Web admin page won't show up, index.php error

That pretty much puts you in the 'Unsupported OS' department. I don't know what changes they may have made to lighttpd or the required cgi backends.

Is there a link or a page that explains what that repository was built for? Where did you find the instructions to install that apt repository?

This is the link that I followed for Plex server.

After install, I rebooted the raspberry. Plex worked as expected but pihole web stopped working since.

That should tell you that Plex broke it.

I am not sure. It is possible.

Also, it was my first time update/upgrade, which could also have the possibility of breaking something too.

Everything else seems to work. Pihole itself seems to run fine.

Hi deHakkelaar,

Just an update. It took me a while to figure out that all those queries for those two Brother printers come from just one PC. I have hard-coded the printers' IP addresses in the host file, which cleans up a little. All other Apple devices that AirPrint on both printers do not have this problem.

It works for both printers, one with IP, the other attached to raspberry.

However, the web GUI of Pihole is still not working, but since we can do pretty much everything from the command line, it is not that important.

Thanks.

Probably you have configured your router WAN/Internet DNS setting to point to Pi-hole.
So currently DNS queries go like so:

client --> router --> Pi-hole --> upstream configured DNS server(s)

What you want is to have the clients query Pi-hole directly eg:

client --> Pi-hole --> upstream configured DNS server(s)

That way Pi-hole will log the client IP instead of the router IP and will make searching the dbase or log files for who does what much easier.
Preferred is to have your router distribute the Pi-hole IP for DNS via DHCP.
Methods 1 or 2 in below FAQ:

You're absolutely right, who needs a web GUI :wink:
Most all can be done from good old trusted bash:

pi@ph5:~ $ pihole -h
Usage: pihole [options]
Example: 'pihole -w -h'
Add '-h' after specific commands for more information on usage

Whitelist/Blacklist Options:
  -w, whitelist       Whitelist domain(s)
  -b, blacklist       Blacklist domain(s)
  --regex, regex      Regex blacklist domains(s)
  --white-regex       Regex whitelist domains(s)
  --wild, wildcard    Wildcard blacklist domain(s)
  --white-wild        Wildcard whitelist domain(s)
                        Add '-h' for more info on whitelist/blacklist usage

Debugging Options:
  -d, debug           Start a debugging session
                        Add '-a' to enable automated debugging
  -f, flush           Flush the Pi-hole log
  -r, reconfigure     Reconfigure or Repair Pi-hole subsystems
  -t, tail            View the live output of the Pi-hole log

Options:
  -a, admin           Web interface options
                        Add '-h' for more info on Web Interface usage
  -c, chronometer     Calculates stats and displays to an LCD
                        Add '-h' for more info on chronometer usage
  -g, updateGravity   Update the list of ad-serving domains
  -h, --help, help    Show this help dialog
  -l, logging         Specify whether the Pi-hole log should be used
                        Add '-h' for more info on logging usage
  -q, query           Query the adlists for a specified domain
                        Add '-h' for more info on query usage
  -up, updatePihole   Update Pi-hole subsystems
                        Add '--check-only' to exit script before update is performed.
  -v, version         Show installed versions of Pi-hole, Web Interface & FTL
                        Add '-h' for more info on version usage
  uninstall           Uninstall Pi-hole from your system
  status              Display the running status of Pi-hole subsystems
  enable              Enable Pi-hole subsystems
  disable             Disable Pi-hole subsystems
                        Add '-h' for more info on disable usage
  restartdns          Full restart Pi-hole subsystems
                        Add 'reload' to update the lists and flush the cache without restarting the DNS server
                        Add 'reload-lists' to only update the lists WITHOUT flushing the cache or restarting the DNS server
  checkout            Switch Pi-hole subsystems to a different GitHub branch
                        Add '-h' for more info on checkout usage
  arpflush            Flush information stored in Pi-hole's network tables

pi@ph5:~ $ pihole -a -h
Usage: pihole -a [options]
Example: pihole -a -p password
Set options for the Admin Console

Options:
  -p, password        Set Admin Console password
  -c, celsius         Set Celsius as preferred temperature unit
  -f, fahrenheit      Set Fahrenheit as preferred temperature unit
  -k, kelvin          Set Kelvin as preferred temperature unit
  -e, email           Set an administrative contact address for the Block Page
  -h, --help          Show this help dialog
  -i, interface       Specify dnsmasq's interface listening behavior
  -l, privacylevel    Set privacy level (0 = lowest, 4 = highest)

Or query the pihole-FTL API:

echo ">stats >quit" | nc localhost 4711

You can lookup the API calls in below doc:

https://docs.pi-hole.net/ftldns/telnet-api/

Or checkout the source code:

And you also have the chronometer:

pi@ph5:~ $ pihole -h
[..]
  -c, chronometer     Calculates stats and displays to an LCD
                        Add '-h' for more info on chronometer usage

I did not know we can do this. The idea of being able to monitor the whole network and blocking kids playing games is so tempting...

However, other than those steps I need to follow in the instructions, I have some follow-up questions to make sure I know what I will be doing.

  1. I will need to run pihole -r again to reconfigure the upstream DNS to point to my router (192.168.1.1), am I right?
  2. On my router, I will need to put in a DNS pointing to 8.8.8.8 etc...

I really like the idea using pihole as a parent control tool....monitoring the whole network with the telnet functions....

Thanks.

My router Orbi does not allow dnsmasq setup. I won't be able to enable the DHCP 6 option on Orbi. There is a possibility to hack Orbi using telnet but it is a little too involved.

Based on my reading, I can still enable Pihole as DHCP and disable Orbi's DHCP. But I am afraid it is a little beyond what I can handle.

Not necessarily.
You can configure any upstream DNS servers like for example the ones default provided by Pi-hole:

pi@ph5:~ $ cat /etc/pihole/dns-servers.conf
Google (ECS);8.8.8.8;8.8.4.4;2001:4860:4860:0:0:0:0:8888;2001:4860:4860:0:0:0:0:8844
OpenDNS (ECS);208.67.222.222;208.67.220.220;2620:119:35::35;2620:119:53::53
Level3;4.2.2.1;4.2.2.2;;
Comodo;8.26.56.26;8.20.247.20;;
DNS.WATCH;84.200.69.80;84.200.70.40;2001:1608:10:25:0:0:1c04:b12f;2001:1608:10:25:0:0:9249:d69b
Quad9 (filtered, DNSSEC);9.9.9.9;149.112.112.112;2620:fe::fe;2620:fe::9
Quad9 (unfiltered, no DNSSEC);9.9.9.10;149.112.112.10;2620:fe::10;2620:fe::fe:10
Quad9 (filtered + ECS);9.9.9.11;149.112.112.11;2620:fe::11;
Cloudflare;1.1.1.1;1.0.0.1;2606:4700:4700::1111;2606:4700:4700::1001

I currently have the Google ones below configured:

pi@ph5:~ $ grep PIHOLE_DNS /etc/pihole/setupVars.conf
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4

But there is a but.
If Pi-hole doesn't do DHCP, for example your router does that, Pi-hole won't be able to do reverse PTR lookups to figure out the hostnames that belong to device IPs on your LAN:

pi@ph5:~ $ host 10.0.0.220 localhost
Using domain server:
Name: localhost
Address: ::1#53
Aliases:

220.0.0.10.in-addr.arpa domain name pointer laptop.dehakkelaar.nl.

When a client negotiates a DHCP lease with the router, the client advertises its own hostname to the DHCP server:

dehakkelaar@laptop:~$ cat /etc/dhcp/dhclient.conf
[..]
send host-name = gethostname();

And as most routers, or so called smart routers, also run their own caching DNS service, PTR and A records get created/added automatically for devices that acquire IP details through DHCP.
So only the DHCP device knows of these hostnames.
For that, Pi-hole got the "Conditional Forwarding" option that can be configured via the web GUI:

But as you don't have a GUI, I'll show you a little trick.
Pi-hole stores most of its options in below file:

pi@ph5:~ $ cat /etc/pihole/setupVars.conf
BLOCKING_ENABLED=true
TEMPERATUREUNIT=C
WEBUIBOXEDLAYOUT=traditional
WEBPASSWORD=
DHCP_START=10.0.0.10
DHCP_END=10.0.0.254
DHCP_ROUTER=10.0.0.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=dehakkelaar.nl
DHCP_IPv6=false
DHCP_rapid_commit=false
DHCP_ACTIVE=false
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=10.0.0.4/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
INSTALL_WEB_INTERFACE=true
LIGHTTPD_ENABLED=true
DNSMASQ_LISTENING=single
PIHOLE_DNS_1=8.8.8.8
PIHOLE_DNS_2=8.8.4.4
DNS_FQDN_REQUIRED=false
DNS_BOGUS_PRIV=false
DNSSEC=false
REV_SERVER=true
REV_SERVER_CIDR=10.0.0.0/24
REV_SERVER_TARGET=10.0.0.2
REV_SERVER_DOMAIN=dehakkelaar.nl

The options for you to add to configure Conditional Forwarding are below ones (with 10.0.0.2 doing DHCP on my LAN):

DNS_FQDN_REQUIRED=false
DNS_BOGUS_PRIV=false
REV_SERVER=true
REV_SERVER_CIDR=10.0.0.0/24
REV_SERVER_TARGET=10.0.0.2
REV_SERVER_DOMAIN=dehakkelaar.nl

You just have to add those lines to /etc/pihole/setupVars.conf (check for duplicates), and run below one selecting repair:

pihole -r

If successful, below lines will be added to the dnsmasq config that allows reverse lookups against the DHCP/DNS server:

pi@ph5:~ $ cat /etc/dnsmasq.d/01-pihole.conf
[..]
rev-server=10.0.0.0/24,10.0.0.2
server=/dehakkelaar.nl/10.0.0.2

Just make sure the router WAN/Internet DNS setting does not point back to the Pi-hole IP thus creating a DNS forwarding loop.

That is the only alternative yeah.
If you add below lines to /etc/pihole/setupVars.conf (adjust to your needs!):

DHCP_ACTIVE=true
DHCP_START=10.0.0.10
DHCP_END=10.0.0.254
DHCP_ROUTER=10.0.0.1
DHCP_LEASETIME=24
PIHOLE_DOMAIN=dehakkelaar.nl
DHCP_IPv6=false
DHCP_rapid_commit=false

And run repair:

pihole -r

The Pi-hole DHCP service will be enabled:

pi@ph5:~ $ sudo netstat -nltup | grep 'Proto\|:67 '
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
udp        0      0 0.0.0.0:67              0.0.0.0:*                           7445/pihole-FTL

You can check the logs for client activity with below:

grep dnsmasq-dhcp /var/log/pihole.log

Or tail the logs live:

tail -F /var/log/pihole.log | grep dnsmasq-dhcp

Ps. activate DHCP service on Pi-hole first before disabling the one on the router!
This because some routers re-initialize their interfaces when changing settings causing the clients to shortly lose connection and prematurely trying to acquire a DHCP lease while no DHCP service is active yet.
Also you'll have to renew DHCP leases on all the clients.
Usually disconnecting and reconnecting them does that.
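
The setupVars.conf edit described above (add the Conditional Forwarding keys, check for duplicates), as an added example that is not part of the original posts and is not Pi-hole's own code: a Python sketch that rewrites an existing key in place, drops duplicate definitions and appends missing keys. The function name and the sample file contents are constructed for illustration; the key names and values are the ones quoted in the post.

```python
import ipaddress

# Conditional Forwarding keys quoted in the post; values are the poster's LAN.
REV_SERVER_KEYS = {
    "DNS_FQDN_REQUIRED": "false",
    "DNS_BOGUS_PRIV": "false",
    "REV_SERVER": "true",
    "REV_SERVER_CIDR": "10.0.0.0/24",
    "REV_SERVER_TARGET": "10.0.0.2",
    "REV_SERVER_DOMAIN": "dehakkelaar.nl",
}


def merge_setup_vars(text, wanted):
    """Return (new_text, dropped) with every KEY=value in `wanted` set once.

    The first existing definition of a key is rewritten in place, later
    duplicates of any key are dropped, and missing keys are appended.
    """
    # Fail early on a malformed network or address (raises ValueError).
    if "REV_SERVER_CIDR" in wanted:
        ipaddress.ip_network(wanted["REV_SERVER_CIDR"], strict=True)
    if "REV_SERVER_TARGET" in wanted:
        ipaddress.ip_address(wanted["REV_SERVER_TARGET"])

    out, seen, dropped = [], set(), []
    for line in text.splitlines():
        key, sep, _ = line.partition("=")
        if not sep:              # blank or malformed line: keep untouched
            out.append(line)
            continue
        if key in seen:          # duplicate definition: keep only the first
            dropped.append(line)
            continue
        seen.add(key)
        out.append(f"{key}={wanted[key]}" if key in wanted else line)
    out += [f"{k}={v}" for k, v in wanted.items() if k not in seen]
    return "\n".join(out) + "\n", dropped


# Constructed sample, not a real installation's file.
SAMPLE = """PIHOLE_INTERFACE=eth0
PIHOLE_DNS_1=8.8.8.8
REV_SERVER=false
PIHOLE_DNS_1=8.8.8.8
"""

if __name__ == "__main__":
    new_text, dropped = merge_setup_vars(SAMPLE, REV_SERVER_KEYS)
    print(new_text, end="")
    print("dropped duplicates:", dropped)
```

Write the result back to /etc/pihole/setupVars.conf only after keeping a copy of the original, then run `pihole -r` and select repair as described above.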

I think I get what you are doing. From your setup, you probably do not even have a router in between. I really like it but I probably will not follow this route because if the raspberry fails, the whole family will be totally blind.

I wish I could just set Orbi DNSMasq to option 6. I will keep digging a little more and see if I can get it done...

Thanks for your input. It has been fun learning from all of you.

There is so much to learn. After cleaning up, the top domains start to make sense. However, a few confusing domains remain:

  1. https://app-measurement.com/sdk-exp
  2. useast-www-alb-138904782.us-east-1.elb.amazonaws.com
  3. 22.1.168.192.in-addr.arpa

For 1, I saw discussions about it before. I guess we just leave it alone.
For 2, it seems to be Amazon AWS related, should I blacklist it?
For 3, there seems to be a problem. It seems to be a self reverse referencing for 192.168.1.22. But I did not find a device with that IP on my network.

Any suggestions?

Also, about DHCP on Rpi, I might want to set it up and run it for a few weeks so that I understand what domains each device hits. Blacklist a few if I have to. And then turn it back to DHCP on Orbi. My concern is that if I am not at home, my family won't be able to just unplug/plug Orbi to fix some network problems (if DHCP is on Rpi). Is my understanding correct?

Thanks.

Without knowing which devices and installed apps are making those queries, it's hard to tell.

I run Pi-hole (with DHCP service enabled) on a dedicated Pi 1B to avoid issues.
It's been running for close to four years now without problems.

Yes, I made the change. I have a few legacy static IPs to take care of and then set up a strip of DHCP zone that has about 140 IPs controlled by RPi now. It has been a few days. It is running stable. Thanks for helping to get this done, so that I can target each IP and see what is going on. This way, I found Orbi marked a Nintendo Switch as a MacBook, which had me worried about having a mysterious device connected to our network.

Also, I have a regex domain question. If I need to open up a different discussion, please let me know.

I am still working on blocking youtube ads. I used a regex expression:
r[0-9]—sn-[a-z0-9]*.googlevideo.com$

Good news, it works. Bad news, it blocks everything. Since I do not have the GUI, can I just set the enable/disable column in the database manually? I want to ask because it can be messy if I manually change the database. Especially for this particular case, I might have to join a few tables.

I want to keep this regex in the tables so that I can turn it on when kids remote schooling, and turn off when they are not in school.

Thanks.

It won't work. There is no way to block Youtube ads (without blocking YT in general) with pihole, no blocklist will do it, no regex will do it.

sudo sqlite3 /etc/pihole/gravity.db "UPDATE domainlist SET enabled=1 where id=XXXX;"

Being able to quickly turn on/off is a feature, this should be advertised broadly as a plus for pihole.

So, the id in the vw_regex_blacklist will be the same as the one in the aggregated domainlist, with group type =3, am I right? This way I will be able to quickly look up the id in the shorter regex table. With this enable/disable key, pihole will instantly work as expected, am I right?

As I am digging a little more in this, I like pihole more and more. I am working on setting up an IKEv2 VPN server on the RPi. So that I can install an always on VPN for all kids' iOS devices, this way, they will have a consistent internet experience wherever/whenever, because I know that sooner rather than later, I will have to worry about this anyway.

For this purpose, I have a question, as the VPN server will be acting a little like a DHCP server. Will this potentially conflict with the DHCP conf from pihole? After the GUI conflict with Plex, I need to be careful and think about each step as I am slowly moving forward.

Again, thanks so much for help.

For devices that have a static IP configured and don't invoke DHCP, you can put them in below file:

pi@ph5:~ $ sudo nano /etc/pihole/custom.list
10.0.0.1 router
10.0.0.2 noads
10.0.0.3 nas

Reload:

pi@ph5:~ $ sudo service pihole-FTL reload
pi@ph5:~ $

And test:

C:\>nslookup nas pi.hole
Server:  ph5
Address:  10.0.0.4

Name:    nas
Address:  10.0.0.3

C:\>nslookup 10.0.0.3 pi.hole
Server:  ph5
Address:  10.0.0.4

Name:    nas
Address:  10.0.0.3

The earlier bare Raspi 1 and 2 models are not well suited for running a full-fledged VPN server.
This because they don't have gigabit but 100mbit instead thus all traffic, LAN and VPN, need to share that 100mbit.
And the DNS + Pi-hole gravity runs + VPN encryption + DHCP + routing going on might be a bit heavy for the Pi 1's.
Check out below official guide that also allows the option to only route DNS traffic through the VPN tunnel and let the regular traffic take the default route to internet provided by ISP router or phone operator:

https://docs.pi-hole.net/guides/vpn/overview/

And the ZeroTier way:

I forgot to add that you need to restart the DNS server after you made changes:

pihole restartdns reload-lists

Yes, the id should be the same.

See above. You need to tell Pihole that it should re-read the database.
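
The enable/disable toggle discussed above, as an added example that is not part of the original posts and is not Pi-hole's own code: instead of hard-coding the id, it looks the row up by its pattern among the type 3 (regex blacklist) entries of `domainlist` and flips `enabled`. The function names, the sample pattern and the sample database are constructed, and the sample table carries only the columns named in the thread plus `type` and `domain`.

```python
import sqlite3

REGEX_BLACKLIST = 3  # domainlist.type of regex blacklist entries, per the thread
SAMPLE_PATTERN = r"(^|\.)video-cdn\.example$"  # constructed pattern


def set_regex_enabled(db_path, pattern, enabled):
    """Enable or disable one regex blacklist entry and return its id.

    Refuses to act unless exactly one type-3 row matches the pattern.
    """
    con = sqlite3.connect(db_path)
    try:
        rows = con.execute(
            "SELECT id FROM domainlist WHERE type = ? AND domain = ?",
            (REGEX_BLACKLIST, pattern),
        ).fetchall()
        if len(rows) != 1:
            raise LookupError(f"expected 1 matching regex, found {len(rows)}")
        entry_id = rows[0][0]
        with con:  # commits on success, rolls back on error
            con.execute(
                "UPDATE domainlist SET enabled = ? WHERE id = ?",
                (1 if enabled else 0, entry_id),
            )
        return entry_id
    finally:
        con.close()


def is_enabled(db_path, entry_id):
    """Read back the enabled flag of one domainlist row."""
    con = sqlite3.connect(db_path)
    try:
        row = con.execute(
            "SELECT enabled FROM domainlist WHERE id = ?", (entry_id,)
        ).fetchone()
        return bool(row[0])
    finally:
        con.close()


def make_sample_db(db_path):
    """Constructed stand-in for gravity.db, for trying the toggle offline."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute(
            "CREATE TABLE domainlist (id INTEGER PRIMARY KEY, type INTEGER,"
            " domain TEXT, enabled INTEGER DEFAULT 1)"
        )
        con.executemany(
            "INSERT INTO domainlist (type, domain) VALUES (?, ?)",
            [(1, "ads.example.com"), (REGEX_BLACKLIST, SAMPLE_PATTERN)],
        )
    con.close()
```

Against the real /etc/pihole/gravity.db this needs root, and the change only takes effect after `pihole restartdns reload-lists`, as noted in the reply above.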

Thanks for information. Pihole provided a conf file where we can specify static IP for given MACs. It worked very well for me.

I spent the weekend getting the IKEv2 VPN on RPi 4. It has been running for 1 day. Now I have DNS + DHCP + VPN + Plex running, CPU temp is higher than before, 45 C vs 43 C. But it seems holding up fine.

I went with Strongswan IKEv2 setup because IKEv2 is well supported by iOS, my long time goal is to have all kids' devices hard wired with this VPN, always on. So that I would not worry about what internet kids have access to, and they can also watch their videos wherever they are. I am slowly moving towards that direction.

Also, Strongswan provided some extra packages, DHCP and FARP, which will make the remote clients act as if they are just connected to the local LAN. So it serves my purpose perfectly. There is no conflict with any other services that I am running on RPi 4, as of yet....

The setup is okay, I made some stupid mistakes myself. After reading a lot of documents, I finally made my way out. If anyone wants to do the same, I would be happy to help. This seems to be a very helpful and friendly community and I learnt a lot from here.