Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

Additionally you can change all the servers of your pihole if you want to remove the bigger names and just want to use them.

To do so you edit the dns-servers.conf

In my case I want to leave opennic as a fallback. Preserved the accent mark in Québec :wink: (pour les incultes )

[eric@baldr pihole]$ sudo cat dns-servers.conf 
UncensoredDNS (1: AnyCast 2:Unicast | DNSSEC | NOLOGS);91.239.100.100;89.233.43.71;2001:67c:28a4::;2a01:3a0:53:53::
FreeNom (DNSSEC | Anonymized);80.80.80.80;80.80.81.81;;
OpenNIC (NS5.CA | Toronto | DNSSEC | NOLOGS);142.93.148.79;;2604:a880:cad:d0::685d:e001;
OpenNIC (NS12.CA | Toronto | DNSSEC | NOLOGS);165.22.224.164;;2604:a880:cad:d0::d9a:f001;
OpenNIC (NS8.CA | Québec | DNSSEC | NOLOGS);198.50.135.212;;2607:5300:203:7f27:5054:ff:fe57:4a07;
OpenNIC (NS4.CA | Québec | DNSSEC | NOLOGS);66.70.228.164;;2607:5300:203:439c::102;
OpenNIC (NS4.GA.US | Atlanta | DNSSEC | NOLOGS);45.76.254.23;;2001:19f0:5401:2a4a:5400:03ff:fe2b:271f;
OpenNIC (NS4.NJ.US | Piscataway | DNSSEC | NOLOGS);192.3.165.37;;2001:470:1f07:ed6::;
OpenNIC (NS6.NY.US | New York City | DNSSEC | NOLOGS);162.243.19.47;;2604:a880:0:1010::b:4001;

FORMAT:
Name;DNS4_1;DNS4_2;DNS6_1;DNS6_2

Easy peazy

1 Like

boringly stable is a meme to me. I like rolling it simplifies my life haha

1 Like

ADDITIONAL NOTE

To harden your TLS sessions/sockets with the same level of encryption

you need to add this to your stream{} block configurations

    ssl_dhparam            <path>/dhparam.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers         !AES128:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve secp521r1:secp384r1;
    ssl_trusted_certificate       <path>/fullchain.pem;
2 Likes

@PhaseLockedLoop still love you for this series. I’ve been reading through and looking things up as needed for my own understanding. Thank you for these again.

2 Likes

why not just add it to the beginning of the block and not have to add it to each config?

2 Likes

Because nginx won’t start

It tells me it doesn’t belong there

1 Like

No problem. I expand notes as I find little tweaks lol

I do go further than others about hardening though

2 Likes

That’s why I’m enjoying it so much… looking into a firewall pc atm.

2 Likes

Any basic system will do that’s post sandy bridge.

You just have to decide are you going to put multiple NICs in there or do a trunk? Lol

2 Likes

OK, I’m in over my head… I guess I need to start with Nginx? lol

1 Like

yes… where are you lost. 1 step at a time

2 Likes

Where should I try to have Nginx? Or should I start with the firewall first? Lol ug…boo… Im just too disorganized. I need to get sorted…

2 Likes

Clean slate

Do you have pihole running?

1 Like

Yes on my home machine. Not all systems use it as a DNS because wife would freak but my machines use it. Its not on any testing equipment. Its on a LXC container in the ryzen 2700 Fractal 804 Server.

2 Likes

Lets talk about groups

Assign static IPs both 6 and 4 to your home clients

Create groups… and use different block lists for each. On your wives do the basics… block malware and stuff… and on your block all you want and on guests… block malware and things you dont want them accessing

(I dont use the function but I hear its powerful)

3 Likes

that said does it have a static IP and IP6 (assuming you have public 6 infrastructure like me)

1 Like

Yes for 4 for sure, that’s all I’ve used at home so far.

Just discovered a add group is faulty…ooops https://mirror1.malwaredomains.com/files/justdomains

I only have one list… https://raw.githubusercontent.com/StevenBlack/hosts/master/hosts

2 Likes

I have 97 lists

Okay well then make sure its a static 4. Disable 6 since you don’t need it. And using nginx is the next step. Do you have a reverse proxy setup outside the house? Like have you bought a 5 dollar linode?

1 Like

I have not. No domain at this time. Should I put this on test equipment? (IE I have the Dell T420, Protectli, Fractal X470d4u r2700(production working server), Ryzen 9 B550 system, and raspberry Pi4)… LOL Lot to choose from not to mention the cisco switches.

I’m asking if I can get a domain from the site you recommend. Waiting for wife to respond.

Where should I got for lists to add? is there a good website?

2 Likes

So we can experiment with some internet work then yes.

So what you would do is on your spare pi setup nginx…

On your pihole image point the main domain you are thinking of like haastyle.cat → to the IP of the pi.

Use Cnames to point to subdomains on that internal nginx server if you want to get the grasp of this

But it won’t work for this guide as this deals with TCP proxying external to internal

1 Like