I wanted to stop relying on browser extensions for ad blocking and do it at the network level instead: blockers are often resource intensive, and sites can detect them and restrict access until they are disabled. There is also very little you can do about ads on mobile devices unless you root or jailbreak them.
By doing this across my network, I can eliminate ads and improve the general security of the network: as most will know, malicious ads are a real thing and ad networks are riddled with them. It also helps the mobile devices around the house, as my parents can carry on playing their mobile games without being bombarded with advertisements.
I also wanted to segment my Internet of Things devices, or as I like to call them, the Internet of Shit. It’s probably not a good idea to call your SSID “internet of shit” like I did, as you will get a telling off from your neighbour.
For this, I used VLANs and firewall rules and created a separate SSID for each of the networks:
Network | Trust | Purpose |
---|---|---|
Main | Full | Connect to the internet and other devices on the network |
Internet of Shit | Minimal | Connect to the internet and respond to requests from the main network (e.g. multicasting) |
Guests | Zero | Connect to the internet |
I have the following LAN In firewall rules so that my IoT devices can only go out to the internet but can still respond to requests from my main network, and I have the mDNS service turned on.
Rule Index | Name | Action | Protocol | Source | Destination |
---|---|---|---|---|---|
2000 | Allow Established/related sessions | Accept | All | Network: IoT, Type: IPv4 Subnet | Network: LAN, Type: IPv4 Subnet |
4000 | drop IoT to Main | Drop | All | Network: IoT, Type: IPv4 Subnet | Network: LAN, Type: IPv4 Subnet |
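To see why rule 2000 has to sit above rule 4000, here is a small Python model of those two LAN In rules with a toy connection-tracking table. This is an added example, not UniFi's code; the subnets 192.168.1.0/24 (main) and 192.168.20.0/24 (IoT) and the host addresses are assumed.

```python
from dataclasses import dataclass, field
from ipaddress import IPv4Network, ip_address, ip_network

IOT = ip_network("192.168.20.0/24")  # assumed IoT VLAN subnet (not from the post)
LAN = ip_network("192.168.1.0/24")   # assumed main LAN subnet (not from the post)

@dataclass
class Rule:
    index: int
    name: str
    action: str         # "accept" or "drop"
    src: IPv4Network
    dst: IPv4Network
    state: str = "any"  # "any", or "established" for established/related only
# The two LAN In rules from the table above, keyed by UniFi's rule index.
RULES = [
    Rule(2000, "Allow Established/related sessions", "accept", IOT, LAN, "established"),
    Rule(4000, "drop IoT to Main", "drop", IOT, LAN),
]

@dataclass
class Firewall:
    rules: list
    conntrack: set = field(default_factory=set)  # (src, dst) pairs already accepted
    def is_established(self, src, dst):
        # Toy connection tracking: the packet belongs to an established session
        # if the reverse direction was accepted earlier.
        return (dst, src) in self.conntrack

    def evaluate(self, src, dst):
        """Apply rules lowest index first; first match wins, default is accept."""
        s, d = ip_address(src), ip_address(dst)
        action = "accept"
        for rule in sorted(self.rules, key=lambda r: r.index):
            if s not in rule.src or d not in rule.dst:
                continue
            if rule.state == "established" and not self.is_established(src, dst):
                continue
            action = rule.action
            break
        if action == "accept":
            self.conntrack.add((src, dst))
        return action

def simulate(rules):
    """Main-network host contacts an IoT device, then it replies: (request, reply)."""
    fw = Firewall(rules)
    request = fw.evaluate("192.168.1.5", "192.168.20.10")  # constructed hosts
    reply = fw.evaluate("192.168.20.10", "192.168.1.5")
    return request, reply
```

With the rules in the order shown, the IoT reply is accepted; if the drop rule were given the lower index, the same reply would be dropped and the main network could not talk to IoT devices at all.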
I also wanted to control the upstream DNS. While I’ve always been a fan of just using 1.1.1.1, it gave me no control over what is or isn’t blocked. This is where Cloudflare for Teams comes in: it essentially gives you your own Cloudflare 1.1.1.1 service, which you can configure to block or allow whichever categories, URLs and domains you choose. https://www.cloudflare.com/en-gb/teams/
I also plan to move to a zero trust model and remove the dependency on a VPN for reaching my internal resources when I am away from the network, which gave me more reason to use Cloudflare for Teams.
To achieve this, I created two Pi-hole VMs on my ESX host. If you wanted, you could also install Pi-hole on a Raspberry Pi (hence the name) or use a Docker container.
I followed the instructions on Pi-hole’s GitHub page to install it on Ubuntu: https://github.com/pi-hole/pi-hole/#one-step-automated-install (it’s basically a one-liner).
The installer then gives you the option to choose your upstream provider, but I did not want this: I wanted to use DNS over HTTPS (DoH). Unfortunately, Pi-hole does not support this out of the box, so this is where cloudflared comes in. You will need to install it on the operating system that Pi-hole runs on.
I will write a later blog post, and link to it here, on how to install cloudflared and configure it to use your Cloudflare for Teams service, as by default it points to 1.1.1.1. If you wish, you could also use cloudflared to point at Quad9 or Google’s DoH endpoint, for example. Again, I will touch on this in a later blog post.
All I had to do now was point my router’s DNS settings at both Pi-holes; in my case I am using UniFi.
Now, obviously a user could change the DNS servers on their device and bypass all of this, which is fine, as I wanted this to “just work” when you connect to the network, which it does. If you wanted to be that guy and force people to only use the Pi-holes, you could block outbound requests on port 53 with a WAN Out reject rule (in the case of UniFi); bear in mind that a device doing its own DoH over port 443 would not be caught by a port 53 rule.
Once this is all done, this is what the flow now looks like:
Your device asks the Pi-holes for the address of facebook.com. Pi-hole consults its blocklist; if the domain is blocked, it returns 0.0.0.0 and the domain becomes unreachable. Otherwise, Pi-hole forwards the request to cloudflared, which encrypts it with DoH and sends it to Cloudflare for Teams. Cloudflare for Teams consults the blocklist of malicious sites you have configured, and if the domain is blocked, returns a Cloudflare IP that directs you to https://blocked.teams.cloudflare.com/?url=url.com, which says that access is restricted.
The experience is completely transparent to the devices on your network and just works, because you control the DNS: if something is blocked or allowed by Pi-hole or upstream by Cloudflare, you can change it to allow or block as you see fit.