Hoerli's Pi-Hole DNS-Server

Beitrag von **Hoerli** » Sa 25. Jan 2020, 23:27

Ich habe mehrere Server online, welche mit einem Pi-Hole ausgestattet sind.
Den Beitrag mit allen Infos gibts hier: https://hoerli.net/hoerlis-pi-holes-fuers-internet/

Dieser Thread ist lediglich für alle da, die sich gerne einmal die Config anschauen möchten, die von mir noch verändert wurde.

Die nginx-Config:

Code: Alles auswählen

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log off;
	# access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log crit;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


stream {
include /etc/nginx/streams/*;
}

Die Config für das Webinterface eines Pi-Holes:

Code: Alles auswählen

server {
        listen 8080;
        listen [::]:8080;

        root /var/www/html;
        autoindex off;

        index pihole/index.php index.php index.html index.htm;

        location / {
                expires max;
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                include snippets/fastcgi-php.conf;
                fastcgi_pass unix:/run/php/php7.3-fpm.sock;
                fastcgi_param FQDN true;
                #auth_basic "Restricted"; #For Basic Auth
                #auth_basic_user_file /etc/nginx/.htpasswd;  #For Basic Auth
        }

        location /*.js {
                index pihole/index.js;
                #auth_basic "Restricted"; #For Basic Auth
                #auth_basic_user_file /etc/nginx/.htpasswd;  #For Basic Auth
        }

        location /admin {
                root /var/www/html;
                index index.php index.html index.htm;
                #auth_basic "Restricted"; #For Basic Auth
                #auth_basic_user_file /etc/nginx/.htpasswd;  #For Basic Auth
        }

        location ~ /\.ht {
                deny all;
        }
}

Die Config für den Webzugang:

Code: Alles auswählen

server {
  listen 80;
  listen [::]:80;
  server_name pihole.hoerli.net;
  
  return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name pihole.hoerli.net;
    index   index.php;
    auth_basic "Pihole Adminarea";
    auth_basic_user_file /PFAD/ZUR/DATEI;

    location ^~ / {
      auth_basic "Pihole Adminarea";
      auth_basic_user_file /etc/nginx/passwd/pihole;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header Host $host;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_pass http://127.0.0.1:8080/admin/;
      proxy_read_timeout 90;
    }



    ssl_certificate /etc/letsencrypt/live/pihole.hoerli.net/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/pihole.hoerli.net/privkey.pem; # managed by Certbot
}

Die Config wurde angelegt, um den Zugang zum Webinterface etwas sicherer zu machen.

Genutzte DNS-Server (dns-servers.conf):

Code: Alles auswählen

Google (ECS);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered + ECS);9.9.9.11;149.112.112.11;2620:fe::11;
Cloudflare;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001

Log-Level (pihole-FTL.conf):

Code: Alles auswählen

PRIVACYLEVEL=4

Pi-Hole-Config im Gesamtpaket (setupVars.conf):

Code: Alles auswählen

PIHOLE_INTERFACE=LAN-Interface
IPV4_ADDRESS=IP-des-Servers
IPV6_ADDRESS=IP-des-Servers
QUERY_LOGGING=false
INSTALL_WEB_SERVER=false
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=false
WEBPASSWORD=SuperSichererHashWertFürDasPasswort
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
PIHOLE_DNS_3=2001:4860:4860:0:0:0:0:8888
PIHOLE_DNS_4=2001:4860:4860:0:0:0:0:8844
PIHOLE_DNS_5=208.67.222.222
PIHOLE_DNS_6=208.67.220.220
PIHOLE_DNS_7=2620:119:35::35
PIHOLE_DNS_8=2620:119:53::53
PIHOLE_DNS_9=4.2.2.1
PIHOLE_DNS_10=4.2.2.2
PIHOLE_DNS_11=8.26.56.26
PIHOLE_DNS_12=8.20.247.20
PIHOLE_DNS_13=84.200.69.80
PIHOLE_DNS_14=84.200.70.40
PIHOLE_DNS_15=2001:1608:10:25:0:0:1c04:b12f
PIHOLE_DNS_16=2001:1608:10:25:0:0:9249:d69b
PIHOLE_DNS_17=9.9.9.9
PIHOLE_DNS_18=149.112.112.112
PIHOLE_DNS_19=2620:fe::fe
PIHOLE_DNS_20=2620:fe::9
PIHOLE_DNS_21=9.9.9.10
PIHOLE_DNS_22=149.112.112.10
PIHOLE_DNS_23=2620:fe::10
PIHOLE_DNS_24=2620:fe::fe:10
PIHOLE_DNS_25=9.9.9.11
PIHOLE_DNS_26=149.112.112.11
PIHOLE_DNS_27=2620:fe::11
PIHOLE_DNS_28=1.1.1.1
PIHOLE_DNS_29=1.0.0.1
PIHOLE_DNS_30=2606:4700:4700::1111
PIHOLE_DNS_31=2606:4700:4700::1001
PIHOLE_DNS_32=80.80.80.80#53
DNS_FQDN_REQUIRED=true
DNS_BOGUS_PRIV=true
DNSSEC=true
CONDITIONAL_FORWARDING=false
BLOCKING_ENABLED=true

Die Config des DoT-Dienstes für nginx:
/etc/nginx/streams/dns-over-tls

Code: Alles auswählen

upstream dns-servers {
server Lokales-Pihole;
server weiterer-server;
server weiterer-server2;
}
server {
listen 853 ssl; # managed by Certbot
ssl_certificate /etc/letsencrypt/live/pihole.hoerli.net/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/pihole.hoerli.net/privkey.pem; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams-2048.pem; # managed by Certbot
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers HIGH:!aNULL:!MD5;

ssl_handshake_timeout 10s;
ssl_session_cache shared:SSL:20m;
ssl_session_timeout 4h;
proxy_pass dns-servers;
}

Filterlisten (Stand 01.2020)

Code: Alles auswählen

https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts
https://mirror1.malwaredomains.com/files/justdomains
http://sysctl.org/cameleon/hosts
https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist
https://s3.amazonaws.com/lists.disconnect.me/simple_tracking.txt
https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt
https://hosts-file.net/ad_servers.txt
https://pgl.yoyo.org/adservers/serverlist.php?hostformat=hosts&showintro=1&mimetype=plaintext&_=211989
http://www.malwaredomainlist.com/hostslist/hosts.txt
https://www.squidblacklist.org/downloads/dg-ads.acl
https://ransomwaretracker.abuse.ch/downloads/RW_URLBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_IPBL.txt
https://ransomwaretracker.abuse.ch/downloads/RW_DOMBL.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/firewall/spy.txt
https://gist.githubusercontent.com/Perflyst/315f86393712a0c2107ee8eb58c6acee/raw/4aaa7e9c76815a8a5a2de8c3ef42d21b1f06c6b8/Samsung%2520Smart-TV%2520Blocklist%2520Adlist%2520(for%2520PiHole)
https://raw.githubusercontent.com/imkarthikk/pihole-facebook/master/pihole-facebook.txt
https://raw.githubusercontent.com/Cauchon/NSABlocklist-pi-hole-edition/master/Trackers/trackers.txt
https://raw.githubusercontent.com/Cauchon/NSABlocklist-pi-hole-edition/master/Trackers/webrtc%20tracking.txt
https://raw.githubusercontent.com/Cauchon/NSABlocklist-pi-hole-edition/master/Trackers/canvas%20fingerprinting%20pages.txt
https://raw.githubusercontent.com/Cauchon/NSABlocklist-pi-hole-edition/master/Trackers/audio%20fingerporint%20pages.txt
https://raw.githubusercontent.com/Cauchon/NSABlocklist-pi-hole-edition/master/Trackers/Canvas%20font%20fingerprinting.txt
https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt
https://raw.githubusercontent.com/EnergizedProtection/block/master/basic/formats/hosts
https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt
https://raw.githubusercontent.com/Hoerli1337/nVidiaAntiSpy/master/list.txt
https://raw.githubusercontent.com/HenningVanRaumle/pihole-ytadblock/master/ytadblock.txt
https://paste1.nsa2go.de/paste.php?raw&id=36
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/adblock
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/amazon
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/axel-springer
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/facebook
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/gaming
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/nvidia
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/stuff
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/google
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/twitch
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/soundcloud
https://raw.githubusercontent.com/RPiList/specials/master/notserious
https://raw.githubusercontent.com/StevenBlack/hosts/master/alternates/fakenews/hosts
https://raw.githubusercontent.com/AdroitAdorKhan/EnergizedProtection/master/core/hosts-xtreme
https://hosts-file.net/emd.txt
http://winhelp2002.mvps.org/hosts.txt
https://adaway.org/hosts.txt
https://raw.githubusercontent.com/TheBlockList/Blocklist/master/huawei
https://gitlab.com/quidsup/notrack-blocklists/blob/master/notrack-malware.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-malware.txt
https://raw.githubusercontent.com/RPiList/specials/master/Win10Telemetry

Mehr wurde nicht verändert.

Beitrag von **Hoerli** » Sa 25. Jan 2020, 23:34

Server 1:
Hostname: pihole.hoerli.net
IPv4: 5.9.63.240
IPv6: -
Port: 30000
DoT-Adresse: pihole.hoerli.net
Standort: Deutschland – Frankfurt

Server 2:
Hostname: pihole2.hoerli.net
IPv4: 54.37.90.222
IPv6: -
Port: 53
DoT-Adresse: pihole2.hoerli.net
Standort: Deutschland – Frankfurt

Server 3:
Hostname: pihole3.hoerli.net
IPv4: 74.208.41.31
IPv6: 2607:f1c0

37::1
Port: 53
DoT-Adresse: pihole3.hoerli.net
Standort: USA – New York

Beitrag von **Hoerli** » Sa 25. Jan 2020, 23:45

Hier ist eine Liste für das DNS Benchmark Tool von GRC.
https://www.grc.com/dns/benchmark.htm

INI-Datei:

Hoerlis-Piholes-DNS-Benchmark-List.zip: Stand: 25.01.2020; (278 Bytes) 517-mal heruntergeladen

(Pi-Hole 1 kann nicht getestet werden, da Port 30000 genutzt wird.)

Hoerli's Pi-Hole DNS-Server

Hoerli's Pi-Hole DNS-Server

Die aktuellen Pi-Hole DNS-Server im Internet

Teste die Server