I decided to try PiHole as a DNS sinkhole. Here I logged how I set up my Raspberry Pi 3 with ArchLinux to run it.

The idea is to have a way to block advertisements and trackers on my entire network. uBlock Origin is a great browser plugin that blocks those things on web pages, but I am lazy and want a solution that also works for my laptop, my phone, and guests’ devices. And that’s what PiHole tries to do.

Raspberry Pi 3

I have an old Raspberry Pi 3 B+ that is now unused. Here is how I set it up to use PiHole.

System set up

Raspberry

This part is just setting up a new computer, so there is not much to discuss here:

  • follow the installation instructions, with the AArch64 thingy.
  • update the system
  • user configuration
    • change the alarm user’s password to something better
    • change the root password to something better
    • allow the alarm user to run things with sudo
  • system configuration
    • install vim, tmux and base-devel
    • set up ssh
      • allow only ssh keys
      • disable root login
      • generate and enable a new ssh key
    • change GPU memory to 16 MB
    • set up hardware RNG (I like randomness)
      • remove haveged
      • install rng-tools and configure it:
      $ cat /etc/conf.d/rngd
      RNGD_OPTS="-o /dev/random -r /dev/hwrng"
      
      • entropy increased from ~3700 to ~4000
      • can read from /dev/random at ~71 MB/s:
      $ dd if=/dev/random of=/dev/null bs=1024 count=500000 iflag=fullblock
      500000+0 records in
      500000+0 records out
      512000000 bytes (512 MB, 488 MiB) copied, 7.19274 s, 71.2 MB/s
      
    • set up time and timezone
    • move to permanent location
    • set up fixed IP address with systemd-networkd
    • set up en_US.UTF-8 locale
    • install yay, configure pacman
    • install raspberrypi-userland-aarch64-git (AUR)

Some nice commands to run after everything is in place, just because:

$ uname -a
Linux alarm 5.8.0-1-ARCH #1 SMP Sun Aug 9 00:03:44 UTC 2020 aarch64 GNU/Linux

$ lscpu
Architecture:                    aarch64
CPU op-mode(s):                  32-bit, 64-bit
Byte Order:                      Little Endian
CPU(s):                          4
On-line CPU(s) list:             0-3
Thread(s) per core:              1
Core(s) per socket:              4
Socket(s):                       1
Vendor ID:                       ARM
Model:                           4
Model name:                      Cortex-A53
Stepping:                        r0p4
CPU max MHz:                     1200.0000
CPU min MHz:                     600.0000
BogoMIPS:                        38.40
Vulnerability Itlb multihit:     Not affected
Vulnerability L1tf:              Not affected
Vulnerability Mds:               Not affected
Vulnerability Meltdown:          Not affected
Vulnerability Spec store bypass: Not affected
Vulnerability Spectre v1:        Mitigation; __user pointer sanitization
Vulnerability Spectre v2:        Not affected
Vulnerability Srbds:             Not affected
Vulnerability Tsx async abort:   Not affected
Flags:                           fp asimd evtstrm crc32 cpuid

$ free -h
          total      used      free      shared  buff/cache   available
Mem:      899Mi      76Mi      41Mi       0.0Ki  781Mi        808Mi

And this system needs almost 19 seconds to boot:

$ systemd-analyze
Startup finished in 7.670s (kernel) + 10.919s (userspace) = 18.590s
graphical.target reached after 10.904s in userspace

It takes roughly 3 times longer than my 5-year-old x86_64 laptop.

PiHole

Following the instructions in ArchWiki:

  1. install pihole-server: yay -S pi-hole-server
  2. install php things: pacman -S php-sqlite and enable the necessary extensions
  3. install lighttpd and php-cgi for the web interface
  4. enable/start pihole-FTL.service and lighttpd.service
  5. configure /etc/pihole/pihole-FTL.conf:
    • change DBINTERVAL to 60.0 to minimize writes to the SD card
  6. set up DoH (DNS over HTTPS):
    • $ yay -S cloudflared
    • add some IPv6 entries in /etc/cloudflared/cloudflared.yml
    • start/enable cloudflared.service
    • in the web settings page:
      • disable all DNS servers and use 127.0.0.1#5300 only
      • enable DNSSEC
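Added here as a worked check, not part of the original post: a small POSIX shell script that confirms the resolver chain from steps 1 to 6 actually behaves as intended (cloudflared answering on port 5300, Pi-hole sinkholing a listed name, and DNSSEC validation rejecting a bogus zone). It assumes `dig` is installed (the bind package on Arch), Pi-hole listening on 127.0.0.1:53 and cloudflared on 127.0.0.1:5300; BLOCKED_NAME is a placeholder you must point at a domain that is on your blocklist.

```shell
#!/bin/sh
# Added verification script, not from the post or the Pi-hole project.
# Checks: Pi-hole (pihole-FTL) on 127.0.0.1:53 -> cloudflared DoH proxy on
# 127.0.0.1:5300 (the "127.0.0.1#5300" upstream), with DNSSEC enabled.
# Assumes `dig` is available. BLOCKED_NAME is a placeholder; set it to a
# domain that appears on your Pi-hole blocklist.
PIHOLE_IP=${PIHOLE_IP:-127.0.0.1}
DOH_PORT=${DOH_PORT:-5300}
BLOCKED_NAME=${BLOCKED_NAME:-blocked.example}   # placeholder, edit me

# Pi-hole's default blocking mode answers 0.0.0.0 (A) or :: (AAAA).
is_sinkholed() {
    case "$1" in 0.0.0.0|::) return 0 ;; *) return 1 ;; esac
}

# dig prints "flags: qr rd ra ad;" only when the resolver validated DNSSEC.
has_ad_flag() {
    printf '%s\n' "$1" | grep -q '^;; flags:.* ad[ ;]'
}

# Extract the RCODE (NOERROR, SERVFAIL, NXDOMAIN ...) from dig's header line.
dig_status() {
    printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p'
}

report() { printf '%-34s %s\n' "$1" "$2"; }

run_checks() {
    # 1. cloudflared alone must answer on the DoH proxy port.
    ans=$(dig @"$PIHOLE_IP" -p "$DOH_PORT" cloudflare.com A +short)
    [ -n "$ans" ] && report "cloudflared on port $DOH_PORT" OK \
                  || report "cloudflared on port $DOH_PORT" FAIL
    # 2. Pi-hole must sinkhole a listed domain instead of forwarding it.
    ans=$(dig @"$PIHOLE_IP" "$BLOCKED_NAME" A +short)
    is_sinkholed "$ans" && report "blocklist ($BLOCKED_NAME)" OK \
                        || report "blocklist ($BLOCKED_NAME)" "FAIL ($ans)"
    # 3. A signed zone must come back with the AD flag set ...
    out=$(dig @"$PIHOLE_IP" cloudflare.com A +dnssec)
    has_ad_flag "$out" && report "DNSSEC validation (ad flag)" OK \
                       || report "DNSSEC validation (ad flag)" FAIL
    # ... and a deliberately broken zone must be refused with SERVFAIL.
    out=$(dig @"$PIHOLE_IP" dnssec-failed.org A)
    [ "$(dig_status "$out")" = SERVFAIL ] && report "DNSSEC bogus rejected" OK \
                                         || report "DNSSEC bogus rejected" FAIL
}

# Live checks run only when invoked as: sh check-pihole.sh run
if [ "${1:-}" = run ]; then run_checks; fi
```

If the AD-flag check fails while the SERVFAIL check passes, the usual cause is that DNSSEC was enabled in Pi-hole but the upstream (cloudflared) is not being asked for DNSSEC records; compare with a direct query against port 5300.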

Router

I have a very low-quality modem/router from my ISP. It randomly resets the admin password; hopefully it will retain my custom DNS/DHCP configuration. The only configuration needed is to set the Raspberry Pi as the only DNS server in the DHCP settings. This was the most “complicated”/boring part of the setup, mainly because I had to reset the modem to log in.

My thoughts so far

My SD card is slow as hell. It takes forever to update something and/or move data in it. Maybe I got used to my laptop with a good SSD and everything slower became a headache? Or maybe the combination of a medium quality, old SD card plus a Raspberry Pi is indeed slow.

The fan I added to the rasp is very noisy. That is annoying and I will probably turn it off. I should monitor the temperature under high load to see if it needs active cooling. It shouldn’t need it, but I have a 3D-printed case, so air circulation is limited.

AArch64 support is still crappy. This is the most disappointing thing I noticed. Years of the product being on the market and yet no decent support. I expected more from the Raspberry Foundation.

PiHole is more efficient than I previously thought. Usually I have two or three devices connected to my network, and the Pi shows the total RAM usage is about 150 MiB (~15% of the total). The load average is below 0.1. I’m impressed.

It took me about two days to set this thing up. Well, not exactly whole days: a more precise description would be around 2.5 evenings, with some breaks. Was it worth it? Using a Raspberry for something is better than using a Raspberry to collect dust on a shelf. So, probably worth it, although I wouldn’t recommend buying a rasp for this.