Child’s Play: pi-hole set up for a safer internet

I have been running a pi-hole to block ads on my home network for a while. It’s great! Not only are ads blocked, but it speeds up internet browsing because… the ads do not load. I wondered if it would be possible to use a pi-hole to make a child-safe internet experience to protect the little people in the house.

Sure, there are ways to do this in most routers but they are not ideal. I have an Orbi mesh from Netgear and this has two parental control options: “Live Parenting Control” which is seemingly being deprecated as they push “Circle” by Disney. If the words “by Disney” alone were not enough to trouble anybody, 1) it works by doing an ARP poisoning attack on the router, 2) Disney (or whoever) would be logging all requests from the network, and 3) the free version is limited and you have to pay for full protection. So, can a pi-hole be used to make a (free) child-safe internet experience? Yes! The trick is how to do that while maintaining a full-bodied internet for everyone else (and maintain ad-blocking for everyone).

Existing set-up

I have the Orbi router doing DHCP assignment (static IPs for some stuff and a range for dynamic assignment). DNS points to the ad-blocking pi-hole which is wired to the router. Yes, I know I can have the pi-hole doing DHCP and I have run it this way with a different router but this configuration is how I have it right now. The router doesn’t allow DNS settings to be assigned to each device. I’ll describe how I made the second pi-hole and then how I integrated it into this set up.

Making a blockhole

I bought a RPi Zero W, with pibow case, power supply and 8 GB SD card. My ad-blocker pi-hole runs on a RPi 3B+ and has a bigger card, but there was no need for something that would not handle much traffic.

I installed Raspbian Stretch Lite (I wasn’t sure if pi-hole is supported under Buster). Legacy downloads of Stretch are available from the Raspberry Pi website. The RPi zero has miniHDMI out to connect to a monitor for the setup. I customised it a bit, enabled ssh and VNC so that I could control it headlessly. Next I gave it the name blockhole to distinguish it from the other RPis on the network. I assigned a fixed IP via the router and then ran the pi-hole installation as described on the pi-hole site. I could see the dashboard and log in OK, so all was good.

At this point, I simply had a second ad-blocking pi-hole on my LAN with no device(s) on the network using it. Firstly, let’s turn it into a parental control device. I wanted three things:

1. Force safe search on Google, Bing, Duckduckgo and YouTube

There is a great thread on how to do this on the pi-hole discourse site. The relevant link is here. Jayke Peters made a really simple bash script to modify the appropriate files on a pi-hole to do this (other people in the thread worked out how to force safe search). In case that link disappears:

wget https://raw.githubusercontent.com/jaykepeters/Scripts/Deployment/Pi-hole_SafeSearch.sh
mv ./Pi-hole_SafeSearch.sh /usr/local/bin/
chmod a+x /usr/local/bin/Pi-hole_SafeSearch.sh
Pi-hole_SafeSearch.sh --enable

This can all be done via ssh to the blockhole. The last line needs to be run as sudo. You can check that it has generated the appropriate file by:

cd /etc/dnsmasq.d/
ls

You should see a file called 05-restrict.conf in there if everything went OK.

Enforcing safe search is such a great idea. Kids can type in a rude word into a search engine and get all kinds of inappropriate content. This change forces the search to be done via the “safe search” settings. It really works. The same rude word search with enforced safe search brings down harmless results on Google for example.

2. Block inappropriate sites outright

The script adds wildcard blocks to common terms found in adult site URLs. This means that these sites are just blocked outright. This is a good method. The alternative is to add blocklists to the pi-hole. There are some available on GitHub. Even those that have 1 million URLs will not block the sites that will spring up tomorrow or next week. So just blocking based on common terms like xxx should work better.

3. Add some more blocks

YouTube is forced into safe search, but what if you just want to block it outright? Or any other site? You can blacklist any site using the pi-hole admin page. Log in and select blacklist. The wildcard function will deal with URL variants. The script mentioned above adds to the blacklist other search engines, e.g. ecosia that have no safe search capacity. I added a bunch of other sites here that I wasn’t happy about, e.g. FaceBook to round off the blockhole.

Upstream DNS

On the ad-block pi-hole I use Cloudflare 8.8.8.8 as the upstream DNS. It is possible to use a service which has family filtering instead. OpenDNS has an option for doing this (which may be pay-for-service – I’m not sure). Neustar or other services will give filtering of inappropriate content. Note that they will be logging requests, but only from the kids devices, so it’s different to the Disney scenario mentioned above.

Integration into the network

The next step was to get it working with the existing network. As described above, we want to maintain a full-bodied but ad-blocked experience for everyone else.

The simplest method was to alter the DNS settings on the devices that the kids use. The DNS address is the blockhole and so they get child-safe internet. Depending on the device, the setting is quite obscure and can be locked in the case of a kid’s account on a Mac. If they figure out how to change the DNS, it is possible to hand out the blockhole address from the router and manually assign the ad-blocker pi-hole DNS to devices used by adults. It’s not perfect but it will do.

The blockhole in action. This is the dashboard showing queries etc.

Finally, what about time-limiting the internet? Well, the router has options to pause the internet per device and it is possible to run the blockhole on a scheduler to only allow internet at certain times. This is not as sophisticated as the Circle system where there is an option to have x minutes of internet per day and the possibility to reward more minutes for good behaviour etc.

The point of this post was to share how to set up this system and integrate it with an existing pi-hole. None of the work is mine, it was all done with a bit of searching, but I thought it was worth posting my solution in case it helps other parents or carers out there.

If you use pi-hole to block ads or to make a blockhole, consider donating to this useful project.

The post title comes from the track “Child’s Play” from African Head Charge’s Akwaaba LP.

Experiment Zero: Using a Raspberry Pi Zero camera

This is the first post at quantixed about Raspberry Pi computing.

Pi Zero is a minimalist Raspberry Pi that can be coupled to a camera. With this little rig, you can make time-lapse footage amongst other things. I’ve set up a couple of these now. One was to make a time-lapse movie of some plants growing through a plastic maze. The results were pretty good and I thought I’d upload the video and a brief how-to guide.

After a delay, you can see four beans sprouting and then one eventually makes it to the top of the maze. This footage was shot over 27 days. The Pi took pictures every 5 min, but I sampled at 10 min in order to make the movie (after discarding the pictures after the sun went down). Everything was automated.

The camera shoots at 3280 × 2464. I downsampled the images to make the video. The camera didn’t focus well on the maze which was a bit too close. Other units are shooting scenery and the autofocus on the unit is great.

How I did it

Pi Zero

Pi Zero with camera module (without IR filter) and a case are available for around £40. I bought mine from the Pi Hut. Power supplies and SD cards are readily available. I put together the PiCam with a fresh Raspbian full image on a 16GB SD card. Another option is to use a smaller card and get the Pi to save the images to a server.

I used PiBaker to format the SD Card, load on Raspbian and add a startup script that would connect the Pi Zero to WiFi and enable VNC. That meant I could plug it in and start using it headless. Well in theory! It turns out that VNC via Mac does not work with the UNIX style password which is the default on the Pi. I needed to connect to a monitor to rectify this by changing to VNC password in the VNC GUI. After this I could log in and use the Pi Zero remotely.

A few more minor steps were needed for full functionality:

  1. I enabled ssh and camera port in Raspberry Pi Configuration, disabled bluetooth and set the correct timezone (this can probably be done in PiBaker but I forgot).
  2. Since I have several Raspberry Pis on the LAN. I needed to give this one its own identity to prevent network conflicts.
  3. I needed to set up SMB sharing on the new Pi.

Instructions for how to do these things are just one google search away.

Now the Pi was ready to start taking images. I built a little stand for it out of Lego and set up the plant maze.

Taking pictures with the Pi

I wrote a shell script to take pictures using raspistill.

I made a directory called camera in home/pi

mkdir camera

Then made a camera.sh file home/pi that looked like this:

#!/bin/bash
DATE=$(date +"%Y-%m-%d_%H%M")
raspistill -o /home/pi/camera/$DATE.jpg

Then I made it executable

chmod +x camera.sh

Using CRON, I execute the shell script on a schedule. I wanted to take pictures every 5 minutes. You can consult cronguru for your needs.

*/5 * * * * /home/pi/camera.sh 2>&1
sudo modprobe bcm2835_wdt
sudo nano /etc/modules

Adding the line “bcm2835_wdt” and saving the file

Next I installed the watchdog daemon

sudo apt-get install watchdog chkconfig
chkconfig watchdog on
sudo /etc/init.d/watchdog start
sudo nano /etc/watchdog.conf

I uncommented two lines from this file:

  • watchdog-device = /dev/watchdog
  • the line that had max-load-1 in it

Save the watchdog.conf file.

There are guides online that describe how to set up the Pi so that it sends you an email or SMS when there’s a crash/reboot. I figured I didn’t need this – as long as it reboots OK.

What now?

Well, you wait for it to take photos! You can log in via VNC and check that the images are being acquired, or go in via ssh and watch the camera directory fill up. The size of the images is 3280 × 2464 and they are around 4.5 MB each, so the disk can quickly fill.

After a while you’ll want to assemble a movie. I wrote a shell script on my Mac in order to to pull down the images, take a copy of the ones I want and then make a movie file and upload it to Dropbox so I could look at it on the go.

#!/usr/bin/env bash
# move to the location of the images
cd /local/disk/folder2/
# pull down all images to a local folder - only new images are copied
rsync -trv /Volumes/HOMEPI/camera/ /local/disk/folder/
# overnight images are dark and less than 1.5 MB
# copy the ones we want to keep
rsync -trv --min-size=1000K /local/disk/folder/ /local/disk/folder2/
# or you could filter on size like this - delete <2MB
find . -name "*.jpg" -size -2000k -delete
# scale the images down to 480 px wide and make movie
ffmpeg -framerate 30 -pattern_type glob -i '*.jpg' -c:v libx264 -pix_fmt yuv420p -vf scale=480:-2 out.mp4
# move to dropbox
mv out.mp4 /My/Dropbox/Folder/out.mp4

This script means that I had to manually delete the pictures from the Pi once they’d been copied but that was OK. My plan is to write a script to do this for the longer running projects so that it is automated.

While it is possible to make the movies on the Pi itself, I did it on the Mac as that computer is beefier and is not busy taking pictures every 5 min! ffmpeg is a great tool for this and the documentation is impressive. For example if you have set up the camera in the wrong orientation you can do transposition in ffmpeg. If you don’t have ffmpeg, it is a simple install on the command line.

ruby -e "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/master/install)" /dev/null 2> /dev/null
brew install ffmpeg

Hopefully this guide is useful to you. The Pi Zero Camera can be used for streaming video as well as taking a series of still images. I’m planning to test this out soon.

The post title “Experiment Zero” comes from the title of the album by Man or Astro-Man?