====== Pi-hole ======
The [[https://github.com/pi-hole/pi-hole|Pi-hole]]® is a [[https://en.wikipedia.org/wiki/DNS_Sinkhole|DNS sinkhole]] that protects your devices from unwanted content, without installing any client-side software.
Once the installer has been run, you will need to configure your router to have DHCP clients use Pi-hole as their DNS server, which ensures that all devices connecting to your network will have content blocked without any further intervention.
If your router does not support setting the DNS server, you can use Pi-hole's built-in DHCP server; just be sure to disable DHCP on your router first (if it has that feature available).
As a last resort, you can always manually set each device to use Pi-hole as their DNS server.
Documentation: https://docs.pi-hole.net/\\
Docker image: https://hub.docker.com/r/pihole/pihole/\\
Blog: https://pi-hole.net/blog/
<code bash>
# Update
pihole -up
</code>
===== Installation =====
==== Docker ====
https://github.com/pi-hole/docker-pi-hole
The admin UI is on port 5001, DNS on port 53. To keep the DNS port from conflicting with systemd-resolved on the host, run the following on the host:
<code bash>
sudo sed -r -i.orig 's/#?DNSStubListener=yes/DNSStubListener=no/g' /etc/systemd/resolved.conf
sudo sh -c 'rm /etc/resolv.conf && ln -s /run/systemd/resolve/resolv.conf /etc/resolv.conf'
sudo systemctl restart systemd-resolved
</code>
https://github.com/pi-hole/docker-pi-hole?tab=readme-ov-file#installing-on-ubuntu-or-fedora
If systemd-resolved has been disabled, port 53 must be bound to a specific host address; otherwise other containers will not be able to resolve external names.
<code yaml>
ports:
  - 192.168.1.15:53:53/tcp
  - 192.168.1.15:53:53/udp
</code>
https://discourse.pi-hole.net/t/solve-dns-resolution-in-other-containers-when-using-docker-pihole/31413
<code yaml>
pihole:
  image: pihole/pihole
  container_name: pihole
  restart: unless-stopped
  environment:
    TZ: 'Europe/Moscow'
    WEBPASSWORD: 'Qwerty123456'
    WEB_PORT: 5001
    VIRTUAL_HOST: 'bva.dyndns.info'
    # Upstream resolvers, separated by ';' (one line; shown wrapped here only by the wiki)
    PIHOLE_DNS_: '8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844;208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001'
    # Compose requires environment values to be strings: keep booleans quoted
    DNSSEC: 'true'
    DNSMASQ_LISTENING: 'all'
  ports:
    - 192.168.1.15:53:53/tcp
    - 192.168.1.15:53:53/udp
    - 5001:5001
  volumes:
    - '~/volumes/pihole/pihole:/etc/pihole'
    - '~/volumes/pihole/dnsmasq:/etc/dnsmasq.d'
</code>
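The long PIHOLE_DNS_ value above is easy to break when it is pasted with line wraps or a hostname slips in (Pi-hole only accepts IP addresses, optionally with a ''#port'' suffix). The following added example (not part of Pi-hole or this page's original configuration; the function names are my own) normalises such a value before it goes into the compose file: it strips wrapped whitespace, validates every entry, drops duplicates and rejects anything that is not an address.

```python
import ipaddress


def parse_pihole_dns(value: str) -> tuple[list[str], list[str]]:
    """Split a PIHOLE_DNS_ string into (valid, invalid) upstream entries.

    Pi-hole separates upstreams with ';' and accepts an optional '#port'
    suffix such as '127.0.0.1#5335'. Whitespace and line breaks that a
    wiki or editor may have wrapped into the value are stripped first,
    duplicates are dropped and IPv6 addresses are compressed.
    """
    valid: list[str] = []
    invalid: list[str] = []
    seen: set[str] = set()
    for raw in value.split(";"):
        token = "".join(raw.split())          # remove spaces and newlines
        if not token:
            continue
        host, _, port = token.partition("#")
        try:
            addr = ipaddress.ip_address(host)  # raises on hostnames and typos
            if port and not (port.isdigit() and 0 < int(port) < 65536):
                raise ValueError(f"bad port {port!r}")
        except ValueError:
            invalid.append(token)
            continue
        canon = addr.compressed + (f"#{port}" if port else "")
        if canon not in seen:
            seen.add(canon)
            valid.append(canon)
    return valid, invalid


def to_env_value(value: str) -> str:
    """Return a clean single-line PIHOLE_DNS_ value, or raise on bad entries."""
    valid, invalid = parse_pihole_dns(value)
    if invalid:
        raise ValueError(f"invalid upstream entries: {invalid}")
    return ";".join(valid)


# Constructed sample: a shortened copy of this page's upstream list with the
# same line wraps (note '2606:4700:4700::11' + newline + '11').
WRAPPED_SAMPLE = (
    "8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2620:119:35::35\n"
    ";2620:119:53::53;1.1.1.1;2606:4700:4700::11\n"
    "11;2606:4700:4700::1001"
)

if __name__ == "__main__":
    print(to_env_value(WRAPPED_SAMPLE))
    print(parse_pihole_dns("8.8.8.8;8.8.8.8;dns.google;127.0.0.1#5335;1.1.1.1#0"))
```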
==== Local ====
Installed using Method 2:
<code bash>
# One-Step Automated Install
# Those who want to get started quickly and conveniently may install Pi-hole using the following command:
curl -sSL https://install.pi-hole.net | bash

# Alternative Install Methods
# Piping to bash is controversial, as it prevents you from reading code that is about to run on your system.
# Therefore, we provide these alternative installation methods which allow code review before installation:

# Method 1: Clone our repository and run
git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
cd "Pi-hole/automated install/"
sudo bash basic-install.sh

# Method 2: Manually download the installer and run
wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh
</code>
===== Find out which blocklist a domain is in =====
<code>
root@orangepione:~# pihole -q -exact vk.com
Exact match found in exact whitelist
vk.com
Exact matches for vk.com found in:
- https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_1_Russian/filter.txt
- https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_1_Russian/filter.txt
- https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt
- https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_14_Annoyances/filter.txt
</code>
===== Errors and problems =====
==== Container does not start after a host reboot ====
The problem occurs when the DNS ports are bound to the host IP. Without the IP everything works:
<code yaml>
ports:
  - 192.168.1.15:53:53/tcp
  - 192.168.1.15:53:53/udp
</code>
The network has not fully come up by the time the container is started, so binding the port fails and the start aborts. The following workaround can be used:
<code bash>
# Create an override file for the docker daemon that runs the script before start
systemctl edit docker
</code>
<code ini>
[Service]
# wait for the network to be up
ExecStartPre=/etc/systemd/system/docker.service.d/wait_for_network.sh
</code>
<code bash>
# The script (the \$ escapes keep the variables from expanding while writing the file)
cat << EOF > /etc/systemd/system/docker.service.d/wait_for_network.sh
#!/bin/bash
ipServerAddress="192.168.1.1" # e.g. the router address
cycleLength=1                 # The length of a wait cycle in seconds
timeout=15                    # Maximum number of seconds to wait before giving up
elapsedTime=0
ping -c 1 "\$ipServerAddress" > /dev/null 2>&1
while [ \$? -ne 0 ]; do
    if [ "\$elapsedTime" -ge "\$timeout" ]; then
        # Timeout
        exit 1
    fi
    elapsedTime=\$((elapsedTime + cycleLength))
    sleep "\$cycleLength"
    ping -c 1 "\$ipServerAddress" > /dev/null 2>&1
done
EOF
# Make the script executable
chmod ug+x /etc/systemd/system/docker.service.d/wait_for_network.sh
</code>
https://discourse.pi-hole.net/t/solved-failed-to-allocate-and-map-port-53-53-after-system-restart/64872/6
==== DNSMASQ_WARN: reducing DNS packet size for nameserver XXX.XXX.XXX.XXX to 1232 ====
<code bash>
echo "edns-packet-max=1232" > /etc/dnsmasq.d/99-edns.conf
pihole restartdns
</code>
https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803/9\\
https://discourse.pi-hole.net/t/dnsmasq-warn-reducing-dns-packet-size/51803/41