Pi-hole configuration qubes os 4.1

thank you,

just to make sure i understand

sys-net > Net qube (none) (current)

sys-firewall > Net qube : sys-net (current)

ChocolatVM > Net qube : pi-hole (current)

pi-hole >, Net qube : sys-firewall (current)

exact ?

Not 100%, you better should write/chain it this way:

sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)

(sys-firewall always has to be close to your work/personal/etcVMs and pi-hole / VPN and similar qubes before)

Now, found the way to update the DNS white/black lists on pi-hole. Just login on your pi-hole via browser from your CocolatVM (http://IP_of_the_pi-hole_qube/admin/index.php) with User= admin & Pass= your password you got within the pi-hole installation.
Then go Tools > Update Gravity

1 Like

ahh, and one more, I found out:
You indeed will find some advertisings on pages you’re visit. This is a tricky one: this ads are “pictures only” which are stored on the pages you visit (and which are not blocked) and bought to you via the webserver of the page, you visit.
With other words: you can’t block them, cause you would block the entire page. The thing is - click on the banners/ads, and you find out, that it’s redirecting you to pages/servers which were blocked through pi-hole and you simply will see a empty page - or at least the known error page of the browser.

Result: pi-hole is working proper.

(sys-firewall always has to be close to your work/personal/etcVMs and pi-hole / VPN and similar qubes before)

wait i didn’t understand this sentence
It’s not like that ? sorry i am a beginner
sys-net > Net qube (none) (current)

sys-firewall > Net qube : sys-net (current)

ChocolatVM > Net qube : pi-hole (current)

pi-hole >, Net qube : sys-firewall (current)

I must see like this example
sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)

1 Like

to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user

thats exactly what I have and you should test!

thank you very much, I will try again to reinstall everything from scratch and apply everything, just a question allow both link that explains how to install pi-hole which one I must choose for qubes 4.1

I don’t think you need to reinstall all. Just give pi-hole “sys-net” as netVM and sys-firewall “pi-hole” as netVM in Qubes Manager.

this is my file, where I build up my pi-hole:



# This howto will describe how you can setup a pihole NetVM which will 
# use NextDNS DNS-over-TLS as upstream DNS servers.
# It will allow you to filter out most dns spam locally (within Pihole) 
# and use NextDNS cloud services as an additional layer of protection.
# analyzing NextDNS logs you can also see at which point you can improve
# your pihole block lists.

# All commands can be run from dom0.
# Download the script in an AppV:
#    cd ~/
#    wget https://raw.githubusercontent.com/one7two99/my-qubes/master/my-qubes-templates/26-sys-pihole.md
# then from dom0:
qvm-run --pass-io --no-gui YOURAPPVM 'cat ~/26-sys-pihole.md' > sys-pihole.txt

# some variables to keep the setup flexible - change the names here
PiholeVM=sys-pihole
TemplateVM=debian-11-minimal

### Update template
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get update && apt-get upgrade'
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get install \
  qubes-core-agent-networking qubes-menus'
qvm-shutdown $TemplateVM

### create new standalone qube
qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM
qvm-prefs $PiholeVM provides_network true
qvm-service $PiholeVM qubes-firewall on

### tools
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'apt-get install \
  less psmisc nano unzip git curl dnsutils'

### Disable other DNS Resolver
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop systemd-resolved && systemctl disable systemd-resolved'
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'

### Download and install pihole
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole'
qvm-run --auto --user root $PiholeVM "xterm -e 'cd Pi-hole && cd automated\ install && bash basic-install.sh && read'"
# >>> write down login credentials!! <<<

### create file which will be run each time a qubes is started
qvm-run --user=root --pass-io --no-gui $PiholeVM 'mkdir -p /rw/config/network-hooks.d'
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/network-hooks.d/fw-update.sh'"
----------[ begin ]-------------
#!/bin/bash

# Flush the PR-QBS chain
iptables -t nat -F PR-QBS

# Add a rule that redirects all the DNS traffic to localhost:53
iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1

# Enable the traffic coming from the virtual interfaces
# to be forwarded to the loopback interface
# enabling the route_localnet flag on them
find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
----------[ ende ]-------------
qvm-run --user=root --pass-io --no-gui $PiholeVM 'chmod +x /rw/config/network-hooks.d/fw-update.sh'


#### Edit qubes-firewall-user-script
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/qubes-firewall-user-script'"
----------[ begin ]-------------
#!/bin/sh

# This script is called at AppVM boot if this AppVM has the qubes-firewall
# service enabled. It is executed after the empty chains for the Qubes firewall
# are created, but before rules for attached qubes are processed and inserted.
#
# It is a good place for custom rules and actions that should occur when the
# firewall service is started.
#
# Executable scripts located in /rw/config/qubes-firewall.d are executed
# immediately before this qubes-firewall-user-script.

# Allow access to Pihole WebGUI from AppVMs
iptables -I INPUT -s 10.137.0.0/24 -j ACCEPT
# Allow access to Pihole WebGUI from DispableVMs
iptables -I INPUT -s 10.138.0.0/16 -j ACCEPT

# Add a rule that accepts the traffic coming to localhost
# from XEN's virtual interfaces on port 53
iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
----------[ end ]-------------


# check firewall config
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v'
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v -nat'

# Anpassung DNSmasg
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/dnsmasq.conf'"
# change file to:
interface=lo
bind-interfaces
conf-dir=/etc/dnsmasq.d

### Setup unbound with NextDNS.io-over-TLS
See: https://blog.cyclemap.link/2020-01-11-unbound
# Install & Enable unbound
qvm-run --pass-io --no-gui --user root $PiholeVM 'apt-get install -y unbound && \
   systemctl enable unbound'

# Configure Unbound to use your NextDNS configuration
qvm-run --user root $PiholeVM 'mkdir -p /etc/unbound/unbound.conf.d'
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/unbound/unbound.conf.d/pihole.conf'"
----------[ begin ]-------------
### Unbound configuration file
### /etc/unbound/unbound.conf.d/pihole.conf

### DNS-over-TLS
server:
    port: 5300
    tls-upstream: yes                                          
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # insert DNS settings for unbound from NextDNS.io page
  # Login at NextDNS and then scroll down on the Setup-page
  forward-addr: 45.90.28.0#<YOURNEXTDNSCONFIGID>.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#<YOURNEXTDNSCONFIGID>.dns1.nextdns.io
  forward-addr: 45.90.30.0#<YOURNEXTDNSCONFIGID>.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#<YOURNEXTDNSCONFIGID>.dns2.nextdns.io
----------[ end ]-------------


### Update keys
qvm-run --pass-io --no-gui --user root $PiholeVM 'update-ca-certificates'
qvm-run --pass-io --no-gui --user root $PiholeVM 'sudo -u unbound unbound-anchor'
qvm-run --pass-io --no-gui --user root $PiholeVM 'systemctl restart unbound'


### reboot
qvm-shutdown $PiholeVM 
qvm-service $PiholeVM disable-dns-server on
qvm-prefs $PiholeVM provides_network true

### finalize installation
# Set the Pihole-Qube as NetVM
# Open up a browser in an AppVM and connect to the Pihole IP
# http://<YOURPIHOLEIP>/admin/settings.php?tab=dns
# Disable Upstream DNS Servers (on the left)
# Enable Upstream DNS Servers (on the right)
#    [X] Custom 1 (IPv4)
#    127.0.0.1#5300
# Scroll down and enable DNSSEC
#    [X] Use DNSSEC

# Add blocklists via http://<YOURPIHOLEIP>/admin/groups-adists.php
# You can use my list of blocklists (scroll down)
# This will add up to ~3.000.000 domains which will be blocked :-)
# Update blocklists via http://<YOURPIHOLEIP>/admin/gravity.php

#----[begin blocklists]-----
# Migrated from /etc/pihole/adlists.list
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

# No Google - https://github.com/nickspaargaren/no-google/blob/master/README.md
https://raw.githubusercontent.com/nickspaargaren/no-google/master/pihole-google.txt

# Suspicious Lists - https://firebog.net	
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt
https://someonewhocares.org/hosts/zero/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts
https://winhelp2002.mvps.org/hosts.txt
https://v.firebog.net/hosts/neohostsbasic.txt
https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt
https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt
	
# Advertising List - https://firebog.net/
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Admiral.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://v.firebog.net/hosts/Easylist.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts

# Tracking & Telemetry List - https://firebog.net
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt

# Malicious List - https://firebog.net
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://v.firebog.net/hosts/Prigent-Crypto.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
https://urlhaus.abuse.ch/downloads/hostfile/
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Shalla-mal.txt

# Other List - https://firebog.net
https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list
https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt

# Amazon - https://github.com/bloodhunterd/Pi-hole-Blocklists
https://github.com/bloodhunterd/Pi-hole-Blocklists/blob/master/Amazon.txt

# NoTrack - https://gitlab.com/quidsup/notrack-blocklists
https://gitlab.com/quidsup/notrack-blocklists/-/blob/master/notrack-blocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/-/blob/master/notrack-malware.txt

# Energized Ultimate - https://github.com/EnergizedProtection/block/blob/master/README.md
https://block.energized.pro/ultimate/formats/hosts.txt

# GoodbyeAds -https://github.com/jerryn70/GoodbyeAds/tree/master/Formats
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-AdBlock-Filter.txt
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-Ultra-AdBlock-Filter.txt
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-YouTube-AdBlock-Filter.txt

# Energized Regional Extension - https://energized.pro/#download
https://block.energized.pro/extensions/regional/formats/domains.txt
3 Likes

I take into account the last message or the penultimate by this aue it is not the same

TheGardner

to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user

TheGardner

thats exactly what I have and you should test!

Does your Pi-Hole Query Log show any data? I more or less followed the instructions in “PiHole Cloudflared” ( without using Cloudflare), but the Query Log in my pi-hole vm is showing no data while the pi-hole on my router is logging every request.

hi ephile
it’s very complicated for me, because I used the two tutorials together but it doesn’t work, I have to redo everything properly.

Thanks for posting this file. I started from scratch and replaced the “PiHole Cloudflared” instructions with commands from this file whenever they differed (ignoring Cloudflare and Unbound) and now have a working Pi-hole vm in 4.1.

Looking at iptables -L -v and netstat -antpu I cannot tell any real difference between the two setups, but for some reason only TheGardner’s setup works. It does seem that the issue may be in step 9 “Copy and Paste following-” of the Cloudflared instructions, since that’s the only place they differed wrt Pi-hole.

I’m starting from zero, so I changed,

PiholeVM=sys-pidns2
TemplateVM=debian-10-minimal

in

PiholeVM=sys-pidns2
TemplateVM=debian-11-minimal

I what should I change PiholeVM=sys-pidns2 ?

and also in, ### create new standalone qube

when I do
qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM

i have this message

[lovely@dom0 ~]$ qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM
usage: qvm-create [--verbose] [--quiet] [--help] [--class CLS] [--standalone] [--disp]
                  [--property NAME=VALUE] [--pool VOLUME_NAME=POOL_NAME] [-P POOL_NAME]
                  [--template VALUE] [--label VALUE] [--help-classes]
                  [--root-copy-from FILENAME | --root-move-from FILENAME]
                  [VMNAME]
qvm-create: error: argument --template/-t: expected one argument
[lovely@dom0 ~]$ 

and what happens, if you use:

qvm-create --template debian-11-minimal --class StandaloneVM --label red sys-pidns2

PS.: You also can use sys-pihole instead of using sys-pidns2 if you are more comfortable with it.

thank you for your help, I will continue the installation, just to confirm something, I installed debian-template-minimal, following https://www.qubes-os.org/doc/templates/minimal/ but I must install what extension needed for the pi-hole machine, among `

pciutils 
vim-minimal 
less psmisc 
gnome-keyring
Audio: pulseaudio-qubes
qubes-core-agent-networking
qubes-core-agent-networking
qubes-agent-dom0-updates
qubes-core-agent-networking
qubes-core-agent-network-manager
tcpdump telnet
nmap ncat.
qubes-usb-proxy
qubes-input-proxy-sender
default-mgmt-dvm: requires 
qubes-core-agent-passwordless-root
qubes-mgmt-salt-vm-connector
qubes-core-agent
qubes-core-agent-nautilus
qubes-core-agent-thunar
qubes-core-agent-dom0-updates
qubes-menus
qubes-desktop-linux-common
qubes-gpg-split
qubes-u2f
qubes-pdf-converter
qubes-img-converter
qubes-thunderbird
qubes-app-shutdown-idle: 
qubes-mgmt-salt-vm-connector
`

i’m blocked on

qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'

[lovely@dom0 ~]$ qvm-run --user root --pass-io --no-gui PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'
Failed to stop resolvconf.service: Unit resolvconf.service not loaded.

looks like your resolvconf isn’t/wasn’t running and so you get that error message.
You should move on with:

qvm-run --user root --pass-io --no-gui PiholeVM 'systemctl disable resolvconf'

Any message again?

Thank you, I will continue with the installation.