Pi-Hole on Lightsail with 5 Million Blocked Sites

I decided to take my own advice and deploy Pi-Hole on Amazon LightSail. I made a couple of changes to the deployment that make it easier and more efficient. The changes make it more secure and expand its scope to include all of the blocklists from University of Toulouse. That brings the total of blocked sites to almost 5 Million!

Lightsail vs EC2

I had been using instances on EC2 but they just weren’t reliable. The instances of t2.micro and t2.nano both work fine for Pi-Hole. But EC2 instances are much harder to deploy and manage and in my experience they tended to simply vanish. One day they would be running great and the next day they were simply gone. If anyone has insight into why this tends to happen I’d love to hear about it. Clearly the solution is implementing higher level monitoring and failover, snapshots, and storage backup. But that all costs extra and why bother when LightSail is so damn easy?!?

LightSail is just so easy, cheap, and reliable (No, this is not an ad). And, given the price point of the t2.nano and the smallest instances in LightSail, I’d say they are really the same compute behind the interfaces. The article suggests deploying VPN to increase security at both ends. To avoid having to deploy a VPN service and configure it on each device in your home, just configure the LightSail firewall to only allow traffic from your home. The red rectangles below show examples of how to enter your local ISP WAN address as the only allowed source. In theory your WAN IP address changes, but in reality it is rare for your ISP to change your WAN address. After all, that would just complicate tracking and reselling everything you do online!

Networking Settings for your LightSail instance

5 Million Blocklist Entries

The blocklists from the University of Toulouse (in France) are the standard-bearer in my experience. The exception is the advertiser blocklist that comes with Pi-Hole (from Steven Black), but why not have a choice? The Toulouse lists give you access to blocking all sorts of content that increases security, like Malware, Phishing, StalkerWare, CryptoJacking and more. It also allows you to fine tune your blocking for the little ones (or older ones) in your home. Prevent access to Social Media, Forums, Dating, Celebrity Sites, Blogs, Manga, and more. Did I mention Porn? Toulouse has the definitive Porn blocklist with millions of entries. In fact, when you see commercial offerings for DNS Filtering and content blocking, they likely started with the Toulouse lists.

The Toulouse blocklists aren’t immediately usable in Pi-Hole so I’ve created links you can use to add to your instances (in the cloud or at home) of Pi-Hole. I’ll update them monthly so that the Pi-Hole update engine (Gravity) will grab them automatically. I have them hosted at Amazon S3 and the URLs can just be added to your Pi-Hole server via the Web Interface. Just copy and paste the URLs into the Address Bar, name them in the comment section, and press Add.
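As an added example (not the author's conversion, which the post does not show), here is a small Python converter that turns Toulouse-style entries into the domain-per-line format Pi-Hole's Gravity accepts as an adlist. The sample entries are constructed, and the assumption that a category ships a `domains` file of bare hostnames and a `urls` file of host/path entries is mine.

```python
import re
from typing import List, Optional
from urllib.parse import urlsplit

# Constructed sample in the shape of one Toulouse category export (assumption:
# a "domains" file of bare hostnames and a "urls" file of host/path entries).
# None of these values are copied from any real list.
SAMPLE_DOMAINS = """\
# comment line that must be skipped
Ads.Example.com
tracker.example.net
ads.example.com
192.0.2.5
"""

SAMPLE_URLS = """\
cdn.example.org/banners/
example.co.uk/ads/click?id=1
http://beacon.example.com/pixel.gif
not a domain!!
"""

# Hostname syntax: dotted labels, alphabetic TLD, 253 chars max.
_HOST_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$"
)


def _hostname(entry: str) -> Optional[str]:
    """Reduce one list entry to a lowercase hostname; None if unusable.
    Comments, IP literals (not DNS names) and junk are dropped, URL paths
    and query strings are stripped because Pi-Hole only sees the name."""
    entry = entry.strip()
    if not entry or entry.startswith("#"):
        return None
    # urlsplit only recognises a host when a scheme is present.
    if "://" not in entry:
        entry = "http://" + entry
    host = (urlsplit(entry).hostname or "").rstrip(".")
    return host if _HOST_RE.match(host) else None


def to_pihole_domains(*lists: str) -> List[str]:
    """Merge any number of list texts into a deduplicated, sorted
    domain-per-line list ready to be hosted and added as an adlist."""
    hosts = {h for text in lists for line in text.splitlines()
             if (h := _hostname(line))}
    return sorted(hosts)


if __name__ == "__main__":
    print("\n".join(to_pihole_domains(SAMPLE_DOMAINS, SAMPLE_URLS)))
```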

Adlist options in the Pi-Hole Web Interface

Pi-Hole Blocklist Links

So here are links you can add to your instance for Pi-Hole Blocklists based on the Toulouse Blocklists. Just copy and paste the URLs below like in the image above. If you wonder what the categories mean specifically, just check out the Toulouse site for explanations. As I mentioned above, I will be updating them monthly for my own instances.

Redirector Sites: https://cogtropolis-pihole-lists.s3.us-west-2.amazonaws.com/redirector/domains.txt
Social Media: https://cogtropolis-pihole-lists.s3.us-west-2.amazonaws.com/social_media/domains.txt

Pi-Hole Blocklist Caveat

Here’s a little unexpected surprise: one of the entries in the Toulouse advertiser blocklists will block your login to AWS! I haven’t had time to dig into specifically just which domain/url is the offender. However, AWS is obviously using a shared resource for their login experience and user tracking. Go figure.

One other little note to keep in mind: Pi-Hole really only works with resolvable domain names. Pi-Hole has no say over traffic that never asks it to resolve a name. Therefore, if your kids are smart enough to manually resolve a domain name and then simply enter an IP address, they can skirt any Pi-Hole blocklist items. It also means that any malware, phishing, or viruses that don’t rely on domain resolution will also fail to be blocked. On the other hand, Pi-Hole is transparent and requires no configuration like a proxy does. So, keep your audience (users) in mind and the overall level of security you have in place in your environment. If you want foolproof web filtering and URL blocking, check out IPFire.