How to configure or Pi-Hole Plus DNSCrypt on Raspberry Pi 4 - Derek Seaman's IT Blog (2023)

To use: Updated 6/28/2020 to include Gravity Sync and macOS/iOS Pi Hole Control apps.

To use:Updated 11/15/2019 for optional use ofSiguienteDNS.ioDNS analysis and filtering service.

To use:Updated 11/1/2019 for anonymous DNS settings, added firmware update procedure for Raspberry Pi 4, and removed apt package to free up more disk space.

Lately, I've become more and more aware of the lack of privacy on the internet, let alone on sites that are full of ads or malware. Or your ISP is spying on every website you visit via clear-text DNS queries. I wanted an ad and malware blocker for my entire home network and a fully encrypted DNS.

After some research, I quickly discovered that Pi-hole was a very popular, robust, and free (software) solution for DNS filtering, and that DNSCrypt is great for keeping your DNS queries private. Both can run on a variety of platforms, but I wanted something relatively inexpensive, small and simple. So, after a long search, I decided on a Raspberry Pi 4 B. This could run on a Synology NAS, but the guide I found was quite complex and error-prone.

Now there are many configuration guides for Raspberry Pi, Pi-Hole and DNSCrypt on the internet. However, many of them were out of date, missing steps, or not as complete as I would have liked. Then I make my own version that I previously set up on my network. Also, I have the Eero WiFi Mesh Routers, so I have some advice on those setups as well.

I didn't have an RPi at home (I know I'm a bad geek). so i foundthis complete package on Amazon for $99🇧🇷 This package includes the Raspberry Pi 4 B, 4 GB RAM, case, power supply, memory card, HDMI cable and heatsink. You don't have to buy this exact package, nor does it have to be an RPi 4 B. The hardware requirements for Pi-Hole and DNSCrypt are minimal, so just about any Raspberry Pi will do. I wanted the high end model so I can reuse it in the future if I need to or install more services like a VPN server.

For those unfamiliar with Pi-Hole, it's basically an open source DNS server, but not a DNS resolver. What is the difference? Pi-Hole serves DNS queries for your local network, but needs to contact an upstream DNS server for resolution. It does not connect to root DNS servers. Pi-Hole has a predefined list of upstream DNS servers that you can use, or you can add your own. In my case, I point the Pi-Hole at my Eero Secure WiFi Gateway as it encrypts and forwards DNS queries to an upstream resolver while applying more ad and malware filters. If you don't have an Eero Wifi Mesh, you can use DNScrypt to encrypt requests and forward them to a resolver. More on that later.

Pi-Hole works with blacklists and whitelists. There are several sources for these lists and it is (mostly) up to you to locate and import the lists. Pi-Hole has some built-in lists from which you can block over 100,000 domains. Blocking more domains is not always better as it can break legitimate websites. In my case, I blocked about 2.4 million domains, but I had a decent learning curve to whitelist some domains I needed access to. You can customize block lists to suit your needs (e.g. block pornography, Facebook, malware, gambling, etc.).

Pi-Hole can block every DNS request it receives, but it can't always point every device on your network to Pi-Hole's DNS server. For example, some devices like Chromcast and IoT have hardcoded DNS servers that completely bypass pi-hole locks without any additional configuration. Eero can safely intercept these requests and filter them through its blacklist, but it doesn't forward the requests to your Pi-Hole instance. For that, you need something like a Ubiquiti Edge Router X with a specific configuration to intercept these "fake" DNS requests and forward them to the Pi-Hole.

1. Download the latest version ofRaspberry Pi Operating System.I received the "Recommended Desktop and Software" package. DO NOT unpack.

2. Download and installgrabador.io, which we will use to write the Raspbian Lite image to the SD card. There are versions for PC and Mac.

3. Connect your card reader and insert the microSD card. Attention: The content will be overwritten!

4. Start Etcher, click "choose the photo" and browse to the downloaded Raspbian Lite zip file.

5. Click "The blink!" and wait for the ZIP file to be written to the memory card and validation to complete. If an error occurs, check that the card/card reader is not blocked. If not, the download may be blocked, corrupted or incomplete Try it download the Raspbian Lite zip file again.

6. If you are doing this on a Windows computer, a pop-up window may appear asking you to format a drive. This is wrong and just clickCancel.

7. There is a small Fat32 partition on which we need to create a zero byte file calledsch🇧🇷 On Windows, open a command prompt, CD to the Fat32 partition, and type the following command (ignore the output error...expected). If you don't see a drive letter associated with the Fat32 partition, open Disk Management and assign it a letter. Log in:

.>sch

8. If you are on a Mac computer, go to the Fat32 partition (eg cd /Volumes/boot) and type:tocar ssh
If the boot partition is not mounted, remove the microSD card from its reader and reinsert it.

9. Cleanly disconnect the microSD card. Yes, just do not pull! Insert the microSD card into the Raspberry Pi.

7. For added security and to receive automatic updates, we will install updates unattended.

sudo apt-get install unattended updates

sudo nano /etc/apt/apt.conf.d/50unattended-upgrades

Add the following two lines just after the origin-Debian section and comment out the Debian lines.

"source=Raspbian,codename=${distro_codename},label=Raspbian";
"source=Raspberry Pi Foundation,codename=${distro_codename},label=Raspberry Pi Foundation";

Now we need to edit another file:

sudo nano /etc/apt/apt.conf.d/20auto-upgrades

Delete the existing lines and paste them into:

APT::Periodic::Update-Package-Lists "1";
APT::Periodical::Download-Update-Pakete "1";
APT::Periodic::Unattended update "1";
APT::Newspaper::Detailed "1";
APT::Periodical::AutocleanInterval "7";

To enable unattended updates, type:

sudo dpkg-reconfigure --priority=less unattended updates

Occasionally, a new EEPROM (firmware) for the Raspberry Pi 4 may become available. This will install an automatic updater and keep you on the latest firmware version. Run these commands below. If it says an update is needed, just restart your RPI withrestart sudoand the update will be installed.

Update sudo apt
sudo apt update complete
sudo apt install rpi-eeprom
sudo rpi-eeprom-update

Wolfram and Libreoffice are space hogs on the Raspberry Pi 4 and you probably won't need them. Also, this will make your backups bigger, so let's get rid of them. This saves over 1GB of storage space. If you want, skip this section.

sudo apt-get remove --purge wolfram-engine
sudo apt-get remove --purge libreoffice*
sudo apt-get clean
sudo apt-get delete automatically

1. SSH into your RPi and type:

curl -sSL https://install.pi-hole.net | pretendido

Step through the text-based wizard and accept all default values. When asked which DNS server to use, pick the one you are most comfortable with. We'll be installing and configuring DNSCrypt later in this blog post, so it doesn't matter what you choose now. Be sure to enter the management console password at the end of the installation wizard.

2. There are many blacklists, but here are a few that should generate around 1.7 million blocked domains. Enter the Pi-Hole (http://your IP address/Management), Click inthe settings, laterSperrlists🇧🇷 At once, paste the list below and click 'save and update🇧🇷 For a good discussion about more blacklisting you can visit the PI-Hole forumhere.

https://blocklist.site/app/dl/malware
https://blocklist.site/app/dl/ransomware
https://blocklist.site/app/dl/tracking
https://blocklist.site/app/dl/fraud
https://blocklist.site/app/dl/phishing
https://v.firebog.net/hosts/AdguardDNS.txt
https://1hos.cf
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://hosts-file.net/grm.txt
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://v.firebog.net/hosts/BillStearns.txt
https://adaway.org/hosts.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://raw.githubusercontent.com/quidsup/notrack/master/trackers.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://dbl.oisd.nl/

3. After browsing the web a bit, I found that the Facebook comments were a bit broken with all the blocks. So I had to add the following two whitelist entries for comments to fully work:

b-graph.facebook.com
grafik.facebook.com

4. If you've used all of the blocklists above, be prepared to troubleshoot any apps or websites that don't work due to blocked domains. If you find a website or app that is not working, check the Pi-Hole logs for blocked domains and try whitelisting them one by one and test your website/app again to see what fixes the problem . 🇧🇷

Note: If you are using the Eero Wi-Fi mesh system, read about DNSCrypt and secure Eero at the end of this blog post. If you're using secure Eero, you don't need DNSCrypt. If you are not using secure Eero, go ahead and install DNSCrypt. Also if you want to useSiguienteDNS.ioFor an additional layer of security and DNS filtering (highly recommended), read this section and follow the instructions later in this section.

1. Enter the following commands to perform a basic installation of DNSCrypt. As this blog post ages, the exact download path WILL CHANGE. Check the list of latest versionshereand modify the wget and tar commands as needed to use the latest binary.

cd / opt

Add one or more servers under Global Settings. I like the DNSCloak iOS app for analyzing the huge number of servers you can use. For example, you can look for DNS servers that block ads, support Doh (DNS over HTTPS), show locations, etc. I like AdGuard DOH. You can also check the list of public DNSCrypt servershereand select one or more that meet your needs. Note: If you want to use the DNSNext.io service, just leave the default servers here and we'll configure that later in this section.

server_names = ['adguard-dns']

Under Local Address List, change the port number to anything above 1024. In this example, I'm using 5350. Pi-Hole uses port 53 (default for DNS), so we need to use a custom port number for DNSCrypt.

listen_addresses = ['127.0.0.1:5350', '[::1]:5350']

change the following:

require_dnssec = wahr
require_nofilter = false
cache = wrong(We will use the Pi-hole cache)

DNS Anyonmized is a new feature in recent versions of DNSCrypt. If you want to use this feature, scroll to the bottom of the TOML file. For server_name, add the same server name used above. For "via" servers, check the list of relayshereand choose a pair that meets your needs. I used servers very close to my house. You may want to use servers in another country or have other specific needs.To use:If you plan to use the NextDNS.io service, you don't want to anonymize your queries, so don't configure this section.

If you want to use NextDNS.IO service with DNS encryption, it's very easy. This provides a second layer of DNS filtering and protection. They also offer great analytics and stats for your network. If you don't want to use NextDNS.io, skip this section.

1. Log into your NextDNS account and clickAttitudeTab. Locate the dns stamp section of sdns under EndPoints and copy the string sdns to the clipboard.

2. Im DNSCryptdnscrypt-proxy.tomlfile is looking for the[static]section down. Add the following lines using your custom sdns stamp string that is on the clipboard.

[static.'NextDNS-Custom']
Stamp = 'sdns://xxxxxxxxxxxxx'

3. At the top of the DNSCrypt configuration file, change theServersline so that it exactly matches the static name used earlier.

server_names = ['NextDNS-Custom']

4. Save the configuration file and exit the editor.

1. We now need to launch and test the service to ensure it is working before configuring the Pi-Hole for use.

sudo ./dnscrypt-proxy -install service
sudo ./dnscrypt-proxy(Make sure the server is running without errors, then Ctrl-C to stop)
sudo ./dnscrypt-proxy -startup service
sudo systemctl status dnscrypt-proxy

Lossudo ./dnscrypt-proxyThe command provides detailed boot information and returns any errors found.sudo systemctl status dnscrypt-proxyit does the same for DNScrypt when started as a service. Both should have the same output as shown below. If the anonymous setting is configured correctly, these relay servers will appear in the DNSCrypt output.

To run a quick test that DNSCrypt can perform name resolution, type:

./dnscrypt-proxy -resolve www.aol.com

2. If you configured the Raspberry Pi to a static IP address, you can change the DNS server to point to localhost so that all DNS requests from the Raspberry Pi are filtered and encrypted. Locate the eth0 section and change the DNS server to127.0.0.1.

sudo nano /etc/dhcpcd.conf

Both AOL results must return valid public IP addresses. XP.apple.com address should NOT work and will only give 0.0.0.0 as it is blacklisted. If Apple's address returns a valid public IP, then something is wrong.

The final step is to reconfigure your network to use the new Pi-Hole DNS server. First, any device with a static IP address must change its DNS to use only the RPi address. Second, if your network uses DHCP (most home networks do), you will need to reconfigure your router/DHCP to use the new pi-hole DNS server. The exact steps vary widely, so I can't cover every option here. I'm using the Eero Mesh Wi-Fi system, so it's easy to open the Eero app and gonetwork settings,Advanced Settings,DNS,custom dnsand enter the IP address of the Pi-Hole. The mesh is then restarted. After the router reboots, open a command prompt or shell on your computers and do several searches:

nslookup www.aol.com(should return real addresses)
nslookup xp.apple.com(should return 0.0.0.0 as it is locked)

If allowed lookups work and blocks work as well, your device is fully using Pi-Hole and DNSCrypt. Congratulations.

Now that you've spent a few hours configuring your Raspberry Pi 4, you might want to back up your work. For Mac and Windows users, I like it a lotApple Pi Baker🇧🇷 Just launch Apple Pi Baker, shut down your RPi cleanly (sudo off -h now), remove the microSD card and insert it into your computer's reader. Then launch Apple Pi Baker and download the contents in a ZIP file. Viola... Now you have a complete Raspberry Pi backup file that you can always restore in the future.

12.Gravity Syncis a free project on Github that allows synchronizing some of the configuration settings (eg the blacklist) between two instances of Pihole 5.0. Setup is very easy and only takes a few minutes. Highly recommended for Pihole 5.0 redundant situations.

13🇧🇷 Pi-Hole Applications. If you're in the Apple ecosystem and want basic control over your Pi-hole instances (e.g. temporarily disable them, monitor stats, etc.), there are quite a few macOS and iOS apps to choose from. For macOS I suggestPiBarÖmonitored🇧🇷 For iOS and Apple Watch I recommendPi-hole remote control.

As you can see in this post, setting up a Raspberry Pi, Pi-Hole, and DNSCrypt involves a bit of manual configuration. However, you should be able to do this in an afternoon if you don't have any major issues. If you think all this is too much work and want something simpler, check out the Eero Mesh Wi-Fi System. It has a feature called Eero Secure that intercepts and encrypts all DNS requests and forwards them to a curated DNS server that blocks a large number of ads, malware and tracking websites.

Using Eero Secure is much easier than setting up Pi-Hole and DNSCrypt, but it doesn't offer the ability to create custom blacklists, whitelists, or anonymous DNS. For the average consumer, Eero Secure is the best option, but for super nerdy people, Pi-Hole and DNSCrypt work just fine.

To use:You may have devices with encrypted DNS servers like Chromecast on your network. They bypass your orifice without further work. You can capture these DNS queries and forward them to Pi-Hole/DNSCrypt by following my blog post:
Redirect hardcoded DNS to Pi-hole with Ubiquiti EdgeRouter