
Set up Cloudflared DoH for Pi-hole

I prefer using DNS over HTTPS (DoH) to improve privacy and security. Mozilla Firefox was the first web browser to implement DoH, and many other browsers are following. But how can I use DoH for non-browser DNS requests, or enable DoH for every device that connects to my home network?

Pi-hole has documentation on configuring DNS-over-HTTPS. To automate installing and configuring Cloudflared on a Raspberry Pi running Raspbian, I created a bash script. I also added steps to lock down the cloudflared account.

Here is how to set up Cloudflared DoH using the script.
  • Make sure the Pi-hole is set up on your Raspberry Pi. See my post “Set up Pi-hole on a Raspberry Pi”.
  • Download the script from my Github on your Raspberry Pi
    • curl -O https://raw.githubusercontent.com/sfitpro/pi-hole/master/setup.cloudflared.doh.for.pi-hole.sh
  • Grant the execution permission to the script
    • chmod +x setup.cloudflared.doh.for.pi-hole.sh
  • Run the script
    • sudo ./setup.cloudflared.doh.for.pi-hole.sh
  • Configure Pi-hole to use the custom upstream DNS server 127.0.0.1#5053
If everything is set up correctly, you will notice that the DNS queries on Pi-hole are answered by localhost.
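The lock-down the script performs can be expressed as a systemd unit. The following is an added example, not the author's setup script: it renders a hardened unit for cloudflared's proxy-dns listener on 127.0.0.1:5053, creates a non-login service account for it, and checks that the proxy answers before Pi-hole is pointed at it. The install path /usr/local/bin/cloudflared and the account name cloudflared are assumptions; the proxy-dns flags are the ones Pi-hole's DoH guide uses.

```shell
#!/usr/bin/env bash
# Added example, not the author's setup script: render a hardened systemd unit
# for cloudflared's DoH proxy on 127.0.0.1:5053 and install it under a
# dedicated non-login account. Install path and account name are assumptions.
set -euo pipefail
CF_BIN="/usr/local/bin/cloudflared"   # assumed install location
CF_USER="cloudflared"                 # locked-down service account
CF_PORT="5053"                        # Pi-hole custom upstream 127.0.0.1#5053
# The proxy binds to loopback only, so Pi-hole on the same box can reach it
# while nothing else on the LAN can; the account has no shell, the capability
# set is emptied (5053 is unprivileged) and /usr, /boot, /etc are read-only.
render_cloudflared_unit() {
  cat <<EOF
[Unit]
Description=cloudflared DNS-over-HTTPS proxy for Pi-hole
After=network-online.target
Wants=network-online.target

[Service]
Type=simple
User=${CF_USER}
Group=${CF_USER}
ExecStart=${CF_BIN} proxy-dns --address 127.0.0.1 --port ${CF_PORT} \\
  --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query
Restart=on-failure
NoNewPrivileges=true
CapabilityBoundingSet=
ProtectSystem=full
ProtectHome=true
PrivateTmp=true

[Install]
WantedBy=multi-user.target
EOF
}

# Create the account with no home and no login shell, then enable the unit.
install_cloudflared_service() {
  id "$CF_USER" >/dev/null 2>&1 || useradd -r -M -s /usr/sbin/nologin "$CF_USER"
  render_cloudflared_unit > /etc/systemd/system/cloudflared.service
  systemctl daemon-reload
  systemctl enable --now cloudflared
}

# Confirm the proxy answers on loopback before pointing Pi-hole at it.
verify_doh() {
  dig +short @127.0.0.1 -p "$CF_PORT" cloudflare.com A | grep -q .
}
if [ "${1:-}" = "install" ]; then install_cloudflared_service && verify_doh; fi
```

Run it as root with the single argument `install`; once `verify_doh` succeeds, set 127.0.0.1#5053 as the custom upstream in the Pi-hole admin page.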


Select Upstream DNS server for Pi-hole

Once Pi-hole is up and running, the first thing I want to configure is its upstream DNS servers. The upstream DNS servers can provide additional filters (e.g. adult-related sites, social networking sites, etc.) that are not included in the default Pi-hole installation.
I have been using OpenDNS as my home router's upstream DNS servers for a long time. I signed up for an OpenDNS account so I can customize the kind of content to block or the sites to whitelist. It works great.
On the Pi-hole admin page, under Settings -> DNS, there is a list of built-in upstream DNS servers, e.g. Google, OpenDNS, Quad9, Cloudflare, etc.

  • OpenDNS: OpenDNS was my original first choice since I have been using its filters for a long time, as I mentioned above. My only concern with OpenDNS is that Cisco acquired OpenDNS in 2015, and I am not sure whether this free service will continue to be maintained. But I didn't have other good options at the time.
  • Google DNS: Google DNS has a relatively fast response time. It doesn't provide content filtering. Google's ad tracking business makes me stay away from its products when I can, so I stopped using Google DNS.
  • Cloudflare DNS: Cloudflare DNS has a fast response time. It doesn't provide content filtering. After learning that Mozilla includes Cloudflare DoH in newer versions of Firefox, I trust Cloudflare's privacy practices. Combined with Pi-hole's other filtering features, I switched to Cloudflare DNS as my upstream DNS servers until I learned about CleanBrowsing DNS.
  • CleanBrowsing DNS: CleanBrowsing DNS's free filters (Security, Adult, and Family) are similar to OpenDNS, except the free plan doesn't offer custom filters (e.g. gaming, gambling, etc.). However, its free Adult or Family filter can force the search engines (Google and Bing) into safe mode, which I don't see in other DNS filters. So CleanBrowsing DNS's Adult filter is my choice for the Pi-hole upstream DNS on the home network. (PS. The Family filter blocks the Reddit site. I agree some content on Reddit is not appropriate, but it also has many good technical discussions.)
CleanBrowsing DNS setup on Pi-hole
  • http://<pihole.ip.address>/admin
  • Settings, DNS, Upstream DNS Servers
  • Custom 1 (IPv4): 185.228.168.10
  • Custom 2 (IPv4): 185.228.169.11

Set up Pi-hole on a Raspberry Pi

My first and main use for a Raspberry Pi is to set up Pi-hole to block ads for all devices on my home network.

Installation

The Pi-hole installation is simple.

curl -sSL https://install.pi-hole.net | bash

Basic operation commands

  • check status
    • sudo pihole status
  • check version
    • sudo pihole -v
  • update Pi-hole
    • sudo pihole -up
  • change Pi-hole admin password
    • sudo pihole -a -p
  • update Pi-hole filter list (gravity.list)
    • sudo pihole -g
  • restart Pi-hole
    • sudo pihole restartdns
  • list domains in whitelist
    • sudo pihole -w -l
  • add a domain to whitelist
    • sudo pihole -w <domain>
  • remove a domain from whitelist
    • sudo pihole -w -d <domain>
  • list domains in blacklist
    • sudo pihole -b -l

Once Pi-hole is up and running, we can change the DNS setting of the router's DHCP to the Pi-hole IP address, or manually set it on the devices that have a static IP address.

Pi-hole comes with a default ad block list. I will discuss the selection of upstream DNS servers and adding additional filters in the next post.

Set up a Raspberry Pi

I’m going to write a series of posts about Raspberry Pi and how I use it to secure and optimize my home network. This first post covers the basic setup procedure. Please refer to the official setup guide if you need step-by-step instructions.

Hardware

  • Raspberry Pi 3 Model B. At the time of writing, the latest board is the Raspberry Pi 4 Model B, which is more powerful. But any version of the Raspberry Pi board should work.
  • MicroSD card (minimum 4GB)
  • Micro USB power supply (2.5A). For Raspberry Pi 4, you need a USB-C power supply
  • USB keyboard and mouse
  • Full-size HDMI cable to connect the Raspberry Pi to a monitor or TV during the initial setup. For Raspberry Pi 4, you need a Micro HDMI cable
  • Raspberry Pi case

Operating system

  • Raspbian - the official Raspberry Pi operating system. I want to keep the OS footprint small and I don’t plan to connect a monitor other than for the initial setup, so I select the Raspbian Lite image.

Basic procedure

  1. Download Raspbian Lite image
  2. Download balenaEtcher
  3. Launch balenaEtcher and write the Raspbian image to the SD card
  4. Insert the SD card, connect the network cable, the keyboard & mouse, monitor and power supply to the board
  5. Power on and walk through the setup
  6. At the console prompt, log in with the default credentials: pi / raspberry
  7. passwd
    • change the user pi’s password 
  8. sudo raspi-config
    • configure time zone, locale and keyboard layout
    • enable SSH under Interfacing options
  9. sudo nano /etc/dhcpcd.conf
    • configure a static IP address on eth0 
    • interface eth0
      static ip_address=x.x.x.x/24
      static routers=x.x.x.x
      static domain_name_servers=x.x.x.x
  10. sudo nano /etc/sysctl.conf
    • disable IPv6 by adding the line “net.ipv6.conf.all.disable_ipv6 = 1”
    • sudo sysctl -p
  11. sudo apt update && sudo apt upgrade -y
  12. sudo reboot
  13. after reboot, verify SSH login

Now the Raspberry Pi is fully functional. I’m going to use it to set up Pi-hole to block ads, DNS-over-HTTPS (DoH) for privacy, CUPS to add AirPrint to a USB printer, and more. Stay tuned.

View and Modify Delete On Termination Setting on AWS EBS Volume

When launching an AWS EC2 instance, you can specify whether an EBS volume will be deleted when the instance is terminated. The setting is “Delete On Termination” and it’s on by default.

Once the instance is launched, viewing or modifying this “Delete On Termination” setting is not obvious. This post documents how I do it.

View “Delete On Termination” Setting on AWS EBS Volume

There are two ways:
  • Use EC2 management console
    • Click on Instances and select the instance
    • Under the Description tab, scroll down to “Block devices”
    • Click on the device name to show the “Delete on termination” setting on the pop-up window
  • Use AWS CLI
    • Get the instance ID
      • aws ec2 describe-instances --query 'Reservations[*].Instances[*].InstanceId' --output text
    • Query the setting
      • aws ec2 describe-instances --filter "Name=instance-id,Values=i-0d0a326ab6691cf24" --query 'Reservations[*].Instances[*].BlockDeviceMappings[*].Ebs.DeleteOnTermination'

Modify “Delete On Termination” Setting on AWS EBS Volume

I cannot find a way to modify this setting in the EC2 management console. It looks like the AWS CLI is the only way. Here is the command.

aws ec2 modify-instance-attribute --instance-id i-0d0a326ab6691cf24 --block-device-mappings file://./change.DeleteOnTermination.json

The JSON file format is below. Update the DeviceName to match the EBS volume that you want to modify.
[
  {
    "DeviceName": "/dev/xvda",
    "Ebs": {
      "DeleteOnTermination": false
    }
  }
]
After executing the CLI, refresh the management console and click on the volume name under the instance description to verify the setting has been modified.
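The view-then-modify-then-verify procedure above can be wrapped in a small script. This is an added example, not from the original post: it generates the mapping document from arguments, reads the flag for one device with a JMESPath filter instead of listing every volume, and refuses anything other than the literal true/false. The script name ebs-dot.sh is a placeholder; the instance id and device are the ones used above.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: read, change and re-check the
# DeleteOnTermination flag of one EBS volume through the AWS CLI. The mapping
# document is generated from arguments instead of being edited by hand.
set -euo pipefail

# Emit the block-device-mapping document modify-instance-attribute expects.
# Only the literal strings true/false are accepted, so a typo ("yes", "False")
# fails here instead of being rejected or misread later by the API.
render_bdm_json() {
  local device="$1" flag="$2"
  case "$flag" in
    true|false) ;;
    *) echo "flag must be true or false, got: $flag" >&2; return 1 ;;
  esac
  printf '[{"DeviceName": "%s", "Ebs": {"DeleteOnTermination": %s}}]\n' "$device" "$flag"
}

# Read the flag for a single device; the JMESPath filter selects the mapping by
# DeviceName. Text output prints booleans as True/False, so lower-case them.
get_delete_on_termination() {
  local instance="$1" device="$2"
  aws ec2 describe-instances --instance-ids "$instance" \
    --query "Reservations[].Instances[].BlockDeviceMappings[?DeviceName=='${device}'].Ebs.DeleteOnTermination" \
    --output text | tr '[:upper:]' '[:lower:]'
}

# Apply the change, then verify by reading the flag back rather than trusting
# the silent success of modify-instance-attribute.
set_delete_on_termination() {
  local instance="$1" device="$2" flag="$3" tmp now
  tmp="$(mktemp)"
  render_bdm_json "$device" "$flag" > "$tmp"
  aws ec2 modify-instance-attribute --instance-id "$instance" \
    --block-device-mappings "file://${tmp}"
  rm -f "$tmp"
  now="$(get_delete_on_termination "$instance" "$device")"
  [ "$now" = "$flag" ] || { echo "expected $flag but console reports '$now'" >&2; return 1; }
  echo "$device on $instance: DeleteOnTermination=$now"
}

# Usage: ./ebs-dot.sh i-0d0a326ab6691cf24 /dev/xvda false
if [ "$#" -eq 3 ]; then set_delete_on_termination "$@"; fi
```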


Using growpart to extend a Linux non-LVM partition

This post is about using growpart to extend a non-LVM Linux partition. For extending an LVM volume, see my other posts - Extend a Linux LVM Volume on a VM part 1, part 2, and part 3.

When increasing the size of a Linux partition, it normally requires the following steps:

  1. Increase the size of the physical or virtual hard drive
  2. Extend the partition into the added drive space
  3. Resize the file system to the extended partition

Among these steps, step #2 usually sounds risky. It requires deleting the existing partition and recreating it with the new size. Most people are not comfortable doing that, and they end up adding a new, bigger drive, creating a new, bigger partition, formatting the new partition, and copying the files from the old partition to the new one. This is not only time consuming, but also requires more physical or virtual disk space.

Recently I learned about growpart, which makes step #2 much simpler and error free. Growpart may not be installed by default, but it should be available in your distro's repositories. The following are the commands to increase a Linux partition (/dev/sdb1) on CentOS.

  • sudo yum install cloud-utils-growpart
  • increase the disk size (e.g. /dev/sdb) and reboot
  • sudo growpart /dev/sdb 1 ### there is a space between sdb and 1; 1 is the partition number
  • sudo resize2fs /dev/sdb1

See growpart man page for more info.
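The four commands above as one script, added here as an example and not from the original post. It goes beyond the post's single case in two ways a practitioner will hit: it derives the partition device name for both sdX and nvme-style disks, and it picks the filesystem resizer from the filesystem actually on the partition, since resize2fs only handles ext2/3/4 and an XFS filesystem (the CentOS 7 default) must be grown with xfs_growfs on its mount point. It assumes it runs as root after the disk has been enlarged; the script name grow.sh is a placeholder.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: grow a non-LVM partition in place
# with growpart, dry-running first and choosing the filesystem resizer from the
# filesystem actually on the partition. Assumes root and an already-enlarged
# disk; disk and partition number are the arguments.
set -euo pipefail

# Partition naming differs: /dev/sdb + 1 -> /dev/sdb1, but /dev/nvme0n1 + 1 ->
# /dev/nvme0n1p1 (disks whose name ends in a digit insert a "p").
part_dev() {
  local disk="$1" partnum="$2"
  case "$disk" in
    *[0-9]) echo "${disk}p${partnum}" ;;
    *)      echo "${disk}${partnum}" ;;
  esac
}

# resize2fs only grows ext2/3/4. XFS (the CentOS 7 default) needs xfs_growfs,
# which takes the mount point rather than the block device.
fs_grow_cmd() {
  local fstype="$1" part="$2" mountpoint="$3"
  case "$fstype" in
    ext2|ext3|ext4) echo "resize2fs $part" ;;
    xfs) [ -n "$mountpoint" ] || { echo "xfs must be mounted to grow" >&2; return 1; }
         echo "xfs_growfs $mountpoint" ;;
    *) echo "unsupported filesystem: '$fstype'" >&2; return 1 ;;
  esac
}

grow_partition() {
  local disk="$1" partnum="$2" part fstype mountpoint cmd
  part="$(part_dev "$disk" "$partnum")"
  # Ask the SCSI layer to re-read the disk size so no reboot is needed after
  # the hypervisor enlarges the drive (path varies; harmless if absent).
  echo 1 > "/sys/class/block/$(basename "$disk")/device/rescan" 2>/dev/null || true
  # Dry run first: exit 0 means it can grow, 1 means no change, 2 means error.
  growpart --dry-run "$disk" "$partnum"
  growpart "$disk" "$partnum"
  fstype="$(lsblk -no FSTYPE "$part")"
  mountpoint="$(lsblk -no MOUNTPOINT "$part")"
  cmd="$(fs_grow_cmd "$fstype" "$part" "$mountpoint")"
  $cmd   # word-split on purpose: "resize2fs /dev/sdb1" or "xfs_growfs /mnt"
  df -h "$part"
}

# Usage: ./grow.sh /dev/sdb 1
if [ "$#" -eq 2 ]; then grow_partition "$@"; fi
```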

Installing vSphere Client fails with the error “VMInstallHcmon - Failed to install hcmon driver”

When installing the latest vSphere Client 6.0 on my Windows 10 computer, I got the following error: “VMInstallHcmon – Failed to install hcmon driver”

Troubleshooting

  • Try KB2006486. But I don’t see Non-Plug and Play Drivers or VMware hcmon on my Windows 10 computer
  • Try renaming the C:\Windows\System32\drivers\hcmon.sys file. Still get the same error

Solution

  • On my laptop, vSphere Client 5.5 and 6.0 (older build) and their respective Update Manager plug-ins are installed
  • Remove these older clients and plug-ins
  • The vSphere Client 6.0 installation completes successfully

Use WinSCP to Transfer Files in vCSA 6.7

This is a quick update on my previous post “Use WinSCP to Transfer Files in vCSA 6.5”. When I try the same SFTP server setting in vCSA 6.7...