This is Part 2 of 2 of a blog series based on a workshop created by Nick Kavadias for CryptoAUSTRALIA's Digital Self-Defence Meetup.

Not yet convinced that you need a network-wide ad-blocker? Read Part 1.

Do you have a Pi-hole installed and want to learn about how to take advantage of its advanced features? Read our other articles on Pi-hole.

Nick's Easy 5 Step Plan to set up a Pi-hole

So you are ready to set up a Pi-hole in your home or (small) office network? Just follow my 5 step plan! By the end of this article, you will have Pi-hole running on your network protecting all your devices from advertising, tracking and even malware.

I recently ran several CryptoAUSTRALIA workshops for setting up Pi-hole. The workshop participants used the following instructions. In this article, I have re-written these instructions, with additional screenshots and commentary.

In this article, I assume you have the Raspberry Pi (RPi) hardware and administrative access to your internet router. For further discussion about the requirements for setting up Pi-hole, refer to my first article.

I have tried to write the article with the widest audience in mind. If concepts I introduce are new to you, then chances are I have included a hyperlink to help explain them further. If you get stuck, then you can reach out to the Pi-hole team through Discourse, GitHub, Reddit or Twitter. Or, if you have a specific question for me (I am not a Pi-hole team member, just a keen user), then you can find me on CryptoAUSTRALIA's #Slack team.



Step 1: Get the Raspbian Lite image onto your microSD card

If you have not done so already, download the latest version of the Raspbian Lite operating system, and download and install Etcher.io; you use this software for writing images to card storage. Insert your microSD card into your computer/card reader. Start Etcher. Click 'Select Image' and select the Raspbian Lite zip image you downloaded previously. Click the 'Flash!' button. If you get an error, check that your microSD card reader is not set to 'lock' and that you have downloaded a full copy of the Raspbian image. You may want to check the hashes of the image to ensure you have downloaded it in full.

Once you have flashed the microSD card successfully, Windows may try to reformat the unknown file partition you have created. This is because part of the Raspbian image has an ext4 file system partition. Windows is overzealous about destroying any partitions it does not recognise. DO NOT FORMAT THE PARTITION, click 'Cancel'.

Your computer should now mount a partition created on the microSD card. If you are using Windows and cannot see this partition, start "Computer Management", find the microSD card volume, right-click on the small FAT32 partition and give it a drive letter; I choose 'X'. To get Raspbian to start the Secure SHell daemon (SSHD) on boot, you need to create an empty file called ssh on the boot partition of the microSD card. In Windows, the easiest way to do this is to open Windows Explorer and navigate to the boot partition. Right-click in the root of the folder, select New->Text File Document and then call it ssh (no .txt extension). If you have file extensions hidden, the .txt will still be there. Having file extensions hidden is a bad idea. You should turn this option off. On other operating systems, like Mac OS or Linux, use the terminal to change to the root of the boot partition, and run touch ssh to create the file. Unmount your microSD card cleanly and put the card into your Raspberry Pi (RPi). We are ready to go!

Step 2: Plug your RPi into your network and turn it on

This is genuinely the hardest step in setting up Pi-hole. You will need to plug the RPi into your network, power it on and determine the IP address it received. You need this so that you can ssh into the device and install Pi-hole on it.

Connecting to your network and powering on

Plug the ethernet port from your RPi into your home router/wi-fi access point (AP). Power on the RPi. If you are new to RPis, you will notice that there is no on/off switch; as soon as there's power the RPi will start. I used my home router to power my RPi as the router has a USB port on the back of it. If you don't have a USB port close by and do not have an official RPi power supply, an old 1 amp USB charger will do. Under-powering an RPi running Pi-hole is ok in my experience, but read this warning if you are concerned.



Step 3: Figure out your RPi's IP address

There are several methods for finding the IP address of your RPi. The easiest foolproof method, but also the least convenient, is to plug your RPi into a monitor or TV and take note of the IP address that appears when it boots up (see image below).



If you cannot plug your RPi into a monitor easily (as was the case when I ran the workshops), then try some of the methods below. They are by no means exhaustive. In the workshops I ran, I came across several clever individuals who had either purchased an RPi serial cable, or made their own, or had modified their RPi's MAC address to make it easy to find using an ARP command. If you are not that advanced, try one of the following methods. Once you have an IP address, you can skip to Step 4.

Method 1: Try pinging the default Raspbian hostname

This will only work if the tech Gods are smiling on you (i.e. a working local DNS server which accepts registrations). Do not try this if you have multiple Raspberry Pis on your network and you have not changed their hostnames from the default name of raspberrypi. You may end up installing Pi-hole on the wrong device. To try pinging, open up a Windows Command Prompt, or a Mac OS Terminal and type: ping raspberrypi

With some luck, this may work, and you will get an IP address returned and a ping response from your RPi.



Method 2: Check your router's DHCP table

To be able to use this method you will need to have admin access to your local router, know its IP address and how to log into it. Having admin access to your router is required for Step 5. Some routers will list devices connected to them on the admin panel. The DHCP lease table on my router is below (yours may look different); the Raspberry Pi IP address is the last record.



Method 3: Use an IP network scanner

A network scanner is a useful tool for a network administrator. You can also use it to find your RPi on your network. Personally, for purposes like this I like Angry IP Scanner as it is simple and easy to use.

Angry IP Scanner will try every IP address on your network. If you have a lot of unknown devices on your network, you may want to run it before you plug your RPi in and after, and look for the difference; otherwise, it should be obvious.

Scanning your network with Angry IP Scanner

Download and run the installer. The latest version does require a working Java Runtime Environment (doh!). Click the IP↑ button and select 255...0 as the Netmask range (usually the case), then click Start. You should get results that look something like what is below.



If you are a power user, then go ahead and use your favourite scanning tools like Nmap, Masscan or Arp-scan.

Step 4: Run the Pi-hole installer

Once you have an IP address, you can now connect to your RPi with ssh. At the time of writing, the default username and password for Raspbian is:

username:pi

password:raspberry

If Method 1 above worked for you, then you can connect using the hostname in Terminal on Mac OS, or PuTTY on Windows, i.e. ssh pi@raspberrypi. Otherwise, connect using the IP address instead: ssh pi@192.168.X.Y



(Optional) Once logged in, it is a good idea to run: sudo raspi-config. Using this tool, you can:

change the default password for the pi user;

change the locale to en-au.UTF8 (if you are an Aussie like me, or something else appropriate for you); and

change the hostname from the raspberrypi default.

I recommend you change all three of the above options. You can use the tab or arrow keys to navigate around, and the spacebar/enter keys to toggle options on or off.





Still logged in by ssh to your RPi, you can now run the Pi-hole install command: curl -sSL https://install.pi-hole.net | bash

As an aside, it is generally unwise to pipe from curl to bash. If you wish to geek out about why, read the following article.
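One safer alternative to piping straight into bash, shown here as an added example (not part of the original workshop instructions or the Pi-hole project's code): save the installer to a file, read it, record its SHA-256, and only run the copy that still matches that hash. The file name pihole-install.sh and the helper names sha256_of and run_if_pinned are hypothetical; sha256_of also serves for checking the Raspbian image hash mentioned in Step 1.

```bash
#!/usr/bin/env bash
# Added example: save, review, pin, then run -- instead of curl | bash.

# Print the SHA-256 of a file (sha256sum on Linux, shasum on Mac OS).
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | awk '{print $1}'
    else
        shasum -a 256 "$1" | awk '{print $1}'
    fi
}

# run_if_pinned FILE PINNED_HASH [RUNNER...]
# Executes FILE with RUNNER (default: bash) only if its SHA-256 equals
# PINNED_HASH. Returns 1 if FILE is missing, 2 on a mismatch (nothing runs).
run_if_pinned() {
    local script="$1" pinned actual
    pinned="$(printf '%s' "$2" | tr 'A-F' 'a-f')"   # accept upper-case hex
    shift 2
    [ "$#" -gt 0 ] || set -- bash
    [ -f "$script" ] || { echo "missing: $script" >&2; return 1; }
    actual="$(sha256_of "$script")"
    if [ "$actual" != "$pinned" ]; then
        echo "hash mismatch, refusing to run $script" >&2
        return 2
    fi
    "$@" "$script"
}

# On the RPi (needs network, so shown as comments):
#   curl -sSL https://install.pi-hole.net -o pihole-install.sh
#   less pihole-install.sh                  # read what it will do as root
#   PIN="$(sha256_of pihole-install.sh)"    # hash of the copy you reviewed
#   run_if_pinned pihole-install.sh "$PIN" sudo bash
```

The point of the pin is that the bytes you execute are the bytes you read: a script fetched again later, or on another machine, is refused unless it is identical to the reviewed copy.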

The Pi-hole installer should begin. You will have to use a similar console style navigation of tabs, arrow keys and enter/space bar to navigate the options. If you get stuck at any point, pick the default.

If your device has more than one network interface, you will be prompted to pick an interface. We are using the wired interface, which should be named enxxx or eth0.

Next, you will be asked to pick a DNS provider. This is what Pi-hole will use upstream to satisfy DNS queries. Personally, I like Quad9 as they use cyber threat intelligence feeds to block malicious domains. If you are interested in how malware-blocking public DNS providers perform, please refer to our earlier article.

Next is the option to either accept the existing IP address or set up a static one. Depending on how your network is set up, the best option is to pick something outside of the range your DHCP service on your router will allocate. If this all sounds too hard, then just leave the default Pi-hole has picked for you and you can change it later if necessary.

Select Yes for installing the 'web admin interface' and to 'log queries'.

If you get a prompt detecting a firewall in use, select Yes to install the Pi-hole default rules.

Let the installer do its thing, grab a snack. When you come back you should see the following:

The installation is now complete. Take note of the IP address. If you changed your IP address during the install, you will have to reboot. You can do this using the command sudo reboot. After the installer exits, you may also want to set a different Admin Web Page password. You can do this with the command: pihole -a -p. For other Pi-hole command-line options available, check out this page, or simply run pihole -h

You should now have a functioning Pi-hole server. Before you go ahead and reconfigure your home/office network for all clients (computers, smartphones etc.) to use the server, you can test it out by re-configuring an individual computer to use Pi-hole's DNS service. To do this, change the DNS server on the computer you want to test, to the IP address of the Pi-hole server (which you should have got from the previous step), i.e. usually: 192.168.X.Y. For instructions on how to point your computer to a DNS server manually, refer to:

You can also now log into the Pi-hole Web Admin interface by going to http://pi.hole/admin (if you have manually re-configured DNS on your computer) or http://192.168.x.y/admin where 192.168.X.Y is the IP address you have set for your Pi-hole.



Step 5: Re-configure your router so that Pi-hole is the DNS Server for your network

To have Pi-hole automatically used by all the clients on your network, you have to reconfigure your home/office router to use a different DNS server. If you have never tinkered with the settings on your home router, this may be a little challenging.

Your first step is to find out the IP address of your router and log into it with a web browser.

The Two Choices For Router Configuration

Most users at this point will have to make a choice when it comes to changing the configuration of their router:

Some users may have no choice but to go with the 'red pill' option and have to disable DHCP services on their router because they do not get the option of changing DNS Servers. Let's discuss these options properly.

The Blue Pill: Change the IP address of the DNS Server your router uses

This setting will have minimal impact on your current network setup. By default, most routers will make themselves the DNS Server for clients on the network. By replacing the DNS server that your router uses with Pi-hole's DNS server, it will mean all the devices on your network which get an IP address from the router, will use Pi-hole for DNS. Some routers, like my own, may allow setting the DNS server in the configuration for the DHCP service.

Log into your router as an administrator. Set the primary and secondary DNS server to be the IP address of your Pi-hole you configured in Step 4, i.e. 192.168.X.Y. There are too many different routers to give step-by-step instructions on changing the DNS server settings; if you get stuck, try searching for the model of your router and the phrase "change DNS server settings". Save the setting on the router, reboot all of your devices, and that's it! You've now got the basic Pi-hole ad blocking enabled for your entire network!

TIP: Some routers will want a primary and secondary DNS Server. If your router requires two values, try putting in the IP address of your Pi-hole for both primary and secondary.

If you cannot make the above changes to your router because it has been locked down by your ISP, or the router you are using does not support the option, you will have to choose the 'red pill' option below.

The Red Pill: Disable your router's DHCP service and have Pi-hole take over

DHCP is the protocol used to give out IP addresses to devices on a network. A service running on your router typically does this. You can disable this service on your router, and have Pi-hole take over performing the DHCP service. You may not wish to do this right away, but once you get a feel for the Pi-hole console, this is something you will want to do. On my network, I have Pi-hole take over DHCP so that local network name resolution works appropriately and Pi-hole can identify devices in its audit log by hostname instead of IP address.

Log into the Pi-hole administrator console at http://192.168.x.y/admin where 192.168.X.Y is the IP address you have set for your Pi-hole. Click on the settings menu on the left-hand side. Under settings, there should be a section for turning on the Pi-hole DHCP server. Click the checkbox to enable DHCP. The default settings provided should be ok. Just check that the IP address range makes sense for your network, and that the router address is correct. I personally like setting the DHCP lease time to be at least a week. For further discussion about these settings refer to this page.

Once you have reviewed the DHCP options and clicked enable, click Save. Log into your router and disable DHCP (make sure you do this after you turn on Pi-hole's DHCP). If you get stuck, try searching for the model of your router and the phrase "disable DHCP". Reboot a device on your network, reload the Settings page on your Pi-hole and expand the DHCP leases control; you should see the name of the device you restarted come up in the list. You should now have Pi-hole running DHCP services on your network.

and.. Done!

Congratulations! Your Pi-hole setup is complete.



You can confirm that you are using Pi-hole as your DNS Server by visiting the Pi-hole admin panel using the address: http://pi.hole with your web browser.

Test Pi-hole's ad blocking capability by browsing to your favourite website. There are also several test pages listed here you can try out.

Further Tinkering..

If you want to read how you can take advantage of Pi-hole's more advanced features refer to our previously published articles:

CryptoAUSTRALIA's Favourite Block Lists: You can add additional block lists to Pi-hole for blocking malware, phishing, gambling or porn.

Malware Blocking DNS Services: You can integrate powerful third-party anti-malware and anti-phishing DNS services quite easily into Pi-hole. This article reviews these services and explains how you can configure Pi-hole to use them.

Build a Privacy-respecting and Threat-blocking DNS Server: This article describes how you can build your own threat-blocking DNS service.
