Smoothwall Firewall project

Thursday, 23 April 2020

Switching on DNS over HTTPS on various browsers



A new feature arriving in all modern web browsers is the ability to turn on DNS over HTTPS, which in my opinion is a very good idea - it keeps ISP snoopers off your DNS traffic, so they have no idea which sites you are looking up or searching for. Not all browsers have this facility at the moment - but I will cover those that do.

This by association is a recommendation for those that do.

Mozilla Firefox:

To turn this feature on in Firefox, go to Preferences/Network/Settings and then just select DNS over HTTPS as shown below.


Google Chrome Chromium:

To turn this feature on in Chrome or Chromium, open a new tab, type chrome://flags, then type dns in the search bar and press Enter. The DNS over HTTPS flag will appear; just set it to Enabled.

Opera:

As this browser is based on Chromium you have to type opera://flags and then follow the above.

Microsoft Edge:

Again, this browser is based on Chromium, only this time just type edge://flags and then follow the above.

Apple Safari and Microsoft Internet Explorer:

I'm afraid at the time of writing the above two don't support it. Safari may well in the future, but I very much doubt Internet Explorer ever will.

Wednesday, 15 April 2020

Switching to a small footprint Intel NUC computer to do everything - unexpectedly surprised at performance


I don't know about you, but I have a variety of computer systems in my house for a whole range of uses. Everything from a Mac mini to an Amazon Firestick, all doing their job for the task required. However, the Mac minis I have serve as media servers and players but are getting a bit long in the tooth, so I decided to upgrade the media server with an Intel NUC.

I decided to spec it as fully as possible and gave it a 6-core processor, 32 GB RAM, and a 1 TB M.2 SSD. This should make it future proof for a good few years, that was the thinking. It came in at around £700, which was way less than a new Mac mini.

Its main purpose in life was to support 4 USB 3.1 Gen2 external hard drive boxes (Akitio) for all my media and backups. If it was capable of anything else that would be a bonus, but not expected. It is attached to a 32" Samsung curved monitor with 144Hz refresh at 2.5+K - crystal clear and super responsive.

I installed Xubuntu as the base operating system, though I only use openbox window manager on it to reduce the overhead of the host operating system even further. That has been a great learning curve to show how little GUI you actually need just to get stuff done.

However, the real surprise when I spun everything up was just how fast this little box is. The memory wasn't being used by the media software (Plex), so I thought let's try running a few Docker containers on here as well to do other network jobs for me. No issue at all. I currently have the following running on the box 24/7:
  1. Pi-hole DNS service
  2. Portainer container manager service
  3. Jenkins job management service
  4. OpenVPN service
So, I thought, I wonder how it would perform if I stuck a few virtual machines on there as well whilst it's doing everything else.

No problem at all, I'm currently running a beta version of Ubuntu and a separate Arch Linux using KVM and QEMU, and it still is not scratching the sides of what this little box can do. It's currently using 8GB of RAM and the load on the server is never above 3, even while everything is running and I'm streaming HD content to other parts of the house.

Considering I used to have tower machines cluttering up my workspace to do this sort of thing, I now have one device to do it all.

Intel have just brought out a new edition of these, with even faster processors and RAM capacity, so I will be getting one of those to work alongside this one when my other Mac Mini dies.

The Mac minis served me well, but I have now found a better device, and with all the cost savings of not buying Apple kit again, I can literally have three for the price of one.

Monday, 13 April 2020

Building a small footprint Ubuntu desktop or server for old, single-board or virtual machines.


So the lockdown offers time to try out things I have put on the back burner for a while. This little project was to build, as easily as possible, a diminutive Linux install that can be used for many use cases, like single-board computers, virtual machines and the older hardware that I use for various tasks. It also offers complete control over what you do and don't install.

I have tried all sorts of Linux distributions, but I think I have found the ideal solution with this one.

Starting with the Ubuntu mini ISO makes the starting point very easy. You can install as much or as little as you like as you go through the installation process. Burn the ISO file onto a USB drive or use it directly for your virtual machines. I basically didn't install anything that I didn't need to - especially towards the end when it asks about GUI desktops - select nothing.

One thing to look out for when partitioning the disk, whether virtual, SD or SSD: don't set up a swap file - it allocates 500MB on a device with 4GB of RAM - which is pretty common these days.

Once all is installed you are presented with a standard command line when you reboot - which can be enough for a lot of people if you are going to run this as a server for some purpose. That takes up around 1.5GB disk space. This could be pruned further if needed, but even with a 16GB SD card, that's not too shabby. Especially compared to a full Gnome Ubuntu install which will eat around 6.5GB.

Now to get a simple working desktop on top of that I recommend using Openbox - the following command installs all you need to get going, and gives you the desktop above - minus the wallpapers - more of that in a mo.

sudo apt install openbox obconf obmenu vim xterm lightdm lightdm-gtk-greeter tint2 nitrogen ncdu xfce4-terminal arandr
The above is one command on one line.

Reboot your machine and you will be greeted with a login screen - log in with the user you set up and you will be presented with a blank screen and a cursor - that is Openbox's starting place - immediately right-click the mouse and select the terminal.

Then carry out the following:
  1. Launch tint2 to give you a panel
  2. Launch arandr to set your video resolution - and save it to a file name to be used later.
  3. Copy any wallpaper from any machine or website using ssh to your user's home directory
  4. Launch nitrogen to set that wallpaper you just saved. You can install more later.
  5. Make these changes permanent.
To make option 5 happen:

Create a folder in /home/your username/.config called openbox.
In that directory create a file called autostart.

Add these lines to that file

nitrogen --restore &
tint2 &
/home/your username/.screenlayout/name-you-saved-it-as &

Once you have done this - you are good to go. Logout and back in, and you will have similar to the above image.

Now with the Ubuntu eco-system, you can install anything you like. This can be a Bastion, NFS, Samba, DNS server - whatever.

If you want to make it into a full-function desktop, add Firefox, VLC, Spotify, etc, etc.

However, the base from which you now start is 2.4GB of disk space used, which is the key to this.

You now have complete control over whatever you want to install and make this device into something you have designed and like.

It also minimises your attack surface - as you have a lot less installed, less to update and less to keep an eye on. This is a massive plus for the whole process.

Updated: 14/4/2020



Saturday, 28 March 2020

Getting DNS working with an Ubuntu 20.04 virtual machine installed on an Ubuntu 19.10 host

While taking a look at the next LTS release of Ubuntu - I found after I had spun up the new image in KVM on an Ubuntu 19.10 host that the DNS would not resolve - which scuppered me taking a really good look at it.

Now, DNS resolution has been handled by systemd for a while, and on the host machine this has not caused me an issue. I have to say though, it appears to me that using systemd to resolve DNS is not only overly complicated but a waste of everyone's time - but I'm sure someone must appreciate the value of it.

I tested that the network was working correctly and the virtual machine could access the DNS resolver if it had been configured correctly with the following command:

dig @192.168.1.1 www.ubuntu.com

This worked, so I knew that the virtual machine would work if the DNS resolver was configured correctly.

So, how to fix the issue. I tried several methods - each trying not to disable the systemd service - but all met with failure in my testing, so in the end I decided to just turn it off and use the tried and trusted /etc/resolv.conf.

The commands to achieve this are:

sudo systemctl stop systemd-resolved
sudo systemctl disable systemd-resolved

Then edit /etc/NetworkManager/NetworkManager.conf so that the [main] section contains:

[main]
dns=default

Then remove the symlink that systemd-resolved left in /etc:

sudo rm /etc/resolv.conf

Now create a new /etc/resolv.conf containing the address of the nameserver you wish to use, i.e.

nameserver 192.168.1.1 < or whatever yours is >

Then you need to restart NetworkManager:

sudo systemctl restart NetworkManager

This worked perfectly and the virtual machine is now happily resolving DNS correctly.

None of the above is destructive and can be reversed if systemd could be made to work, but as this was only a test machine, I decided I had wasted enough time on it.

NB. While working on some more virtual machines I came across this blog post, which offers a more elegant solution to this DNS problem for Ubuntu/Debian based distros. It allows you to keep DNS resolution in systemd - so I can't have been the only person having issues with it.

Solve local DNS issues in Ubuntu and Debian
 



Wednesday, 13 November 2019

How to use pi-hole with a Docker container on your Mac Laptop to stop unwanted internet adverts.

If you are fed up with pointless internet advertising on sites you visit, here is a great additional service you can install on your local machine - or, more importantly, on your network to stop it dead. I shall not go through what this product is, as here is a link - Pi-Hole.

Basically, you need to install the Docker application on your laptop or desktop so that running up the pi-hole Docker container is straightforward. You can get Docker for Mac here. For the network installation, a Linux server virtual machine or Docker container on a machine that is continuously running would make sense.

Then you need to clone the pi-hole Docker git repository to your local machine:

git clone https://github.com/pi-hole/docker-pi-hole.git

Change into that directory and run docker_run.sh 

Once the script has run - it will spit out an admin password that you will need to remember to log into the web-based admin screen.

You can look at that by pointing a browser tab at http://127.0.0.1

Once logged in you will see something like this.


The last part of getting this working on your laptop is to point the DNS resolution of OS X at localhost - as pi-hole is now listening on port 53. Again, for a network-based installation you would point this at the IP address of your server running the service. You can then also set that IP address in your router's DHCP settings so any machine on your LAN gets the same protection, as they will all push their DNS traffic through the new DNS server.



You can then run a test from the command line to make sure all your DNS requests are going via your new DNS service like so:

dig www.ubuntu.com

;; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 13 11:16:40 GMT 2019
;; MSG SIZE  rcvd: 139


You will notice the response comes from your machine's localhost - so all is working. In the settings of pi-hole you can specify several upstream DNS resolvers, which also keeps your DNS queries out of the clutches of Google. There are many options - but I tend to use OpenDNS and 1.1.1.1.
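The dig check above is worth scripting so it can be repeated after every network change (a VPN client or a new Wi-Fi network can silently replace your resolver). The script below is an added example, not from the original post: it parses the ";; SERVER:" trailer that dig prints and compares the answering address with the resolver you expect. The sample dig output embedded in it is constructed from the lines shown above, and the expected address 127.0.0.1 assumes the laptop install; for a network install, pass your Pi-hole server's LAN address instead.

```shell
#!/bin/sh
# Added example (not from the original post): confirm that a dig answer was
# served by the resolver we expect, i.e. that nothing is bypassing Pi-hole.

# Constructed sample of dig's trailer section, matching the post's output.
SAMPLE_DIG_OUTPUT=';; Query time: 23 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 13 11:16:40 GMT 2019
;; MSG SIZE  rcvd: 139'

# dig_server_ip: print the address from the ";; SERVER:" line read on stdin.
# Works for both the "ip#port(ip)" and the newer "ip#port(name)" forms,
# and for IPv6 addresses such as ::1#53(::1).
dig_server_ip() {
    sed -n 's/^;; SERVER: \([^#]*\)#.*/\1/p' | head -n 1
}

# check_resolver EXPECTED: read dig output on stdin and return
#   0 if the answering server is EXPECTED,
#   1 if a different server answered (DNS is bypassing Pi-hole),
#   2 if no SERVER line was found (query timed out or output was not dig's).
check_resolver() {
    expected="$1"
    actual=$(dig_server_ip)
    if [ -z "$actual" ]; then
        echo "no SERVER line found - did dig time out?" >&2
        return 2
    fi
    if [ "$actual" = "$expected" ]; then
        echo "OK: answered by $actual"
        return 0
    fi
    echo "WARNING: answered by $actual, expected $expected" >&2
    return 1
}

# Live usage (needs dig installed):
#   dig www.ubuntu.com | check_resolver 127.0.0.1
# Offline demonstration on the constructed sample:
printf '%s\n' "$SAMPLE_DIG_OUTPUT" | check_resolver 127.0.0.1
```

The exit code is what matters when this runs unattended: wire `check_resolver` into a cron job or a post-connect hook and alert on anything other than 0.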

Enjoy. 

 

Saturday, 9 March 2019

Staying safe on the Web - what can I do to make my browsing more secure and leach less data?


Friends and family often ask me about technologies they can use to make their lives just that little bit safer on the Web. So to save me having to answer the same questions repeatedly, I thought I would write a blog post to highlight the tools, apps and extensions I use to make it better than just connecting to the web and hoping for the best.
  • Use a VPN whenever and wherever you are. There are so many good and inexpensive examples to use these days - there is really no excuse not to. I hear good things about this one: ExpressVPN. I use my own - but this should be a good one. This will work with your PC, iPad and mobile phone. So you will be covered whenever you decide to get some free internet in a cafe you have never been to before :-)
  • Use Mozilla Firefox, Safari or Opera as your main browser. I know Google Chrome offers many features, but can you honestly trust Google to not be constantly looking to take your data and use it? I certainly don't trust Chrome anymore.
  • Install a good set of extensions to stop trackers and unwanted information leaching.
  • Don't use Google as your default search engine - switch to using DuckDuckGo - it is an option on all modern browsers - just change the default. You will be amazed at how all the targeted ads suddenly stop appearing everywhere - because you will have stopped Google building a complete profile of you on the web.
  • Never use Facebook or Twitter to log into another site - always select to create a new account with your email and a strong password.
  • Use a password manager to ensure strong passwords on all sites you use. Three good examples are Bitwarden, LastPass or 1Password.
  • Where sites allow it, use 2FA - Two-Factor Authentication - on all sites. Not all sites do - but check, and where you can, implement it. There are many apps you can use: FreeOTP, YubiKey Authenticator, Protectimus Smart OTP, LastPass Authenticator.
  • Turn on Firefox's "DNS over HTTPS" to keep your ISP and other snoopers out of your DNS lookups - it's to be found in Preferences/General/Network Settings.
  • If you must use Facebook - I recommend you don't - then install an extension that puts it in a sandbox container - Firefox FB Container. This will reduce the amount of data you will leak from that app.
  • Also for Facebook - look at this article and turn it off - How to delete Facebook's off-page tracking of your web surfing.
  • Always look to use an anti-virus product - there are many to choose from - I use AVG.
  • Make regular backups - so if your machine does get hijacked you have always got access to your valuable files. This can be to a secure cloud storage area as well as local USB-type storage.
  • Glasswire is a great tool for keeping an eye on your Windows and Android machines' activity and is worth installing https://www.glasswire.com/
  • Useful YouTube video on securing Google Chrome if you must use it https://youtu.be/9lIMSzrjUrU

There are other add-ons to stop JavaScript - which can stop a lot of nasty attacks - however, it can make a huge difference to the way the web looks and feels, and a lot of sites depend on it. So unless you know what you are doing, I would steer clear of that to start.

I have also just started using pi-hole, a network-wide tool to stop unwanted advertising in its tracks. I will be writing an article shortly on how to set this up on your local laptop or network server.

Updated: 15/7/2019 
Updated: 13/11/2019
Updated: 9/02/2020
Updated: 1/3/2020
Updated: 16/6/2020

Updated: 11/09/2020

Useful reading on the Topic :

Saturday, 4 November 2017

DNS resolution in Docker containers with Ubuntu Artful on AWS

This post is a solution to a problem I discovered - so I hope others will find it useful.
Spinning up AWS Ubuntu Zesty - 17.04 - images with Docker installed was straightforward with Ansible and Terraform, but then arrived Ubuntu Artful - 17.10, and the containers spun up could not resolve DNS, regardless of which version of Docker I installed.
After a lot of testing, it appeared to me that the host computer was passing through the wrong DNS server entry into resolv.conf within the container - so it would never work.
The Solution:
With systemd and Docker, the preferred way to change a daemon setting is to create a new file in /etc/docker called daemon.json.
In that file add the following to get it to use the AWS VPC default DNS resolver - 10.0.0.2 - like so:
{
   "dns": ["10.0.0.2"]
}
Restart the Docker daemon, and the containers can now resolve DNS. There may be other ways to resolve this issue, but this works perfectly, and uses methods preferred by the Docker community.
I hope this helps others who may run into this problem.
Other settings that can be made in that file can be found here. Dockerd settings documentation
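The Artful containers above and the Ubuntu 20.04 guest in the later post both came down to the contents of /etc/resolv.conf: a guest running systemd-resolved lists the stub address 127.0.0.53, which only answers on the machine that runs the stub, and a loopback-only entry handed to a container is the usual reason a container cannot resolve while its host can. The script below is an added example, not from either original post: it parses a resolv.conf and reports whether at least one routable nameserver is present, so you can tell a stub-only file from a usable one before and after applying either fix. The three sample files are constructed; the addresses 192.168.1.1 and 10.0.0.2 are the ones used in the posts above.

```shell
#!/bin/sh
# Added example, not from the original posts: classify the nameservers in a
# resolv.conf so a loopback-only stub is spotted before DNS mysteriously fails.

# resolv_nameservers FILE: print the nameserver addresses, one per line,
# ignoring comments and the other keywords (search, options, ...).
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# classify_nameserver ADDR: print one of
#   systemd-stub  127.0.0.53, the listener systemd-resolved installs
#   loopback      any other 127.x address, or ::1
#   routable      anything else (a real resolver on the LAN or VPC)
classify_nameserver() {
    case "$1" in
        127.0.0.53) echo "systemd-stub" ;;
        127.*|::1)  echo "loopback" ;;
        *)          echo "routable" ;;
    esac
}

# resolv_status FILE: print "usable" if at least one routable nameserver is
# listed, "stub-only" if every entry is loopback, "empty" if there are none.
resolv_status() {
    routable=0
    count=0
    for ns in $(resolv_nameservers "$1"); do
        count=$((count + 1))
        if [ "$(classify_nameserver "$ns")" = "routable" ]; then
            routable=1
        fi
    done
    if [ "$count" -eq 0 ]; then
        echo "empty"
    elif [ "$routable" -eq 1 ]; then
        echo "usable"
    else
        echo "stub-only"
    fi
}

# --- constructed sample files (removed again on exit) ---
TMPDIR_EX=$(mktemp -d)
trap 'rm -rf "$TMPDIR_EX"' EXIT
# What an Ubuntu 20.04 guest shows while systemd-resolved owns /etc/resolv.conf
printf 'nameserver 127.0.0.53\noptions edns0 trust-ad\nsearch lan\n' > "$TMPDIR_EX/stub.conf"
# The static file written after disabling systemd-resolved (20.04 post)
printf '# static resolver\nnameserver 192.168.1.1\n' > "$TMPDIR_EX/static.conf"
# What a container sees once daemon.json sets "dns" to the VPC resolver (Artful post)
printf 'nameserver 10.0.0.2\nsearch ec2.internal\n' > "$TMPDIR_EX/container.conf"

for f in stub static container; do
    echo "$f.conf: $(resolv_status "$TMPDIR_EX/$f.conf")"
done
# Live usage on a host or inside a container:
#   resolv_status /etc/resolv.conf
```

Run `resolv_status /etc/resolv.conf` inside the container (for example via `docker exec`) rather than on the host: the file the container sees is the one Docker generated from the daemon's "dns" setting, and that is the one that has to be "usable".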