Raspberry Pi, Pi-hole DNS Sinkhole, Ad Blocker and DHCP Server with Log2RAM

I got a Raspberry Pi 3 a couple of years ago to use as a retro gaming device, which is well worth doing if you’re into gaming and feeling nostalgic. It is super easy to set up; if you’re interested, check out RetroPie – just be aware that many ROMs are copyrighted and may be illegal to download.

This post isn’t about RetroPie though. Since studying networking and cybersecurity, the Pi has had many different uses. It has been a wireless router, a network firewall, a web proxy, a VPN Server and a network monitor. However its current use is as a DNS sinkhole and DHCP server for my network, without doubt one of the most practical jobs I’ve had it perform.


Blocking Ads Using Pi-hole

Pi-hole is lightweight, open source software that will block ads across your whole network so you don’t need to configure individual devices. Websites load, but without the annoying ads, so loading times can be faster. For example without Pi-hole running, if I want to watch a video on the Sky Sports app on my iPhone, I am forced to endure two advertisements for the privilege, but with Pi-hole running, I can watch the video I’m interested in straight away.

It is very easy to install following the steps below, and works on most operating systems you can run on your Raspberry Pi. I have Raspberry Pi OS (used to be called Raspbian), but if you are starting from scratch and brand new to Raspberry Pis, check out this guide from the Raspberry Pi Foundation on how to install the operating system.

If you are using the GUI, open a terminal; otherwise SSH into your Raspberry Pi. Note that SSH is disabled by default with Raspberry Pi OS and must be enabled in the config menu first.

Don’t forget to make sure your system is up to date before you start the installation. Pi-hole can then be installed using the following command:

curl -sSL https://install.pi-hole.net | bash

If you want to avoid piping to bash, you can either download the installer manually or clone their repository:

git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole

Either way, once you run the installer you will be guided through the set up. You will be prompted to set a static IP address for your Pi-hole. If you are using DHCP, you might want to set a reservation or exclude the IP address to prevent conflicts. You will also need to select the network interface (ideally the Ethernet connection for faster speed).

You will be asked to select your upstream DNS provider. Either select from the options of popular providers or select custom to enter your ISP’s DNS servers.


Which DNS Provider Should You Use

If you use a router provided by your ISP, you are probably currently directed to their own DNS Server. My router doesn’t give me a choice to configure DNS, though of course there is always the option to configure it on each of your devices.

Since I stopped using my Raspberry Pi as a wireless router due to the slower speed, I no longer have Squid and SquidGuard blocking access to malicious websites. So I have been using 1.1.1.1 for Families from Cloudflare, which has been excellent so far, and blocks malicious websites with the option to also block websites featuring adult content.

Cloudflare is supposed to be the fastest DNS provider, but you could implement DNS over HTTPS for increased security, or another good option might be to set up your Pi-hole to be a recursive DNS server itself using Unbound from NLnet Labs. I haven’t used Unbound myself, but there is a guide on Pi-hole’s website if you want to look into it.


Back to Pi-hole Installation

You will also be asked to select an ad services blacklist, whether you want to block ads over IPv4, IPv6 or both, and whether you want to install the web interface and server for your Pi-hole, which is recommended. You also select whether to log queries and the level of privacy.

Once the installation has finished, you will get a message telling you the installation is complete and showing the password that you need for logging on to the web interface. You can test this by opening a browser and navigating to the web interface. The URL is http://IP_address/admin replacing IP_address with the IP of your Pi-hole. You can then log in using the password you were provided with.


Configure DNS

In order for Pi-hole to start blocking ads, it needs to be the primary DNS server. If you can configure your router to use the Raspberry Pi as the primary DNS, that is the easiest way. If like me, you are using an ISP provided router, you may not be able to change the DNS settings.

There are two ways around this. If you can disable DHCP in your router, you can use the inbuilt DHCP functionality of Pi-hole. This can be set up on the Web UI and though it is no more configurable than the DHCP of my particular router, at least using the UI, it works well and is a better option than manually configuring each of your devices individually.

From what I have read, using another DHCP on your Pi or configuring the Pi-hole DHCP manually in the config file doesn’t work smoothly with Pi-hole. If you have found a way around this, please let me know in the comments or send me a message.

My router still acts as the DHCP server for its guest network, which my IoT devices are connected to, so that may be an option for you to isolate your IoT devices from the rest of your network.


Using the Web UI

The interface is intuitive with graphical displays that you can drill down on, you can search the logs, and select devices and websites to query in the log. There is a whitelist for any blocked sites you want to unblock and a blacklist for any that you want to block. You can also alter the DNS settings and options you selected in the initial set up.

The only other thing to bear in mind, whatever you are using a Raspberry Pi for, is to make sure that you lock it down by implementing firewall rules and eliminating vulnerabilities as much as possible.
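
One way to implement the firewall part of that advice, as an added example that is not from the original post: the function below prints ufw rules for a Pi-hole that serves DNS, DHCP and the web UI. It assumes ufw is installed (it is not part of a default Raspberry Pi OS image), SSH on port 22, the web interface on port 80 and IPv4 only; the subnet is a constructed placeholder.

```sh
#!/bin/sh
# Added example (not from the original post): print ufw rules for a Pi-hole
# that serves DNS, DHCP and the web UI. Nothing changes until the output is
# piped to a root shell. Assumed: ufw installed, SSH on 22/tcp, web UI on
# 80/tcp, IPv4 only.

pihole_ufw_rules() {
    lan="$1"
    # Allow only digits, dots and a slash, then check the CIDR shape, so a typo
    # or stray shell text can never end up in a rule.
    case "$lan" in
        ""|*[!0-9./]*) echo "usage: pihole_ufw_rules <lan-cidr>" >&2; return 1 ;;
    esac
    if ! printf '%s\n' "$lan" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'; then
        echo "not an IPv4 CIDR: $lan" >&2
        return 1
    fi
    # SSH, DNS and the web UI are limited to the LAN. DHCP requests arrive from
    # 0.0.0.0 before a client has an address, so port 67 cannot be limited by
    # source; drop that line if Pi-hole is not your DHCP server.
    cat <<EOF
ufw default deny incoming
ufw default allow outgoing
ufw allow from $lan to any port 22 proto tcp
ufw allow from $lan to any port 53 proto tcp
ufw allow from $lan to any port 53 proto udp
ufw allow from $lan to any port 80 proto tcp
ufw allow 67/udp
ufw --force enable
EOF
}

# Print the rules for a constructed example subnet; review them, then apply with:
#   pihole_ufw_rules 192.168.1.0/24 | sudo sh
pihole_ufw_rules 192.168.1.0/24
```

The SSH rule is emitted before the enable line so that applying the rules over an SSH session does not lock you out.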


Log2RAM

One of the issues faced with Raspberry Pis used for purposes that create logs is an increase in write cycles. This reduces the longevity of an SD card, which already has a shorter lifespan than an SSD, much less an HDD. Modern SD cards are better at writing across the whole memory to maximise the life span, something called wear levelling, but a few utilities like Log2RAM can also help in this regard.

Log2RAM works by pushing the log files to the RAM. They are then written to the SD card at specified intervals, thus reducing how often the SD card is written to. The only thing to bear in mind is that if your Raspberry Pi loses power suddenly, you would lose any logs that haven’t already been written to the SD card. So if you want those logs, make sure you shut down the Raspberry Pi, as you should always do anyway, rather than cutting the power.


Installation

Log2RAM was scripted by Azlux and can be downloaded from their GitHub via

wget https://github.com/azlux/log2ram/archive/master.tar.gz -O log2ram.tar.gz

This saves the archive as log2ram.tar.gz and it must then be extracted.

sudo tar xf log2ram.tar.gz

The files are extracted in a new directory called log2ram-master. Change to the new directory and then run the install script.

cd log2ram-master
sudo ./install.sh

A message will tell you to reboot to activate log2ram and that options are configured in /etc/log2ram.conf

You can confirm that Log2RAM is working using the command systemctl status log2ram


Customising Log2RAM

Within the config file there are a couple of options that you may wish to consider. One is the size of the log folder reserved in RAM. The default is 40MB and depending on your preferences you may wish to increase this. You will probably want to check how much is being stored as it will be different depending on your set up, though for most the defaults will be enough.

In order to check how much space is currently taken and how much RAM is being used, you can run the following commands.

df -h | grep log2ram
free -m

As you will see, unless you are creating a lot of logs the defaults should be adequate, but to change the size of the folder, edit the config file using the below command and change the figure in SIZE=40M

sudo nano /etc/log2ram.conf
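
The size check described above can be scripted so that you notice before the RAM log folder fills up and services can no longer write their logs. This is an added example, not part of Log2RAM or the original post; it assumes SIZE is written with an M or G suffix as in SIZE=40M, and the 80% warning level is an arbitrary choice.

```sh
#!/bin/sh
# Added example: warn before the log2ram RAM disk fills up.
# Assumptions: SIZE in log2ram.conf has an M or G suffix (e.g. SIZE=40M);
# the default 80% warning level is arbitrary.

# Print the configured SIZE in MB; fail if there is no usable SIZE= line.
log2ram_size_mb() {
    awk -F= '
        /^[ \t]*SIZE=/ {
            v = $2; sub(/#.*/, "", v); gsub(/[ \t"]/, "", v)
            if (v ~ /^[0-9]+M$/)      mb = v + 0
            else if (v ~ /^[0-9]+G$/) mb = (v + 0) * 1024
        }
        END { if (mb > 0) print mb; else exit 1 }
    ' "$1"
}

# Used MB on the filesystem that holds a directory (the log2ram mount for /var/log).
used_mb() {
    df -Pk "$1" | awk 'NR == 2 { print int($3 / 1024) }'
}

# check_log2ram <conf> <used_mb> [warn_pct]
# Returns 0 when below the warning level, 1 when at or above it, 2 on a bad config.
check_log2ram() {
    size=$(log2ram_size_mb "$1") || { echo "no usable SIZE= in $1" >&2; return 2; }
    pct=$(( $2 * 100 / size ))
    echo "log2ram: ${2}M of ${size}M used (${pct}%)"
    [ "$pct" -lt "${3:-80}" ]
}

# Demo on a constructed config file. On the Pi, run instead:
#   check_log2ram /etc/log2ram.conf "$(used_mb /var/log)" || echo "raise SIZE or prune logs"
demo_conf=$(mktemp)
printf 'SIZE=40M\n' > "$demo_conf"
check_log2ram "$demo_conf" 12
rm -f "$demo_conf"
```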

Another option you may wish to change is how often Log2RAM writes to disk. The default is once a day or upon reboot or shutdown and I would recommend keeping that schedule, but it can be changed to weekly by running systemctl edit log2ram-daily.timer with sudo privileges and adding the following:

[Timer]
OnCalendar=weekly

Or even disabled with the command

sudo systemctl disable log2ram-daily.timer

… in which case the logs will only be written when the system is rebooted or if the Log2RAM service is stopped.


Conclusion

With the Log2RAM service up and running, the lifespan of the SD card will be extended even with high usage of your Raspberry Pi. One way of checking the effect of Log2RAM is by installing iotop which monitors I/O usage. You could compare before and after running Pi-hole, and then again after installing Log2RAM.

What’s your favourite use of your Raspberry Pi? Let me know in the comments below.
