
The project that protects your devices

The Pi-hole_list project aims to lock down and secure an entire network from a single device of your own. In this repository both tools are installed via Docker®. Pi-hole® and AdGuard Home® are DNS sinkholes: they protect every device on the network from unwanted content without installing any software on the clients.

Network-wide ad blocking via your own hardware.

Links to installation and developer

| Project | Installer link | Developer link |
| --- | --- | --- |
| AdGuard Home® | INSTALLATION | DEVELOPER |
| Pi-hole® | INSTALLATION | DEVELOPER |


⚠️ This README has been translated into Spanish ➡️ here.

Details

These lists were created because I wanted finer control over what gets blocked: many lists are all-or-nothing. The lists in this repository are tested and block only what is unnecessary, which is why I recommend them.

Versions:

Original version:

 All URLs in this version are preceded by an IP address in the txt or hosts file:

  0.0.0.0 example.com – returns the address 0.0.0.0 for the domain example.com (but not for its subdomains).

  127.0.0.1 example.com – returns the address 127.0.0.1 for the domain example.com (but not for its subdomains).

  Of the two, 0.0.0.0 is the usual choice: it never identifies a real host, whereas 127.0.0.1 is the client's own loopback address and can collide with a web server or other service listening there. Pi-hole ignores the address part when it imports a hosts-format list and answers blocked queries according to its own blocking mode.

 
Version without IP on the left:

 In this version the URLs are not preceded by an IP address in the txt or hosts file:

  example.com

Some users have reported that certain devices give an error if the URL is preceded by an IP address.

 
AdGuard version:

 All entries in the **AdGuard** version of the list use AdGuard's own filtering syntax:

  ||example.org^ – blocks access to the domain example.org and all its subdomains.

  @@||example.org^ – unblocks access to the domain example.org and all its subdomains (an exception rule).

  /REGEX/ – blocks access to domains matching the regular expression. For example, the rule /example.*/ blocks hosts matching example.*

  $ – the delimiter that marks the rest of the rule as modifiers. Modifiers go at the end of the rule after the $ character, separated by commas, for example ||example.org^$important.

  $important – raises the priority of the rule above any rule without the modifier, including basic exception rules.

  * – the wildcard character. It stands for any sequence of characters, including the empty string.

  ^ – the separator character. Unlike browser ad blocking, there is nothing to separate inside a hostname, so its only purpose is to mark the end of the hostname.

  | – anchors the mask to the beginning or the end of the hostname, depending on where the character is placed. For example, the rule ample.org| matches example.org but not example.org.com, and |example matches example.org but not test.example.org.

The syntax above is current as of AdGuard Home v0.107.2; it is the DNS filtering syntax supported by AdGuard Home.

 
Comments in the lists:

 Comment lines, in every version of the list, look like this:

  # comment – just a comment

  ! comment – just a comment
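To make the three formats concrete, here is an added evaluator (example code written for this README, not part of Pi-hole_list, Pi-hole or AdGuard Home) that parses lines in hosts, domain-only and AdGuard syntax and says whether a queried name is blocked, applying the subdomain and precedence rules described above. Two points are assumptions, marked in the code: a bare domain line is treated exactly like the hosts line it was derived from (exact host only), and an exception wins when two $important rules collide. The sample list is constructed.

```python
"""Reference evaluator for hosts-style, domain-only and AdGuard list lines.
Added example, not code from Pi-hole_list, Pi-hole or AdGuard Home."""
import re
from dataclasses import dataclass
from typing import List, Optional

# hosts style: an IPv4 address (or ::/::1) followed by one hostname
_HOSTS_RE = re.compile(r"^(?:\d{1,3}(?:\.\d{1,3}){3}|::1?)\s+([^\s#]+)")


@dataclass
class Rule:
    kind: str                 # "exact", "adguard" or "regex"
    regex: re.Pattern
    allow: bool = False       # True for @@ exception rules
    important: bool = False   # True when the $important modifier is present
    source: str = ""


def _adguard_to_regex(pattern: str) -> re.Pattern:
    """Translate the DNS subset of AdGuard syntax (||, |, ^, *) into a regex
    applied with re.search, so an unanchored mask matches anywhere."""
    prefix = suffix = ""
    if pattern.startswith("||"):
        pattern, prefix = pattern[2:], r"(?:^|\.)"   # the host or any subdomain
    elif pattern.startswith("|"):
        pattern, prefix = pattern[1:], "^"            # start of the hostname
    if pattern.endswith("|"):
        pattern, suffix = pattern[:-1], "$"           # end of the hostname
    body = ""
    for ch in pattern.lower():
        if ch == "*":
            body += ".*"      # any run of characters, possibly empty
        elif ch == "^":
            body += "$"       # separator: in DNS it only marks the end of the name
        else:
            body += re.escape(ch)
    return re.compile(prefix + body + suffix)


def parse_line(line: str) -> Optional[Rule]:
    """One list line -> Rule, or None for blank lines and # / ! comments."""
    s = line.strip()
    if not s or s[0] in "#!":
        return None
    m = _HOSTS_RE.match(s)
    if m:   # "0.0.0.0 example.com": the IP is ignored, exact host only
        host = m.group(1).lower()
        return Rule("exact", re.compile("^" + re.escape(host) + "$"), source=s)
    if len(s) > 2 and s.startswith("/") and s.endswith("/"):
        return Rule("regex", re.compile(s[1:-1]), source=s)
    allow = s.startswith("@@")
    body = s[2:] if allow else s
    pattern, _, mods = body.partition("$")        # "$a,b" = comma-separated modifiers
    important = "important" in mods.split(",")
    if not re.search(r"[|^*]", pattern):
        # Plain "example.com" line (the "without IP" version). Assumption: it
        # behaves like the hosts entry it was derived from, exact host only.
        return Rule("exact", re.compile("^" + re.escape(pattern.lower()) + "$"),
                    allow=allow, important=important, source=s)
    return Rule("adguard", _adguard_to_regex(pattern), allow=allow,
                important=important, source=s)


def load_rules(text: str) -> List[Rule]:
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def is_blocked(rules: List[Rule], name: str) -> bool:
    """Precedence as described above: rules carrying $important outrank all
    others, and within the same rank an @@ exception wins over a block.
    (Exception-wins between two $important rules is an assumption; the text
    only covers important vs. non-important.)"""
    name = name.lower().rstrip(".")
    hits = [r for r in rules if r.regex.search(name)]
    if not hits:
        return False
    important = [r for r in hits if r.important]
    pool = important or hits
    return not any(r.allow for r in pool)


# Constructed sample list mixing the three formats (not a list from this repo)
SAMPLE_LIST = r"""
# hosts format: covers the exact host only
0.0.0.0 ads.example.com
! domain-only format, same semantics
tracker.example.net
||example.org^
@@||safe.example.org^
||evil.safe.example.org^$important
/^metrics\d+\./
"""

if __name__ == "__main__":
    rules = load_rules(SAMPLE_LIST)
    for q in ["ads.example.com", "www.ads.example.com", "cdn.example.org",
              "safe.example.org", "evil.safe.example.org", "metrics42.example.net"]:
        print(f"{q:28} {'BLOCKED' if is_blocked(rules, q) else 'allowed'}")
```

Run it as a script to see the sample decisions; `www.ads.example.com` stays allowed because the hosts entry covers only the exact host, while `evil.safe.example.org` is blocked even though it sits under the `@@||safe.example.org^` exception, because the blocking rule carries `$important`.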

 

Use:

Use with Pi-hole:

Instructions for use with Pi-hole:

  1. Copy the link to the Pi-hole format of the desired list (from the corresponding table below).
  2. Add the URL to your Pi-hole block lists (Login > Group Management > Lists > paste the URL of the list in the "Address" field, add a comment > click "Add").
  3. Update Gravity (Tools > Update Gravity > click "Update").

  These instructions are current as of Pi-hole 5.2.4; the menus may differ slightly in the version you run. They will be updated when version 6 is released.
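The same three steps done without the web UI, as an added example (not Pi-hole's own tooling): it inserts the list address straight into Pi-hole v5's gravity.db with Python's sqlite3 module, refusing non-HTTPS URLs (a list fetched over plain HTTP can be altered in transit, and whoever controls the list controls what your network blocks) and skipping addresses that are already present, after which `pihole -g` fetches it. It assumes the adlist table has at least the columns address, enabled and comment; the in-memory stand-in schema is constructed for offline testing and is smaller than Pi-hole's real one.

```python
"""Add a blocklist to Pi-hole v5's gravity database from the command line.
Added example, not part of Pi-hole. Assumes an `adlist` table with at least
the columns address, enabled and comment. Run `pihole -g` afterwards
(`docker exec <container> pihole -g` for the Docker install)."""
import sqlite3
import sys
from urllib.parse import urlsplit

GRAVITY_DB = "/etc/pihole/gravity.db"   # path inside the Pi-hole container

# Stand-in schema, constructed for offline testing only; Pi-hole's real
# gravity.db has more columns and group assignments than this.
STANDIN_SCHEMA = """
CREATE TABLE IF NOT EXISTS adlist (
    id INTEGER PRIMARY KEY AUTOINCREMENT,
    address TEXT UNIQUE NOT NULL,
    enabled BOOLEAN NOT NULL DEFAULT 1,
    comment TEXT
);
"""


def validate_list_url(url: str) -> str:
    """Accept only https:// URLs with a host part."""
    parts = urlsplit(url.strip())
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError(f"refusing non-HTTPS list URL: {url!r}")
    return parts.geturl()


def add_adlist(conn: sqlite3.Connection, url: str, comment: str = "") -> bool:
    """Insert the list if absent. Returns True when a row was added, False
    when the address already existed, so the script is safe to re-run."""
    url = validate_list_url(url)
    cur = conn.execute(
        "INSERT OR IGNORE INTO adlist (address, enabled, comment) VALUES (?, 1, ?)",
        (url, comment),
    )
    conn.commit()
    return cur.rowcount == 1


def list_adlists(conn: sqlite3.Connection) -> list:
    return [tuple(r) for r in conn.execute(
        "SELECT address, enabled, comment FROM adlist ORDER BY id")]


def open_standin_db() -> sqlite3.Connection:
    """In-memory database with the stand-in schema, for tests and dry runs."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(STANDIN_SCHEMA)
    return conn


if __name__ == "__main__":
    # usage: python add_adlist.py <https-list-url> [comment]
    if len(sys.argv) < 2:
        sys.exit("usage: add_adlist.py <https-list-url> [comment]")
    with sqlite3.connect(GRAVITY_DB) as c:
        added = add_adlist(c, sys.argv[1], " ".join(sys.argv[2:]))
    print("added" if added else "already present", "- now run: pihole -g")
```

Copy the script into the container (or run it on the host with the database volume mounted) and follow it with `pihole -g`; the UNIQUE constraint on address plus `INSERT OR IGNORE` is what keeps repeated runs from creating duplicate entries.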

 
Use with AdGuard Home:

Instructions for use with AdGuard Home:

  1. Copy the link to the AdGuard format of the desired list (from the corresponding table below).
  2. Add the URL to your AdGuard Home block lists (Login > Filters > DNS blocklists > Add blocklist > Add a custom list > enter a name > paste the copied URL).
  3. The list is activated automatically and starts blocking right away.

  Instructions are current as of AdGuard Home v0.107.2.

 

AdGuard Home®

General configuration

  • In AdGuard Home settings, General settings, set "Filter update interval" to 1 hour so that the block lists are refreshed every hour.

Change the password in AdGuard Home

The password in AdGuardHome.yaml is stored as a hash, not in clear text. The following sites generate htpasswd-style hashes:

  • web2generators
  • ipvoid
  • wtools

Typing a real password into a third-party website hands that password to the site; prefer generating the hash locally, for example with htpasswd from apache2-utils (`htpasswd -nB user` prompts for the password and prints a bcrypt hash line, which AdGuard Home also accepts). Either way, the result has this format:

user:$apr1$x4gcjzrl$qSvcJK46C2rQUGRl4z1kl0

Once the user and hash have been created, open the AdGuard Home configuration file, AdGuardHome.yaml, find the following block and replace the values:

  • For the user: user
  • For the password: the whole hash string, including the $apr1$ prefix and the salt, i.e. $apr1$x4gcjzrl$qSvcJK46C2rQUGRl4z1kl0

```yaml
users:
  - name: user
    password: $apr1$x4gcjzrl$qSvcJK46C2rQUGRl4z1kl0
```

Restart AdGuard Home once the data has been changed.

Settings to use DNS over TLS or DNS over HTTPS upstreams

In AdGuard Home settings, DNS settings:

  • Upstream DNS servers: paste one of these pairs:

For Cloudflare DoH/DoT:

```
https://dns.cloudflare.com/dns-query
tls://1dot1dot1dot1.cloudflare-dns.com
```

For Quad9 DoH/DoT:

```
https://dns.quad9.net/dns-query
tls://dns.quad9.net
```

and keep the "Load balancing" option selected (it is selected by default).

  • Bootstrap DNS servers: these must be plain IP addresses, because they are used to resolve the hostnames of the encrypted upstreams above before any encrypted channel exists. Choose one provider:

Cloudflare, IPv4 and IPv6:

```
1.1.1.1
1.0.0.1
2606:4700:4700::1111
2606:4700:4700::1001
```

Quad9, IPv4 and IPv6:

```
9.9.9.9
149.112.112.112
2620:fe::fe
2620:fe::fe:9
```

  • DNS server configuration: check the option "Enable DNSSEC".

Add a domain for DoH and DoT:

Obtain a certificate from Let's Encrypt

Let's Encrypt issues certificates signed by a publicly trusted CA (not self-signed ones), so DoH/DoT clients accept them without any extra configuration on the device.

Installing a free TLS certificate with Certbot:

1️⃣ Update the package list:

```shell
sudo apt update && sudo apt upgrade
```

2️⃣ Install the Certbot package:

```shell
sudo apt install certbot
```

Certbot documentation: Certbot

3️⃣ This section covers the most important options of the command; choose the ones you find most convenient.

Certbot supports many command line options; the full list is printed by certbot --help all.

👉 3.1 You can add as many domains as you wish with the --domain (-d) option. Examples:

| Option | Example |
| --- | --- |
| --domain | --domain example.com --domain example.org |
| --domain | --domain example.org,www.example.org |
| -d | -d example.com -d example.org |
| -d | -d example.org,www.example.org |

👉 3.2 --rsa-key-size sets the size of the RSA key (default 2048):

| Bit size | Notes |
| --- | --- |
| 512 | Insecure; rejected by Let's Encrypt |
| 1024 | Insecure; rejected by Let's Encrypt |
| 2048 | Recommended, and the default |
| 4096 | Stronger, at the cost of slower TLS handshakes |
| 8192 | Not issued by Let's Encrypt, which accepts RSA keys of 2048 to 4096 bits |

👉 3.3 --csr Use an existing certificate signing request, built from a .cnf file, instead of letting Certbot generate the key and request. Currently --csr only works with the certonly subcommand.

  • Follow this tutorial, added separately, to create the CSR: Link

👉 3.4 --config-dir Sets the Certbot configuration directory. Certificate-specific options go in a .conf file; an example is attached: example.org.conf

👉 3.5 --test-cert, --staging Use the Let's Encrypt staging server to obtain or revoke test (invalid) certificates; equivalent to --server https://acme-staging-v02.api.letsencrypt.org/directory. Use it while experimenting so you do not hit the production rate limits.

👉 3.6 --hsts Add the Strict-Transport-Security header to every HTTP response, forcing the browser to always use HTTPS for the domain. This is applied by the web server installer plugins (apache, nginx); it has no effect with certonly, which only obtains the certificate.

👉 3.7 --key-type {rsa,ecdsa} Type of private key to generate. Only one per invocation can be provided at this time.

👉 3.8 --quiet Silence all output except errors.

👉 3.9 --cert-name Certificate name to apply. Certbot uses it for housekeeping and in file paths; it does not affect the content of the certificate itself.

👉 3.10 --debug Show tracebacks in case of errors.

👉 3.11 --dry-run Perform a test run against the Let's Encrypt staging server, obtaining test (invalid) certificates but not saving them to disk.

👉 3.12 --dns-cloudflare Obtain certificates using a DNS TXT record created through the Cloudflare API (if you use Cloudflare for DNS). This needs the certbot-dns-cloudflare plugin and an API token, and it is what makes unattended renewal of a wildcard certificate possible.

👉 3.13 --server Choose the ACME directory resource URI for your server.

| Description | Server |
| --- | --- |
| Certificate from the production server | https://acme-v02.api.letsencrypt.org/directory |
| Certificate from the test (staging) server | https://acme-staging-v02.api.letsencrypt.org/directory |

👉 3.14 --elliptic-curve (default: secp256r1) The SECG name of the curve used when --key-type ecdsa is chosen. Let's Encrypt only issues ECDSA certificates for P-256 (secp256r1) and P-384 (secp384r1); Certbot accepts other names, but the CA rejects the order:

| Curve | Bit size | Notes |
| --- | --- | --- |
| secp192r1 | 192 | Insecure (below the 128-bit security level); not accepted by Let's Encrypt |
| secp224k1, secp224r1 | 224 | 112-bit security level, below the 128-bit baseline; not accepted by Let's Encrypt |
| secp256k1 | 256 | Koblitz curve used by Bitcoin; not accepted by Let's Encrypt |
| secp256r1 | 256 | Recommended: NIST P-256, the default, supported by every TLS client |
| secp384r1 | 384 | Recommended where a higher security level is wanted: NIST P-384 |
| secp521r1 | 521 | NIST P-521; not accepted by Let's Encrypt |
| 283-, 409- and 571-bit curves | 283 to 571 | Binary-field curves (SECG names sect283k1, sect283r1, sect409k1, sect409r1, sect571k1, sect571r1, not secp); removed from TLS 1.3 and not accepted by Let's Encrypt |

The k1 and r1 suffixes describe how the curve parameters were chosen, which has two practical consequences:

  • secpXXXk1 curves (Koblitz curves) use specially structured parameters (coefficient a = 0) that allow faster scalar multiplication through an efficiently computable endomorphism, which is why secp256k1 was picked for Bitcoin and Ethereum signatures.
  • secpXXXr1 curves have coefficients generated pseudo-randomly from a published seed. Neither family is proven stronger than the other at the same size; both nominally offer half their bit size in security (128 bits for the 256-bit curves). For web certificates the decision is made by the ecosystem: browsers, operating systems and public CAs, including Let's Encrypt, support secp256r1 and secp384r1, not the k1 curves.

Summary:

| Feature | secpXXXk1 | secpXXXr1 |
| --- | --- | --- |
| Parameters | Fixed, structured (Koblitz) | Pseudo-random from a seed |
| Arithmetic | Faster (endomorphism) | Standard |
| Nominal security | Same as r1 for the same size | Same as k1 for the same size |
| Common uses | Cryptocurrency signatures (secp256k1) | TLS, X.509/PKI, signatures (secp256r1, secp384r1) |

Run the following command, replacing the e-mail address and adjusting the options as you see fit.

This example obtains a wildcard certificate. Note that *.your_domain does not cover the bare domain itself, so the apex name is requested as well; Certbot prompts for one TXT record per name:

```shell
certbot certonly --manual --preferred-challenges=dns --rsa-key-size 4096 \
  --email your_email@your_domain --agree-tos \
  --server https://acme-v02.api.letsencrypt.org/directory \
  -d "your_domain" -d "*.your_domain"
```

4️⃣ Finally, Certbot asks you to create an _acme-challenge TXT record at your name server provider with the content it shows. With the DNS challenge, the record name is the hostname you want the certificate for, prefixed with _acme-challenge. For example, for the domain example.com the zone file entry looks like:

```
_acme-challenge.example.com. 300 IN TXT "gfj9Xq...Rg85nM"
```

On success it creates the following files in /etc/letsencrypt/live/your_domain/:

  • fullchain.pem – your certificate followed by the intermediate chain, PEM-encoded.
  • privkey.pem – your private key, PEM-encoded and not encrypted, so keep the file readable by root only.

Let's Encrypt renewal configuration

Certificates obtained with --manual and no --manual-auth-hook cannot be renewed automatically: certbot renew has no way to publish the new TXT record, so either repeat the issuance before expiry or use a DNS plugin such as --dns-cloudflare. To check whether a certificate will renew on its own:

  • Renewal test (simulation): certbot renew --dry-run
  • Check the status of the Certbot timer: systemctl status certbot.timer
  • Renew the certificates that are due: certbot renew
    • Force renewal of a certificate that is not yet due: certbot renew --force-renewal
  • List timers: systemctl list-timers --all. The entry certbot.timer - certbot.service must appear for automatic renewal.
  • List certificates: certbot certificates

To revoke or delete a certificate:

  • Delete a certificate's local files only (this does not revoke it at the CA): certbot delete --cert-name example.com
  • Revoke from the account that issued it: certbot revoke --cert-path /etc/letsencrypt/archive/${YOUR_DOMAIN}/cert1.pem --reason keycompromise
  • Revoke using the certificate's private key: certbot revoke --cert-path /PATH/TO/cert.pem --key-path /PATH/TO/key.pem --reason keycompromise

If you do not want to follow all these steps, you can obtain the certificate from ZeroSSL, but its wildcard certificates are paid.

ZeroSSL

Create a self-signed certificate with OpenSSL:

Steps to create a self-signed RSA certificate with OpenSSL, signed with SHA-512 and carrying Subject Alternative Names (SAN). A self-signed certificate is trusted by nobody by default: each DoH/DoT client (Android "Private DNS", browsers, other resolvers) must have it installed and trusted, otherwise it refuses the connection. For devices you do not control, use the Let's Encrypt procedure above instead.

More useful openssl commands for certificates:

Link

  1. Update the package list:

```shell
sudo apt update && sudo apt upgrade
```

  2. Make sure OpenSSL is installed before proceeding:

```shell
sudo apt install openssl
```

  3. Create the directory where the certificates will be stored:

```shell
mkdir certs && cd certs/
```

  4. Create the certificate with the following commands, changing the paths or keeping the .key and .pem names to store everything in this directory:

    4.1 Generate an RSA private key:

```shell
openssl genpkey -algorithm RSA -out privkey.key -pkeyopt rsa_keygen_bits:2048
```

    4.2 Write the request configuration, csrconfig.cnf, that holds the certificate information. With prompt = no the values are taken from the file instead of being asked interactively; put your own names in commonName and under [alt_names] (the CN must also appear in the SANs, because modern clients match the hostname against the SANs, not the CN):

```shell
vi csrconfig.cnf
```

```
[req]
prompt = no
distinguished_name = req_distinguished_name
req_extensions = v3_req

[req_distinguished_name]
commonName = example.com
organizationName = Your Company Name
countryName = ES

[v3_req]
subjectAltName = @alt_names

[alt_names]
DNS.1 = example.com
DNS.2 = www.example.com
```

    4.3 Generate the certificate signing request (CSR) from that configuration:

```shell
openssl req -new -key privkey.key -out chain.csr -sha512 -config csrconfig.cnf
```

    4.4 Create the self-signed certificate in PEM format, valid for 365 days, copying the v3_req extensions (the SANs) from the configuration file; the file name fullchain.pem is kept so that it matches what AdGuard Home expects below:

```shell
openssl x509 -req -in chain.csr -signkey privkey.key -out fullchain.pem -sha512 -days 365 -extfile csrconfig.cnf -extensions v3_req
```

    4.5 Verify the contents of the certificate, checking that the X509v3 Subject Alternative Name section lists your names:

```shell
openssl x509 -in fullchain.pem -text -noout
```

Configure the certificate in AdGuard Home:

  1. Open the AdGuard Home web interface and go to Settings.
  2. Scroll down to Encryption settings.
  3. Check "Enable encryption (HTTPS, DNS-over-HTTPS, and DNS-over-TLS)".
  4. Enable "Redirect to HTTPS automatically".
  5. Enter your domain name in "Server name". If your certificate is a wildcard, enter the domain name only, "example.com".
  6. Copy/paste the contents of the file fullchain.pem into "Certificates".
  7. Copy/paste the contents of the file privkey.pem into "Private key".
  8. Click "Save configuration".
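Before pointing clients at the endpoint, it is worth checking that the certificate actually covers the server name and has time left. This added example (not AdGuard Home's code) does that with the standard library only. The matching rules are the ones modern clients apply: a SAN such as `*.example.org` covers `dns.example.org` but neither `example.org` nor `a.b.example.org`, which is exactly why the Let's Encrypt command above requests the apex name as well. The live check connects to the DoT port 853 by default (use 443 for DoH); the sample certificate dict, in the shape `ssl.getpeercert()` returns, is constructed.

```python
"""Check that a TLS endpoint's certificate covers the server name and is not
about to expire. Added example, not code from AdGuard Home or Certbot."""
import socket
import ssl
import time


def hostname_matches(pattern: str, hostname: str) -> bool:
    """True if a SAN dNSName pattern covers hostname. A leading '*.' replaces
    exactly one leftmost label (RFC 6125 rules as clients implement them)."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if not pattern.startswith("*."):
        return pattern == hostname
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def cert_covers(cert: dict, hostname: str) -> bool:
    """Look only at subjectAltName dNSName entries; the CN is ignored, as
    browsers and most TLS libraries do."""
    sans = [v for kind, v in cert.get("subjectAltName", ()) if kind == "DNS"]
    return any(hostname_matches(san, hostname) for san in sans)


def days_until_expiry(cert: dict, now: float = None) -> float:
    """Days left before notAfter (negative once expired)."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(cert["notAfter"]) - now) / 86400


def check_endpoint(host: str, port: int = 853, server_name: str = None) -> dict:
    """Connect with full verification (853 = DoT, 443 = DoH) and report.
    Raises ssl.SSLError on an untrusted or mismatched certificate, which is
    what a DoT/DoH client would do as well."""
    server_name = server_name or host
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=server_name) as tls:
            cert = tls.getpeercert()
            return {
                "covers": cert_covers(cert, server_name),
                "days_left": round(days_until_expiry(cert), 1),
                "sans": [v for _, v in cert.get("subjectAltName", ())],
                "tls_version": tls.version(),
            }


# Constructed sample in the dict shape ssl.getpeercert() returns (offline checks)
SAMPLE_CERT = {
    "subject": ((("commonName", "example.org"),),),
    "subjectAltName": (("DNS", "*.example.org"), ("DNS", "example.org")),
    "notBefore": "Jan  1 00:00:00 2024 GMT",
    "notAfter": "Dec 31 23:59:59 2030 GMT",
}

if __name__ == "__main__":
    import sys
    # usage: python check_cert.py dns.example.org [port]
    host = sys.argv[1] if len(sys.argv) > 1 else "dns.quad9.net"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 853
    print(check_endpoint(host, port))
```

Run it against your own server name once the certificate is installed; a self-signed certificate from the OpenSSL section fails the `check_endpoint` call with an SSLError unless it has been added to the machine's trust store, which is the behaviour clients will show too.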

Configure the domain to allow private DNS (DoH and DoT) clients:

To let clients identify themselves through a name under your domain, the following must already be in place:

  1. Encryption is enabled in the AdGuard Home Encryption settings for the domain example.org.
  2. A wildcard certificate for *.example.org is installed, since each client name is a subdomain of it.

Instructions for use:

  1. Log in to the control panel of the web hosting provider or domain registrar where the domain name was purchased.
  2. Find the DNS zone option.
  3. Create a new DNS record for each client, e.g. one.example.org, pointing at the public address of your AdGuard Home server. This lets the client created in the Client configuration panel connect by that name.
  4. Go to Settings / Client settings / Persistent clients, click "Add client" and, under Identifier, enter the client name (e.g. one).

Current instructions are in the developer's documentation.

Lists for Pi-hole and AdGuard Home

Main safelist

| List | Link | Description |
| --- | --- | --- |
| safelist repository | Link | safelist JuanRodenas |
| safelist hagezi | Link | safelist hagezi (not tested) |

Main blocklists

Link column: Pi-hole® | AdGuard Home® (one link per format).

Host

| List | Link (Pi-hole \| AdGuard Home) | Description |
| --- | --- | --- |
| oisd | Link \| Link | Blocks hosts (AdGuard format) and domains (dbl.oisd) |
| The big list | Link \| Link | The oisd big list |
| urlhaus-filter-domains | Link \| Link | urlhaus-filter (DEV Link) |
| everything | Link \| Link | Blocks everything |
| energized pro | Link \| Link | Energized blocklist |
| d3ward | Link \| Link | d3ward popular list |

Malware / Shock / Porn / Adult

| List | Link (Pi-hole \| AdGuard Home) | Description |
| --- | --- | --- |
| The NSFW list | Link \| Link | The oisd NSFW list |
| Gambling-porn | Link \| Link | Blocks gambling and porn |
| Malware | Link \| Link | Blocks malware |
| Ransomware | Link \| Link | Blocks ransomware |
| phishing | Link | Blocks phishing |

Tracking/Ads

| List | Link (Pi-hole \| AdGuard Home) | Description |
| --- | --- | --- |
| SmartTV | Link \| Link | Blocks Smart TV domains |
| WindowsSpyBlocker | Link | WindowsSpyBlocker |
| GoodbyeAds-Ultra | Link \| Link | hagezi and jerryn70 lists |
| ads-and-tracking-extended | Link | ads-and-tracking-extended |
| Adblock_Plus | Link \| Link | Blocks tracking (AdBlock Plus) |
| Android tracking | Link | Android tracking, for AdGuard Home |
| Disconnect.me | Link \| Link | disconnect.me |

AdGuard team filters

| List | Link | Description |
| --- | --- | --- |
| AdGuardSDNSFilter | Link | AdGuard team DNS filter |
| AdAway | Link | AdAway default blocklist |
| Game Console Adblock List | Link | Game Console Adblock List |
| SmartTV-AGH | Link | Smart TV blocklist for AdGuard Home |
| Peter Lowe's List | Link | Blocklist for use with Adblock Plus |

Services

| List | Link (Pi-hole \| AdGuard Home) | Description |
| --- | --- | --- |
| YouTube | Link \| Link | Blocks YouTube |
| Facebook | Link | Blocks Facebook/Instagram/WhatsApp |
| WhatsApp open | Link | Blocks Facebook/Instagram but leaves WhatsApp open |
| Google | Link | Blocks Google |
| Mozilla | Link \| Link | Blocks Mozilla tracking |
| Microsoft | Link | Blocks Microsoft |
| VideoGamesAdiction | Link | Blocks video game addiction |

uBlock Origin uAssets

| List | Link | Link dev | Description |
| --- | --- | --- | --- |
| uBlock filters | Link | Link DEV | uBlock filters |
| Badware risks | Link | Link DEV | uBlock filters – Badware risks |
| Privacy | Link | Link DEV | uBlock filters – Privacy |
| Quick fixes list | Link | Link DEV | Quick fixes list |
| Resource abuse | Link | Link DEV | uBlock filters – Resource abuse |
| Unbreak | Link | Link DEV | uBlock filters – Unbreak |
| i-dont-care-about-cookies | Link | Link DEV | i-dont-care-about-cookies |
| urlhaus-filter | Link | Link DEV | urlhaus-filter |

A tab has been added for AdGuard with lists adapted to its format.

Check your self-hosted blocking:

Pages that test whether your self-hosted blocker is working:

  • fivefilters: Link
  • d3ward: Link
  • canyoublockit: Link
  • No more ads: Link
  • AdBlock Tester: Link

 

Check DoH, DoT and DNSSEC:

Pages that check whether your DNS traffic is encrypted:

  • 1.1.1.1 by Cloudflare: Link
  • Tenta VPN Browser: Link
  • Cloudflare: Link

The technologies analysed are:

  1. Secure DNS: encrypts DNS queries; covers DNS-over-TLS and DNS-over-HTTPS.
  2. DNSSEC: lets a resolver verify that DNS answers are authentic (signed by the zone owner); it does not encrypt anything.
  3. TLS 1.3: the latest version of the TLS protocol, with many improvements that close weaknesses of previous versions.
  4. Encrypted SNI: the Server Name Indication normally reveals the hostname in clear text at the start of a TLS connection; encrypting it means only the IP address is exposed to an observer. ESNI has since been superseded by Encrypted Client Hello (ECH).
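To check a DoH endpoint, including your own AdGuard Home one, without a browser, this added example (not from this repository or any resolver operator) builds the RFC 8484 GET request by hand and decodes the answer, reporting the AD flag that a validating resolver sets when the DNSSEC chain checked out and the DO bit asked for validation. It uses only the standard library; the sample reply is constructed, and the live function talks to whatever endpoint URL you pass (the Cloudflare URL from the DNS settings section is used as the default).

```python
"""RFC 8484 DoH GET request builder and DNS answer parser with the DNSSEC AD
flag. Added example, not code from this repository or any resolver."""
import base64
import ipaddress
import struct
import urllib.request

TYPE_A, TYPE_AAAA, TYPE_OPT = 1, 28, 41


def encode_name(name: str) -> bytes:
    """'example.com' -> RFC 1035 labels: 7 'example' 3 'com' 0."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name: str, qtype: int = TYPE_A, txid: int = 0) -> bytes:
    """Wire-format query: RD set, AD requested, plus an EDNS0 OPT record with
    the DO bit so the resolver validates DNSSEC. txid 0 is what RFC 8484
    recommends for GET so that HTTP caches can reuse the response."""
    flags = 0x0100 | 0x0020                                   # RD, AD
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # 1 question, 1 additional
    question = encode_name(name) + struct.pack("!HH", qtype, 1)   # class IN
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, 0x00008000, 0)  # DO bit
    return header + question + opt


def doh_get_url(endpoint: str, query: bytes) -> str:
    """RFC 8484: base64url without padding in the 'dns' query parameter."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(buf: bytes, off: int):
    """Read a possibly compressed name; returns (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        ln = buf[off]
        if ln & 0xC0 == 0xC0:                                 # compression pointer
            end = off + 2 if end is None else end
            off = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if ln == 0:
            break
        labels.append(buf[off:off + ln].decode("ascii"))
        off += ln
    return ".".join(labels), (end if end is not None else off)


def parse_response(buf: bytes) -> dict:
    """Return rcode, the AD/TC flags and the answer records."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):                                       # skip echoed question
        _, off = _read_name(buf, off)
        off += 4
    records = []
    for _ in range(an):
        name, off = _read_name(buf, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10
        rdata, off = buf[off:off + rdlen], off + 10 + rdlen - 10
        if rtype == TYPE_A and rdlen == 4:
            value = str(ipaddress.IPv4Address(rdata))
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = str(ipaddress.IPv6Address(rdata))
        else:
            value = rdata.hex()
        records.append((name, rtype, ttl, value))
    return {"txid": txid, "rcode": flags & 0xF,
            "authenticated": bool(flags & 0x0020),            # AD: DNSSEC validated
            "truncated": bool(flags & 0x0200), "records": records}


def resolve_doh(endpoint: str, name: str, qtype: int = TYPE_A) -> dict:
    """Live lookup against a DoH endpoint (e.g. your AdGuard Home one)."""
    req = urllib.request.Request(doh_get_url(endpoint, build_query(name, qtype)),
                                 headers={"Accept": "application/dns-message"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return parse_response(resp.read())


# Constructed reply (not captured): flags QR|RD|RA|AD, one A record whose
# name is a compression pointer to the question at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0, 0x81A0, 1, 1, 0, 0)
    + encode_name("example.com") + struct.pack("!HH", TYPE_A, 1)
    + b"\xC0\x0C" + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 1])
)

if __name__ == "__main__":
    print(resolve_doh("https://dns.cloudflare.com/dns-query", "example.com"))
```

Point `resolve_doh` at `https://your_domain/dns-query` once AdGuard Home's encryption is enabled: a resolver that has "Enable DNSSEC" switched on returns `authenticated: True` for signed zones, and `rcode` 2 (SERVFAIL) for a zone whose signatures fail to validate.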

The only browser that supports all four technologies is Firefox.

To activate them, go to about:config and set:

  network.security.esni.enabled – click + and set it to true (in Firefox 85 and later ESNI was replaced by ECH, and the setting is network.dns.echconfig.enabled).

  network.trr.mode – value 2 (DoH with fallback to the system resolver; value 3 uses DoH only, so nothing leaks to the system resolver if the DoH server fails).

  network.trr.uri – the DoH server URL, as given on the Mozilla page.

  HTTPS-Only Mode – click + and set it to true.

 
DNSSEC resolver test:

Pages to check DNSSEC validation:

  • Link
  • Link
  • Link
  • Link

Page to check DNSSEC and encryption:

  • Link

DNS leak test:

Page to check for DNS leaks:

  • Link

 

Applications for Pi-hole® or Adguard Home®.

Link to the developer of the application: GitHub

Pi-hole® android application

Adguard Home® android application

Desktop applications for Adguard Home®.

Any and all rights and responsibilities pertaining thereto remain the property of the respective developer.

Help me and contribute 🙌

 If you want to help improve the lists, open an issue here:

Link

Credits 🚀

This repository is made with all my love and affection.

GitHub

🎉 ¡Ready!

 

These files/texts are provided "AS IS", without warranties of any kind, express or implied, including, but not limited to, warranties of merchantability, fitness for a particular purpose and non-infringement. In no event shall the authors or copyright holders be liable for any claims, damages or other liability arising out of or relating to the files or the use thereof.

I will be updating with information and adding procedures in my spare time. The author of the content is JuanRodenas. You can contact me at mailto and the author's website is website.

Any and all trademarks are the property of their respective owners.