
Pihole

$ git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole
$ cd "Pi-hole/automated install/"
$ sudo bash basic-install.sh

1. Unbound

2. OR DNSMasq

Unbound

# recursive DNS server solution
$ sudo apt install unbound dnsmasq
$ wget -O root.hints https://www.internic.net/domain/named.root
$ sudo mv root.hints /var/lib/unbound/
# configure unbound
$ sudo nano /etc/unbound/unbound.conf.d/pi-hole.conf
  </etc/unbound/unbound.conf.d/pi-hole.conf>
  server:
      # If no logfile is specified, syslog is used
      # logfile: "/var/log/unbound/unbound.log"
      verbosity: 0
      port: 5353
      do-ip4: yes
      do-udp: yes
      do-tcp: yes
      # May be set to yes if you have IPv6 connectivity
      do-ip6: no
      # Use this only when you downloaded the list of primary root servers!
      root-hints: "/var/lib/unbound/root.hints"
      # Trust glue only if it is within the servers authority
      harden-glue: yes
      # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
      harden-dnssec-stripped: yes
      # Don't use capitalization randomization as it is known to cause DNSSEC issues sometimes
      # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
      use-caps-for-id: no
      # Reduce EDNS reassembly buffer size.
      # Suggested by the unbound man page to reduce fragmentation reassembly problems
      edns-buffer-size: 1472
      # Perform prefetching of close to expired message cache entries
      # This only applies to domains that have been frequently queried
      prefetch: yes
      # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
      num-threads: 1
      # Ensure kernel buffer is large enough to not lose messages in traffic spikes
      so-rcvbuf: 1m
      # Ensure privacy of local IP ranges
      private-address: 192.168.0.0/16
      private-address: 169.254.0.0/16
      private-address: 172.16.0.0/12
      private-address: 10.0.0.0/8
      private-address: fd00::/8
      private-address: fe80::/10
$ sudo service unbound start
$ dig pi-hole.net @127.0.0.1 -p 5353
# test DNSSEC validation
$ dig sigfail.verteiltesysteme.net @127.0.0.1 -p 5353
$ dig sigok.verteiltesysteme.net @127.0.0.1 -p 5353
# configure PiHole
http://192.168.35.30/admin/settings.php?tab=dns
Upstream DNS Servers:
  Custom 1 (ipv4): 127.0.0.1#5353
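Added check, not part of the original page: a small linter that parses an unbound `server:` block in the format above and reports any of the guide's hardening settings (port, harden-glue, harden-dnssec-stripped, edns-buffer-size) or private-address ranges that are missing or weakened; the weakened sample config is constructed for the demonstration.

```python
import ipaddress

# Settings the guide's pi-hole.conf carries, with the values it expects.
REQUIRED = {
    "port": "5353",                   # Pi-hole's Custom 1 upstream is 127.0.0.1#5353
    "harden-glue": "yes",             # only trust glue inside the server's authority
    "harden-dnssec-stripped": "yes",  # missing DNSSEC data makes the zone BOGUS
    "use-caps-for-id": "no",
    "edns-buffer-size": "1472",
}
# Ranges the guide lists under private-address (answers pointing into them are dropped).
EXPECTED_PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                    "169.254.0.0/16", "fd00::/8", "fe80::/10"]

# Constructed sample (not from the page): the guide's config with harden-dnssec-stripped
# removed, the EDNS buffer enlarged and two private ranges missing.
WEAK_CONF = """server:
    port: 5353
    harden-glue: yes
    # harden-dnssec-stripped left out
    use-caps-for-id: no
    edns-buffer-size: 4096
    private-address: 192.168.0.0/16
    private-address: 172.16.0.0/12
    private-address: fd00::/8
    private-address: fe80::/10
"""

def parse_unbound(text):
    """Parse 'key: value' lines into {key: [values]}; comments and clause headers such as
    'server:' are skipped, and repeated keys (private-address) accumulate in order."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue
        key, _, value = line.partition(":")   # split on the first colon only (IPv6 values)
        opts.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return opts

def check_config(text):
    """Return a list of findings; an empty list means the config matches the guide."""
    opts = parse_unbound(text)
    findings = []
    for key, want in REQUIRED.items():
        got = opts.get(key, [None])[-1]       # take the last occurrence of a key
        if got != want:
            findings.append(f"{key}: expected {want!r}, found {got!r}")
    covered = [ipaddress.ip_network(p) for p in opts.get("private-address", [])]
    for rng in EXPECTED_PRIVATE:
        net = ipaddress.ip_network(rng)
        if not any(net.version == c.version and net.subnet_of(c) for c in covered):
            findings.append(f"private-address does not cover {rng}")
    return findings
```

Run `check_config(open("/etc/unbound/unbound.conf.d/pi-hole.conf").read())` on the real file; an empty list means every setting from the guide is present.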

DNSMasq

# option available for routers with OpenWRT, DD-WRT, etc.
# per host tracking on pi-hole, ability to resolve hostnames on LAN, ad blocking/network monitoring provided by pi-hole
# Additional DNSMasq Options
dhcp-option=6,192.168.35.30
# configure PiHole
http://192.168.35.30/admin/settings.php?tab=dns
Upstream DNS Servers:
  Custom 1 (ipv4): 192.168.1.1
[x] DHCP server enabled
Router (gateway) IP address: 192.168.35.1
Domain: lan
Lease time in hours: 24
[x] Enable IPv6 support (SLAAC + RA)
[x] Enable DHCP rapid commit (fast address assignment)

Internet Setup

Internet IP Address
[x] Get dynamically from ISP
Domain Name Server (DNS) Address
[x] Use these DNS servers
  192.168.35.30
LAN Setup
# disabled
[ ] Use Router as DHCP Server
# generate debug log
$ pihole -d
# Network tab fails to load, something is using port 80 (maybe apache2?)
$ sudo systemctl status lighttpd
  • selfhosted/pihole.txt
  • Last modified: 2023/07/03 01:53
  • by hli