Better Home Internet with PiHole, RaspAlert, Unbound and SearXNG

The good thing about single-board computers like the Raspberry Pi is that, in addition to our IoT projects, we can use them to learn about networking as well.

The benefit of this? We can have a better and safer home internet. Let's look at which free and open-source services can help us.

Pi-Hole

Pi-hole is a network-wide ad blocker that acts as a DNS sinkhole. This means that it intercepts DNS queries from all devices on your network and blocks any queries to known ad-serving domains. Pi-hole can block ads on all devices on your network, including computers, smartphones, tablets, smart TVs, and even gaming consoles.

### https://hub.docker.com/r/pihole/pihole


version: "3"
services:
  pihole:
    container_name: pihole
    image: pihole/pihole:latest
    ports:
      - 53:53/tcp
      - 53:53/udp
      - 67:67/udp
      - 86:80/tcp
      - 446:443/tcp
    environment:
      TZ: Europe/Madrid
      WEBPASSWORD: password_change_me #recommended
    # Volumes store your data between container upgrades
    volumes:
      - ~/Docker/pihole/:/etc/pihole/
      - ~/Docker/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/
    # Recommended but not required (DHCP needs NET_ADMIN)
    cap_add:
      - NET_ADMIN
    restart: unless-stopped

Add IPv6 support by following: https://danielrampelt.com/blog/install-pihole-raspberry-pi-docker-ipv6/

Pi-Alert

A project that offers a Wi-Fi / LAN intruder detector. It checks the devices connected to your network and alerts you about unknown devices. It also warns you when "always connected" devices disconnect.

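version: "3.7"

services:
  pialert:
    image: jokobsk/pi.alert
    container_name: pialert
    ports:
      - "80:80"
    volumes:
      - "./config:/etc/pi.alert"
      - "./database:/var/lib/pi.alert"
      - "./logs:/var/log/pi.alert"
    # Attach the service to the network declared below.
    # Note: on a bridge network an ARP scan only reaches Docker's own subnet,
    # not the LAN; scanning the LAN requires host networking.
    networks:
      - pialert_net

networks:
  pialert_net:
    name: pialert_net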

You can customize the Pi.Alert configuration by editing the files in the ./config directory. For more information on how to configure Pi.Alert, please see the Pi.Alert documentation: https://github.com/pucherot/Pi.Alert.
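The comparison such a detector performs, as an added example (not Pi.Alert's code): one scan of the neighbour table is checked against a known-device inventory, reporting unknown MACs and "always connected" devices that did not answer. The inventory, addresses and scan output are constructed, and the `ip neigh show` line format is an assumption about the input.

```python
import re

# Constructed inventory (hypothetical devices): MAC -> (label, always_connected)
KNOWN = {
    "00:11:22:33:44:55": ("router", True),
    "b8:27:eb:12:34:56": ("raspberrypi", True),
    "3c:5a:b4:aa:bb:cc": ("living-room-tv", True),
    "f0:18:98:01:02:03": ("laptop", False),
}

# Constructed `ip neigh show` output for one scan (assumed input format)
SCAN = """\
192.168.3.1 dev eth0 lladdr 00:11:22:33:44:55 router REACHABLE
192.168.3.200 dev eth0 lladdr B8:27:EB:12:34:56 REACHABLE
192.168.3.21 dev eth0 lladdr f0:18:98:01:02:03 STALE
192.168.3.77 dev eth0 lladdr de:ad:be:ef:00:01 REACHABLE
192.168.3.30 dev eth0 FAILED
"""

NEIGH = re.compile(
    r"^(\S+) dev \S+ lladdr ((?:[0-9a-f]{2}:){5}[0-9a-f]{2})(?: router)? (\w+)$", re.I)

def parse_neigh(text):
    """Return {mac: ip} for neighbours with a resolved link-layer address."""
    seen = {}
    for line in text.splitlines():
        m = NEIGH.match(line.strip())
        if m and m.group(3).upper() not in ("FAILED", "INCOMPLETE"):
            seen[m.group(2).lower()] = m.group(1)
    return seen

def audit(seen, known):
    """Return (unknown devices, always-connected devices that are missing)."""
    unknown = sorted((mac, ip) for mac, ip in seen.items() if mac not in known)
    missing = sorted(label for mac, (label, always) in known.items()
                     if always and mac not in seen)
    return unknown, missing

if __name__ == "__main__":
    unknown, missing = audit(parse_neigh(SCAN), KNOWN)
    for mac, ip in unknown:
        print("ALERT unknown device", mac, "at", ip)
    for label in missing:
        print("ALERT always-connected device down:", label)
```

Devices that randomize their MAC address per network will show up as unknown until the randomized address is added to the inventory.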

Unbound DNS

We can also use Unbound as an alternative DNS with this docker-compose:

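version: "3.7"

services:
  unbound:
    # The Pi-hole + Unbound stack on this page uses mvance/unbound
    # (mvance/unbound-rpi on a Raspberry Pi)
    image: unbound:latest
    container_name: unbound
    ports:
      # DNS uses UDP as well as TCP; a bare "53:53" publishes TCP only
      - "53:53/tcp"
      - "53:53/udp"
    networks:
      - unbound_net

networks:
  unbound_net:
    name: unbound_net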

You can customize the Unbound configuration by editing the unbound.conf file in the Unbound container.

If you are using Unbound as your DNS server, you may need to flush the DNS cache on your devices. On macOS, you can do this by running the following command:

dscacheutil -flushcache

Wait, what's already occupying my port 53?

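# Show what is listening on port 53
sudo netstat -tuln | grep :53
sudo lsof -i :53

# If it is systemd-resolved, stop it to free the port
# (the host's /etc/resolv.conf may still point at 127.0.0.53 afterwards)
sudo systemctl stop systemd-resolved
#sudo systemctl disable systemd-resolved
#sudo systemctl enable systemd-resolved

#systemctl list-units --type=service | grep 'running'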

And what’s my current DNS?

ip a # get the network interface to check, something like eth0, wlan0...
nmcli device show <your_network_interface> | grep IP4.DNS

#sudo nmcli connection modify <your_connection_name> ipv4.dns "192.168.3.200 9.9.9.9"

cat /etc/resolv.conf

Deploy PiHole with Unbound

Go to: http://192.168.3.200:85/admin/login.php

version: '3'

networks:
  dns_net:
    driver: bridge
    ipam:
        config:
        - subnet: 172.16.0.0/16 #check in the Portainer Network tab which one you have available (sort and see)

services:
  pihole:
    container_name: pihole
    hostname: pihole
    image: pihole/pihole:latest
    networks:
      dns_net:
        ipv4_address: 172.16.0.7
    ports:
    - "53:53/tcp"
    - "53:53/udp"
    - "85:80/tcp"
    #- "443:443/tcp"
    environment:
      TZ: 'Europe/London'
      WEBPASSWORD: 'password' #change me
      # Upstream = Unbound's address on dns_net and its container-side port
      # (5053 is only the port published on the host)
      PIHOLE_DNS_: '172.16.0.8#53'
    volumes:
    - '/home/ubuntu/docker/pihole/etc-pihole/:/etc/pihole/'
    - '/home/ubuntu/docker/pihole/etc-dnsmasq.d/:/etc/dnsmasq.d/'
    restart: unless-stopped
  unbound:
    container_name: unbound #https://github.com/MatthewVance/unbound-docker/issues/58
    image: mvance/unbound-rpi #mvance/unbound:latest
    networks:
      dns_net:
        ipv4_address: 172.16.0.8
    volumes:
    - /home/ubuntu/docker/unbound:/opt/unbound/etc/unbound
    ports:
    - "5053:53/tcp"
    - "5053:53/udp"
    restart: unless-stopped
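A way to check the resolver chain of this stack, and the sinkhole behaviour described in the Pi-Hole section, as an added example (not code from Pi-hole or Unbound): a minimal DNS client that queries a server and labels the answer as blocked, resolved or failed. It assumes Pi-hole's default blocking mode, which answers blocked names with 0.0.0.0; `sample_response` builds constructed replies so the parser can be exercised offline.

```python
import socket
import struct

def build_query(name, qid=0x1234):
    """A-record query for `name` with the recursion-desired flag set."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    # root label terminator, then QTYPE=A (1) and QCLASS=IN (1)
    return struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def skip_name(msg, off):
    """Offset just past a name, which may end in a 2-byte compression pointer."""
    while msg[off] & 0xC0 != 0xC0:
        if msg[off] == 0:
            return off + 1
        off += 1 + msg[off]
    return off + 2

def a_records(msg):
    """Return (rcode, [IPv4 addresses]) parsed from a DNS response."""
    flags, qd, an = struct.unpack("!HHH", msg[2:8])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def classify(msg):
    """'blocked' means every A record is 0.0.0.0 (assumed: Pi-hole's default NULL blocking)."""
    rcode, addrs = a_records(msg)
    if rcode or not addrs:
        return "error rcode=%d" % rcode if rcode else "no A record"
    return "blocked" if set(addrs) == {"0.0.0.0"} else "resolved"

def ask(server, port, name, timeout=3.0):
    """Send one UDP query to server:port and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, port))
        return classify(s.recvfrom(4096)[0])

def sample_response(name, ip=None, rcode=0):  # constructed reply for offline checks
    hdr = struct.pack("!HHHHHH", 0x1234, 0x8180 | rcode, 1, 1 if ip else 0, 0, 0)
    ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 60, 4) + socket.inet_aton(ip) if ip else b""
    return hdr + build_query(name)[12:] + ans
```

With the stack running, `ask("192.168.3.200", 53, name)` for a name on your blocklist should return `blocked`, while the same query sent to port 5053 goes straight to Unbound and should return `resolved`.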

SearXNG

The SearXNG project develops and maintains a self-hosted metasearch engine. This means that anyone can install and run their own SearXNG instance and customize it to their liking.

You can spin it up with this simple docker-compose:

version: "3.7"

services:
  searxng:
    image: searxng/searxng
    container_name: searxng
    ports:
      #- "${PORT}:8080"
      - "3003:8080"
    volumes:
      #- "${PWD}/searxng:/etc/searxng"
      - "/home/Docker/searxng:/etc/searxng"
    environment:
      #- BASE_URL=http://localhost:$PORT/
      - BASE_URL=http://localhost:3003/
      - INSTANCE_NAME=my-instance

This post is licensed under CC BY 4.0 by the author.