# sys-pihole

Pi-hole DNS Sinkhole in Qubes OS.

## Table of Contents

* [Description](#description)
* [Installation](#installation)
* [Usage](#usage)
  * [Web interface](#web-interface)
  * [Torified Pi-Hole](#torified-pi-hole)
  * [Local DNS server](#local-dns-server)
  * [DNS issues after netvm restart](#dns-issues-after-netvm-restart)
* [Credits](#credits)

## Description

The package will create a standalone qube "sys-pihole". It blocks
advertisements and internet trackers by providing a DNS sinkhole. It is a
drop-in replacement for sys-firewall.

The qube will be attached to the "netvm" of the "default_netvm". In other
words, if you are using the Qubes OS default setup, it will use "sys-net" as
the "netvm"; otherwise it will try to figure out what your upstream link is
and attach to it.

## Installation

Pi-Hole commits and tags are not signed by individuals, but as they are made
through the web interface, they carry the GitHub Web-Flow signature. This is
the best verification we can get for Pi-Hole. If you don't trust the hosting
provider, however, don't install this package.

- Top:

```sh
qubesctl top.enable sys-pihole browser
qubesctl --targets=tpl-browser,sys-pihole-browser,sys-pihole state.apply
qubesctl top.disable sys-pihole browser
qubesctl state.apply sys-pihole.appmenus
```

- State:

<!-- pkg:begin:post-install -->
```sh
qubesctl state.apply sys-pihole.create
qubesctl --skip-dom0 --targets=tpl-browser state.apply browser.install
qubesctl --skip-dom0 --targets=sys-pihole state.apply sys-pihole.install
qubesctl --skip-dom0 --targets=sys-pihole-browser state.apply sys-pihole.configure-browser
qubesctl state.apply sys-pihole.appmenus
```
<!-- pkg:end:post-install -->

If you want to change the global preferences `updatevm` and `default_netvm`
and the per-qube preference `netvm` of all qubes from `sys-firewall` to
`sys-pihole`, run:

```sh
qubesctl state.apply sys-pihole.prefs
```

## Usage

### Web interface

Pi-hole will be installed with these default settings:

- The DNS provider is Quad9 (filtered, DNSSEC)
- Steven Black's Unified Hosts List is included
- Query logging is enabled to show everything

You can change the settings via the admin interface:

- URL: http://localhost/admin
- There is no password (access is allowed only through localhost)

If you want to view statistics or manage the server through a GUI, open the
`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
from Dom0. Addresses starting with `http` or `https` will be redirected
to `sys-pihole-browser`.

The browser is separated from the server to avoid browsing malicious sites
and exposing the browser to the network on the same machine the server is
running on. The browser qube is offline and only has access to the admin
interface. It still has control over the server functions, though: if the
browser is compromised, it can compromise the server.

### Torified Pi-Hole

If you want to combine Pi-Hole with Tor, you should reconfigure your netvm
chaining (this will break Tor's client stream isolation) as such:

- qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net

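As an added example (not part of this package), a small dom0 shell helper that walks a qube's `netvm` chain with `qvm-prefs` and checks it against an expected chain, such as the torified layout above. It assumes the Tor gateway is named `sys-whonix` (the Qubes default) and that `qvm-prefs <qube> netvm` prints the upstream qube name, or nothing when the qube has no netvm; `QVM_PREFS` lets the lookup be swapped for a stub outside dom0.

```sh
#!/bin/sh
# Verify a qube's upstream netvm chain from dom0.
# QVM_PREFS defaults to the real qvm-prefs; point it at a stub for testing.
QVM_PREFS="${QVM_PREFS:-qvm-prefs}"

# upstream_of QUBE: print the netvm of QUBE, or nothing if it has none.
upstream_of() {
    "$QVM_PREFS" "$1" netvm 2>/dev/null
}

# netvm_chain QUBE: print the upstream qubes, space separated, starting at
# QUBE's netvm and ending at the qube that has no netvm.
# Returns 1 if a loop is detected (a qube would appear twice).
netvm_chain() {
    cur="$1"; seen=" $1 "; chain=""
    while :; do
        cur=$(upstream_of "$cur") || cur=""
        [ -n "$cur" ] || break
        case "$seen" in
            *" $cur "*) printf '%s\n' "$chain"; return 1 ;;
        esac
        seen="$seen$cur "
        chain="${chain:+$chain }$cur"
    done
    printf '%s\n' "$chain"
}

# check_chain QUBE EXPECTED: succeeds only when QUBE's chain equals EXPECTED
# exactly (same qubes, same order, nothing missing or extra).
check_chain() {
    actual=$(netvm_chain "$1") || return 1
    [ "$actual" = "$2" ]
}

# Usage from dom0 for the torified layout, with sys-whonix as Tor gateway
# (assumed name, replace with your own Tor gateway qube):
#   check_chain work "sys-pihole sys-whonix sys-firewall sys-net" && echo OK
```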
### Local DNS server

If you want sys-pihole to use itself to resolve DNS queries, enable the
service `local-dns-server` from Dom0 on sys-pihole:

```sh
qvm-features sys-pihole service.local-dns-server 1
```

Don't forget to restart sys-pihole after the changes.

Note that if Pi-hole has a problem, the host will not be able to reach the
internet for updates, syncing time, etc.

### DNS issues after netvm restart

If you encounter problems with DNS after upstream netvm route changes,
restart the Pi-hole DNS from sys-pihole:

```sh
pihole restartdns
```

## Credits

- [Patrizio Tufarolo](https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/)
- [Unman](https://github.com/unman/shaker/tree/main/pihole)