Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

I want to be able to reboot whenever there are kernel updates, so I’m taking the opposite approach (haven’t tried it yet though): live migrating LXD containers between systems (maybe eventually HA if I ever need to). LXC uses the host OS kernel, so I see no reason why I can’t just juggle containers around like I do with VMs… UNLESS LXC can’t live migrate between systems with different kernels (without rebooting the container, so basically offline migration).

I’ll do a post on the forum when I’m happy with the setup; it will probably take a while (at least a month, maybe?).

1 Like

I primarily use Docker. I would love rebootless stateless updates. It would be so nice for Arch uptime tbh

https://wiki.archlinux.org/title/Kernel_live_patching

2 Likes

I will post about OCI containers as well. Apparently there’s a limit of 100 pods in Kubernetes per node (not sure about Docker); if you want to go over, you need LXD to split the resources (and reallocate them on the fly) in order to get past the 100 limit per host.

I read somewhere between the lines that you can increase it to 110, all the way up to 250, but it’s not recommended and you have to test stuff. There are people who use LXD to make multiple Kubernetes nodes on a host (some community somewhere for Pokémon Go or something). In that case you don’t need HA, but you should have a good group split and management between worker nodes, since the LXD containers will be the workers, and if one host goes down, your application should be replicated on nodes on different hosts, so that a single host doesn’t take down all the worker nodes the application was running on at once.

Edit for your edit: I’m only slightly familiar with Ubuntu’s version of LKP, but never did any live kernel patching myself. I really like reboots. Long uptimes are cool and all, but nothing solves problems better (or makes them more apparent) than turning it off and on again.
:wink:

1 Like

Public solicitation:

Do you, or does anyone else, know about any OPEN root server alliance that’s still going, as an alternative to ICANN or a supplement?

Would be a good update to this

2 Likes

OpenNIC. They seem to be the only ones left around that resolve alternative TLDs and also mirror ICANN’s domains. Namecoin resolves only .bit TLD.

Handshake tries to decentralize ICANN using blockchain.

Then, there are the pseudo-TLD hidden service variety baked into darknets, like .onion in Tor and .i2p in i2p.

3 Likes

(I’m sorry, this upload is redacted. Please DM me for an update or, preferably, contact me off forum.)

@ThatGuyB @HaaStyleCat @Shambles @Novasty @harrypnyce @Argone @SgtAwesomesauce @qtwork et al and anybody interested in the config

Rename the extension from .txt

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 8088086 (3755432 unique domains)
  [i] Number of exact blacklisted domains: 26
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 9646
  [i] Number of regex whitelist filters: 7
  [✓] Flushing DNS cache
  [✓] Cleaning up stray matter

  [✓] DNS service is listening
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

I think I finally have it tweaked to maximally block the bad… and unblock the legit. It’s been battle tested by a very normie family. I think this is a good base for any of you to start with. Excluding Novasty, you can pick and choose cuz you know this shit.

I’ve sanitized it of salted passwords but not IP config, so you will have to help it along a bit or selectively choose what you want out of it.

5 Likes

Why not back up your original config using pihole -a -t, sanitize the system with a generic-ass password, then re-run pihole -a -t again so the people you tagged have a base template to work from, by simply restoring from the sanitized backup for ease of use?

Once you’ve finished sanitizing and creating a backup template, restore back to your customized setup from the first backup.

By doing that, most people shouldn’t run into the same IP conflicts that you’ve listed.

1 Like
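The export/sanitize/re-export workflow above leaves one step implicit: what exactly to scrub from the archive before it is shared. The script below is an added example, not code from the thread or from the Pi-hole project. It assumes the Pi-hole v5 teleporter archive layout (a .tar.gz from pihole -a -t containing setupVars.conf as KEY=VALUE lines, where WEBPASSWORD is the hashed web password and IPV4_ADDRESS, IPV6_ADDRESS and PIHOLE_INTERFACE tie the config to one host, plus dhcp.leases and custom.list when present). The function names, the constructed sample archive, and the placeholder hash and addresses are mine. It goes a little beyond the post: besides the password hash and the IP config the thread mentions, it also drops the files that enumerate LAN hosts by name and address.

```shell
#!/bin/sh
# Added example, not from the thread: sanitize a Pi-hole v5 teleporter backup
# (the .tar.gz that `pihole -a -t` writes) before handing it out as a template.
# Assumptions, not stated on the page: setupVars.conf inside the archive holds
# KEY=VALUE lines (WEBPASSWORD is the hashed web password; IPV4_ADDRESS,
# IPV6_ADDRESS and PIHOLE_INTERFACE tie the config to one host), and
# dhcp.leases and custom.list, when present, list LAN hosts by name and address.
set -eu

# Keys whose values are a credential or identify the original host/LAN.
SENSITIVE_KEYS='WEBPASSWORD|IPV4_ADDRESS|IPV6_ADDRESS|PIHOLE_INTERFACE|DHCP_ROUTER|DHCP_START|DHCP_END'

# Files that enumerate the original LAN; never part of a shareable template.
LAN_FILES='dhcp.leases custom.list'

# sanitize_teleporter <in.tar.gz> <out.tar.gz>
# Rewrites setupVars.conf without the sensitive keys, drops the LAN files and
# leaves every other member (adlists, white/blacklists, groups) untouched.
sanitize_teleporter() {
  src=$1
  dst=$2
  # Resolve the output path up front so tar's -C cannot change its meaning.
  dst_abs="$(cd "$(dirname "$dst")" && pwd)/$(basename "$dst")"
  work=$(mktemp -d)
  tar -xzf "$src" -C "$work"
  if [ -f "$work/setupVars.conf" ]; then
    # grep exits 1 when nothing is left, which is still a valid (empty) result.
    grep -Ev "^($SENSITIVE_KEYS)=" "$work/setupVars.conf" > "$work/setupVars.conf.new" || true
    mv "$work/setupVars.conf.new" "$work/setupVars.conf"
  fi
  for f in $LAN_FILES; do
    rm -f "$work/$f"
  done
  tar -czf "$dst_abs" -C "$work" .
  rm -rf "$work"
}

# archive_matches <archive.tar.gz> <regex>
# Exit 0 if any line of any member matches the regex, 1 otherwise.
archive_matches() {
  tar -xzOf "$1" | grep -Eq "$2"
}

# archive_has_member <archive.tar.gz> <basename>
# Exit 0 if the archive contains a member with that basename, 1 otherwise.
archive_has_member() {
  tar -tzf "$1" | grep -Eq "(^|/)$2\$"
}

# make_sample_archive <path.tar.gz>
# Constructed sample standing in for a real export; the hash, addresses and
# list URL are placeholders, not real values.
make_sample_archive() {
  dir=$(mktemp -d)
  cat > "$dir/setupVars.conf" <<'EOF'
PIHOLE_INTERFACE=eth0
IPV4_ADDRESS=192.168.1.2/24
IPV6_ADDRESS=
QUERY_LOGGING=true
INSTALL_WEB_SERVER=true
WEBPASSWORD=0000000000000000000000000000000000000000000000000000000000000000
BLOCKING_ENABLED=true
PIHOLE_DNS_1=127.0.0.1#5335
EOF
  printf '[{"id":1,"address":"https://lists.example.invalid/ads.txt","enabled":1}]\n' > "$dir/adlist.json"
  printf '1700000000 aa:bb:cc:dd:ee:ff 192.168.1.50 laptop *\n' > "$dir/dhcp.leases"
  printf '192.168.1.10 nas.lan\n' > "$dir/custom.list"
  tar -czf "$1" -C "$dir" .
  rm -rf "$dir"
}

# Stand-alone demo: build the sample, sanitize it, show what a recipient gets.
demo_dir=$(mktemp -d)
make_sample_archive "$demo_dir/original.tar.gz"
sanitize_teleporter "$demo_dir/original.tar.gz" "$demo_dir/template.tar.gz"
echo "members in template:"
tar -tzf "$demo_dir/template.tar.gz"
echo "setupVars.conf lines left in template:"
tar -xzOf "$demo_dir/template.tar.gz" | grep -E '^[A-Z0-9_]+=' || true
rm -rf "$demo_dir"
```

For a real export, run sanitize_teleporter on the archive pihole -a -t produced and hand out only the output file; the recipient restores it through the web UI Teleporter as the thread describes, then sets their own password and addresses. Check the output with archive_matches before sharing rather than trusting the script blindly, since a future Pi-hole release may add keys this list does not know about.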

Ahh yes, I could have done that. I’ll probably do that this afternoon, or I won’t get to it. One of the two haha

It is pretty efficient.

37% blocked, no breakage on the fam’s stuff (iPhone users and normal folks, in comparison to technical forums)

the proxy helps anonymize all request IPs

1 Like

I have bookmarked this for implementation. In the new apartment I pointed my router to Pi-hole as DNS, and it has been blocking all the IoT and trackers I can see, with what I have, on every device on the network. I still need to step up and get a firewall done besides relying on ASUS Ai Suite.

Also, funny side note… My wife said “I keep trying some links and it blocks them.” I told her that’s because those links have trackers and analytics as a part of them… she said (it was priceless) “they can do that that easily?” LOL. Thanks for the update @PhaseLockedLoop

2 Likes

Yes, they can, but you should probably tune the Pi-hole conservatively as I have. Then use plugins in the browser to help remove and obfuscate the tracking. It helps a bit in letting legit stuff through and not getting hung up because Pi-hole said NXDATA

1 Like

Yeah, I’ve noticed that there are some weird things happening (i.e. no menus in the Amazon store, just words with links etc. to navigate the page; NOT a problem for me, but my wife… oieee). I’ll look up how to get this into Pi-hole for use. It shouldn’t mess with anything but my lists, correct? I.e. the Unbound pipe and settings etc.?

I also just upgraded to WPA3 Personal (the highest Wi-Fi security I have that’s not Enterprise), so devices are having to re-log in. I’ll probably reboot the router just to see if that helps or if I manually have to redo passwords on all my devices. It didn’t change, but some may not be able to use that security method? Time will tell.

Yeah, Alexa doesn’t like WPA3; it enables Protected Management Frames, which seems to be the sticking point keeping it from being able to access the network :frowning: It’s working now though.

1 Like

Did you include my whitelist

It fixes this

1 Like

Yeah, and what I’m tired of is AES being used for WPA as well

We can use Ed25519. It’s optimized to not need AES-NI and it’s state of the art and strong. It would remove a ton of that WPA overhead

1 Like

Not yet. I’m trying to parse out the info I needed from the text file to add into the GUI (because importing the file and restoring from it is beyond me as yet lol)… BUT I’m looking it up and trying lol.

1 Like

Rename it to (whatever).tar.gz

Restore

Only check white lists and black lists and the stuff associated with blocking domains

1 Like

Actually @HaaStyleCat I have another update to that listing. My old one blocked .gov sites for some dumb reason. :joy: I have whitelisted a few more things

1 Like

Yeah, I need to get it to the Pi (maybe wget and your link address), then find the command and file location to restore from that file lol… I’m learning, but slowly… No knowledge of the correct terminology limits my “google fu” to find solutions, as CLI is not native to me lol. I spent 30 min copying and pasting each web address into the GUI for the Pi yesterday… lol :crazy_face: :rofl: :sweat_smile: :joy:

Okay here is HOW I would do it

Make a fresh install of your Pi-hole. Configure it how you need to FIRST

(Upload redacted please DM me for a copy)

then download this and rename it to pi-hole-bi-frost_yggdrasil-teleporter_2021-12-17_19-09-29.tar.gz and upload it to the teleporter with the following settings

Once that’s fully complete.

Update Gravity

Reboot the Pi

This will give you my configuration.

YMMV

1 Like

There we go… it seems to be working, just give it a while to get all the data… Thanks, now I know what that tab was for lol.

Also considering a display using PADD and a case with a built in display…just an idea :slight_smile:

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 0 (0 unique domains)
  [i] Number of exact blacklisted domains: 0
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 0
  [i] Number of regex whitelist filters: 0
  [✓] Cleaning up stray matter

  [✓] DNS service is listening
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

So weird because they are activated… hmm, reboot time

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 6542973 (2583079 unique domains)
  [i] Number of exact blacklisted domains: 27
  [i] Number of regex blacklist filters: 1
  [i] Number of exact whitelisted domains: 9688
  [i] Number of regex whitelist filters: 10
  [✓] Cleaning up stray matter

  [✓] DNS service is listening
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

GOT IT, after a reset of DNS and a reboot it’s working :slight_smile:

@PhaseLockedLoop THAT had to take a ton of work man, thank you so much sir o7

1 Like

Yes. Yes it did. You are welcome lol

1 Like