qusal/salt/sys-pihole
Ben Grande ab044c15b1
feat: bump Pi-Hole version
Many of the Pi-Hole releases of this year were made due to security
vulnerabilities. None of them are to concern to Qusal users.

- GHSA-jg6g-rrj6-xfg6: Requires authenticated user;
- GHSA-95g6-7q26-mp9x: Requires authenticated user; and
- GHSA-3597-244c-wrpj: Requires shell in the same qube running Pi-Hole.

The admin interface is only allowed through localhost, therefore only
sys-pihole and sys-pihole-browser qubes have access to it, blocked by
firewall (nftables) and HTTP server (lighttpd). Qubes with access to the
admin interface are not of a concern, we assume that every qube that has
access to the admin interface is trusted, therefore, only if a qube
doesn't have access to the admin interface and can gain access, it
becomes a concern, which hasn't happened.
2024-07-07 15:26:52 +02:00
..
files feat: use ip interface group for faster evaluation 2024-07-05 12:00:22 +02:00
appmenus.sls refactor: initial commit 2023-11-13 14:33:28 +00:00
appmenus.top refactor: initial commit 2023-11-13 14:33:28 +00:00
configure-browser.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
configure-browser.top refactor: initial commit 2023-11-13 14:33:28 +00:00
create.sls refactor: prefer systemd sockets over socat 2024-06-25 22:16:26 +02:00
create.top refactor: initial commit 2023-11-13 14:33:28 +00:00
init.top refactor: initial commit 2023-11-13 14:33:28 +00:00
install.sls feat: bump Pi-Hole version 2024-07-07 15:26:52 +02:00
install.top refactor: initial commit 2023-11-13 14:33:28 +00:00
prefs.sls chore: copyright update 2024-01-29 16:49:54 +01:00
prefs.top refactor: initial commit 2023-11-13 14:33:28 +00:00
README.md doc: lint markdown files 2024-07-04 17:27:31 +02:00
version fix: generate RPM Specs for Qubes Builder V2 2024-06-21 17:00:06 +02:00

sys-pihole

Pi-hole DNS Sinkhole in Qubes OS.

Table of Contents

Description

The package will create a standalone qube "sys-pihole". It blocks advertisements and internet trackers by providing a DNS sinkhole. It is a drop in replacement for sys-firewall.

The qube will be attached to the "netvm" of the "default_netvm", in other words, if you are using Qubes OS default setup, it will use "sys-net" as the "netvm", else it will try to figure out what is your upstream link and attach to it.

Installation

Pi-Hole commits and tags are not signed by individuals, but as they are done through the web interface, they have GitHub Web-Flow signature. This is the best verification we can get for Pi-Hole. If you don't trust the hosting provider however, don't install this package.

  • Top:
sudo qubesctl top.enable sys-pihole browser
sudo qubesctl --targets=tpl-browser,sys-pihole-browser,sys-pihole state.apply
sudo qubesctl top.disable sys-pihole browser
sudo qubesctl state.apply sys-pihole.appmenus
  • State:
sudo qubesctl state.apply sys-pihole.create
sudo qubesctl --skip-dom0 --targets=tpl-browser state.apply browser.install
sudo qubesctl --skip-dom0 --targets=sys-pihole state.apply sys-pihole.install
sudo qubesctl --skip-dom0 --targets=sys-pihole-browser state.apply sys-pihole.configure-browser
sudo qubesctl state.apply sys-pihole.appmenus

If you want to change the global preferences updatevm and default_netvm and the per-qube preference netvm of all qubes from sys-firewall to sys-pihole, run:

sudo qubesctl state.apply sys-pihole.prefs

Usage

Web interface

If you want to view statistics or manage the server through a GUI, open sys-pihole or sys-pihole-browser desktop file pihole-browser.desktop from the app menu. Addresses starting with http or https will be redirected to sys-pihole-browser.

Pi-hole will be installed with the following settings:

  • The DNS provider is Quad9 (filtered, DNSSEC)
  • Steven Black's Unified Hosts List is included
  • Query logging is enabled to show everything.

Torified Pi-Hole

If you want to combine Pi-Hole with Tor, then you should reconfigure your netvm chaining (will break tor's client stream isolation) as such:

  • qube -> sys-pihole -> Tor-gateway -> sys-firewall -> sys-net

Local DNS server

If you want sys-pihole to use itself to resolve DNS queries, enable the service local-dns-server from Dom0 to sys-pihole:

qvm-features sys-pihole service.local-dns-server 1

Don't forget to restart sys-pihole after the changes.

Note that if Pi-hole as a problem the host will not not be able to reach the internet for updates, syncing time etc.

DNS issues after netvm restart

If you encounter problems with DNS after having upstream netvm route changes, restart Pi-hole DNS from sys-pihole:

pihole restartdns

Credits