A Quick and Dirty DNS server using FreeBSD ( #100DaysToOffload Day 28)

In today's post i'm going to show you how to setup up something i should have done a long time ago. Knowing now how easy it could be. What is this thing? Setting up a in-home DHCP/DNS server. At first i was just looking for a DNS server thinking like a Pi-Hole but i knew i wanted to use FreeBSD as the OS. I want to use BSD's more mainly just to learn about them not because i think they are better(yet). FreeBSD is my choice simply because i've had the best experience with it. This would work from any of the BSD's but some step might differ a little. So Looking around i found out that the “Pi-Hole” only runs on linux. Looking a little further i found out that a Pi-Hole really is just a DNS server plus a block list. Doing this also means i don't have to maintain a host file on each device i own.

Enter dnsmasq

This little piece of software is just what i was looking for. Plus it's also a DHCP and TFTP server. And it's native to BSD's(It can also be found on linux).

The setup was quite easy. I am using a Raspberry Pi Model B rev 2(A second one i had laying around) for now but this is going to be upgraded to something else as it does struggle a little. But it is very usable and any slow downs are only noticeable when the TTL of the DNS record expires.

So step one was to flash the SD card with the FreeBSD image this i did using dd from my linux PC

dd if=FreeBSD-12.1-RELEASE-arm-armv6-RPI-B.img of=/dev/sdX

Pop that in the Pi and boot it up. I always do the initial Pi boot up with it connected to a display just in case something goes wrong and plus then i don't have to try and look at DHCP lease tables to find out what the IP address of it is.

After initial boot next task should be to change the default password(s) for root account and freebsd account. You can do that using the same passwd command as on linux.

Next you really should set a static IP on any server and also set a hostname to do that on FreeBSD you edit /etc/rc.confand add these lines

hostname="hyperion"
ifconfig_ue0="inet 192.168.2.6 netmask 255.255.255.0"
defaultrouter="192.168.2.1"

ue0 above is the name of the network interface. This could be different on your system. You can find the interface name using the ifconfig command.

Now i know i could have these changes take effect with a few command but i always reboot when making changes like this.

What i always do next is somewhat optional but HIGHLY recommended. Make SSH use public key authentication. I'll assume you know how to do this and move onto the setup of the actual DHCP/DNS server. At this point i would also disconnect the Pi from the display, Place it in it's final resting place and do the rest of the setup over SSH.

The only package we need to install is dnsmasq

pkg install dnsmasq

Once that is installed it's a matter of configuring it. dnsmasq is a caching DNS server by default but can also be a DHCP and TFTP server. I decided to also use it as the DHCP server on my network to ensure that all clients use it as DNS server. dnsmasq parses /etc/hosts and turns those into DNS records/responses.

Here is my config

# Never forward plain names (without a dot or domain part)
domain-needed
# Never forward addresses in the non-routed address spaces.
bogus-priv

no-resolv
server=9.9.9.10
server=149.112.112.10
dhcp-range=192.168.2.20,192.168.2.150,24h
dhcp-option=3,192.168.2.1
dhcp-authoritative

# Send microsoft-specific option to tell windows to release the DHCP lease
# when it shuts down. Note the "i" flag, to tell dnsmasq to send the
# value as a four-byte integer - that's what microsoft wants. See
# http://technet2.microsoft.com/WindowsServer/en/library/a70f1bb7-d2d4-49f0-96d6-4b7414ecfaae1033.mspx?mfr=true
dhcp-option=vendor:MSFT,2,1i

cache-size=300
conf-dir=/usr/local/etc/dnsmasq.d

# If a DHCP client claims that its name is "wpad", ignore that.
# This fixes a security hole. see CERT Vulnerability VU#598349
dhcp-name-match=set:wpad-ignore,wpad
dhcp-ignore-names=tag:wpad-ignore

# Always allocate the host with Ethernet address 11:22:33:44:55:66
# The IP address 192.168.0.60
#dhcp-host=11:22:33:44:55:66,192.168.0.60
# If this line is uncommented, dnsmasq will read /etc/ethers and act
# on the ethernet-address/IP pairs found there just as if they had
# been given as --dhcp-host options. Useful if you keep
# MAC-address/host mappings there for other purposes.
#read-ethers

Most of those options are explained or self-explanatory so i'll explain the less obvious ones.

no-resolv by default dnsmasq gets it's list of upstream dns servers to pass onto clients by reading /etc/resolv.conf this disables that and makes it get it's upstream server from it's own config file.

server=9.9.9.10
server=149.112.112.10

These are the 2 upstream DNS server i use. They are provided by Quad9. These are the unsecured non-blocking servers as i will supply my own blocking list.

So then in /etc/resolve.conf you just need to have nameserver 127.0.0.1

and then disable resolvconf by creating /etc/resolvconf.conf with the following content

resolvconf=NO

dhcp-option=3,192.168.2.1 this sets DHCP option 3(Default gateway) for all clients to 192.168.2.1 dhcp-authoritative This makes dnsmasq forcefully become the only DHCP server on the network so it will takeover leases from other servers(if i understand that correctly)

I've left the addresses reservation lines because i may use them someday.

conf-dir=/usr/local/etc/dnsmasq.d this makes dnsmasq parse all files under that folder

in that folder i have the block list found here

This list get updated everyday and is a large list blocking AD and malware domains.

So with that all in place all that is left to do is to enable/start the service

To enable add this to /etc/rc.conf

dnsmasq_enable="YES"

Then to start it right now

service dnsmasq start

That's it the server is now running and will answer DHCP and DNS requests. Any clients you have set with static network configurations you will need to update the DNS server on those to point to this newly setup server.

The other thing i did was create a small script to update the block list everyday and restart dnsmasq.

#!/usr/local/bin/bash
wget -O /usr/local/etc/dnsmasq.d/dnsmasq.blacklist.txt https://raw.githubusercontent.com/notracking/hosts-blocklists/master/dnsmasq/dnsmasq.blacklist.txt
service dnsmasq restart

and add that to /etc/crontab

0 1 * * * root /root/upblocklist.sh >/dev/null 2>&1

I have that set to go at 1AM every day as the blocklist repo is updated right around 12am in my time zone. You'll have to adjust this so you grab it after it's been updated.

And that is it. Like i said the Pi model B is not the best deivce to do this with. I think anything more recent with more than 1 CPU core would work just fine. My plan is to get a Rock64.

Well i hope this post was helpful to someone.

Until next time Stay safe!

@mgrondin@youdabomb.social

#Tech #BSD #Selfhost

Until next time. Stay safe!

G @mgrondin@youdabomb.social

Weekly music review and a new service offering (#100DaysToOffLoad Day 26)

So this week i have been listening to Cataclysm by Electric Dragon. To no surprise i have been enjoying every minute. This artist is a bit darker than most other Synthwave artists i've listened to but that's what makes it so great. It's like being down in the under belly having a party.

I'm not sure where the inspiration came for this album but i suspect that 2020 had a general impact on it. Most of the songs make reference to the end of days in some way but it's put together in such a way that is very enjoyable. I'll be listening to this one again for sure and you should as well.

Now for next weeks album we are going to stick in the Synthwave genre but a little different still.

This album is by a band that has interested me for a while but i never really checked it out.

The band is called Master Boot Record. I think you can see why the name would interest me.

Anyways the album i'll be listening to is Floopy Disk Overdrive. Please go and check it out. If you are more skilled in those things than me maybe you can unlock the secret track. Come back next week for more music.

---

As a hobbyist self-hoster i'm almost always looking for something else to host. One because i like to see what else is available in terms of self-hostable stuff and two because i just enjoy the setup process.

So when @selea@social.linux.pizza put out a call for someone to take over https://tempmail.linux.pizza (now redirects to my server) i saw it as something i could throw onto my recently uncovered Raspberry Pi model B and i jumped at the chance. So https://tempmail.youdabomb.social is born(Literally just yesterday). What does it offer:

Random Disposable Mailbox ✅
No Access Logs ✅
Mail Deleted after 2 days ✅

2 domains to choose from anon.ymous.xyz nullnvoid.xyz More domains to come later(Maybe...Probably)

It is made possible by Disposable-Mailbox.

So if you want to avoid some spam associated with some websites or just want to be able to use/join a website without giving your regular email well now you can.

Keep in mind that this is running on quite the small device so while it can't handle all of you at once it should be able to service everyone given time. If it's in high enough demand i'll look at upgrading the hardware it's on. For now it should do.

Well that is all for now

Until next time Be Safe!

@mgrondin@youdabomb.social

#Music #Tech #SelfHost #BSD #Raspi

Until next time. Stay safe!

G @mgrondin@youdabomb.social

Weekly Music review and a GopherHole (#100DaysToOffload Day 24)

So for today's post we start off with the weekly music review.

This wee i've been listening to Virtual Trails by Milchomalefic. I must say that with this week it's confirmed that my love for Metal(at least the heavier kind) is diminishing. I enjoyed this weeks album much more than last weeks.

The album lives up to it's name. It really makes you feel like you are traveling around some wonderful world. It is great music to be driving to. It's both calming and invigorating. It was pleasant to listen to when leaving work. Got me out of the workday mood. At the same time it's great to listen to while going to work. Helps me to wake up. I look forward to listening to this one for many years to come.

Now for the next album i'm going to cheat a little. What i'm going to do is use the album that i've already been listening to for #mmbc with @uxintro@social.chinwag.org and @mike@social.chinwag.org. Since this is the review week for #mmbc i figured i could double review it. The album is Punk/HC by Lavage. I wont say much but do yourself a favor and pick it up. Really pick up both albums i've mentioned here.

Check back next week for more music.

---

Now onto the next topic for today.

Recently(as in like Friday) i found out about #Gopher. A protocol that was around very early in the days of the internet i think it even pre-dates http. It basically does the same as http in which it serves content over the internet.

From wikipedia

The Gopher protocol /ˈɡoʊfər/ is a communications protocol designed for distributing, searching, and retrieving documents in Internet Protocol networks. The design of the Gopher protocol and user interface is menu-driven, and presented an alternative to the World Wide Web in its early stages, but ultimately fell into disfavor, yielding to the Hypertext Transfer Protocol (HTTP). The Gopher ecosystem is often regarded as the effective predecessor of the World Wide Web

It really only support serving basic text but really that's all you need to get a point across. Mind you i'm still learning about it and i have seen mention of images and sound it can support but i have not experimented with those functions yet.

So i decided this was something i could do with one of my old Raspberry PI Model b(Rev.2) i have around. So i went about setting up a server. I also decided that it would be a great opportunity to really give BSD a go. So i went with FreeBSD for the operating system. So far i'm really enjoying it. It was fairly easy to setup and is even more easy to publish content to. Write up a text file and upload it. Voila that's it. I'm going to keep playing with this for sure and might even open up the server to some users if there is interest. I think it's nice to go back to that point in time of the internet. No ADs no one was really in it to make money. Much of it(The internet) was about sharing and exchanging ideas. That is now so often lost...

Anyways if you want to check it out have a look at my GopherHole(Writefreely wont make the link clickable you will have to copy paste):

gopher://gopher.pizza

Sadly most modern browsers have long dropped support for the gopher protocol but thanks to some add-ons it can still be browsed. The add-on i use/recommend is OverbiteWX/NX as it works with all major browsers. Other browsers that support it that i have tired are lynx(CLI based) and Dooble. One thing that i'm still figuring out is if all clients are created equal. So far it seems not or it seems some documentation on the syntax supported is inaccurate. But the basics should work across all clients.

Anyways that is all for today.

Until next time. Be Safe!

@mgrondin@youdabomb.social

#Music #Gopher #BSD

Until next time. Stay safe!

G @mgrondin@youdabomb.social

Adventures with BSD Episode 2(AKA Yub(sd)ico)

So this is going to be a relativity quick post. I got my yubikey working on GhostBSD.

This was something really simple and stupid in the end(As i suspected). In the process of moving away from systemd on linux i had to re-enable all boot time services. One of which was pcscd which is a service for interacting with smart cards which the yubikey is one(or at least that's how it's interface to)

So all that was needed was to install pcsc-lite from the software station. Then run

sudo service pcscd start

And the yubico authenticator desktop app now finds my yubikey and is able to generate OTP codes!! YAY!

Then to ensure the service is started at boot

sudo rc-update add pcscd default

and voila working yubikey on BSD.

That's all for now

G

#bsd #tech

Until next time. Stay safe!

G @mgrondin@youdabomb.social

Adventures with BSD Episode 1 (AKA:Hello from BSD)

So back in November I won a small little HP laptop from my work Christmas party. First I figured I would just distro hop around on it for fun. Then I decided that since I always wanted to try out BSD I would do so on it.

So first order of business was to pick a distribution of BSD to try. I settled on GhostBSD as a first go for no real reason other than it's a Canadian distribution.

Booting into live environment and performing the install went smooth. I went with all the defaults to have a higher chance of success.

First boot things started looking bleak. The touchpad was not working at that point I was not sure if the whole system froze or if it was just the touchpad. I stole the wireless mouse from my desktop and to my delight the cursor started moving. YAY!

Got logged in and started looking around. Really if you did not see the system boot or if you don't run uname -a from terminal you would have almost no clue it's not linux.

So i launched a terminal and did just that:

marcg@marc /u/h/marcg> uname -a
FreeBSD marc.ghostbsd-pc.home 12.1-STABLE FreeBSD 12.1-STABLE GENERIC  amd64

I was also quite pleased to see fish as the default shell it's what I use on Linux and I love it (maybe a post for another day).

So next I ran dmesg just to see how the output differs from Linux and I was greeted with this:

So even tho the system seemed to be running just fine I would not have that error constantly spamming system logs.

A quick google search turned up that the issue was because the emmc in the laptop does not support the trim command and offered a solution. Add the following to /etc/sysctl.conf:

vfs.zfs.trim.enabled=0

So I did that and rebooted. But after reboot the error still repeated. Now during boot I noticed systemd complain about something so I did ctrl+F1 to see what was up and caught something about how the above directive should be in /boot/loader.conf so I moved it to that file and rebooted again. Either things differ between FreeBSD and GhostBSD or the info on placement under FreeBSD was outdated. Either way No more error! Yay!

I will keep using it for a while. Things to fix/For future posts:

1. Get WiFi working. Not much of a laptop if I have to be plugged in. Hopefully this is doable

2. Fix touchpad. Otherwise I'll have to get a new mouse since going back and forth is annoying.

3. Get sleep working properly. It goes to sleep good(like when i close the laptop lid) but it does not wake up. Screen stays black.

4. Get yubikey working. Tried using it and even tho the software is available something must be missing kernel side or something as it is never detected by any of the yubi apps. Not as big a deal since I can use my phone.

That's all for now.

G

#bsd #tech

Until next time. Stay safe!

G @mgrondin@youdabomb.social