DNS over HTTPS in a snap

Background Story

With the recent news about the UK ISP association proposing Mozilla as “Internet villain of the year” for enabling DNS over HTTPS (and subsequently changing their mind and dropping the whole villain of the year category, a good move I think), I figured it was probably about time I looked at enabling DoH at home.

Cloudflare have an open source tool called cloudflared which has, among other things, a DNS over HTTPS proxy (the proxy-dns subcommand). By default it points at their 1.1.1.1 service, but you can change that if you want to. Note: at the time of writing there is a bug which seems to stop Google’s DNS service working. If you’re looking to stop people seeing your DNS traffic then Google probably isn’t the right DNS service to use anyway.

I already have dnsmasq running as my DNS server and I have quite a lot of config which I wanted to keep (e.g. adblocking), so I figured I would add cloudflared’s proxy-dns alongside dnsmasq and have dnsmasq use proxy-dns as its upstream server, which would in turn pass the DNS lookups to 1.1.1.1 over HTTPS. dnsmasq would then cache the results locally.

So far, so good. I’d built cloudflared on my desktop to test it; now I wanted to move it on to the Raspberry Pi, run it as a service, and ideally have a package so that I didn’t have to mess around rebuilding it in loads of places if I wanted to move to a different box.

Make a snap

Making a snap of proxy-dns would give me the package I wanted, and would let me run proxy-dns as a daemon with two words in the YAML. Snapcraft’s build service would build me an ARM binary, as well as loads of others, for free.

I downloaded the source for cloudflared and added three files:

  1. A snapcraft.yaml which describes how to build cloudflared and sets it to be run as a daemon
  2. A configure hook which lets me set some config options
  3. A launcher script which sets the config at run time

None of these are very complicated, as you can see. Hat-tip to Popey for help with the snapcraft.yaml.

Then I pushed these back to my project on GitHub and added that project to the Snapcraft.io build service. Now, whenever I push a new change back to GitHub the snap gets rebuilt automatically and uploaded to the store! All I would need to do is run snap refresh and I’d be upgraded to the latest version. All my requirements solved in one place.

How to use the snap

If your Pi is running snapd (e.g. Ubuntu MATE or Ubuntu Core), it’s dead easy:

sudo snap install cloudflaredoh --edge

The snap is currently in the edge channel, meaning it’s not ready for the main stage just yet. Once I’ve spent a bit more time on it, I will move it to stable.

sudo snap set cloudflaredoh address=127.0.0.1
sudo snap set cloudflaredoh port=5053

These two commands configure proxy-dns to listen on 127.0.0.1 port 5053, which is what you want when dnsmasq on the same box is the only thing talking to it. If you want it to answer DNS queries from other computers on your network, set address to either the IP address of the box or 0.0.0.0 to listen on all interfaces, and set port to the default DNS port of 53.

sudo snap get cloudflaredoh

This will show you the currently set config options.

sudo snap restart cloudflaredoh

Restart proxy-dns and use the new config.

Now you can use something like nslookup to query the DNS server and make sure it’s doing what you expected.
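Here is the shape of the configure hook and launcher as an added example: shell written for this page, not the files in the author’s repo and not anything from the cloudflared project. It assumes the snap’s config keys are address and port as above, that the snapcraft part puts the binary at $SNAP/bin/cloudflared, and that the launcher runs cloudflared proxy-dns with its --address and --port flags. It goes a bit further than the post: values set with snap set are validated before they can reach the daemon’s command line, and a note is printed whenever the listener is reachable from other hosts, because 0.0.0.0:53 makes the Pi an open resolver to every network it is plugged into. The dnsmasq fragment and the dig check at the end are the ones I would use; the function names and defaults are mine.

```shell
#!/bin/sh
# Added example for this page: snap configure hook + launcher logic for a
# cloudflared proxy-dns daemon, with validation. Not the author's files and
# not part of cloudflared. Assumed: config keys "address" and "port", binary
# at $SNAP/bin/cloudflared, launched as "cloudflared proxy-dns --address A --port P".

DEFAULT_ADDRESS=127.0.0.1   # loopback: only dnsmasq on this box can reach it
DEFAULT_PORT=5053           # leaves 53 free for dnsmasq

# valid_address ADDR: true if ADDR is an IPv4 dotted quad with octets 0-255.
# Anything else is rejected, so a value like "1.2.3.4 --upstream evil" set
# via "snap set" can never reach the exec line in launcher().
valid_address() {
    addr=$1
    case "$addr" in
        ""|*[!0-9.]*|.*|*.|*..*) return 1 ;;
    esac
    count=0
    rest=$addr
    while [ -n "$rest" ]; do
        octet=${rest%%.*}
        [ "$octet" -le 255 ] || return 1
        case "$rest" in *.*) rest=${rest#*.} ;; *) rest= ;; esac
        count=$((count + 1))
    done
    [ "$count" -eq 4 ]
}

# valid_port PORT: true if PORT is an integer in 1-65535.
valid_port() {
    case "$1" in
        ""|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# listens_on_network ADDR: true if ADDR is not loopback, i.e. other hosts on
# whatever network the Pi sits on can send it queries.
listens_on_network() {
    case "$1" in
        127.*) return 1 ;;
    esac
    return 0
}

# check_config ADDR PORT: what the configure hook does with the values from
# "snap set". Status 0 = accept. A non-zero status from the hook makes
# "snap set" itself fail, so a bad value never reaches the running daemon.
check_config() {
    if ! valid_address "$1"; then
        echo "address '$1' is not an IPv4 dotted quad" >&2
        return 1
    fi
    if ! valid_port "$2"; then
        echo "port '$2' is not in 1-65535" >&2
        return 1
    fi
    if listens_on_network "$1"; then
        echo "note: $1:$2 will answer DNS for every host that can reach this box; keep it behind your LAN firewall" >&2
    fi
    return 0
}

# dnsmasq_upstream ADDR PORT: dnsmasq lines that send every lookup to the
# proxy instead of the ISP resolvers (no-resolv stops it reading
# /etc/resolv.conf). Put the output in /etc/dnsmasq.d/doh.conf.
dnsmasq_upstream() {
    printf 'no-resolv\nserver=%s#%s\n' "$1" "$2"
}

# configure_hook: body of snap/hooks/configure. snapctl only exists inside a
# snap, so this is not called when the file is run outside one.
configure_hook() {
    addr=$(snapctl get address)
    port=$(snapctl get port)
    [ -n "$addr" ] || { addr=$DEFAULT_ADDRESS; snapctl set address="$addr"; }
    [ -n "$port" ] || { port=$DEFAULT_PORT; snapctl set port="$port"; }
    check_config "$addr" "$port"
}

# launcher: what the daemon's command runs. Re-reads the config at start-up so
# "snap restart" picks up new values, then execs the real binary.
launcher() {
    addr=$(snapctl get address)
    port=$(snapctl get port)
    addr=${addr:-$DEFAULT_ADDRESS}
    port=${port:-$DEFAULT_PORT}
    check_config "$addr" "$port" || exit 1
    exec "$SNAP/bin/cloudflared" proxy-dns --address "$addr" --port "$port"
}

# check_resolver ADDR PORT NAME: the nslookup-style check from the post, with
# dig aimed straight at the proxy. Needs network, so it is not run here.
check_resolver() {
    dig @"$1" -p "$2" "$3" +short
}

# Stand-alone outside a snap: exercise the validation on a few constructed values.
if ! command -v snapctl >/dev/null 2>&1; then
    for pair in "127.0.0.1 5053" "0.0.0.0 53" "256.1.1.1 53" "127.0.0.1 70000"; do
        set -- $pair
        if check_config "$1" "$2" 2>/dev/null; then
            echo "ok   $1:$2"
        else
            echo "bad  $1:$2"
        fi
    done
fi
```

Inside the snap the same two functions are the bodies of snap/hooks/configure and the launcher script named in snapcraft.yaml; outside it the file just runs the validation so you can see which values it would refuse.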

10 Steps To DNS-over-HTTPS

  1. Get a Raspberry Pi
  2. Download Ubuntu Core and write it to an SD card
  3. Put the SD card in your Pi and boot it
  4. Set up the network on Ubuntu Core (tip: register for an Ubuntu One account first)
  5. sudo snap install cloudflaredoh --edge
  6. sudo snap set cloudflaredoh address=0.0.0.0
  7. sudo snap set cloudflaredoh port=53
  8. sudo snap restart cloudflaredoh
  9. Configure your client’s DNS server as the IP address of your Pi
  10. Have a cup of tea

Update 2019-08-01

I’ve got a new Github repo set up with an improved snapcraft.yaml which pulls directly from the upstream project. I’m aiming to get this hooked up to the Snapcraft build service so that we can package the latest version automatically. More on this later. In the meantime, you can clone this and build the latest version yourself:

https://github.com/8none1/cloudflarednsproxy

Ubuntu Desktop goings on. Friday 19th May 2017

Ubuntu Desktop Newsletter

I’m going to start a weekly newsletter style update to keep people abreast of what’s been going on with Ubuntu Desktop as we move to GNOME Shell and build the foundations for 18.04 LTS.  Here’s the first instalment:

Friday 19th May 2017

GNOME

We’re on to the last few MIR (https://wiki.ubuntu.com/MainInclusionProcess) reviews for the packages needed to update the seeds in order to deliver the GNOME desktop by default.
We still have some security questions to answer about how we deal with updates to mozjs/gjs in an LTS release (where mozjs has a support period of 12 months but we need to offer support for a full five years). This is being looked at now, but for 17.10 we are set.
We are aiming to have the seeds updated next week, and this will be the first milestone on the road to a fantastic GNOME experience in 17.10 Artful.

We’ve been fixing bugs in the Ambiance & Radiance themes to make them look crisp on GNOME Shell.
http://www.omgubuntu.co.uk/2017/05/install-improved-ambiance-gnome-theme

We’ve also triaged over 400 GNOME Shell bugs in Launchpad to allow us to more easily focus on the important issues.

We have been working on removing Ubuntu’s custom “aptdaemon” plugin in GNOME Software in favour of the upstream solution which uses PackageKit. This allows us to share more code with other distributions.

LivePatch

https://www.ubuntu.com/server/livepatch

LivePatch delivers essential kernel security updates to Ubuntu machines without having to reboot to apply them. As an Ubuntu user you can sign up for a free account.
We’re working on integrating LivePatch into the supported LTS desktops to provide a friendly way to set up and configure the service.
This week we started to investigate the APIs provided by the LivePatch services so we can report LivePatch activity to the user, obtain an API key on behalf of the user & set up the service. Work has also started on the software-properties-gtk dialogs (aka Software & Updates in System Settings) to add the options required for LivePatch.

QA

Added upgrade tests from Zesty to Artful for Ubuntu and flavours. Working on making all these tests pass now so that everyone will have a solid and reliable upgrade path.
Work is being done on the installer tests. This will extend the current installer tests to check not only that the install has completed successfully but that the whole desktop environment is working as expected; this had previously been covered with manual tests.

Package Updates

  • GStreamer is now at 1.12 final in 17.10.
  • Chromium: stable 58.0.3029.110, beta 59.0.3071.47, dev 60.0.3095.5
  • LibreOffice 5.3.3 is being tested.
  • CUPS-filters: 1.14.0
  • Snapd-glib: 1.12

Snaps

More GNOME applications are being packaged as Snaps. There is still some work to do to get them fully confined and fully integrated into the desktop. We’re working on adding Snap support to Gtk’s Portals to allow desktop Snaps to access resources outside their sandbox.
We will start tracking the Snaps here:
https://wiki.ubuntu.com/DesktopTeam/GNOME/Snaps

In the news

Interview with Ken VanDine on the GNOME Desktop in Ubuntu:  http://www.omgubuntu.co.uk/2017/05/ubuntu-switch-to-gnome-questions-answered

There’s also a survey running to get feedback on some extensions which could be shipped with Ubuntu Desktop: http://www.omgubuntu.co.uk/2017/05/ubuntu-desktop-gnome-extensions-survey-1710

This was picked up by the Linux Unplugged podcast as their headline story: http://www.jupiterbroadcasting.com/114701/that-new-user-smell-lup-197/


Raspberry Pi powered heating controller (Part 2)

In which one Raspberry Pi is seen.

In part one of this series I explained how the central heating system was wired up and what electrical connections you needed to make to switch your heating and hot water on and off.

Heating Controller - breadboard

I ordered all the parts and now I’ve plugged them all together.  Here’s a quick video demonstrating how it will all work.

Further Updates


And we’re back…

I’ve moved to another server, and in the process I’ve had a whole lot of problems.  For anyone that’s read any of my blog before that won’t come as a surprise.

Once I’ve got all the kinks worked out, I’ll tell you how I fixed it.  For now, this is just a test…

Fixing “warning: Please check that your locale settings”

I took an Amazon AWS t1.micro instance for a spin the other day. A free server is not to be sniffed at. Of course I installed Ubuntu 12.04 on it.

I was getting a lot of locale errors, things like this:

perl: warning: Setting locale failed.
perl: warning: Please check that your locale settings:
LANGUAGE = (unset),
LC_ALL = (unset),
LC_MESSAGES = "en_GB.UTF-8",
LC_COLLATE = "en_GB.UTF-8",
LC_CTYPE = "en_GB.UTF-8",
LANG = "en_US.UTF-8"
are supported and installed on your system.

I thought this would just go away by itself, but it didn’t – so I had to fix it. Note: I’m in the UK, so I’m using en_GB as my locale, change yours to en_US or whatever.

Type:

export LANGUAGE=en_GB.UTF-8
sudo locale-gen en_GB.UTF-8
sudo dpkg-reconfigure locales

And you should be all set.

More Asterisk hints

Wow – a day of fixing loads of niggling little Asterisk problems!

  • Max duration

My calling plan gives me unlimited free calls as long as those calls are under an hour in duration. Pretty standard BT stuff. If you do make a call over an hour you don’t just get charged for that bit of the call over the hour, oh no, you get charged for the whole call.
Anyway – we have the technology to defeat them!

In FreePBX under General Settings change your Asterisk Outbound Dial command options to include Dial’s call limit option. Asterisk writes it as L(x:y:z), with colons: drop the call after x ms, play a warning when y ms are left, and repeat the warning every z ms. So for a cut-off at 56 minutes with a warning two minutes before that, repeated every ten seconds:

L(3360000:120000:10000)

which will drop the call after 3360000ms (56 minutes) and should alert you at 54 minutes, when 120000ms are left.

  • Courtesy Tone

The above works very well and drops the calls, but without a bit of extra magic you don’t get the warning in your ear – it just drops the call. To enable the warning tones etc edit this:

/etc/asterisk/features_general_custom.conf

and add

courtesytone=beep

replacing “beep” with whatever noise you want to hear.

  • Call Recording

By also adding:

Ww

to the Dial command options from the Max duration item above, you can press *1 when you’re in a call to start recording. It plays the courtesy tone to both parties though.

Asterisk VoIP calls causing PPP to drop on ADSL modems

The internet FTW.

I’ve been having this odd problem since I got my Asterisk box back up and running in that whenever a call came in and hung up I’d lose internet connectivity for a few seconds.

I tracked it down to the router dropping the PPP connection, which initially made me think that the polarity reversal indicating the call had hung up was causing the modem to b0rk, perhaps due to the distance between the phone socket and the modem, or my dodgy cat5 cabling, or something.

Turns out it was none of the above.  EDIT:  Bit hasty there.  Hasn’t fixed it at all.

This post:

http://forums.contribs.org/index.php/topic,43733.msg209081.html#msg209081

points to exactly my problem. I disabled the DDoS protection and no more dropped internet connections. I don’t worry about DDoS attacks too much, so for now I’m going to leave it off.

UPDATE:  None of the above actually worked.  In the end it turned out the modem had simply broken.  The NV RAM wasn’t remembering the config after a proper reboot and it was generally broken.  So I replaced the whole thing with a new DrayTek modem.  The old one did pretty well, it worked perfectly for about 3 years non-stop.

Search hints:

DrayTek VoIP Asterisk dropping ADSL PPP drop DDoS SIP