Ad-Blocking at the DNS server

Prerequisites

  • Ubuntu 16.04
  • Machine or VM with accessible port 443/80 (will not work in container without extra steps)
  • Local terminal or SSH access
  • Upstream DNS/DHCP server (not using PiHole for this)

On the DHCP server, set a reservation for the PiHole host so its IP address doesn't change. For pfSense this is done with a DHCP static mapping (reservation).

Install PiHole

Note: Piping scripts to bash is a terrible idea; examine the script before executing this command.
curl -sSL https://install.pi-hole.net | bash

Check admin interface

Visit the URL shown in the console after the install (usually https://yourIP/admin/). Note that the UFW rules below reject port 443 and only open port 80 for the web admin, so once the firewall is enabled use http:// from the LAN.
You will need the password.

Configure on Pihole

The DNS forward/lookup server is your normal router/gateway box (for example: 192.168.1.1).
My setup is a bit different than the recommended setup, as I use the upstream gateway for resolution and not one of the built-in DNS options (Google, Quad9, et al.).

If you'd like the clients to be identified by their DNS names, uncheck the following options:

  • Never forward non-FQDNs
  • Never forward reverse lookups for private IP ranges

For additional domain validation (if supported upstream), check:

  • Use DNSSEC

I exclude my local network domain from appearing in the web UI [under what option]. This prevents local network chatter from making the top domain lists useless.

Setup UFW to allow PiHole and deny everything else

Change the IP ranges below to match your internal network

# configure firewall for PiHole; run the commands in order and check that each one succeeds
# default policy: drop all inbound traffic that is not explicitly allowed below
sudo ufw default deny incoming
# allow SSH admin from LAN
sudo ufw allow from 192.168.1.0/24 to any app OpenSSH
sudo ufw allow from 192.168.2.0/24 to any app OpenSSH
# reject (not silently drop) HTTPS so blocked ad requests fail immediately instead of timing out
sudo ufw reject https
# allow Pihole web admin (port 80) from LAN
sudo ufw allow proto tcp from 192.168.1.0/24 to any port 80
sudo ufw allow proto tcp from 192.168.2.0/24 to any port 80
# allow DNS traffic (udp and tcp) from LAN
sudo ufw allow from 192.168.1.0/24 to any port 53 proto any
sudo ufw allow from 192.168.2.0/24 to any port 53 proto any
# allow FTL pihole engine (port 4711) from LAN
sudo ufw allow from 192.168.2.0/24 to any port 4711 proto tcp
sudo ufw allow from 192.168.1.0/24 to any port 4711 proto tcp
# enable firewall
sudo ufw enable

Reload firewall if needed

sudo ufw reload

Port notes

DNS traffic uses port 53 (UDP and TCP), the web interface uses port 80, and FTL uses port 4711. FTL may change, or may not be needed except on localhost; this still needs to be tested.
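As an added check (not part of this guide), the following Python script parses the output of `sudo ufw status` on the PiHole host and compares it with the policy above: DNS, web admin and SSH reachable only from the LAN ranges, and HTTPS rejected. The status text embedded below is a constructed sample in the shape of that command's output; on the real host, feed it the actual output.

```python
import re

# Constructed sample in the shape of `sudo ufw status` output on the PiHole host;
# on the real machine, replace it with the actual command output.
SAMPLE_STATUS = """\
Status: active

To                         Action      From
--                         ------      ----
OpenSSH                    ALLOW       192.168.1.0/24
OpenSSH                    ALLOW       192.168.2.0/24
443/tcp                    REJECT      Anywhere
80/tcp                     ALLOW       192.168.1.0/24
80/tcp                     ALLOW       192.168.2.0/24
53                         ALLOW       192.168.1.0/24
53                         ALLOW       192.168.2.0/24
4711/tcp                   ALLOW       192.168.2.0/24
4711/tcp                   ALLOW       192.168.1.0/24
443/tcp (v6)               REJECT      Anywhere (v6)
"""
LAN = {"192.168.1.0/24", "192.168.2.0/24"}  # adjust to your internal ranges

# one rule line: "<to> [ (v6)]   ACTION [IN|OUT]   <from>"
RULE_RE = re.compile(r"^(\S+(?: \(v6\))?)\s+(ALLOW|DENY|REJECT|LIMIT)(?: (?:IN|OUT))?\s+(.+?)\s*$")


def parse_ufw_status(text):
    """Return (active, rules); rules is a list of (to, action, from) tuples."""
    active = "Status: active" in text
    rules = [m.groups() for m in map(RULE_RE.match, text.splitlines()) if m]
    return active, rules


def audit(text, lan=LAN):
    """Return a list of findings; an empty list means the rule set matches the policy."""
    active, rules = parse_ufw_status(text)
    findings = [] if active else ["firewall is not active"]
    ipv4 = [r for r in rules if "(v6)" not in r[0]]  # IPv6 rules are out of scope here

    def sources(to, action):
        return {src for t, a, src in ipv4 if t == to and a == action}

    # DNS, web admin and SSH must be reachable from the LAN ranges and nowhere else
    for to, label in (("53", "DNS"), ("80/tcp", "web admin"), ("OpenSSH", "SSH")):
        allowed = sources(to, "ALLOW")
        if allowed - lan:
            findings.append(f"{label} ({to}) allowed from outside LAN: {sorted(allowed - lan)}")
        if lan - allowed:
            findings.append(f"{label} ({to}) missing allow for: {sorted(lan - allowed)}")
    # HTTPS must be rejected (not silently dropped) so blocked ad requests fail fast
    if "Anywhere" not in sources("443/tcp", "REJECT"):
        findings.append("443/tcp is not rejected")
    return findings
```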