IoT, Code, Security and Server Stuff
Views are my own and not my employer's.
Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole. See how I set one up.
Read the full article here: https://fearby.com/article/setting-up-a-raspberry-pi-as-a-dns-sinkhole-to-block-ads-and-trackers/
Snip from WikiPedia: “Pi-hole is a Linux network-level advertisement and Internet tracker blocking application which acts as a DNS sinkhole (and optionally a DHCP server), intended for use on a private network. It is designed for use on embedded devices with network capability, such as the Raspberry Pi, but it can be used on other machines running Linux and cloud implementations. Pi-hole has the ability to block traditional website advertisements as well as advertisements in unconventional places, such as smart TVs and mobile operating system advertisements.”
A Raspberry PI is an inexpensive (5V Volt, 2 Amp) ARM based computer that can run off the power from a USB cable.
Here is a photo of my Raspberry Pi 3B+ with an Adafruit LCD Screen
My Raspberry Pi has the following specifications
My screen has the following specifications (purchased from Pakronics)
I plugged in a full sized USB Keyboard, Mouse and HDMI cable.
Read my guide to download and write an Raspberry Pi Operating System to an SD card.
I would not put a cheap/slow MicroSD card in the Raspberry PI, aim for at least a UHS (1) or UHS (3) speed SD card for the best bang for buck.
fyi: I bought a new 32GB Samsung UHS 1 Ultra Micro SD card and it died after 12 hours of use. I replaced it with another 32GB No name brand CLASS 10 SD Card I had laying around.
I download and saved the Raspian (Full) Operating System to a SD Card and inserted it into my Raspberry PI 3B+ (view the guide here on preparing an Operating System on a SD card).
I used the American 110-240V AC to 5.25V 2500ma DC power supply (with a US to AUS adaptor) that came with the Adafruit Screen. It had a Micro USB connection on one end.
It did not work though (I just had a flashing red light on the Raspberry Pi).
I had an Australian 240V AC to 5V 2500ma DC power supply to Micro USB. from a previous project and it worked (the Raspberry Pi Started up).
I also have a number of Moki brand 240V to USB (1A and 2.4A) adapters.
I will use the 2.4mA plug. I know my Adafruit screen uses 100mA so this will do.
I plugged the HDMI cable into my Monitor and set up the HDMI as a Picture in Picture output so I can see my Main 4K screen (Display Port) and the Raspberry Pi HDMI input at the same time.
Mmmm my 4K screen with a 1080P HDMI picture in picture image (from the Raspberry Pi).
The Raspberry Pi booted fast and a welcome screen appeared
Apologies in advance, photos below are bad (I don’t have a HDMI capture card).
I clicked Next to setup the Raspberry PI
I set my timezone and language
I set a password
I skipped connecting to WiFi (I want pure Ethernet)
I was prompted to update the software
Setup is complete
I rebooted the Raspberry Pi
I changed further configuration by clicking the Raspberry Pi start button then Preferences then Raspberry PI Configuration
I changed the hostname to “raspberrypihole”, set Boot to CLI , Login as “pi“, and set Wait for network.
Update: After my Samsung SD card died I re setup my PI with a no name brand SD card and entered the name “raspberrypihole“
Under display I reviewed the display options
I enabled SSH, SPI and I2C.
I increased the GPU memory to 132GB
Time for a Reboot
I do not want to leave a keyboard, mouse and screen connected once I finish setting it up so I setup a SSH connection to the Raspberry Pi.
TIP: Putty is a free program for SSH connections.
I SSH’ed (more information on SSH below) to the Raspberry Pi and ran these commands to update it’s software and firmware.
sudo apt-get update && sudo apt-get upgradeOutput
[email protected]:~ $ sudo apt-get update && sudo apt-get upgrade
Hit:1 http://archive.raspberrypi.org/debian buster InRelease
Hit:2 http://raspbian.raspberrypi.org/raspbian buster InRelease
Reading package lists... Done
Reading package lists... Done
Building dependency tree
Reading state information... Done
Calculating upgrade... Done
0 upgraded, 0 newly installed, 0 to remove and 0 not upgraded.
The program “htop” is good for viewing system resources.
Now it’s time to look at the Adafruit screen and case.
I purchased this kit for the Raspberry Pi, the LCD screen just connects to the Raspberry Pi GPIO pins. It has a Adafruit LCD screen and a case for my Raspberry Pi 3B+
The screen just connects onto the GPIO pins
The LCD screen allows you to use pins below the screen.
GPIO pins documentation from https://www.raspberrypi.org/documentation/usage/gpio/
A nice stack 🙂
The case clips are hard to clip over the Raspberry Pi (Don’t force it or you might break for Pi)
The case clip near the GPIO pins is on
The clip near the power plug was off because the Raspberry Pi was not positioned correctly
After 30 minutes I carefully put the Raspberry Pi and LCD screen into the Case.
Side of the case with USB and Ethernet and USB porws exposed.
HDMI, Power and Audio plugs are visible and lined up 🙂
The screen is visible through the case
The screen dips down on one side, I might have to prop it up (hot glue gun) a bit inside later
I created a SSH connection to my Raspberry PI with Putty
I created a SSH connection to the Raspberry Pi and connected to it.
I ran the “ifconfig” command to get a list of all network interfaces.
I ran “ifconfig” to list all network interfaces.
I ran these commands to update my Raspberry PI Software
I updated the Pi Firmware too (this is dangerous, only update if you have issues).
I rebooted and connected to the Raspberry Pi and ran this command to get the Ethernet and wireless mac address.
The first interface is my Ethernet adopter the second if the WiFi adaptor.
ifconfig |grep ether
ether b8:27:eb:d9:00:86 txqueuelen 1000
ether b8:27:eb:8c:55:d3 txqueuelen 1000The first Mac address is my Ethernet address on The Raspberry PI and the second is WiFi.
I logged into my router (Telstra DJA0230) and clicked Advanced then Local Network. I could see my DHCP range was from 192.168.0.2 to 192.168.0.254, I shortened this to 192.168.0.2 to 192.168.0.200 (so I can set a static IP Address for the Raspberry PI) then I set a Static IP address for the Raspberry pi to 192.168.0.201.
I rebooted the Raspberry PI and checked the IP address
I logged into my Router (at https://192.168.0.1)
When my Samsung SD card died I had to re-setup a new SD card but the IP address came across as the mac address stayed the same (as it was the same hardware), I did however change the name of the Static IP hostname in my home router to match the new name “raspberrypihole” (not “pihole”)
I set a static IP for this Ethernet address and defined 192.168.0.201 as the IP address.
I SSH’ed to my Raspberry Pi (with the new IP address) and ran this command
Now its time to install Pi Hole onto My Raspberry Pi
curl -sSL https://install.pi-hole.net | bashI received a Root user error
I read this guide on temporarily allowing root logins then rebooted my Pi and connected again as root. Running as root is not a good idea long term buy it works and my location is secure.
I logged in as root and checked my username
# whoami
rootI re-ran this command to restart the PiHole Setup
curl -sSL https://install.pi-hole.net | bashRoot user is found
Available packages are downloaded
Confirmation warning.
PiHole is free, consider donating.
I donated. Thanks
This will pay for itself in no time.
Static IP address is required.
I chose to just have PiHole work on Ethernet (and not Wifi)
I was prompted to set my upstream DNS provider.
I selected all default blacklist lists.
I allowed PiHole to use IPv4 and IPv6.
My IP and Gateway was displayed on the screen.
Final warning about setting a static IP address.
The PiHole IPv6 address is show
Install a web server (Yes)
I chose to log all DNS queries.
I oped to allow the viewing of all logged data. This is less secure but I can reduce this later.
The PiHole setup resumed and PiHole was downloaded from GitHub.
A progress bar displayed the install status.
A PiHole admin URL and Password was displayed (write this down)
I loaded the PiHole initial admin screen (http://192.168.0.201/admin/) and it was a bit empty.
I login and logged in.
I had better uninstall the nextdns.io (my blog post about NextDNS.io here) as the Pi will now be the main DNS blocking Sinkhole in our house.
The Raspberry Pi Pi Hole service was up and waiting for connections
On my Windows 10 PC I added the DNS server for the PiHole in IPV4 and IPV6.
I obtained the PiHole IPV4 and IPV6 addresses (1) PiHole Admin, 2) Pi Hole Settings Page, 3) IP Address)
I added the Pi Holes IPV4 IP address to my Windows 10 IP Settings.
I added the Pi Holes IPV6 IP address to my Windows 10 IP Settings.
After 18 hours the Pi Hole Admin interface (at http://192.168.0.201/admin/index.php) was reporting stats.
I can view stats for Protocol and answered queries
I can also see stats for permitted and blocked domains
I can also see the source blocked domains
I added these block lists to my PiHole list of sites to block (Thanks Jol)
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://v.firebog.net/hosts/Airelle-trc.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://gist.githubusercontent.com/anudeepND/adac7982307fec6ee23605e281a57f1a/raw/5b8582b906a9497624c3f3187a49ebc23a9cf2fb/Test.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://hosts-file.net/ad_servers.txt
https://hosts-file.net/emd.txt
https://hosts-file.net/exp.txt
https://hosts-file.net/grm.txt
https://hosts-file.net/psh.txt
https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt
https://mirror1.malwaredomains.com/files/justdomains
https://mirror.cedia.org.ec/malwaredomains/immortal_domains.txt
http://someonewhocares.org/hosts/hosts
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://ransomwaretracker.abuse.ch/downloads/CW_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/LY_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TC_C2_DOMBL.txt
https://ransomwaretracker.abuse.ch/downloads/TL_C2_DOMBL.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/win10/spy.txt
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.2o7Net/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Risk/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/add.Spam/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/data/KADhosts/hosts
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://raw.githubusercontent.com/ZeroDot1/CoinBlockerLists/master/hosts
https://reddestdream.github.io/Projects/MinimalHosts/etc/MinimalHostsBlocker/minimalhosts
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Airelle-hrsk.txt
https://v.firebog.net/hosts/Easylist.txt
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Prigent-Phishing.txt
https://v.firebog.net/hosts/Shalla-mal.txt
https://v.firebog.net/hosts/static/SamsungSmart.txt
https://v.firebog.net/hosts/static/w3kbl.txt
https://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.squidblacklist.org/downloads/dg-malicious.acl
http://sysctl.org/cameleon/hosts
https://zerodot1.gitlab.io/CoinBlockerLists/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
http://www.joewein.net/dl/bl/dom-bl.txt
http://www.networksec.org/grabbho/block.txt
I updated all block lists
I now have the PiHole blocking 945,481 domains
I followed thin guide to setup the screen.
I can this code from the pi (logged in as root)
cd ~
wget https://raw.githubusercontent.com/adafruit/Raspberry-Pi-Installer-Scripts/master/adafruit-pitft.sh
chmod +x adafruit-pitft.sh
sudo ./adafruit-pitft.shI edited /boot/config.txt and changed these values
framebuffer_width=320
framebuffer_height=240I was prompted to choose a screen
Select configuration:
1. PiTFT 2.4", 2.8" or 3.2" resistive (240x320)
2. PiTFT 2.2" no touch (240x320)
3. PiTFT 2.8" capacitive touch (240x320)
4. PiTFT 3.5" resistive touch (320x480)
5. PiTFT Mini 1.3" or 1.54" display (240x240)
6. MiniPiTFT 1.14" display (240x135) - WARNING! CUTTING EDGE! WILL UPGRADE YOUR KERNEL TO LATEST
7. Quit without installing
SELECT 1-7:I entered “3” for PiTFT 2.8″ capacitive touch (240×320)
I then was prompted to set the rotation of the screen
Select rotation:
1. 90 degrees (landscape)
2. 180 degrees (portait)
3. 270 degrees (landscape)
4. 0 degrees (portait)
SELECT 1-4: I entered “3” for 270 degrees (landscape).
I was prompted to allow the console to appear on the screen
Would you like the console to appear on the PiTFT display? [y/n]
yI rebooted
Reboot [y/n]
yI followed this guide to install PADD (the software that displays the PiHole stats on the LCD screen)
cd ~
wget -N https://github.com/jpmck/PADD/files/4320681/padd.txt
rename padd.txt paddsimon.sh
chmod +x paddsimon.shEdit this file
sudo nano ~/.bashrcand add the following to the end of the file
# Run PADD
# If we're on the PiTFT screen (ssh is xterm)
if [ "$TERM" == "linux" ] ; then
while :
do
/root/paddsimon.sh
sleep 0.2
done
fi
I rebooted the PI.
I created a bash script with this contents to turn the screen off
#!/bin/bash
gpio -g pwm 18 0I created a bash script with this contents to turn the screen on
#!/bin/bash
gpio -g pwm 18 1023I ran the following command to update the PiHole block lists
pihole -gOutput…
[i] Pi-hole blocking is enabled
[i] Neutrino emissions detected...
[✓] Pulling blocklist source list into range
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: mirror1.malwaredomains.com (justdomains)
[✓] Status: No changes detected
[i] Target: sysctl.org (hosts)
[✓] Status: No changes detected
[i] Target: s3.amazonaws.com (simple_tracking.txt)
[✓] Status: No changes detected
[i] Target: s3.amazonaws.com (simple_ad.txt)
[✓] Status: No changes detected
[i] Target: hosts-file.net (ad_servers.txt)
[✓] Status: No changes detected
[i] Target: raw.githubusercontent.com (ytadblock.txt)
[✓] Status: Retrieval successful
[i] Target: v.firebog.net (Easyprivacy.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Prigent-Ads.txt)
[✓] Status: No changes detected
[i] Target: gitlab.com (notrack-blocklist.txt)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (spy.txt)
[✓] Status: Retrieval successful
[i] Target: www.github.developerdan.com (ads-and-tracking-extended.txt)
[✓] Status: Retrieval successful
[i] Target: hostfiles.frogeye.fr (firstparty-trackers-hosts.txt)
[✓] Status: Retrieval successful
[i] Target: hostfiles.frogeye.fr (multiparty-trackers-hosts.txt)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (android-tracking.txt)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (SmartTV.txt)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (AmazonFireTV.txt)
[✓] Status: Retrieval successful
[i] Target: v.firebog.net (Airelle-trc.txt)
[✓] Status: No changes detected
[i] Target: bitbucket.org (Mandiant_APT1_Report_Appendix_D.txt)
[✓] Status: No changes detected
[i] Target: gist.githubusercontent.com (Test.txt)
[✓] Status: Retrieval successful
[i] Target: gitlab.com (notrack-malware.txt)
[✓] Status: Retrieval successful
[i] Target: hosts-file.net (emd.txt)
[✓] Status: No changes detected
[i] Target: hosts-file.net (exp.txt)
[✓] Status: No changes detected
[i] Target: hosts-file.net (grm.txt)
[✓] Status: No changes detected
[i] Target: hosts-file.net (psh.txt)
[✓] Status: No changes detected
[i] Target: isc.sans.edu (suspiciousdomains_Medium.txt)
[✓] Status: Retrieval successful
[i] Target: mirror.cedia.org.ec (immortal_domains.txt)
[✓] Status: No changes detected
[i] Target: someonewhocares.org (hosts)
[✓] Status: No changes detected
[i] Target: phishing.army (phishing_army_blocklist_extended.txt)
[✓] Status: Retrieval successful
[i] Target: ransomwaretracker.abuse.ch (CW_C2_DOMBL.txt)
[✓] Status: Retrieval successful
[i] Target: ransomwaretracker.abuse.ch (LY_C2_DOMBL.txt)
[✓] Status: Retrieval successful
[i] Target: ransomwaretracker.abuse.ch (RW_DOMBL.txt)
[✓] Status: Retrieval successful
[i] Target: ransomwaretracker.abuse.ch (TC_C2_DOMBL.txt)
[✓] Status: Retrieval successful
[i] Target: ransomwaretracker.abuse.ch (TL_C2_DOMBL.txt)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (spy.txt)
[✗] Status: Not found
[✗] List download failed: no cached list available
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (hosts)
[✓] Status: Retrieval successful
[i] Target: raw.githubusercontent.com (hosts)
[✗] Status: Not found
[✗] List download failed: no cached list available
[i] Target: reddestdream.github.io (minimalhosts)
[✓] Status: No changes detected
[i] Target: s3.amazonaws.com (simple_malvertising.txt)
[✓] Status: Retrieval successful
[i] Target: v.firebog.net (AdguardDNS.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Airelle-hrsk.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Easylist.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Prigent-Malware.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Prigent-Phishing.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (Shalla-mal.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (SamsungSmart.txt)
[✓] Status: No changes detected
[i] Target: v.firebog.net (w3kbl.txt)
[✓] Status: No changes detected
[i] Target: www.malwaredomainlist.com (hosts.txt)
[✓] Status: No changes detected
[i] Target: www.squidblacklist.org (dg-malicious.acl)
[✗] Status: Connection Timed Out (Cloudflare)
[✗] List download failed: no cached list available
[i] Target: zerodot1.gitlab.io (hosts)
[✓] Status: No changes detected
[i] Target: zeustracker.abuse.ch (blocklist.php?download=domainblocklist)
[✓] Status: Retrieval successful
[i] Target: www.joewein.net (dom-bl.txt)
[✓] Status: Retrieval successful
[i] Target: www.networksec.org (block.txt)
[✓] Status: Retrieval successful
[i] Received empty file: using previously cached list
[✓] Consolidating blocklists
[✓] Extracting domains from blocklists
[i] Number of domains being pulled in by gravity: 1178534
[✓] Removing duplicate domains
[i] Number of unique domains trapped in the Event Horizon: 954486
[i] Number of whitelisted domains: 2
[i] Number of blacklisted domains: 0
[i] Number of regex filters: 0
[✓] Parsing domains into hosts format
[✓] Cleaning up stray matter
[✓] Force-reloading DNS service
[✓] DNS service is running
[✓] Pi-hole blocking is Enabled
I can view all possible command line options by running
pihole /?Output..
Usage: pihole [options]
Example: 'pihole -w -h'
Add '-h' after specific commands for more information on usage
Whitelist/Blacklist Options:
-w, whitelist Whitelist domain(s)
-b, blacklist Blacklist domain(s)
--wild, wildcard Wildcard blacklist domain(s)
--regex, regex Regex blacklist domains(s)
Add '-h' for more info on whitelist/blacklist usage
Debugging Options:
-d, debug Start a debugging session
Add '-a' to enable automated debugging
-f, flush Flush the Pi-hole log
-r, reconfigure Reconfigure or Repair Pi-hole subsystems
-t, tail View the live output of the Pi-hole log
Options:
-a, admin Web interface options
Add '-h' for more info on Web Interface usage
-c, chronometer Calculates stats and displays to an LCD
Add '-h' for more info on chronometer usage
-g, updateGravity Update the list of ad-serving domains
-h, --help, help Show this help dialog
-l, logging Specify whether the Pi-hole log should be used
Add '-h' for more info on logging usage
-q, query Query the adlists for a specified domain
Add '-h' for more info on query usage
-up, updatePihole Update Pi-hole subsystems
Add '--check-only' to exit script before update is perfo rmed.
-v, version Show installed versions of Pi-hole, Web Interface & FTL
Add '-h' for more info on version usage
uninstall Uninstall Pi-hole from your system
status Display the running status of Pi-hole subsystems
enable Enable Pi-hole subsystems
disable Disable Pi-hole subsystems
Add '-h' for more info on disable usage
restartdns Restart Pi-hole subsystems
checkout Switch Pi-hole subsystems to a different Github branch
Add '-h' for more info on checkout usage
After 1 week stats were rolling into the PIHole.
40% of all traffic was being blocked.
I could see blocked and allowed domain calls
I can white list domains if they are blocked.
This is what it looks like done
PiHole stats on the LCD screen
View of the pi from the left hand side
View of the pi from the right hand side
Nice
After 2 months the PiHole served 266,737 DNS requests. 95,268 requests were blocked (13,000 ad’s, tens of thousands of trackers.
Mostly yes. Not all advertisements are blocked but most are.
Some YouTube Advertisements seem to get through but I am seeing far less Advertisements in web pages
I needed to white list “events.gfe.nvidia.com” to allow my video card drivers to upodate.
The Raspberry Pi is running cool at 47c (even though it is in a tight space).
I might add a heat pipe to it and have an external fan. I will thermal epoxy the hat pipe to the Pi CPU and run it outside to a external heat sink and fan.
I have many spare heat sinks laying around.
I will update when the part’s arrive.
I did exit my /boot/config.txt to rotate my LCD Screen orientation
Read this guide to see how I setup a Python script to make my buttons work.
Do edit your /boot.config.txt to configure your screen rotation (if need be) and to check if the LCD screen is setup (by Adafruit)
framebuffer_width=240
framebuffer_height=320
# --- added by adafruit-pitft-helper Sun 8 Mar 2020 12:29:49 AM AEDT ---
dtparam=spi=on
dtparam=i2c1=on
dtparam=i2c_arm=on
dtoverlay=pitft28-capacitive,speed=64000000,fps=30
dtoverlay=pitft28-capacitive,rotate=270,touch-swapxy=true,touch-invy=true
# --- end adafruit-pitft-helper Sun 0 Mar 2020 12:29:49 AM AEDT ---
Handy Guide: https://learn.adafruit.com/pi-hole-ad-pitft-tft-detection-display/pitft-configuration to configure the LCD Screen
Schematics of the screen: https://learn.adafruit.com/assets/25555
Donate to PiHole: https://pi-hole.net/donate/
Raspberry Pi GPIO Pins: https://www.raspberrypi.org/documentation/usage/gpio/
v 1.2
I was going to setup a local (in my house) PiHole (with a Raspberry PI) that blocks internet trackers (DNS Sinkhole) and Advertisements (yes, like the ones on my website) because I don’t want my kids consuming a bucket loads of Advertisements online when they watch YouTube.
I am against online trackers and big data building a profiles on kids that are 6 and 10 years old. I have stopped using Facebook, Twitter and stopped using Google Analytics on this website.
I demo’ed to my son about the big data sucking up his data by looking at an IT retailer here in Australia for a random computer product then a few seconds later we looked as news sites (with Advertisements) in the UK and the US and to his surprise Advertisements for the randomly selected product in Australia was on his screen (sent from the other side of the world).
I am not against Content Creators making money from Advertisement revenue I am against the privacy issue. If you love consuming a Content Creators stuff then support them on their Merch store(s).
I don’t want my kids to accidentally fall victim to Malware, Cryptojacking, Phishing or spammy or known bad websites. I have a leading Antivirus products on their Computers but it is best not to put all of your eggs in one basket.
fyi: NextDNS.io is in BETA development and if you want rock a rock solid experience you may want to wait until until the beta period is over (Maybe March 2020. The only issue I have had is the NextDNS.io systray app sometimes does not open, I can work around this by starting and stopping the NextDNS.io service (“NextDNS DNS53 to DoH proxy“) in the Windows services app.
You can probably tell from the title of this post that NextDNS is a DNS based service that blocks malicious websites, trackers, ads, typo squatting domains, new or parked domains, TLD’s, mature YouTube content and comments and more. In my research for PiHole I found that nextdns.io was mentioned (How-to: Pi-Hole Plus DNSCrypt Setup on Raspberry Pi 4).
I logged into https://nextdns.io/ and was impressed by their slick interface.
Then login to the analytics tab at https://my.nextdns.io/ to see the app in action
Read on for more technical information
On their account page they had these features
Threat Intelligence Feeds
Block domains known to distribute malware or launch phishing attacks and botnet command-and-control servers using a blend of the most reputable threat intelligence feeds—all updated in real-time.
Google Safe Browsing
Block malware and phishing domains using Google Safe Browsing—a technology that examines billions of URLs per day looking for unsafe websites. Unlike the version embedded in some browsers, this does not associate your public IP address to threats and does not allow bypassing the block.
Cryptojacking Protection
Prevent the unauthorized use of your devices to mine cryptocurrency.
DNS Rebinding Protection
Prevent attackers from taking control of your local devices through the Internet by automatically blocking DNS responses containing private IP addresses.
IDN Homograph Attacks Protection
Block domains that impersonate other domains by abusing the large character set made available with the arrival of Internationalized Domain Names (IDNs)—e.g. replacing the Latin letter “e” with the Cyrillic letter “е”.
Typosquatting Protection
Block domains registered by malicious actors that target users who incorrectly type a website address into their browser (e.g. gooogle.com instead of google.com).
Domain Generation Algorithms (DGAs) Protection
Block domains generated by Domain Generation Algorithms (DGAs) seen in various families of malware that can be used as rendezvous points with their command and control servers.
Block Newly Registered Domains (NRDs)
Block domains registered less than 30 days ago. Those domains are known to be favored by threat actors to launch malicious campaigns.
Block Parked Domains
Parked domains are single-page websites often laden with ads and devoid of any value. Parked domain monetization can sometimes get mixed up with suspicious practices and malicious content.
Top-Level Domains (TLDs) Blocking
Block all domains and subdomains belonging to specific TLDs (e.g “.ru”).
Block Child _______ Abuse Material (CSAM)
Block domains hosting child ______ abuse material with the help of Project Arachnid, operated by the Canadian Centre for Child Protection. No information is transmitted back to Project Arachnid when a domain is blocked.
Under their privacy tab they offer these features
NextDNS Recommended Ads & Trackers Blocklist
A comprehensive blocklist to block ads & trackers in all countries. This is the recommended starter blocklist.
> 78,795 entries • Updated 6 minutes ago
Block Disguised Third-Party Trackers
Automatically detect and block third-party trackers disguising themselves as first-party to circumvent recent browser’s privacy protections like ITP.
Allow Affiliate & Tracking Links (Disabled by default)
Allow affiliate & tracking domains common on deals websites, in emails or in search results. Those usually only get called after manually clicking on a link.
Under the Parental Controls tab these options are available
Safe Search
Filter out adult content on all major search engines, including images and videos. This will also block access to search engines not supporting this feature.
YouTube Restricted Mode
Filter out mature videos on YouTube and block embedded mature videos from being watched on other websites. This will also hide all comments.
Block Bypass Methods
Prevent or hinder the use of methods that can help bypass NextDNS filtering on the network. This includes VPNs, proxies, Tor-related software and encrypted DNS providers.
You have the ability to blacklist (block) one or many domains. I decided to block a few sites from my kids eyes.
You have the ability to whitelist (allow) one or many domains. I white;listed my site.
IMHO: The words Blacklist and Whitelist are a bit old, maybe they should use Allow Site/Deny Site?
Easy setup instructions are available for Android, iOS, Windows, macOS, Linux, Chrome OS, Firefox and Routers
I set these options
I disabled access to Mature websites along with Gambling, Piracy and Dating sites at my.nextdns.io
I enabled the Block Bypass Methods
I enabled YouTube Restriction Mode
I went to the Privacy Tab at https://my.nextdns.io and added all Blocklists (about 100 lists).
Tip: Don’t enable the “No Google (Completely block Google and its services)” as this will kill YouTube and my email (GSuite)
I am impressed by the number of available Blocklists and update frequency
Block ads & trackers using the most popular blocklists available—all updated in real-time.
Here is a list of the BLock lists availabe at the tile of this post.
NextDNS Recommended Ads & Trackers Blocklist
A comprehensive blocklist to block ads & trackers in all countries. This is the recommended starter blocklist.
78,795 entries • Updated 17 minutes ago
AdGuard Simplified Domain Names filter
A filter composed of several other filters (English filter, Social media filter, Spyware filter, Mobile Ads filter, EasyList and EasyPrivacy) and simplified specifically to be better compatible with DNS-level ad blocking.
github.com/AdguardTeam/AdguardSDNSFilter • 29,858 entries • Updated 13 hours ago
hpHosts (ATS / Ads & trackers)
hpHosts is a community managed and maintained hosts file that allows an additional layer of protection against access to ad, tracking and malicious websites.
hosts-file.net • 45,734 entries • Updated 2 days ago
Steven Black
Extending and consolidating hosts files from several well-curated sources like adaway.org, mvps.org, malwaredomainlist.com, someonewhocares.org, and potentially others.
github.com/StevenBlack/hosts • 51,977 entries • Updated a day ago
Disconnect (Tracking)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 34 entries • Updated 2 days ago
Disconnect (Ads)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 2,701 entries • Updated 2 days ago
CAMELEON
CAMELEON is a free system that helps Internet users or administrators to blocks web-adverts.
sysctl.org/cameleon • 20,568 entries • Updated 2 days ago
Anudeep’s Blacklist
A list of adserving and tracking sites maintained by me. This list will be updated frequently. github.com/anudeepND/blacklist • 38,251 entries • Updated 2 days ago
NSABlocklist
Block all known NSA / GCHQ / C.I.A. / F.B.I. spying servers. Originally based on 2007 published Wikileaks documents and includes my own modifications from 2008, 2012, 2014 and 2015.
github.com/CHEF-KOCH/NSABlocklist • 8,199 entries • Updated 17 minutes ago
EasyList
EasyList is the primary filter list that removes most adverts from international webpages, including unwanted frames, images and objects. It is the most popular list used by many ad blockers and forms the basis of over a dozen combination and supplementary filter lists.
easylist.to • 17,646 entries • Updated 17 minutes ago
Peter Lowe
Blocklist for use with hosts files to block ads.
pgl.yoyo.org/adservers • 3,283 entries • Updated 11 hours ago
notracking
Automatically updated, moderated and optimized list for blocking ads, trackers and other online garbage.
github.com/notracking/hosts-blocklists • 81,155 entries • Updated 7 hours ago
EasyPrivacy
EasyPrivacy is an optional supplementary filter list that completely removes all forms of tracking from the internet, including web bugs, tracking scripts and information collectors, thereby protecting your personal data.
easylist.to • 6,869 entries • Updated 17 minutes ago
AdGuard Mobile Ads filter
Filter that blocks ads on mobile devices. Contains all known mobile ad networks.
kb.adguard.com/general/adguard-ad-filters#mobile-ads-filter • 1,002 entries • Updated 19 hours ago
Fanboy’s Annoyance List
Fanboy’s Annoyance List blocks Social Media content, in-page pop-ups and other annoyances; thereby substantially decreasing web page loading times and uncluttering them.
easylist.to • 1,028 entries • Updated 17 minutes ago
StreamingAds
Streaming services ads sources.
github.com/FadeMind/hosts.extras • 57 entries • Updated 2 days ago
Disconnect (Malvertising)
Free yourself from unwanted tracking. Enjoy a faster, safer internet.
disconnect.me • 2,736 entries • Updated 2 days ago
Goodbye Ads
Specially Designed for Mobile Ad Protection.
github.com/jerryn70/GoodbyeAds • 76,536 entries • Updated 2 days ago
AdGuard Tracking Protection filter
The most comprehensive list of various online counters and web analytics tools. If you do not want your actions on the Internet be tracked, use this filter.
kb.adguard.com/general/adguard-ad-filters#tracking-protection-filter • 5,014 entries • Updated 18 hours ago
AdAway
Blocking mobile ad providers and some analytics providers.
github.com/AdAway/adaway.github.io • 12,176 entries • Updated 2 days ago
WindowsSpyBlocker (Spy)
Block spying and tracking on Windows systems.
github.com/crazy-max/WindowsSpyBlocker • 365 entries • Updated 2 days ago
MVPS HOSTS
Includes entries for most major parasites, hijackers and unwanted Adware/Spyware programs!
winhelp2002.mvps.org/hosts.htm • 10,476 entries • Updated 2 days ago
AdGuard Base filter
Filter that enables removing of the ads from websites with English content.
kb.adguard.com/general/adguard-ad-filters#base-filter • 19,667 entries • Updated an hour ago
someonewhocares.org (Dan Pollock)
Protects you from many types of spyware, reduces bandwidth use, blocks certain pop-up traps, prevents user tracking by way of “web bugs” embedded in spam, provides partial protection to IE from certain web-based exploits and blocks most advertising you would otherwise be subjected to on the internet.
someonewhocares.org/hosts • 14,404 entries • Updated 2 days ago
dbl.oisd.nl
Internet’s #1 domain blocklist. Blocks Ads, Mobile Ads, Phishing, Malvertising, Malware, Tracking, Telemetry, CryptoJacking, Analytics, Spyware, Ransomware, Exploid, Fraud, Abuse, Scam, Spam, Hijack, Misleading Marketing.
oisd.nl • 1,160,440 entries • Updated 5 hours ago
NoTrack Tracker Blocklist
Contains one of the largest compilation of sites associated with tracking your online activities and invading your privacy.
gitlab.com/quidsup/notrack-blocklists • 13,412 entries • Updated 2 days ago
antipopads
List of popads.net domains.
github.com/Yhonay/antipopads • 11,442 entries • Updated a day ago
1Hosts (Complete)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 66,731 entries • Updated 2 days ago
AdGuard Social Media filter
If you do not like numerous «Like» and «Tweet» buttons on all the popular websites on the Internet, subscribe to this filter, and you will not see them anymore.
kb.adguard.com/general/adguard-ad-filters#social-media-filter • 55 entries • Updated 3 hours ago
squidblacklist.org (Ads)
Blocks advertisements and tracking.
www.squidblacklist.org • 552 entries • Updated a month ago
UncheckyAds
Windows installers ads sources.
unchecky.com • 10 entries • Updated 2 days ago
Fanboy’s Enhanced Tracking List
Fanboy’s Enhanced Tracking List blocks common tracking scripts such as Omniture, Webtrends, Foresee, Coremetrics, Google-Analytics, Touchclarity, ChannelIntelligence.
fanboy.co.nz • 151 entries • Updated 2 days ago
EasyList China
EasyList China is an affiliated filter list written by John and Li that specifically removes adverts on Chinese language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 5,818 entries • Updated 17 minutes ago
280blocker
280blocker adblock domain lists.
280blocker.net • 1,059 entries • Updated 2 days ago
Lightswitch05 – Ads & Tracking
A programmatically expanded list of hosts I’ve found to not be on other lists.
www.github.developerdan.com/hosts • 107,013 entries • Updated 21 hours ago
Shalla’s Blacklists (tracker)
Site keeping an eye on where you surf and what you do in a passive. Covers web bugs, counters and other tracking mechanism in web pages that do not interfere with the local computer yet collecting information about the surfing person for later analyis. Sites actively spying out the surfer by installing software or calling home sites are not covered with tracker but with -> spyware.
www.shallalist.de • 1,246 entries • Updated 2 days ago
Shalla’s Blacklists (adv)
All about advertising: This includes sites offering banners and banner creation as well as sites delivering banners to be shown in webpages. Advertising companies are listed, too.
www.shallalist.de • 14,275 entries • Updated 2 days ago
Energized Ultimate
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. Flagship Protection Pack from Energized Protection.
github.com/EnergizedProtection/block • 970,212 entries • Updated 16 hours ago
EasyList Germany
EasyList Germany is a filter list written by the EasyList authors MonztA, Famlam and Khrin that specifically removes adverts on German language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 595 entries • Updated a day ago
CHEF-KOCH’s HOSTS Spotify Ad-Filter List
Blocks all Spotify Ads, easy peasy lemon squeezy!
github.com/CHEF-KOCH/Spotify-Ad-free • 4,041 entries • Updated 2 days ago
add.2o7Net
2o7 Network tracking.
hostsfile.org/hosts.html • 1,286 entries • Updated 2 days ago
Personal Blocklist by WaLLy3K
Content added to this list has been manually verified, and is updated irregularly. firebog.net/about • 753 entries • Updated 2 days ago
EasyList Dutch
EasyList Dutch is an affiliated filter list written by the EasyList author Famlam that specifically removes adverts on Dutch language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 83 entries • Updated 17 minutes ago
Liste FR
Liste FR is an affiliated filter list written by Lian, Crits and smed79 that specifically removes adverts on French language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 5,411 entries • Updated 17 minutes ago
Energized Basic
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An All-Rounder Balanced Protection Pack.
github.com/EnergizedProtection/block • 654,392 entries • Updated 16 hours ago
CertyficateIT
Polish ads filter.
github.com/MajkiIT/polish-ads-filter • 3,128 entries • Updated 8 hours ago
Energized Regional Extension
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An Extension to Block Regional Annoyances.
github.com/EnergizedProtection/block • 64,320 entries • Updated 16 hours ago
Energized Spark
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. True Lite Blocking.
github.com/EnergizedProtection/block • 67,662 entries • Updated 16 hours ago
ABPindo
ABPindo is an affiliated filter list written by hermawan that specifically removes adverts on Indonesian language websites.
github.com/ABPindo/indonesianadblockrules • 594 entries • Updated 2 days ago
Energized Blu
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. A Mid Ranger Flagship Protection Pack.
github.com/EnergizedProtection/block • 330,817 entries • Updated 16 hours ago
EasyList Italy
EasyList Italy is a filter list written by the EasyList author Khrin that specifically removes adverts on Italian language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 204 entries • Updated 17 minutes ago
AdGuard Russian filter
Filter that enables removing of the ads from websites in Russian.
kb.adguard.com/general/adguard-ad-filters#russian-filter • 3,944 entries • Updated an hour ago
Energized Blu Go
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. A Lightweight Mid Ranger Protection Pack.
github.com/EnergizedProtection/block • 131,781 entries • Updated 16 hours ago
RU AdList
Russian supplement for EasyList.
forums.lanik.us/viewforum.php?f=102 • 7,887 entries • Updated 17 minutes ago
yhosts
AD hosts爱好群,群号:201973909;
github.com/vokins/yhosts • 8,940 entries • Updated 2 days ago
EasyList Hebrew
EasyList Hebrew is an affiliated filter list written by BsT that specifically removes adverts on Hebrew language websites.
github.com/easylist/EasyListHebrew • 129 entries • Updated 13 hours ago
EasyList Czech and Slovak
EasyList Czech and Slovak is an affiliated filter list written by tomasko126 that specifically removes adverts on Czech and Slovak language websites.
github.com/tomasko126/easylistczechandslovak • 83 entries • Updated 2 days ago
hostsVN
Hosts block ads of Vietnamese – Hosts chặn quảng cáo của người Việt.
github.com/bigdargon/hostsVN • 18,846 entries • Updated 2 hours ago
Lightswitch05 – Tracking Aggressive
A very aggressive block list for tracking, geo-targeting, & ads. This list will likely break functionality, so do not use it unless you are willing to maintain your own whitelist.
www.github.developerdan.com/hosts • 4,919 entries • Updated 2 days ago
Liste AR
Liste AR is an affiliated filter list written by smed79 and Crits that specifically removes adverts on Arabic language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 85 entries • Updated 17 minutes ago
Bulgarian list
Bulgarian list is an affiliated filter list written by Alex that specifically removes adverts on Bulgarian language websites.
easylist.to/pages/other-supplementary-filter-lists-and-easylist-variants.html • 10 entries • Updated 2 days ago
Latvian List
Latvian List is an affiliated filter list written by anonymous74100 that specifically removes adverts on Latvian language websites.
notabug.org/latvian-list/adblock-latvian • 53 entries • Updated 2 days ago
EasyList Lithuania
EasyList Lithuania is an affiliated filter list written by gymka that specifically removes adverts on Lithuanian language websites.
github.com/EasyList-Lithuania/easylist_lithuania • 19 entries • Updated 2 days ago
Energized Xtreme Extension
Strictly blocks advertisements, malwares, spams, statistics & trackers on both web browsing and applications. An Extreme Solution for Ultimate Protection.
github.com/EnergizedProtection/block • 32,635 entries • Updated 16 hours ago
hufilter
Block hungarian ads.
github.com/hufilter/hufilter • 149 entries • Updated 2 days ago
Finnish Easylist Addition
Finnish adblock list.
github.com/finnish-easylist-addition/finnish-easylist-addition • 66 entries • Updated 2 days ago
ABPVN List
The ABP advertising filter is built with the mission of improving the browsing experience for users and for the Vietnamese.
abpvn.com • 19,490 entries • Updated 2 hours ago
Frellwit’s Swedish Hosts File
Reduce your exposure to ads, tracking, scams & badware, and occasionally some annoyances on (mostly) Swedish websites.
github.com/lassekongo83/Frellwits-filter-lists • 669 entries • Updated 2 days ago
1Hosts (Pro)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 215,683 entries • Updated 2 days ago
bkrucarci turk-adlist
Ad servers list to block ads on Turkish websites.
github.com/bkrucarci/turk-adlist • 847 entries • Updated 2 days ago
AdAway Blocking Hosts File for Japan
AdAwayで使用可能な、日本環境用 広告除去用hostsを公開します。日本環境用に特化しています。
logroid.github.io/adaway-hosts • 31,809 entries • Updated 2 days ago
Goodbye Ads Ultra
Specially Designed for Mobile Ad Protection. Premium protection.
github.com/jerryn70/GoodbyeAds • 459,196 entries • Updated 2 days ago
ad-wars
只是 ad-wars 的帮助文档
github.com/jdlingyu/ad-wars • 1,548 entries • Updated 2 days ago
1Hosts (mini)
Protect your ‘data’ & eyeballs from being auctioned to the highest bidder.
forum.xda-developers.com/android/general/badmojr-one-host-file-to-block-t3713360 • 53,512 entries • Updated 2 days ago
YousList
Block filter for advertisements, mainly on Korean sites.
github.com/yous/YousList • 145 entries • Updated 5 hours ago
No Google Completely block Google and its services. github.com/nickspaargaren/no-google • 302 entries • Updated 2 days ago
That is a lot of protection
I setup nextdns.io on my Android 10 Device
I installed the official NextDNS app from the Play Store (https://play.google.com/store/apps/details?id=io.nextdns.NextDNS)
After the app was installed I entered my specified Configuration ID (tip: don’t copy the space on the end of the text) into the In the NextDNS app.
Now I can enable or disable the NextDNS.io protections.
Options are available in the app but are limited. If you need to change options go to https://my.nextdns.io/
I enabled NextDNS then I tried accessing a mature website.
Access to the site was blocked.
I tried bypassing the invalid HTTP’s certificate.
This too was blocked also.
I opened YouTube and some advertisements were gone but not all (Hello PewDiePie, nice Merch)
Comments were disabled, Nice. Restricted mode is enabled, this is perfect for my kids (PewDiePie Fans).
I am not against Content Creators making money from Advertisement revenue I am against the privacy issue. If you love consuming a Content Creators stuff then support them on their Merch store(s).
Installing on Windows is easy, login to https://my.nextdns.io/ and click on the Windows Button
1. Install the official NextDNS app → https://nextdns.io/download/windows/stable.
Agree to the licence agreement
Choose an Install location
Installing TAP Device (looks like it is from https://openvpn.net/)
You need to install the device.
2. After installing, right-click on NextDNS icon in the Systray then open the Settings. Set your supplied ###### as Configuration ID found at
3. Right-click on NextDNS icon in the Systray, then click on Enable.
You can enable or disable the NextDNS service from the Windows system tray
You can also Start and Stop the service from the Windows services app
Blocking bad sites , YouTube comments etc all work on Windows as they do on Android.
If I can get my daughters iPad from her hands I will show the steps. Basically the same as android but from the Google Play store.
1. Install our official app from the App Store → https://apps.apple.com/app/nextdns/id1463342498
2. Open the app then go to Settings and toggle “Use Custom Configuration”. Enter your Configuration ID
3. Enable NextDNS in the NextDNS iOS app
Blocking bad sites , YouTube comments etc all work on iOS as they do on Windows and Android.
The best part of NextDNS.io is the superb analytics available. Because they are a DNS server they can track incoming request(s) from all of my connected computes.
In 2 days my home network made 22,247 queries to the internet, 5684 requests were blocked, I could see the top accessed websites (antivirus and kids games) and a map of where the requests were going.
If the Analytics was not enough I could see all the requests logs.
I filtered all blocked web traffic.
The internet is a dumpster fire with all this tracking.
Snip from here. “Pricing is completely free during the beta, then free up until about 300,000 DNS queries/month — $1.99/month for unlimited queries. If you decide to stay on the free plan, NextDNS will simply behave like a classic public resolver after reaching the 300,000 queries limit.”
Don’t surf the web without protection. Every parent should install this on their kids machines.
I can’t wait for this product to leave beta, I wan’t this service in my house.
I have not been paid to promote this product.
Version: v1.2
v1.2 Quick Setup Guide
v1.1 Updated Conclusion and Pricing.
v1.0 Initial Draft
This is how I setup Certification Authority Authorization (CAA) DNS record(s) to prevent https cert issue/misuse on my domain and 1 sub domain.
Read the full article here: https://fearby.com/article/setup-a-certification-authority-authorization-caa-dns-records-to-prevent-https-cert-issue-misuse/
On February 22nd 2017 CAA’s that issue https certificates are required to check what CAA’s are allowed to issue HTTP’s certificates for a website. To limit who can create HTTP’s certificates for your site all you need to do is specify a number of DNS records.
Advertisement:
Before adding DNS CAA records ensure you have enabled DNSSEC for extra security, this is not needed to setup CAA records but it’s a good idea.
DNSSEC Explained
Read my post here on setting up DNSSEC with Cloudflare here.
Namecheap allows you do set DNSSEC with 1 click (making the above guide not required unless you use Cloudflare).
First, test DNSSEC on your website here: https://dnssec-analyzer.verisignlabs.com/ (I already have DNSSEC enabled)
I use Namecheap for buying domains and HTTP’s certs (you can buy a new domain here). Namecheap allow you to easily enable DNSSEC and CAA DNS records.
Read Namecheap’s CAA guide here.
Scott Helme tagged a great write up on CAA here.
CAA is probably the best bang for buck you’re going to get! https://t.co/pvThaQ8qFl
— Scott Helme (@Scott_Helme) March 14, 2019
Advertisement:
Go to https://dev.ssllabs.com/ssltest/ and scan your website
You will see if CAA is enabled after the https test is complete (scroll past the rating)
In my case CAA records were not detected.
I logged into Namecheap, clicked Manage domain and clicked the Advanced DNS tab
Advertisement:
Here are records for my main domain (allowing Comodo/Sectigo HTTP’s certificates only)
Type, Host, Value, TTL
CAA Record @ 0 issue "comodoca.com" Automatic
CAA Record @ 0 issue "comodo.com" Automatic
CAA Record @ 0 issue "usertrust.com" Automatic
CAA Record @ 0 issue "trust-provider.com" Automatic
CAA Record @ 0 issue "sectigo.com" AutomaticHere is my record allowing a sub domain (allowing Lets Encrypt HTTP’s certificates only)
Type, Host, Value, TTL
CAA Record audit.fearby.com 0 issue "letsencrypt.org" AutomaticIt is also possible to setup email alerts of CAA violations where CAA’s support it. I setup a [email protected] email alias.
Type, Host, Value, TTL
CAA Record audit.fearby.com 0 iodef "mailto:[email protected]" Automatic
CAA [email protected] 0 iodef "mailto:[email protected]" AutomaticImage of my final Namecheap DNS config.
Advertisement:
I visited https://dev.ssllabs.com/ssltest/ and performed a final scan.
Pass 🙂
I do have real time remote server monitoring reporting on https presence and uptime, read the post here.
Plug(s)
I had an issue where I failed to update my DNS (and define a CAA record) for the sub domain used for Nixstat reporting. I was receiving this error.
dev.ssllabs.com was reporting the cert expired?
The awesome chat support (Vincent) over at Nixstats found out it was because I did not have CAA record for the sub domain allowing “letsencrypt.org” to generate certs.
If you manually renew a Lets Encrypt cert with the following command without a CAA record you will see an error
> certbot -q renew
Error Output
Attempting to renew cert (subdomain.fearby.com) from /etc/letsencrypt/renewal/
subdomain.fearby.com.conf produced an unexpected error: Failed authorization procedure.
subdomain.fearby.com (http-01): urn:acme:error:caa :: CAA record for
subdomain.fearby.com prevents issuance. Skipping.
All renewal attempts failed.
DNS additions and changes take a while to propagate so monitor Whats My DNS for change status
Thanks for reading.
For simplicity I have removed all sub domain CAA settings for records and only set global ones
Revision History
v1.2 Troubleshooting
v1.1 Plugs
v1.0 initial Post
This is how I set up a dedicated Debian subdomain (VM), Installed MySQL 14 and connected to it from a WordPress installation on a different VM
Read the full article here: https://fearby.com/article/setup-a-dedicated-debian-subdomain-vm-install-mysql-14-and-connect-to-it-from-a-wordpress-on-a-different-vm
This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions.
Read the full article here: https://fearby.com/article/setting-up-dnssec-on-a-namecheap-domain-hosted-on-upcloud-using-cloudflare/
This is how I setup DNSSEC on a Namecheap domain hosted on UpCloud using CloudFlare to setup DNS security extensions
Advertisement:
If you have not read my previous posts I have now moved my blog to the awesome UpCloud host (signup using this link to get $25 free UpCloud VM credit). I compared Digital Ocean, Vultr and UpCloud Disk IO here and UpCloud came out on top by a long way (read the blog post here). Here is my blog post on moving from Vultr to UpCloud.
About DNSSEC
Wikipedia has a great write-up on DNSSEC also read the ICANN page on DNSSEC.
Snip “DNSSEC is a set of extensions to DNS which provide to DNS clients (resolvers) origin authentication of DNS data, authenticated denial of existence, and data integrity, but not availability or confidentiality.”
https://daniellbenway.net has a great video explaining DNSSEC
Handy DNSSEC Links
Let’s view my DNSSEC status now
https://dnssec-analyzer.verisignlabs.com/ can help you check your sites DNSSEC status.
Prerequisites
This guide assumes you have already purchased a domain and set it up with say UpCloud hosting (read my setup guide here).
Buy a domain name from Namecheap here.
Read my old guide here that I created while setting up Cloudflare on the Vultr host to see how to setup Cloudflare.
Setting up DNSSEC
First I logged into My Namecheap account, selected my domain, selected Advanced DNS and enabled DNSSEC.
I can see a number of values for DNSSEC KeyType/Algorithm/Digest Type and Digest. Below are the options in the dropdowns for Algorithm and Digest Type.
DNSSEC Algorithms
DNSSEC Digest Types
I contacted NameCheap support and they said I needed to contact my UpCloud hosts to get relevant DNSSEC values.
My domain was purchased at NameCheap but by domain routers by Cloudflare DNS.
Advertisement:
By chance, I logged into my Cloudflare account and noticed they have a DNSSEC section under DNS. Nice.
I enabled DNSSEC
Cloudflare offers all the relevant DNSSEC values.
I entered these values into Namecheap under Advanced DNS on my domain.
After 5 mins re-ran the DNSSEC Analyzr tool.
Hmmm, Cloudflare seem to think something is wrong 🙁
I ran a DNS DS Lookup on my site. Everything appears ok.
I re-added the record in Namecheap and waited for 15 mins and this time Cloudflare was happy. Maybe I just needed to wait for DNS replication a little longer?
I tested my DNS serves with DNS Root Canary
I tested my site’s DNSSEC with https://zonemaster.iis.se/
Done
Skipping Cloudflare
I found that I can simply skip cloudflare by enabling Premium DNS at Namecheap
Then enabling DNSSEC
Easy (totally independant of Cloudflare)
I hope this guide helps someone.
Advertisement:
Please consider using my referral code and get $25 UpCloud VM credit for free.
https://www.upcloud.com/register/?promo=D84793
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]
Revision History
V1.3 Namecheap DNSSEC
V1.2 ICANN DNSSEC link
V1.1 https://daniellbenway.net explainer video.
v1.0 Initial Post
Below is how I setup my OSX to use Cloudflare’s new DNS servers to speed up internet browsing and add privacy on OSX
Advertisement:
Cloudflare has launched a DNS service: https://blog.cloudflare.com/announcing-1111/
DNS Performance
You can view worldwide DNS performance by viewing https://www.dnsperf.com/#!dns-providers
I check the DNS at my router, I am using ISP provided DNS servers.
Cloudflare DNS
On April Fools 2018 Cloudflare Released a DNS server service.
Snip from here: “DNS: Internet’s Directory Nearly everything on the Internet starts with a DNS request. DNS is the Internet’s directory. Click on a link, open an app, send an email and the first thing your device does is ask the directory: Where can I find this? Unfortunately, by default, DNS is usually slow and insecure. Your ISP, and anyone else listening in on the Internet, can see every site you visit and every app you use — even if their content is encrypted. Creepily, some DNS providers sell data about your Internet activity or use it target you with ads.”
Set Cloudflare Nameservers using OSX
Open the Apple System Preferences, click Network, click on your Network (Wifi or ethernet), Click Advanced then DNS and add 1.1.1.1 and 1.0.0.1
Alternatively, you can manually set your DNS servers in OSX by editing the /etc/resolv.conf, by default SX will inherit DNS settings from our router.
Troubleshooting: Clear DNS Cache
Debug DNS Data
Confirm Cloudflare DNS from the OSX Comand line
Privacy
I am not sure if Cloudflare is any more private than using ISP DNS but I’ll happily use it.
Several people have asked me about Cloudflare’s new 1.1.1.1 privacy DNS service. To be clear: it DOES NOT stop your ISPs from collecting your browsing history. ISPs can still see the sites you’re connecting to — even if the site is over HTTPS. You will still send a hostname.
— Zack Whittaker (@zackwhittaker) April 2, 2018
Speed
I can’t tell if DNS is faster, I did ping my ISP DNS before switching and it was about the same (sub 25ms), time will tell.
Conclusion
I have used https://www.opendns.com/ before and loved the dashboards, I hope Cloudflare add dashboard options too.
I hope this guide helps someone.
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]
Revision History
v1.0 Initial post
Below is my guide for moving away from NetRegistry CPanel domain to a self-managed server and GSuite email.
Advertisement:
I have had www.fearby.com since 1999 on three CPanel hosts (superwerbhost in the US, Jumba in Australia, Uber in Australia (NetRegistry have acquired Uber and performance at the time of writing is terrible)). I was never informed by Uber of the sale but my admin portal was moved from one host to another and each time performance degraded. I tried to speed up WordPress by optimizing images, installing cache plugins but nothing worked, pages were loading in around 24 seconds on https://www.webpagetest.org.
Buy a domain name from Namecheap here.
I had issues with a CPanel domain on the hosts (Uber/Netregistry) as they were migrating domains and the NetRegstry chat rep said I needed to phone Uber for support. No thanks, I’m going self-managed and saving a dollar.
Advertisement:
I decided to take ownership of my slow domain and setup my own VM and direct web traffic to it and redirect email to GMail (I have done this before). I have setup Digital Ocean VM’s (Ubuntu and Centos), Vultr VM’s and AWS VM’s.
I have also had enough of Resource Limit Reached messages with CPanel and I can’t wait to…
Backup
I have about 10 email accounts on my CPanel domain (using 14GB) and 2x WordPress sites. I want to backup my emails with (Outlook Export and Thunderbird Profile backup) and backup my domain file(s) a few times before I do anything. Once DNS is set in motion no server waits.
The Plan
Once everything is backed up I intend to setup a $5 a month Vulr VM and redirect all mail to Google G Suite (I have redirected mail before).
I will setup a Vultr web server in Sydney (following my guide here), buy an SSL certificate from Namecheap and move my WordPress sites.
Rough Plan
Signing up for Google G Suite
I visited https://gsuite.google.com/ and started creating an account.
Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm
I created a link between G Suite and an existing GMail account.
Now I can create the admin account.
Tip: Don’t use any emails that are linked as secondary emails with any Google services (this won’t be allowed). It’s s a well-known issue that you cannot add users emails who are linked to Google services (even as backup emails for Gmail, detach the email before adding it). Read more here.
Final setup steps.
Now I can add email accounts to G Suite.
Adding email users to G Suite.
The next thing I had to do was upload a file to my domain to verify I own the domain (DNS verification is also an option).
I must say the setup and verify steps are quite easy to follow on G Suite.
Time to backup our existing CPanel site.
Backup Step 1 (hopefully I won’t need this)
I decided to grab a complete copy of my CPanel domain with domains, databases and email accounts. This took 24 hours.
Backup Step 2 (hopefully I won’t need this)
I download all mail via IMAP in Outlook and Mozilla Thunderbird and export it (Outlook Export and Thunderbird Profile backup). Google have IMAP instructions here.
DNS Changes at Namecheap
I obtained my domain EPP code from my CPanel hosts and transferred the domain name to Namecheap.
Namecheap was even nice enough to set my DNS point to my existing domain so I did not have to rush a move before DNS propagation.
P.S The Namecheap Chat Staff and Namecheap Mobile App is awesome.
Having backed up everything I logged into Namecheap and set my DNS to “NameCheap BasicDNS” and then went “Advanced DNS” and set appropriate DNS records for my domain. This assumes you have setup a VM with IPV4 and IPV6 (follow my guide here).
The Google G Suite also asked me to add these following MX records to the DNS records.
Then it was a matter of telling Google DNS changes were made (once DNS has replicated across the US).
My advice is to set DNS changes before bed as it can take 12 hours.
Sites like https://www.whatsmydns.net/ are great for keeping track of DNS replication.
Transferring WordPress
I logged into the CPanel and exported my WordPress Database (34MB SQL file).
I had to make the following PHP.ini changes to allow the larger file size restore uploads with the Adminer utility (default is 2mb). I could not get the server side adminer.sls.gz option to restore the database?
I had to make the following changes to nginx.conf (to prevent 404 errors on the database upload)
I also had to make these changes to NGINX (sites-available/default) to allow WordPress to work
I had a working MySQL (I followed my guide here).
Adminer is the best PHP MySQL management utility (beats PhpMyAdmin hands down).
Restart NGINX and PHP
I had an error on database import, a non-descript error in script line 1 (error hint here).
A simple search and replace in the SQL fixed it.
Once I had increased PHP uploads to 50M and Nginx I was able to upload my database backup with Adminer (just remember to import to the created database that matches. the wp-config.php. Also, ensure your WordPress content is in place too.
The only other problem I had was WordPress gave an “Error 500” so moved few plugins an all was good.
Importing Old Email
I was able to use the Google G Suite tools to import my old Mail (CPanel IMAP to Google IMAP).
I love root access on my own server now, goodbye CPanel “Usage Limit Exceeded” errors (I only had light traffic on my site).
My self-hosted WordPress is a lot snappier now, my server has plenty of space (and only costs $0.007c and hour for 1x CPU, 1GB ram, 25GB SSD storage and 1000GB data transfer quota). I use the htop command to view system processor and disk space usage.
I can now have more space for content and not be restricted by tight hosts disk quotas or slow shared servers. I use the pydf command to view dis space.
I use ncdu to view folder usage.
Installing ncdu
Type ncdu in the folder you want to browse under.
You can arrow up and down folder structures and view folder/file usage.
SSL Certificate
I am setting up a new multi year SS cert now, I will update this guide later. I had to read my SSL guide with Digital Ocean here.
I generated some certificate on my server
Sample output for a new certificate
openssl req -new -newkey rsa:4096 -nodes -keyout dummy.key -out dummy.csr Generating a 4096 bit RSA private key .................................................................................................++ ......++ writing new private key to 'dummy.key' ----- You are about to be asked to enter information that will be incorporated into your certificate request. What you are about to enter is what is called a Distinguished Name or a DN. There are quite a few fields but you can leave some blank For some fields there will be a default value, If you enter '.', the field will be left blank. ----- Country Name (2 letter code) [AU]: AU State or Province Name (full name) [Some-State]: NSW Locality Name (eg, city) []:Tamworth Organization Name (eg, company) [Internet Widgits Pty Ltd]: Dummy Org Organizational Unit Name (eg, section) []: Dummy Org Dept Common Name (e.g. server FQDN or YOUR name) []: DummyOrg Email Address []: [email protected] Please enter the following 'extra' attributes to be sent with your certificate request A challenge password []: password An optional company name []: DummyCO [email protected]:~/sslcsrmaster4096# cat dummy.csr -----BEGIN CERTIFICATE REQUEST----- MIIFAjCCAuoCAQAwgYsxCzAJBgNVBAYTAkFVMQwwCgYDVQQIDANOU1cxETAPBgNV BAcMCFRhbXdvcnRoMRIwEAYDVQQKDAlEdW1teSBPcmcxFzAVBgNVBAsMDkR1bW15 IE9yZyBEZXB0MREwDwYDVQQDDAhEdW1teU9yZzEbMBkGCSqGSIb3DQEJARYMbWVA ZHVtbXkub3JnMIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEA6PUtWkRl +gL0Hx354YuJ5Sul2Xh+ljILSlFoHAxktKlE+OJDJAtUtVQpo3/F2rGTJWmmtef+ shortenedoutput swrUzpBv8hjGziPoVdd8qdAA2Gh/Y5LsehQgyXV1zGgjsi2GN4A= -----END CERTIFICATE REQUEST-----
I then uploaded the certificate to Namecheap for an SSL cert registration.
I selected DNS C Name record as a way to verify I own my domain.
I am now waiting for Namecheap to verify my domain
End of the Google G Suite Business Trial
Before the end of the 14-day trial, you will need to add billing details to keep the email working.
At this stage, you can downgrade from a $10/m business account per user to a $5/m per user account if you wish. The only loss would be storage and google app access.
Get 20% off your first year by signing up for Google G Suite using this link: https://goo.gl/6vpuMm
Before your trial ends, add your payment details and downgrade from $10/user a month business prices to $5/iser a month individual if needed.
G Suite Troubleshooting
I was able to access new G Suite email account via gmail.com but not via Outlook 2015? I reset the password, followed the google troubleshooting guide and used the official incoming and outgoing settings but nothing worked.
Google phone support suggested I enable less secure connection settings as Google firewall may be blocking Outlook. I know the IMAP RFC is many years old but I doubt Microsoft are talking to G Suite in a lazy manner.
Now I can view my messages and I can see one email that said I was blocked by the firewall. Google phone support and faqs don’t say why Outlook 2015 SSL based IMAP was blocked?
Conclusion
Thanks to my wife who put up with my continual updates over the entire domain move. Voicing the progress helped me a lot.
Donate and make this blog better
Ask a question or recommend an article
[contact-form-7 404 "Not Found"]
V1.8 added ad link
