DNS Security and Adblock with OPNSense, Part 2

ADBLOCKING

Now that we’ve secured our DNS, we can move on to improving the quality of our experience on the internet by configuring DNS ad blocking. With the 20.7 version of OPNSense it’s quite easy. Simply go to Services -> Unbound DNS -> Blacklist. Click Enable and select one or more items from the DNSBL drop-down. Or, if you prefer, paste the URLs of your preferred lists in the URLs field. I prefer the Steven Black list, as it is composed of multiple lists and is also the default list for Pi-hole. Click Save and you’re done.

ADBLOCK LIST UPDATE

Now that we’ve configured the block list, we want to make sure that it updates when new domains are found. This doesn’t happen automatically when you configure it, but it is easy to add. Go to System -> Settings -> Cron. Once there, click on the + button and create a new job. The default options are fine and will update the block list daily at midnight. Select “Download Unbound DNSBLs and restart” from the Command list and provide a descriptive comment in the Description field. There may be two items with the same name in the Command list. Either one should work, but check back after each OPNSense update to ensure the job is still correctly configured once the bug is fixed. If you wish to investigate further, look at /var/cron/tabs/nobody; you should see a line running /usr/local/sbin/configctl unbound dnsbl.

DNS LOCKDOWN

Now that we’ve configured our DNS to block malware and ads, we’re all set, right? Not quite: anyone on the network can configure their device to use a different DNS server and completely bypass all of the work that we’ve done. Roku, for example, comes configured to use Google DNS in addition to the server provided by DHCP. Firefox defaults to a DoH setup.

Now we have two choices. We can either redirect all DNS queries to our server or we can simply block all queries except those to our server. Since the server hands out a DNS configuration with every DHCP lease, I choose to block the queries. It also makes for easier troubleshooting, as a device is never querying one server while actually being answered by a different one.

In order to block other servers, go to Firewall -> Rules -> Floating. A floating rule applies to every interface, so this blocks DNS everywhere at once. Click on the Add button and configure the rule as follows:

  • Action: Block
  • Interface: all appropriate interfaces
  • TCP/IP Version: IPv4+IPv6
  • Protocol: TCP/UDP
  • Destination: This Firewall, with Invert checked (so the rule matches every destination except the firewall itself)
  • Destination port: DNS

Provide an appropriate description and click Save. Once that’s done, click on the Clone button for the rule you just made. Change the port to 853 (DNS over TLS) and give it an appropriate description. Then click on Apply Changes.

You can easily test the standard DNS block by using nslookup, just as we tested the original Quad9 setup. However, in order to test the DoT block you will need to install kdig or a similar tool. It is part of the knot-dnsutils package, so you will need to install that. Then you can make a DoT call to an outside resolver to determine whether you are still able to connect.

DNS OVER HTTPS LOCKDOWN

Due to the way DoH works, it’s not as simple to block. Since it runs over HTTPS you can’t just block port 443, as that would block essentially all of the web. As far as I can tell there isn’t a list of DoH servers available, so you will have to handle them manually and determine for yourself whether it’s worth the effort.

Most DoH connections use standard DNS to bootstrap the connection in order to learn which DoH server to use. For example, they will query dns.google.com. Obviously, you can add dns.google.com and other DoH domains to your DNS domain block list, and that will cover most cases. However, some DoH servers will accept connections by IP address, which means that in order to stop those you will need to completely block all traffic to the IP.
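The testing paragraph above and this DoH discussion call for the same probe, so here is one added example (my code, not from the original post): a small Python script that sends a plain DNS query on UDP/53, a DNS-over-TLS query on TCP/853 and a DNS-over-HTTPS POST, and reports which of them get through from a LAN client. The firewall address 192.168.1.1, the choice of Quad9 as the outside resolver (9.9.9.9, the TLS name dns.quad9.net and its DoH URL https://dns.quad9.net/dns-query) and the example.com test name are assumptions; adjust them to your network.

```python
import random
import socket
import ssl
import struct
import urllib.request

# Assumptions (not from the post): the OPNsense LAN address and the outside
# resolver to probe. Quad9 is used because Part 1 of the series set it up.
FIREWALL = "192.168.1.1"
EXTERNAL = "9.9.9.9"
EXTERNAL_TLS_NAME = "dns.quad9.net"
DOH_URL = "https://dns.quad9.net/dns-query"
TIMEOUT = 3.0


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query: 12-byte header plus one question (A record by default)."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD only
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN


def parse_response(data):
    """Return (txid, rcode, answer_count) from a DNS response; raise on garbage."""
    if len(data) < 12:
        raise ValueError("short DNS message")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:  # QR bit must be set on a response
        raise ValueError("not a DNS response")
    return txid, flags & 0x000F, an


def describe(reply, sent_txid):
    """Turn a raw reply into a one-line verdict, checking the transaction id."""
    txid, rcode, an = parse_response(reply)
    if txid != sent_txid:
        return "answered with wrong transaction id (suspicious)"
    return "answered: rcode=%d answers=%d" % (rcode, an)


def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed early")
        buf += chunk
    return buf


def probe_udp53(server, name="example.com"):
    """Plain DNS over UDP/53. The floating Block rule drops silently, so a block shows as a timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(TIMEOUT)
        s.sendto(q, (server, 53))
        try:
            reply, _ = s.recvfrom(512)
        except socket.timeout:
            return "blocked (no reply)"
    return describe(reply, struct.unpack("!H", q[:2])[0])


def probe_dot853(server, tls_name, name="example.com"):
    """DNS over TLS on TCP/853: the query travels inside TLS with a two-byte length prefix."""
    q = build_query(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((server, 853), timeout=TIMEOUT) as raw:
            with ctx.wrap_socket(raw, server_hostname=tls_name) as tls:
                tls.sendall(struct.pack("!H", len(q)) + q)
                length = struct.unpack("!H", _recv_exact(tls, 2))[0]
                reply = _recv_exact(tls, length)
    except socket.timeout:
        return "blocked (no reply)"
    except ssl.SSLError as exc:
        return "reachable but TLS failed (%s)" % exc.reason
    except OSError as exc:
        return "connection failed (%s)" % exc
    return describe(reply, struct.unpack("!H", q[:2])[0])


def probe_doh(url, name="example.com"):
    """DNS over HTTPS (RFC 8484 POST). This rides on TCP/443, which the floating rules do
    not touch; it only fails if the DoH host name cannot be resolved (DNSBL) or its IP is blocked."""
    q = build_query(name)
    req = urllib.request.Request(url, data=q, method="POST",
                                 headers={"Content-Type": "application/dns-message",
                                          "Accept": "application/dns-message"})
    try:
        with urllib.request.urlopen(req, timeout=TIMEOUT) as resp:
            reply = resp.read()
    except (OSError, urllib.error.URLError) as exc:
        return "failed (%s)" % getattr(exc, "reason", exc)
    return describe(reply, struct.unpack("!H", q[:2])[0])


def run_probes():
    """Run every probe once and return label -> verdict."""
    return {
        "udp53 via firewall": probe_udp53(FIREWALL),
        "udp53 direct to Quad9": probe_udp53(EXTERNAL),
        "dot853 direct to Quad9": probe_dot853(EXTERNAL, EXTERNAL_TLS_NAME),
        "doh via Quad9 URL": probe_doh(DOH_URL),
    }


if __name__ == "__main__":
    for label, verdict in run_probes().items():
        print("%-24s %s" % (label, verdict))
```

Run it from a client on the LAN after applying the floating rules. The expected picture is: the firewall answers the UDP/53 probe, the direct UDP/53 and DoT probes to Quad9 time out (a Block rule drops silently; a Reject rule would produce a connection error instead), and the DoH probe still succeeds unless dns.quad9.net is on the DNSBL, in which case name resolution fails before any HTTPS traffic is sent, which is exactly the bootstrap block the paragraph above describes.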

I’m still contemplating how I want to handle DoH, so please pass along any ideas or suggestions you may have.

DNS Security and Adblock with OPNSense, Part 1

If you’re not familiar with DNS, you can think of it as the contact list in your phone. You don’t remember anyone’s phone number. You just know their name and have the number stored in their contact entry. DNS is similar in that you just need to know the domain of a website and your computer will look up the IP address of the site. Here is a primer that goes into a bit more detail.

With OPNSense, you can run a DNS resolver called Unbound. This will validate and cache DNS queries for your local network. It can improve your network performance, but the gain is usually not noticeable, as your browser and other software generally have their own DNS cache. The real benefit of Unbound is that we can modify the DNS for the entire network to provide more security, privacy, and peace of mind.


Installing Plex on FreeNAS 9.3

If you are not familiar with Plex then you should take a look at their website.

Plex organizes your video, music, and photo collections and streams them to all of your screens.

What this explanation leaves out is that Plex will handle all of the details for you fairly seamlessly. Whatever format your collection is in, Plex will automatically ensure that it is compatible with whatever device you are using to view the collection. First I will explain how to install it on FreeNAS and then I will talk more about the software itself.


FreeNAS Xeon D Build Journal

While my existing FreeNAS server works well and has not had a single problem, there are some things I wish I had done differently. Thus I present to you version two of my FreeNAS server.

* Do not use this case. Get the SuperChassis 743TQ-865B-SQ instead.


First Impressions of the Steam Link

The Steam Link is a counterpoint to the Steam Machines that were announced previously. Unlike a Steam Machine, HTPC running Steam, or a PC running SteamOS, Steam Link will not run any games. Instead, it leverages your existing desktop through Steam In-Home Streaming. This allows the Steam Link to be small, low power, and low cost.


Dual booting Windows 8 and encrypted Arch Linux

Now that I have Windows 8 installed on my desktop, I will be installing encrypted Arch Linux and dual booting between the two.  I have added more memory to the machine and am reusing the SSD from my original encrypted install.  Because I am dual booting and this machine supports UEFI I am electing to reinstall from scratch.  The new specs are as follows.

  • Intel i7-3770
  • Asus Sabertooth Z77
  • 2 x Corsair Vengeance 8GB
  • EVGA GTX 770 SC
  • Corsair HX 850
  • Corsair Obsidian 650D
  • Western Digital Black 1TB 3.5″ HDD
  • Kingston SVP100S2B 512GB SSD

Much of the install will be similar.  I will clarify the differences as they come up.  The first step in the process is to securely wipe the drive.  My preferred tool for this is Darik’s Boot And Nuke.  While DBAN does not guarantee SSD data removal, it does implement the US DoD 5220.22-M standard.  According to this paper that results in less than a 4.1% chance of recovering any data.  But in this case I am using dm-crypt to erase the drive by creating an encrypted container and filling it.  This provides the benefit of obscuring the upcoming usage patterns of the drive.  Either option is a lengthy process and best run overnight.


Using Steam In-Home Streaming with Windows 8

I recently acquired a new desktop and before I started loading Linux on it I decided to check out Windows 8 and retry Steam In-Home Streaming.  The machine has the following specs.  It idles around 70W at the Windows login screen.

  • Intel i7-3770
  • Asus Sabertooth Z77
  • Corsair Vengeance 8GB
  • EVGA GTX 770 SC
  • Corsair HX 850
  • Corsair Obsidian 650D
  • Western Digital Black 1TB 3.5″ HDD

Surprisingly, Windows recognized all of my hardware.  Unfortunately, it did take several hours to download and install all of the updates.  Once the updates were finished I was able to install Steam and quickly download several games.


Installing SteamOS and using Steam In-Home Streaming

I’ve been using Steam for some time now.  While it is a form of DRM, it actually provides benefits to the end user unlike most DRM.  Since I had a spare machine I decided to give SteamOS a try.

I am using the same machine that I have installed Arch on.  I swapped the SSD for a 500GB hard drive.

  • AMD FX-6300
  • GA-78LMT-USB3
  • 2 x 8GB DDR3 1333
  • WD Blue 500GB 2.5″ HDD
  • Radeon HD 4350

I am unable to use the regular SteamOS installer as my machine does not support UEFI.  Fortunately, Valve provides a SteamOS iso that supports BIOS.  Unfortunately, the first installation did not complete.  The installer gave me an error message that simply said the base system could not be installed.  Upon further research, I determined that SteamOS only contained the latest video drivers.  My HD 4350 was not supported.


Installing and configuring Xfce in Arch Linux

When we last left our Arch Linux install we had a lovely command prompt.


This is fine for a server, but as this is a desktop, it would be nice to have a GUI.  We will be installing Xfce.  I started using Xfce when looking for a lighter weight GUI than KDE or Gnome.  Openbox and Fluxbox are certainly lighter but require more configuration and setup than I prefer.  Xfce was a nice compromise.  Light enough for my needs while still remaining a full desktop environment.


Installing encrypted Arch Linux on an SSD

This article will document the decisions and process of my building an Arch Linux desktop. Arch Linux is a rolling release distro. There are no specific releases as there are with Fedora, Ubuntu, etc. Due to this I will not be posting a step by step procedure. That is covered very thoroughly in the Beginners’ guide located on the Arch wiki. I will be discussing the choices that I make and why I make them.

I am re-purposing some hardware that I had laying around for this build.

  • AMD FX-6300
  • GA-78LMT-USB3
  • 2 x 8GB DDR3 1333
  • Kingston SVP100S2B 512GB SSD
