Tips For Accessing Your Pi-hole Remotely
It is possible to use your Pi-hole remotely for ad-blocking on-the-go. We don’t have a guide on this process for several reasons, which you will read about below.
It’s been challenging to keep up because the project is growing larger than any of us ever imagined, and because each member of the Pi-hole dev team has a full-time job. We just work on this project in our free time, so it’s your donations that keep us motivated. Those donations have also allowed us to grow from a team of one to a team of five. It’s not enough to live off, but it gives us some incentive to keep trying.
(A Long) Foreword
Software and hardware are inherently flawed because they are created by humans. There are discovered and undiscovered security problems with both. Take macOS for example: it’s built using many other people’s software (both open and closed source).
Each of those pieces of software has its own version, its own development team, its own bugs, and its own vulnerabilities. If you combine all of those into a new piece of software, you are bringing along all that luggage on top of your own software’s issues. You now have a piece of software that has a practically countless number of flaws or security holes.
And that’s just software meant to be legitimate and serve a useful purpose. Throw in malware, software specifically designed to take advantage of exploits, and you’re in for a big mess.
When you see software like macOS, you may want to use it because of all the cool features. However, you probably don’t think of all the components that make up that software or how many vulnerabilities you are opening yourself up to. This is mainly because people work hard to squash these problems and some have not even been discovered yet.
In addition, if the software does what you want it to, there’s not much reason to think it’s doing something bad. You also have the reputation of the company to make you feel more comfortable with using the software (but that’s not completely trustworthy either).
So if there are so many potential problems, why use software at all? Mostly because it helps us accomplish something or adds value to our lives. Even with all of the risks (perceived or unperceived), it is still worth it for many. Driving around in a four-wheel box carrying flammable materials at 97km/h doesn’t exactly sound safe when phrased that way, yet we do it anyway because most of the time, everything works as it was meant to. But that doesn’t mean something can’t go wrong.
If you have read this far into the foreword, the point is this: there are several security risks with making your Pi-hole publicly available, so it’s not something we are ready to instruct you to do. This post isn’t a guide, but rather a set of suggestions for setting it up securely if you plan to do it at your own risk.
Recommended Setup: Use A VPN
This is one of the best ways to keep your information private over the Internet. Once you have a VPN set up (not necessarily an easy task to begin with), you can configure it to hand out the Pi-hole as the client’s DNS server, so any device that connects to your VPN will automatically block advertisements.
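A check for the VPN setup described above, added here as an example and not taken from the Pi-hole project. It assumes an OpenVPN server (the page does not name a VPN product) and a Pi-hole reachable at the constructed address 10.8.0.1; the function names are hypothetical.

```shell
#!/bin/sh
# Added example: list the resolvers an OpenVPN server config pushes to
# clients and confirm the Pi-hole is the only one.
# OpenVPN and the 10.8.0.1 address are assumptions for illustration.

# pushed_dns FILE -> one pushed DNS server address per line.
# Commented-out directives (# or ;) are ignored because the match is
# anchored to the start of the line.
pushed_dns() {
    sed -n 's/^[[:space:]]*push[[:space:]]*"dhcp-option[[:space:]]\{1,\}DNS[[:space:]]\{1,\}\([^"[:space:]]*\)".*/\1/p' "$1"
}

# check_vpn_dns FILE PIHOLE_IP
# Succeeds only if at least one resolver is pushed and every pushed
# resolver is the Pi-hole.
check_vpn_dns() {
    servers=$(pushed_dns "$1")
    if [ -z "$servers" ]; then
        echo "no DNS pushed: clients keep their own resolver"
        return 1
    fi
    for s in $servers; do
        if [ "$s" != "$2" ]; then
            echo "extra resolver $s: clients may query it and bypass Pi-hole"
            return 1
        fi
    done
    echo "ok: clients resolve only through $2"
}

# Constructed sample server.conf fragment with a second resolver left in.
sample=$(mktemp)
cat > "$sample" <<'EOF'
server 10.8.0.0 255.255.255.0
push "redirect-gateway def1"
push "dhcp-option DNS 10.8.0.1"
push "dhcp-option DNS 8.8.8.8"
EOF
check_vpn_dns "$sample" 10.8.0.1 || true
rm -f "$sample"
```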
Port Forwarding (Not Recommended)
When you forward ports to a device on your network (this can be any device, not just a Pi-hole), you are making it publicly available over the Internet, which makes you vulnerable to attack.
Some router settings might be useful, or you could use some iptables rules to help mitigate this, but port forwarding is not a method we generally recommend. And if you think publicly available devices can’t be found online, you would be wrong.
DNS Is Powerful
The 13 root DNS servers around the world are hardened and managed by teams of people. So if you blindly throw up a publicly available DNS server (i.e. your Pi-hole), hackers will try to take advantage of it.
Change Default Passwords
You should definitely change the default password on your router as well as any other default users, like pi. This isn’t exclusive to port forwarding as it is something you should always do before you bring your devices online.
Port 53 (DNS) is a dangerous one to forward because you could unwittingly become a zombie in a DNS reflection attack. Also, if you decided to forward port 80 (for the dashboard) and port 22 (for remote SSH access), these are two more ports that an attacker can use to gain access to your system. If you are not locking it down with a password, public keys, and/or some other software, you are making the attacker’s job a lot easier.
Make sure you are running the latest version of Pi-hole, which includes a password-protected dashboard.
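The iptables mitigation mentioned under Port Forwarding, applied to the three ports named above (53, 80 and 22), as an added example that is not from the Pi-hole project. The LAN and VPN subnets, the chain name PIHOLE-IN and the function names are assumptions for illustration.

```shell
#!/bin/sh
# Added example: print iptables commands that limit the Pi-hole's DNS,
# dashboard and SSH ports to trusted source networks.
# Review the output before running it as root.

# Shape check only: dotted quad plus a /0-/32 prefix, e.g. 192.168.1.0/24.
valid_cidr() {
    printf '%s\n' "$1" |
        grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])$'
}

# pihole_rules LAN_CIDR VPN_CIDR
# Both arguments describe your own network; they are not Pi-hole defaults.
pihole_rules() {
    lan=$1
    vpn=$2
    for net in "$lan" "$vpn"; do
        valid_cidr "$net" || { echo "invalid CIDR: $net" >&2; return 1; }
    done

    # A dedicated chain keeps these rules separate from any existing ones.
    echo "iptables -N PIHOLE-IN"
    for net in "$lan" "$vpn"; do
        # DNS is served over both UDP and TCP on port 53.
        echo "iptables -A PIHOLE-IN -s $net -p udp --dport 53 -j ACCEPT"
        echo "iptables -A PIHOLE-IN -s $net -p tcp --dport 53 -j ACCEPT"
        # SSH (22) and the dashboard (80).
        echo "iptables -A PIHOLE-IN -s $net -p tcp -m multiport --dports 22,80 -j ACCEPT"
    done
    # Anything else aimed at these ports is dropped, so the resolver
    # cannot answer queries from arbitrary Internet sources.
    echo "iptables -A PIHOLE-IN -p udp --dport 53 -j DROP"
    echo "iptables -A PIHOLE-IN -p tcp -m multiport --dports 22,53,80 -j DROP"
    echo "iptables -I INPUT -j PIHOLE-IN"
}

# Constructed sample networks: a home LAN and a VPN client pool.
pihole_rules 192.168.1.0/24 10.8.0.0/24
```

Rules added this way do not survive a reboot unless they are saved, so check them again after the device restarts.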
The safest computer is one that is off and never connected to the Internet.
There isn’t one solution that will magically protect your network. Many information security folks will probably tell you a layered security model is a good approach and they would be right. Simply having a VPN doesn’t mean you’re immune to any attack. And how do you know you can trust the VPN software in the first place?
You will never be 100% safe because humans developed computers and humans are prone to error and mistakes. These faults are inherently imbued into software and hardware. Be cognizant and learn as much as you can before acting.