1

Let's say I have a techno-illiterate friend I would like to set up with a PiHole (DNS Blackhole). Would it be possible (and relatively secure) to configure a Raspberry Pi to be a plug and play device to do this? Specifically what I was imagining was a two-step process:

  1. Configure the Pi to automatically perform an ARP spoofing "attack" on all devices on the LAN to intercept traffic headed for the router
  2. From there, do DNS spoofing to blackhole any requests to sites on the blacklist while ignoring non-blacklisted requests

From some searching around, it seems like both of these steps should be fairly straightforward on a simple home network. This question seems to indicate that this is possible, but I'm not a security whiz and was curious if there were good reasons not to do this that I am unaware of or if a better approach exists for this situation.

Zino
  • Why not do it properly? Set up the raspberry pi somewhere near the router (and maybe even powered by the router USB port if any) - and then configure the router to give the PI a DHCP reservation (giving it a static IP), and also set the router to advertise (over DHCP) the DNS server being the raspberry pi IP address? – Darius Apr 26 '21 at 13:30
  • The spirit of the question is that I'm not physically there to do these steps and so I want to be able to mail a little box to a friend and have them plug it in so it "just works". Certainly what you're suggesting is the better approach, but it requires someone willing and able to mess around with their router settings. – Zino Apr 26 '21 at 13:43
  • > "perform an ARP spoofing "attack" on all devices on the LAN" Another problem is that in many home networks the DNS server advertised by DHCP will also be the router's IP address in the LAN. This will probably lead to issues since your raspberry pi may also become the default gateway. A similar scenario would be thinkable for other services provided by the router. – jvda Apr 26 '21 at 13:54
  • Could the DNS issue be resolved by running a DNS/DHCP server in parallel with (or instead of) the DNS spoofing? I am also sort of assuming the user isn't running anything beyond a standard WiFi router that serves as DNS/DHCP server because if they are they're certainly capable of setting up their own PiHole. – Zino Apr 26 '21 at 14:08
  • Yes, you could have a DHCP server running on that raspberry; pihole even ships with a DHCP server. However, since DHCP uses a first-come, first-served approach, you would have to turn off the DHCP server in the router for this to work properly. In that case it would probably be easier to just reconfigure that DHCP server in the router to advertise your raspberrypi IP as the DNS server. – jvda Apr 26 '21 at 15:04
  • Unfortunate -- I assume there isn't any way to automatically interfere with the default DHCP service from the router so that my Pi becomes the one that the clients use? – Zino Apr 26 '21 at 16:09

2 Answers

1

Yes. This is easily done provided that the Pi is in the same Local Area Network. It doesn't matter whether the Pi physically sits in the middle. This post would probably get you going. However, the Pi's network interface may become a bottleneck and slow everything down if traffic is high. If you wanna avoid that and perform only DNS spoofing without first intercepting all packets destined to the router, then I'm afraid @jvda is right: I don't see how you could do it in an easy "plug & play" manner. You may also experience problems with some routers (or wireless access points) that segregate address resolution (ARP) between wireless and wired clients.

0

This isn't easily possible without doing one of these implications:

  • Reconfiguring the DHCP server of your router to advertise that raspberry pi as the DNS server of your local network.
  • Making substantial changes to the network topology. Having the raspberrypi spoof the IP of the router will only work well when you can actually place the raspberry pi "in the middle" between LAN and router. The raspberry pi will have to be configured to forward packets and/or adopt some of the services provided by the router (e.g. serving DHCP requests).

Either of these options requires some adaption of the network equipment or topology. Therefore I think just attaching your raspberry pi in a "plug and play" manner will not easily work.

jvda
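A check for the setup that the first comment and this answer recommend (the router's DHCP server advertising the Pi as the DNS server), as an added example that is not part of the original thread: it parses the UDP payload of a DHCP reply and reports which resolvers clients are being handed. The 192.168.1.x addresses, the function names and the sample packet are constructed for illustration.

```python
import ipaddress

MAGIC_COOKIE = b"\x63\x82\x53\x63"  # marks the start of the DHCP options field (RFC 2131)
OPT_PAD, OPT_ROUTER, OPT_DNS, OPT_SERVER_ID, OPT_END = 0, 3, 6, 54, 255

def parse_dhcp_options(payload: bytes) -> dict:
    """Return {option_code: raw_value} from the UDP payload of a DHCP reply."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        raise ValueError("not a DHCP message")
    options, i = {}, 240
    while i < len(payload) and payload[i] != OPT_END:
        if payload[i] == OPT_PAD:          # single-byte padding, no length field
            i += 1
            continue
        if i + 2 > len(payload) or i + 2 + payload[i + 1] > len(payload):
            raise ValueError("truncated option")
        code, length = payload[i], payload[i + 1]
        options[code] = payload[i + 2:i + 2 + length]
        i += 2 + length
    return options

def ip_list(raw: bytes) -> list:
    if len(raw) % 4:                       # options 3, 6 and 54 are packed IPv4 lists
        raise ValueError("address list length is not a multiple of 4")
    return [str(ipaddress.IPv4Address(raw[j:j + 4])) for j in range(0, len(raw), 4)]

def check_reply(payload: bytes, pihole_ip: str) -> dict:
    """Summarise which DNS servers a DHCP reply hands to clients."""
    opts = parse_dhcp_options(payload)
    dns = ip_list(opts.get(OPT_DNS, b""))
    routers = ip_list(opts.get(OPT_ROUTER, b""))
    server = ip_list(opts.get(OPT_SERVER_ID, b""))
    return {
        "dhcp_server": server[0] if server else None,
        "dns": dns,
        # Any other resolver in the list gives clients a path around the blocklist.
        "dns_is_pihole_only": dns == [pihole_ip],
        "dns_is_router": bool(dns) and set(dns) <= set(routers),
    }

def build_sample_reply(server: str, router: str, dns: list) -> bytes:
    """Constructed DHCPACK payload (not a capture) for trying the check offline."""
    pack = lambda *a: b"".join(ipaddress.IPv4Address(x).packed for x in a)
    opt = lambda code, data: bytes([code, len(data)]) + data
    return (bytes([2, 1, 6, 0]) + bytes(232) + MAGIC_COOKIE + opt(53, b"\x05")
            + opt(OPT_SERVER_ID, pack(server)) + opt(OPT_ROUTER, pack(router))
            + opt(OPT_DNS, pack(*dns)) + bytes([OPT_END]))

if __name__ == "__main__":
    print(check_reply(build_sample_reply("192.168.1.1", "192.168.1.1", ["192.168.1.53"]), "192.168.1.53"))
```

`dns_is_router` being true corresponds to the default case jvda describes in the comments, where the router advertises its own LAN address as the DNS server.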