Tips For Accessing Your Pi-hole Remotely

It is possible to use your Pi-hole remotely for ad-blocking on-the-go.  We don’t have a guide on this process for several reasons, which you will read about below.

It’s been challenging to keep up because the project is growing larger than any of us ever imagined.  Each member of the Pi-hole dev team has a full-time job and we just work on this project in our free time, so it’s your donations that keep us motivated.  Those donations have also allowed us to grow from a team of one to a team of five.  It’s not enough to live off, but it gives us some incentive to keep trying.

(A Long) Foreword

Software and hardware are inherently flawed because they are created by humans.  There are discovered and undiscovered security problems with both.  Take macOS for example: it’s built using many other people’s software (both open and closed source).

Each of those pieces of software has its own version, its own development team, its own bugs, and its own vulnerabilities.  If you combine all of those into a new piece of software, you are bringing along all that luggage on top of your own software’s issues.  You now have a piece of software that has a very large number of flaws or security holes.

And that’s just software meant to be legitimate and serve a useful purpose.  Throw in malware, software specifically designed to take advantage of exploits, and you’re in for a big mess.

When you see software like macOS, you may want to use it because of all the cool features.  However, you probably don’t think of all the components that make up that software or how many vulnerabilities you are opening yourself up to.  This is mainly because people work hard to squash these problems and some have not even been discovered yet.

In addition, if the software does what you want it to, there’s not much reason to think it’s doing something bad.  You also have the reputation of the company to make you feel more comfortable with using the software (but that’s not completely trustworthy either).

So if there are so many potential problems, why use software at all?  Mostly because it helps us accomplish something or add value to our life.  Even with all of the risks (perceived or unperceived), it is still worth it for many.  Driving around a four-wheel box carrying flammable materials at 97km/h doesn’t exactly sound safe when phrased that way, yet we do it anyway because most of the time, everything works as it was meant to.  But that doesn’t mean something can’t go wrong.

If you actually read this far in the foreword, there are several security risks with making your Pi-hole publicly available, so it’s not something we are ready to instruct you to do.  So this post isn’t a guide but rather some suggestions for setting it up securely if it is something you are planning on doing at your own risk.

Recommended Setup: Use A VPN

This is one of the best ways to keep your information private over the Internet.  Once you have a VPN set up (not necessarily an easy task to begin with), you can configure it to hand out the Pi-hole as the client’s DNS server, so any device that connects to your VPN will automatically block advertisements.

Port Forwarding (Not Recommended)

When you forward ports to a device on your network (this can be any device, not just a Pi-hole), you are making it publicly available over the Internet, which makes you vulnerable to attack.

Some router settings might be useful, or you could use some iptables rules to help mitigate this, but port forwarding is not a method we generally recommend.  And if you think publicly available devices can’t be found online, you would be wrong.

DNS Is Powerful

DNS servers are what make the Internet so useful and are critical to its functionality.  That is also what makes them a target.

The 13 root DNS servers around the world are hardened and managed by teams of people.  So if you blindly throw up a publicly available DNS server (i.e. your Pi-hole), hackers will try to take advantage of it.

Change Default Passwords

You should definitely change the default password on your router as well as any other default users, like pi.  This isn’t exclusive to port forwarding as it is something you should always do before you bring your devices online.

Other Concerns

Port 53 (DNS) is a dangerous one to forward because you could unwittingly become a zombie in a DNS reflection attack.  Also, if you decided to forward port 80 (for the dashboard) and port 22 (for remote SSH access), these are two more ports that an attacker can use to gain access to your system.  If you are not locking it down with a password, public keys, and/or some other software, you are making the attacker’s job a lot easier.
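One way to apply the iptables mitigation mentioned under Port Forwarding to the three ports discussed here, as an added example that is not from the Pi-hole project: the script prints rules that accept DNS, dashboard and SSH traffic only from trusted source ranges and drop it from everywhere else. The function names and the sample subnets are assumptions.

```sh
#!/bin/sh
# Added example: print iptables rules that let only trusted sources reach the
# Pi-hole's DNS (53), dashboard (80) and SSH (22) ports.
# TRUSTED_CIDRS holds constructed sample values (a LAN and a VPN subnet).
TRUSTED_CIDRS="192.168.1.0/24 10.8.0.0/24"

# Accept only well-formed IPv4 CIDRs; /0 ("everyone") is refused so a typo
# cannot turn the allowlist into an open rule.
valid_cidr() {
  case $1 in */*) ;; *) return 1 ;; esac
  ip=${1%/*}; len=${1#*/}
  case $len in ''|*[!0-9]*) return 1 ;; esac
  [ "$len" -ge 1 ] && [ "$len" -le 32 ] || return 1
  case $ip in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
  old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# Print the rule set without applying it, so it can be reviewed first.
pihole_rules() {
  for cidr in "$@"; do
    valid_cidr "$cidr" || { echo "bad CIDR: $cidr" >&2; return 1; }
  done
  # The Pi-hole host resolves through itself on loopback.
  echo "iptables -A INPUT -i lo -j ACCEPT"
  for cidr in "$@"; do
    echo "iptables -A INPUT -s $cidr -p udp --dport 53 -j ACCEPT"
    echo "iptables -A INPUT -s $cidr -p tcp -m multiport --dports 22,53,80 -j ACCEPT"
  done
  # Any other source is dropped on these ports, which keeps the resolver
  # from answering spoofed queries in a reflection attack.
  echo "iptables -A INPUT -p udp --dport 53 -j DROP"
  echo "iptables -A INPUT -p tcp -m multiport --dports 22,53,80 -j DROP"
}

pihole_rules $TRUSTED_CIDRS
```

The rules match on source address, so they only help if the router forwards traffic without rewriting it to its own LAN address.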

The Dashboard

Make sure you are running the latest version of Pi-hole, which includes a password-protected dashboard.

Layered Security

The safest computer is one that is off and never connected to the Internet.

There isn’t one solution that will magically protect your network.  Many information security folks will probably tell you a layered security model is a good approach and they would be right.  Simply having a VPN doesn’t mean you’re immune to any attack.  And how do you know you can trust the VPN software in the first place?

Bottom Line

You will never be 100% safe because humans developed computers and humans are prone to error and mistakes.  These faults are inherently imbued into software and hardware.  Be cognizant and learn as much as you can before acting.

6 Replies to “Tips For Accessing Your Pi-hole Remotely”

  1. Port forward ssh instead, then you can use ssh local port forwarding to access your pihole interfaces. It will be authenticated and provides an encrypted tunnel.

    Keeps your deployment simple. Just remember to use a good password (or better, use ssh keys with good passwords).

    1. If you are going to expose SSH to the world, then at the minimum I’d suggest no password logins, certs only with root login denied. Create a user and only allow that user to SSH in, don’t use the built in Pi login. And if you feel like it, throw in SSHGuard or Fail2Ban just to keep things in check, but honestly they don’t do all that much for security purposes. And don’t bother with changing port numbers, it’s faster in the long run to let the bots hit your SSH instance and fail and then go away instead of causing them to go into port scan and run a profile on your network.

      But if you take anything away from all of that it’s this one point: Do Not Use Pi/Raspberry, everyone in the world knows that user/pass combo and you will be compromised with that pair.

      1. Understood. Though I would like to make a difference between ssh via local network and remote control from outside.
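
The SSH settings suggested in the replies above, turned into a check (an added example, not part of the original post or its comments): it reads `sshd -T` style output on stdin and reports anything that departs from key-only logins, no root login, and a named account other than pi. The function name `audit_sshd` and the sample configuration are assumptions.

```sh
#!/bin/sh
# Added example: check effective sshd settings against the advice in the
# replies: key-only logins, no root login, one named account, never "pi".
# Input is `sshd -T` style text on stdin ("keyword value" per line).
audit_sshd() {
  awk '
    function fail(msg) { print "FAIL " msg; bad++ }
    { key = tolower($1) }
    key == "passwordauthentication" { pw = tolower($2) }
    key == "pubkeyauthentication"   { pk = tolower($2) }
    key == "permitrootlogin"        { root = tolower($2) }
    key == "allowusers" {
      # AllowUsers entries may be written as user@host; keep the user part.
      for (i = 2; i <= NF; i++) { u = $i; sub(/@.*/, "", u); allowed[u] = 1; n++ }
    }
    END {
      if (pw != "no")   fail("PasswordAuthentication should be no")
      if (pk != "yes")  fail("PubkeyAuthentication should be yes")
      if (root != "no") fail("PermitRootLogin should be no")
      if (n == 0)
        fail("AllowUsers is unset; name the one account allowed in")
      else if ("pi" in allowed)
        fail("AllowUsers includes the default pi account")
      exit (bad > 0)
    }'
}

# Constructed sample: password logins still enabled and pi still allowed.
SAMPLE='passwordauthentication yes
pubkeyauthentication yes
permitrootlogin prohibit-password
allowusers pi'

printf '%s\n' "$SAMPLE" | audit_sshd ||
  echo "sshd needs hardening before port 22 is forwarded"
```

On the Pi itself the input would come from `sudo sshd -T | audit_sshd`.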
