# "Hands Off" Pi-hole Configuration

Recently it has occurred to me that the best approach to certain "appliance-like" devices, such as a [Pi-hole](https://pi-hole.net/), is to configure them as if they were not going to be touched at all for years on end. This has obvious benefits, such as letting people who recognize the need for a Pi-hole, but are not technically savvy enough to keep one running and up to date, use one anyway.

In practice, this means the Pi-hole should be installed in the simplest possible configuration and set up to be continually self-updating. That way it keeps operating as intended without human inspection, while still receiving the updates that protect it from potential security threats.

In general, the approach is fairly simple:

1. Configure the Raspberry Pi with some really basic tools
2. Set up [`unattended-upgrades`](https://wiki.debian.org/UnattendedUpgrades)
3. Install the Pi-hole software
4. Set up a cron job to upgrade the Pi-hole software on a weekly basis

## Initial Configuration

In general, I recommend writing the Raspberry Pi SD card image with [Raspberry Pi Imager](https://www.easyprogramming.net/raspberrypi/raspberry_pi_imager_advanced_options.php), which provides access to some useful advanced settings, such as giving the default user a name other than `pi` and configuring a good password. On top of that, you can enable SSH (prefer the Imager's public-key-only option over password authentication for a box that will sit on the network unattended), configure WiFi, and set the proper time zone. That last one is actually pretty important: you want `unattended-upgrades` and the cron job to update the Pi-hole software when you are least likely to be using it, rather than in the middle of the day.
### Basic Software Installation

Once the [Raspberry Pi is up and running and you have SSH-ed](https://www.howtogeek.com/768053/how-to-ssh-into-your-raspberry-pi/) into it, I recommend running the following few incantations (as root) to install some basic, useful tools:

```bash
apt-get update --fix-missing
apt-get upgrade -y
apt-get dist-upgrade -y
apt-get autoremove -y
apt-get install -y emacs-nox tmux htop
```

## Unattended Upgrades

*Reference: https://www.digitalocean.com/community/tutorials/how-to-keep-ubuntu-22-04-servers-updated*

Install `unattended-upgrades`:

```bash
apt install unattended-upgrades -y
```

Check the service status:

```bash
systemctl status unattended-upgrades.service
```

(This service mostly exists to let an in-progress run finish cleanly at shutdown; the runs themselves are triggered by the `apt-daily.timer` and `apt-daily-upgrade.timer` systemd timers, which `systemctl list-timers` will show.)

### Configuration

Edit the file `/etc/apt/apt.conf.d/50unattended-upgrades` and uncomment/change the following lines so they read as they do here:

```
Unattended-Upgrade::Origins-Pattern {
        // Codename based matching:
        // This will follow the migration of a release through different
        // archives (e.g. from testing to stable and later oldstable).
        // Software will be the latest available for the named release,
        // but the Debian release itself will not be automatically upgraded.
        "origin=Debian,codename=${distro_codename}-updates";
        "origin=Debian,codename=${distro_codename}-proposed-updates";
        "origin=Debian,codename=${distro_codename},label=Debian";
        "origin=Debian,codename=${distro_codename},label=Debian-Security";
        "origin=Debian,codename=${distro_codename}-security,label=Debian-Security";

        // Archive or Suite based matching:
        // Note that this will silently match a different release after
        // migration to the specified archive (e.g. testing becomes the
        // new stable).
//      "o=Debian,a=stable";
//      "o=Debian,a=stable-updates";
//      "o=Debian,a=proposed-updates";
//      "o=Debian Backports,a=${distro_codename}-backports,l=Debian Backports";
};
...
Unattended-Upgrade::AutoFixInterruptedDpkg "true";
...
Unattended-Upgrade::MinimalSteps "true";
...
Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";
...
Unattended-Upgrade::Remove-Unused-Dependencies "true";
...
Unattended-Upgrade::Automatic-Reboot "true";
...
Unattended-Upgrade::Automatic-Reboot-WithUsers "true";
...
Unattended-Upgrade::Automatic-Reboot-Time "02:00";
```

Two things to check before you walk away from this file. First, these patterns only match packages whose APT origin is `Debian`. Raspberry Pi OS also pulls packages from the Raspberry Pi archives (the kernel, firmware and Pi-specific tooling on the 64-bit image, and essentially the whole distribution on the 32-bit image), and those report a different origin and label. Run `apt-cache policy` and look at the `o=` and `l=` fields on the `release` lines; add a matching `"origin=...,codename=${distro_codename},label=..."` entry for every origin listed there, or those packages will never be upgraded automatically. `unattended-upgrade --dry-run --debug` then shows exactly which packages the patterns select. Second, the `-proposed-updates` line pulls in packages that are queued for the next point release but have not been released yet; on a box nobody is watching, consider leaving that one commented out.

*Note that, unlike the servers in the reference above, the Pi's clock is already in local time if you set the time zone in Raspberry Pi Imager as noted above, so `Automatic-Reboot-Time` needs no UTC conversion.*

Once you're done editing, reload the unattended-upgrades daemon with: `systemctl restart unattended-upgrades.service`

## Pi-hole Installation/Configuration

```bash
curl -sSL https://install.pi-hole.net | bash
```

Piping a download straight into `bash` runs whatever the server sends, unreviewed. If you'd rather look first, Pi-hole's installation docs also describe downloading the installer (or cloning the repository) and running `basic-install.sh` from disk; the result is the same.

The web interface password is generated by the installation wizard and shown at the end of the run, so be sure to record it in your password manager of choice (it can be changed later with `pihole -a -p`).

### Web Interface Configuration

#### `Web UI -> Settings -> DNS`

Upstream DNS Servers:

- Custom 1: `1.1.1.2`
- Custom 2: `1.0.0.2`
- Custom 3: `8.8.8.8`

Interface Settings: `Permit all origins`

Use DNSSEC: Checked

Two caveats on these settings. `1.1.1.2`/`1.0.0.2` are Cloudflare's malware-blocking resolvers, while `8.8.8.8` does no such filtering, so any query that ends up at the Google server is answered without that extra layer; include it only if you want a fallback outside Cloudflare. And `Permit all origins` makes the Pi answer DNS from anywhere it can be reached, which is what you want on a home LAN behind a router, but never forward port 53 from the Internet to this Pi, or you have built an open resolver.

#### `Web UI -> Adlists`

Add the following adlists by pasting them in (these are the malicious lists from https://firebog.net/):

```
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://v.firebog.net/hosts/Prigent-Crypto.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://malware-filter.gitlab.io/malware-filter/phishing-filter-hosts.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://v.firebog.net/hosts/RPiList-Malware.txt
https://v.firebog.net/hosts/RPiList-Phishing.txt
https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
https://raw.githubusercontent.com/AssoEchap/stalkerware-indicators/master/generated/hosts
https://urlhaus.abuse.ch/downloads/hostfile/
```

After saving, run `Tools -> Update Gravity` (or `pihole -g` on the command line) so the new lists are actually downloaded; from then on Pi-hole's own cron job in `/etc/cron.d/pihole` refreshes gravity weekly without any help.

### Regular Upgrades

Set the Pi-hole software to upgrade at 3:00am every Tuesday, an hour after the automatic reboot window so the OS updates have already landed. Run `crontab -e` as root and add:

```
0 3 * * 2 /usr/local/bin/pihole updatePihole > /var/log/pihole/up.log 2>&1
```

Note that `>` overwrites the log every week; use `>>` if you want a history to look back at when something does go wrong.
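Because the `Origins-Pattern` entries in the Unattended Upgrades section above have to match what APT on your particular Pi reports, here is a shell script, added for this write-up and not part of the post or of the unattended-upgrades project, that derives the entries from `apt-cache policy` and writes the settings from that section into a drop-in file instead of hand-editing `50unattended-upgrades`. The drop-in name `52unattended-upgrades-local`, the `APT_CONF_DIR` override and the `--apply` flag are my own choices, and the embedded `apt-cache policy` text is a constructed sample shaped like a 64-bit Raspberry Pi OS install, used only when `apt-cache` is not available.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or from unattended-upgrades):
# derive Origins-Pattern entries from what `apt-cache policy` reports and
# write this post's unattended-upgrades settings into a drop-in file. APT
# reads /etc/apt/apt.conf.d/* in lexical order, so a file named 52... is
# processed after the stock 50unattended-upgrades and overrides it.
set -eu

# Constructed sample of `apt-cache policy` output, shaped like a 64-bit
# Raspberry Pi OS install. Your Pi's real output is what matters; this is
# only here so the script can be exercised on a machine without apt.
SAMPLE_POLICY='Package files:
 100 /var/lib/dpkg/status
     release a=now
 500 http://archive.raspberrypi.com/debian bookworm/main arm64 Packages
     release o=Raspberry Pi Foundation,a=stable,n=bookworm,l=Raspberry Pi Foundation,c=main,b=arm64
     origin archive.raspberrypi.com
 500 http://security.debian.org/debian-security bookworm-security/main arm64 Packages
     release v=12,o=Debian,a=stable-security,n=bookworm-security,l=Debian-Security,c=main,b=arm64
     origin security.debian.org
 500 http://deb.debian.org/debian bookworm/main arm64 Packages
     release v=12.5,o=Debian,a=stable,n=bookworm,l=Debian,c=main,b=arm64
     origin deb.debian.org
Pinned packages:'

# Read `apt-cache policy` on stdin; print one quoted Origins-Pattern entry per
# distinct origin/codename/label triple. Lines without an origin (the local
# dpkg status, "release a=now") are skipped.
origins_from_policy() {
  awk '
    /^[ \t]*release / {
      sub(/^[ \t]*release /, "")
      n = split($0, kv, ",")
      o = ""; cn = ""; l = ""
      for (i = 1; i <= n; i++) {
        if      (kv[i] ~ /^o=/) o  = substr(kv[i], 3)
        else if (kv[i] ~ /^n=/) cn = substr(kv[i], 3)
        else if (kv[i] ~ /^l=/) l  = substr(kv[i], 3)
      }
      if (o != "" && cn != "" && l != "")
        printf "        \"origin=%s,codename=%s,label=%s\";\n", o, cn, l
    }' | sort -u
}

# Write the drop-in into directory $1, taking the Origins-Pattern lines on
# stdin so the two functions compose with a pipe. "#clear" empties the list
# inherited from 50unattended-upgrades; scalar settings simply override it.
write_local_config() {
  local dir=$1
  mkdir -p "$dir"
  {
    echo '// Generated drop-in; overrides /etc/apt/apt.conf.d/50unattended-upgrades'
    echo '#clear Unattended-Upgrade::Origins-Pattern;'
    echo 'Unattended-Upgrade::Origins-Pattern {'
    cat
    echo '};'
    echo 'Unattended-Upgrade::AutoFixInterruptedDpkg "true";'
    echo 'Unattended-Upgrade::MinimalSteps "true";'
    echo 'Unattended-Upgrade::Remove-Unused-Kernel-Packages "true";'
    echo 'Unattended-Upgrade::Remove-Unused-Dependencies "true";'
    echo 'Unattended-Upgrade::Automatic-Reboot "true";'
    echo 'Unattended-Upgrade::Automatic-Reboot-WithUsers "true";'
    echo 'Unattended-Upgrade::Automatic-Reboot-Time "02:00";'
  } > "$dir/52unattended-upgrades-local"
}

main() {
  local conf_dir=${APT_CONF_DIR:-/etc/apt/apt.conf.d}
  local policy
  if command -v apt-cache >/dev/null 2>&1; then
    policy=$(apt-cache policy)
  else
    echo "apt-cache not found; using the constructed sample" >&2
    policy=$SAMPLE_POLICY
  fi
  printf '%s\n' "$policy" | origins_from_policy | write_local_config "$conf_dir"
  echo "Wrote $conf_dir/52unattended-upgrades-local; check what it selects with:"
  echo "  unattended-upgrade --dry-run --debug"
}

# Only touch the system when explicitly asked: sudo bash uu-dropin.sh --apply
if [ "${1:-}" = "--apply" ]; then
  main
fi
```

The generated entries use the literal codename (`bookworm`) rather than `${distro_codename}`; the two are equivalent because unattended-upgrades never moves a machine to a new release on its own, but if you ever dist-upgrade the Pi by hand, rerun the script so the file follows. Run it as root with `--apply`, then `unattended-upgrade --dry-run --debug` to confirm that the Raspberry Pi packages now appear among the candidates.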
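The one-line cron entry above overwrites its log every week and has no way of telling you that an update left the resolver broken, which on a hands-off box means a silent DNS outage. The wrapper below is an added example, not code from the post or from the Pi-hole project, that I would put in that crontab slot instead: it keeps a dated log per run, checks that FTL still answers a query afterwards, and restarts DNS once if it does not. It assumes the Pi-hole v5 command line (`pihole updatePihole`, `pihole status web`, `pihole restartdns`) and `dig` from `dnsutils`; `PIHOLE_BIN`, `LOG_DIR`, `HEALTH_CHECK`, `RESTART_WAIT` and `KEEP_LOGS` are overrides I added so the functions can be exercised against a stub `pihole`.

```shell
#!/usr/bin/env bash
# Added example (not from the original post or the Pi-hole project): cron
# wrapper for the weekly Pi-hole update with a dated log and a post-update
# resolver check. Assumes the Pi-hole v5 CLI; the environment overrides
# below exist so the functions can be tested against a stub `pihole`.
set -u

PIHOLE_BIN=${PIHOLE_BIN:-/usr/local/bin/pihole}
LOG_DIR=${LOG_DIR:-/var/log/pihole}
KEEP_LOGS=${KEEP_LOGS:-8}            # weekly logs to retain
HEALTH_CHECK=${HEALTH_CHECK:-dig}    # "dig" = real query, anything else = pihole status web
RESTART_WAIT=${RESTART_WAIT:-5}      # seconds to give FTL after a restart

log() {
  printf '%s %s\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$*"
}

# Does the resolver on this box still answer? With dig, any reply from FTL on
# 127.0.0.1 counts (dig exits non-zero only when nothing answers); otherwise
# fall back to `pihole status web`, which prints 1 when blocking is enabled.
resolver_healthy() {
  if [ "$HEALTH_CHECK" = dig ] && command -v dig >/dev/null 2>&1; then
    dig +short +time=3 +tries=1 @127.0.0.1 pi.hole >/dev/null 2>&1
  else
    [ "$("$PIHOLE_BIN" status web 2>/dev/null)" = "1" ]
  fi
}

# Keep only the newest $KEEP_LOGS update logs.
prune_logs() {
  ls -1t "$LOG_DIR"/update-*.log 2>/dev/null | tail -n +"$((KEEP_LOGS + 1))" |
    while read -r old; do rm -f "$old"; done
}

# Run the update, then verify. Returns 0 when the resolver is healthy at the
# end and 1 when it is not even after a restart. The update's own exit status
# is logged but does not by itself fail the run: a failed update with a
# working resolver is something to read about next week, not an outage.
weekly_update() {
  mkdir -p "$LOG_DIR"
  logfile="$LOG_DIR/update-$(date +%Y%m%d).log"
  {
    log "starting pihole update"
    rc=0
    "$PIHOLE_BIN" updatePihole || rc=$?
    log "pihole updatePihole exited with status $rc"
    if resolver_healthy; then
      log "resolver check OK"
      result=0
    else
      log "resolver not answering; restarting FTL"
      "$PIHOLE_BIN" restartdns || log "restartdns exited with status $?"
      sleep "$RESTART_WAIT"
      if resolver_healthy; then
        log "resolver OK after restart"
        result=0
      else
        log "resolver STILL not answering; manual attention needed"
        result=1
      fi
    fi
  } >> "$logfile" 2>&1
  prune_logs
  return "$result"
}

# Do the work only when invoked with --run (the cron entry), so that sourcing
# the file for testing does not touch the real Pi-hole.
if [ "${1:-}" = "--run" ]; then
  weekly_update
fi
```

Save it as, say, `/usr/local/sbin/pihole-weekly-update.sh` (a path I chose), `chmod 755` it, and replace the cron line with `0 3 * * 2 /usr/local/sbin/pihole-weekly-update.sh --run`. A non-zero exit from cron is what makes the failure visible: with a working local MTA, cron mails it, and the dated log under `/var/log/pihole/` tells you what happened.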