Update documentation for Pihole v6

maintenance.md

@@ -2,7 +2,40 @@
 
 ## Raspberry Pi
 
-Common commands:
+### Installation
+
+Write the Raspberry Pi image to a SD card with the Raspberry Pi imager.
+
+Since the server should be lightweight and will be accessed only via ssh, the image `Raspberry Pi OS Lite (64 bit)` is chosen.
+
+To activate ssh from the beginning, press `Ctrl` + `Shift` + `X` and input a username and password combination or a public key.
+
+After the installation is finished, let the device connect to the network and find out its IP address.
+
+In the router settings, it is recommended to set the Raspberry Pi's IP address to a static value (this is needed to more easily configure the Raspberry Pi as the DNS).
+
+Connect to the Raspberry Pi via `ssh <IP address> -l pi`.
+
+Adjust the time zone (Europe/Berlin) with `raspi-config`:
+
+```sh
+sudo raspi-config
+Localisation Options -> Timezone -> Europe -> Berlin
+Finish
+```
+
+Update all system packages:
+
+```sh
+sudo apt-get update 
+sudo apt-get upgrade 
+sudo apt-get dist-upgrade 
+sudo apt-get autoremove
+
+sudo reboot
+```
+
+### Common commands
 
 | Command | Description |
 | :-: | :-- |

router.md

@@ -20,8 +20,31 @@ Like Fritz!Box, many routers offer a built-in DHCP server. To use this setup, en
 
 Now, add public DNS servers to the router's settings under `Internet/Zugangsdaten/DNS-Server`.
 
-In Pi-hole, only the Fritz!Box should be added as an upstream server. Check `Use Conditional Forwarding` and type in the following values:
+## Using DNS over TLS (DoT)
 
+DNS requests from the local network should be encrypted via TLS before being sent to an upstream DNS server. This can be configured in the router under `Internet/Zugangsart/DNS-Server`. Here are some as an example:
+
+DNSv4-Server:
+
+- Andere DNSv4-Server verwenden: Check
+  - Bevorzugter DNSv4-Server: 94.140.14.140
+  - Alternativer DNSv4-Server: 176.9.93.198
+
+DNS over TLS (DoT):
+
+- Verschlüsselte Namensauflösung im Internet (DNS over TLS): Check
+  - Zertifikatsprüfung für verschlüsselte Namensauflösung im Internet erzwingen: Check
+
+Auflösungsnamen der DNS-Server
+
+- unfiltered.adguard-dns.com
+- dnsforge.de
+
+## Conditional forwarding
+
+In Pi-hole, only the Fritz!Box should be added as an upstream server. Uncheck every other upstream server in the web interface. Under `Use Conditional Forwarding` type in the following values, separated with commas:
+
+- Enabled as a boolean value
 - Local network in CIDR notation: 192.168.50.0/24 (adjust to the network)
 - IP address of your DHCP server (router): 192.168.50.1 (IPv4 address of the Fritz!Box)
 - Local domain name (optional): fritz.box

tools/pihole/pihole.md

@@ -6,102 +6,25 @@ Tutorials:
   - [Anleitungen](https://github.com/RPiList/specials/tree/master/Anleitungen)
   - [Benötigte Hardware](https://github.com/RPiList/specials/blob/master/Ben%C3%B6tigte%20Hardware.md)
 - [DAS halbiert eure Ladezeiten | Pi-Hole-Tutorial](https://youtu.be/FjNkv2aPiiA)
+- [Pi-hole: Einrichtung und Konfiguration mit Fritz!Box](https://www.kuketz-blog.de/pi-hole-einrichtung-und-konfiguration-mit-fritzbox-adblocker-teil1/)
 
 ## Installation
 
-Write the Raspberry Pi image to a SD card with the Raspberry Pi imager.
-
-Since the server should be lightweight and will be accessed only via ssh, the image `Raspberry Pi OS Lite (32 bit)` is chosen.
-
-<!--There's now also a 64 bit image available?-->
-
-To activate ssh from the beginning, press `Ctrl` + `Shift` + `X` and input a username and passwort combination or a public key.
-
-After the installation has finished, let the device connect to the network and find out its IP address.
-
-In the router settings, it is recommended to set the Raspberry Pi's IP address to a static value (this is needed to more easily configure the Raspberry PI as the DNS).
-
-Connect to the Raspberry Pi via `ssh <IP address> -l pi`.
-
-Then, install pihole with `curl -sSL https://install.pi-hole.net | bash`.
+Pihole can be installed with `sudo curl -sSL https://install.pi-hole.net | bash`.
 
 While installing, note down the web interface password that is shown in the terminal to later access the web interface for the first time.
 
 Now add the Raspberry Pi's IP address as a DNS to your router's settings.[^router-settings]
 
 The web interface is now accessible via `http://<IP address>/admin`. The standard port of the web interface is 80.
 
-### Pihole v6
-
-The next major version uses a different webserver. Thus all PHP components and the old webserver should be removed upon migration.
-
-```sh
-apt remove php lighttpd
-```
-
 ## Serving the pihole service over SSL
 
-When installing SSL on a web server, it is crucial to understand what web server is used and what the configuration looks like. Examples for web servers are `Nginx` and `Apache`. In the case of pihole, it's `lighttpd`.
-
-**Step 1:** Use OpenSSL to create the pem file.
-
-```sh
-openssl req -new -x509 -keyout server.pem -out server.pem -days 365 -noenc
-```
-
-This pem file now contains a key and a certificate (.crt) file.
-
-Following the above, the `.pem` file needs to be moved to `/etc/lighttpd/ssl/`. The location doesn’t really matter here as long as access is given to the files needed (*sudo chown www-data [pem file]*). "SSL" or "TLS" as the folder name is the most common setup.
-
-**Step 2:** Add the SSL config in the `/etc/lighttpd/conf-available/10-ssl.conf` file, where "10" notes down the order in which the config files are loaded in (which number is used is not important here).
-
-```php
-# https://redmine.lighttpd.net/projects/lighttpd/wiki/Docs_SSL
-# https://doc.lighttpd.net/lighttpd2/mod_openssl.html
-
-server.modules += ("mod_openssl")
-
-$HTTP["host"] =~ "(<IP address>|^pi.hole$)" {
-
-  # Enable the SSL engine with a LE cert, only for this specific host
-  $SERVER["socket"] == ":443" {
-    ssl.engine = "enable"
-    ssl.pemfile = "/etc/lighttpd/ssl/pihole.pem"
-    ssl.openssl.ssl-conf-cmd = ("MinProtocol" => "TLSv1.3", "Options" => "-ServerPreference")
-  }
-
-  # Redirect HTTP to HTTPS
-  $HTTP["scheme"] == "http" {
-    $HTTP["host"] =~ ".*" {
-      url.redirect = (".*" => "https://%0$0")
-    }
-  }
-}
-```
-
-**Step 3:** Enable the newly added module via `lighty-enable-mod`.
-
-```sh
-sudo lighty-enable-mod ssl
-```
-
-This will create a symlink to the config file in `/etc/lighttpd/conf-enabled/`.
-
-*Note: `lighty-disable-mod` can disable mods.*
-
-**Step 4:** Force-reload the lighttpd server
-
-```sh
-sudo service lighttpd force-reload
-```
-
-### Notes
-
-Opening the service in the browser now already works and the site can be accessed, however, the browser will warn the user because the certificate is self-signed.
+When installing SSL on a web server, it is crucial to understand what web server is used and what the configuration looks like. Examples for web servers are `Nginx` and `Apache`. In the case of pihole v6, it's `civetweb`.[^web-v5]
 
-This does not add anything to security because IF an attacker can read the password from the unencrypted connection via MITM, there is a far greater problem. For this attack to work, the hacker needs to already have access to the network.
+How to setup SSL in general is described in [SSL](../../ssl.md).
 
-Nevertheless may it be good for practice to see how certificates work and how they are enabled in a webserver.
+SSL is the de facto standard today and is not difficult to implement. Absolute security can not be guaranteed, especially when there are vulnerable IoT devices in the network that could be hacked. So, SSL support should definitely be added whenever possible.
 
 ## Creating a blocklist
 
@@ -164,20 +87,23 @@ There is also unbound, enabling recursive dns lookup.
 | Command | Description |
 | :-: | :-- |
 | pihole -up | Update pihole |
-| pihole -a -p | Set password for the web interface |
+| pihole setpassword | Set password for the web interface |
 
 ### Reduce memory access
 
-To minimise load on the SD card, pihole can be configured to not save as often to disk. In `/etc/pihole/pihole-FTL.conf`, type in the following settings:
+To minimise load on the SD card, pihole can be configured to not save as often to disk. In `/etc/pihole/pihole.toml`, type in the following settings:
 
 ```sh
-#; How often are queries stored in FTL's database [minutes] | Default: 1.0
-DBINTERVAL=30
-#; IP addresses older than the specified number of days are removed from database | Default: 365
-MAXDBDAYS=14
+# How long should queries be stored in the database [days]? | Default: 91
+maxDBdays = 14
+# How often do we store queries in FTL's database [seconds]? | Default: 60
+DBinterval = 300
+# How long should IP addresses be kept in the network_addresses table [days]? | Default: 91
+expire = 14
 ```
 
 ## Annotations
 
 [^router-settings]: An example setting for the Fritz!Box router has been added [here](/../router.md).
+[^web-v5]: Prior to Pi-hole v6, it was lighttpd.
 [^ping]: This can also be identified by using `ping`. If the IP is wrong, the command will say `Temporary failure in name resolution`.

tools/pihole/pihole_script_idea.txt

@@ -1,7 +1,29 @@
-1. Script that calculates the overlapping domains compared to the database in percent
+1. Script that calculates the overlapping domains from a list compared to the database (in percent)
 
 The given domain list overlaps to 4 % with the database (5/3462 domains)
 
+List endpoint? --> get all lists
+then download lists, combine into one list and compare with given list
+OR execute script on pihole device and get lists directly via /etc/pihole/listsCache (is there another place where lists are saved?)
+
+is there an easy way to get total number of domains in database? (metrics or ftl endpoint?)
+compare length of all lists with total number in database?
+
+differentiate allow/block list?
+filter for enabled/disabled?
+handle exact/regex?
+
+User input - Address of the list you want to add: X - Type of list: Allow/Block
+
 2. Script that outputs the number of duplicates in the database
 
 3. Script that updates the adlists from sefinek (adlists all need to be removed and readded in case a whole new list was added)
+
+4. Create group which does not block anything and then add script for moving clients to this group or away from this group
+
+5. SIEM: check if new devices connected to the network (to the pi.hole)
+
+pi.network.get_devices(), then check regularly if any new devices are in the list
+
+
+api documentation is in https://pi.hole/api/docs