This is a practical article to discuss DNS and Security and to show you how to practically upgrade the PiHole DNS Server and advertisement Blocker than I discussed earlier
(& Can I Bother?)
Via this Blog, Social media and multiple public sources Marcus and Agata selectively share aspects of their lives not just techy information.
The key is selectively.
We are increasingly aware of the arms race between us the users and websites and applications and even Internet of Things devices in our own home trying to extract information from us. We want to control what is shared and given away for free.
Here are three ways to approach computer security
I'm not that technical but don't take any active security measures. I don't have time to do anything but I have plenty of excuses. And if I get hacked of compromised I am sure it is somebody else's fault
I am wealthy. I pay somebody a lot of money, they come around and install a terrific security and privacy infrastructure. (If this is you, you are about to call us right :-)
We have a home and we personally setup an increasingly elaborate computer infrastructure to protect our privacy, automate our home and defend it physically and digital from nasty people
Marcus and Agata self identify as category 02
We now discuss a way to enhance the security of your DNS name resolution so that all data passed to the Internet outside from your Home and Home Router is done using Encryption and not as is the current standard in plain text.
And of course that those DNS name resolutions be done not via a DNS server of your local Internet Service Provider who could and may be under a duty to record all such transactions to provide a log to governments upon request of all websites that you have visited.
You have one or more client computers e.g. desktops, laptops, smarphones
They talk to a custom Pi-Hole DNS Server which is a small 10 GBP Raspberry Pi Computer running inside your home
That Pi-Hole server is now modified to incorporate DNSCrypt 2.0
As such, any names that need to be resolved on the Internet are sent using a secure protocol not in plaintext
The DNS server makes the secure request via the Router then returns the DNS lookup IP address back to the requesting client
The Client then uses the IP address to browse the web, talk to the destination etc.
Having a secure DNS setup is just one part of a secure Computer Infrastructure. Above is a more accurate representation of Marcus and Agata's home network.
First we suggest multiple networks NET1, NET2, NET3 ... which serve different purposes. They are isolated from each other by a Hardware Firewall.
The Hardware Firewall is programmed to allow access from more secure e.g. NET2 to NET1, but disallow from less secure to more e.g NET1 to NET2
Every Client such as a Laptop also runs its own Firewall and Anti Malware and Anti Virus software wherever possible
Clients can choose to use a TOR anonymiser. Actually this is still in testing, but this can further hide your identity from those who could snoop on your network packets et al
As before, any client using a DNS name e.g. majzel.blogspot.com needs name resolution and this occurs in the manner I already detailed in the Simple Setup section.
With the Modified PiHole we will build below you can be confident that all outbound DNS requests to the Internet are made securely because the PiHole is configured with DNSCrypt 2.0 to always do so
The client application having got its DNS goes out its Client Firewall, out the Hardware Firewall and then to the MikroTik Router. This also contains a further firewall! MikroTik also contains rules to pass the request out to one of many Internet connections (3 are shown).
This finally gets to our 4G router and then out to the Internet and back. Oh, and each 4G router also contains a firewall.
I covered this very recently
DNSCrypt Modifications to PiHole
I followed the instructions given in article
https://github.com/pi-hole/pi-hole/wiki/DNSCrypt-2.0 to implement DNSCrypt, but there are things to know
- Level set. The PiHole for us is running on a Raspberry Pi Zero W computer.
- The instructions talked about downloading dnscrypt-proxy files. I thought rubbish and tried using apt-get install dnscrypt-proxy. This does not work :-( as the installed proxy level is too low! Don't go there, I also had to cleanup and eat humble pie.
So lets see what I actually did that worked
Install and Configure DNSCrypt 2.0
# All the action takes place on the PiHole Raspberry Pi Zero W computer
# install the latest code and dont use apt-get
# remember Raspberry Pi runs a 32bit not a 64 bit Operating System
# You will be installing into /opt/dnscrypt-proxy
# Like all good techies I am root for this proceude
# ksh is installed via apt-get install ksh so
# get the code
tar -xvpf dnscrypt-proxy-linux_arm-2.0.8.tar.gz
mv linux-arm dnscrypt-proxy
# now configure
cp example-dnscrypt-proxy.toml dnscrypt-proxy.toml
# Some of the lines that I changed are below (in bold)
# this command lists all the possible based on your config
# ./dnscrypt-proxy --list-all
# server_names = ['scaleway-fr', 'google', 'yandex']
server_names = ['cloudflare' ]
# 20180404 mwb was: listen_addresses = ['127.0.0.1:53', '[::1]:53']
listen_addresses = ['127.0.0.1:53210', '[::1]:53210']
# Server must support DNS security extensions (DNSSEC)
# 20180404 mwb was: require_dnssec = false
require_dnssec = true
## Load-balancing strategy: 'p2' (default), 'ph', 'fastest' or 'random'
# lb_strategy = 'p2'
lb_strategy = 'fastest'
## log file for the application
log_file = '/opt/dnscrypt-proxy/dnscrypt-proxy.log'
fallback_resolver = '188.8.131.52:53'
ignore_system_dns = true
# end of my changes to config file
ignore_system_dns = true
# end of my changes to config file
# Install the Proxy service
/opt/dnscrypt-proxy/dnscrypt-proxy -service install
# finally start the service
/opt/dnscrypt-proxy/dnscrypt-proxy -service start
Tell PiHole to use only DNSCrypt
# Remove existing servers from PiHole configuration
# comment out with # hash character all lines
# of the form server =
# so lines are now like # server = ...
# Tell PiHole to use DNSCrypt20
# The file contains the single line (bold)
# Commands entered as root on pihole/dnscrypt system
# Restart dnscrypt
/opt/dnscrypt-proxy/dnscrypt-proxy -service restart
#In another shell window tail logfile
tail -f /opt/dnscrypt-proxy/dnscrypt-proxy.log
[2018-04-04 20:59:43] [NOTICE] Stopped.
[2018-04-04 20:59:43] [NOTICE] Service restarted
[2018-04-04 20:59:43] [NOTICE] Source [public-resolvers.md] loaded
[2018-04-04 20:59:43] [NOTICE] dnscrypt-proxy 2.0.8
[2018-04-04 20:59:43] [NOTICE] Now listening to 127.0.0.1:53210 [UDP]
[2018-04-04 20:59:43] [NOTICE] Now listening to 127.0.0.1:53210 [TCP]
[2018-04-04 20:59:43] [NOTICE] Now listening to [::1]:53210 [UDP]
[2018-04-04 20:59:43] [NOTICE] Now listening to [::1]:53210 [TCP]
[2018-04-04 20:59:46] [NOTICE] dnscrypt-proxy is waiting for at least one server to be reachable
[2018-04-04 20:59:57] [NOTICE] [cloudflare] OK (DoH) - rtt: 59ms
[2018-04-04 20:59:57] [NOTICE] Server with the lowest initial latency: cloudflare (rtt: 59ms)
# check resolution
# /opt/dnscrypt-proxy/dnscrypt-proxy -resolve majzel.blogspot.com
Domain exists: probably not, or blocked by the proxy
Canonical name: blogspot.l.googleusercontent.com.
IP addresses: 184.108.40.206, 2a00:1450:4009:812::2001
SummaryI now run a PiHole DNS server on a Raspberry Pi Zero W
It is modified to talk to the Internet DNS servers only via dnscrypt
All clients in my home network point to this humble 10 GBP computer to resolve any and all DNS queries
We also employ other security features including a lot of firewalls, TOR anonymisers, and isolated networks.
The combination makes for a more secure system :-)
220.127.116.11 meets 18.104.22.168 and 22.214.171.124
DNS Privacy Project
What is DNS over TLS