• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to footer
  • Home
  • Create a VM ($25 Credit)
  • Buy a Domain
  • 1 Month free Back Blaze Backup
  • Other Deals
    • Domain Email
    • Nixstats Server Monitoring
    • ewww.io Auto WordPress Image Resizing and Acceleration
  • About
  • Links

IoT, Code, Security, Server Stuff etc

Views are my own and not my employer's.

Personal Development Blog...

Coding for fun since 1996, Learn by doing and sharing.

Buy a domain name, then create your own server (get $25 free credit)

View all of my posts.

  • Cloud
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to buy a new domain and SSL cert from NameCheap, a Server from Digital Ocean and configure it.
    • Setting up a Vultr VM and configuring it
    • All Cloud Articles
  • Dev
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • How to setup pooled MySQL connections in Node JS that don’t disconnect
    • NodeJS code to handle App logins via API (using MySQL connection pools (1000 connections) and query parameters)
    • Infographic: So you have an idea for an app
    • All Development Articles
  • MySQL
    • Using the free Adminer GUI for MySQL on your website
    • All MySQL Articles
  • Perf
    • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Measuring VM performance (CPU, Disk, Latency, Concurrent Users etc) on Ubuntu and comparing Vultr, Digital Ocean and UpCloud – Part 1 of 4
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Setting up a website to use Cloudflare on a VM hosted on Vultr and Namecheap
    • All Performance Articles
  • Sec
    • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
    • Using OWASP ZAP GUI to scan your Applications for security issues
    • Setting up the Debian Kali Linux distro to perform penetration testing of your systems
    • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
    • PHP implementation to check a password exposure level with Troy Hunt’s pwnedpasswords API
    • Setting strong SSL cryptographic protocols and ciphers on Ubuntu and NGINX
    • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
    • All Security Articles
  • Server
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All Server Articles
  • Ubuntu
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • Useful Linux Terminal Commands
    • All Ubuntu Articles
  • VM
    • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
    • All VM Articles
  • WordPress
    • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
    • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
    • How to backup WordPress on a host that has CPanel
    • Moving WordPress to a new self managed server away from CPanel
    • Moving a CPanel domain with email to a self managed VPS and Gmail
    • All WordPress Articles
  • All

DNS

Setting up a Raspberry PI as a DNS Sinkhole to block ads and Trackers

April 15, 2020 by Simon

What is PiHole (Version 5)?

fyi: I updated this post 3 months after I created it as I killed my 32GB Raspberry Pi Micro SD card when I pulled the power (before a storm) without shutting down the Raspberry PIU first. Always shutdown the pi before removing the power. I have a 16GB Micro SD card that I will use instead.

I am following my guide to re setup up my PiHole.

Snip from WikiPedia:  “Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole (and optionally a DHCP server), intended for use on a private network. It is designed for use on embedded devices with network capability, such as the Raspberry Pi, but it can be used on other machines running Linux and cloud implementations. Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.”

What is a Raspberry PI?

A Raspberry PI is an inexpensive (5V Volt, 2 Amp) ARM based computer that can run off the power from a USB cable.

Raspberry PI models abvailable

Here is a photo of my Raspberry Pi 3B+  with an Adafruit LCD Screen

My Raspberry Pi has the following specifications 

  • 4 x 1.4GHz 64-bit (quad-core processor)
  • 1GB LPDDR2 SDRAM
  • Dual-band wireless LAN
  • Bluetooth 4.2/BLE,
  • Faster Ethernet
  • Extended 40-pin GPIO header
  • Full-size HDMI 4 USB 2.0 ports
  • 5V/2.5A DC power input

My screen has the following specifications (purchased from Pakronics)

  • 3.5″ display with 480×320 16-bit colour pixels
  • Resistive touch overlay

I plugged in a full sized USB Keyboard, Mouse and HDMI cable.

SD Card Choice

Read my guide to download and write an Raspberry Pi Operating System to an SD card.

I would not put a cheap/slow MicroSD card in the Raspberry PI, aim for at least a UHS (1) or UHS (3) speed SD card for the best bang for buck.

SD card speeds

fyi: I bought a new 32GB Samsung UHS 1 Ultra Micro SD card and it died after 12 hours of use. I replaced it with another 32GB No name brand CLASS 10 SD Card I had laying around.

(after I killed my 32GB Micro SD card I have chosen a 16GB Micro SD card as it is all I have spare)

Dead SD

Raspberry Setup

I download and saved the Raspian (Full) Operating System to a SD Card and inserted it into my Raspberry PI 3B+ (view the guide here on preparing an Operating System on a SD card).

I used the American 110-240V AC to 5.25V  2500ma DC power supply (with a US to AUS adaptor) that came with the Adafruit Screen.  It had a Micro USB connection on one end.

5.25V DC POwer Supply

It did not work though (I just had a flashing red light on the Raspberry Pi).

I had an Australian 240V AC to 5V 2500ma DC power supply to Micro USB.  from a previous project and it worked (the Raspberry Pi Started up).

5V 2500 mA power pack

I also have a number of Moki brand 240V to USB (1A and 2.4A) adapters. 

I will use the 2.4mA  plug. I know my Adafruit screen uses 100mA so this will do.

MOKI 240V 1A and 2.4A USB plugs

I plugged the HDMI cable into my Monitor and set up the HDMI as a Picture in Picture output so I can see my Main 4K screen (Display Port) and the Raspberry Pi HDMI input at the same time.

My First Raspberry Pi Boot

Mmmm my 4K screen with a 1080P HDMI picture in picture image (from the Raspberry Pi).

4k screen with a PiP HDMI input

The Raspberry Pi  booted fast and a welcome screen appeared

Apologies in advance, photos below are bad (I don’t have a HDMI capture card).

I clicked Next to setup the Raspberry PI

Welcome to the raspberry PI

I set my timezone and language

Set Timezone screenshot

I set a password

Set Password Screenshot

I skipped connecting to WiFi (I want pure Ethernet)

Join WiFi Screen

I was prompted to update the software (I clicked Next)

Update complete

Setup is complete

Setup is complete

I rebooted the Raspberry Pi

Second Boot

I changed further configuration by clicking the Raspberry Pi start button then Preferences then Raspberry PI Configuration

Screenshot of the Raspberry Pi menu showing Raspberry Pi Configuration

I changed the hostname to “raspberrypihole”, set Boot to CLI , Login as “pi“, and set Wait for network.

Update: After my Samsung SD card died I re setup my PI with a no name brand SD card and entered the name “raspberrypihole“

Set system options screenshot

Under display I reviewed the display options

Set video resolution options

I enabled SSH, SPI and I2C.

Enable SSH, SPI and I2C features screenshot.

I increased the GPU memory to 132GB

Allocate mempory screenshot

Time for a Reboot

Reboot warning.

SSH Access

I do not want to leave a keyboard, mouse and screen connected once I finish setting it up so I setup a SSH connection to the Raspberry Pi.

TIP: Putty is a free program for SSH connections.

I SSH’ed (more information on SSH below) to the Raspberry Pi and ran these commands to update it’s software and firmware.

sudo apt-get update  && sudo apt-get upgrade

Output

[email protected]:~ $ sudo apt-get update  && sudo apt-get upgrade
Hit:1 http://archive.raspberrypi.org/debian buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.

The program “htop” is good for viewing system resources.

htop screenshot

Now it’s time to look at the Adafruit screen and case.

I put the Raspberry PI in the Adafruit Case

I purchased this kit for the Raspberry Pi, the LCD screen just connects to the Raspberry Pi GPIO pins.  It has a Adafruit LCD screen and a case for my Raspberry Pi 3B+

Photo of a Raspberry Pi 3B+, LCD screen and case

The screen just connects onto the GPIO pins

LCD Screens just connects to the Pi

The LCD screen allows you to use pins below the screen.

Male pins beside the female GPIO pins

GPIO pins documentation from https://www.raspberrypi.org/documentation/usage/gpio/

GPIO pin documentation from https://www.raspberrypi.org/documentation/usage/gpio/

A nice stack 🙂

Photo showing the LCD screen connected to the Pi

The case clips are hard to clip over the Raspberry Pi (Don’t force it or you might break for Pi)

Photo showing a case clip over the raspberry pi board

The case clip near the GPIO pins is on

Photo showing the case clip near the GPIO pins.

The clip near the power plug was off because the Raspberry Pi was not positioned correctly

Photo of the Raspberry PI off center of the lugs

After 30 minutes I carefully put the Raspberry Pi and LCD screen into the Case.

Photo showing the LCD screen in the case.

Side of the case with USB and Ethernet and USB porws exposed.

Photo of the Case exposing the USB and Ethernet port

HDMI, Power and Audio plugs are visible and lined up 🙂

Photo showing HDMI, Power and Audio plugs

The screen is visible through the case

Photo showing the case and LCD screen

The screen dips down on one side, I might have to prop it up (hot glue gun) a bit inside later

Photo showing the LCD screen dips to one side

SSH Connections to the Raspberry PI

I created an SSH connection to my Raspberry PI with MobaXterm (review here) and connected to it.

MobaXTerm connected to the pI

I ran the “ifconfig” command to get a list of all network interfaces.

I ran “ifconfig” to list all network interfaces.

MpobaXTerm ifconfig

I ran these commands to update my Raspberry PI Software

  • sudo apt-get update
  • sudo apt-get upgrade
  • sudo apt full-upgrade
  • sudo apt -y dist-upgrade

I updated the Pi Firmware too  (this is dangerous, only update if you have issues).

  • sudo rpi-update
Firmware update

I rebooted and connected to the Raspberry Pi and ran this command to get the Ethernet and wireless mac address.

The first interface is my Ethernet adopter the second if the WiFi adaptor.

ifconfig |grep ether
ether b8:27:eb:d9:00:86 txqueuelen 1000
ether b8:27:eb:8c:55:d3 txqueuelen 1000

The first Mac address is my Ethernet address on The Raspberry PI and the second is WiFi.

I logged into my router (Telstra DJA0230) and clicked Advanced then Local Network.  I could see my DHCP range was from 192.168.0.2 to 192.168.0.254, I shortened this to 192.168.0.2 to 192.168.0.200 (so I can set a static IP Address for the Raspberry PI) then I set a Static IP address for the Raspberry pi to 192.168.0.201.

I rebooted the Raspberry PI and checked the IP address 

I logged into my Router (at https://192.168.0.1)

Screenhshot of my routers DHCP range

When my Samsung SD card died I had to re-setup a new SD card but the IP address came across as the mac address stayed the same (as it was the same hardware), I did, however, change the name of the Static IP hostname in my home router to match the new name “raspberrypihole” (not “pihole”)

I set a static IP for this Ethernet address and defined 192.168.0.201 as the IP address.

Setting Up PiHole on the RaspBerry PI

I SSH’ed to my Raspberry Pi (with the new IP address) and ran this command

Now its time to install Pi Hole onto My Raspberry Pi

wget -O basic-install.sh https://install.pi-hole.net
sudo bash basic-install.sh
PiHole INstall

I was presented with “This installer will transform your device into a network-wide ad blocker! “

Install PiHole?

I was presented with “This installer will transform your device into a network-wide ad blocker! “

PiHole is free, but powered by your donations (consider donating)

Donate Plea

I donated. Thanks PiHole Team.

My doantion screenshot.

This will pay for itself in no time.

Donation receipt.

Static IP address is required.

Static IP Warning

I chose to just have PiHole work on Ethernet (and not Wifi)

Interface Select

I was prompted to set my upstream DNS provider.

Upstream DNS Provider

I selected all default blacklist lists.

Third Party Lists

I allowed PiHole to use IPv4 and IPv6.

TCP Support

My IP and Gateway was displayed on the screen.

IP and Gateway Info

Final warning about setting a static IP address.

Final Static IP Warning

The PiHole IPv6 address is show

Ready

Install a admin interface (Yes)

Web Admin on

Install lighthttpd (Yes)

thttpd

I chose to log all DNS queries.

Log HTTP Queries

I oped to allow the viewing of all logged data. This is less secure but I can reduce this later.

Debugging

PiHole is now setting up

PiHole Installing

Installation took about 10 minutes

Installing

A PiHole admin URL and Password was displayed (write this down)

PiHole Setup

I loaded the PiHole initial admin screen (http://192.168.0.201/admin/) and it was a bit empty.

PiHole Interface

I logged into my PiHole (at http://192.1768.0.201/admin/) with the password provided during setup.

Blank PiHole

The Raspberry Pi Pi Hole service was up and waiting for connections

I have Zero traffic going through the PiHole.

Before I add computers on my network to the PiHole I had better uninstall the nextdns.io (my blog post about NextDNS.io here) as the Pi will now be the main DNS blocking Sinkhole in our house.

Uninstall NextDNS.io

On my Windows 10 PC I added the DNS server for the PiHole in IPV4 and IPV6.

I obtained the PiHole IPV4 and IPV6 addresses (1) PiHole Admin, 2) Pi Hole Settings Page, 3) IP Address)

Pi Hole Settings Screen

PiHole IPV4 and IPV6 addresses.

PiHole IP Settings

I added the Pi Holes IPV4 IP address to my Windows 10 IP Settings.

I added the PIHole DNS to the IPV4 and IPV6 on my Windows 10 Ethernet adaptor

I added the Pi Holes IPV6 IP address to my Windows 10 IP Settings.

Setting IPV6 DNS Server

After 20 hours or rining computers through the Pi-Hole Admin interface I loaded the PiHole Admin Interface (at http://192.168.0.201/admin/index.php) was reporting stats.

I can view stats for Protocol and answered queries

Dashboard

I can also see stats for permitted and blocked domains

Top Allowed and blocked traffic

Default Block Lists

I can also see the source blocked domains

Ad Lists

Add 3rd party block lists

I added these block lists to my PiHole list of sites to block (Thanks Jol)

https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://v.firebog.net/hosts/Airelle-trc.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://hosts-file.net/ad_servers.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/exp.txt
https://hosts-file.net/grm.txt
https://hosts-file.net/psh.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://mirror1.malwaredomains.com/files/justdomains
https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
http://someonewhocares.org/hosts/hosts
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Airelle-hrsk.txt
https://v.firebog.net/hosts/Easylist.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Prigent-Phishing.txt
https://v.firebog.net/hosts/Shalla-mal.txt
https://v.firebog.net/hosts/static/SamsungSmart.txt
https://v.firebog.net/hosts/static/w3kbl.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.squidblacklist.org/downloads/dg-malicious.acl
http://sysctl.org/cameleon/hosts
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
http://www.joewein.net/dl/bl/dom-bl.txt
http://www.networksec.org/grabbho/block.txt

I updated all block lists at http://192.168.0.201/admin/gravity.php

Update Gravity Success.

666,862 domains on my block list 🙂

I now have the Pi Hole blocking 666,862 domains, this number will increase as sites are added to the remote lists, nice.

Dashboard Stats

LCD Screen Setup

I followed thin guide to setup the screen.

I can this code from the pi (logged in as root)

cd ~
wget https://raw.githubusercontent.com/adafruit/Raspberry-Pi-Installer-Scripts/master/adafruit-pitft.sh
chmod +x adafruit-pitft.sh
sudo ./adafruit-pitft.sh

I was prompted to choose a screen

Select configuration:
1. PiTFT 2.4", 2.8" or 3.2" resistive (240x320)
2. PiTFT 2.2" no touch (240x320)
3. PiTFT 2.8" capacitive touch (240x320)
4. PiTFT 3.5" resistive touch (320x480)
5. PiTFT Mini 1.3" or 1.54" display (240x240)
6. MiniPiTFT 1.14" display (240x135) - WARNING! CUTTING EDGE! WILL UPGRADE YOUR KERNEL TO LATEST
7. Quit without installing

SELECT 1-7:

I entered “3” for PiTFT 2.8″ capacitive touch (240×320)

I then was prompted to set the rotation of the screen

Select rotation:
1. 90 degrees (landscape)
2. 180 degrees (portait)
3. 270 degrees (landscape)
4. 0 degrees (portait)

SELECT 1-4: 

I entered “3” for 270 degrees (landscape).

I was prompted to allow the console to appear on the screen

Would you like the console to appear on the PiTFT display? [y/n]
y

Install Summary

Install Summary

I rebooted

Reboot [y/n]
y

I edited /boot/config.txt and changed these values

framebuffer_width=320
framebuffer_height=240

Installing PADD to display PiHole stats on the LCD

I followed this guide to install PADD (the software that displays the PiHole stats on the LCD screen)

cd ~
wget -N https://github.com/jpmck/PADD/files/4320681/padd.txt
mv padd.txt paddsimon.sh
chmod +x paddsimon.sh

Making PADD starts at boot

Edit this file

sudo nano  ~/.bashrc

and add the following to the end of the file

# Run PADD
# If we're on the PiTFT screen (ssh is xterm)
if [ "$TERM" == "linux" ] ; then
  while :
  do
    /root/paddsimon.sh
    sleep 0.2
  done
fi

I rebooted the PI.

sudo showdown -r now

How to Update the PiHole from the CLI

I ran the following command to update the PiHole block lists

pihole -g

Output…

  [i] Pi-hole blocking is enabled
  [i] Neutrino emissions detected...
  [✓] Pulling blocklist source list into range

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: mirror1.malwaredomains.com (justdomains)
  [✓] Status: No changes detected

  [i] Target: sysctl.org (hosts)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_tracking.txt)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_ad.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (ad_servers.txt)
  [✓] Status: No changes detected

  [i] Target: raw.githubusercontent.com (ytadblock.txt)
  [✓] Status: Retrieval successful

  [i] Target: v.firebog.net (Easyprivacy.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Prigent-Ads.txt)
  [✓] Status: No changes detected

  [i] Target: gitlab.com (notrack-blocklist.txt)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (spy.txt)
  [✓] Status: Retrieval successful

  [i] Target: www.github.developerdan.com (ads-and-tracking-extended.txt)
  [✓] Status: Retrieval successful

  [i] Target: hostfiles.frogeye.fr (firstparty-trackers-hosts.txt)
  [✓] Status: Retrieval successful

  [i] Target: hostfiles.frogeye.fr (multiparty-trackers-hosts.txt)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (android-tracking.txt)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (SmartTV.txt)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (AmazonFireTV.txt)
  [✓] Status: Retrieval successful

  [i] Target: v.firebog.net (Airelle-trc.txt)
  [✓] Status: No changes detected

  [i] Target: bitbucket.org (Mandiant_APT1_Report_Appendix_D.txt)
  [✓] Status: No changes detected

  [i] Target: gist.githubusercontent.com (Test.txt)
  [✓] Status: Retrieval successful

  [i] Target: gitlab.com (notrack-malware.txt)
  [✓] Status: Retrieval successful

  [i] Target: hosts-file.net (emd.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (exp.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (grm.txt)
  [✓] Status: No changes detected

  [i] Target: hosts-file.net (psh.txt)
  [✓] Status: No changes detected

  [i] Target: isc.sans.edu (suspiciousdomains_Medium.txt)
  [✓] Status: Retrieval successful

  [i] Target: mirror.cedia.org.ec (immortal_domains.txt)
  [✓] Status: No changes detected

  [i] Target: someonewhocares.org (hosts)
  [✓] Status: No changes detected

  [i] Target: phishing.army (phishing_army_blocklist_extended.txt)
  [✓] Status: Retrieval successful

  [i] Target: ransomwaretracker.abuse.ch (CW_C2_DOMBL.txt)
  [✓] Status: Retrieval successful

  [i] Target: ransomwaretracker.abuse.ch (LY_C2_DOMBL.txt)
  [✓] Status: Retrieval successful

  [i] Target: ransomwaretracker.abuse.ch (RW_DOMBL.txt)
  [✓] Status: Retrieval successful

  [i] Target: ransomwaretracker.abuse.ch (TC_C2_DOMBL.txt)
  [✓] Status: Retrieval successful

  [i] Target: ransomwaretracker.abuse.ch (TL_C2_DOMBL.txt)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (spy.txt)
  [✗] Status: Not found
  [✗] List download failed: no cached list available

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (hosts)
  [✓] Status: Retrieval successful

  [i] Target: raw.githubusercontent.com (hosts)
  [✗] Status: Not found
  [✗] List download failed: no cached list available

  [i] Target: reddestdream.github.io (minimalhosts)
  [✓] Status: No changes detected

  [i] Target: s3.amazonaws.com (simple_malvertising.txt)
  [✓] Status: Retrieval successful

  [i] Target: v.firebog.net (AdguardDNS.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Airelle-hrsk.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Easylist.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Prigent-Malware.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Prigent-Phishing.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (Shalla-mal.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (SamsungSmart.txt)
  [✓] Status: No changes detected

  [i] Target: v.firebog.net (w3kbl.txt)
  [✓] Status: No changes detected

  [i] Target: www.malwaredomainlist.com (hosts.txt)
  [✓] Status: No changes detected

  [i] Target: www.squidblacklist.org (dg-malicious.acl)
  [✗] Status: Connection Timed Out (Cloudflare)
  [✗] List download failed: no cached list available

  [i] Target: zerodot1.gitlab.io (hosts)
  [✓] Status: No changes detected

  [i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
  [✓] Status: Retrieval successful

  [i] Target: www.joewein.net (dom-bl.txt)
  [✓] Status: Retrieval successful

  [i] Target: www.networksec.org (block.txt)
  [✓] Status: Retrieval successful
  [i] Received empty file: using previously cached list

  [✓] Consolidating blocklists
  [✓] Extracting domains from blocklists
  [i] Number of domains being pulled in by gravity: 1178534
  [✓] Removing duplicate domains
  [i] Number of unique domains trapped in the Event Horizon: 954486
  [i] Number of whitelisted domains: 2
  [i] Number of blacklisted domains: 0
  [i] Number of regex filters: 0
  [✓] Parsing domains into hosts format
  [✓] Cleaning up stray matter

  [✓] Force-reloading DNS service
  [✓] DNS service is running
  [✓] Pi-hole blocking is Enabled

I can view all possible command line options by running 

pihole /?

Output..

Usage: pihole [options]
Example: 'pihole -w -h'
Add '-h' after specific commands for more information on usage

Whitelist/Blacklist Options:
  -w, whitelist       Whitelist domain(s)
  -b, blacklist       Blacklist domain(s)
  --wild, wildcard     Wildcard blacklist domain(s)
  --regex, regex       Regex blacklist domains(s)
                        Add '-h' for more info on whitelist/blacklist usage

Debugging Options:
  -d, debug           Start a debugging session
                        Add '-a' to enable automated debugging
  -f, flush           Flush the Pi-hole log
  -r, reconfigure     Reconfigure or Repair Pi-hole subsystems
  -t, tail            View the live output of the Pi-hole log

Options:
  -a, admin           Web interface options
                        Add '-h' for more info on Web Interface usage
  -c, chronometer     Calculates stats and displays to an LCD
                        Add '-h' for more info on chronometer usage
  -g, updateGravity   Update the list of ad-serving domains
  -h, --help, help    Show this help dialog
  -l, logging         Specify whether the Pi-hole log should be used
                        Add '-h' for more info on logging usage
  -q, query           Query the adlists for a specified domain
                        Add '-h' for more info on query usage
  -up, updatePihole   Update Pi-hole subsystems
                        Add '--check-only' to exit script before update is perfo                                                     rmed.
  -v, version         Show installed versions of Pi-hole, Web Interface & FTL
                        Add '-h' for more info on version usage
  uninstall           Uninstall Pi-hole from your system
  status              Display the running status of Pi-hole subsystems
  enable              Enable Pi-hole subsystems
  disable             Disable Pi-hole subsystems
                        Add '-h' for more info on disable usage
  restartdns          Restart Pi-hole subsystems
  checkout            Switch Pi-hole subsystems to a different Github branch
                        Add '-h' for more info on checkout usage

After 1 Week

After 1 week stats were rolling into the PIHole.

40% of all traffic was being blocked.

PiHole stats screen

I could see blocked and allowed domain calls

Top permitted and blocked domains

I can white list domains if they are blocked.

I white listed fearby.com and events.gfe.nvidia.com

Done

This is what it looks like done

Done

Nice

Did it block Ad’s

Mostly Yes. Not all advertisements are blocked but most are.

Some YouTube Advertisements seem to get through but I am seeing far less Advertisements in web pages

Using Python to use buttons on the PiTFT Plus 320×240 TFT Touchscreen with a PiHole

Read this guide to make the buttons word: Using Python to use buttons on the PiTFT Plus 320×240 TFT Touchscreen with a PiHole

Troubleshooting

If you receive an update about updating languages on your first boot while updating you can manually update all software by running this after you first reboot in a Terminal window.

sudo apt-get update && apt-get full-upgrade

If your Micro SD cad is filling up you can run to free some space

sudo apt clean

I needed to white list “events.gfe.nvidia.com” to allow my video card drivers to upodate.

Cooling

The Raspberry Pi is running cool at 47c (even though it is in a tight space).

47c image

I might add a heat pipe to it and have an external fan.  I will thermal epoxy the hat pipe to the Pi CPU and run it outside to a external heat sink and fan.

eBay purchase for a fan, thermal epoxy and heatpipes.

I have many spare heat sinks laying around.

copper and aluminium heatsinks.

I will update when the part’s arrive.

Update: I did not end up adding extra cooling, there was no need in summer.

Rotating the screen

I did exit my /boot/config.txt to rotate my LCD Screen orientation 

Buttons

Read this guide to see how I setup a Python script to make my buttons work.

Do edit your /boot.config.txt to configure your screen rotation (if need be) and to check if the LCD screen is setup (by Adafruit)

framebuffer_width=240
framebuffer_height=320

Backup and Restore PiHole Settings

I used the PiHole Backup feature (at http://192.168.0.201/admin/settings.php?tab=teleporter) to backup all of my PiHole Settings to a zip file.

Handy Links

Handy Guide: https://learn.adafruit.com/pi-hole-ad-pitft-tft-detection-display/pitft-configuration to configure the LCD Screen

Schematics of the screen: https://learn.adafruit.com/assets/25555

Donate to PiHole: https://pi-hole.net/donate/

Raspberry Pi GPIO Pins: https://www.raspberrypi.org/documentation/usage/gpio/

 

 

v 2.3 Updating to PiHole 5.1.2

Filed Under: Uncategorized Tagged With: a, acts, advertisement, and, application, as, blocking, DNS, How, I, internet, is, Linux, network-level, one, Pi-hole, set, sinkhole. See, tracker, which

Protecting your devices with nextdns.io a DNS based service that blocks malicious websites, trackers, ads, typo squatting domains, new or parked domains, TLD’s, mature YouTube content and comments and more

March 13, 2020 by Simon

I was going to setup a local (in my house) PiHole (with a Raspberry PI) that blocks internet trackers (DNS Sinkhole) and Advertisements (yes, like the ones on my website) because I don’t want my kids consuming a bucket loads of Advertisements online when they watch YouTube.

I am against online trackers and big data building a profiles on kids that are 6 and 10 years old. I have stopped using Facebook, Twitter and stopped using Google Analytics on this website.

I demo’ed to my son about the big data sucking up his data by looking at an IT retailer here in Australia for a random computer product then a few seconds later we looked as  news sites (with Advertisements) in the UK and the US and to his surprise Advertisements for the randomly selected product in Australia was on his screen (sent from the other side of the world).

I am not against Content Creators making money from Advertisement revenue  I am against the privacy issue.  If you love consuming a Content Creators stuff then support them on their Merch store(s).

I don’t want my kids to accidentally fall victim to Malware, Cryptojacking, Phishing or spammy or known bad websites.  I have a leading Antivirus products on their Computers but it is best not to put all of your eggs in one basket.

Enter https://nextdns.io (Free)

fyi: NextDNS.io is in BETA development and if you want rock a rock solid experience you may want to wait until until the beta period is over (Maybe March 2020.  The only issue I have had is the NextDNS.io systray app sometimes does not open, I can work around this by starting and stopping the NextDNS.io service (“NextDNS DNS53 to DoH proxy“) in the Windows services app.

You can probably tell from the title of this post that NextDNS is a DNS based service that blocks malicious websites, trackers, ads, typo squatting domains, new or parked domains, TLD’s, mature YouTube content and comments and more.  In my research for PiHole I found that nextdns.io was mentioned (How-to: Pi-Hole Plus DNSCrypt Setup on Raspberry Pi 4).

I logged into https://nextdns.io/ and was impressed by their slick interface.

Quick Setup Steps

  1. Create a free account at https://my.nextdns.io/signup
  2. Login to https://my.nextdns.io/ and click the Setup tab
  3. Choose your platform that you want to setup nextdns onto (e.g Windows, Android etc)
  4. Follow the setup prompts to access the installer and obtain the Configuration ID
  5. Setup the app and enter the Configuration ID
  6. Enable NextDNS

Then login to the analytics tab at https://my.nextdns.io/ to see the app in action

Read on for more technical information

https://my.nextdns.io/ Security Options (Tab)

On their account page they had these features

Threat Intelligence Feeds
Block domains known to distribute malware or launch phishing attacks and botnet command-and-control servers using a blend of the most reputable threat intelligence feeds—all updated in real-time.

Google Safe Browsing
Block malware and phishing domains using Google Safe Browsing—a technology that examines billions of URLs per day looking for unsafe websites. Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.

Cryptojacking Protection
Prevent the unauthorized use of your devices to mine cryptocurrency.

DNS Rebinding Protection
Prevent attackers from taking control of your local devices through the Internet by automatically blocking DNS responses containing private IP addresses.

IDN Homograph Attacks Protection
Block domains that impersonate other domains by abusing the large character set made available with the arrival of Internationalized Domain Names (IDNs)—e.g. replacing the Latin letter “e” with the Cyrillic letter “е”.

Typosquatting Protection
Block domains registered by malicious actors that target users who incorrectly type a website address into their browser (e.g. gooogle.com instead of google.com).

Domain Generation Algorithms (DGAs) Protection
Block domains generated by Domain Generation Algorithms (DGAs) seen in various families of malware that can be used as rendezvous points with their command and control servers.

Block Newly Registered Domains (NRDs)
Block domains registered less than 30 days ago. Those domains are known to be favored by threat actors to launch malicious campaigns.

Block Parked Domains
Parked domains are single-page websites often laden with ads and devoid of any value. Parked domain monetization can sometimes get mixed up with suspicious practices and malicious content.

Top-Level Domains (TLDs) Blocking
Block all domains and subdomains belonging to specific TLDs (e.g “.ru”).

Block Child _______ Abuse Material (CSAM)
Block domains hosting child ______ abuse material with the help of Project Arachnid, operated by the Canadian Centre for Child Protection. No information is transmitted back to Project Arachnid when a domain is blocked.

https://my.nextdns.io/ Privacy Options (Tab)

Under their privacy tab they offer these features

NextDNS Recommended Ads & Trackers Blocklist
A comprehensive blocklist to block ads & trackers in all countries. This is the recommended starter blocklist.

> 78,795 entries • Updated 6 minutes ago

Block Disguised Third-Party Trackers
Automatically detect and block third-party trackers disguising themselves as first-party to circumvent recent browser’s privacy protections like ITP.

Allow Affiliate & Tracking Links (Disabled by default)

Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.

https://my.nextdns.io/ Parental Controls (Tab)

Under the Parental Controls tab these options are available

Safe Search
Filter out adult content on all major search engines, including images and videos. This will also block access to search engines not supporting this feature.

YouTube Restricted Mode
Filter out mature videos on YouTube and block embedded mature videos from being watched on other websites. This will also hide all comments.

Block Bypass Methods
Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers.

https://my.nextdns.io/ Blacklist Controls

You have the ability to blacklist (block) one or many domains. I decided to block a few sites from my kids eyes.

3 sites added to the blacklisy

https://my.nextdns.io/ Whitelist Controls

You have the ability to whitelist (allow) one or many domains.  I white;listed my site.

I whitelisted fearby.com

IMHO: The words Blacklist and Whitelist are a bit old, maybe they should use Allow Site/Deny Site?

How to Setup nextdns.io

Easy setup instructions are available for Android, iOS, Windows, macOS, Linux, Chrome OS, Firefox and Routers

Setup instructions for Android, iOS,  Windows, macOS, Linux, Chrome OS, Firefox, Routers

I set these options

I disabled access to Mature websites along with Gambling, Piracy and Dating sites at my.nextdns.io

Disabled options

I enabled the Block Bypass Methods

option to enable bypass block

I enabled YouTube Restriction Mode

Setting to enable YouTube restriction mode

I went to the Privacy Tab at https://my.nextdns.io and added all Blocklists (about 100 lists).

100+ block lists

Tip: Don’t enable the “No Google (Completely block Google and its services)” as this will kill YouTube and my email (GSuite)

I am impressed by the number of available Blocklists and update frequency

Block ads & trackers using the most popular blocklists available—all updated in real-time.

Here is a list of the BLock lists availabe at the tile of this post.

NextDNS Recommended Ads & Trackers Blocklist
A comprehensive blocklist to block ads & trackers in all countries. This is the recommended starter blocklist.
78,795 entries • Updated 17 minutes ago

AdGuard Simplified Domain Names filter
A filter composed of several other filters (English filter, Social media filter, Spyware filter, Mobile Ads filter, EasyList and EasyPrivacy) and simplified specifically to be better compatible with DNS-level ad blocking.
github.com/AdguardTeam/AdguardSDNSFilter • 29,858 entries • Updated 13 hours ago

hpHosts (ATS / Ads & trackers)
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.
hosts-file.net • 45,734 entries • Updated 2 days ago

Steven Black
Extending and consolidating hosts files from several well-curated sources like adaway.org, mvps.org, malwaredomainlist.com, someonewhocares.org, and potentially others.
github.com/StevenBlack/hosts • 51,977 entries • Updated a day ago

Disconnect (Tracking)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 34 entries • Updated 2 days ago

Disconnect (Ads)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 2,701 entries • Updated 2 days ago

CAMELEON
CAMELEON is a free system that helps Internet users or administrators to blocks web-adverts.
sysctl.org/cameleon • 20,568 entries • Updated 2 days ago

Anudeep’s Blacklist
A list of adserving and tracking sites maintained by me. This list will be updated frequently. github.com/anudeepND/blacklist • 38,251 entries • Updated 2 days ago

NSABlocklist
Block all known NSA / GCHQ / C.I.A. / F.B.I. spying servers. Originally based on 2007 published Wikileaks documents and includes my own modifications from 2008, 2012, 2014 and 2015.
github.com/CHEF-KOCH/NSABlocklist • 8,199 entries • Updated 17 minutes ago

EasyList
EasyList is the primary filter list that removes most adverts from international webpages, including unwanted frames, images and objects. It is the most popular list used by many ad blockers and forms the basis of over a dozen combination and supplementary filter lists.
easylist.to • 17,646 entries • Updated 17 minutes ago

Peter Lowe
Blocklist for use with hosts files to block ads.
pgl.yoyo.org/adservers • 3,283 entries • Updated 11 hours ago

notracking
Automatically updated, moderated and optimized list for blocking ads, trackers and other online garbage.

github.com/notracking/hosts-blocklists • 81,155 entries • Updated 7 hours ago

EasyPrivacy
EasyPrivacy is an optional supplementary filter list that completely removes all forms of tracking from the internet, including web bugs, tracking scripts and information collectors, thereby protecting your personal data.
easylist.to • 6,869 entries • Updated 17 minutes ago

AdGuard Mobile Ads filter
Filter that blocks ads on mobile devices. Contains all known mobile ad networks.
kb.adguard.com/general/adguard-ad-filters#mobile-ads-filter • 1,002 entries • Updated 19 hours ago

Fanboy’s Annoyance List
Fanboy’s Annoyance List blocks Social Media content, in-page pop-ups and other annoyances; thereby substantially decreasing web page loading times and uncluttering them.
easylist.to • 1,028 entries • Updated 17 minutes ago

StreamingAds
Streaming services ads sources.
github.com/FadeMind/hosts.extras • 57 entries • Updated 2 days ago

Disconnect (Malvertising)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 2,736 entries • Updated 2 days ago

Goodbye Ads
Specially Designed for Mobile Ad Protection.
github.com/jerryn70/GoodbyeAds • 76,536 entries • Updated 2 days ago

AdGuard Tracking Protection filter
The most comprehensive list of various online counters and web analytics tools. If you do not want your actions on the Internet be tracked, use this filter.
kb.adguard.com/general/adguard-ad-filters#tracking-protection-filter • 5,014 entries • Updated 18 hours ago

AdAway
Blocking mobile ad providers and some analytics providers.
github.com/AdAway/adaway.github.io • 12,176 entries • Updated 2 days ago

WindowsSpyBlocker (Spy)
Block spying and tracking on Windows systems.
github.com/crazy-max/WindowsSpyBlocker • 365 entries • Updated 2 days ago

MVPS HOSTS
Includes entries for most major parasites, hijackers and unwanted Adware/Spyware programs!
winhelp2002.mvps.org/hosts.htm • 10,476 entries • Updated 2 days ago

AdGuard Base filter
Filter that enables removing of the ads from websites with English content.
kb.adguard.com/general/adguard-ad-filters#base-filter • 19,667 entries • Updated an hour ago

someonewhocares.org (Dan Pollock)
Protects you from many types of spyware, reduces bandwidth use, blocks certain pop-up traps, prevents user tracking by way of “web bugs” embedded in spam, provides partial protection to IE from certain web-based exploits and blocks most advertising you would otherwise be subjected to on the internet.
someonewhocares.org/hosts • 14,404 entries • Updated 2 days ago

dbl.oisd.nl
Internet’s #1 domain blocklist. Blocks Ads, Mobile Ads, Phishing, Malvertising, Malware, Tracking, Telemetry, CryptoJacking, Analytics, Spyware, Ransomware, Exploid, Fraud, Abuse, Scam, Spam, Hijack, Misleading Marketing.
oisd.nl • 1,160,440 entries • Updated 5 hours ago

NoTrack Tracker Blocklist
Contains one of the largest compilation of sites associated with tracking your online activities and invading your privacy.
gitlab.com/quidsup/notrack-blocklists • 13,412 entries • Updated 2 days ago

antipopads
List of popads.net domains.
github.com/Yhonay/antipopads • 11,442 entries • Updated a day ago

1Hosts (Complete)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 66,731 entries • Updated 2 days ago

AdGuard Social Media filter
If you do not like numerous «Like» and «Tweet» buttons on all the popular websites on the Internet, subscribe to this filter, and you will not see them anymore.
kb.adguard.com/general/adguard-ad-filters#social-media-filter • 55 entries • Updated 3 hours ago

squidblacklist.org (Ads)
Blocks advertisements and tracking.
www.squidblacklist.org • 552 entries • Updated a month ago

UncheckyAds
Windows installers ads sources.
unchecky.com • 10 entries • Updated 2 days ago

Fanboy’s Enhanced Tracking List
Fanboy’s Enhanced Tracking List blocks common tracking scripts such as Omniture, Webtrends, Foresee, Coremetrics, Google-Analytics, Touchclarity, ChannelIntelligence.
fanboy.co.nz • 151 entries • Updated 2 days ago

EasyList China
EasyList China is an affiliated filter list written by John and Li that specifically removes adverts on Chinese language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 5,818 entries • Updated 17 minutes ago

280blocker
280blocker adblock domain lists.
280blocker.net • 1,059 entries • Updated 2 days ago

Lightswitch05 – Ads & Tracking
A programmatically expanded list of hosts I’ve found to not be on other lists.
www.github.developerdan.com/hosts • 107,013 entries • Updated 21 hours ago

Shalla’s Blacklists (tracker)
Site keeping an eye on where you surf and what you do in a passive. Covers web bugs, counters and other tracking mechanism in web pages that do not interfere with the local computer yet collecting information about the surfing person for later analyis. Sites actively spying out the surfer by installing software or calling home sites are not covered with tracker but with -> spyware.
www.shallalist.de • 1,246 entries • Updated 2 days ago

Shalla’s Blacklists (adv)
All about advertising: This includes sites offering banners and banner creation as well as sites delivering banners to be shown in webpages. Advertising companies are listed, too.
www.shallalist.de • 14,275 entries • Updated 2 days ago

Energized Ultimate
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. Flagship Protection Pack from Energized Protection.
github.com/EnergizedProtection/block • 970,212 entries • Updated 16 hours ago

EasyList Germany
EasyList Germany is a filter list written by the EasyList authors MonztA, Famlam and Khrin that specifically removes adverts on German language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 595 entries • Updated a day ago

CHEF-KOCH’s HOSTS Spotify Ad-Filter List
Blocks all Spotify Ads, easy peasy lemon squeezy!
github.com/CHEF-KOCH/Spotify-Ad-free • 4,041 entries • Updated 2 days ago

add.2o7Net
2o7 Network tracking.
hostsfile.org/hosts.html • 1,286 entries • Updated 2 days ago

Personal Blocklist by WaLLy3K
Content added to this list has been manually verified, and is updated irregularly. firebog.net/about • 753 entries • Updated 2 days ago

EasyList Dutch
EasyList Dutch is an affiliated filter list written by the EasyList author Famlam that specifically removes adverts on Dutch language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 83 entries • Updated 17 minutes ago

Liste FR
Liste FR is an affiliated filter list written by Lian, Crits and smed79 that specifically removes adverts on French language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 5,411 entries • Updated 17 minutes ago

Energized Basic
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An All-Rounder Balanced Protection Pack.
github.com/EnergizedProtection/block • 654,392 entries • Updated 16 hours ago

CertyficateIT
Polish ads filter.
github.com/MajkiIT/polish-ads-filter • 3,128 entries • Updated 8 hours ago

Energized Regional Extension
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An Extension to Block Regional Annoyances.
github.com/EnergizedProtection/block • 64,320 entries • Updated 16 hours ago

Energized Spark
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. True Lite Blocking.
github.com/EnergizedProtection/block • 67,662 entries • Updated 16 hours ago

ABPindo
ABPindo is an affiliated filter list written by hermawan that specifically removes adverts on Indonesian language websites.
github.com/ABPindo/indonesianadblockrules • 594 entries • Updated 2 days ago

Energized Blu
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. A Mid Ranger Flagship Protection Pack.
github.com/EnergizedProtection/block • 330,817 entries • Updated 16 hours ago

EasyList Italy
EasyList Italy is a filter list written by the EasyList author Khrin that specifically removes adverts on Italian language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 204 entries • Updated 17 minutes ago

AdGuard Russian filter
Filter that enables removing of the ads from websites in Russian.
kb.adguard.com/general/adguard-ad-filters#russian-filter • 3,944 entries • Updated an hour ago

Energized Blu Go
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. A Lightweight Mid Ranger Protection Pack.
github.com/EnergizedProtection/block • 131,781 entries • Updated 16 hours ago

RU AdList
Russian supplement for EasyList.
forums.lanik.us/viewforum.php?f=102 • 7,887 entries • Updated 17 minutes ago

yhosts
AD hosts爱好群,群号:201973909;
github.com/vokins/yhosts • 8,940 entries • Updated 2 days ago

EasyList Hebrew
EasyList Hebrew is an affiliated filter list written by BsT that specifically removes adverts on Hebrew language websites.
github.com/easylist/EasyListHebrew • 129 entries • Updated 13 hours ago

EasyList Czech and Slovak
EasyList Czech and Slovak is an affiliated filter list written by tomasko126 that specifically removes adverts on Czech and Slovak language websites.
github.com/tomasko126/easylistczechandslovak • 83 entries • Updated 2 days ago

hostsVN
Hosts block ads of Vietnamese – Hosts chặn quảng cáo của người Việt.
github.com/bigdargon/hostsVN • 18,846 entries • Updated 2 hours ago

Lightswitch05 – Tracking Aggressive
A very aggressive block list for tracking, geo-targeting, & ads. This list will likely break functionality, so do not use it unless you are willing to maintain your own whitelist.
www.github.developerdan.com/hosts • 4,919 entries • Updated 2 days ago

Liste AR
Liste AR is an affiliated filter list written by smed79 and Crits that specifically removes adverts on Arabic language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 85 entries • Updated 17 minutes ago

Bulgarian list
Bulgarian list is an affiliated filter list written by Alex that specifically removes adverts on Bulgarian language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 10 entries • Updated 2 days ago

Latvian List
Latvian List is an affiliated filter list written by anonymous74100 that specifically removes adverts on Latvian language websites.
notabug.org/latvian-list/adblock-latvian • 53 entries • Updated 2 days ago

EasyList Lithuania
EasyList Lithuania is an affiliated filter list written by gymka that specifically removes adverts on Lithuanian language websites.
github.com/EasyList-Lithuania/easylist_lithuania • 19 entries • Updated 2 days ago

Energized Xtreme Extension
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An Extreme Solution for Ultimate Protection.
github.com/EnergizedProtection/block • 32,635 entries • Updated 16 hours ago

hufilter
Block hungarian ads.
github.com/hufilter/hufilter • 149 entries • Updated 2 days ago

Finnish Easylist Addition
Finnish adblock list.
github.com/finnish-easylist-addition/finnish-easylist-addition • 66 entries • Updated 2 days ago

ABPVN List
The ABP advertising filter is built with the mission of improving the browsing experience for users and for the Vietnamese.
abpvn.com • 19,490 entries • Updated 2 hours ago

Frellwit’s Swedish Hosts File
Reduce your exposure to ads, tracking, scams & badware, and occasionally some annoyances on (mostly) Swedish websites.
github.com/lassekongo83/Frellwits-filter-lists • 669 entries • Updated 2 days ago

1Hosts (Pro)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 215,683 entries • Updated 2 days ago

bkrucarci turk-adlist
Ad servers list to block ads on Turkish websites.
github.com/bkrucarci/turk-adlist • 847 entries • Updated 2 days ago

AdAway Blocking Hosts File for Japan
AdAwayで使用可能な、日本環境用 広告除去用hostsを公開します。日本環境用に特化しています。
logroid.github.io/adaway-hosts • 31,809 entries • Updated 2 days ago

Goodbye Ads Ultra
Specially Designed for Mobile Ad Protection. Premium protection.
github.com/jerryn70/GoodbyeAds • 459,196 entries • Updated 2 days ago

ad-wars
只是 ad-wars 的帮助文档
github.com/jdlingyu/ad-wars • 1,548 entries • Updated 2 days ago

1Hosts (mini)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 53,512 entries • Updated 2 days ago

YousList
Block filter for advertisements, mainly on Korean sites.
github.com/yous/YousList • 145 entries • Updated 5 hours ago

No Google Completely block Google and its services. github.com/nickspaargaren/no-google • 302 entries • Updated 2 days ago

That is a lot of protection

Nextdns.io Android Setup

I setup nextdns.io on my Android 10 Device

I installed the official NextDNS app from the Play Store (https://play.google.com/store/apps/details?id=io.nextdns.NextDNS) 

After the app was installed I entered my specified Configuration ID (tip: don’t copy the space on the end of the text) into the In the NextDNS app.

Now I can enable or disable the NextDNS.io protections.

Next DNS App on Androiud (Simple Connect/Disconnect Button)

Options are available in the app but are limited. If you need to change options go to https://my.nextdns.io/

NectDNS.io Android App Settings.

I enabled NextDNS then I tried accessing a mature website.

Access to the site was blocked.

Access to a mature site is blocked

I tried bypassing the invalid HTTP’s certificate.

This too was blocked also.

I opened YouTube and some advertisements were gone but not all (Hello PewDiePie, nice Merch)

NO ads in YouTube

Comments were disabled, Nice. Restricted mode is enabled, this is perfect for my kids (PewDiePie Fans).

NO Comments in YouTube.

I am not against Content Creators making money from Advertisement revenue I am against the privacy issue.  If you love consuming a Content Creators stuff then support them on their Merch store(s).

Windows 10 Setup

Installing on Windows is easy, login to https://my.nextdns.io/ and click on the Windows Button

1. Install the official NextDNS app → https://nextdns.io/download/windows/stable.

Click Next

Agree to the licence agreement

Agree to the licence agreement

Choose an Install location

Choose an Install location

Installing TAP Device (looks like it is from https://openvpn.net/)

Installing TAP Device (looks like it is from https://openvpn.net/)

You need to install the device.

Install Driver Screenshost

2. After installing, right-click on NextDNS icon in the Systray then open the Settings. Set your supplied ###### as Configuration ID found at 

3. Right-click on NextDNS icon in the Systray, then click on Enable.

add your config ID to the setup screen

You can enable or disable the NextDNS service from the Windows system tray

You can enable or disable the NextDNS service from the Windows system tray

You can also Start and Stop the service from the Windows services app

Start stop a service screenshot

Blocking bad sites , YouTube comments etc all work on Windows as they do on Android.

Nextdns.io iPad Setup

If I can get my daughters iPad from her hands I will show the steps.  Basically the same as android but from the Google Play store.

1. Install our official app from the App Store → https://apps.apple.com/app/nextdns/id1463342498

2. Open the app then go to Settings and toggle “Use Custom Configuration”. Enter your Configuration ID 

3. Enable NextDNS in the NextDNS iOS app

Blocking bad sites , YouTube comments etc all work on iOS as they do on Windows and Android.

Analyics (the nest feature)

The best part of NextDNS.io is the superb analytics available.  Because they are a DNS server they can track incoming request(s) from all of my connected computes.

In 2 days my home network made 22,247 queries to the internet, 5684 requests were blocked, I could see the top accessed websites (antivirus and kids games) and a map of where the requests were going.

nextdns.io analytics is awesome.

If the Analytics was not enough I could see all the requests logs.

I filtered all blocked web traffic.

List of web traffic blocked.

The internet is a dumpster fire with all this tracking.

dumpster fire meme

Pricing

Snip from here. “Pricing is completely free during the beta, then free up until about 300,000 DNS queries/month — $1.99/month for unlimited queries. If you decide to stay on the free plan, NextDNS will simply behave like a classic public resolver after reaching the 300,000 queries limit.”

Conclusion

Don’t surf the web without protection. Every parent should install this on their kids machines.

I can’t wait for this product to leave beta, I wan’t this service in my house.

I have not been paid to promote this product.

 

 

 

 

 

Version: v1.2

v1.2 Quick Setup Guide

v1.1 Updated Conclusion and Pricing.

v1.0 Initial Draft

Filed Under: Uncategorized Tagged With: Ads, Allow, Block, DNS, malicious websites, SinkHole, trackers, typo squatting domains

Setup a Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse

March 18, 2019 by Simon

On February 22nd 2017 CAA’s that issue https certificates are required to check what CAA’s are allowed to issue HTTP’s certificates for a website. To limit who can create HTTP’s certificates for your site all you need to do is specify a number of DNS records.

DNSSEC

Before adding DNS CAA records ensure you have enabled DNSSEC for extra security, this is not needed to setup CAA records but it’s a good idea.

DNSSEC Explained

Read my post here on setting up DNSSEC with Cloudflare here.

Namecheap allows you do set DNSSEC with 1 click (making the above guide not required unless you use Cloudflare).

One Click Enable DNS SEC

Testing DNSSEC

First, test DNSSEC on your website here: https://dnssec-analyzer.verisignlabs.com/ (I already have DNSSEC enabled)

I use Namecheap for buying domains and HTTP’s certs (you can buy a new domain here). Namecheap allow you to easily enable DNSSEC and CAA DNS records.

Read Namecheap’s CAA guide here.

Scott Helme tagged a great write up on CAA here.

CAA is probably the best bang for buck you’re going to get! https://t.co/pvThaQ8qFl

— Scott Helme (@Scott_Helme) March 14, 2019

Testing CAA (on your website)

Go to https://dev.ssllabs.com/ssltest/ and scan your website

https://dev.ssllabs.com screenshot showing a domain input box

You will see if CAA is enabled after the https test is complete (scroll past the rating)

https://dev.ssllabs.com scan showing A+

In my case CAA records were not detected.

Adding DNS CAA records at Namecheap

I logged into Namecheap, clicked Manage domain and clicked the Advanced DNS tab

Screenshot showing Namecheap Advanced DNS screen.
I click Add New Record (DNS), then I selected CAA
Screenshot of add NDS CAA record at Namecheap

Here are records for my main domain (allowing Comodo/Sectigo HTTP’s certificates only)

Type, Host, Value, TTL

CAA Record @ 0 issue "comodoca.com" Automatic
CAA Record @ 0 issue "comodo.com" Automatic
CAA Record @ 0 issue "usertrust.com" Automatic
CAA Record @ 0 issue "trust-provider.com" Automatic
CAA Record @ 0 issue "sectigo.com" Automatic

Here is my record allowing a sub domain (allowing Lets Encrypt HTTP’s certificates only)

Type, Host, Value, TTL

CAA Record audit.fearby.com 0 issue "letsencrypt.org" Automatic

It is also possible to setup email alerts of CAA violations where CAA’s support it. I setup a [email protected] email alias.

Type, Host, Value, TTL

CAA Record audit.fearby.com 0 iodef "mailto:[email protected]" Automatic
CAA [email protected] 0 iodef "mailto:[email protected]" Automatic

Image of my final Namecheap DNS config.

Screenshot os Namecheap DNS entries (table below)

Test CAA Records

I visited https://dev.ssllabs.com/ssltest/ and performed a final scan.

CNS CAA Final scan now passes at dev.ssllabs.com

Pass 🙂

I do have real time remote server monitoring reporting on https presence and uptime, read the post here.

Nixstats graphs

Plug(s)

  • Buy a VM, get $25 credit (blog post)
  • Buy a Domain from Namecheap
  • Setup GSuite Email for your domain
  • Setup a WordPress CDN or Image Resizing
  • Setup Realtime Server Monitoring

Warning

I had an issue where I failed to update my DNS (and define a CAA record) for the sub domain used for Nixstat reporting. I was receiving this error.

Connection not private warning.

dev.ssllabs.com was reporting the cert expired?

dev.ssllabs.com ssl report

The awesome chat support (Vincent) over at Nixstats found out it was because I did not have CAA record for the sub domain allowing “letsencrypt.org” to generate certs.

Created CAA record for status.feabry.com (CAA 0 issue "letsencrypt.org"

If you manually renew a Lets Encrypt cert with the following command without a CAA record you will see an error

> certbot -q renew

Error Output

Attempting to renew cert (subdomain.fearby.com) from /etc/letsencrypt/renewal/
subdomain.fearby.com.conf produced an unexpected error: Failed authorization procedure.
subdomain.fearby.com (http-01): urn:acme:error:caa :: CAA record for
subdomain.fearby.com prevents issuance. Skipping.
All renewal attempts failed.

DNS additions and changes take a while to propagate so monitor Whats My DNS for change status

https://www.whatsmydns.net/#CAA/status.fearby.com

Thanks for reading.

For simplicity I have removed all sub domain CAA settings for records and only set global ones

Revision History

v1.2 Troubleshooting

v1.1 Plugs

v1.0 initial Post

Filed Under: Advice, Caa, DNS, DNSSEC, Domain, HTTPS Tagged With: (CAA), Authority, Authorization, cert, Certification, DNS, HTTPS, issue, prevent, record(s), Setup, to

Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare

July 15, 2018 by Simon

This is how I set up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions

If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.

About DNSSEC

Wikipedia has a great write-up on DNSSEC also read the ICANN page on DNSSEC.

Snip “DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”

https://daniellbenway.net has a great video explaining DNSSEC

Handy DNSSEC Links

  • NameCheap – What is DNSSEC.
  • NameCheap – How can I check if DNSSEC is working?
  • Namecheap – Managing DNSSEC
  • dnsviz.net – View my DNSSEC Status
  • Cloudflare – How does DNS Sec Work?
  • IETF RTC 3685 – Delegation Signer (DS) Resource Record (RR)
  • DNSSEC – Domain Name System – Security Extensions

Let’s view my DNSSEC status now

https://dnssec-analyzer.verisignlabs.com/ can help you check your sites DNSSEC status.

DNSSEC Analyzer - https://dnssec-analyzer.verisignlabs.com/

Prerequisites

This guide assumes you have already purchased a domain and set it up with say UpCloud hosting (read my setup guide here).

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

Read my old guide here that I created while setting up Cloudflare on the Vultr host to see how to setup Cloudflare.

Setting up DNSSEC

First I logged into My Namecheap account, selected my domain, selected Advanced DNS and enabled DNSSEC.

Screenshot of Namecheap Advanced DNS page

I can see a number of values for DNSSEC KeyType/Algorithm/Digest Type and Digest. Below are the options in the dropdowns for Algorithm and Digest Type.

DNSSEC Algorithms

DNSSEC Algorithms (RSA, MD5 etc)

DNSSEC Digest Types

DNSSEC Digest Types (SHA etc)

I contacted NameCheap support and they said I needed to contact my UpCloud hosts to get relevant DNSSEC values.

My domain was purchased at NameCheap but by domain routers by Cloudflare DNS.

Namecheap DNS Nameservers pointing to cloudflare

By chance, I logged into my Cloudflare account and noticed they have a DNSSEC section under DNS. Nice.

Screenshot of Cloudflare menu, DNS highlighted.

I enabled DNSSEC

Enable Cloudflare DNSSEC records

Cloudflare offers all the relevant DNSSEC values.

Screenshot of Cloudflare DNSSEC generated Values

I entered these values into Namecheap under Advanced DNS on my domain.

Screenshot fo adding a DNS record at Namecheap

After 5 mins re-ran the DNSSEC Analyzr tool.

Screenshot of http://dnssec-debugger.verisignlabs.com/ Results

Hmmm, Cloudflare seems to think something is wrong 🙁

Screenshot of Cloudflare saying DNSSEC is not configured

I ran a DNS DS Lookup on my site. Everything appears ok.

Screenshot of https://mxtoolbox.com/SuperTool.aspx?action=mx

I re-added the record in Namecheap and waited for 15 mins and this time Cloudflare was happy. Maybe I just needed to wait for DNS replication a little longer?

Screenshot of cloudflare showing DNSSEC is all ok.

I tested my DNS serves with DNS Root Canary

DNS test with https://rootcanary.org/

I tested my site’s DNSSEC with https://zonemaster.iis.se/

Screenshot of https://zonemaster.iis.se/

Done

Skipping Cloudflare

I found that I can simply skip Cloudflare by enabling Premium DNS at Namecheap

Then enabling DNSSEC

Easy (totally independent of Cloudflare)

I hope this guide helps someone.

Please consider using my referral code and get $25 UpCloud VM credit for free.

https://www.upcloud.com/register/?promo=D84793

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

V1.3 Namecheap DNSSEC

V1.2 ICANN DNSSEC link

V1.1 https://daniellbenway.net explainer video.

v1.0 Initial Post

Filed Under: CDN, Cloudflare, DNS, DNSSEC, Domain Tagged With: Cloudflare, DNS, dnssec, namecheap

Using Cloudflare DNS servers to speed up the internet and add privacy on OSX

April 2, 2018 by Simon

Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX

Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/

DNS Performance

You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers

DNS Performance

I check the DNS at my router, I am using ISP provided DNS servers.

Review DNS

Cloudflare DNS

On April Fools 2018 Cloudflare Released a DNS server service.

Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.”

https://1.1.1.1/

Set Cloudflare Nameservers using OSX

Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1

Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.

cat /etc/resolv.conf
#
# macOS Notice
#
# This file is not consulted for DNS hostname resolution, address
# resolution, or the DNS query routing mechanism used by most
# processes on this system.
#
# To view the DNS configuration used by this system, use:
#   scutil --dns
#
# SEE ALSO
#   dns-sd(1), scutil(8)
#
# This file is automatically generated.
#
domain home
nameserver 1.1.1.1
nameserver 1.0.0.1

Troubleshooting: Clear DNS Cache

sudo killall -HUP mDNSResponder

Debug DNS Data

scutil --dns
DNS configuration

resolver #1
  search domain[0] : home
  nameserver[0] : 1.1.1.1
  nameserver[1] : 1.0.0.1
  flags    : Request A records
  reach    : 0x00000002 (Reachable)

resolver #2
  domain   : local
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300000

resolver #3
  domain   : 254.169.in-addr.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300200

resolver #4
  domain   : 8.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300400

resolver #5
  domain   : 9.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300600

resolver #6
  domain   : a.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 300800

resolver #7
  domain   : b.e.f.ip6.arpa
  options  : mdns
  timeout  : 5
  flags    : Request A records
  reach    : 0x00000000 (Not Reachable)
  order    : 301000

DNS configuration (for scoped queries)

resolver #1
  search domain[0] : home
  nameserver[0] : 1.1.1.1
  nameserver[1] : 1.0.0.1
  if_index : 7 (en0)
  flags    : Scoped, Request A records
  reach    : 0x00000002 (Reachable)

Confirm Cloudflare DNS from the OSX Comand line

nslookup www.fearby.com
Server:		1.1.1.1
Address:	1.1.1.1#53

Non-authoritative answer:
Name:	www.fearby.com
Address: 104.27.154.69
Name:	www.fearby.com
Address: 104.27.155.69

Privacy

I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.

Several people have asked me about Cloudflare’s new 1.1.1.1 privacy DNS service. To be clear: it DOES NOT stop your ISPs from collecting your browsing history. ISPs can still see the sites you’re connecting to — even if the site is over HTTPS. You will still send a hostname.

— Zack Whittaker (@zackwhittaker) April 2, 2018

Speed

I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.

Conclusion

I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.

I hope this guide helps someone.

Ask a question or recommend an article

[contact-form-7 id=”30″ title=”Ask a Question”]

Revision History

v1.0 Initial post

Filed Under: DNS Tagged With: add, and, Cloudflare, DNS, internet, on, OSX, privacy, servers, speed, the, to, up, Using

Moving a CPanel domain with email to a self managed VPS and Gmail

August 3, 2017 by Simon

Below is my guide for moving away from NetRegistry CPanel domain to a self-managed server and GSuite email.

I have had www.fearby.com since 1999 on three CPanel hosts (superwerbhost in the US, Jumba in Australia, Uber in Australia (NetRegistry have acquired Uber and performance at the time of writing is terrible)). I was never informed by Uber of the sale but my admin portal was moved from one host to another and each time performance degraded. I tried to speed up WordPress by optimizing images, installing cache plugins but nothing worked, pages were loading in around 24 seconds on https://www.webpagetest.org.

Buy a domain name from Namecheap here.

Domain names for just 88 cents!

I had issues with a CPanel domain on the hosts (Uber/Netregistry) as they were migrating domains and the NetRegstry chat rep said I needed to phone Uber for support. No thanks, I’m going self-managed and saving a dollar.

I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail (I have done this before).  I have setup Digital Ocean VM’s (Ubuntu and Centos), Vultr VM’s and AWS VM’s.

I have also had enough of Resource Limit Reached messages with CPanel and I can’t wait to…

  • not have a slow WordPress.
  • setup my own server (not a slow hosts server).
  • spend $5 less (we currently pay $25 for a CPanel website with 20GB storage total)
  • get a faster website (sub 24 seconds load time).
  • larger email mailboxes (30GB each).
  • Generate my own “SSL Labs A+ rated” certificate for $10 a year instead of $150 a year for an “SSL Labs C rated” SSL certificate from my existing hosts.

Backup

I have about 10 email accounts on my CPanel domain (using 14GB) and 2x WordPress sites.  I want to backup my emails with (Outlook Export and Thunderbird Profile backup) and backup my domain file(s) a few times before I do anything.  Once DNS is set in motion no server waits.

The Plan

Once everything is backed up I intend to setup a $5 a month Vulr VM and redirect all mail to Google G Suite (I have redirected mail before).

I will setup a Vultr web server in Sydney (following my guide here), buy an  SSL certificate from Namecheap and move my WordPress sites.

Rough Plan

  • Reduce email accounts from 10x to 3x
  • Backup emails (twice with ThunderBird and Outlook).
  • Setup A Ubuntu V on Vultr.
  • Signup for Google G Suite Trial.
  • Transfer my domain to Namecheap.
  • Link to domain DNS to Vultr
  • Link to domain MX records to Google Email.
  • Transfer website.
  • Setup emails on google.
  • Restore WordPress.
  • Go live.
  • Downgrade to personal G Suite before the trial expires
  • Close down the old server.

Signing up for Google G Suite

I visited https://gsuite.google.com/ and started creating an account.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

Screenshots of Google G Suite setup

I created a link between G Suite and an existing GMail account.

More screenshots of Google G suite setup

Now I can create the admin account.

Picture of G suite asking how i will log in

Tip: Don’t use any emails that are linked as secondary emails with any Google services (this won’t be allowed). It’s s a well-known issue that you cannot add users emails who are linked to Google services (even as backup emails for Gmail, detach the email before adding it). Read more here.

Google G suite did not like my email provided

Final setup steps.

Final G suite setup screenshots.

Now I can add email accounts to G Suite.

G Suite said im all ready to add users

Adding email users to G Suite.

G Suite adding users

The next thing I had to do was upload a file to my domain to verify I own the domain (DNS verification is also an option).

I must say the setup and verify steps are quite easy to follow on G Suite.

Time to backup our existing CPanel site.

Screenshot of Cpanel users

Backup Step 1 (hopefully I won’t need this)

I decided to grab a complete copy of my CPanel domain with domains, databases and email accounts. This took 24 hours.

CPanel backup screenshot

Backup Step 2 (hopefully I won’t need this)

I download all mail via IMAP in Outlook and Mozilla Thunderbird and export it (Outlook Export and Thunderbird Profile backup). Google have IMAP instructions here.

DNS Changes at Namecheap

I obtained my domain EPP code from my CPanel hosts and transferred the domain name to Namecheap.

Namecheap was even nice enough to set my DNS point to my existing domain so I did not have to rush a move before DNS propagation.

P.S The Namecheap Chat Staff and Namecheap  Mobile App is awesome.

NameCheap DNS

Having backed up everything I logged into Namecheap and set my DNS to “NameCheap BasicDNS” and then went “Advanced DNS” and set appropriate DNS records for my domain. This assumes you have setup a VM with IPV4 and IPV6 (follow my guide here).

  • A Record @ IPV4_OF_MY_VULTR_SERVER
  • A Record www IPV4_OF_MY_VULTR_SERVER
  • A Record ftp IPV4_OF_MY_VULTR_SERVER
  • AAAA Record @ IPV6_OF_MY_VULTR_SERVER
  • AAAA Record www IPV6_OF_MY_VULTR_SERVER
  • AAAA Record ftp IPV6_OF_MY_VULTR_SERVER
  • C Name www fearby.com

The Google G Suite also asked me to add these following MX records to the DNS records.

  • MX Record @ ASPMX.L.GOOGLE.COM. 1
  • MX Record @ ASPMX1.L.GOOGLE.COM. 5
  • MX Record @ ASPMX2.L.GOOGLE.COM. 5
  • MX Record @ ASPMX3.L.GOOGLE.COM. 10
  • MX Record @ ASPMX4.L.GOOGLE.COM. 10

Then it was a matter of telling Google DNS changes were made (once DNS has replicated across the US).

My advice is to set DNS changes before bed as it can take 12 hours.

Sites like https://www.whatsmydns.net/ are great for keeping track of DNS replication.

Transferring WordPress

I logged into the CPanel and exported my WordPress Database (34MB SQL file).

I had to make the following PHP.ini changes to allow the larger file size restore uploads with the Adminer utility (default is 2mb). I could not get the server side adminer.sls.gz option to restore the database?

post_max_size = 50M
upload_max_filesize = 50M

# do change back to 2MB after you restore the files to prevent DOS attacks.

I had to make the following changes to nginx.conf (to prevent 404 errors on the database upload)

client_max_body_size 50M;
# client_max_body_size 2M; Reset when done

I also had to make these changes to NGINX (sites-available/default) to allow WordPress to work

# Add index.php to the list if you are using PHP
	index index.php index.html index.htm;

location / {
        # try_files $uri $uri/ =404;
        try_files $uri $uri/ /index.php?q=$uri&$args;
        index index.php index.html index.htm;
        proxy
}

I had a working MySQL (I followed my guide here).

Adminer is the best PHP MySQL management utility (beats PhpMyAdmin hands down).

Restart NGINX and PHP

nginx -t
nginx -s reload
sudo /etc/init.d/nginx restart
sudo service php7.0-fpm restart

I had an error on database import, a non-descript error in script line 1 (error hint here).

A simple search and replace in the SQL fixed it.

Once I had increased PHP uploads to 50M and Nginx I was able to upload my database backup with Adminer  (just remember to import to the created database that matches. the wp-config.php. Also, ensure your WordPress content is in place too.

The only other problem I had was WordPress gave an “Error 500” so moved   few plugins an all was good.

Importing Old Email

I was able to use the Google G Suite tools to import my old Mail (CPanel IMAP to Google IMAP).

Import IMAP mail to GMail

I love root access on my own server now, goodbye CPanel “Usage Limit Exceeded” errors (I only had light traffic on my site).

My self-hosted WordPress is a lot snappier now, my server has plenty of space (and only costs $0.007c and hour for 1x CPU, 1GB ram, 25GB SSD storage and 1000GB data transfer quota). I use the htop command to view system processor and disk space usage.

I can now have more space for content and not be restricted by tight hosts disk quotas or slow shared servers.  I use the pydf command to view dis space.

pydf
Filesystem Size  Used

Avail

 Use%                                                    Mounted on
/dev/vda1   25G 3289M

20G

 13.1 [######..........................................] /
/www/wp-content#

I use ncdu to view folder usage.

Installing ncdu

sudo apt-get install ncdu
Reading package lists... Done
Building dependency tree
Reading state information... Done
ncdu is already the newest version (1.11-1build1).
0 upgraded, 0 newly installed, 0 to remove and 58 not upgraded.

Type ncdu in the folder you want to browse under.

ncdu

You can arrow up and down folder structures and view folder/file usage.

SSL Certificate

I am setting up a new multi year SS cert now, I will update this guide later.  I had to read my SSL guide with Digital Ocean here.

I generated some certificate on my server

cd ~/
kdir sslcsrmaster4096
cd sslcsrmaster4096/
openssl req -new -newkey rsa:4096 -nodes -keyout domain.key -out domain.csr

Sample output for  a new certificate

openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr
Generating a 4096 bit RSA private key
.................................................................................................++
......++
writing new private key to 'dummy.key'
-----
You are about to be asked to enter information that will be incorporated
into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]: AU
State or Province Name (full name) [Some-State]: NSW
Locality Name (eg, city) []:Tamworth
Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org
Organizational Unit Name (eg, section) []: Dummy Org Dept
Common Name (e.g. server FQDN or YOUR name) []: DummyOrg
Email Address []: [email protected]

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []: password
An optional company name []: DummyCO
[email protected]:~/sslcsrmaster4096# cat dummy.csr
-----BEGIN CERTIFICATE REQUEST-----
MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV
BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15
IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA
ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl
+gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+
shortenedoutput
swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A=
-----END CERTIFICATE REQUEST-----

I then uploaded the certificate to Namecheap for an SSL cert registration.

I selected DNS C Name record as a way to verify I own my domain.

I am now waiting for Namecheap to verify my domain

End of the Google G Suite Business Trial

Before the end of the 14-day trial, you will need to add billing details to keep the email working.

At this stage, you can downgrade from a $10/m business account per user to a $5/m per user account if you wish. The only loss would be storage and google app access.

Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm

Before your trial ends, add your payment details and downgrade from $10/user a month business prices to $5/iser a month individual if needed.

G Suite Troubleshooting

I was able to access new G Suite email account via gmail.com but not via Outlook 2015? I reset the password, followed the google troubleshooting guide and used the official incoming and outgoing settings but nothing worked.

troubleshooting 1

Google phone support suggested I enable less secure connection settings as Google firewall may be blocking Outlook. I know the IMAP RFC is many years old but I doubt Microsoft are talking to G Suite in a lazy manner.

Now I can view my messages and I can see one email that said I was blocked by the firewall. Google phone support and faqs don’t say why Outlook 2015 SSL based IMAP was blocked?

past email

Conclusion

Thanks to my wife who put up with my continual updates over the entire domain move. Voicing the progress helped me a lot.

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

V1.8 added ad link

Filed Under: Advice, DNS, MySQL, OS, Server, Ubuntu, VM, Vultr, Website, Wordpress Tagged With: C Name, DNS, gmail, mx, server, ubuntu, vm, VPS, Vulty

Setting up a Digital Ocean Droplet as a sub domain on an AWS Domain

July 15, 2017 by Simon

This guide hopes to show you how to set up a Digital Ocean Droplet (server) as a Sub Domain on an existing AWS domain. I am setting up a Digital Ocean Domain as a subdomain (both existing) and using the subdomain (Digital Ocean server) as a self-service status page. I have set up both domains with SSL certificates and strong Content Security Policies and Public Key Pinning.

Read this newer post on setting up Subdomains.

DO: Obtain the IP addresses for your Digital Ocean Droplet (that will be the subdomain). If you don’t already have a Digital Ocean Droplet click here (and get 2 months free).

Login to your AWS Console for the parent domain. I have a guide on setting up an AWS domain here and Digital Ocean Domain here.

This AWS guide was a handy start Creating a Subdomain That Uses Amazon Route 53 as the DNS Service without Migrating the Parent Domain.

From the AWS Route 53 screen, I clicked Get started now.

From here you can Create a Hosted Zone.

Create a Hosted Zone.

A subdomain can be created on AWS Route 53.

I created a route 53 A Name record and pointed it to a known Digital Ocean droplet IP address.

I created an A Name record on Digital Ocean for the droplet (e.g status.______.com).

I created an IPV6 (AAAA) record on Digital Ocean for the droplet?

I could not ping the server so I added the digital ocean name servers to the route 53 record set out of desperation.

Final Route information on AWS.

Hmm, nothing works as of yet.

https://www.whatsmydns.net is not showing movement yet.

Time to contact AWS for advice.

I tried to post a help post on the AWS forums but apparently, a user who has been paying AWS for 6 months does not have the right to post a new forum thread.

I posted a few helpful questions on twitter and I’ll try these out tonight.

Replies

And…

Thanks, guys, I’ll try these tonight and update this post.

I created a recordset for the parent domain on AWS and A record for the Digital Ocean subdomain with no luck.

This post will be updated soon.

Read my guide on Securing an Ubuntu VM with a free LetsEncrypt SSL certificate in 1 Minute.

v1.9 added info on let’s encrypt (10:38pm 29th July 2017 AEST)

Donate and make this blog better




Ask a question or recommend an article
[contact-form-7 id=”30″ title=”Ask a Question”]

Filed Under: AWS, Digital Ocean, DNS, Route53 Tagged With: AWS, digital ocean, DNS

Primary Sidebar

Poll

What would you like to see more posts about?
Results

Support this Blog

Create your own server today (support me by using these links

Create your own server on UpCloud here ($25 free credit).

Create your own server on Vultr here.

Create your own server on Digital Ocean here ($10 free credit).

Remember you can install the Runcloud server management dashboard here if you need DevOps help.

Advertisement:

Tags

2FA (9) Advice (17) Analytics (9) App (9) Apple (10) AWS (9) Backup (21) Business (8) CDN (8) Cloud (49) Cloudflare (8) Code (8) Development (26) Digital Ocean (13) DNS (11) Domain (27) Firewall (12) Git (7) Hosting (18) HTTPS (6) IoT (9) LetsEncrypt (7) Linux (20) Marketing (11) MySQL (24) NGINX (11) NodeJS (11) OS (10) PHP (13) Scalability (12) Scalable (14) Security (44) SEO (7) Server (26) Software (7) SSH (7) ssl (17) Tech Advice (9) Ubuntu (39) Uncategorized (23) UpCloud (12) VM (44) Vultr (24) Website (14) Wordpress (25)

Disclaimer

Terms And Conditions Of Use All content provided on this "www.fearby.com" blog is for informational purposes only. Views are his own and not his employers. The owner of this blog makes no representations as to the accuracy or completeness of any information on this site or found by following any link on this site. Never make changes to a live site without backing it up first.

Advertisement:

Footer

Popular

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • I moved my domain to UpCloud (on the other side of the world) from Vultr (Sydney) and could not be happier with the performance.
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Add Google AdWords to your WordPress blog

Security

  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Setup two factor authenticator protection at login on Ubuntu or Debian
  • Using the Yubico YubiKey NEO hardware-based two-factor authentication device to improve authentication and logins to OSX and software
  • Setting up DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare
  • Set up Feature-Policy, Referrer-Policy and Content Security Policy headers in Nginx
  • Securing Google G Suite email by setting up SPF, DKIM and DMARC with Cloudflare
  • Enabling TLS 1.3 SSL on a NGINX Website (Ubuntu 16.04 server) that is using Cloudflare
  • Using the Qualys FreeScan Scanner to test your website for online vulnerabilities
  • Beyond SSL with Content Security Policy, Public Key Pinning etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Run an Ubuntu VM system audit with Lynis
  • Securing Ubuntu in the cloud
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider

Code

  • How to code PHP on your localhost and deploy to the cloud via SFTP with PHPStorm by Jet Brains
  • Useful Java FX Code I use in a project using IntelliJ IDEA and jdk1.8.0_161.jdk
  • No matter what server-provider you are using I strongly recommend you have a hot spare ready on a different provider
  • How to setup PHP FPM on demand child workers in PHP 7.x to increase website traffic
  • Installing Android Studio 3 and creating your first Kotlin Android App
  • PHP 7 code to send object oriented sanitised input data via bound parameters to a MYSQL database
  • How to use Sublime Text editor locally to edit code files on a remote server via SSH
  • Creating your first Java FX app and using the Gluon Scene Builder in the IntelliJ IDEA IDE
  • Deploying nodejs apps in the background and monitoring them with PM2 from keymetrics.io

Tech

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Is OSX Mojave on a 2014 MacBook Pro slower or faster than High Sierra
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • The case of the overheating Mac Book Pro and Occam’s Razor
  • Useful Linux Terminal Commands
  • Useful OSX Terminal Commands
  • Useful Linux Terminal Commands
  • What is the difference between 2D, 3D, 360 Video, AR, AR2D, AR3D, MR, VR and HR?
  • Application scalability on a budget (my journey)
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.

Wordpress

  • Replacing Google Analytics with Piwik/Matomo for a locally hosted privacy focused open source analytics solution
  • Setting web push notifications in WordPress with OneSignal
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..
  • Check the compatibility of your WordPress theme and plugin code with PHP Compatibility Checker
  • Add two factor auth login protection to WordPress with YubiCo hardware YubiKeys and or 2FA Authenticator App
  • Monitor server performance with NixStats and receive alerts by SMS, Push, Email, Telegram etc
  • Upgraded to Wordfence Premium to get real-time login defence, malware scanner and two-factor authentication for WordPress logins
  • Wordfence Security Plugin for WordPress
  • Speeding up WordPress with the ewww.io ExactDN CDN and Image Compression Plugin
  • Installing and managing WordPress with WP-CLI from the command line on Ubuntu
  • Moving WordPress to a new self managed server away from CPanel
  • Moving WordPress to a new self managed server away from CPanel

General

  • Backing up your computer automatically with BackBlaze software (no data limit)
  • How to back up an iPhone (including photos and videos) multiple ways
  • US v Huawei: The battle for 5G
  • Using the WinSCP Client on Windows to transfer files to and from a Linux server over SFTP
  • Connecting to a server via SSH with Putty
  • Setting web push notifications in WordPress with OneSignal
  • Infographic: So you have an idea for an app
  • Restoring lost files on a Windows FAT, FAT32, NTFS or Linux EXT, Linux XFS volume with iRecover from diydatarecovery.nl
  • Building faster web apps with google tools and exceed user expectations
  • Why I will never buy a new Apple Laptop until they fix the hardware cooling issues.
  • Telstra promised Fibre to the house (FTTP) when I had FTTN and this is what happened..

Copyright © 2023 · News Pro on Genesis Framework · WordPress · Log in

Some ads on this site use cookies. You can opt-out if of local analytics tracking by scrolling to the bottom of the front page or any article and clicking "You are not opted out. Click here to opt out.". Accept Reject Read More
GDPR, Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled
Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.
Non-necessary
Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.
SAVE & ACCEPT