legal contact
 

DNSSEC on a Raspberry PI in 5 minutes

DNS resolver messages are still an easy way to trap you into trouble, cause you never know if the DNS answer is the real answer.

As per WiKi:

DNSSEC was designed to protect applications (and caching resolvers serving those applications) from using forged or manipulated DNS data, such as that created by DNS cache poisoning. All answers from DNSSEC protected zones are digitally signed. By checking the digital signature, a DNS resolver is able to check if the information is identical (i.e. unmodified and complete) to the information published by the zone owner and served on an authoritative DNS server.

While I had 5 minutes and an unused Rasperry PI left, I used a cool project to enhance my home LAN by DNSSEC and add some ad blocking to my network.

Checkout Jakob Salmelas PiHole on GitHub

As I had a ready to go PI at hand, the installation was quite easy:





curl -sSL https://install.pi-hole.net | bash

Rather use Quad9 then Google. ;-)

The installation will now complete and you can connect to your PiHole with: http://[IP of PiHole]/admin

Login as admin and activate the DNSSEC.

After saving above settings, you can verify your DNSSEC working by testing yourself at https://en.internet.nl/

 

To use additional adblock's check out https://wally3k.github.io/ and add the resource of your interest at the blocklist tab within "settings".

Welcome to a saver world now.... :-)

05.05.2019 16:16

Block suspicious (phishing) domains with a piHole

https://www.mpauli.de/dnssec-on-a-raspberry-pi-in-5-minutes.html

In the consequence of an article I did on detecting bad domains from the Google transparency service, I thought of using the outcome on my piHole to block the findings right away.

Install it the usual way:

git clone https://github.com/x0rz/phishing_catcher.git
phishing_catcher/
pip install -r requirements.txt
./catch_phishing.py

And add the logfile to the piHole config

Click [save & update]

Done ….  and you're a bit more secured now  :-)

15.09.2019 10:52

DNS over httos (DoH) on pihole

How to use the cloudflare DoH service via your pihole.

Here we are downloading the precompiled binary and copying it to the /usr/local/bin/ directory to allow execution by the cloudflared user. Proceed to run the binary with the -v flag to check it is all working.

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v

Configuring cloudflared to run on startup

Create a cloudflared user to run the daemon.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Proceed to create a configuration file for cloudflared by copying the following in to /etc/default/cloudflared. This file contains the command-line options that get passed to cloudflared on startup.

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

Update the permissions for the configuration file and cloudflared binary to allow access for the cloudflared user

sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Then create the systemd script by copying the following in to /lib/systemd/system/cloudflared.service. This will control the running of the service and allow it to run on startup.

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Enable the systemd service to run on startup, then start the service and check its status.

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Now test that it is working! Run the following dig command, a response should be returned similar to the one below

dig @127.0.0.1 -p 5053 google.com


; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     299 IN  A   243.65.127.221

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; MSG SIZE  rcvd: 65

Configuring Pi-hole

Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server:


You can test the setup at https://1.1.1.1/help