Unbound - Pihole

From Marmits Wiki
Latest revision as of 30 August 2024, 17:23

== NetworkManager DNS ==
*[[Bookworm#NetworkManager_DNS|See local DNS on the PiHole server]]
*[https://www.dnscheck.tools/ dnscheck.tools]

== Unbound ==
* https://www.azurs.net/carnet/2016/02/serveur-dns-local-sur-raspberry-pi-sous-arch-linux-arm/

=== Services ===
<pre>
Local DNS with unbound and pihole:
unbound with a config for pihole in /etc/unbound/unbound.conf.d/pi-hole.conf
and a config for the local domains in /etc/unbound/unbound.conf.d/local.conf
/etc/unbound/unbound.conf.d
unbound-checkconf
sudo service unbound restart

#logrotate
touch /var/log/unbound.log
sudo chmod 640 /var/log/unbound.log
sudo chown unbound:unbound /var/log/unbound.log

# /etc/logrotate.d/unbound
/var/log/unbound.log
{
        rotate 7
        weekly
        missingok
        notifempty
        delaycompress
        compress
        size 1M
        create 640 unbound unbound
        postrotate
            service unbound restart
        endscript
}

#force a logrotate run
sudo logrotate -f /etc/logrotate.d/unbound
</pre>
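The page names /etc/unbound/unbound.conf.d/local.conf for the local domains but does not show what goes in it. The following is an added example, not the wiki's own configuration: a shell helper that renders such a fragment, validates it (with unbound-checkconf when Unbound is installed, otherwise with a line-shape check of our own) and installs it using the page's check-then-restart sequence. The zone home.lan, the hostnames and the addresses are constructed; the Unbound directives used (local-zone, local-data, local-data-ptr, private-domain) are real ones.

```shell
#!/bin/sh
# Added example, not from the Marmits wiki: generate the local.conf the page
# mentions and sanity-check it before reloading Unbound.
# The zone "home.lan" and the host=ip pairs are constructed placeholders.

# Print an Unbound server: fragment that answers for a private zone locally.
# Usage: render_local_conf ZONE host=ip [host=ip ...]
render_local_conf() {
    zone="$1"; shift
    printf 'server:\n'
    # "static": answer only from the local-data below. A name in the zone
    # that has no entry gets NXDOMAIN instead of being forwarded upstream,
    # so internal hostnames never leak to the internet.
    printf '    local-zone: "%s." static\n' "$zone"
    # Allow RFC 1918 answers for this zone despite private-address filtering.
    printf '    private-domain: "%s."\n' "$zone"
    for pair in "$@"; do
        host="${pair%%=*}"
        ip="${pair#*=}"
        printf '    local-data: "%s.%s. IN A %s"\n' "$host" "$zone" "$ip"
        printf '    local-data-ptr: "%s %s.%s"\n' "$ip" "$host" "$zone"
    done
}

# Check a config file. Uses unbound-checkconf when Unbound is installed;
# otherwise falls back to a line-shape check (every directive must read
# "key: value" or be a clause header such as "server:").
check_conf() {
    f="$1"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        if unbound-checkconf "$f" >/dev/null 2>&1; then return 0; else return 1; fi
    fi
    if grep -vE '^[[:space:]]*(#|$)' "$f" \
        | grep -vqE '^[[:space:]]*[a-z0-9-]+:([[:space:]]+.+)?$'; then
        return 1   # at least one malformed line
    fi
    return 0
}

# Write the fragment into Unbound's include directory and restart only if
# it validates (the wiki's own order: unbound-checkconf, then restart).
# Usage (as root): install_local_conf /etc/unbound/unbound.conf.d/local.conf home.lan nas=192.168.1.10
install_local_conf() {
    dest="$1"; shift
    tmp="$(mktemp)" || return 1
    render_local_conf "$@" > "$tmp"
    if check_conf "$tmp"; then
        install -m 644 "$tmp" "$dest" && rm -f "$tmp"
        service unbound restart
    else
        echo "refusing to install $dest: config did not validate" >&2
        rm -f "$tmp"
        return 1
    fi
}
```

The `static` zone type is the security-relevant choice: with the default `transparent` type, a lookup for a name that has no local-data entry would still be forwarded to the upstream resolver, which quietly leaks internal hostnames.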

=== DNSSEC ===
[https://wiki.debian-fr.xyz/Utiliser_Unbound_avec_DNSSEC Using Unbound with DNSSEC]
[https://nlnetlabs.nl/documentation/unbound/howto-anchor/ howto unbound-anchor]
<pre>
dig com. SOA +dnssec
</pre>
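To read the result of the `dig com. SOA +dnssec` check, here is an added example (not from the wiki) that classifies a dig answer by its status and by the `ad` flag in the header; the three headers at the bottom are constructed for a dry run, not output captured from a real server.

```shell
#!/bin/sh
# Added example, not from the wiki: decide from a dig answer whether the
# resolver validated the response. dnssec_verdict reads dig output on
# stdin, so it can be tried offline on the constructed headers below.

# Prints one of: validated, unvalidated, servfail, unknown.
dnssec_verdict() {
    out="$(cat)"
    status="$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)"
    flags="$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([a-z ]*\);.*/\1/p' | head -n 1)"
    case "$status" in
        SERVFAIL) echo servfail; return 0 ;;   # validation failed, or upstream unreachable
        NOERROR|NXDOMAIN) ;;
        *) echo unknown; return 0 ;;
    esac
    # "ad" (authenticated data) is only set when the resolver validated the
    # answer; dig's +dnssec sets the DO bit, so a validating resolver returns it.
    case " $flags " in
        *" ad "*) echo validated ;;
        *) echo unvalidated ;;
    esac
}

# Live check against a resolver, e.g.: dnssec_check com. @127.0.0.1
dnssec_check() {
    name="$1"; shift
    dig "$@" "$name" SOA +dnssec | dnssec_verdict
}

# Constructed dig headers (not captured from a real server) for a dry run:
HEADER_VALIDATED=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
HEADER_FORWARDER=';; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4243
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1'
HEADER_BOGUS=';; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 4244
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1'
```

An answer without `ad` means the resolver you asked did not validate (for instance a plain forwarder, or a query that went to the ISP resolver instead of unbound); a SERVFAIL for a signed zone such as com. usually means validation itself is broken, typically the trust anchor problem covered in the next section.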

=== Encrypted? ===
These directives make unbound serve DNS over TLS on port 853 with its own key and certificate:
<pre>
server:
interface: 2001:db8:1::dead:beef@853
ssl-service-key: "/etc/unbound/unbound_server.key"
ssl-service-pem: "/etc/unbound/unbound_server.pem"
ssl-port: 853
</pre>

=== fail: the anchor is NOT ok and could not be fixed ===
If the unbound DNS server is not working:
<pre>
sudo service unbound status
=>
systemd[1]: Starting Unbound DNS server...
package-helper[499]: /var/lib/unbound/root.key has content
package-helper[499]: fail: the anchor is NOT ok and could not be fixed
systemd[1]: Started Unbound DNS server.

solution:
sudo wget -O /var/lib/unbound/root.hints https://www.internic.net/domain/named.root
</pre>
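The fix above overwrites root.hints in place with wget, so an interrupted or failing download replaces the file with an empty or partial one. Here is an added example, not the wiki's code: the same download and paths, but staged through a temporary file and validated before installation, followed by the page's own unbound-checkconf and restart sequence. Requiring A records for all 13 root servers is our validation rule; the sample files used to exercise it are constructed.

```shell
#!/bin/sh
# Added example, not from the wiki: refresh root.hints as the page does, but
# download to a temporary file and validate it before replacing the live
# copy, so a failed or truncated download cannot leave Unbound with an
# empty or partial hints file. Paths are the page's; the rule is ours.

# Accept a hints file only if it lists A records for all 13 root servers.
validate_root_hints() {
    f="$1"
    [ -s "$f" ] || return 1
    n="$(grep -ciE '^[A-M]\.ROOT-SERVERS\.NET\.[[:space:]]+[0-9]+[[:space:]]+A[[:space:]]' "$f" || true)"
    [ "$n" -ge 13 ]
}

# Download, validate, install with the ownership the page uses for unbound
# files, then run the page's own check/restart sequence. Run as root.
refresh_root_hints() {
    dest="${1:-/var/lib/unbound/root.hints}"
    tmp="$(mktemp)" || return 1
    if wget -q -O "$tmp" https://www.internic.net/domain/named.root \
       && validate_root_hints "$tmp"; then
        install -m 644 -o unbound -g unbound "$tmp" "$dest" && rm -f "$tmp"
        unbound-checkconf >/dev/null && service unbound restart
    else
        echo "root hints download failed validation; keeping $dest" >&2
        rm -f "$tmp"
        return 1
    fi
}
```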

=== Configuring the resolver address ===
[https://papy-tux.legtux.org/doc1150/index.php Configuring the resolver address]

The unbound resolver address is 127.0.0.1 and must be configured in <code>/etc/resolv.conf</code>. To make the address persistent, so that it is not replaced by the ISP's DNS addresses at every reconnection:
install openresolv


== pihole ==
* https://docs.pi-hole.net/core/pihole-command/
* https://mediacenterz.com/tutoriel-complete-pi-hole-bloqueur-dannonces-pour-toute-la-maison/

=== pihole ===
<pre>
#update pihole (no apt package)
pihole -up (the admin directory must be in /var/www/html)

#restart
pihole -a -i

#restart the DNS service
pihole restartdns

#search the blocklists for a term
pihole -q -all facebook.com

pihole -q -adlist -exact facebook.com
</pre>

<pre>
pihole status
sudo netstat -nltup | grep 'Proto\|:53 \|:67 \|:80 \|:471'
</pre>

<pre>
pihole : core
pihole -w, pihole -b, pihole -regex, pihole -wild : Whitelisting, Blacklisting and Regex
pihole debug : Debugger
pihole flush : Log Flush
pihole reconfigure : Reconfigure
pihole tail : Tail
pihole -a : Admin
pihole chronometer : Chronometer
pihole updateGravity : Gravity
pihole logging : Logging
pihole query : Query
pihole updatePihole : Update
pihole version : Version
pihole uninstall : Uninstall
pihole status : Status
pihole enable : Enable & Disable
pihole restartdns : Restart DNS
pihole checkout : Checkout
</pre>

=== Ports ===
<pre>
We need ports 53, 80, and 4711. Port 80 is optional if you decide not to install the Web dashboard during installation.

Port 53 (DNS) should be used by dnsmasq
TCP/UDP
If you happen to have another DNS server running, such as BIND, you will need to turn it off in order for Pi-hole to respond to DNS queries.

Port 80 (HTTP) should be used by lighttpd
TCP
If you have another Web server already running, such as Apache, Pi-hole's Web server will not work. You can either disable the other Web server or change the port on which lighttpd listens, which allows you to keep both Web servers running.

Port 4711 should be used by pihole-FTL
TCP
FTL is our API engine and by default uses port 4711, but will increment if it's already in use by something else
FTL is our API engine and uses port 4711 on the localhost interface. This port should not be accessible from any other interface.

Port 67 (DHCP) should be used by DHCP
IPv4 UDP
(optional) no DHCP service here
The DHCP server is an optional feature that requires additional ports.

Port 547 should be used by DHCPv6
IPv6 UDP
(optional) no DHCP service here
The DHCP server is an optional feature that requires additional ports.
Info:
The use of lighttpd on port 80 is optional if you decide not to install the Web dashboard during installation. The use of pihole-FTL on ports 67 or 547 is optional, but required if you use the DHCP functions of Pi-hole.
</pre>
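To act on the note above that port 4711 must not be reachable from any interface other than localhost, here is an added example (not from the wiki or from Pi-hole) that reads the output of the `sudo netstat -nltup` one-liner used earlier on this page and flags pihole-FTL listening on a non-loopback address. The netstat output embedded below is constructed for illustration, not captured from a real host.

```shell
#!/bin/sh
# Added example, not from the wiki: audit the listeners shown by the page's
# netstat one-liner. Reads "netstat -nltup" output on stdin and flags any
# listener on pihole-FTL's port 4711 bound to a non-loopback address, since
# the page says that port must only be reachable locally. The two sample
# outputs at the bottom are constructed.

# Prints "port proto host program status" for the ports the page lists.
audit_listeners() {
    awk '
        $1 ~ /^(tcp|udp)6?$/ {
            addr = $4
            n = split(addr, p, ":")
            port = p[n]
            host = substr(addr, 1, length(addr) - length(port) - 1)
            split($NF, pp, "/")                 # "512/pihole-FTL" -> name
            prog = (pp[2] == "" ? "-" : pp[2])  # "-" when run without sudo
            loopback = (host == "127.0.0.1" || host == "::1")
            status = "ok"
            if (port == "4711" && !loopback) status = "EXPOSED"
            if (port == "53" || port == "67" || port == "80" || port == "547" || port == "4711")
                print port, $1, host, prog, status
        }'
}

# Number of EXPOSED findings; 0 means port 4711 is loopback-only.
exposed_count() {
    audit_listeners | grep -c EXPOSED || true
}

# Constructed sample: the expected layout (4711 on 127.0.0.1 only).
SAMPLE_OK='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:53              0.0.0.0:*               LISTEN      512/pihole-FTL
tcp        0      0 127.0.0.1:4711          0.0.0.0:*               LISTEN      512/pihole-FTL
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      480/lighttpd
tcp6       0      0 :::53                   :::*                    LISTEN      512/pihole-FTL
udp        0      0 0.0.0.0:53              0.0.0.0:*                           512/pihole-FTL
udp        0      0 127.0.0.1:5335          0.0.0.0:*                           398/unbound'

# Constructed sample: the misconfiguration the page warns about.
SAMPLE_BAD='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:4711            0.0.0.0:*               LISTEN      512/pihole-FTL
tcp6       0      0 :::4711                 :::*                    LISTEN      512/pihole-FTL'

# Live use: sudo netstat -nltup | exposed_count
```

Wildcard binds on 53 and 80 are expected for a DNS server and its dashboard and are printed as `ok` so the whole picture is visible; only 4711 is held to the loopback-only rule the page states.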

=== pihole database ===
* https://docs.pi-hole.net/ftldns/database/
<pre>
#sqlite3
/etc/pihole/pihole-FTL.db

#backup from a cron job
sqlite3 /etc/pihole/pihole-FTL.db ".backup /home/pi/pihole-FTL.db.backup"
</pre>
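An added example (not the wiki's script) that turns the one-line `.backup` above into something safe to run from the cron job the page mentions: dated copies, an integrity check on each copy, owner-only permissions, and pruning of old copies. Paths default to the page's; the 14-day retention and the script name in the crontab comment are our assumptions.

```shell
#!/bin/sh
# Added example, not from the wiki: the page's sqlite3 ".backup" in a form
# suitable for a cron job. The copy goes to a dated file, is verified with
# PRAGMA integrity_check, and old copies are pruned. Paths default to the
# page's; the retention period is our choice.

# Usage: backup_ftl_db [SRC_DB] [DEST_DIR] [KEEP_DAYS]; prints the new file.
backup_ftl_db() {
    src="${1:-/etc/pihole/pihole-FTL.db}"
    dir="${2:-/home/pi}"
    keep="${3:-14}"
    mkdir -p "$dir" || return 1
    out="$dir/pihole-FTL-$(date +%Y%m%d-%H%M%S).db"
    # .backup uses SQLite's online backup API, so the copy is consistent
    # even while pihole-FTL keeps the database open and writes to it.
    sqlite3 "$src" ".backup $out" || { echo "backup of $src failed" >&2; return 1; }
    # Query history is personal data: readable by the owner only.
    chmod 600 "$out"
    verify_backup "$out" || { echo "$out failed integrity check" >&2; rm -f "$out"; return 1; }
    # Prune copies older than KEEP_DAYS.
    find "$dir" -maxdepth 1 -name 'pihole-FTL-*.db' -mtime +"$keep" -exec rm -f {} +
    echo "$out"
}

# A backup is only worth keeping if SQLite can read every page of it.
verify_backup() {
    [ "$(sqlite3 "$1" 'PRAGMA integrity_check;')" = "ok" ]
}

# Crontab line (hypothetical script path; run by a user that can read the
# database):
# 0 3 * * * /usr/local/bin/backup-ftl-db.sh
```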

=== Block lists ===
* [https://www.malekal.com/les-meilleures-listes-de-blocage-adlists-pour-pi-hole/ Block lists]
* [https://fleuryk.kappatau.fr/pihole-blocklist/ pihole-blocklist]
* https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/ParsedBlacklists/Block-EU-Cookie-Shit-List.txt
* https://raw.githubusercontent.com/deathbybandaid/piholeparser/master/Subscribable-Lists/CountryCodesLists/France.txt
* https://easylist-downloads.adblockplus.org/liste_fr%2Beasylist.txt
* https://blocklist.site/app/dl/malware
* https://blocklist.site/app/dl/ransomware
* https://blocklist.site/app/dl/phishing
* https://blocklist.site/app/dl/ads
* https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw/343ff780e15205b4dd0de37c86af34cfb26b2fbe/MS-2
* https://raw.githubusercontent.com/anudeepND/youtubeadsblacklist/master/domainlist.txt
* https://blocklist.site/app/dl/spam
* https://hosts.ubuntu101.co.za/domains.list
* https://hosts.ubuntu101.co.za/ips.list

=== update pihole ===
<pre>
pihole -up
</pre>

=== Parental control ===
<pre>
#block
pihole --wild facebook.com
#unblock
pihole --wild -d facebook.com
</pre>
[https://tutox.fr/2019/05/27/mettre-en-place-un-controle-parental-avec-pihole/ parental control with pihole]

== DNS-Over-HTTPS (DoH) ==
As a replacement for unbound, on 127.0.0.1#5053
: [https://pimylifeup.com/rapberry-pi-dns-over-https/ install cloudflared and use quad9, for example]

[[Catégorie: Raspian]]