qusal/salt/sys-pihole/README.md

114 lines
3.4 KiB
Markdown
Raw Normal View History

2023-11-13 14:33:28 +00:00
# sys-pihole
Pi-hole DNS Sinkhole in Qubes OS.
## Table of Contents
* [Description](#description)
* [Installation](#installation)
* [Usage](#usage)
* [Web interface](#web-interface)
* [Torified Pi-Hole](#torified-pi-hole)
* [Local DNS server](#local-dns-server)
* [DNS issues after netvm restart](#dns-issues-after-netvm-restart)
* [Credits](#credits)
2023-11-13 14:33:28 +00:00
## Description
The package will create a standalone qube "sys-pihole". It blocks
advertisements and internet trackers by providing a DNS sinkhole. It is a drop
in replacement for sys-firewall.
The qube will be attached to the "netvm" of the "default_netvm", in other
words, if you are using Qubes OS default setup, it will use "sys-net" as the
"netvm", else it will try to figure out what is your upstream link and attach
to it.
## Installation
Pi-Hole commits and tags are not signed by individuals, but as they are done
through the web interface, they have GitHub Web-Flow signature. This is the
best verification we can get for Pi-Hole. If you don't trust the hosting
provider however, don't install this package.
* Top:
2023-11-13 14:33:28 +00:00
```sh
sudo qubesctl top.enable sys-pihole browser
sudo qubesctl --targets=tpl-browser,sys-pihole-browser,sys-pihole state.apply
sudo qubesctl top.disable sys-pihole browser
sudo qubesctl state.apply sys-pihole.appmenus
2023-11-13 14:33:28 +00:00
```
* State:
2023-11-13 14:33:28 +00:00
<!-- pkg:begin:post-install -->
2023-11-13 14:33:28 +00:00
```sh
sudo qubesctl state.apply sys-pihole.create
sudo qubesctl --skip-dom0 --targets=tpl-browser state.apply browser.install
sudo qubesctl --skip-dom0 --targets=sys-pihole state.apply sys-pihole.install
sudo qubesctl --skip-dom0 --targets=sys-pihole-browser state.apply sys-pihole.configure-browser
sudo qubesctl state.apply sys-pihole.appmenus
2023-11-13 14:33:28 +00:00
```
2023-11-13 14:33:28 +00:00
<!-- pkg:end:post-install -->
If you want to change the global preferences `updatevm` and `default_netvm`
and the per-qube preference `netvm` of all qubes from `sys-firewall` to
`sys-pihole`, run:
2023-11-13 14:33:28 +00:00
```sh
sudo qubesctl state.apply sys-pihole.prefs
2023-11-13 14:33:28 +00:00
```
## Usage
### Web interface
If you want to view statistics or manage the server through a GUI, open
`sys-pihole` or `sys-pihole-browser` desktop file `pihole-browser.desktop`
from the app menu. Addresses starting with `http` or `https` will be
redirected to `sys-pihole-browser`.
Pi-hole will be installed with the following settings:
2023-11-13 14:33:28 +00:00
* The DNS provider is Quad9 (filtered, DNSSEC)
* Steven Black's Unified Hosts List is included
* Query logging is enabled to show everything.
2023-11-13 14:33:28 +00:00
### Torified Pi-Hole
2023-11-13 14:33:28 +00:00
If you want to combine Pi-Hole with Tor, then you should reconfigure your
netvm chaining (will break tor's client stream isolation) as such:
* qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net
2023-11-13 14:33:28 +00:00
### Local DNS server
If you want sys-pihole to use itself to resolve DNS queries, enable the
service `local-dns-server` from Dom0 to sys-pihole:
```sh
qvm-features sys-pihole service.local-dns-server 1
```
Don't forget to restart sys-pihole after the changes.
Note that if Pi-hole as a problem the host will not not be able to reach the
internet for updates, syncing time etc.
### DNS issues after netvm restart
2023-11-13 14:33:28 +00:00
If you encounter problems with DNS after having upstream netvm route changes,
restart Pi-hole DNS from sys-pihole:
2023-11-13 14:33:28 +00:00
```sh
pihole restartdns
```
## Credits
* [Patrizio Tufarolo](https://blog.tufarolo.eu/how-to-configure-pihole-in-qubesos-proxyvm/)
* [Unman](https://github.com/unman/shaker/tree/main/pihole)