well, it's fast, effective and robust, and the Web UI is nicely designed. You also gain some on the traffic side, as there's less content that needs to be served, and fewer queries to be resolved, hence performance improvement for the stuff that matters. The setup isn't trivial but it is achievable, and you have a lot of flexibility in how you wire up your network. You could have Pi-Hole as a standalone system, or it could serve all the different devices in your home. All in all, this is the doomsday weapon for if and when the Internet turns rogue on you. Well worth testing, but remember the second rule of thermodynamics. You can't have trivial and complex at the same time.

Cheers.