Nginx error404 from pihole

Please follow the below template, it will help us to help you!

Expected Behaviour:

Seeing the normal error404 page of Pi-hole (when using lighttpd)

Actual Behaviour:

ERR_INVALID_RESPONSE

So currently I've got Pi-hole working again on my VPS, I even have it working with my custom domain, and I also made the switch from lighttpd to nginx (and therefore got HTTPS working too!)

Even the load on the top left suddenly works (it always had crazy values like 10), and the only thing left to do is to get the error404 from the lighttpd setup.

My current configuration with NGINX:

I hope someone is able to tell me how I can set the Pi-hole error back.

Unrelated question: is there also a dark mode for the dashboard? Would I need to change anything else if I made a subdomain like pihole.betavpn.tk?

Are you referring to the blocking page that shows that a domain is blocked and has the option of whitelisting that page?

(post deleted by author)

Are you trying to get NGINX to serve a specific page, when encountering a 404 situation?

If so, that is more of an NGINX configuration issue rather than Pi-hole specific. But this should help you out:
https://www.cyberciti.biz/faq/howto-nginx-customizing-404-403-error-page/

(post deleted by author)

Would it be sufficient to copy the code from the Pi-hole one to the NGINX one? It's a pretty straightforward HTML/CSS page that Pi-hole serves by default. So that should probably do the trick? Or am I missing something?

lighttpd from Pi-hole has got these directives, if it might help:

pi@noads:~ $ cat /etc/lighttpd/lighttpd.conf
[..]
server.document-root        = "/var/www/html"
server.error-handler-404    = "pihole/index.php"
[..]

So full path to the 404 handler with a default install is:

/var/www/html/pihole/index.php

index.php and blockingpage.css can be found on git:

Oh, and make sure you're not running an open resolver:

http://www.openresolver.com/

Oops:

http://www.openresolver.com/?ip=betavpn.tk

That's not a good idea:

https://discourse.pi-hole.net/search?q=open%20resolver

Please close down port 53 UDP with the firewall and only allow trusted IPs, or set up a VPN on the clients and Pi-hole:

It's still resolving:

pi@noads:~ $ dig +short test.openresolver.com TXT @betavpn.tk
"open-resolver-detected"

Removing the domain doesn't help.
Addressing the IP address directly instead of name would still result in an open resolver.

EDIT: e.g.

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

pi@noads:~ $ dig +short version.bind TXT @64.52.86.238 CHAOS
"dnsmasq-pi-hole-2.80"

This bit below:

That did the trick:

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
;; connection timed out; no servers could be reached

Now make it persistent by putting it in, for example, a new file:

/etc/network/if-pre-up.d/my-iptables-rules

EDIT: Oh, you might want to add the interface to that iptables rule, or else all DNS traffic gets dropped.

Reboot and test with openresolver.com.

Oh, I forgot one thing: DNS is closed now for UDP, which is what's used for the amp attacks.
But TCP is still open to the public, just so you know:

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

Also not really advised to do so :wink:

Visiting a bare root URL like your link will automatically redirect to /admin/. You will not see the block page for HTTPS, as that's considered a man-in-the-middle attack, unless your clients have your Certificate Authority installed in their browsers.

https://pihole.deltabot.me/ already redirects to https://pihole.deltabot.me/admin/

If you want it to do / show something else then you will need to modify the webserver to do as such.

Oops, I gave you that heart too quickly.
No, it's worse.
UDP is open again:

pi@noads:~ $ dig +short test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

And TCP as well so you know:

pi@noads:~ $ dig +short +tcp test.openresolver.com TXT @64.52.86.238
"open-resolver-detected"

As long as you run an open resolver, you're susceptible to participating in a DDoS attack.
They will find your server quickly enough and you'll be wondering where the load and queries are coming from.
Worst case, your server gets kicked by the VPS provider.

As said before:

Best is to close down everything with the firewall and only allow trusted IPs.
Trusted IPs could be the Cloudflare servers that are hitting your DNS setup.
Let Cloudflare take the full brunt of a DDoS attack, if any.

Some poor advice maybe, but try installing some text-based firewall software on the VPS:

apt search firewall

And configure the firewall to only allow the Cloudflare servers to connect to 53 UDP & TCP.
I can't advise you on which one, because the way I set up a firewall (if needed) is way more complicated and a bit difficult to explain here.
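Putting the thread's advice together (close 53/udp and 53/tcp with the firewall, allow only trusted IPs, include the interface so other traffic is not dropped, and persist it in /etc/network/if-pre-up.d/), here is an added example script that is not from the thread or the Pi-hole project. It assumes the public interface is eth0 and uses the constructed placeholder addresses 203.0.113.10 and 203.0.113.11 as the trusted list; nothing is applied, the rules are only generated for review.

```shell
#!/bin/sh
# Added example (not from the thread): generate iptables rules that allow DNS
# (53/udp and 53/tcp) only from a list of trusted source IPs on one interface
# and drop everything else, so the resolver is no longer open to the internet.
# Assumptions: public interface eth0; the trusted IPs are constructed
# placeholders (replace with your clients or the Cloudflare addresses).

PUBLIC_IF="${PUBLIC_IF:-eth0}"
TRUSTED_IPS="${TRUSTED_IPS:-203.0.113.10 203.0.113.11}"

# Print the rule set as iptables commands. Generating text rather than applying
# it directly lets you review the rules before persisting them.
dns_firewall_rules() {
    iface="$1"; shift
    for ip in "$@"; do
        for proto in udp tcp; do
            printf 'iptables -A INPUT -i %s -p %s --dport 53 -s %s -j ACCEPT\n' \
                "$iface" "$proto" "$ip"
        done
    done
    # The DROP rules must come after the ACCEPTs: INPUT is evaluated in order.
    # Binding to the interface keeps local/VPN-side DNS working (the EDIT above).
    printf 'iptables -A INPUT -i %s -p udp --dport 53 -j DROP\n' "$iface"
    printf 'iptables -A INPUT -i %s -p tcp --dport 53 -j DROP\n' "$iface"
}

# Count the ACCEPT rules in a generated rule set: every trusted IP should
# contribute exactly two (one UDP, one TCP).
count_accepts() {
    printf '%s\n' "$1" | grep -c -- '-j ACCEPT'
}

# Write the rules as an if-pre-up.d script (executable, no file extension,
# so ifupdown runs it before the interface comes up, i.e. before port 53 is
# reachable after a reboot).
write_pre_up_script() {
    out="$1"; iface="$2"; shift 2
    {
        printf '#!/bin/sh\n'
        printf '# Restrict DNS on %s to trusted sources; drop the rest\n' "$iface"
        dns_firewall_rules "$iface" "$@"
    } > "$out"
    chmod 755 "$out"
}

# Stand-alone usage: print the rules for review (nothing is applied here).
# shellcheck disable=SC2086
dns_firewall_rules "$PUBLIC_IF" $TRUSTED_IPS
```

If an earlier rule in INPUT already accepts everything, an appended DROP never matches, so check `iptables -S INPUT` ordering after loading, and repeat the same rules with ip6tables if the VPS has a public IPv6 address.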