Installing Pi-hole in Linux Mint with an Archer A9



Using Pi-hole on a home network has become a popular way to deal with the overwhelming number of advertisements and trackers used on web pages and in apps these days. It's a great way to keep an eye on which servers the devices in your network are contacting. There's a surprising amount of traffic on the typical residential network, and much of it is simply relaying your online activities to one of the big data-mongers.

Installing Pi-hole is simple, especially since if you've reached that point, you've already done the worst part: installing your favorite version of Linux in a virtual machine, an old PC, a laptop or an SoC device like the Raspberry Pi. But Pi-hole only officially supports a few Linux distros. I understand they can't test on everything, but at least they've given us a way to bypass the 'officially supported distro check' in the Pi-hole installation script. I use Linux Mint because Ubuntu, while free, still makes decisions based on corporate policies and not the end user. So if you're using Mint or any other 'not officially supported distro', the following is for you.

So once you have your Linux distro installed, whether in a VM or on bare metal, you need to download the Pi-hole software package. Open a terminal and use the following commands to clone the repository on to your computer:

1: sudo su ( or whatever your distro uses to change to root, or just use sudo in front of each command )

2: apt install git -y   (if you haven't installed git already)

3: git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole

Next, we'll need to reach the install script and modify it, still using root or sudo in front of each command. 

4: cd Pi-hole

5: cd 'automated install'

6: geany basic-install.sh  ( or use gedit, vim, or whatever your favorite text editor is )

7: scroll down to line 82, just after the variable initialization, and enter the following line exactly:

PIHOLE_SKIP_OS_CHECK='true' 

8: click the save button, then close the editor. 

9: now back in your terminal, run the command ./basic-install.sh (still as root).

There are other methods online for passing the variable PIHOLE_SKIP_OS_CHECK=true to the basic-install.sh script, but none of them worked for me. Instead of wasting time searching DDG for other options, it's simpler just to insert the variable into the install script itself. If you're good with bash programming, you can remove the whole OS check from the install script too. But after inserting the variable into the shell script, I've now got a Pi-hole installer that I can keep, and it will attempt to install on most distros, unsupported or not.

A few other notes about the Pi-hole:

Set your IP address to 'manual' (static) in your Linux settings. If the IP changes when it reboots (it rarely needs to, but it does sometimes happen), then you'll have the wrong address set for your DNS resolver.

While going through the Pi-hole setup, copy or write down the information it gives you near the end. You'll need it. The default configuration is fine, and use the supplied block list at least. But write down the IPv4 and IPv6 addresses it shows you. Also write down the password; you'll need it to check in on the Pi-hole, especially if you're running it headless.

Those IP addresses it tells you it's using need to be entered into your router or into each of the devices on your network. It's easier to find the IPv4 DNS entry in your router and change it to the v4 address of the Pi-hole. Otherwise, you'll need to set the DNS address on each device in your network. Finding the setting in the router can be difficult and tiresome, but keep looking until you find it. Most routers have a setting to define your own DNS settings or get the settings from your ISP. My router, a TP-Link Archer A9, is pretty confused when it comes to the DNS setting. There are two places where it can be entered but only one is effective. It also won't let me set a DNS server in the same subnet as my local addresses. My ASUS router didn't have an issue with this, but TP-Link oddly does.

So if you have a router like the TP-Link that thinks it knows better than you, there's another step in the setup process. First, get your router/modem's external IP. Set it as your DNS server. Next, find the router's port forward/virtual server tab and set port 53 to be forwarded to the IP address of the Pi-hole. But that's not all, because you don't want an open resolver exposed on the net. They can be used for multiplying bot attacks and poisoning the ARP protocol. So...

While in your router, note the DHCP range. On residential routers it's usually 192.168.x.x/x or 10.x.x.x/x. Get the first three numbers of that range, then go back to the terminal on your Pi-hole. Get root again. Enter the following commands:

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 53 -j DROP   (blocks all tcp connections to the Pi-hole's DNS port)

iptables -A INPUT -s 0.0.0.0/0 -p udp --dport 53 -j DROP  (blocks all udp connections to the Pi-hole's DNS port)

iptables -A INPUT -s 0.0.0.0/0 -p tcp --dport 80 -j DROP   (blocks all tcp http connections to the Pi-hole)

The --dport 80 rule blocks external access to the FTL monitoring server that Pi-hole runs. Port 53 is the DNS port that answers DNS queries.

Now we need to let your local LAN devices connect to it, and you'll need the first 3 octets (numbers between the dots) of the IP range of your network. On mine, it's 10.0.0, my gateway/router is 10.0.0.1 and my computer is 10.0.0.123. Use your first three numbers. They should be the same as the first 3 octets of your Pi-hole's IP address. Enter the following commands, inserting your IP range. The /24 will be the same. Note that iptables stops at the first rule that matches a packet, so these ACCEPT rules have to sit above the DROP rules you just added; -I INPUT inserts them at the top of the chain, whereas -A would append them below the DROPs and your LAN would be blocked too.

iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 53 -j ACCEPT (allows the range to access the Pi-hole; -I puts it above the DROP rules)

iptables -I INPUT -s 10.0.0.0/24 -p udp --dport 53 -j ACCEPT

iptables -I INPUT -s 10.0.0.0/24 -p tcp --dport 80 -j ACCEPT
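The rules above, as an added example that is not part of this article or the Pi-hole project: a small POSIX sh script that generates the rule commands with the LAN allow rules taking effect before the catch-all drops, and emulates iptables first-match evaluation so you can check the result before touching a live firewall. LAN_CIDR is an assumed /24; replace it with your own first three octets.

```shell
#!/bin/sh
# Added example (not Pi-hole project code): generate the iptables rules from
# the procedure above and emulate first-match evaluation to check the order.
# LAN_CIDR is an assumed /24 (constructed value); set it to your own range.
LAN_CIDR="${LAN_CIDR:-10.0.0.0/24}"

# -A appends the DROP rules, -I inserts the ACCEPT rules at the top of INPUT,
# so the order the commands are typed in no longer matters.
# Apply as root with:  pihole_rules "$LAN_CIDR" | sh
# iptables only covers IPv4 (repeat with ip6tables for the Pi-hole's IPv6
# address) and rules are lost on reboot unless saved (iptables-persistent).
pihole_rules() {
    lan="$1"
    for svc in "tcp 53" "udp 53" "tcp 80"; do
        echo "iptables -A INPUT -p ${svc% *} --dport ${svc#* } -j DROP"
    done
    for svc in "tcp 53" "udp 53" "tcp 80"; do
        echo "iptables -I INPUT -s $lan -p ${svc% *} --dport ${svc#* } -j ACCEPT"
    done
}

# Reorder the commands on stdin into the chain iptables would end up with:
# each -I goes above everything before it, each -A goes to the bottom.
chain_order() {
    awk '/ -I INPUT / { top = $0 "\n" top; next }
         / -A INPUT / { bottom = bottom $0 "\n" }
         END { printf "%s%s", top, bottom }'
}

# First-match verdict for a packet: verdict SRC_IP PROTO DPORT
# Only /24 source masks are handled; no match falls through to the
# assumed default INPUT policy (ACCEPT).
verdict() {
    pihole_rules "$LAN_CIDR" | chain_order |
    awk -v src="$1" -v proto="$2" -v port="$3" '
    {
        rs = ""; rp = ""; rd = ""; tgt = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-s") rs = $(i + 1)
            if ($i == "-p") rp = $(i + 1)
            if ($i == "--dport") rd = $(i + 1)
            if ($i == "-j") tgt = $(i + 1)
        }
        if (rp != proto || rd != port) next
        if (rs != "") {
            sub(/\/24$/, "", rs); split(rs, r, "."); split(src, s, ".")
            if (r[1] "." r[2] "." r[3] != s[1] "." s[2] "." s[3]) next
        }
        print tgt; hit = 1; exit
    }
    END { if (!hit) print "ACCEPT" }'
}
```

Running `verdict 10.0.0.55 udp 53` prints ACCEPT while `verdict 203.0.113.7 udp 53` prints DROP; with the allow rules appended (-A) instead, both would be dropped.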

Now monitor your Pi-hole dashboard and make sure there aren't any clients showing up from outside your LAN's IP range. It's also a good idea to check whether there's a noisy device making a lot of requests. You'll be surprised at how often software contacts external servers. You'll find out which devices are keeping track of you and which devices aren't really off when they say they are. It can also show you if malware is contacting its command and control servers.

     And make a donation to the good people at Pi-hole who are helping to wrestle back the net from the corporate waste that clutters it up.

https://github.com/pi-hole/pi-hole

https://docs.pi-hole.net/main/basic-install/

https://discourse.pi-hole.net/t/restrict-access-to-pihole/3397/7

https://www.reddit.com/r/pihole/comments/ifz2di/block_a_clients_ip/

https://wiki.vpsget.com/index.php/Iptables_example_block_all_except_specified

*not affiliated with Pihole or any other site or company mentioned in this article.