Pi Hole and Imagenio (Movistar's IPTV)
I’m a big fan of Pi-Hole; it’s been an unconditional ally in the war against ads and user tracking in general. In case you don’t know it: it’s a software bundle of several common UNIX tools that you can run easily on a Raspberry Pi and that provides seamless ad blocking for your whole network, including any web browser on any of your computers, but also mobile devices and all their apps.
Normally, you’d need to install extensions in all your web browsers, on every computer and phone, in order to be free of the annoying ads that clutter most websites. And then there are the apps on your phone: as they don’t run in the web browser, the ad-blocking extension you installed there won’t work with them, so you need something else.
Pi-Hole works by filtering the DNS queries in your network. It can be configured with allow/deny lists of domain names, and it will answer queries (or refuse to) accordingly. By default, Pi-Hole ships with quite an extensive deny list that works in most cases, but you can always adapt it to your needs. More on this later.
Anyway, installing Pi-Hole is quite straightforward: they have the installation instructions on their GitHub page, and the recommended way is just to run this command in the terminal:
curl -sSL https://install.pi-hole.net | bash
And that’s it: you have Pi-Hole installed, right? Well, yes, but if you want to use it you now need to go to every computer in your network and change its DNS server to Pi-Hole, or you can automate that. Besides, being a DNS server (with a deny list), Pi-Hole offers other nice functionality: it can also be a DHCP server.
What’s a DHCP server?
A DHCP server is the one in charge of assigning IP addresses to all the devices in your network. When a friend comes to your home and you give them the WiFi password, their device connects to your network and asks around for a temporary IP address so it can communicate. The DHCP server provides some basic information:
- IP address: “You are going to be 192.168.1.55”
- Network: “Here we all have the prefix 192.168.1.*”
- Gateway: “If you want to talk to the outside, ask this guy: 192.168.1.1”
- DNS server: “If you need to resolve a name, ask this guy: 192.168.1.1”
Usually, the router your ISP provided will be both the gateway and the DNS server, because it simply passes the DNS queries along to the ISP’s DNS servers.
You can change the DHCP configuration of your ISP router so that the IP address of the Pi-Hole is handed out as the DNS server. Or you can disable the DHCP server in your ISP’s router completely.
As mentioned before, Pi-Hole can be used as the DHCP server. By doing so, Pi-Hole knows the names of the devices using its services and produces more useful logs. Also, it’s very likely that Pi-Hole’s capabilities go beyond those of the free router from your ISP.
In any case, now you’ll have different entries for the gateway (it’s still your ISP router) and the DNS server (it should be the Pi-Hole). But the Pi-Hole can’t resolve all the names on the Internet: configured as DNS server it will know the names/IP addresses of your local network, but not those of the whole Internet. You need to configure an upstream DNS server.
The easy way is to look up the upstream DNS servers in your ISP’s router configuration and use those. Or enable any combination of servers in Pi-Hole’s settings (you have about nine default services, from Google to Cloudflare). Or use a DoH proxy, because any of the former options sends naked DNS queries and your ISP (or anyone else looking, for that matter) could see what you are accessing.
DoH (DNS over HTTPS)
DoH or DNS over HTTPS is a workaround to make DNS queries over HTTPS (like normal web pages) so your queries are private: only you and the DNS provider would know the query. Yes, there are other protocols that try to mitigate the provider’s visibility but they are even less commonly used than DoH.
I like to use dnscrypt-proxy for this. It is just a proxy that listens for regular DNS queries and sends them to the upstream server over DoH (or other protocols). The default configuration has a list of public resolvers and will switch to the fastest one available. I found that this list may contain weird servers and some queries didn’t resolve as expected. I ended up limiting the resolvers to Cloudflare (as it’s very well known and less creepy than Google).
One thing to take into account with dnscrypt-proxy is that it must not listen on the default port (53), as that one will be used by Pi-Hole. I changed mine to port 5054 by modifying these files:
- Standard configuration file: /etc/dnscrypt-proxy/dnscrypt-proxy.toml
- Service (socket) configuration file: /etc/systemd/system/sockets.target.wants/dnscrypt-proxy.socket
After installing and configuring dnscrypt-proxy you can go to Pi-Hole’s admin page and change the setting for the upstream DNS server. Instead of selecting one of the default options, enter 127.0.0.1#5054 in the Custom 1 field.
Imagenio (Movistar’s IPTV)
With this configuration you should be fine. Pi-Hole, configured as DHCP server, provides ad-blocking to any new device that joins your network, and with DoH your ISP won’t be able to spy on your web browsing habits and sell them to the highest bidder. Everything should be fine, except if you have a crappy IPTV service like Movistar’s Imagenio.
Shortly after doing all of this, I realized that Imagenio was not working. I checked the logs and saw lots of domain names that could not be resolved, names like cdvr1.wp0.npvr2.imagenio.telefonica.net. If you try to resolve that name with a DNS server that is not Movistar’s you’ll get an error: the whole imagenio.telefonica.net zone is not publicly registered, and only Movistar’s own DNS servers will reply to those requests.
Once the problem is identified the solution presents itself: it’s just a matter of creating a specific forwarding rule for Imagenio’s subdomains. Create a new file /etc/dnsmasq.d/04-imagenio.conf with the contents:
server=/imagenio.telefonica.net/172.26.23.3
server=/26.172.in-addr.arpa/172.26.23.3
Which means: for anything ending in imagenio.telefonica.net, ask 172.26.23.3 (the second line does the same for reverse lookups of 172.26.x.x addresses). 172.26.*.* is a reserved range for local networks (much like 192.168.1.*), which defeats the purpose of DNS being open and inter-operable.
So, the final setup would look like this:
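To see how Pi-Hole’s resolver (dnsmasq) routes queries once this file is in place, here is a small model of its conditional forwarding, added as an example for this post and not part of Pi-Hole or dnsmasq. It assumes the two server= lines above plus the Custom 1 upstream 127.0.0.1#5054 from the DoH section; the file contents and names are constructed copies of the post’s values.

```python
# Added example: model how dnsmasq (inside Pi-Hole) picks an upstream once
# "server=/domain/ip" lines exist in /etc/dnsmasq.d/. It lets you check where a
# name would be forwarded before restarting the service. Contents constructed.
import ipaddress

IMAGENIO_CONF = """
# /etc/dnsmasq.d/04-imagenio.conf (constructed copy of the post's two rules)
server=/imagenio.telefonica.net/172.26.23.3
server=/26.172.in-addr.arpa/172.26.23.3
"""

# Pi-Hole's "Custom 1" upstream from the post: dnscrypt-proxy on port 5054.
DEFAULT_UPSTREAM = "127.0.0.1#5054"


def parse_server_lines(text):
    """Return {domain_suffix: upstream} from dnsmasq 'server=/domain/ip' lines."""
    rules = {}
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("server=/"):
            continue  # comments, blanks and unrelated options are skipped
        _, domain, upstream = line.split("/", 2)
        rules[domain.lower().rstrip(".")] = upstream
    return rules


def upstream_for(name, rules, default=DEFAULT_UPSTREAM):
    """Pick the upstream dnsmasq would use: the longest matching domain suffix
    wins; anything else goes to the default (here the DoH proxy) upstream."""
    labels = name.lower().rstrip(".").split(".")
    # Most specific suffix first: a.b.c -> a.b.c, then b.c, then c
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return default


def ptr_name(ip):
    """Reverse-lookup name a stub resolver sends for an IPv4 address,
    e.g. 172.26.23.3 -> 3.23.26.172.in-addr.arpa (matches the 2nd rule)."""
    return ipaddress.ip_address(ip).reverse_pointer


def iptv_names_stay_private(names, rules):
    """True if none of the IPTV names would be sent to the public DoH upstream,
    where they would fail anyway because the zone is not publicly registered."""
    return all(upstream_for(n, rules) != DEFAULT_UPSTREAM for n in names)
```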
Back in a bit!