Pi-hole configuration qubes os 4.1

(sys-firewall always has to be close to your work/personal/etcVMs and pi-hole / VPN and similar qubes before)

wait i didn’t understand this sentence
It’s not like that ? sorry i am a beginner
sys-net > Net qube (none) (current)

sys-firewall > Net qube : sys-net (current)

ChocolatVM > Net qube : pi-hole (current)

pi-hole >, Net qube : sys-firewall (current)

I must see like this example
sys-net > Net qube (none) (current)
pi-hole >, Net qube : sys-net (current)
sys-firewall > Net qube : pi-hole (current)
ChocolatVM > Net qube : sys-firewall (current)

1 Like

to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user

thats exactly what I have and you should test!

thank you very much, I will try again to reinstall everything from scratch and apply everything, just a question allow both link that explains how to install pi-hole which one I must choose for qubes 4.1

I don’t think you need to reinstall all. Just give pi-hole “sys-net” as netVM and sys-firewall “pi-hole” as netVM in Qubes Manager.

this is my file, where I build up my pi-hole:



# This howto will describe how you can setup a pihole NetVM which will 
# use NextDNS DNS-over-TLS as upstream DNS servers.
# It will allow you to filter out most dns spam locally (within Pihole) 
# and use NextDNS cloud services as an additional layer of protection.
# analyzing NextDNS logs you can also see at which point you can improve
# your pihole block lists.

# All commands can be run from dom0.
# Download the script in an AppV:
#    cd ~/
#    wget https://raw.githubusercontent.com/one7two99/my-qubes/master/my-qubes-templates/26-sys-pihole.md
# then from dom0:
qvm-run --pass-io --no-gui YOURAPPVM 'cat ~/26-sys-pihole.md' > sys-pihole.txt

# some variables to keep the setup flexible - change the names here
PiholeVM=sys-pihole
TemplateVM=debian-11-minimal

### Update template
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get update && apt-get upgrade'
qvm-run --auto --user root --pass-io --no-gui $TemplateVM 'apt-get install \
  qubes-core-agent-networking qubes-menus'
qvm-shutdown $TemplateVM

### create new standalone qube
qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM
qvm-prefs $PiholeVM provides_network true
qvm-service $PiholeVM qubes-firewall on

### tools
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'apt-get install \
  less psmisc nano unzip git curl dnsutils'

### Disable other DNS Resolver
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop systemd-resolved && systemctl disable systemd-resolved'
qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'

### Download and install pihole
qvm-run --auto --user root --pass-io --no-gui $PiholeVM 'git clone --depth 1 https://github.com/pi-hole/pi-hole.git Pi-hole'
qvm-run --auto --user root $PiholeVM "xterm -e 'cd Pi-hole && cd automated\ install && bash basic-install.sh && read'"
# >>> write down login credentials!! <<<

### create file which will be run each time a qubes is started
qvm-run --user=root --pass-io --no-gui $PiholeVM 'mkdir -p /rw/config/network-hooks.d'
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/network-hooks.d/fw-update.sh'"
----------[ begin ]-------------
#!/bin/bash

# Flush the PR-QBS chain
iptables -t nat -F PR-QBS

# Add a rule that redirects all the DNS traffic to localhost:53
iptables -t nat -I PR-QBS -i vif+ -p udp --dport 53 -j DNAT --to-destination 127.0.0.1

# Enable the traffic coming from the virtual interfaces
# to be forwarded to the loopback interface
# enabling the route_localnet flag on them
find /proc/sys/net/ipv4/conf -name "vif*" -exec bash -c 'echo 1 | sudo tee {}/route_localnet' \;
----------[ ende ]-------------
qvm-run --user=root --pass-io --no-gui $PiholeVM 'chmod +x /rw/config/network-hooks.d/fw-update.sh'


#### Edit qubes-firewall-user-script
qvm-run --user=root $PiholeVM "xterm -e 'nano /rw/config/qubes-firewall-user-script'"
----------[ begin ]-------------
#!/bin/sh

# This script is called at AppVM boot if this AppVM has the qubes-firewall
# service enabled. It is executed after the empty chains for the Qubes firewall
# are created, but before rules for attached qubes are processed and inserted.
#
# It is a good place for custom rules and actions that should occur when the
# firewall service is started.
#
# Executable scripts located in /rw/config/qubes-firewall.d are executed
# immediately before this qubes-firewall-user-script.

# Allow access to Pihole WebGUI from AppVMs
iptables -I INPUT -s 10.137.0.0/24 -j ACCEPT
# Allow access to Pihole WebGUI from DispableVMs
iptables -I INPUT -s 10.138.0.0/16 -j ACCEPT

# Add a rule that accepts the traffic coming to localhost
# from XEN's virtual interfaces on port 53
iptables -I INPUT -i vif+ -p udp --dport 53 -d 127.0.0.1 -j ACCEPT
----------[ end ]-------------


# check firewall config
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v'
qvm-run --user root --pass-io --no-gui $PiholeVM 'iptables -L -v -nat'

# Anpassung DNSmasg
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/dnsmasq.conf'"
# change file to:
interface=lo
bind-interfaces
conf-dir=/etc/dnsmasq.d

### Setup unbound with NextDNS.io-over-TLS
See: https://blog.cyclemap.link/2020-01-11-unbound
# Install & Enable unbound
qvm-run --pass-io --no-gui --user root $PiholeVM 'apt-get install -y unbound && \
   systemctl enable unbound'

# Configure Unbound to use your NextDNS configuration
qvm-run --user root $PiholeVM 'mkdir -p /etc/unbound/unbound.conf.d'
qvm-run --user root $PiholeVM "xterm -e 'nano /etc/unbound/unbound.conf.d/pihole.conf'"
----------[ begin ]-------------
### Unbound configuration file
### /etc/unbound/unbound.conf.d/pihole.conf

### DNS-over-TLS
server:
    port: 5300
    tls-upstream: yes                                          
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

forward-zone:
  name: "."
  forward-tls-upstream: yes
  # insert DNS settings for unbound from NextDNS.io page
  # Login at NextDNS and then scroll down on the Setup-page
  forward-addr: 45.90.28.0#<YOURNEXTDNSCONFIGID>.dns1.nextdns.io
  forward-addr: 2a07:a8c0::#<YOURNEXTDNSCONFIGID>.dns1.nextdns.io
  forward-addr: 45.90.30.0#<YOURNEXTDNSCONFIGID>.dns2.nextdns.io
  forward-addr: 2a07:a8c1::#<YOURNEXTDNSCONFIGID>.dns2.nextdns.io
----------[ end ]-------------


### Update keys
qvm-run --pass-io --no-gui --user root $PiholeVM 'update-ca-certificates'
qvm-run --pass-io --no-gui --user root $PiholeVM 'sudo -u unbound unbound-anchor'
qvm-run --pass-io --no-gui --user root $PiholeVM 'systemctl restart unbound'


### reboot
qvm-shutdown $PiholeVM 
qvm-service $PiholeVM disable-dns-server on
qvm-prefs $PiholeVM provides_network true

### finalize installation
# Set the Pihole-Qube as NetVM
# Open up a browser in an AppVM and connect to the Pihole IP
# http://<YOURPIHOLEIP>/admin/settings.php?tab=dns
# Disable Upstream DNS Servers (on the left)
# Enable Upstream DNS Servers (on the right)
#    [X] Custom 1 (IPv4)
#    127.0.0.1#5300
# Scroll down and enable DNSSEC
#    [X] Use DNSSEC

# Add blocklists via http://<YOURPIHOLEIP>/admin/groups-adists.php
# You can use my list of blocklists (scroll down)
# This will add up to ~3.000.000 domains which will be blocked :-)
# Update blocklists via http://<YOURPIHOLEIP>/admin/gravity.php

#----[begin blocklists]-----
# Migrated from /etc/pihole/adlists.list
https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

# No Google - https://github.com/nickspaargaren/no-google/blob/master/README.md
https://raw.githubusercontent.com/nickspaargaren/no-google/master/pihole-google.txt

# Suspicious Lists - https://firebog.net	
https://raw.githubusercontent.com/PolishFiltersTeam/KADhosts/master/KADhosts.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Spam/hosts
https://v.firebog.net/hosts/static/w3kbl.txt
https://raw.githubusercontent.com/matomo-org/referrer-spam-blacklist/master/spammers.txt
https://someonewhocares.org/hosts/zero/hosts
https://raw.githubusercontent.com/VeleSila/yhosts/master/hosts
https://winhelp2002.mvps.org/hosts.txt
https://v.firebog.net/hosts/neohostsbasic.txt
https://raw.githubusercontent.com/RooneyMcNibNug/pihole-stuff/master/SNAFU.txt
https://paulgb.github.io/BarbBlock/blacklists/hosts-file.txt
	
# Advertising List - https://firebog.net/
https://adaway.org/hosts.txt
https://v.firebog.net/hosts/AdguardDNS.txt
https://v.firebog.net/hosts/Admiral.txt
https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://v.firebog.net/hosts/Easylist.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=0&mimetype=plaintext
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/UncheckyAds/hosts
https://raw.githubusercontent.com/bigdargon/hostsVN/master/hosts
https://raw.githubusercontent.com/jdlingyu/ad-wars/master/hosts

# Tracking & Telemetry List - https://firebog.net
https://v.firebog.net/hosts/Easyprivacy.txt
https://v.firebog.net/hosts/Prigent-Ads.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.2o7Net/hosts
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://hostfiles.frogeye.fr/firstparty-trackers-hosts.txt
https://hostfiles.frogeye.fr/multiparty-trackers-hosts.txt
https://www.github.developerdan.com/hosts/lists/ads-and-tracking-extended.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/SmartTV.txt
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/AmazonFireTV.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt

# Malicious List - https://firebog.net
https://raw.githubusercontent.com/DandelionSprout/adfilt/master/Alternate%20versions%20Anti-Malware%20List/AntiMalwareHosts.txt
https://osint.digitalside.it/Threat-Intel/lists/latestdomains.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_malvertising.txt
https://v.firebog.net/hosts/Prigent-Crypto.txt
https://bitbucket.org/ethanr/dns-blacklists/raw/8575c9f96e5b4a1308f2f12394abd86d0927a4a0/bad_lists/Mandiant_APT1_Report_Appendix_D.txt
https://phishing.army/download/phishing_army_blocklist_extended.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://raw.githubusercontent.com/Spam404/lists/master/main-blacklist.txt
https://raw.githubusercontent.com/FadeMind/hosts.extras/master/add.Risk/hosts
https://urlhaus.abuse.ch/downloads/hostfile/
https://v.firebog.net/hosts/Prigent-Malware.txt
https://v.firebog.net/hosts/Shalla-mal.txt

# Other List - https://firebog.net
https://zerodot1.gitlab.io/CoinBlockerLists/hosts_browser
https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_all.list
https://raw.githubusercontent.com/chadmayfield/my-pihole-blocklists/master/lists/pi_blocklist_porn_top1m.list
https://raw.githubusercontent.com/anudeepND/blacklist/master/facebook.txt

# Amazon - https://github.com/bloodhunterd/Pi-hole-Blocklists
https://github.com/bloodhunterd/Pi-hole-Blocklists/blob/master/Amazon.txt

# NoTrack - https://gitlab.com/quidsup/notrack-blocklists
https://gitlab.com/quidsup/notrack-blocklists/-/blob/master/notrack-blocklist.txt
https://gitlab.com/quidsup/notrack-blocklists/-/blob/master/notrack-malware.txt

# Energized Ultimate - https://github.com/EnergizedProtection/block/blob/master/README.md
https://block.energized.pro/ultimate/formats/hosts.txt

# GoodbyeAds -https://github.com/jerryn70/GoodbyeAds/tree/master/Formats
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-AdBlock-Filter.txt
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-Ultra-AdBlock-Filter.txt
https://github.com/jerryn70/GoodbyeAds/blob/master/Formats/GoodbyeAds-YouTube-AdBlock-Filter.txt

# Energized Regional Extension - https://energized.pro/#download
https://block.energized.pro/extensions/regional/formats/domains.txt
3 Likes

I take into account the last message or the penultimate by this aue it is not the same

TheGardner

to be more clear I should write it that way:

Internet > sys-net (which has no net qube, because it’s connected to Internet) > pi-hole (which is connected to it’s net qube sys-net) > sys-firewall (which is connected to it’s net qube pi-hole) > ChocolateVM (which is connected to it’s net qube sys-firewall…

in short → internet > sys-net > pi-hole > sys-firewall > ChocolatVM > Qubes OS user

TheGardner

thats exactly what I have and you should test!

Does your Pi-Hole Query Log show any data? I more or less followed the instructions in “PiHole Cloudflared” ( without using Cloudflare), but the Query Log in my pi-hole vm is showing no data while the pi-hole on my router is logging every request.

hi ephile
it’s very complicated for me, because I used the two tutorials together but it doesn’t work, I have to redo everything properly.

Thanks for posting this file. I started from scratch and replaced the “PiHole Cloudflared” instructions with commands from this file whenever they differed (ignoring Cloudflare and Unbound) and now have a working Pi-hole vm in 4.1.

Looking at iptables -L -v and netstat -antpu I cannot tell any real difference between the two setups, but for some reason only TheGardner’s setup works. It does seem that the issue may be in step 9 “Copy and Paste following-” of the Cloudflared instructions, since that’s the only place they differed wrt Pi-hole.

I’m starting from zero, so I changed,

PiholeVM=sys-pidns2
TemplateVM=debian-10-minimal

in

PiholeVM=sys-pidns2
TemplateVM=debian-11-minimal

I what should I change PiholeVM=sys-pidns2 ?

and also in, ### create new standalone qube

when I do
qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM

i have this message

[lovely@dom0 ~]$ qvm-create --template $TemplateVM --class StandaloneVM --label red $PiholeVM
usage: qvm-create [--verbose] [--quiet] [--help] [--class CLS] [--standalone] [--disp]
                  [--property NAME=VALUE] [--pool VOLUME_NAME=POOL_NAME] [-P POOL_NAME]
                  [--template VALUE] [--label VALUE] [--help-classes]
                  [--root-copy-from FILENAME | --root-move-from FILENAME]
                  [VMNAME]
qvm-create: error: argument --template/-t: expected one argument
[lovely@dom0 ~]$ 

and what happens, if you use:

qvm-create --template debian-11-minimal --class StandaloneVM --label red sys-pidns2

PS.: You also can use sys-pihole instead of using sys-pidns2 if you are more comfortable with it.

thank you for your help, I will continue the installation, just to confirm something, I installed debian-template-minimal, following https://www.qubes-os.org/doc/templates/minimal/ but I must install what extension needed for the pi-hole machine, among `

pciutils 
vim-minimal 
less psmisc 
gnome-keyring
Audio: pulseaudio-qubes
qubes-core-agent-networking
qubes-core-agent-networking
qubes-agent-dom0-updates
qubes-core-agent-networking
qubes-core-agent-network-manager
tcpdump telnet
nmap ncat.
qubes-usb-proxy
qubes-input-proxy-sender
default-mgmt-dvm: requires 
qubes-core-agent-passwordless-root
qubes-mgmt-salt-vm-connector
qubes-core-agent
qubes-core-agent-nautilus
qubes-core-agent-thunar
qubes-core-agent-dom0-updates
qubes-menus
qubes-desktop-linux-common
qubes-gpg-split
qubes-u2f
qubes-pdf-converter
qubes-img-converter
qubes-thunderbird
qubes-app-shutdown-idle: 
qubes-mgmt-salt-vm-connector
`

i’m blocked on

qvm-run --user root --pass-io --no-gui $PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'

[lovely@dom0 ~]$ qvm-run --user root --pass-io --no-gui PiholeVM 'systemctl stop resolvconf && systemctl disable resolvconf'
Failed to stop resolvconf.service: Unit resolvconf.service not loaded.

looks like your resolvconf isn’t/wasn’t running and so you get that error message.
You should move on with:

qvm-run --user root --pass-io --no-gui PiholeVM 'systemctl disable resolvconf'

Any message again?

Thank you, I will continue with the installation.

I have the same problem the same message

dex@dom0 ~]$ qvm-run --user root --pass-io --no-gui PiholeVM 'systemctl disable resolvconf'
Failed to disable unit: Unit file resolvconf.service does not exist.

thats okay, so the service is disabled already. You can move on with the other steps

ok thank you