Running my free cloud-based Pihole, notes


#1

Google Compute Engine offers a free f1-micro VM (free forever tier).

Provision it using the Debian GNU/Linux 9 (stretch) image.

Add a static public IP for this instance.

Installation of Pihole was flawless using the curl/bash command-line. Use Google DNS as the backend resolver.

Add a firewall rule (using the Google Cloud VPC network settings) to allow public DNS queries (allow 0.0.0.0/0 to access TCP/UDP port 53) for this instance. If you are only using Google cloud to run this little instance, then you might as well apply this firewall rule to all instances in your VPC instead of specifying which instances the firewall rule is applicable to (which may require you to tag instances etc.).

Replace the DNS server entry in /etc/resolv.conf on this instance with 127.0.0.1.

Test out the Pihole resolver from your home computer by setting the instance’s public IP to be your DNS server in your TCP/IP settings.

…

To ensure I am always using it, I added the public IP of this instance to my wi-fi router. But the wi-fi router was still adding itself as a secondary DNS server and there was no way to override it. So, sometimes, since the latency to the Google instance was obviously greater, my computer was using the wi-fi router as the DNS server, which was in turn getting its DNS queries resolved via the ISP. Not good.

But there was an easy fix. In the router’s WAN settings, I updated the DNS server to be again the Pihole. So, even if my home computer was referring to the router’s IP address as the DNS server, I was still able to use Pihole.

Now that the home network was ad-blocked, the next step was to ad-block my phone, no matter which network I was using.

I installed the DNS Changer app (https://play.google.com/store/apps/details?id=com.burakgon.dnschanger&hl=en_US) on my Android phone. This app creates a virtual VPN which uses your specified DNS server on all networks (even on mobile data). Keep the VPN running, it doesn’t consume much in terms of CPU/RAM.

This is working beautifully so far.

There was a hiccup when Pihole showed “0 domains blocked” for some reason. I just updated the gravity (query lists) again and all was well.

The easiest way to test was to go to an ad-block test site, or to nslookup retailwith.com. It should return 0.0.0.0.

It has been running for a few days now, and the CPU usage on the Google instance is less than 0.1%. I see many clients depending on how many IP addresses my phone gets as it roams through cell towers.

Hope you find it useful.


#2

Please do not operate an open DNS resolver: http://openresolverproject.org/

It is recommended to instead use a VPN: https://docs.pi-hole.net/guides/vpn/overview/


#3

Have you created a DNS server (Pi-Hole) that is open to the internet?


#4

Yes, so far. But I intend to install OpenVPN to restrict it.


#5

This is a very bad practice. Just one of many articles on this subject: https://www.us-cert.gov/ncas/alerts/TA13-088A.


#6

Running it under OpenVPN now. No open ports and no public DNS. Thanks guys!
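An added example (not code from any poster or from Pi-hole) that turns two checks from this thread into a script: post #1's nslookup test (retailwith.com should come back as 0.0.0.0) and post #6's "no public DNS" claim. Run probe() against the instance's public IP from a host outside the VPN and it should return "no-response" or "refused"; from inside the VPN, "blocked-by-pihole". It uses only the standard library; the SAMPLE_BLOCKED reply is constructed, not captured, so the parser can be exercised offline.

```python
import socket, struct

def build_query(name, txid=0x1234):  # recursive A query (RD=1), the shape nslookup sends
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(pkt, off):  # advance past a label sequence or a 2-byte compression pointer
    while pkt[off] and pkt[off] & 0xC0 != 0xC0:
        off += pkt[off] + 1
    return off + (2 if pkt[off] & 0xC0 == 0xC0 else 1)

def parse_response(pkt):  # -> ({qr, ra, rcode}, [A-record IPs])
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", pkt[:12])
    info = {"qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080), "rcode": flags & 0xF}
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(pkt, off) + 4            # skip QTYPE/QCLASS
    for _ in range(an):
        off = _skip_name(pkt, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", pkt[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            ips.append(".".join(str(b) for b in pkt[off:off + 4]))
        off += rdlen
    return info, ips

def classify(info, ips):
    if info["rcode"] == 5:
        return "refused"            # server answered but will not recurse for this client
    if ips == ["0.0.0.0"]:
        return "blocked-by-pihole"  # gravity hit: the answer the thread expects for retailwith.com
    if info["ra"] and ips:
        return "resolved"           # recursion served; seen from an outside host this is an open resolver
    return "other"

def probe(server, name="retailwith.com", timeout=3.0):  # send one query to server:53 and classify
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (server, 53))
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no-response"    # port 53 filtered: what an outside host should see after the fix
    return classify(*parse_response(data)) if data[:2] == query[:2] else "other"

# Constructed sample reply (not a real capture): Pi-hole's gravity answer for retailwith.com, A 0.0.0.0
SAMPLE_BLOCKED = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
                  + b"\x0aretailwith\x03com\x00" + struct.pack("!HH", 1, 1)
                  + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 2, 4) + b"\x00\x00\x00\x00")
```

Call probe("PIHOLE_PUBLIC_IP") with the instance's address substituted; the server address is the only input the script needs.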


#7

Here is a step by step guide for others looking to accomplish this on Google Cloud Platform:

Set up a Pi-Hole Ad Blocking VPN Server with a static Anycast IP on Google Cloud’s Always Free Usage Tier and configure Full Tunnel or Split Tunnel OpenVPN connections from your Android, iOS, macOS, & Windows devices

Both Full Tunnel and Split Tunnel VPN connections provide DNS based ad-blocking over an encrypted connection to the cloud. The differences are:

  • A Split Tunnel VPN allows you to interact with devices on your Local Network (such as a Chromecast or Roku).
  • A Full Tunnel VPN can help bypass misconfigured proxies on corporate WiFi networks, and protects you from Man-In-The-Middle SSL proxies.

Tunnel Type   Data Usage               Server CPU Load   Security              Ad Blocking
full          +10% overhead for VPN    moderate          100% encryption       yes
split         just kilobytes per day   very low          DNS encryption only   yes