Krams aus dem NOC

Hardware, software and all that kind of thing

Configuring DNS-Over-HTTPS on Pi-hole

Why use DNS-Over-HTTPS?

DNS-Over-HTTPS is a protocol for performing DNS lookups via the same protocol you use to browse the web securely: HTTPS.

With standard DNS, requests are sent in plaintext, with no way to detect tampering or misbehaviour. This means that not only can a malicious actor see all the DNS requests you make (and therefore which websites you visit), they can also tamper with the response and redirect your device to resources under their control (such as a fake login page for internet banking).

DNS-Over-HTTPS prevents this by using standard HTTPS requests to retrieve DNS information. This means that the connection from the device to the DNS server (in this setup, from the Pi-hole host to the upstream resolver) is encrypted and cannot easily be snooped on, monitored, tampered with or blocked. It is worth noting, however, that the upstream DNS-Over-HTTPS provider still has this ability.

Configuring DNS-Over-HTTPS

Along with releasing their DNS service 1.1.1.1, Cloudflare implemented DNS-Over-HTTPS proxy functionality into one of their tools: cloudflared.

In the following sections we will be covering how to install and configure this tool on Pi-hole.

Installing cloudflared

The installation is fairly straightforward; however, be aware of which architecture you are installing on (amd64 or arm).

AMD64 architecture (most devices)

Download the installer package, then use apt-get to install it along with any dependencies. Then run the binary with the -v flag to check that it is working.

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-amd64.deb
sudo apt-get install ./cloudflared-stable-linux-amd64.deb
cloudflared -v

ARM architecture (Raspberry Pi)

Here we download the precompiled binary and copy it to the /usr/local/bin/ directory so that it can be executed by the cloudflared user. Then run the binary with the -v flag to check that it is working.

wget https://bin.equinox.io/c/VdrWdbjqyF/cloudflared-stable-linux-arm.tgz
tar -xvzf cloudflared-stable-linux-arm.tgz
sudo cp ./cloudflared /usr/local/bin
sudo chmod +x /usr/local/bin/cloudflared
cloudflared -v

Configuring cloudflared to run on startup

Create a cloudflared user to run the daemon.

sudo useradd -s /usr/sbin/nologin -r -M cloudflared

Next, create a configuration file for cloudflared by copying the following into /etc/default/cloudflared. This file contains the command-line options that are passed to cloudflared on startup.

# Commandline args for cloudflared
CLOUDFLARED_OPTS=--port 5053 --upstream https://1.1.1.1/dns-query --upstream https://1.0.0.1/dns-query

Update the ownership of the configuration file and the cloudflared binary so that the cloudflared user can access them:

sudo chown cloudflared:cloudflared /etc/default/cloudflared
sudo chown cloudflared:cloudflared /usr/local/bin/cloudflared

Then create the systemd unit file by copying the following into /lib/systemd/system/cloudflared.service. This controls the service and allows it to run on startup.

[Unit]
Description=cloudflared DNS over HTTPS proxy
After=syslog.target network-online.target

[Service]
Type=simple
User=cloudflared
EnvironmentFile=/etc/default/cloudflared
ExecStart=/usr/local/bin/cloudflared proxy-dns $CLOUDFLARED_OPTS
Restart=on-failure
RestartSec=10
KillMode=process

[Install]
WantedBy=multi-user.target

Enable the systemd service to run on startup, then start the service and check its status.

sudo systemctl enable cloudflared
sudo systemctl start cloudflared
sudo systemctl status cloudflared

Now test that it is working. Run the following dig command; a response similar to the one below should be returned:

dig @127.0.0.1 -p 5053 google.com

; <<>> DiG 9.10.3-P4-Ubuntu <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65181
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1536
;; QUESTION SECTION:
;google.com.            IN  A

;; ANSWER SECTION:
google.com.     299 IN  A   243.65.127.221

;; Query time: 3 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; MSG SIZE  rcvd: 65

Configuring Pi-hole

Finally, configure Pi-hole to use the local cloudflared service as the upstream DNS server:

Screenshot of Pi-hole configuration

(don’t forget to hit Return or click on Save)

Keeping a Windows VPN connected

Create a scheduled task named "Auto VPN" or something similar:

   Tick Run whether user is logged on or not

   Tick Run with highest privileges

   Select Configure for Windows 7, Windows Server 2008 R2 in the Configure for drop-down box

   Create the trigger for the task and set the Begin the task drop-down to At startup

   Create an action for the task and set the action to Start a program

      Set the Program/script to c:\windows\system32\rasdial.exe

      Put the name of the connection to be made in the Add arguments box*

         *If the name contains spaces you will need to enclose it in quotation marks

         *You may need to add further rasdial parameters to the Add arguments box, depending on the connection properties

   Clear all task Conditions

The end result should be that your VPN connection is connected automatically at startup. You can also configure the task to trigger at logon, or even at a specific user's logon.

You need to put your username and password into the Add arguments box as well, at least I did. The full rasdial command is

rasdial "VPN Connection" username password

so the Add arguments box should contain "VPN Connection" username password. However, there are obvious security risks in having your VPN username and password stored in plain text in the open.

Task Scheduler can launch any program after the machine wakes from hibernation. To do this, use event ID "1", which is recorded in the System log.

In Task Scheduler, create a new task and, under "New Trigger", choose "Begin the task: On an event" with the setting "Custom". Click "New Event Filter", select the event level "Information", and in the "By log" drop-down list tick the entry "Windows Logs/System". Finally, type the number "1" (without quotation marks) into the field "Includes/Excludes Event IDs" and close the dialog with "OK".

All that remains is to specify under "Actions" which program the trigger should start.

In addition, the user name should be selected by hand, otherwise an error occurs ("invalid argument" or similar).

Locking/unlocking Philips ISF mode

To unlock or lock it, proceed as follows:

  • go to the TV configuration menu
  • go to the picture presets
  • activate ISF Day or ISF Night
  • now enter "473473" on the remote control (corresponds to "ISFISF" on an SMS keypad)
