Weekend Project: Part 3 – Installing Pi-hole

As Sunday draws to a close we can finish up this weekend project by installing Pi-hole. What is Pi-hole, I hear you ask? Well, copied and pasted straight from the Pi-hole website: “The Pi-hole® is a DNS sinkhole that protects your devices from unwanted content, without installing any client-side software.”

Previously I wrote the first 2 parts of this guide on my MacBook Air, but I have written this final post on my PC, so please excuse any differences in the formatting of commands between Terminal and PuTTY.

To begin installing Pi-hole, run the below commands on your Pi;

paz@raspberrypi:~ $ wget -O basic-install.sh https://install.pi-hole.net
paz@raspberrypi:~ $ sudo bash basic-install.sh

The installer is very hands-off: it performs a bunch of checks and then installs, and the whole process was done in a couple of minutes. One of the questions asked by the Pi-hole installer is which DNS provider you wish to use. You can choose any at this time, as we will change it to Cloudflared (DNS over HTTPS) later on. The installer also asks if you would like to install a web GUI. This is optional; I chose to have the GUI because over the initial weeks I intend to see how everything is going, and having a GUI is nicer than trawling through endless logs. Once the installer has completed, take note of your Pi-hole GUI web address and admin password, as we will need these to log in.

Installing Cloudflared

What is DNS over HTTPS? Again, copied directly from the Pi-hole website to save me having to type out my own explanation:

DNS-Over-HTTPS is a protocol for performing DNS lookups via the same protocol you use to browse the web securely: HTTPS.

With standard DNS, requests are sent in plain-text, with no method to detect tampering or misbehaviour. This means that not only can a malicious actor look at all the DNS requests you are making (and therefore what websites you are visiting), they can also tamper with the response and redirect your device to resources in their control (such as a fake login page for internet banking).

DNS-Over-HTTPS prevents this by using standard HTTPS requests to retrieve DNS information. This means that the connection from the device to the DNS server is secure and can not easily be snooped, monitored, tampered with or blocked. It is worth noting however, that the upstream DNS-Over-HTTPS provider will still have this ability.

To start installing Cloudflared we need to pull down the Cloudflared files with wget

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -zxf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared

Next we will create a cloudflared user so that the cloudflared service runs separately from our VPN on our Pi. This user will be for cloudflared only and will not have a shell or any login password, to prevent others utilising the account.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Next create the file /etc/default/cloudflared and paste the below into it;

# Commandline args for cloudflared
# systemd reads this file as VAR=value lines; if a variable is assigned twice,
# the later line overrides the earlier one.
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
CLOUDFLARED_OPTS=--port 5054 --upstream https://9.9.9.9/dns-query

Change ownership of the cloudflared files to the cloudflared user

paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /etc/default/cloudflared
paz@raspberrypi:/etc/default $ sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Create the file /etc/systemd/system/cloudflared.service with the below contents to allow automatic startup of the cloudflared service.

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Once the file has been created as per above, enable cloudflared in systemctl

paz@raspberrypi:/etc/default $ sudo systemctl enable cloudflared
Created symlink /etc/systemd/system/multi-user.target.wants/cloudflared.service → /etc/systemd/system/cloudflared.service.
paz@raspberrypi:/etc/default $ sudo systemctl start cloudflared
paz@raspberrypi:/etc/default $ sudo systemctl status cloudflared
● cloudflared.service - cloudflared DNS over HTTPS proxy
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-01-26 09:34:51 GMT; 3s ago

Test that the service is functioning as expected. You should receive a response for bbc.co.uk similar to the below;

paz@raspberrypi:/etc/default $ dig @127.0.0.1 -p 5053 bbc.co.uk

; <<>> DiG 9.11.5-P4-5.1-Raspbian <<>> @127.0.0.1 -p 5053 bbc.co.uk
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12841
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452

; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("………………….")
;; QUESTION SECTION:
;bbc.co.uk. IN A

;; ANSWER SECTION:
bbc.co.uk. 226 IN A 151.101.64.81
bbc.co.uk. 226 IN A 151.101.128.81
bbc.co.uk. 226 IN A 151.101.192.81
bbc.co.uk. 226 IN A 151.101.0.81

;; Query time: 26 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Sun Jan 26 09:36:56 GMT 2020
;; MSG SIZE rcvd: 164

Now that we have configured Cloudflared, it's time to head over to the Pi-hole GUI to remove Google DNS and point to the Cloudflared DNS servers. Log in to your Pi-hole GUI using the username and password provided before. Once you log in you should see something similar to this;

Head down to Settings then choose the DNS tab, un-check Google DNS, add 127.0.0.1#5053 & 127.0.0.1#5054 to the Upstream DNS servers section and finally check ‘Listen on all interfaces’.
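A consistency check for the setup above, added here as an example and not part of the original post: systemd keeps only the last assignment when a variable appears twice in an EnvironmentFile, so the single cloudflared unit starts one listener, and the script lists any Pi-hole upstream that nothing will answer on. The function names and the embedded sample data are constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example: compare /etc/default/cloudflared with the Pi-hole upstreams.

# Constructed sample: the environment file as given on this page.
SAMPLE_ENV='# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
CLOUDFLARED_OPTS=--port 5054 --upstream https://9.9.9.9/dns-query'

# Constructed sample: the upstreams entered in the Pi-hole DNS settings.
PIHOLE_UPSTREAMS='127.0.0.1#5053 127.0.0.1#5054'

# effective_value VAR: read an environment file on stdin and print the value
# systemd will use for VAR, i.e. the last assignment. Comment and blank
# lines are skipped.
effective_value() {
  awk -v var="$1" '
    /^[ \t]*[#;]/ || /^[ \t]*$/ { next }
    index($0, var "=") == 1 { val = substr($0, length(var) + 2) }
    END { if (val != "") print val }'
}

# listen_port: read cloudflared options on stdin and print the argument
# that follows --port.
listen_port() {
  tr -s ' ' '\n' | awk 'prev == "--port" { print; exit } { prev = $0 }'
}

# dead_upstreams ENV_TEXT UPSTREAMS: print every HOST#PORT upstream whose
# port differs from the one port the cloudflared unit will listen on.
dead_upstreams() {
  local port up
  port=$(printf '%s\n' "$1" | effective_value CLOUDFLARED_OPTS | listen_port)
  for up in $2; do
    [ "${up##*#}" = "$port" ] || printf '%s\n' "$up"
  done
}

dead_upstreams "$SAMPLE_ENV" "$PIHOLE_UPSTREAMS"
```

To run it against a live Pi, pass the output of `cat /etc/default/cloudflared` as the first argument instead of the sample. Serving both ports needs a second unit with its own environment file.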

Everything should now be working. You can use your Pi-hole dashboard to see the hosts connected to Pi-hole and how much has been blocked. You can test if you are using DNS-over-HTTPS here!

This brings me to the end of this weekend project. I could have rattled through all the commands myself in an afternoon, but writing these blog posts added extra time. Until next time, happy surfing!

Weekend Project: Part 2 – Configuring a VPN on a Raspberry Pi

Following on from my previous post I will be setting up a VPN on my Raspberry Pi with an aim to better protect my online privacy with a VPN and Pi-hole. Having this setup will allow me to connect various household devices to the Raspberry Pi, which will then pass traffic through the VPN. To allow connections we must make sure the Pi has a static IP address.

To set a static IP address we must add the address we want to the /etc/network/interfaces file on the Pi.

Add the address you wish your Pi to have; in my case I chose 192.168.1.123. For gateway, specify your gateway; normally this is the address you use to access your router.

auto eth0
iface eth0 inet static
address 192.168.1.123
netmask 255.255.255.0
gateway 192.168.1.254

Let's start getting the packages we will need to configure our VPN by running the below;

paz@raspberrypi:~ $ sudo apt install openvpn curl iptables-persistent python-requests -y

Next we will begin configuring the VPN. For my VPN provider I use PrivateVPN. They are well respected, reasonably priced and keep no logs whatsoever.

Download PrivateVPN’s openvpn files to your Raspberry Pi with the below commands;

paz@raspberrypi:/etc/openvpn $ sudo wget https://privatevpn.com/client/install.sh
paz@raspberrypi:/etc/openvpn $ sudo su -
root@raspberrypi:~# cd /etc/openvpn
root@raspberrypi:/etc/openvpn# ./install.sh

Running install.sh prompts you for your username and password and creates a VPN connection that can be used on your Pi.

Edit the file /etc/openvpn/privatvpn.conf with the details of the PrivateVPN exit point you wish to connect to. PrivateVPN provides a script called privatvpn to allow you to start the VPN. After install this file is located at /usr/bin/privatvpn. Add this file location to /etc/rc.local, which will ensure that the VPN starts on startup should your Pi reboot or require a restart.

How Does An Execution Plan Suddenly Change When The Statistics (And Everything Else) Remains The Same ? (In Limbo)

Richard Foote's Oracle Blog

I’ve slipped this post in as there have been a number of discussions recently on how execution plans have changed while nothing else appears to have changed in the database. How can an execution plan suddenly change when no one has made any changes to the database ?
 
By no changes, it means that there have been no alterations to any segments, no new indexes have been added, no changes associated with bind peeking (indeed, there may not even be any bind variables), no parameter changes, no new patches or upgrades, no new outlines or profiles, no new system stats and perhaps most prevalent of all, no changes to any CBO statistics.
 
The DBA hasn’t touched a thing and yet suddenly, for no apparent reason, execution plans suddenly change and (say) an inappropriate index is suddenly used and causes performance degradation.
 
How can this be possible ?
 
There are…


The first full day

Japan à Trois

Stephen: It’s 5am, after our first full day in Japan. We’re left feeling a bit like Scarlett Johansson in Lost in Translation at this point, with our body clocks thrown completely out of whack. Sleeping until 2.30pm was probably not our wisest ideas – but the 18 hour journey was pretty gruelling – even for me, who is fairly well accustomed to long haul by now.

We are staying in the famous Shibuya area, and stepping out of the train station to the mass of excited chatter, neon lights, and noise after being on a plane for so long was both a welcome, and overwhelming experience. Despite some serious exhaustion, we wandered out braving the rain and humidity to marvel and take pictures of everything we saw. Now the penchant that Asian tourists seem to have for taking photos of every single minute detail when they travel abroad doesn’t seem…


There’s Been a Murder!

In a bid to do something creative I made this T-shirt. If you fancy it, you can pick it up from here for £12 + shipping. The T-shirt will be available for 21 days and will only be shipped if I meet 10 orders.

 

 

Cheers Paz.

Recording an album

Closet Organ

This past week, we headed up into the beautiful Scottish hills to spend three days (four nights) recording our first (and probably last) ever album. We had planned to put down 9 tracks, but ended up doing 12 – a task which has rightfully been described as ‘fucking mental’.

We did it though; fighting through the actual literal blood, sweat, and booze induced tears to record the various guitars, drums, bass, vocals, and random noises that will make up the release – even managing to throw in our first gig as a full band, supporting Living Body at Glasgow’s Broadcast.


This picture was not staged.

Everything started out well enough, with excitement at the prospect of having a dedicated, proper studio space to spend time recording in for a few solid days.


We celebrated with our traditional Goldschlager.


And even the scenery was beautiful.


Though the less said about the…
