Posts tagged ‘DNS’

Adventures in DNS

I just posted about my new PA-220 firewall and mentioned URL filtering.  I have a number of categories blocked, including web-advertising, adult content, malware, etc.  But you can always make something better, right?

The PA-220 has a feature to enforce safe search with various search engines.  Unfortunately, it seems to not work very well on my iPhone, or in Safari on my Mac.  It could be the 8.0.2 firmware, or perhaps it’s something that I’m doing wrong.  In any case, I wanted to fix it, as it was annoying.

Both Google and Bing support a feature to enable Safe Search for your network via DNS.  What you have to do is, when someone requests www.google.com, make your DNS return a CNAME record for forcesafesearch.google.com.  While this might sound easy, as I discovered, it's a bit more complex than perhaps it should be.

First, the DNS proxy feature in my PA-220 does support configuring static entries, so I could add an entry for www.google.com, but I can't set it to CNAMEs, only IP addresses.  I would have to hard code the IP address for forcesafesearch.google.com, which could potentially change at any time, breaking things.

After a bit of research, my first candidate to truly do the CNAME change was found.

DNSmasq

On my unRaid box, I installed a docker of Pi-Hole, which is a DNS based system (meant for the Raspberry Pi, but capable of running on other platforms) which blackholes DNS queries to Web advertising sites, etc.  It uses DNSmasq and has the ability to run DHCP as well as DNS.  With this integration, it can resolve local hostnames to their DHCP assigned addressing.  I could do that now by adding static entries to my DNS Proxy instance on the PA-220, but it wouldn't pick up on DHCP entries.  But, alas, DNSmasq treats a CNAME entry added manually differently than I had hoped.  It will ignore it unless it has that record defined somewhere, such as a static definition or via DHCP…  It won't resolve an external CNAME like a normal query and return it.  And if I were to define forcesafesearch.google.com as an A record in DNSmasq, that would really defeat the whole purpose of using the CNAME.

Pi-Hole does have a very nice modern web interface with statistics, graphs, and it looks extremely easy to whitelist or blacklist sites.  It gives you great visibility into what devices on your network are doing the most DNS lookups, and if you are wondering where your IoT devices go on the Internet, you can even filter the logs to see what an individual device is performing lookups against, assuming you have all your devices directly querying Pi-Hole, instead of chained like I'm doing here.  In fact, you can even disable the blocking functionality if you like.  With it disabled, it won't block, but you'll be able to see all the statistics and logs it has to offer, even showing you what it would have blocked.  Today, it has blocked about 8.8 percent of my DNS queries, though I haven't really noticed much difference from when I simply go through my PA-220.

Dingo

While looking for other DNS packages that could do this CNAME trick, I ran across one that looked very interesting for a different reason.  Dingo is effectively a DNS resolver that takes requests in on port 53, and resolves them over encrypted HTTP/2.  It can be used with both Google and OpenResolve (by OpenDNS).  I installed it as another docker and it seems to work fine.  I did increase it to use 25 worker threads instead of the initial 10.  I don’t know if I’ll keep using this or not, but I’ll see how it goes.

Bind

Other research turned up some settings for Bind that would let me add the CNAME records I needed for Google and Bing to enforce safe search, and yet another Docker was installed.  The one I chose included Webmin for easy administration of Bind.  It worked just fine.
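A Bind configuration that does the CNAME rewrite described above, written here as an added example rather than the author's Webmin-managed setup: it uses Bind's Response Policy Zone (RPZ) feature, so queries for www.google.com and www.bing.com are answered with the CNAMEs Google and Bing document for forced Safe Search (forcesafesearch.google.com and strict.bing.com), while every other name is resolved normally and forwarded to the next hop.  The zone name rpz.local, the file paths, the LAN prefixes and the forwarder address 192.0.2.53 (a placeholder for whatever sits next in the chain, Pi-Hole or Dingo) are assumptions.

```conf
// /etc/bind/named.conf.local (added example; names and addresses are placeholders)
options {
    directory "/var/cache/bind";
    recursion yes;
    // Answer only the LAN: an open recursive resolver gets abused for amplification.
    allow-query { 127.0.0.1; 192.168.0.0/16; };
    // Hand everything we don't rewrite to the next hop in the chain.
    forwarders { 192.0.2.53; };
    forward only;
    // Apply the policy zone below to every answer before it goes back to the client.
    response-policy { zone "rpz.local"; };
    // Only needed if this resolver validates DNSSEC and a rewritten name is signed;
    // otherwise the validated answer wins over the policy.
    // break-dnssec yes;
};

zone "rpz.local" {
    type master;
    file "/etc/bind/db.rpz.local";
};

; /etc/bind/db.rpz.local  (zone-file syntax; comments start with ';')
$TTL 300
@   IN SOA localhost. hostmaster.localhost. ( 2017052101 3600 900 604800 300 )
    IN NS  localhost.

; Owner names are relative to the policy zone, so "www.google.com" here matches
; the real www.google.com.  Targets are absolute, hence the trailing dot.
; Each Google country domain you want covered needs its own line (www.google.co.uk, ...).
www.google.com    IN CNAME forcesafesearch.google.com.
www.bing.com      IN CNAME strict.bing.com.
```

After `rndc reload`, `dig @127.0.0.1 www.google.com` should return a CNAME to forcesafesearch.google.com followed by that name's A record, while `dig @127.0.0.1 google.com` is unchanged.  The rewrite only helps for clients that actually use this resolver: a device with a hard-coded 8.8.8.8, or a browser doing its own DNS over HTTPS, walks straight past it, so pair the resolver with a firewall rule that blocks outbound port 53 (and 853) from the LAN to anything but the resolver.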

So, now I have the initial DNS queries pointing to the PA-220, taking advantage of the Threat/URL Filtering there, then forwarding to a docker running Bind to handle google and bing domains, which forwards to Pi-Hole (which I may end up removing from this chain), and finally to Dingo to perform the actual DNS lookups over encrypted HTTP/2.

Whew!

That sounds like a lot, but not including the PA-220 (which was doing this job before), I’ve added three hops that all exist on the same box.

May 21, 2017 at 7:48 pm

OpenDNS discussion part 3, building a custom DNS solution

In my last entry, I talked about creating a custom solution to get the advantages of OpenDNS’s filtering capabilities, while still getting access to CDN servers that are located in your neighborhood.

Since I didn’t want to re-invent the wheel and write my own DNS server, I started out by looking at open-source DNS servers.  I found a few, but a good many of the ones out there weren’t well maintained, or building them for Windows was daunting.  (Yes, I run Macs, but I wanted to run this on a Windows box that serves as my Plex server.)

I have previous experience with a Windows DNS server called SimpleDNS Plus.  It’s not open-source, nor is it free, but it is a very good Windows DNS server that does have a plug-in architecture so that you can build your own plug-ins.

They have a screencast showing how to build a basic plug-in for SimpleDNS 5.0/5.1, but the current version is 5.2, and there have been some changes that make those screencasts obsolete.  After sending a few emails to support explaining what I wanted to do, then asking for more information, I got a good reply telling me how I would implement my idea as a plug-in, but they were not willing to provide any further documentation than what was already on their website.  No example projects or anything.  Disappointed at the lack of assistance from the devs, and severely out of practice with C#, I started trying to hack away at it.

I’ll skip all the boring stuff that took a few days to get through…  I used an open-source .NET library to perform my DNS lookups, but had to embed it in my project because I was unable to use any additional assemblies from my .dll.  I’m not sure if that was a restriction of the plug-in, or something I wasn’t doing right, but I finally got a version of it working on my home network.

The way it worked was to perform a lookup against OpenDNS for every request it was sent.  I had hoped that SimpleDNS Plus would cache my answer, and look in the cache before sending the request to my plug-in, but that’s not the way SimpleDNS handles plug-ins.

So, I wrote a rudimentary caching system.  It doesn’t obey the TTLs, simply building up and emptying on a regular schedule, but it works.  Once my plug-in has resolved an address, it will skip lookups for that address, and just let Simple DNS Plus handle the resolution, unless it was a “blocked” site, in which case it will direct you to the blocked website.

My result?  Well, it seems to work well enough for personal use…  I've run GRC's DNS Bench against it, and if it's benchmarked against the default list, it is (predictably) slower, but reliable… However, if you remove all the others and only benchmark SimpleDNS Plus with my plug-in, it has some reliability issues…  Like down around 75-85% reliable, though I'm not 100% sure what the figure is telling me, exactly.  With my plug-in turned off, I'm sitting at 100% reliability, so it's definitely something I'm not doing right… It could also be the DNS Client library I'm using, I suppose…

It’s not terrible, but I’m a perfectionist, so I’m still trying to figure out why the performance isn’t as good as I’d like it to be…

Update: Woohoo!  A few hours after this blog entry was published, I cracked it.  I replaced the open-source .NET DNS Client library I was using with the library from ARSoft.Tools.Net, and now it works wonderfully well!  The GRC DNS bench tool now shows 100% reliability after multiple tests.  Now, I just need to watch it and see if it is stable.

June 18, 2013 at 8:26 pm

Synology DSM 4.2 is out! Radius Alert!

DSM version 4.1 has been my standard since I got my Diskstation sometime last summer.  Today, I happened to check and found that version 4.2 is now available.

NOTE:  Right now there is a screaming good deal on a 3TB WD Red drive at NewEgg ($139).  Check out hotdealsclub.com for the coupon code.  I ordered one minutes after seeing the price, as that’s a very good buy on this drive, which NewEgg normally sells for $179.

Anyhow, I installed DSM 4.2 not expecting much, with it being a point upgrade.  Looking around at it though, I’m surprised, and in a good way!

The first thing I noticed was that the GUI for the Package Center is different.

The second thing I noticed was that there were a bunch of new packages that look really good.

DHCP Server
I remember this being a feature of 4.1, but I believe it was lacking reservations.  They are supported now, along with a screen to show you the current leases, plus you can do multiple scopes now.
DNS Server
I've wanted a decent DNS server for my NAS, and now I've got one.  It's got a nice GUI interface for setting up zones, and it seems pretty fast.  Not sure what's under the hood, but I'm using it as mine now.
Radius Server
This was a surprise, and it’s the Gem of the upgrade, in my opinion.  It’s got a deceptively simple GUI.   It was nice to see that it comes out-of-the-box with options to authenticate local users, LDAP users, or Domain users (the only options on the Settings panel).  The Clients panel allows you to add clients… I added a quick client (a newly created SSID on my OpenWRT box), set the Shared secret, and Applied it.   It’s got a Block List panel, which appears to allow you to set certain users (or groups) that you wish NOT to be authenticated.  Lastly, it has a Log panel, which lets you see what it’s been up to.

Perhaps most surprising of all, my simple test worked with very little effort.  I connected to my new WPA2 Enterprise SSID via my iPhone, and it prompted me to accept the Certificate, put in my new username and password, and it authenticated.  My iPhone was connected and working.  I may just move all of my Enterprise Auth to the Radius server on my Diskstation, if it proves to work well.

Other new features that I've only looked at briefly, but look good:

Antivirus by McAfee – Not saying this is a good thing, but more A/V options aren't really bad.
Syslog Server – Nice looking GUI interface.  It's not Splunk, but it's decent.
Directory Server – Was this in 4.1?  I plan to check into this one when I have some time…

There are lots more packages that look to be useful in a business setting as well.

I’ve already turned off DHCP for my router and started using this as my caching DNS server.  Perhaps this weekend, I’ll move my “main” SSID over to let my DiskStation handle the Radius auth as well.

March 14, 2013 at 12:06 am

