Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

Once I get an OK I'll let you know. What OS is recommended for the Pi?

Manjaro ARM (headless)


She has to review it when she gets home. I can't do it on my own. :frowning: I'll work on getting that OS installed. Could I run the service as a VM, or is it best to be its own device?

It sounds like you need to just read up on what you want to do and make no decision or action until you and your wife are on the same page, bud.

As for Manjaro ARM, its directory and workflow structure isn't as transferable. If you want something standard, go with Fedora 34 AARCH64 headless.


She's fine with it, she just wants to see the form for the contract… It's a pain but I have to do it this way for a while. I'm out for a while and I'll be back.


lol, then take things slow. You don't need to deploy in a day… for example I did, but @Novasty takes months to implement… he takes time to understand what he is doing…

If you are like him then do it that way…


I am. I got Manjaro installed but cheated and did the i3 version… wow, it's different. I was going to install the scripts for the fan on my argo1 but it won't take… it doesn't recognize apt-get, so I assume it uses another package manager like yum? I'm just guessing here. AND a big no-go on the domain name… :frowning: Can I set up something similar locally for certificate checks? I won't need a step by step, just a pointer, and I'll do some research.

DDNS works, technically. Free ones provide a domain… which you can point to nginx, and with that you can do sort of a similar thing, but this is subject to whether your ISP allows it…

Alternatively you may DDNS to a Linode. I'm not familiar with this setup and it's beyond this particular guide/not related.
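The "similar thing" above is terminating DNS over TLS on the nginx side of that DDNS name. Here is an added example of how to check such an endpoint from the outside; it is not part of the original thread or the guide it replies to, and it is not Pi-hole's or nginx's code. It is a POSIX shell probe that builds the length-prefixed DNS query by hand (the framing nginx's stream proxy passes through on port 853), pushes it through openssl s_client, and pulls the RCODE out of the reply. The hostname `dns.example.net`, the port 853 and the availability of openssl, od, cut and xxd are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): probe a DNS-over-TLS endpoint such as an nginx
# `stream` listener on 853 that fronts Pi-hole/unbound. Assumes openssl, od, cut, tr, xxd.

# dns_query_hex NAME -> hex of an A query for NAME with the 2-byte length prefix that
# DNS over TCP/TLS requires (RFC 1035 4.2.2, RFC 7858). ID 0xabcd, RD set, one question.
dns_query_hex() {
    _qname=""
    for _label in $(printf '%s' "$1" | tr '.' ' '); do
        _hex=$(printf '%s' "$_label" | od -An -tx1 | tr -d ' \n')
        _qname="${_qname}$(printf '%02x' "${#_label}")${_hex}"
    done
    # header (12 bytes) + QNAME labels + root label 00 + QTYPE A (0001) + QCLASS IN (0001)
    _msg="abcd01000001000000000000${_qname}0000010001"
    printf '%04x%s' "$(( ${#_msg} / 2 ))" "$_msg"
}

# dns_rcode_from_hex HEX -> RCODE of a length-prefixed response given as hex
# (low nibble of the 4th message byte); prints "short" and fails on a truncated reply.
dns_rcode_from_hex() {
    [ "${#1}" -ge 12 ] || { echo short; return 1; }
    _nibble=$(printf '%s' "$1" | cut -c12)
    printf '%d\n' "$(( 0x$_nibble ))"
}

# dot_probe HOST NAME [PORT] -> raw response as hex. Opens a real TLS session, so this
# needs network access. Add -verify_return_error (and -CAfile for a private CA) to the
# openssl line to make a bad certificate abort instead of silently continuing.
dot_probe() {
    _host=$1; _name=$2; _port=${3:-853}
    { dns_query_hex "$_name" | xxd -r -p; sleep 2; } \
        | openssl s_client -quiet -connect "$_host:$_port" -servername "$_host" 2>/dev/null \
        | od -An -tx1 | tr -d ' \n'
}

# Usage (assumed hostname): ./dot_probe.sh dns.example.net example.com
if [ "$#" -ge 2 ]; then
    _resp=$(dot_probe "$@")
    _rc=$(dns_rcode_from_hex "$_resp") || { echo "no usable reply from $1"; exit 1; }
    echo "reply: $_resp"
    echo "rcode: $_rc (0 = NOERROR, 3 = NXDOMAIN)"
fi
```

Without `-verify_return_error` s_client will happily talk to a self-signed or expired certificate, so a clean RCODE 0 only proves the stream proxy and the resolver behind it work; run it once more with verification turned on to prove the DDNS name and the certificate nginx serves actually match.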

Hey DM me for a bit on something


OK, well I got Coreboot to install on the first go. There were a few steps I had to do beforehand to make it go smoothly. I have the FW4B with 8GB Samsung RAM.

Somehow I got down the wrong path thinking I needed to create a boot USB… I dunno how I got that impression, but I did. I did rectify that and read up on the Flashli option.

I did the following:

Make Ubuntu Live USB
DEL key on boot to get into BIOS settings
Set Protectli CSM to "legacy only"            #This is what coreboot uses
In BIOS select boot to Ubuntu live USB
THEN
Follow documentation on website... https://protectli.com/kb/how-to-use-flashli/

But now I can't log into it lol boooo

I also have a

Sep 3 12:28:21	kernel	(ada0:ahcich0:0:0:0): WRITE_FPDMA_QUEUED. ACB: 61 00 4f 04 81 40 08 00 00 01 00 00
Sep 3 12:28:21	kernel	(ada0:ahcich0:0:0:0): CAM status: Uncorrectable parity/CRC error
Sep 3 12:28:21	kernel	(ada0:ahcich0:0:0:0): Retrying command

This, somewhat. While you can compile stuff, some distros don’t have software in their main repos, so that’s a differentiator for me and very few have a way to update / compile automatically (e.g. AUR for Arch and xbps-src for Void). But for software compatibility, yeah, basically the same.

Oh, hell no. Stay away from Manjaro on anything. Get Arch, or stick with Ubuntu Server. Or compile Void or Gentoo, but that's a little hard and takes a lot of time, so probably not those. Or, as mentioned afterwards, Fedora.

The reason why I avoid Manjaro is its stupid update policy: waiting for updates for 1-2 weeks, then giving you 2GB+ of updates, and they don't even do anything, just waiting to see if Arch users have issues - and sometimes the delay makes it worse. I've had Arch installs stay stable and fast more than I had Manjaro installs.


I've seen opinion go both ways. You can do the same delays on Arch if you configure pacman properly.

If I rebase to Arch I want to go rebootless rolling, which means live kernel patching.


I want to be able to reboot whenever there are kernel updates, so I’m taking the opposite approach (haven’t tried it yet though): live migrating LXD containers between systems (maybe eventually HA if I ever need to). LXC uses the host OS kernel, so I see no reason why I can’t just juggle containers around like I do with VMs… UNLESS LXC can’t live migrate between systems with different kernels (without rebooting the container, so basically offline migration).

I'll do a post on the forum when I'm happy with the setup; it will probably take a while (at least a month, maybe?).


I primarily use Docker. I would love rebootless stateless updates. It would be so nice for Arch uptime, tbh.

https://wiki.archlinux.org/title/Kernel_live_patching


I will post about OCI containers as well. Apparently there's a limit of 100 pods in Kubernetes per node (not sure about Docker); if you want to go over, you need LXD to split the resources (and reallocate them on the fly) in order to get past the 100 limit per host.

I read somewhere between the lines that you can increase it to 110, all the way up to 250, but it's not recommended and you have to test stuff. There are people who use LXD to make multiple Kubernetes nodes on a host (some community somewhere for Pokémon Go or something). In that case you don't need HA, but you should have a good group split and management between worker nodes, since the LXD containers will be the workers, and if one host goes down, you should have your application replicated on nodes on different hosts, so a host doesn't take all the worker nodes the application was running on all at once.

Edit for your edit: I'm only slightly familiar with Ubuntu's version of LKP, but I've never done any live kernel patching myself. I really like reboots. Long uptimes are cool and all, but nothing solves problems better (or makes them more apparent) than turning it off and on again.
:wink:


Public solicitation:

Do you or does anyone else know about any OPEN root server alliance that's still going, as an alternative to ICANN or a supplement?

It would be a good update to this.


OpenNIC. They seem to be the only ones left around that resolve alternative TLDs and also mirror ICANN's domains. Namecoin resolves only the .bit TLD.

Handshake tries to decentralize ICANN using blockchain.

Then, there are the pseudo-TLD hidden service variety baked into darknets, like .onion in Tor and .i2p in i2p.


(I'm sorry, this upload is redacted. Please DM me for an update or preferably contact me off forum.)

@ThatGuyB @HaaStyleCat @Shambles @Novasty @harrypnyce @Argone @SgtAwesomesauce @qtwork et al and anybody interested in the config

Rename the extension from .txt

  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [✓] The old database remains available.
  [i] Number of gravity domains: 8088086 (3755432 unique domains)
  [i] Number of exact blacklisted domains: 26
  [i] Number of regex blacklist filters: 0
  [i] Number of exact whitelisted domains: 9646
  [i] Number of regex whitelist filters: 7
  [✓] Flushing DNS cache
  [✓] Cleaning up stray matter

  [✓] DNS service is listening
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled

I think I finally have it tweaked to maximally block the bad… and unblock the legit. It's been battle tested by a very normie family. I think this is a good base for any of you to start with. Excluding Novasty, you can pick and choose 'cause you know this shit.

I've sanitized it of salted passwords but not IP config, so you will have to help it along a bit or selectively choose what you want out of it.


Why not back up your original config using pihole -a -t, sanitize the system with a generic-ass password, then re-run pihole -a -t again so the people you tagged have a base template to work from by simply restoring from the sanitized backup, for ease of use?

Once you've finished sanitizing and creating a backup template, restore back to your customized setup from the first backup.

By doing that, most people shouldn’t run into the same IP conflicts that you’ve listed.

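The backup-then-sanitize routine suggested above can also be done on the Teleporter archive itself instead of on the live system. What follows is an added example, neither Pi-hole's code nor anything posted in this thread: a POSIX shell function that rewrites a `pihole -a -t` archive into a shareable template by blanking the salted WEBPASSWORD hash and replacing only this host's own IPv4/IPv6 address, wherever it appears, with a placeholder. It assumes the archive contains a setupVars.conf with IPV4_ADDRESS=, IPV6_ADDRESS= and WEBPASSWORD= lines in the form Pi-hole v5 writes them, that other files in the archive (custom.list, dnsmasq.d/*) may mention the same address, and that the recipient restores the template through the Teleporter page of the web UI. The placeholder names CHANGE_ME_IPV4/CHANGE_ME_IPV6 are my own choice.

```shell
#!/bin/sh
# Added example (not Pi-hole's code, not from the thread): turn a Teleporter backup
# (pihole -a -t) into a shareable template. Assumes the archive holds setupVars.conf
# with IPV4_ADDRESS=, IPV6_ADDRESS= and WEBPASSWORD= lines as Pi-hole v5 writes them.

# sanitize_teleporter IN.tar.gz OUT.tar.gz
# Blanks the salted WEBPASSWORD hash and replaces this host's own IPv4/IPv6 address in
# every file of the archive with CHANGE_ME_IPV4 / CHANGE_ME_IPV6. Other hosts' addresses
# (router, static leases in custom.list) are left alone so the template stays useful.
sanitize_teleporter() {
    _in=$1; _out=$2
    case $_out in /*) ;; *) _out=$PWD/$_out ;; esac   # tar -C must not move the output
    _tmp=$(mktemp -d) || return 1
    tar -xzf "$_in" -C "$_tmp" || { rm -rf "$_tmp"; return 1; }
    _vars=$_tmp/setupVars.conf
    if [ ! -f "$_vars" ]; then
        echo "setupVars.conf not found in $_in" >&2; rm -rf "$_tmp"; return 1
    fi
    # own addresses with the CIDR suffix dropped (IPV4_ADDRESS=192.168.1.10/24 -> 192.168.1.10)
    _ip4=$(sed -n 's#^IPV4_ADDRESS=\([^/]*\).*#\1#p' "$_vars")
    _ip6=$(sed -n 's#^IPV6_ADDRESS=\([^/]*\).*#\1#p' "$_vars")
    _script='s/^WEBPASSWORD=.*/WEBPASSWORD=/'
    if [ -n "$_ip4" ]; then
        _re=$(printf '%s' "$_ip4" | sed 's/[.]/\\./g')
        # trailing boundary so 192.168.1.10 does not also rewrite 192.168.1.100
        _script="$_script;s#$_re\([^0-9.]\)#CHANGE_ME_IPV4\1#g;s#$_re\$#CHANGE_ME_IPV4#"
    fi
    if [ -n "$_ip6" ]; then
        _script="$_script;s#$_ip6\([^0-9A-Fa-f:.]\)#CHANGE_ME_IPV6\1#g;s#$_ip6\$#CHANGE_ME_IPV6#"
    fi
    find "$_tmp" -type f | while read -r _f; do
        _new=$(mktemp) || exit 1
        sed "$_script" "$_f" > "$_new" && cat "$_new" > "$_f"   # cat keeps the file's mode
        rm -f "$_new"
    done
    tar -czf "$_out" -C "$_tmp" . && rm -rf "$_tmp"
}

# Usage (assumed file names): ./sanitize.sh pi-hole-teleporter_2021-09-03.tar.gz template.tar.gz
if [ "$#" -eq 2 ]; then
    sanitize_teleporter "$1" "$2" && echo "wrote $2"
fi
```

Because only the host's own address is rewritten, router and static-lease entries survive and the recipient does not inherit a stranger's network numbering; whoever restores the template still has to put their own address back in and run `pihole -a -p` to set a fresh password, since the blank hash is exactly what you want them to replace.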

Ahh, yes, I could have done that. I'll probably do that this afternoon, then, or I won't get to it. One of the two, haha.

It is pretty efficient.

37% blocked, no breakage on the fam's stuff (iPhone users and normal folks, in comparison to technical forums).

The proxy helps anonymize all request IPs.


I have bookmarked this for implementation. In the new apartment I pointed my router to Pi-hole as DNS, and it has been blocking all the IoT and trackers I can see with what I have, for every device on the network. I still need to step up and get a firewall done besides relying on ASUS Ai Suite.

Also, funny side note… My wife said "I keep trying some links and it blocks them." I told her that's because those links have trackers and analytics as a part of them… she said… it was priceless: "They can do that that easily?" LOL. Thanks for the update @PhaseLockedLoop
