Hi, can you suggest how to secure a public Pi-hole? Maybe some iptables rules to prevent DNS amplification, or anything else. Thank you!
In order to protect/secure my Public Pi-hole, I installed fail2ban to block brute-force login attempts. Additionally, I scheduled security updates to be installed automatically every day. Also, I set up ufw to only allow traffic on a handful of ports and deny traffic on all other ports.
With regards to the iptables rules, have a look at my other post here: https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/
Thank you so much for this.
I came across Pi-hole earlier and installed it on my laptop running Ubuntu 16.04 LTS. However, I quickly realized that my laptop acts as a server so once it’s shut down, the devices using the DNS server are unable to connect to the internet.
I tried looking for a solution, tried AdGuard but it’s not as good as Pi-hole, wanted to get a VPS of my own but it’s expensive, then finally found your site. I couldn’t thank you enough!
Please don’t ever close this service hehe. Or if you will, please notify us (the users) in a way. :P Thanks again!
Thanks for the comment! I have no plans to shut it down any time soon. If anything changes, I’ll announce it on my blog :) Enjoy!
Hi there Freek, can you add the Energized filter lists to your Pi-Hole if possible?
Sorry for my ultra delayed reply.
I’ve looked at the Energized filter lists before, but I’m afraid they are a bit too restrictive for daily usage and therefore might break a lot of websites. The audience of my Pi-holes is quite broad, which is why I focus on more general lists, such as the ticketed lists from Wally3k. I’ve also looked at the ‘Ultimate Host Blacklist’ and ‘Block List Project’, but their lists contain many false positives, e.g. ikea.com, debenhams.com and logmein.com, which are all perfectly legitimate websites.
How can I set up a public Pi-hole server? Do you have a tutorial?
Before you set up a Public Pi-hole, please check with your internet service provider or hosting company whether they allow a recursive DNS server on their network… because most will not allow it. This is because public DNS servers are prone to DNS amplification attacks (see my other blog post here: https://freek.ws/2017/03/18/blocking-dns-amplification-attacks-using-iptables/ ). Unless you put some mitigation in place, your Pi-hole will become part of such an attack within days after setting it up. If you really want to proceed, here’s a quick and dirty write-up on how to prepare your server: https://pastebin.com/SvFEssuL . Afterwards, just run the Pi-hole installer as you normally would on your Raspberry Pi :) Good luck!
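The packet-filter mitigation that both replies above point to (rate-limiting port 53 per source and dropping the query type that amplifies best), written out as a small iptables script. This is an added example, not the rules from the linked blog post or the pastebin write-up; the chain name DNS_IN, the limit of 30 queries per second per source with a burst of 60, and the cap of 20 concurrent TCP connections are assumptions to tune for your own client base.

```shell
#!/bin/sh
# Added example: iptables rules that limit how useful a public Pi-hole is as a
# DNS amplification reflector. Not taken from the blog post linked above; the
# thresholds (30 queries/s per source, burst 60, 20 TCP connections) are
# assumptions and should be tuned to the real client mix.
#
# IPT=echo prints the commands instead of applying them (dry run).
IPT="${IPT:-iptables}"
CHAIN="${CHAIN:-DNS_IN}"

dns_amp_rules() {
    # Dedicated chain so the DNS rules can be flushed/reloaded on their own.
    $IPT -N "$CHAIN" 2>/dev/null || $IPT -F "$CHAIN"

    # 1. Drop ANY queries outright. They are the classic amplification vector:
    #    a ~60 byte UDP query can return a multi-kilobyte answer.
    #    QTYPE=ANY (0x00ff) directly followed by QCLASS=IN (0x0001) closes the
    #    question section. --from 40 skips IP (20) + UDP (8) + DNS header (12)
    #    so the pattern is only searched inside the question.
    $IPT -A "$CHAIN" -p udp -m string --hex-string "|0000ff0001|" \
         --algo bm --from 40 --to 65535 -j DROP

    # 2. Per-source rate limit for the remaining UDP queries. A real client
    #    rarely sustains more than a few queries per second; a spoofed victim
    #    address in a reflection attack would otherwise get thousands.
    $IPT -A "$CHAIN" -p udp -m hashlimit --hashlimit-name dns_udp \
         --hashlimit-mode srcip --hashlimit-srcmask 32 \
         --hashlimit-upto 30/sec --hashlimit-burst 60 \
         --hashlimit-htable-expire 60000 -j ACCEPT
    $IPT -A "$CHAIN" -p udp -j DROP

    # 3. TCP 53 cannot be spoofed the same way (handshake), but cap concurrent
    #    connections per source so it cannot be used to exhaust dnsmasq.
    $IPT -A "$CHAIN" -p tcp -m connlimit --connlimit-above 20 \
         --connlimit-mask 32 -j DROP
    $IPT -A "$CHAIN" -p tcp -j ACCEPT

    # 4. Route all port 53 traffic through the chain (remove stale jumps first
    #    so re-running the script does not stack duplicates).
    $IPT -D INPUT -p udp --dport 53 -j "$CHAIN" 2>/dev/null || true
    $IPT -D INPUT -p tcp --dport 53 -j "$CHAIN" 2>/dev/null || true
    $IPT -I INPUT -p udp --dport 53 -j "$CHAIN"
    $IPT -I INPUT -p tcp --dport 53 -j "$CHAIN"
}

case "${1:-}" in
    apply)   dns_amp_rules ;;
    dry-run) IPT=echo; dns_amp_rules ;;
esac
```

Run `sh dns-rules.sh dry-run` to review the generated commands and `sudo sh dns-rules.sh apply` to load them (repeat with `IPT=ip6tables` if the Pi-hole also listens on IPv6, and persist the result with your distribution's iptables-save mechanism). Two caveats: the string match only drops QTYPE ANY, so large TXT or DNSKEY answers still amplify and rely on the rate limit; and a per-source limit does not stop reflection completely, because the spoofed victim still receives up to the permitted rate from your resolver, so keep the limit as low as your real clients allow and re-check with an open-resolver scanner after applying.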
Here is another public Pi-hole hosted in a datacenter
Graphs & Stats: http://pihole.sstomp.nl/admin/
Datacenter Location: Gravelines , France
I noticed an overblocking of alternativeto.net.
Could you please whitelist that domain?
In return, have a look at
for further blocking lists.
Thanks a lot,
Done, alternativeto.net should now be whitelisted.
Thank you, I’ll take a look! I’m also in the process of updating the Pi-hole to the latest version, but this needs some further testing. In the latest version, the Pi-hole team built in native SSL support for the web interface, something I built in myself in the previous versions. Before updating, I need to know whether the installation creates any conflicts with the lighttpd config.
Graphs & Stats not working: “500 – Internal Server Error”
Is the server still running?
Hi! The service is still running, yes. I tried to fix the graphs and stats yesterday, but there seems to be some issue with lighttpd. Due to the holidays, I won’t be able to fix it before Christmas, but the DNS resolution still works :) Kind regards.
Please read this short message regarding the current (stability) issues with the free public Pi-hole service: https://freek.ws/2018/01/23/stability-issues-public-pi-hole-service/
I have configured my ddwrt routers dnsmasq to use your pi-hole server.
Is it normal that Youtube in-video ads still display?
Thanks for your comment. YouTube ads are really hard to block. I found that pi-hole blocks the ads during the video (which are the most annoying ones anyway) but the initial advert is not blocked. Packet captures have shown the initial advert is served from youtube.com so I can’t block that anyway.
Hi, very good idea, your Pi-hole server for the internet, but actually the DNS server is not running. I have the same problem with my Pi-hole Raspberry Pi. Eventually you must update the OS?
My Public Pi-hole is back (up)…. And it’s stronger than ever!
I’ve setup a secondary node in the UK for redundancy, as well as adding 7 new ad-lists and a status page to communicate with you guys about outages and scheduled maintenance. For more information, please visit: https://freek.ws/public-pi-hole/
Thank you for your continued support. Enjoy!
Thank you for making this service available.
I wish to let you know that the Twitter page is not displaying any images correctly when I point my system to your Pi-hole setup. I think it’s just a case of putting it on the whitelist.
Everything else is OK and fast, thanks.
Thanks for your feedback!
I have made a small adjustment to the whitelist, could you please try again and check if the images on Twitter load correctly now? If not, please send me an example link so that I can check it out.
I just made some tests on Twitter and now everything is OK there, all images loading correctly.
Great to hear! Thanks for your feedback
what is your source DNS ? if you use 184.108.40.206 it supposedly blocks malware… just curious.
Thanks for your message.
I’m using DNS.watch DNS servers. For more information, checkout https://dns.watch .
I am also using anti-malware filtering lists in my Pi-hole. I like full control of the DNS queries, so I’d rather filter them myself instead of having a third party pre-filter them already. Saves a lot of headache while debugging some resolver issues :)
Would it be useful to enable Privoxy, in addition to using your Pi-Hole DNS, at the router level?
I think it might be a bit of overkill, since the blacklists I use also contain hostnames to block tracking etc, but you are free to use it of course. Let me know the results!
Thank you so much for this!
I am trying to use your public pihole server. It’s wonderful!
Actually, I am trying to deploy the Pi-hole on Google Cloud Platform. I am running VMs and installed Pi-hole without problems.
The public ip addr is: 220.127.116.11
Default gateway: 10.142.0.1/24
But the problem is that I couldn’t use my Pi-hole as a DNS server and am stuck at that point!
I ran pihole -d:
[?] IPv4 address(es) bound to the eth0 interface:
10.142.0.2/32 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-ipv6
18.104.22.168/32 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/use-
[?] IPv6 address(es) bound to the eth0 interface:
fe80::4001:aff:fe8e:2 does not match the IP found in /etc/pihole/setupVars.conf (https://discourse.pi-hole.net/t/
^ Please note that you may have more than one IP address listed.
As long as one of them is green, and it matches what is in /etc/pihole/setupVars.conf, there is no need for conce
The link to the FAQ is for an issue that sometimes occurs when the IPv6 address changes, which is why we check fo
[i] Default IPv4 gateway: 10.142.0.1
* Pinging 10.142.0.1…
[?] Gateway did not respond. (https://discourse.pi-hole.net/t/why-is-a-default-gateway-important-for-pi-hole/3546)
Hi! Check if port 53 is open/allowed in your firewall. Kind regards.
Hey, how do you go about enabling SSL as I see you did? I’ve tried and I got it working but I wasn’t getting a block page. Do you have a sample of your lighttpd config files or a tutorial on how to do it? My pihole is at 22.214.171.124 in U.S.A, Iowa, Google Cloud and plans are to be public. It is 3:16 P.M. here in Minnesota.
Freek, how do I enable SSL on the admin interface? Thanks!
Here is my current Public Pi-hole Service for the USA and as a backup to Freek’s users if his goes down, as I check the status of mine every day, and get alerts if they go down.
DNS A: 126.96.36.199
Location: Iowa, USA
DNS B: 188.8.131.52
Location: Iowa, USA
DNS C: NOT AVAILABLE
Location (Planned): Frankfurt
GDPR Compliant as
All Pi-holes have Google SafeSearch enabled, as well as OpenDNS blocking adult content on the Low setting. YouTube ad-blocking is experimental and it may be slow at times. Leave feedback at my email: jaykepeters at gmail.com, I am still working on my website and there is NO Help Desk at https://support.jpits.us, but will be available soon…
All of this is hosted on Google Cloud Platform for the Public.
Ehm, does it make sense to host a DNS server to prevent ads and tracking at the biggest brother watching you?
Update: Server B has been suspended. Also, if you are having issues or need a domain whitelisted, please contact me at jaykepeters at gmail dot com. I will be more than willing to fix the problem.
Please email me if you want to be notified of the transition to DigitalOcean.
For Future Updates and all communication therefore will be available at:
You can access the pi-hole at https://pi-hole.jpits.us/admin
Hi there!
I was using these DNS servers and until yesterday they were working fine. Today I got ads.
I configured my Linux client:
$ cat /etc/resolv.conf
# Generated by NetworkManager
Also cleared Chrome cache at chrome://net-internals/#dns
This page reports that ad blocking is not working: https://blockads.fivefilters.org/?pihole
Sorry for my delayed reply.
Are you still encountering issues? Currently there are no issues known on my end.
So I’ve entered 184.108.40.206 as DNS on my smart TV.
It seems that ads are blocked but not scripts. So if I click on some site on my TV it still opens pages. They don’t load and give an error, but it’s kind of annoying. Is this the way it’s supposed to be, or am I doing something wrong?
Could you please elaborate a bit more to which scripts you are referring to?
If you’re referring to, for example, popup ads; the script invoking the popup itself won’t be blocked, but the website the popup is trying to display will be blocked and show up as a blank page or ‘connection timeout/refused’ (depending on how smart your TV is).
Yes, those are the scripts I was talking about.
The annoying thing is I can’t set my TV browser not to switch to the newly opened page, so I have to close or switch through all of them to return to my page.
Some ads still load, but I think it’s because they are regional ads and they are not on the ad blocking list.
Anyway, the TV browser runs smoothly now as no ads are loaded anymore.
Before using your public Pi-hole, the TV crashed most of the time from ads and popups.
Thanks for your reply.
It could very well be that these are regional/country specific ads that are not on the big ‘general’/universal ad blocking lists. I’ll add looking into country specific EasyList adblock lists to my to-do list, but it will take a while before I have time to do so.
Currently my top priority is to migrate both Pi-holes to Docker images so I can automate the update process using Watchtower and fix the SSL issue on the NL node.
Thanks for your feedback!
I’m not too literate on DNS, but I have used your servers for a few months now and all has worked well.
However, a few days ago a problem started with the BBC News homepage. I’m in the UK and used to get the UK News homepage, but now I get the North American one. By changing back to my ISP DNS all is well, but when switching back again I get the American one once more.
Any ideas what Is wrong?
I think one of your DNS servers is down (pihole-nl).
Can you check?
Thanks for your service, it’s great, been using it for the past 3 days.
Port 53 is not opened on 220.127.116.11
Have you ever think to change the DNS resolvers to Cloudflare or Quad9? I think they are faster than DNS Watch and also offer DNSSEC.
Btw, stats for the NL Pi-hole are not working anymore and the memory usage for the UK one is currently 81.4%. It is also asking for an update (current version 4.0 vs new version 4.2.3).
Regards and thanks for your amazing work!
amz.to also is blocked on your piholed dns
Hello, maybe a very stupid question. Can I enter this Public Pi-hole IPv4 address (18.104.22.168)
as a static DNS address in my router? Or is this only possible on the client (PC) side?
How can I configure an Android phone’s DNS servers? (version 9)
You can do it for Wi-Fi connections only. For data connections, you need to set up a VPN.
What do you mean??? The new feature from Android Pie, “Private DNS”, is only for Wi-Fi connections?? :(
In Google Play Store look for “dnspipe” App.
You can set up nginx to forward all DNS over TLS requests to Pi-hole: https://www.aaflalo.me/2019/03/dns-over-tls/
I have a private server and can confirm it works flawlessly.
Thank you very much for the DNS server. This is just amazing. However, Graphs & Stats: https://pihole-NL.freek.ws/admin/
Is not reachable. Does it mean it’s down?
Hi, can you please add the DNS provider hostname to your post. It’ll be helpful for mobile device users running Android 9 or later. As we can’t always modify the router, but we can add this to our phone and start blocking ads on our device.
Thank you for your time and consideration.
I tested the DNS 22.214.171.124 with openresolver.com and it states: Open recursive resolver detected on 126.96.36.199
IP address 188.8.131.52 is vulnerable to DNS Amplification attacks.
Is it really vulnerable?
Hi Freek :)
Could it be that something is wrong with your pihole(s)?
Since yesterday I’m seeing delays in DNS response time, even timeouts.
When trying to access the web interface of your UK pihole, Safari tells me that the connection is insecure, which was never the case before…
The NL server never loads the UI, which has been the case for months now.
Also your general status page is said to be insecure, which led me to the assumption that something might be messed up ;)
Last week some annoying stuff happened.
My smart TV cannot connect to the internet anymore while using your DNSes. I have to switch back to auto, turn the TV on/off, switch back to manual and enter your Pi-hole DNS; it works for a couple of hours, maybe days, then it happens again.
Don’t know if you played with pihole settings.
Just letting you know
After I got interested in the subject I have some questions, could you help me?
public pihole versus private in combination with anonymous internet use.
If I would install my own Pi-hole on a Raspberry Pi device connecting to a recursive DNS server installed on the same Pi device, assume everything works OK. And I would connect a client laptop with an OpenVPN client to an external VPN provider on the other side of the world, where I would integrate my own privately configured Pi-hole running at home in the OpenVPN client’s file, so that I am connected to my VPN provider’s server, receive the IP address given by my VPN provider, but for DNS I configured it to connect to my own Pi-hole. If, in that scenario, I would go to dnsleaktest.com, what would I see for my DNS server? My home router’s IP address?
To put it easier, would there ever be a point in setting up a private pihole at home, if you want to be anonymous on the net by using a vpn provider service and connect to that service in first place ?
Will an integrated dns route pointing to your pi device show your routers public ip?
If so, would a possible solution be to configure that same Raspberry device with Pi-hole, connect it to your router, but in the Pi-hole admin config choose as upstream DNS server the public DNS server of your VPN provider instead? (assume that DNS is free to use for clients and non-clients) … This, to have 1. a VPN connection and receive an IP from your VPN provider, 2. control over your own Pi-hole logs, 3. your private Pi-hole integrated without exposing its physical IP address from within your VPN connection’s config to the outside world…?
pfffff. having privacy is difficult these days….,why don’t we simply pull the plug? :)
This is super awesome and generous of you. Would it be okay if I were to create an https over dns config file hosted somewhere? Or perhaps you could do it if you have time or wanted to?
Feel free to create one and share the link here, so that others can benefit from it as well :)
I got it up and running on an Azure VM, but I need a different domain and I need to figure out how to keep it always running. I also have it running on a small instance, so it probably can’t handle the bandwidth and other stuff.
Works well – hi from Australia
This might not mean much, but I just wanted to thank you for offering this service to the public. I run my own pihole at home, but when I’m away from home, I get extremely annoyed with all the ads again. I can’t afford much right now, but if you got Venmo, I’ll buy you a beer! Thanks again!
P.s. second post because I accidentally replied to someone else’s post instead of creating a new one… I think…
Thanks for your comment :) You’re welcome!
(sorry to post it again, I posted it as a reply and not as a new comment)
Hello Freek! Thanks a lot for this service, I’ve been using it for months now.
I have a repo for blocking ads; I try to block as many ads as possible, for instance the Twitch ads that are quite difficult to block, but my repo blocks them all.
I will leave it here if you are interested in checking it out and if you wanted to add it to this service. I don’t know if it has to be a different format for the Pi-hole, but I can create it if you want.
if not, its here for the interested ones.
Thanks for sharing! I currently use the massive, all-in-one, dbl.oisd.nl blocklist. Perhaps you can contact its author to include yours?
This is a really awesome solution since i don’t own my own pi or have a speedy connection (upgrading soon :D) to use my old pc as the server as of now. Thanks for this!
You’re welcome :) !
can’t check stats.
The Public Pi-holes have moved! Please visit their new home at Public-Pihole.com :)
Anyone has a how to, for securing pi-hole for DNS amplification attacks?
I made a blogpost about this a while back, but it’s out of date. I really need to update it… some day.
For now you can use these directions, they should work as well: https://www.marek.tokyo/2019/02/securing-pi-hole-with-fail2ban-to.html
I suggest removing the A query from the custom filter, as amplification attacks usually only focus on ANY queries.
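The signal that the fail2ban-based directions linked above key on (repeated queries from one source in Pi-hole's dnsmasq log), and the reason for the comment about dropping the A-query pattern, as an added shell example rather than the linked post's filter. The log lines are constructed in the dnsmasq format Pi-hole writes to /var/log/pihole.log; counting only query[ANY] is deliberate, since query[A] is what every normal client sends and banning on it would lock out real users.

```shell
#!/bin/sh
# Added example: find amplification candidates in Pi-hole's dnsmasq query log.
# Not the fail2ban filter from the linked post; it shows the same signal
# (repeated ANY queries from one source) so a log can be checked before a
# ban rule is written.
#
# Constructed sample of /var/log/pihole.log lines (dnsmasq format):
#   <date> dnsmasq[pid]: query[TYPE] <name> from <client ip>
SAMPLE_LOG='Jan 23 10:15:01 dnsmasq[812]: query[A] www.example.com from 192.0.2.10
Jan 23 10:15:01 dnsmasq[812]: query[AAAA] www.example.com from 192.0.2.10
Jan 23 10:15:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.7
Jan 23 10:15:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.7
Jan 23 10:15:02 dnsmasq[812]: query[ANY] isc.org from 203.0.113.7
Jan 23 10:15:03 dnsmasq[812]: query[ANY] isc.org from 203.0.113.7
Jan 23 10:15:03 dnsmasq[812]: query[A] cdn.example.net from 192.0.2.10
Jan 23 10:15:04 dnsmasq[812]: query[ANY] example.org from 198.51.100.4'

# any_query_offenders THRESHOLD   (reads log lines on stdin)
# Prints "count ip" for every source that sent at least THRESHOLD ANY
# queries, highest count first. Only query[ANY] is counted: the A/AAAA
# lines from 192.0.2.10 above are normal traffic and never appear.
any_query_offenders() {
    threshold="${1:-3}"
    awk -v thr="$threshold" '
        # $5 is the query type field ("query[ANY]"), $NF the client address.
        $5 == "query[ANY]" { n[$NF]++ }
        END {
            for (ip in n) if (n[ip] >= thr) printf "%d %s\n", n[ip], ip
        }' | sort -rn
}

# Runs the detector over the constructed sample (used by the demo below).
demo_offenders() {
    printf '%s\n' "$SAMPLE_LOG" | any_query_offenders "${1:-3}"
}

# Live use: pick a threshold a real client never reaches in the window you
# look at, e.g. over the last 5 minutes of the log:
#   any_query_offenders 50 < /var/log/pihole.log
# and hand the addresses to iptables or fail2ban.
case "${1:-}" in
    demo) demo_offenders "${2:-3}" ;;
esac
```

`sh any-offenders.sh demo` prints `4 203.0.113.7`: the host that sent four ANY queries for isc.org (a name with a large ANY answer) while the client that only sent A and AAAA lookups stays invisible. Keep in mind that with a spoofed reflection attack the "from" address is the victim, not the attacker, so anything you ban on this basis should be a rate-limited block that expires, not a permanent one.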
The best fix is to only allow a specific IP to connect to port 53. This can be easily done with iptables, but for home use it becomes evident that you will have to change “that” IP from time to time. I use this method for the company I work for, as they have a static IP and so it never changes.
Another solution would be to limit bursts per IP. That is, passing all packets through a filter that drops them if more than a maximum number of packets per second comes from a single IP. This mitigates the problem and usually does not affect other users. Tutorials like this one are really great: https://making.pusher.com/per-ip-rate-limiting-with-iptables/ (I made a very good script some time ago from this source)
But personally, for home use I would set up Pi-hole locally, or in the first case you could create a script that changes the IP, like a dynamic DNS.
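The "script that changes the IP, like a dynamic DNS" idea from the comment above, written out as an added example (not the commenter's own script): it resolves a dynamic DNS name for the home connection and swaps the single iptables ACCEPT rule for port 53 when the address changes. The hostname home.example.org, the state file path and the cron schedule are assumptions.

```shell
#!/bin/sh
# Added example (not the commenter's script): keep an iptables allow-rule for
# port 53 in sync with a dynamic DNS name, so a home connection whose public
# address changes can still be the only client of a remote Pi-hole.
# Assumptions: the home router registers HOME_HOST with a DDNS provider, this
# runs from cron on the Pi-hole box, and the INPUT chain already ends with a
# rule dropping port 53 from everyone else. IPT=echo gives a dry run.
HOME_HOST="${HOME_HOST:-home.example.org}"          # assumed DDNS name
STATE_FILE="${STATE_FILE:-/var/lib/pihole-allow.ip}" # last address applied
IPT="${IPT:-iptables}"

# Strict dotted-quad check: a DDNS lookup that returns garbage (or an attacker
# controlled record) must never be spliced into an iptables command.
is_ipv4() {
    printf '%s\n' "$1" | awk -F. '
        NF != 4 { exit 1 }
        { for (i = 1; i <= 4; i++)
              if ($i !~ /^[0-9]+$/ || $i > 255 || $i ~ /^0[0-9]/) exit 1 }
        { exit 0 }'
}

# Resolve the DDNS name via the system resolver (no dig needed).
resolve_home() {
    getent ahostsv4 "$HOME_HOST" | awk 'NR == 1 { print $1 }'
}

# Replace the ACCEPT for OLD by one for NEW. Insert the new rule before
# removing the old one so the home network is never locked out in between.
swap_allow_rule() {
    old="$1"; new="$2"
    $IPT -I INPUT -p udp --dport 53 -s "$new" -j ACCEPT
    $IPT -I INPUT -p tcp --dport 53 -s "$new" -j ACCEPT
    if [ -n "$old" ]; then
        $IPT -D INPUT -p udp --dport 53 -s "$old" -j ACCEPT
        $IPT -D INPUT -p tcp --dport 53 -s "$old" -j ACCEPT
    fi
}

update_allow() {
    new="$(resolve_home)"
    if ! is_ipv4 "$new"; then
        echo "lookup of $HOME_HOST failed, keeping current rule" >&2
        return 1
    fi
    old=""
    [ -r "$STATE_FILE" ] && old="$(cat "$STATE_FILE")"
    if [ "$old" = "$new" ]; then
        return 0            # unchanged; cron calls this every few minutes
    fi
    swap_allow_rule "$old" "$new"
    printf '%s\n' "$new" > "$STATE_FILE"
}

# Cron entry (assumed path):  */5 * * * * /usr/local/sbin/update-allow.sh run
case "${1:-}" in
    run) update_allow ;;
esac
```

The state file is what lets the script delete the previous rule, so if you ever flush the firewall by hand, remove the state file as well or the next run will try to delete a rule that no longer exists. A DDNS record is only as trustworthy as the account that updates it; if that account is compromised, the attacker can point your Pi-hole's allow-rule at themselves, which is why the is_ipv4 check rejects anything that is not a plain address, and why this is still weaker than a VPN into the Pi-hole's network.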
A commendable service if genuine but this is such a bad idea for so many reasons.
Dns poisoning and blackmail are but the tip of the iceberg…
blackmail, really – i sell tinfoil hats if you need one.
All FreekWS Pi-holes are vulnerable to DNS amplification attacks.
No matter which open resolver test you try, each test immediately recognizes that the offered DNS forwarders (Pi-holes) of FreekWS are badly insecure against amplification attacks.
Hi Manuel. Could you please elaborate a bit more on which tests you’ve used? Naturally, every Open Resolver test will report that the Public Piholes are an open resolver, as that’s exactly what they are…
Here are two new public Pi-hole DNS servers, both updated regularly.
It’s only just been up as of 09/02/2020. Feel free to use it.
I forgot to add if anyone wants sites blacklisting or white listing reply here.
I have removed the IP addresses of your Pi-holes from your comment because they were down at the time of checking.
Moreover, I cannot vet, and therefore do not want to appear to vouch for, public DNS servers hosted by individuals I do not know.