I'm wondering if anyone has used PiHole to secure anything more than their homelab or personal network?
Context: I just started using Pi-hole this week. From what I've seen so far, if configured properly, Pi-hole on a lightweight distro offers tremendous value for the $ in terms of hardening a network from threats (not just ads & tracking). It sparked a debate with a friend with 10+ years as a sysadmin: their view is that it would be better for a small business to invest that money in a highly-rated vendor security device, e.g. a UniFi Express router, and just use OpenDNS to handle network filtering. My friend was STRONGLY against the idea of using a Raspberry Pi or Pi-hole for anything outside of a homelab or personal project, and I'm curious what this community might have to say about that.
Pi-hole is not a security product and won't secure either your homelab or personal network.
Pi-hole is a domain blocker (runs on the DNS port - 53). You tell Pi-hole which domains to block (either by subscribing to public adlists or by directly entering your own domains to block).
While writing this, I am on a video conference with a group that has 8 CubeSats based on the Raspberry Pi 4 in space. Maybe the above sentence was true for the Raspberry Pi 1/2, but not for the 3/4/5.
In the default configuration, you're right in that Pi-hole is designed to block ads and tracking. But even by default, it does prevent user data from being collected and later sold to less reputable data brokers.
That said, the Raspberry Pi and Pi-hole can easily be configured to block traffic to known and knowable sites that host malware, cryptojacking, and ransomware, to name a few, using just one of the several curated OSINT sources I've come across this week: GitHub - blocklistproject/Lists: Primary Block Lists.
While not its initial design, so far I'm finding that in practice, with a bit more configuration and hardening, Pi-hole is an easy-to-use defense-in-depth networking solution that blocks anything that made it past your firewall. Its accessibility through the admin console makes it a more viable solution than I believe people are giving it credit for.
That said, jfb, I have to respect that you have your reasons for saying it is not a security product. I'm just a bit more curious about what they are. Feel free to DM me.
Thing is, with Pi-hole alone, you would not be able to prevent users from changing DNS settings on the client to bypass Pi-hole.
Or users configuring devices to use DoT or browsers to use DoH.
So it's lacking that "security" aspect if you expect all DNS queries to be processed by Pi-hole.
Combine Pi-Hole with Unbound and Wireguard and you have a very competitive security setup that can compete with the likes of Sophos UTM (retired). I used Sophos UTM for 10 years until the Dell died on me. I used to have an IT consultant business (retired) focused solely on small and medium size businesses. Had I known about what I can do with Pi-Hole, I would have recommended the above configuration instead of Sophos UTM to my customers. With Pi-Hole, Unbound, Wireguard, and an ER605 router:
1. Pi-Hole (blocking domains, including ads, tracking, redirects, crypto, ransomware, malware, etc.)
2. Unbound (privacy and speed)
3. Wireguard (encryption and privacy, etc.). Used on iPhone, Android TV, etc.
4. ER605 - lockdown mode (FW rules enforcing that all devices on multiple VLANs only use Pi-Hole: allow DNS traffic to Pi-Hole, block all else).
This is hardly the case. Pi-hole works at the domain level only. Malware or other tracking methods can be sent by a URL that has a domain that is not blocked. JavaScript, tracking links, other elements linked in a URL, etc.
It is easy to bypass Pi-hole by using IPs instead of domain names, or by using any method of DNS bypass (hard coding a DNS server, using DoH or DoT, etc.).
I wouldn't suggest relying on any single device; it will inevitably become a single point of failure. Using defense-in-depth, you implement layers of protection on what matters most to you.
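The lockdown-mode post above relies on the router only allowing DNS to Pi-hole, and the reply points out that clients can bypass it with a hard-coded resolver, DoT or DoH. As an added example (not code from the thread or from the Pi-hole project), here is a small check that scans constructed flow-log lines for those three bypass patterns; the Pi-hole address, the key=value log format and the short resolver list are assumptions.

```python
import re

# Constructed flow-log lines in an assumed key=value format (not any real
# router's format); each line is one client flow leaving a VLAN.
SAMPLE_FLOWS = [
    "src=192.168.10.21 dst=192.168.10.2 proto=udp dport=53",   # to Pi-hole: fine
    "src=192.168.10.21 dst=8.8.8.8 proto=udp dport=53",        # hard-coded DNS
    "src=192.168.20.7 dst=1.1.1.1 proto=tcp dport=853",        # DNS-over-TLS
    "src=192.168.20.7 dst=1.1.1.1 proto=tcp dport=443",        # probable DoH
    "src=192.168.20.9 dst=203.0.113.10 proto=tcp dport=443",   # ordinary HTTPS
]

PIHOLE_IP = "192.168.10.2"  # assumed address of the Pi-hole

# Small sample of public resolvers that also answer DoH on 443; a real
# deployment would maintain a much fuller list.
DOH_RESOLVERS = {"1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9"}

FLOW_RE = re.compile(r"src=(\S+) dst=(\S+) proto=(\S+) dport=(\d+)")

def classify_flow(line, pihole_ip=PIHOLE_IP):
    """Return (src, dst, reason) if the flow sidesteps Pi-hole, else None."""
    m = FLOW_RE.search(line)
    if not m:
        return None  # unparseable line: ignore rather than guess
    src, dst, _proto, dport = m.group(1), m.group(2), m.group(3), int(m.group(4))
    if dport == 53 and dst != pihole_ip:
        return (src, dst, "plain DNS to a resolver other than Pi-hole")
    if dport == 853:
        return (src, dst, "DNS-over-TLS: Pi-hole never sees the query")
    if dport == 443 and dst in DOH_RESOLVERS:
        return (src, dst, "HTTPS to a known DoH resolver (probable DoH)")
    return None  # everything else is not a DNS bypass by these heuristics

def find_bypasses(lines, pihole_ip=PIHOLE_IP):
    """Collect every flagged flow from an iterable of log lines."""
    return [r for r in (classify_flow(l, pihole_ip) for l in lines) if r]

if __name__ == "__main__":
    for src, dst, why in find_bypasses(SAMPLE_FLOWS):
        print(f"{src} -> {dst}: {why}")
```

A flagged client is exactly the case the "block all else" firewall rule is meant to stop; if such flows still appear, the rule is not covering that VLAN.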
Fair enough, I shouldn't have said it blocks anything: it wouldn't handle anything that doesn't use DNS, like .onion and direct IP addresses. These are risk factors in its efficacy, but every tool has limitations.