Some questions before installing pi-hole

Hello, I have some questions before installing pi-hole on a raspberry pi model B with the raspbian image

  1. Do I need to be logged in as root for the pi-hole to work or can it be run under a non root account?
  2. Are there any suggestions for securing the raspberry pi before installing pi-hole? I have so far only changed the default user and password, I'm only planning on using this pi for pi-hole and nothing more
  3. I'm only interested in using the web interface within my network, so no outside access, what services can I disable to make the pi and pi-hole more secure?
  4. I know that the answer to this question can be very biased but I will still ask it. I'm concerned with privacy and do realize that no DNS server can be 100% trusted, but would still like some advice on which is the most trusted?

thanks

  1. The user has to be able to run sudo. Using root is a bad idea under all circumstances as it defeats the security model of the operating system. Through sudo, the Pi-hole will get administrative privileges when it needs them (like when installing dependencies, etc.), but the user doesn't have to be (and shouldn't be) root.

  2. Only one thing: Keep your operating system (Raspbian?) up-to-date with security updates. And don't use rpi-update.

  3. Do you plan to operate it at home (behind a NAT, which in personal environments is often provided by the DSL router)? If that is the case (it can be seen from the fact that the Pi does not get a valid internet IP but some address in the range of 192.168.x.x or 10.x.x.x), then you are good to go. Pi-hole is designed for privacy and there is nothing in it that tries to get public. If the web UI is publicly available, that means that
    3.1. the user wanted that to happen and forwarded the corresponding ports to his Raspberry, or
    3.2. installed Pi-hole on a server that is publicly available through the internet.
    If you install it in your local network at home (or at work), it is already protected against outside access and there is nothing you would have to disable.

  4. You are right, "trusted" is a very biased word here. Every request sent through a DNS server can be logged and that data can be collated and analyzed.
    Let me expand on this: Google DNS is the most often used one because it is highly available and never seems to fail. But you should, of course, be aware of the potential privacy issue: To date, Google only knows which page you are accessing if you use Google Search to find it. However, as soon as you use Google DNS as upstream server, it will know all addresses you access, even if you visit them directly or if you visit some site from within another site. Google would have the ability to track everything. However, for a company like Google, the value is probably more in the aggregate: their DNS servers give them an idea which web sites are most popular, and may also tell them about web sites that Google's crawlers haven't discovered yet.
    So, to this point we think that we might not want to use Google's DNS servers, but that does not yet tell us which one we would like to use. I haven't found the perfect solution myself, but I feel comfortable with using the OpenDNS servers. Be aware that they might be slightly slower in their answer since there aren't too many of them (see here). However, they use Anycast, so the difference should be minimal (there are actually a number of users for whom the OpenDNS servers are by far the fastest ones!).

DL6ER, thanks for the reply

  1. I was under the impression that the pi came with the pi account and a root account, but reading on it, it seems as there is only the pi account which I have already changed, is this correct?
  2. ok will do that
  3. Yes, it will be behind a NAT, and I won't be forwarding any port on my router, hence why I don't care about SSH. I might turn off SSH or at least regenerate the keys.
  4. I'm on the fence with OpenDNS since there were some stories back in the day when they never really said if they're logging info. Have you ever used Comodo? As well, can you explain what I really gain by using DNSCrypt? I have read on it, but I don't fully understand what advantages/disadvantages it offers. As I understand it, my DNS gets encrypted, but once I reach my DNS resolver (Google) they will decrypt my DNS traffic, which in my mind is useless because then Google still knows what I'm looking for. Am I correct?

  1. Using root as account is always dangerous and I never recommend it to anyone. I don't use root myself but always use the normal user + sudo only if necessary.

  2. ✅

  3. You don't have to regenerate the keys, because they (obviously) have been generated just for you on your Raspberry Pi at first boot. Regenerating them won't increase your security by any means.

  4. You are right, the upstream DNS server surely knows which domains you are requesting, because otherwise it could not work. DNSCrypt simply turns regular DNS traffic into encrypted DNS traffic that is secure from eavesdropping and man-in-the-middle attacks, increasing your security over the transport path between you and the upstream DNS server.
    If you use Google as upstream server, then they will surely log what you do. The same might happen when you use OpenDNS, I agree. My point is that we know that Google is logging everything. I don't know the status concerning OpenDNS. I never used another server, since tests revealed that the OpenDNS servers are (by far) the fastest at my location (at work as well as at home).

Hi

Well, I've been using the Pi-hole for some time and I just had some extra questions.

  1. I installed Pi-hole through the script, so that got me thinking: is there a way to verify, through a SHA or GPG key, the authenticity of the download and/or the installation? Is this possible?
  2. I found a similar question to mine but it didn't really have a good answer, at least for me. I do not know entirely how the Pi-hole works, but I do know all the code is open, so can the Pi-hole be used against me (us) to mount MITM attacks? Meaning, let's say I go and check my email and the Pi-hole is blocking ads from the email provider: can the Pi-hole be used to get my credentials? Or let's say I go to my banking website but there are no ads to block: can the Pi-hole be used to log my credentials?

Thanks

Hi, resident Pi-hole developer and part-time paranoid security guy. Some very good questions.

The https://install.pi-hole.net is just a shortcut to the actual basic-install.sh script on GitHub; we can show how that works if you'd like to know.

The code is entirely up on GitHub, our repository. Anyone can see all of the code and can review it at any time. There is a small group of people that can 'push' code to the area that is released. And it requires the full team of developers to agree in order for us to release the code out to be used. If anyone put in a back door, we'd be the only ones capable of doing that, and we'd basically be ending the project by doing that. By developing on GitHub, we can accept submissions to code changes from anyone that wants to submit them, but that process is all reviewed and in the open, so if things were going south, there's about 10k people that would see it, and of that I know about 1k people that could spot in less than a second any attempts to do anything malicious with the code.

We keep everything on the Pi-hole device itself. There is nothing that phones home or gives us any feedback on what is happening. It's a black box; you as the admin of the Pi-hole are the only one that can see. We can't even figure out what your password is. Let me put that in perspective. There is a process, pihole -d, that runs some routines that collect information, and you are given the option to upload that to a secured server for us to take a look, but that requires you to actively approve the upload of information, and you see exactly what we see, so you can tell if we are grabbing sensitive stuff. The code for the debug script is on GitHub as well, so it is reviewed by the community. And that process only provides us with the irreversible hash of your password; we couldn't figure it out. I'm working to reduce the amount of information that is collected to reduce the transfer of information. But that's always in process.

If you have any specific questions, or want something further explained, you can either message me here, or email me directly at dan.schaper@pi-hole.net and I'll be happy to be way more verbose than I have been here, and walk through the steps we take to make sure we are transparent and yet still protect your privacy at the same time.


Hi Dan

Thanks a lot for the information. I will reply here so others have access to the information. As for "the actual basic-install.sh script on GitHub, we can show how that works if you'd like to know": yes, I would like to know more.

I know you already answered the question quite elegantly, but for others that might want a yes or no answer: is it safe to say that "the current release of the Pi-hole has NO way of mounting an MITM for password gathering and that the Pi-hole has NO way of calling back home"? Is my statement correct?

thanks Dan

Sure, https://install.pi-hole.net is a CNAME for https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh so you can install from the GitHub link, we just provide a short name for user ease of install. You can see that the script is pulled directly from GitHub and is the exact script in the Master Branch of our public repository. We do suggest that users download the script and run it directly instead of curling the script if they have some concerns, and that really is a better practice than blind curls to the internet.

I will state with full and total commitment, we can NOT MITM, we do not have that kind of access. There is NO call home code, with the exception of the user run pihole -d debugging script that explicitly requires the user to approve any upload of data, and that approval is required each time the script is run. And a copy of what is uploaded is saved to the local Pi-hole so that you can see what is sent. (I can expand upon the security we use for the debugging server, it's multilayered and uses current security practices, only 7 people have access to the log files, and if anything goes wrong the whole system closes. We have an open bounty for anyone that can gain access to that server and invite users to try.)

And I'm happy to discuss things here to be transparent with what I'm saying and to go on the record with my comments. I think users should be way more informed of the steps we take, and what they should be doing and asking before installing any software in the current environment.
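As an added illustration of the download-then-inspect practice Dan describes above (this is not the project's own code; it assumes curl, cmp, diff and sha256sum or shasum are present on the Pi), the two copies of the installer are fetched to files, compared byte-for-byte, and only then read and run:

```shell
#!/bin/sh
# Added example, not Pi-hole's own code: fetch the installer from both names
# mentioned in the thread, then compare the copies before running anything.
# Assumption: curl, cmp, diff and sha256sum (or shasum) exist on the system.

SHORT_URL="https://install.pi-hole.net"
GITHUB_URL="https://raw.githubusercontent.com/pi-hole/pi-hole/master/automated%20install/basic-install.sh"

# Download both copies to files instead of piping the response into bash.
fetch_copies() {
    curl -sSL -o short.sh  "$SHORT_URL"  || return 1
    curl -sSL -o github.sh "$GITHUB_URL" || return 1
}

# Return 0 only if both files are non-empty shell scripts with identical
# contents; print the SHA-256 so it can be recorded and re-checked later.
verify_install_script() {
    a="$1"; b="$2"
    [ -s "$a" ] && [ -s "$b" ] || { echo "empty download" >&2; return 1; }
    head -n1 "$a" | grep -q '^#!/.*sh' || { echo "not a shell script" >&2; return 1; }
    cmp -s "$a" "$b" || { echo "copies differ" >&2; diff "$a" "$b"; return 1; }
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$a"
    else
        shasum -a 256 "$a"
    fi
}

# Typical use: fetch, verify, read the script, then run the file you inspected.
#   fetch_copies && verify_install_script short.sh github.sh \
#       && less github.sh && sudo bash github.sh
```

The hash printed at the end is only as trustworthy as the copy you compared it against, so the point of the check is to make the script a local file you can read before anything executes with sudo.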

Dude, that was by far the best answer ever. So glad to be using this software, and I totally agree that users should be informed before using any software instead of rushing to install the latest cool gadget. I will re-install and follow the steps so I can learn more.

Thanks Dan