Pi hole plus
MadMisha
(@madmisha)
Member
Joined: 4 years ago
Posts: 340
Posted by: @davee

I agree and sympathise with your feeling that an internal low cost NAS might be a smart move ... and concur the commercial offerings are not compatible with my credit card health ... but think Pi-hole and NAS are a place for as much independence from each other as possible.

If I needed an internet-facing Pi on my network (I am on the edge of deciding this), I would rather have only one. The more you have (this includes all IoT things), the more vulnerable your network is. Having multiple things on the same device causing a problem/security gap is negligible. I also take all the necessary precautions.

That and the cloud would only be backing up basic files. I wouldn't trust it to contain any credit card information. I can reinstall most of my programs easily enough so I don't even care to back them up.

Posted by: @davee

As for Pi-hole, I only looked quickly at its website, but when the memory requirements were discussed I wasn't clear whether they were discussing RAM or EPROM, and whether these requirements included the operating system or were in addition to the operating system. Hence, if someone was looking to buy a 'minimal' Pi, exactly what would you need?

It is referring to RAM. 512 MB is almost nothing these days (and I believe all Pis sold now are above that). I think the barest Pi 4 is double that.

Based on experience, the biggest problem I have run across is finding a good SD card that can actually handle the read/write speeds. I must have missed the warning somewhere. It will work, but you will notice issues popping up here and there. I have finally found one that I like and performs well enough, but I had gone through a few on multiple Pis now (SSDs are amazing though and worth a look into).

Steve Cross
(@steve-cross)
Member
Joined: 3 years ago
Posts: 13
@jbo

Excellent point about the extra adaptors for the Pi Zero. You'd be adding unnecessary potential failure points, and a lot of those adaptors can be pretty flaky at the best of times.

@davee

A Pi 3B (or even earlier as jBo mentioned) would be a very good choice. Also, get a high quality power supply and a case with good passive cooling ventilation. I don’t recommend any case that needs a fan as that is yet another potential failure point.

You really don't want the Pi-hole to ever go down unintentionally, because every DNS lookup must pass through it and there are a LOT of them. There are timeouts and fallbacks and whatnot (if set up properly), but even so, your network performance can suffer badly.
Steve Cross
(@steve-cross)
Member
Joined: 3 years ago
Posts: 13
Posted by: @madmisha

If I needed an internet-facing Pi on my network (I am on the edge of deciding this), I would rather have only one. The more you have (this includes all IoT things), the more vulnerable your network is. Having multiple things on the same device causing a problem/security gap is negligible. I also take all the necessary precautions.

I think this is mostly true, but it is a little more complicated than that. Your vulnerability is largely determined by the type and number of functions (i.e. software programs) being performed on your local network, and that is mostly independent of how many different machines they are running on. A larger attack surface entails more potential bugs and weak points. However, there have been a non-zero number of chained exploits that can only occur when the right combination of software apps, libraries, etc. appear on the same machine, so having only one machine is at least potentially more vulnerable (although probably not very much).

Conversely, running a bunch of different machines can be more risky if you don’t keep them ALL patched and updated.

Even so, purely in terms of reliability, the closer you can get to being a single function dedicated appliance, the better off you will be. And the more likely that more people will be running your exact configuration and the more likely that a larger community will discover any weaknesses or bugs quickly. In other words, if you closely follow the Pi-hole news and community, you will quickly find out about any new issues on “Pi-hole only” systems. Weaknesses that only occur on less common configurations may not be discovered or publicized as quickly.

And, as I mentioned earlier, simpler is usually better for reliability and ease of use. Especially for a non-expert Linux user. Less possibility of library incompatibilities or unintended consequences of configuration changes required by various different programs.

Anyhow, this is just the opinion of an admittedly paranoid, retired I.T. person who has too often seen the pain that Mr. Murphy inflicts on unnecessarily complex systems that don't properly respect his well-known law.
MadMisha
(@madmisha)
Member
Joined: 4 years ago
Posts: 340
Posted by: @steve-cross

Even so, purely in terms of reliability, the closer you can get to being a single function dedicated appliance, the better off you will be. And the more likely that more people will be running your exact configuration and the more likely that a larger community will discover any weaknesses or bugs quickly. In other words, if you closely follow the Pi-hole news and community, you will quickly find out about any new issues on “Pi-hole only” systems. Weaknesses that only occur on less common configurations may not be discovered or publicized as quickly.

I would actually argue the opposite based on this. You would need someone who is looking for a Raspberry Pi on a network (not really common), running Pi-hole (odds go down here), and they would be looking for one that also runs that cloud service and hope for a hole in security that could possibly be there. Malware is usually targeted at the most likely target to come across. That's why, for years, most viruses and malware were targeted at Windows. Now Mac is much higher on the target list (high enough that they finally admitted they had issues with viruses, despite denying it for years). Linux less so, and Raspbian is not on most radars, although since it is based on Linux, it could be susceptible to the same threats. That is all based on the security aspect though. For bugs and getting it to run, it does not take that long to set up. If it works, it will probably work for a long time. Maybe an update could botch something based on the unusual configuration, but that is really unlikely.

Otherwise, it is susceptible to each program individually, so the updates will work to make that part secure. If the problem is in the OS, then they are all at risk. The difference here would be that only one system on your network would be compromised.
Steve Cross
(@steve-cross)
Member
Joined: 3 years ago
Posts: 13
Posted by: @madmisha

The difference here would be that only one system on your network would be compromised.

I still think you are looking at this the wrong way. As long as nothing else is running on that system, then great. BUT, if you have anything else, then that function is now also at risk. Say, for example, you have a NAS server (as has been mentioned previously) on the same device. All of those files (maybe including sensitive financial or tax records) are now accessible.

Your belief that a Pi-hole is relatively uncommon and therefore low risk seems logical, but that is not necessarily true. Don't forget that DNS databases are always an attractive target for bad actors. A compromised Pi-hole (or any DNS server) can literally reroute any network traffic. For example, it could send your login attempt to an imposter site that looks and acts just like your real bank, until it steals your credentials and your money. It is almost certain that at least some criminal types are attempting to exploit any imaginable weakness in any conceivable system.

And then, unfortunately, any discovered exploits are quickly shared on the criminal underground to be used before the good guys can patch the systems. The relative rarity of Pi-holes is not much protection either. Most "probing for weak points" is scripted and automated so the bad guys can easily search millions of systems looking for a few likely targets.

Obviously, things aren't quite as apocalyptic as I have made it sound, but only because the number of bad guys is much smaller than the number of potential victims. But why take unnecessary risks when the downsides (slight additional cost) are small compared to the upsides (increased reliability and security)?

If it is not already obvious from my apparent paranoia, I'm a retired Unix and Linux System Administrator who has been responsible for the reliability and security of hundreds of large and small systems over the years. I've tried to keep up with industry best practices since my retirement and I'm pretty sure that you'll find that the vast majority of experts would make these same recommendations. 
MadMisha
(@madmisha)
Member
Joined: 4 years ago
Posts: 340
Posted by: @steve-cross

Don't forget that DNS databases are always an attractive target for bad actors. A compromised Pi-hole (or any DNS server) can literally reroute any network traffic. For example, it could send your login attempt to an imposter site that looks and acts just like your real bank, until it steals your credentials and your money.

Hmm, great point! Now, personally, I would rather not have a Pi-hole. I really wasn't big on the idea to begin with. I might still temporarily test it out to see how it runs and what services they use and if they interfere with each other.

Although my financial data goes on an encrypted partition of the drive I use for my system images (not that I think it's vulnerable, just because it is portable and could get lost). It would mostly be my sketches, projects, pictures and old show files. Nothing I would even care about being out on the internet. Some things that I wouldn't mind being able to access at work though.
Steve Cross
(@steve-cross)
Member
Joined: 3 years ago
Posts: 13
Exactly. As should be obvious, most of my sysadmin choices are based on a careful (I hope) risk/benefit analysis. Although the actual likelihood of a Pi-hole compromise to the extent of the worst case scenario I mentioned is probably very low, the potential consequences are drastic enough to completely override any minor annoyances I suffer from having to see some advertisements.

Besides, some of the ads are actually useful as the advertisers learn more about you. Although that is very much a double-edged sword. As I watch more of the Dronebot videos, I have been purchasing more "cool" things to experiment with. And then Amazon (or whoever) suggests "things I might also like" and it can start to get expensive LOL.
jker
(@jker)
Member
Joined: 3 years ago
Posts: 82
I'm going to disagree with the conclusion we've come to here. But first an explanation of what pihole does.

The internet as we know it runs on an IP (internet protocol) based addressing system. Every system online has an IP address that is used by the routing system to identify the route between your IP address (findable if you ask google "what is my ip address") and, to take one example, 159.203.31.177 when you want to. 

Except for some systems on my internal home network, it has been about two decades since I have typed an IP address into a web browser. The system that translates "forum.dronebotworkshop.com" to 159.203.31.177 is called DNS.

DNS has a tiered approach. First, your web browser asks your local operating system "Hey, do you know where forum.dronebotworkshop.com is?" If you've been there recently, your OS has stashed away that name -> address translation and uses it. If not, your operating system goes to your home router and asks if it knows how to translate this. If not, your router goes to your ISP's DNS server, asking if it knows the way to dronebotworkshop. This continues until you either get an answer or you land at an authoritative DNS server that can give you an answer. At this point, all of the servers you asked along the way will update their internal tables to say "For the next X hours, anytime someone asks about dronebotworkshop, this is the IP address". (Some seriously complicated details have been elided here, but this model works for us today.)

One of the options you have on both your computer and your router is to say "actually, don't use my router or the ISP's DNS server next... use this computer over there". Pihole is essentially just your own custom DNS server. It is designed so that when someone tries to look up "myadwarevirus.dangerous.com", pihole simply responds "Oh yes, I know that, it's here", and sends the malware you've accidentally downloaded or visited-by-webpage off into the weeds. When pihole gets a name request that is not on its internal blacklists, it responds with the correct answer if it knows it; otherwise it will forward the request on.

In my opinion, the protection from blacklisted malware sites provided by pihole is so much greater than the increased risk surface by adding another server as to make the latter completely irrelevant.

Most risks of being online today for an individual at home are attacking you through your web browser. Pihole is not something that is going to replace your firewall, but it does interfere with a significant percentage of the threats out there. A firewall mostly blocks network connection requests coming from the network to your systems. Pihole blocks bad requests from your system out to the larger internet... that your system really shouldn't be making.

And setting aside security, there are other side-benefits of running your own dns, such as blocking that idiotic smart-TV ad-spam, having easy names for your internal devices/servers, and creating your own aliases for sites if you feel like it.

"A resistor makes a lightbulb and a capacitor makes an explosion when connected wrong"
"There are two types of electrical engineers, those intentionally making antennas and those accidentally doing so."
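The two mechanisms discussed in this thread (jker's description of Pi-hole answering blacklisted names itself and forwarding everything else, and Steve Cross's earlier point that a compromised resolver can hand back any address it likes) are the same piece of code with a different answer. The toy resolver below is an added example, not Pi-hole's own code: it parses a raw DNS query (RFC 1035 wire format), answers blocked names with a synthetic A record for 0.0.0.0, and would forward anything else to an upstream resolver if one were given. The blocklist, the sinkhole address, the `upstream` parameter and the sample queries are all constructed here for illustration; with `upstream=None` it runs entirely offline.

```python
"""Toy DNS sinkhole in the style of Pi-hole (added example, not Pi-hole's code).

Speaks raw DNS wire format (RFC 1035) so it needs no library and runs offline.
The blocklist, sinkhole address and sample queries are constructed for illustration.
"""
import socket
import struct

# Constructed blocklist; the name is the one used in the post above.
BLOCKLIST = {"myadwarevirus.dangerous.com"}
SINKHOLE_IP = "0.0.0.0"          # "off into the weeds": a non-routable answer


def is_blocked(name: str) -> bool:
    """Block the name itself and anything underneath a blocked domain."""
    labels = name.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in BLOCKLIST for i in range(len(labels)))


def parse_qname(data: bytes, offset: int):
    """Read a label sequence starting at offset; return (name, offset_after)."""
    labels = []
    while True:
        length = data[offset]
        if length == 0:
            return ".".join(labels), offset + 1
        if length & 0xC0:                 # compression pointer: not valid in a question
            raise ValueError("unexpected compressed name in question section")
        labels.append(data[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length


def build_query(name: str, txid: int = 0x1234, qtype: int = 1) -> bytes:
    """Build a standard recursive A query (QTYPE 1, QCLASS IN) for name."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in name.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def synthetic_answer(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Answer the query with one A record pointing at ip, whatever was asked.

    A resolver may return any address it likes: with ip=0.0.0.0 this is a
    sinkhole, with an attacker's address it is the rerouting described earlier.
    """
    txid = struct.unpack("!H", query[:2])[0]
    _, end = parse_qname(query, 12)
    question = query[12:end + 4]                        # QNAME + QTYPE + QCLASS
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)   # QR=1 RD=1 RA=1 NOERROR
    # Owner name as pointer to offset 12, TYPE A, CLASS IN, TTL, RDLENGTH 4, RDATA.
    rr = struct.pack("!HHHIH", 0xC00C, 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + rr


def resolve(query: bytes, upstream=None):
    """Pi-hole style decision: blocked -> sinkhole answer, else forward upstream.

    upstream is a hypothetical (host, port) tuple; None means "do not forward",
    which keeps the example offline.
    """
    name, _ = parse_qname(query, 12)
    if is_blocked(name):
        return "blocked", synthetic_answer(query, SINKHOLE_IP)
    if upstream is None:
        return "forward", None
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(2)
        sock.sendto(query, upstream)
        return "forward", sock.recv(512)


def first_a_record(response: bytes):
    """Return (queried_name, ip) from the first answer, or (name, None)."""
    _, _, _, ancount, _, _ = struct.unpack("!HHHHHH", response[:12])
    name, off = parse_qname(response, 12)
    off += 4                                            # skip QTYPE/QCLASS
    if ancount == 0:
        return name, None
    if response[off] & 0xC0:                            # compressed owner name
        off += 2
    else:
        _, off = parse_qname(response, off)
    rtype, _, _, rdlen = struct.unpack("!HHIH", response[off:off + 10])
    off += 10
    ip = socket.inet_ntoa(response[off:off + rdlen]) if rtype == 1 else None
    return name, ip


if __name__ == "__main__":
    for host in ("myadwarevirus.dangerous.com", "forum.dronebotworkshop.com"):
        verdict, resp = resolve(build_query(host))
        print(host, "->", verdict, first_a_record(resp)[1] if resp else "(to upstream)")
```

The blocked lookup never leaves the resolver, which is the point jker makes: the client gets a valid-looking answer that goes nowhere. Note that `synthetic_answer` does not care what was asked; that is why a resolver you do not control (or one that has been compromised) is worth worrying about, and why Pi-hole's upstream forwarder should be one you trust.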
Steve Cross
(@steve-cross)
Member
Joined: 3 years ago
Posts: 13
@jker,

All great points, and in general, I agree with every single one. At least for a reasonably well-informed and conscientious user / de facto sysadmin. And, TBH, adding a Pi-hole has been on my todo list for years. It has just never moved to the top of the list. Probably because of hubris on my part. I think I've just subconsciously assumed that my experience and paranoia would protect me as well as the incremental improvement a Pi-hole offers.

I think I may bump up the priority, although I still strongly recommend putting it on a standalone system. 

I still suspect the pain involved (small as it may be) for a novice/inexperienced user may outweigh any potential gain. But again, to be brutally honest (with myself), that could just be a reaction to many years of providing "free" tech support to relatives, friends, neighbors and anyone else that knew what I did for a living. I always tend to recommend the least complicated, most bulletproof solutions to everyone who asks because, inevitably, I'll wind up having to solve any future problems 😆.

Anyway, as I said, all great points and an excellent summary of DNS basics.
MadMisha
(@madmisha)
Member
Joined: 4 years ago
Posts: 340
@jker

I think both @steve-cross and I understand that getting through the firewall and compromising a Pi-hole is relatively low risk (or maybe likelihood) but high potential if they do. Although I don't think adding a second service to the device will affect it, I generally don't like the idea of Pi-hole. That slight potential just tipped my decision to never actually implement it for me. Also, since only the addresses it looks up through DNS are requested from the Pi-hole, everything still passes through the network like normal and won't even involve the Pi. So, if I do access a malicious site or download something I shouldn't, it wouldn't be installed on the Pi and the problem would still be at my computer. The real danger would be from someone finding out the Pi is there and trying to get through the firewall. All fairly unlikely. That decision was just a personal one and Pi-hole still does a good job.

For the ad blocking portion, I would rather the website I am on get the money from the ads I see to keep up the free services. Servers are not free. Employees to create, maintain and write the articles have associated costs. For the most part, ads don't bother me. I don't click on them. I will admit that I did fall for the fantastical news story ads when they first appeared. I don't think I've clicked on one in years though.

Tracking is different. There is potential for some malicious acts here, but for the most part it's just demographics shared. I also have software to monitor this.

There are also many browser extensions that do the same thing, and they have the ability to update in real time to threats. That does not protect against malware directly running, but that would also have to get through antivirus software first (2 if you have Windows Defender running as well; I don't know if Mac has a native defender, and on Linux you've always been on your own here).

Now to the original intent of the thread: what could safely be running alongside Pi-hole? I have still not heard anything that would make me think that a personal cloud service that is not publicly known would make it insecure, assuming you set it up right and have all the certificates.