"Hands Off" Pi-hole Configuration

Recently it has occurred to me that the best approach to certain "appliance-like" devices, such as a Pi-hole, is to configure them as if they were not going to be touched at all for years on end. This has obvious benefits, such as letting people who recognize the need for a Pi-hole, but are not technically savvy enough to keep one running and up to date, actually use one. In practice, this means that the Pi-hole should be installed in the simplest possible configuration and set up to be continually self-updating. That way it continues to operate as intended without human inspection, while still receiving the updates that protect it from security threats. A DNS resolver that every device on the network talks to, and that nobody ever logs into, is exactly the kind of box that has to patch itself.

In general, the approach is fairly simple:

  1. Configure the Raspberry Pi with some really basic tools
  2. Set up unattended-upgrades
  3. Install the pi-hole software
  4. Set up a cron job to upgrade the Pi-hole software on a weekly basis

Initial Configuration

In general, I recommend writing the Raspberry Pi SD card image with Raspberry Pi Imager, which exposes some useful advanced settings: you can give the default user a name other than pi and set a strong password, enable SSH (ideally public-key only, since nobody is going to be typing a password into this box), configure WiFi, and set the proper time zone. That last one is more important than it looks: unattended-upgrades and the cron job below both run on local time, and you want them to update the Pi-hole when you are least likely to be using it, rather than in the middle of the day.

Basic Software Installation

Once the Raspberry Pi is up and running and you have connected to it over SSH, I recommend running the following few incantations (as root) to bring it fully up to date and install a few basic, useful tools:

apt-get update --fix-missing;
apt-get upgrade -y;
apt-get dist-upgrade -y;
apt-get autoremove -y;
apt-get install emacs-nox tmux htop -y;

Unattended Upgrades

Reference: https://www.digitalocean.com/community/tutorials/how-to-keep-ubuntu-22-04-servers-updated

Install unattended-upgrades

apt install unattended-upgrades -y

Check the service status:

systemctl status unattended-upgrades.service

Configuration

Edit the file /etc/apt/apt.conf.d/50unattended-upgrades and uncomment/change the following lines so that they read as shown here:

Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
...
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
...
Unattended-Upgrade::MinimalSteps "true";
...
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...
Unattended-Upgrade::Automatic-Reboot "true";
...
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";

Note that, unlike a typical cloud server that runs on UTC, the time zone is already set correctly if you used Raspberry Pi Imager as noted above, so Automatic-Reboot-Time is local time and there is no need to convert from UTC. Keep in mind that this setting only controls when a pending reboot happens; the upgrade run itself is triggered by the apt-daily-upgrade.timer systemd timer, which on Debian fires around 06:00 local time by default, so override that timer if you also want the upgrades themselves applied at night.

Two caveats on the Origins-Pattern block. The -proposed-updates pattern only has an effect if that suite is in your sources.list; it carries packages staged for the next point release, so leave that line commented out if you do not want less-tested packages applied automatically. More importantly, every pattern above says origin=Debian, but Raspberry Pi OS also pulls packages, including the kernel and firmware, from the Raspberry Pi archive, whose origin is not Debian. Packages from an archive that matches no pattern are never upgraded automatically. Run apt-cache policy to see the origin and label of each configured archive and add a matching pattern for the ones you want covered.

Once you are done editing, restart the daemon with: systemctl restart unattended-upgrades.service

Then confirm the configuration by running unattended-upgrade --dry-run --debug as root: it prints which origins were allowed and which packages would have been upgraded, without changing anything. Also verify that /etc/apt/apt.conf.d/20auto-upgrades enables the periodic run (APT::Periodic::Update-Package-Lists and APT::Periodic::Unattended-Upgrade both set to "1"); if it does not, dpkg-reconfigure -plow unattended-upgrades creates it.
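The Raspberry Pi archive caveat is the kind of thing that fails silently on a hands-off box, so here is a small checker for it. This is an added example, not part of the original post and not code from the unattended-upgrades project: it parses the Origins-Pattern block out of a 50unattended-upgrades file, parses the "release ..." lines that apt-cache policy prints for each configured archive, and reports which archives no pattern covers. The matching rule (split each pattern on commas, every key=value token must fnmatch the archive's field, any single pattern matching is enough) is my reading of how unattended-upgrades evaluates Origins-Pattern. The embedded config and policy text are constructed samples, and the origin/label strings shown for the Raspberry Pi archive are assumed values, so read the real ones from your own apt-cache policy output.

```python
"""Report which APT archives an unattended-upgrades Origins-Pattern block covers.

Added example for this post, not code from the unattended-upgrades project.
The matching rule (comma-separated key=value tokens, each fnmatch'ed against
the archive's Release field, all tokens must match, any pattern suffices) is
my reading of how unattended-upgrades evaluates Origins-Pattern.
"""
import fnmatch
import re

# Constructed sample: the Origins-Pattern block as edited in this post.
CONFIG_TEXT = r'''
Unattended-Upgrade::Origins-Pattern {
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";
//      "o=Debian,a=stable";
};
Unattended-Upgrade::Automatic-Reboot "true";
'''

# Constructed sample of `apt-cache policy` output on a bookworm Raspberry Pi OS
# box. The origin/label strings for the Raspberry Pi archive are ASSUMED values.
POLICY_TEXT = '''
 500 http://deb.debian.org/debian bookworm/main arm64 Packages
     release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=arm64
 500 http://deb.debian.org/debian bookworm-updates/main arm64 Packages
     release o=Debian,a=stable-updates,n=bookworm-updates,l=Debian,c=main,b=arm64
 500 http://security.debian.org/debian-security bookworm-security/main arm64 Packages
     release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=arm64
 500 http://archive.raspberrypi.com/debian bookworm/main arm64 Packages
     release o=Raspberry Pi Foundation,a=stable,n=bookworm,l=Raspberry Pi Foundation,c=main,b=arm64
'''

# Short (apt-cache policy) and long (Origins-Pattern) spellings of each field.
KEY_ALIASES = {"o": "origin", "origin": "origin", "l": "label", "label": "label",
               "a": "archive", "archive": "archive", "suite": "archive",
               "c": "component", "component": "component",
               "n": "codename", "codename": "codename", "site": "site"}


def parse_origins_pattern(config_text):
    """Return the quoted, uncommented patterns inside the Origins-Pattern block."""
    block = re.search(r"Unattended-Upgrade::Origins-Pattern\s*\{(.*?)\};", config_text, re.S)
    if not block:
        return []
    patterns = []
    for line in block.group(1).splitlines():
        line = line.split("//", 1)[0]            # strip apt.conf // comments
        patterns.extend(re.findall(r'"([^"]*)"', line))
    return patterns


def parse_policy_releases(policy_text):
    """Turn each 'release k=v,k=v,...' line from apt-cache policy into a dict."""
    releases = []
    for line in policy_text.splitlines():
        line = line.strip()
        if not line.startswith("release "):
            continue
        fields = {}
        for token in line[len("release "):].split(","):
            key, _, value = token.partition("=")
            fields[KEY_ALIASES.get(key, key)] = value
        releases.append(fields)
    return releases


def pattern_matches(pattern, release, distro_codename):
    """True if every key=value token of the pattern matches the release."""
    pattern = pattern.replace("${distro_codename}", distro_codename)
    for token in pattern.split(","):
        if "=" not in token:
            return False
        key, value = (s.strip() for s in token.split("=", 1))
        field = KEY_ALIASES.get(key)
        if field is None:
            raise ValueError(f"unknown matcher {key!r} in pattern {pattern!r}")
        if not fnmatch.fnmatch(release.get(field, ""), value):
            return False
    return True


def coverage(patterns, releases, distro_codename):
    """Map (origin, codename, label) of each archive to its first covering pattern, or None."""
    result = {}
    for rel in releases:
        key = (rel.get("origin", ""), rel.get("codename", ""), rel.get("label", ""))
        result[key] = next((p for p in patterns if pattern_matches(p, rel, distro_codename)), None)
    return result


def uncovered_archives(config_text, policy_text, distro_codename):
    """Archives that unattended-upgrades would never pull upgrades from."""
    cov = coverage(parse_origins_pattern(config_text), parse_policy_releases(policy_text), distro_codename)
    return sorted(key for key, pat in cov.items() if pat is None)


if __name__ == "__main__":
    # "bookworm" is what ${distro_codename} expands to on this sample box (lsb_release -c).
    cov = coverage(parse_origins_pattern(CONFIG_TEXT), parse_policy_releases(POLICY_TEXT), "bookworm")
    for (origin, codename, label), pat in cov.items():
        print(f"{'covered' if pat else 'IGNORED'}  o={origin!r} n={codename!r} l={label!r}  <- {pat}")
```

Run it as-is to see the constructed sample: the three Debian archives come back covered and the Raspberry Pi archive comes back IGNORED. To check a real box, replace the two embedded strings with the contents of /etc/apt/apt.conf.d/50unattended-upgrades and the output of apt-cache policy; any archive reported as IGNORED needs its own pattern, which you can then confirm with unattended-upgrade --dry-run --debug.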

Pihole Installation/Configuration

curl -sSL https://install.pi-hole.net | bash

The installer prints the web interface password at the end of the wizard, so be sure to record it in your password manager of choice. Piping a script straight from the network into a root shell is a habit worth breaking even for a trusted project; if you prefer, save the installer to a file first, read it, and then run it with bash, which is the alternative the Pi-hole documentation itself offers.

Web Interface Configuration

Web UI -> Settings -> DNS

Upstream DNS Servers:

  • Custom 1: 1.1.1.2
  • Custom 2: 1.0.0.2
  • Custom 3: 8.8.8.8

1.1.1.2 and 1.0.0.2 are Cloudflare's malware-blocking resolvers; 8.8.8.8 is Google's plain resolver and does no filtering. Pi-hole does not send every query to every upstream, so any query that happens to go to 8.8.8.8 is answered unfiltered. Treat the Cloudflare filtering as a bonus rather than a control; the adlists below are the blocking layer you can actually rely on.

Interface Settings: Permit all origins

This makes the Pi-hole answer DNS queries arriving on any interface from any source address, which is what you need if clients sit on other subnets (VLANs, a VPN). It is fine on a home LAN behind NAT, but if port 53 on this box is ever reachable from the internet (a port forward, a public address, an IPv6 prefix with no firewall), you have built an open resolver that can be abused for DNS amplification. If all your clients are on the one subnet the Pi-hole is attached to, the more restrictive "Allow only local requests" setting works just as well.

Use DNSSEC: Checked

Web UI -> Adlists

Add the following adlists by pasting them in (these are the "Malicious Lists" from https://firebog.net/). Each list is fetched and trusted as-is, so a compromised or abandoned list can block domains you need or quietly stop blocking ones you wanted blocked; that is the trade-off of outsourcing the blocklist, and a reason to stick to the curated firebog set rather than collecting random lists:

https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://v.firebog.net/hosts/Prigent-Crypto.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://v.firebog.net/hosts/RPiList-Malware.txt
https://v.firebog.net/hosts/RPiList-Phishing.txt
https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
https://urlhaus.abuse.ch/downloads/hostfile/

Regular Upgrades

Finally, as root, run crontab -e and add the following line to upgrade the Pi-hole software at 3:00 am every Tuesday, an hour after the unattended-upgrades reboot window so the two never overlap:

0 3 * * 2 /usr/local/bin/pihole updatePihole > /var/log/pihole/up.log 2>&1

This updates the Pi-hole core, web interface and FTL components. The adlists themselves are refreshed by the weekly gravity run that Pi-hole installs in /etc/cron.d/pihole, so nothing else is needed for those. The redirect overwrites the log on every run, which is intentional: only the last run's output is kept, and that file is the first place to look if the web interface ever reports an out-of-date version.