Pihole and Cloudflare Gateway Event

Pre-work Guide

Revisions

  • 07/19/2021 Minor revisions - clarification of steps on DNS requirements

  • 07/17/2021 First Version Published

Overview

Hello and thanks for signing up for the Pi-hole and Cloudflare Gateway Event!

Why do we need to do prework?

To ensure we can get straight to the task-at-hand, we ask that you take a few minutes to do a few steps before the event.

The following is a summary of the steps required during the pre-work exercise:

  1. Create a Cloudflare account

  2. Select an existing domain or register a new domain

  3. Add a Site to Cloudflare - Making Cloudflare Authoritative for your Domain

  4. Assemble your Raspberry Pi

  5. Download and install Raspberry Pi OS

  6. Configure Network Settings

  7. Update Raspberry Pi OS

Not too bad, right?

If you do not already have a domain you are willing to bring over to Cloudflare, we ask that you please register one. We wish it weren’t the case, but there is typically a fee associated with domain registration ($12 to $20); however, there are free domain registrars available. More information is available in the Domain Registration and Authoritative DNS section.

HELP!

At any point, if you run into any issues or have questions, please contact us at:

cloudflare-gateway-pihole-support@cloudflare.com

Please right-click and choose Open in New Tab when selecting any of the embedded links

Cloudflare Account (Required)

The first step along the way is creating a Cloudflare account. How exciting!!! Really…it’s pretty incredible what you get for free!

Creating a Cloudflare account and adding a website

NOTE - The title of the link above includes “adding a website”, which is a little confusing. You will not be hosting a website on Cloudflare. In fact, aside from our JAMstack platform Cloudflare Pages, Cloudflare does not host websites. Cloudflare is a CDN and provides performance, security, and reliability for web applications, but we are not a hosting provider.

Some additional background information:

How does Cloudflare work? – Cloudflare Help Center

How to Create an Account on Cloudflare

The process of creating an account on Cloudflare couldn’t be easier!

  1. Navigate to https://dash.cloudflare.com/sign-up

  2. Provide an email address and password

  3. Confirm the email you received

Don’t proceed through the ‘Add a Site’ step yet. We’ll get to that part soon!

DNS

As DNS resolution is at the core of this exercise, we need to ensure that Cloudflare is your authoritative DNS provider.

You have one of two options:

  1. If you already have a domain, you can use it with Cloudflare simply by updating the NS records with your current registrar

  2. If you do not have a domain, or if you do not want to transfer an existing domain to Cloudflare, you will need to register a new domain

Keep in mind that there are two aspects to domain management:

  • Domain Registration - the organization that is responsible for helping you select and register your domain name

  • DNS Resolution - in order to resolve hostnames to IP addresses, a DNS server must be authoritative for your domain

Cloudflare as your Authoritative DNS

Since you’ll be using Cloudflare’s Free Plan for this exercise, Cloudflare needs to be the authoritative DNS provider.

Cloudflare Plans

Customers on our Business and Enterprise plans have another option known as a Partial Setup (a.k.a. CNAME setup), but that topic is outside the scope of this exercise.

Adding a Site to Cloudflare - Making Cloudflare Authoritative for an Existing Domain (Required)

As mentioned earlier, since we will be using Cloudflare’s Free plan for this exercise, Cloudflare must be authoritative for your domain.

The required steps are:

  1. Add a Site (DNS Zone) to Cloudflare via the Cloudflare Dashboard

  2. Add DNS records to Cloudflare

  3. Update the nameserver records via your current registrar to reflect the Cloudflare assigned nameservers

Changing your Domain Nameservers to Cloudflare

Head back to the Creating a Cloudflare account and adding a website documentation and follow the instructions in the Add a Domain to Cloudflare section.

When you get to the page where you are asked to select a plan, please choose the FREE plan (below Pro/Business/Enterprise).
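
Once the nameservers are updated at your registrar, you can confirm that nothing from the old provider is still listed. The following is an added example, not part of the original guide; it assumes the assigned nameservers are hostnames under ns.cloudflare.com, and the sample names are constructed:

```sh
#!/bin/sh
# Added example (not from the original guide): confirm the delegation moved.

# Reads nameserver hostnames on stdin, one per line, as `dig +short NS` prints
# them. Prints every name that is not under ns.cloudflare.com and returns 1 if
# any is found or if the list is empty; returns 0 when all are Cloudflare's.
non_cloudflare_ns() {
    awk '
        NF == 0 { next }
        {
            n++
            host = tolower($1)
            sub(/\.$/, "", host)            # drop the trailing root dot
            if (host !~ /\.ns\.cloudflare\.com$/) { print host; bad = 1 }
        }
        END {
            if (n == 0) { print "(no NS records returned)"; bad = 1 }
            exit (bad ? 1 : 0)
        }
    '
}

# Live check; needs dig and network access. The domain is yours to fill in.
check_delegation() {
    dig +short NS "$1" | non_cloudflare_ns
}

# Constructed sample: one Cloudflare-style name, one left over from an old provider.
SAMPLE_MIXED='ada.ns.cloudflare.com.
ns1.old-registrar.example.'
```

A resolver may keep serving the old NS set until its cached copy expires, so a failed check shortly after the change is worth repeating later.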

Disable Cloudflare Proxy Services (Required)

If you opt to bring an existing domain to Cloudflare, we want to ensure that you don’t break any of your existing applications.

You’ll hear a couple of terms during the event:

  • Orange Clouding (Proxied) - the process of enabling Cloudflare’s proxy services

  • Grey Clouding (DNS Only) - standard DNS resolution - traffic bypasses Cloudflare’s proxy services

During the Add a Site wizard, Cloudflare will automatically import existing DNS records from your current provider. The default behavior is to enable Proxied status for the following record types:

  • A

  • AAAA

  • CNAME

Simply click on any of the Proxied (Orange Cloud icons) records in the Proxy Status column to revert to DNS Only.

Cloudflare Registrar (Optional)

Not only does Cloudflare provide domain resolution, we’ve recently become a Registrar! The prices are very competitive and simply cover administrative costs. You pay what we pay! There are no mark-ups, surprise renewal fees, or any hidden charges!

Cloudflare Registrar | New Domain Registration Info

Cloudflare offers domain registration with very attractive pricing! We encourage you to use us to register your domain, but it is not a requirement!

Cloudflare Registrar | Documentation

Cloudflare supports registration of over a hundred Top-Level Domains (TLDs):

Cloudflare TLD Policies

Free Domain Registration

If you do not want to incur any expenses in this process, there are several registrars that offer free domain registration. The catch is they do not offer the more popular top-level-domains.

Freenom provides free domain registration services!

Freenom

Transfer In to Cloudflare (Optional)

It is possible to transfer the registration for an existing domain to Cloudflare in addition to making Cloudflare your authoritative DNS provider, but it is not required.

If you are interested in using Cloudflare’s Registrar services, take a look at the following documentation:

Transferring and Renewing Domains | Cloudflare Registrar

Step-by-Step Instructions | Transferring Your Domain to Cloudflare

Transfer Out from Current DNS Provider (Optional)

Go to your existing domain registrar and search for their instructions on the “transfer out” process. Here are links for several providers:

Assemble Raspberry Pi

Hopefully you received a package from Cloudflare! You should have received one of each of the following:

  • Raspberry Pi 3B+

  • 32 GB SD Card

  • Raspberry Pi Case/Enclosure

  • Power Supply

If you have not received any/all of the aforementioned items, or they were damaged in transit, TIME OUT!

Send an email to cloudflare-gateway-pihole-support@cloudflare.com and let us know! Our team will make our best effort to ensure that you receive any missing items in time for the event!

Go ahead and mount the Raspberry Pi in the case and ensure that it powers on when you connect it with the power supply.

You may be tempted to use an alternative method for powering the Raspberry Pi. We strongly encourage you to use the included power supply as it meets the requirements as laid out by the Raspberry Pi Foundation. One of the most common reasons for instability with Raspberry Pi devices is inadequate power. Using the included power supply will go a long way to ensure that power is not a contributing factor to any instability you may experience.

Install and Configure Raspberry Pi OS

There are a couple of options for installing Raspberry Pi OS:

  • Use the official Raspberry Pi Imager - this is the easiest method!

  • Manually download a Raspberry Pi OS image and write it to the SD card with Balena Etcher (or equivalent)

Which version do I install?

For this exercise, the best option is to use the Raspberry Pi OS Lite image. It provides the simplest, most streamlined installation. Note that it does not include a graphical user interface. If you would prefer to install Raspberry Pi OS with a GUI, you can download the Raspberry Pi OS with Desktop image.

Do Not Pass Go!

Don’t remove the MicroSD card from your computer quite yet!

Since the Raspberry Pi will run “headless” (no display, keyboard, or mouse), once the image is successfully written to the SD card we need to make sure that you are able to access the device across the network. Otherwise this will be a very short exercise!

Before ejecting the MicroSD card from your computer and booting the Raspberry Pi, there are a few steps we still need to complete:

  • Establish Network Connectivity

  • SSH Access

Network Connectivity

The Raspberry Pi 3B+ supports Ethernet and Wi-Fi connectivity (2.4 & 5 GHz). If you prefer Ethernet, then simply connect the Raspberry Pi to your network via an Ethernet cable.

SSH Access

The SSH server does not start by default. There’s a little trick to making sure that it does!

The process of writing the Raspberry Pi OS image to the MicroSD card creates two partitions on the MicroSD card:

  • / [root] (this will only be visible if you’re using a Linux-based computer as Windows & macOS are unable to recognize the ext4 filesystem)

  • /boot - (this is the partition that is visible in Windows Explorer, macOS Finder, and Linux and is the one we care about)

Create a file with the name ssh (no file extension) in the boot partition.

At boot, Raspberry Pi OS checks for the ssh file in the /boot directory (boot partition) and, if it is present, starts the SSH server automatically.

Pretty cool, huh?

Wi-Fi

The easiest way to connect to your Wi-Fi network is to create the configuration file and save it to the boot partition. There are some web-based tools available that will allow you to generate the file, but it’s simple enough to create one with a text editor.

Create a file named wpa_supplicant.conf and save it in the boot partition. Ensure that the file contains the SSID and password for your wireless network.

You can even copy and paste the example below and update the ssid and psk values with your SSID and pre-shared key respectively:

  ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev
  update_config=1
  country=US
 
  network={
  	ssid="YOUR SSID"
  	psk="YOURPASSWORD"
  	scan_ssid=1
  }

NOTE: once the Raspberry Pi boots, the file will be copied automatically from /boot/wpa_supplicant.conf to /etc/wpa_supplicant/wpa_supplicant.conf.
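
The SSH and Wi-Fi steps above can be scripted so both files land on the boot partition in one pass. This is an added example, not part of the original guide; the function name, the mount path and the sample values are assumptions, and wpa_passphrase is used only if it happens to be installed on your computer:

```sh
#!/bin/sh
# Added example (not from the original guide). BOOT is wherever your computer
# mounted the card's boot partition; SSID and passphrase below are constructed.

prepare_headless() {
    boot=$1; ssid=$2; pass=$3; country=${4:-US}

    [ -d "$boot" ] || { echo "boot partition not found: $boot" >&2; return 1; }

    # WPA2 passphrases are 8 to 63 characters long.
    if [ "${#pass}" -lt 8 ] || [ "${#pass}" -gt 63 ]; then
        echo "passphrase must be 8-63 characters" >&2; return 1
    fi
    # No escaping is done here, so refuse values containing a double quote.
    case "$ssid$pass" in
        *\"*) echo "double quotes are not supported" >&2; return 1 ;;
    esac

    # An empty file named exactly "ssh" turns the SSH server on at boot.
    : > "$boot/ssh"

    # If wpa_passphrase is installed, store the derived 64-hex-digit key so the
    # readable passphrase is not left on a partition any computer can mount.
    psk="\"$pass\""
    if command -v wpa_passphrase >/dev/null 2>&1; then
        hex=$(printf '%s\n' "$pass" | wpa_passphrase "$ssid" 2>/dev/null |
            sed -n 's/^[[:space:]]*psk=\([0-9a-f]\{64\}\)$/\1/p')
        if [ -n "$hex" ]; then psk=$hex; fi
    fi

    # printf always writes LF line endings, whatever the host editor defaults to.
    printf '%s\n' \
        'ctrl_interface=DIR=/var/run/wpa_supplicant GROUP=netdev' \
        'update_config=1' \
        "country=$country" \
        '' \
        'network={' \
        "    ssid=\"$ssid\"" \
        "    psk=$psk" \
        '    scan_ssid=1' \
        '}' > "$boot/wpa_supplicant.conf"
}

# Example call (the mount path is an assumption, for example /Volumes/boot):
# prepare_headless /Volumes/boot "YOUR SSID" "YOURPASSWORD"
```

The derived key still grants access to that one network, so treat the card as you would the passphrase itself.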

Disable IPv6 (Optional)

Cloudflare and Pi-hole both support IPv6; however, you may experience some connectivity issues with your Internet Service Provider due to IPv6 addressing issues.

If you’re savvy with IPv6, ROCK ON! We salute you! Feel free to keep it enabled.

If IPv6 isn’t your thing, you may want to disable IPv6 altogether. This is a simple process!

First, let’s take a look at what the IP address configuration looks like with both IPv4 and IPv6 enabled:

  pi@pihole:/etc $ ip a
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
  	link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
  	inet 127.0.0.1/8 scope host lo
  		valid_lft forever preferred_lft forever
  	inet6 ::1/128 scope host 
  		valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
  	link/ether b8:27:eb:dd:eb:5d brd ff:ff:ff:ff:ff:ff
  	inet 192.168.20.109/24 brd 192.168.20.255 scope global eth0
  		valid_lft forever preferred_lft forever
  	inet6 2600:1700:c4e0:50a0::49/128 scope global noprefixroute dynamic 
  		valid_lft 3351sec preferred_lft 3351sec
  	inet6 2600:1700:c4e0:50a0:9472:a1d8:b0a7:c62d/64 scope global mngtmpaddr noprefixroute dynamic 
  		valid_lft 3375sec preferred_lft 3375sec
  	inet6 fe80::47ad:5aaf:88ad:3dd3/64 scope link 
  		valid_lft forever preferred_lft forever
  3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
  	link/ether b8:27:eb:88:be:08 brd ff:ff:ff:ff:ff:ff

Make a backup copy of sysctl.conf before proceeding:

  sudo cp /etc/sysctl.conf /etc/sysctl.conf.orig

Using your favorite text editor, edit sysctl.conf:

  sudo nano /etc/sysctl.conf

Add the following three lines to the bottom of the sysctl.conf file:

  net.ipv6.conf.all.disable_ipv6 = 1
  net.ipv6.conf.default.disable_ipv6 = 1
  net.ipv6.conf.lo.disable_ipv6 = 1

Then save the file. Load the new settings and confirm the changes:

  sudo sysctl -p

This should print the above values to the terminal.

  pi@pihole: $ sudo sysctl -p
  net.ipv6.conf.all.disable_ipv6 = 1
  net.ipv6.conf.default.disable_ipv6 = 1
  net.ipv6.conf.lo.disable_ipv6 = 1

If you see these values, you’re in great shape! If not, go back and double-check your work.

Reboot the device!

  sudo reboot

Once the Raspberry Pi finishes rebooting, SSH back into the terminal and verify that you no longer see any IPv6 addresses bound to the network interface(s):

  pi@pihole: $ ip a
  1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN group default qlen 1000
      link/loopback 00:00:00:00:00:00 brd 00:00:00:00:00:00
      inet 127.0.0.1/8 scope host lo
  		valid_lft forever preferred_lft forever
  2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
  	link/ether b8:27:eb:dd:eb:5d brd ff:ff:ff:ff:ff:ff
  	inet 192.168.20.109/24 brd 192.168.20.255 scope global eth0
  		valid_lft forever preferred_lft forever
  3: wlan0: <NO-CARRIER,BROADCAST,MULTICAST,UP> mtu 1500 qdisc pfifo_fast state DOWN group default qlen 1000
  	link/ether b8:27:eb:88:be:08 brd ff:ff:ff:ff:ff:ff
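
Rather than reading the listing by eye, the same verification can be done with a small check. This is an added example, not part of the original guide; the function names are assumptions and the sample input is constructed from the "before" listing:

```sh
#!/bin/sh
# Added example (not from the original guide): post-reboot IPv6 check.

# Reads `ip a` output on stdin and prints "<interface> <address>" for every
# inet6 line. Returns 0 when no IPv6 address is left, 1 otherwise.
ipv6_leftovers() {
    awk '
        $1 ~ /^[0-9]+:$/ { iface = $2; sub(/:$/, "", iface) }
        $1 == "inet6"    { print iface, $2; found = 1 }
        END              { exit (found ? 1 : 0) }
    '
}

# Confirms the three sysctl.conf keys are live in the running kernel.
# The optional argument is an assumed alternate root, used only for testing.
ipv6_sysctls_set() {
    root=${1:-/proc/sys}
    for scope in all default lo; do
        f="$root/net/ipv6/conf/$scope/disable_ipv6"
        if [ ! -r "$f" ] || [ "$(cat "$f")" != "1" ]; then
            echo "disable_ipv6 is not 1 for: $scope" >&2
            return 1
        fi
    done
}

# Constructed sample, trimmed from the "before" listing above.
SAMPLE_BEFORE='1: lo: <LOOPBACK,UP,LOWER_UP> mtu 65536 qdisc noqueue state UNKNOWN
    inet 127.0.0.1/8 scope host lo
    inet6 ::1/128 scope host
2: eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP
    inet 192.168.20.109/24 brd 192.168.20.255 scope global eth0
    inet6 fe80::47ad:5aaf:88ad:3dd3/64 scope link'

# On the Pi itself:  ip a | ipv6_leftovers && ipv6_sysctls_set && echo "IPv6 is off"
```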

Static IP Address (Required)

Once the Raspberry Pi boots, log into your Internet router (or whatever you are using as your DHCP server), and check the active DHCP leases - look for a device with the hostname raspberrypi.

That’s the IP address we’re going to need to use for the rest of the exercise.

Since the idea is to make this Raspberry Pi the DNS server on your home network, it is highly recommended that you configure the device with a static IP address.

This can be accomplished in a couple of different ways:

  • Create a DHCP reservation in your router (not ideal)

  • Configure a static IP address (preferred)

It’s always a good idea to back up the original config files before making changes:

  sudo cp /etc/dhcpcd.conf /etc/dhcpcd.conf.orig
  sudo nano /etc/dhcpcd.conf

If you opted for Ethernet connectivity, the default interface name is most likely eth0. If you opted for Wi-Fi connectivity, the interface name is most likely wlan0.

You can either uncomment the static IP address entries and modify the example IP addresses or you can simply add the following lines to the end of the configuration file:

Ethernet:

  interface eth0
  ipv4only
  static ip_address=192.168.20.10/24
  static routers=192.168.20.1
  static domain_name_servers=127.0.0.1 1.1.1.1

Wi-Fi:

  interface wlan0
  ipv4only
  static ip_address=192.168.20.10/24
  static routers=192.168.20.1
  static domain_name_servers=127.0.0.1 1.1.1.1

NOTE: Don’t forget to SSH in via the static IP from now on - especially if you picked an IP address outside your DHCP scope!

Update System Settings

There are several system-wide settings we can quickly and easily configure using the Raspberry Pi Software Configuration Tool (raspi-config).

  sudo raspi-config

Change Default Password

First things first - change the password! We’re all security conscious, right?

Don’t let your Raspberry Pi get pwn3d!

Select Option 1 - Change User Password

Next, set a hostname. This is accomplished by choosing Option 2 -> then N1 Hostname. I used pihole for mine. Original, huh?

Update the Timezone

Back at the main menu, choose Option 4 - Localization Options, -> I2 - Change Timezone - we’ll assume you know what to choose here.

Wi-Fi Country Code

Lastly, choose Option 4 - Localization Options -> I4 - Change Wi-Fi Country, then scroll down to US, tab to OK, and hit Enter.

Tip - if you press ‘U’ it will quickly advance you to the first ‘U’ value.

You should be back at the main menu. Tab to Finish and reboot when prompted.

Update Raspberry Pi OS

OK - we’re in the home stretch! Let’s update Raspberry Pi OS so we have all the latest updates!

  sudo apt update
  sudo apt upgrade -y
  sudo reboot

Thank You and Next Steps

And…WE ARE DONE! Nice work!

Thank you so much for taking the time to do this ahead of the event! With these steps behind us, we can jump right into the exercise on the day of the event.

You will receive another link at the beginning of the event on July 22. See you in class!

In the meantime, feel free to familiarize yourself with the Cloudflare Dashboard.

If you are interested in reviewing any of the Cloudflare documentation, this is the best place to start:

Cloudflare Developers
