Pi-hole configuration qubes os 4.1

hello, after days of research I can’t get the result I’m trying to switch my entire network to pi-hole. in order not to have advertising, I have a sys-net appvm, a sys-firewall appvm, a ChocolaVm appvm, a sys-vpn appvm, I want to have pi-hole, so I created an appvm named pi-hole debian platform, I installed pi-hole on it. but I’m blocked to configure them all, in what order? and is there a configuration to do in pihole? what order? sys-net what will i put in net qube, sys-firewall what will i put like net qube , sys-vpn what will i put in net qube pihole what will i put in net qube and in all vm? and in which vm provides network must be checked, if you could help me, thank you

1 Like

Have you read here and here?

This is, what I did and it’s working since then…


hello thegardner yes I installed pi-hole by looking at both sites, but it doesn’t work, I want my chocolatvm machine to be filtered by pi-hole, but I can’t do it

I have these as configuration,

sys-net > template fedora-34 (current), Net qube (none) (current), type AppVM, mode HVM (current), provides network : authorized.

sys-firewall > template fedora-34-dvm (current), Net qube : sys-net (current), type DispVM, mode Default (PVH) (current), provides network : authorized.

ChocolatVM > template fedora-34 (current), Net qube : pi-hole (current), type AppVM, mode Default (PVH) (current), provides network : not authorized.

pi-hole >, Net qube : sys-firewall (current), type Standalone, mode Default (PVH) (current), provides network : authorized.

to start and what this configuration is correct?
if so why does my firefox on my ChocholatVM machine show me advertisements and pi-hole does not block them? thank you


…sorry for the delay…

so mine config is close to yours then… internet < sys-net < sys-pihole < sys-firewall < personal (chocolateVM)

My sys-pihole qube is a standaloneVM based on Debian-11 (I guess) and it’s working as it should.
And yes - sometimes I also see advertisements, but it’s much rarer as it would, without the pihole qube. Thing probably is, I didn’t do any updates for pihole yet, just the usual updates for the qube itself…

thank you,

just to make sure i understand

sys-net > Net qube (none) (current)

sys-firewall > Net qube : sys-net (current)

ChocolatVM > Net qube : pi-hole (current)

pi-hole >, Net qube : sys-firewall (current)

exact ?

Not 100%, you better should write/chain it this way:

sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)

(sys-firewall always has to be close to your work/personal/etcVMs and pi-hole / VPN and similar qubes before)

Now, found the way to update the DNS white/black lists on pi-hole. Just login on your pi-hole via browser from your CocolatVM (http://IP_of_the_pi-hole_qube/admin/index.php) with User= admin & Pass= your password you got within the pi-hole installation.
Then go Tools > Update Gravity

1 Like

ahh, and one more, I found out:
You indeed will find some advertisings on pages you’re visit. This is a tricky one: this ads are “pictures only” which are stored on the pages you visit (and which are not blocked) and bought to you via the webserver of the page, you visit.
With other words: you can’t block them, cause you would block the entire page. The thing is - click on the banners/ads, and you find out, that it’s redirecting you to pages/servers which were blocked through pi-hole and you simply will see a empty page - or at least the known error page of the browser.

Result: pi-hole is working proper.

(sys-firewall always has to be close to your work/personal/etcVMs and pi-hole / VPN and similar qubes before)

wait i didn’t understand this sentence
It’s not like that ? sorry i am a beginner
sys-net > Net qube (none) (current)

sys-firewall > Net qube : sys-net (current)

ChocolatVM > Net qube : pi-hole (current)

pi-hole >, Net qube : sys-firewall (current)

I must see like this example
sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)

1 Like

to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user

thats exactly what I have and you should test!

thank you very much, I will try again to reinstall everything from scratch and apply everything, just a question allow both link that explains how to install pi-hole which one I must choose for qubes 4.1

I don’t think you need to reinstall all. Just give pi-hole “sys-net” as netVM and sys-firewall “pi-hole” as netVM in Qubes Manager.

this is my file, where I build up my pi-hole:

# This howto will describe how you can setup a pihole NetVM which will 
# use NextDNS DNS-over-TLS as upstream DNS servers.
# It will allow you to filter out most dns spam locally (within Pihole) 
# and use NextDNS cloud services as an additional layer of protection.
# analyzing NextDNS logs you can also see at which point you can improve
# your pihole block lists.

# All commands can be run from dom0.
# Download the script in an AppV:
#    cd ~/
#    wget https://raw.githubusercontent.com/one7two99/my-qubes/master/my-qubes-templates/26-sys-pihole.md
# then from dom0:
qvm-run --pass-io --no-gui YOURAPPVM 'cat ~/26-sys-pihole.md' > sys-pihole.txt

# some variables to keep the setup flexible - change the names here

### Update template
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get update && apt-get upgrade'
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get install \
  qubes-core-agent-networking qubes-menus'
qvm-shutdown $TemplateVM

### create new standalone qube
qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM
qvm-prefs $PiholeVM provides_network true
qvm-service $PiholeVM qubes-firewall on

### tools
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'apt-get install \
  less psmisc nano unzip git curl dnsutils'

### Disable other DNS Resolver
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop systemd-resolved && systemctl disable systemd-resolved'
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'

### Download and install pihole
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole'
qvm-run --auto --user root $PiholeVM "xterm -e 'cd Pi-hole && cd automated\ install && bash basic-install.sh && read'"
# >>> write down login credentials!! <<<

### create file which will be run each time a qubes is started
qvm-run --user=root --pass-io --no-gui $PiholeVM 'mkdir -p /rw/config/network-hooks.d'
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/network-hooks.d/fw-update.sh'"
----------[ begin ]-------------

# Flush the PR-QBS chain
iptables -t nat -F PR-QBS

# Add a rule that redirects all the DNS traffic to localhost:53
iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination

# Enable the traffic coming from the virtual interfaces
# to be forwarded to the loopback interface
# enabling the route_localnet flag on them
find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
----------[ ende ]-------------
qvm-run --user=root --pass-io --no-gui $PiholeVM 'chmod +x /rw/config/network-hooks.d/fw-update.sh'

#### Edit qubes-firewall-user-script
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/qubes-firewall-user-script'"
----------[ begin ]-------------

# This script is called at AppVM boot if this AppVM has the qubes-firewall
# service enabled. It is executed after the empty chains for the Qubes firewall
# are created, but before rules for attached qubes are processed and inserted.
# It is a good place for custom rules and actions that should occur when the
# firewall service is started.
# Executable scripts located in /rw/config/qubes-firewall.d are executed
# immediately before this qubes-firewall-user-script.

# Allow access to Pihole WebGUI from AppVMs
iptables -I INPUT -s -j ACCEPT
# Allow access to Pihole WebGUI from DispableVMs
iptables -I INPUT -s -j ACCEPT

# Add a rule that accepts the traffic coming to localhost
# from XEN's virtual interfaces on port 53
iptables -I INPUT -i vif+ -p udp --dport 53 -d -j ACCEPT
----------[ end ]-------------

# check firewall config
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v'
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v -nat'

# Anpassung DNSmasg
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/dnsmasq.conf'"
# change file to:

### Setup unbound with NextDNS.io-over-TLS
See: https://blog.cyclemap.link/2020-01-11-unbound
# Install & Enable unbound
qvm-run --pass-io --no-gui --user root $PiholeVM 'apt-get install -y unbound && \
   systemctl enable unbound'

# Configure Unbound to use your NextDNS configuration
qvm-run --user root $PiholeVM 'mkdir -p /etc/unbound/unbound.conf.d'
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/unbound/unbound.conf.d/pihole.conf'"
----------[ begin ]-------------
### Unbound configuration file
### /etc/unbound/unbound.conf.d/pihole.conf

### DNS-over-TLS
    port: 5300
    tls-upstream: yes                                          
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

  name: "."
  forward-tls-upstream: yes
  # insert DNS settings for unbound from NextDNS.io page
  # Login at NextDNS and then scroll down on the Setup-page
  forward-addr: 2a07:a8c0::#<YOURNEXTDNSCONFIGID>.dns1.nextdns.io
  forward-addr: 2a07:a8c1::#<YOURNEXTDNSCONFIGID>.dns2.nextdns.io
----------[ end ]-------------

### Update keys
qvm-run --pass-io --no-gui --user root $PiholeVM 'update-ca-certificates'
qvm-run --pass-io --no-gui --user root $PiholeVM 'sudo -u unbound unbound-anchor'
qvm-run --pass-io --no-gui --user root $PiholeVM 'systemctl restart unbound'

### reboot
qvm-shutdown $PiholeVM 
qvm-service $PiholeVM disable-dns-server on
qvm-prefs $PiholeVM provides_network true

### finalize installation
# Set the Pihole-Qube as NetVM
# Open up a browser in an AppVM and connect to the Pihole IP
# http://<YOURPIHOLEIP>/admin/settings.php?tab=dns
# Disable Upstream DNS Servers (on the left)
# Enable Upstream DNS Servers (on the right)
#    [X] Custom 1 (IPv4)
# Scroll down and enable DNSSEC
#    [X] Use DNSSEC

# Add blocklists via http://<YOURPIHOLEIP>/admin/groups-adists.php
# You can use my list of blocklists (scroll down)
# This will add up to ~3.000.000 domains which will be blocked :-)
# Update blocklists via http://<YOURPIHOLEIP>/admin/gravity.php

#----[begin blocklists]-----
# Migrated from /etc/pihole/adlists.list

# No Google - https://github.com/nickspaargaren/no-google/blob/master/README.md

# Suspicious Lists - https://firebog.net	
# Advertising List - https://firebog.net/

# Tracking & Telemetry List - https://firebog.net

# Malicious List - https://firebog.net

# Other List - https://firebog.net

# Amazon - https://github.com/bloodhunterd/Pi-hole-Blocklists

# NoTrack - https://gitlab.com/quidsup/notrack-blocklists

# Energized Ultimate - https://github.com/EnergizedProtection/block/blob/master/README.md

# GoodbyeAds -https://github.com/jerryn70/GoodbyeAds/tree/master/Formats

# Energized Regional Extension - https://energized.pro/#download

I take into account the last message or the penultimate by this aue it is not the same


to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user


thats exactly what I have and you should test!

Does your Pi-Hole Query Log show any data? I more or less followed the instructions in “PiHole Cloudflared” ( without using Cloudflare), but the Query Log in my pi-hole vm is showing no data while the pi-hole on my router is logging every request.

hi ephile
it’s very complicated for me, because I used the two tutorials together but it doesn’t work, I have to redo everything properly.

Thanks for posting this file. I started from scratch and replaced the “PiHole Cloudflared” instructions with commands from this file whenever they differed (ignoring Cloudflare and Unbound) and now have a working Pi-hole vm in 4.1.

Looking at iptables -L -v and netstat -antpu I cannot tell any real difference between the two setups, but for some reason only TheGardner’s setup works. It does seem that the issue may be in step 9 “Copy and Paste following-” of the Cloudflared instructions, since that’s the only place they differed wrt Pi-hole.

I’m starting from zero, so I changed,




I what should I change PiholeVM=sys-pidns2 ?