DNSSEC on a Raspberry PI in 5 minutes
DNS resolver messages are still an easy way to trap you into trouble, cause you never know if the DNS answer is the real answer.
As per WiKi:
DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.
While I had 5 minutes and an unused Rasperry PI left, I used a cool project to enhance my home LAN by DNSSEC and add some ad blocking to my network.
As I had a ready to go PI at hand, the installation was quite easy:
curl -sSL https://install.pi-hole.net | bash
Rather use Quad9 then Google. ;-)
The installation will now complete and you can connect to your PiHole with: http://[IP of PiHole]/admin
Login as admin and activate the DNSSEC.
After saving above settings, you can verify your DNSSEC working by testing yourself at https://en.internet.nl/
To use additional adblock's check out https://wally3k.github.io/ and add the resource of your interest at the blocklist tab within "settings".
Welcome to a saver world now.... :-)
Block suspicious (phishing) domains with a piHole
In the consequence of an article I did on detecting bad domains from the Google transparency service, I thought of using the outcome on my piHole to block the findings right away.
Install it the usual way:
git clone https://github.com/x0rz/phishing_catcher.git
pip install -r requirements.txt
And add the logfile to the piHole config
Click [save & update]
Done …. and you're a bit more secured now :-)
DNS over httos (DoH) on pihole
How to use the cloudflare DoH service via your pihole.
Here we are downloading the precompiled binary and copying it to the
/usr/local/bin/ directory to allow execution by the cloudflared user. Proceed to run the binary with the
-v flag to check it is all working.
wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz tar -xvzf cloudflared-stable-linux-arm.tgz sudo cp ./cloudflared /usr/local/bin sudo chmod +x /usr/local/bin/cloudflared cloudflared -v
cloudflared to run on startup¶
Create a cloudflared user to run the daemon.
sudo useradd -s /usr/sbin/nologin -r -M cloudflared
Proceed to create a configuration file for
cloudflared by copying the following in to
/etc/default/cloudflared. This file contains the command-line options that get passed to cloudflared on startup.
# Commandline args for cloudflared CLOUDFLARED_OPTS=--port 5053 --upstream https://220.127.116.11/dns-query --upstream https://18.104.22.168/dns-query
Update the permissions for the configuration file and
cloudflared binary to allow access for the cloudflared user
sudo chown cloudflared:cloudflared /etc/default/cloudflared sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared
Then create the
systemd script by copying the following in to
/lib/systemd/system/cloudflared.service. This will control the running of the service and allow it to run on startup.
[Unit] Description=cloudflared DNS over HTTPS proxy After=syslog.target network-online.target [Service] Type=simple User=cloudflared EnvironmentFile=/etc/default/cloudflared ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS Restart=on-failure RestartSec=10 KillMode=process [Install] WantedBy=multi-user.target
systemd service to run on startup, then start the service and check its status.
sudo systemctl enable cloudflared sudo systemctl start cloudflared sudo systemctl status cloudflared
Now test that it is working! Run the following
dig command, a response should be returned similar to the one below
dig @127.0.0.1 -p 5053 google.com ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1536 ;; QUESTION SECTION: ;google.com. IN A ;; ANSWER SECTION: google.com. 299 IN A 243.65.127.221 ;; Query time: 3 msec ;; SERVER: 127.0.0.1#5053(127.0.0.1) ;; MSG SIZE rcvd: 65
Finally, configure Pi-hole to use the local
cloudflared service as the upstream DNS server:
You can test the setup at https://22.214.171.124/help