Setup pi-hole ad filter server on AWS in 2 minutes

Standard

We assume you have an AWS account (if not get one here https://aws.amazon.com/) and you know the basics on how to start an instance in AWS (https://aws.amazon.com/ec2/spot/spot-getting-started/).

  • Start an AWS server type in the region of your choice (they start at US$1 per month for spot instances. I use T3A.NANO or T4G.NANO)
  • Open the right ports in the AWS security group (TCP 80, 53, 443, 4711 and UDP 53 at least for an IPv4 server). Of course only for your own IP addresses. DO NOT OPEN THE SERVER FOR ALL. YOUR MACHINE WILL BE ADBUSED VERY QUICKLY. (Some more info)
  • Use OS: Ubuntu 20.04 LTS
  • Assign fixed IP address (Elastic IP)
  • Log into the command line interface of your new server
  • Update with
    apt -y update && apt -y upgrade && reboot
  • Run
    curl -sSL https://install.pi-hole.net | bash
  • Follow the guided installation process. Suggested settings are fine. Although I disable IPv6, because I don’t want to use it. 
  • Take note of the admin password or change it with
    pihole -a -p
  • reboot
  • Ready to go
  • Assign the fixed public IP address to your computers as a DNS server and enjoy browsing with less ads (you can tweak pihole so it is even better at blocking the right stuff, but this is not a subject for this quick guide. Read https://pi-hole.net/ )

The following is optional. You don’t need it, but I like to use my own caching name server. So I don’t have to use the public DNS servers. Reasoning for this is another discussion and I will not cover here. (see https://docs.pi-hole.net/guides/dns/unbound/ under “caching”) 

  1. Install the DNS server on your pihole server
    apt install unbound -y
  2. Edit unbound configuration
    vim /etc/unbound/unbound.conf.d/pi-hole.conf
    A new file is created. Put the following into it:

    server:
    # If no logfile is specified, syslog is used
    # logfile: “/var/log/unbound/unbound.log”
    verbosity: 0

    interface: 127.0.0.1
    port: 6236
    do-ip4: yes
    do-udp: yes
    do-tcp: yes

    # May be set to yes if you have IPv6 connectivity
    do-ip6: no

    # You want to leave this to no unless you have *native* IPv6. With 6to4 and
    # Terredo tunnels your web browser should favor IPv4 for the same reasons
    prefer-ip6: no

    # Use this only when you downloaded the list of primary root servers!
    # If you use the default dns-root-data package, unbound will find it automatically
    #root-hints: “/var/lib/unbound/root.hints”

    # Trust glue only if it is within the server’s authority
    harden-glue: yes

    # Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
    harden-dnssec-stripped: yes

    # Don’t use Capitalization randomization as it known to cause DNSSEC issues sometimes
    # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
    use-caps-for-id: no

    # Reduce EDNS reassembly buffer size.
    # Suggested by the unbound man page to reduce fragmentation reassembly problems
    edns-buffer-size: 1472

    # Perform prefetching of close to expired message cache entries
    # This only applies to domains that have been frequently queried
    prefetch: yes

    # One thread should be sufficient, can be increased on beefy machines. In reality for most users running on small networks or on a single machine, it should be unnecessary to seek performance enhancement by increasing num-threads above 1.
    num-threads: 1

    # Ensure kernel buffer is large enough to not lose messages in traffic spikes
    so-rcvbuf: 1m

    # Ensure privacy of local IP ranges
    private-address: 192.168.0.0/16
    private-address: 169.254.0.0/16
    private-address: 172.16.0.0/12
    private-address: 10.0.0.0/8
    private-address: fd00::/8
    private-address: fe80::/10


  3. Make Named/Bind start automatically
    systemctl enable --now unbound
  4. reboot
  5. Then log into the admin interface and go to Settings / DNS and add this:

    Disable the other public DNS services. So you only use your own Caching DNS and click save. 
  6. Ready to go. 
  7. If you have a backup from a previous installation you can now go to the GUI / Settings / Teleporter and upload the backup file. I would also reboot after restoring the backup. 

And even more optional is the setup of a swap file, if you chose a server with little RAM. 

These instructions are very good. 

https://www.digitalocean.com/community/tutorials/how-to-add-swap-space-on-ubuntu-20-04

Adding more DNS lists to get a higher degree of blocking, but also the chance to block stuff you may want I add these lists in “Group Management / Adlists” in the Pi-hole GUI: 

https://adaway.org/hosts.txt

https://s3.amazonaws.com/lists.disconnect.me/simple_ad.txt

https://www.technoy.de/lists/blocklist.txt

There are more lists to be found here: 
https://firebog.net/

https://www.technoy.de/lists/blocklists-fuer-pihole/ (in German, but very good)

Remember after adding blocklists you need to update Gravity in “Tools/Update Gravity” in the GUI. Otherwise the list will not be used. 

MAINTANANCE

From time to time you should run the following from the command line to keep everything up-to-date

apt -y update && apt -y upgrade && iphole -up && reboot

BACKUP

You should backup your configuration of pi-hole. So you won’t loose all your hard work in case your server crashes. I do this because I am using AWS spot (Android/ARCH) instances, which are extremely cheap, but AWS can close/terminate them when demand is high on their servers. Backup will help you get back up and running quickly. 

GUI: Settings/Teleporter