Infrastructure Series -- Recursive DNS and Adblocking DNS over TLS w/NGINX

I gave the phones static IP reservations… I think they got conflicted in OPNsense and that caused the issue. I gave them a full /24 subnet… I have a ton of leases. I’ve just been locking it down to MAC filtering. I don’t have a ton of guests that need wifi, and they are on a separate net.

I was able to set “device MAC” on both the iPhone and the Android no problem to resolve the issue. Just wondered if there was a way to translate the randomized MAC. From what I read it is sent only once for identification, then translated somehow back to the device MAC… it was a bit confusing how it could do that, and the info wasn’t a full document or a “reliable” source. Just the only place I found info on how MAC randomization works on cell phones.

I’ve been reading a few docs on setting up HTTPS locally with certbot… kind of like your guide, but just for local traffic. As I don’t have Linode I am kinda locked in to a personal network with no exposed ports to the WAN for now besides regular ports. I’d like to do it to understand it at home, then later translate it to a WireGuard VPN to Linode at something. I’ll check on @Dynamic_Gravity's posts too to see. There’s another source of good documentation :)

MAC filtering is pointless and easily spoofed. I would let the devices and DHCP handle the addresses and shorten the issue time for the WLAN network. /24 is big enough.

1 Like

Roger, good plan. I’ll set that up. Just monitor for strange devices.

1 Like

Honestly WPA2 keeps honest people honest.

If you are super worried you can switch from Personal → Enterprise using EAP-TLS and use certs to control device access. That's complicated though, and end users don't often like the setup.

1 Like

Yeah, not worried, this is all for experience and theory. Once I can get the other server up I should be able to do more on a testing network environment.

Just seeing how certs work, and how to do them properly to have “trusted” connections to my services etc. Just for fun 🙂

Wifi security reference

1 Like

Sweet thanks I’ll read up on that.

1 Like

There are also a lot of GUIs that automate serving a cert and connecting people to the network with profiles set by the app and stuff. There's a whole other world to Wi-Fi security. I don't use it at home because it's a lot of effort for me to maintain and I have friends and parents over regularly.

1 Like

Yeah, I really want to dig into Nginx and certs locally. Not for everything, but as a test with like OPNsense, Proxmox, Pi-hole etc. I know I can install certs on each machine individually, but I’d like to learn to use a service to serve and verify them, keep any traffic on my network with servers, firewall etc. from being viewed with HTTPS, and start using my domain locally I got on Namecheap (thanks for that advice, FYI). I know it's way EXCESSIVE, but fun to learn and useful later if I host a website once I can on a proxy server or maybe a DMZ (once I have more knowledge of this before exposing a PC to the internet).

I have not figured out why Reddit and Twitch don't load in Firefox but do in the Chromium browser…

2 Likes

Sounds like a plugin

All I am using is uBlock to disable JavaScript. And yeah, I have made sure that JavaScript is disabled for Reddit… Same as Chromium.

Well, I'm really not sure. In any case it's not the place for the question if it's unrelated to the Pi-hole, which it is, as you just stated it's a browser issue in one or more browsers. Maybe pose the question in the small Linux problem thread?

1 Like

I just disabled uBlock. Still not loading. I know it has nothing to do with Pi-hole. Firefox being shit. Will post a problem thread.

Guys, I'm going to backfill this into my guide soon.

@here

I now have a much bigger, more comprehensive blocklist.

Here is the link to the configuration. I have decided against skirting around forum upload restrictions. I will endeavor to keep this link reliable.

(This link is now redacted. Please DM me)

This folder contains the decompressed configuration, so you may read the source, and two compressed configurations: a Zstandard one for those who have written their own Pi-hole Docker image and have forced the teleporter to use it (me, lol), or gzip for the regular deal.

Y'all know the drill probably, but above is what you need to do to import it.

@FaunCB in case you aren't notified, here you go.

After this is done update your gravity

Finally Restart the pihole when everything is set and complete.

Customize to your needs, and YMMV.

For debugging purposes: updating gravity the first time should yield this output:

  [✓] Creating new gravity databases
  [✓] Storing downloaded domains in new gravity database
  [✓] Building tree
  [✓] Swapping databases
  [i] Number of gravity domains: 15255050 (6179958 unique domains)
  [i] Number of exact blacklisted domains: 30
  [i] Number of regex blacklist filters: 54
  [i] Number of exact whitelisted domains: 15384
  [i] Number of regex whitelist filters: 12
  [✓] Flushing DNS cache
  [✓] Cleaning up stray matter

  [✓] FTL is listening on port 53
     [✓] UDP (IPv4)
     [✓] TCP (IPv4)
     [✓] UDP (IPv6)
     [✓] TCP (IPv6)

  [✓] Pi-hole blocking is enabled
    ~ ▓▒░                                                           ░▒▓ ✔  took 7m 38s   with root@bi-frost  at 13:02:56  

I also hope my list tagging remains, so it's easier for you to go through the lists.

Should your Google Play Store or iOS App Store stop working, it's possible the Google and Apple URLs got caught. Consult your query log and proceed to whitelist until functional.

4 Likes

You could block DoH endpoints if you got a total and complete list of their domains.



3 Likes
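As an added example (not code from the post or from Pi-hole), the script below takes a list of DoH endpoint hostnames like the one above, normalises and deduplicates it, emits dnsmasq lines that answer those names with NXDOMAIN, and scans Pi-hole's dnsmasq-format query log for clients that tried to reach one of them. The hostnames and log lines are constructed samples; dropping the generated lines into a dnsmasq.d file is one assumed way to apply the block, adding the names to Pi-hole's blacklist being the other.

```python
import re
from collections import defaultdict

# Constructed sample of DoH endpoint hostnames (a real list is far longer);
# the duplicate and the mixed-case entry show why normalisation matters.
DOH_ENDPOINTS = """
dns.google
DNS.Google.
mozilla.cloudflare-dns.com
doh.xfinity.com
doh.xfinity.com
"""
# Constructed /var/log/pihole.log lines in dnsmasq format.
SAMPLE_LOG = """\
Jan 11 13:02:56 dnsmasq[812]: query[A] dns.google from 192.168.10.20
Jan 11 13:03:01 dnsmasq[812]: query[AAAA] mozilla.cloudflare-dns.com from 192.168.10.20
Jan 11 13:03:07 dnsmasq[812]: query[A] forum.example.net from 192.168.10.31
Jan 11 13:03:09 dnsmasq[812]: query[HTTPS] dns64.dns.google from 192.168.10.45
"""

QUERY_RE = re.compile(
    r"^\w{3} +\d+ [\d:]+ dnsmasq\[\d+\]: query\[[A-Z]+\] (?P<name>\S+) from (?P<client>\S+)$"
)

def normalize(name):
    # Lowercase and drop the trailing dot so "DNS.Google." equals "dns.google"
    return name.strip().lower().rstrip(".")

def load_endpoints(text):
    # One hostname per line; blanks and '#' comments skipped; duplicates removed
    return sorted({normalize(l) for l in text.splitlines()
                   if l.strip() and not l.lstrip().startswith("#")})

def dnsmasq_block_config(endpoints):
    # address=/name/ with no IP makes dnsmasq answer the name and everything
    # beneath it locally with NXDOMAIN, which is what we want for a resolver
    return "".join(f"address=/{e}/\n" for e in endpoints)

def doh_attempts(log_text, endpoints):
    # Return {client: {hostname, ...}} for clients that looked up an endpoint
    # or a name beneath one; these are the devices trying to bypass the Pi-hole
    blocked = set(endpoints)
    hits = defaultdict(set)
    for line in log_text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        name = normalize(m["name"])
        if name in blocked or any(name.endswith("." + e) for e in blocked):
            hits[m["client"]].add(name)
    return dict(hits)
```

Clients that show up in `doh_attempts` are the ones to look at in the query log; a blocked endpoint only stops the bootstrap lookup, so a device with a hard-coded resolver IP still needs a firewall rule.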

Does @ here or something notify everyone in the thread? Because I see a notification that I got tagged, but I don’t see my name.

2 Likes

Yes, that's how it functions. It notifies only everyone who is active in the thread or has posted. It's a convenient way to notify and tell everyone… hey, update!

2 Likes

I’m going to abuse this so much, lmao

2 Likes

I know nothing… I heard nothing, I saw nothing

2 Likes