DNS

Raspberry Pi Project 02 – Ad Blocking DNS and DHCP

Raspberry_Pi_LogoI’ve been at a bit of a loss for a while on what to do with my RaspberryPi B+.  I have a B+ and two RaspberryPi B 2s.  The B2s are so much more useful and powerful than the B+ that the poor B+ has kind of been tossed to the wayside.  I was using it as a server for ZNC, an IRC Bouncer.  When I set up my milti-monitor set up, I tried running X-Chat on the B+ with ZNC but the lag was too much.  I’m not sure if the load was from XChat or from ZNC or from Synergy, but the short of it is, the B+ wasn’t useful to my array of machines and needed a headless activity assigned to it.

Sure, I could let it continue to run ZNC, but dedicating two Pis to IRC seems like overkill, so I moved ZNC to the B2 that I run Xchat on and freed the B+ for whatever I wanted.

Pi-Hole for DNS

I started out by setting up Pi-Hole.  It has a fancy name and is simple to install, but at the core, Pi-Hole is just a DNS server that filters sites based on some predefined public lists.  Specifically, it filters ads.  There is a whole debate to be made on the pluses and minuses of ad filtering, but it is what it is and I’m not getting into that debate here.  Pi-Hole has a white list anyway, for “good ads”.  Mostly, it’s a way to filter on mobile, where it’s not easy to install an ad blocker.

Installing Pi-Hole is as simple as entering the following into the command line over SSH or even on the RaspberryPi itself:

sudo curl -L install.pi-hole.net | bash

Though you will also need to set up the Pi with a static IP and then later point your computer’s DNS records to the IP of the Pi.

On a bit of a side note, DNS is Domain Name Server.  The easy analogy is that it is a phone book to the Internet.  Servers where websites live all have IP addresses assigned in various ways, but in order to keep things simple for humans, these servers get friendly names, like Microsoft.com or Facebook.com.  The DNS is where your computer looks up “Facebook.com” to find out what IP address it’s located at.  In this case, ads come from specific servers and providers, often not related to the core domain.  So Website.com may serve ads from advertiser.org.  With Pi-Hole, your computer looks up both domains when you connect to Website.com, but the RaspberryPi Pi-Hole simply replies “I don’t know where Advertiser.org is located”.  You computer then fetches what it can from Website.com, but displays nothing from Advertiser.org.

ISC-DHCP for DHCP

Sort of tangentially related, I recently changed ISPs.  I went from a 3Mbps DSL to 50Mbps Cable modem.  I keep my home network crazy organized since there are a ton of devices on it.  For every person in my house there are something like 4 devices, and this doesn’t count game consoles, media devices, or my own little IOT devices.  On the old modem, I set up MAC assignments on the router so that wireless devices like my phone, where I can’t assign a static IP, get assigned a specific IP.  I went through and set all of this up on the new modem, but none of the assignments seem to have taken.  I’m not entirely sure why, I have theories, but I’ve instead decided to use this as an excuse to re-purpose my B+ and to learn more about managing a DHCP server.

So what is DHCP.  DHCP stands for Dynamic Host control Protocol.  I mentioned earlier that DNS was the way to connect the firstly domain name to an unfriendly IP address.  DHCP assigns those IP addresses.  Some static devices like routers or desktop computers that never go anywhere can pick and self assign an IP but things like phone that move between networks need to be given a temporary IP address as they come and go.  DHCP handles this.  Every device on a network has a unique IP address, though small networks like the one in your home, all tend to share IP ranges since to the outside world they appear to be one node/thing/device.  DHCP can be used to give out reserved “static like” IPs to these roaming devices though based on the device’s MAC Address.  A MAC Address is a device unique identifier.  For example, when the DHCP server or router sees a specific MAC, it can say “I know you, you get IP 192.168.1.50”.  When a strange device shows up, it will simply say “Here, this time you are 192.168.1.103, which is the next free IP in my pool of IPs”.

The set up for DHCP is a bit more involved than for Pi-Hole.  There is a detailed guide below but I’ll run through the cliff notes version.  There is a lot more that can be done but I’m not going to get super detailed here.  This is essentially for a simple home network with one subnet.  The first steps are to set up and configure the server, it will likely error out in the middle, just keep going with it.

sudo apt-get install isc-dhcp-server

sudo nano /etc/dhcp/dhcpd.conf

This is where it gets a little trickier.  You will need to edit the options in the config file.

option domain-name “your_domain”
option domain-name-servers

Your Domain can be more or less anything really, it’s often just “Workgroup” by default in Windows.  It should be all one word though.  Domain Name Servers are specific however.  If you are using Pi-Hole, set the IP of the Pi running Pi-Hole into this list.  You can add additional DNS servers with a comma between each one, some suggestions, 8.8.8.8, and 8.8.4.4 are Google’s DNS servers.  OpenDNS uses 208.67.222.222 and 208.67.20.220.  It’s a good idea to have more than one in case there are issues.

The only other thing you NEED to set is the ip information and range found under

subnet 10.0.0.0 netmask 255.255.255.0
{ range  10.0.0.1 10.0.0.200;
option routers 10.0.0.254;
}

You will need to replace the IP information in this block.  the subnet should be the first three octets of your network followed by a .0.  The most common ones in a home network are 192.168.1.0, 192.168.0.0, and 10.110.1.0.  The range is the range of IPs to give out.  If you are going to use static IPs, i would recommend setting this range beyond your static IP ranges.  For example, I have a spreadsheet blocking off reservations through 192.168.1.100, I added some extra for my router to serve as a backup DHCP server and set the range on the RaspberryPi as 192.168.1.175 192.168.1.250.  This means, when a device connects, it will be assigned an IP starting at the next available at .175.

The final option is routers, chances are really good that you have only one, and chances are the IP ends in .1 or .254.  This will assign the router IP so that devices know how to get out to the Internet.

If you want to ensure your Pi DHCP server is assigning IPs over anything else on the network (ie your router) you will need to find the line that reads “If this DHCP is the official DHCP server…” and uncomment the line “authoritative”.

Finally at the bottom, there are blocks to assign static IPs using a format like:

host MACHINENAME
{
hardware ethernet MACADDRESS;
fixed-address FIXED_IP_YOU_WANT_TO_ASSIGN;
}

An easy way, if you are running Windows, to find out MAC addresses of devices is to run Netscan.  This will give you a list of everything connected to your home network.  There are a few ways to decipher which IP/MAC is which.  Some will have the MAC printed on them, often near the network port.  In the case of phones or tablets, it’s simplest to simply disable the WiFi or turn them of and rescan to see which disappears.  Some may show up with names you may recognize.  You can also sometimes search for the first 3 sets of numbers (IE 45:3b:a3) which is manufacturer specific to decipher that “That’s a Sony device, the only Sony thing I own is the Blu Ray player”.

Setting reserve assignments is entirely optional.  The main purpose is to better organize your home network.  If you only have a half dozen devices, it really probably isn’t necessary at all.

Once you are done editing, CTRL+O (for Output) to save the file, and CTRL+X to close it. If you get an error that you can’t write the file then you forgot to do a”sudo” and you will need to do it all over again.

Wrap Up

Things are not quite finished yet.  You will need to start the DHCP server, since it error-ed out earlier.  You can do this using the following commands:

service isc-dhcpd-server stop
service isc-dhcpd-server start

HOWEVER, I still got an error when I did this.  A little searching and I found a similar issue and fix which I used.

sudo pico /etc/default/ifplugd

Then change this:

INTERFACES=”auto”
HOTPLUG_INTERFACES=”all”
ARGS=”-q -f -u0 -d10 -w -I”
SUSPEND_ACTION=”stop”

To match this:

INTERFACES=”eth0″
HOTPLUG_INTERFACES=”eth0″
ARGS=”-q -f -u0 -d10 -w -I”
SUSPEND_ACTION=”stop”

then reboot and after the reboot start the server with:

sudo reboot

service isc-dhcpd-server start

Everything should be working now.  You can run Netscan later and see if IPs are being assigned into the range you chose.  This may not happen immediately since IPs have a lease time and devices may hold on to the old IP for a bit.

Reference:

Pi-Hole

Configuring the Raspberry Pi as a DHCP Server under Raspbian Wheezy

How To : Use The Raspberry Pi As A Wireless Access Point/Router Part 3…B!

Some Thoughts on SOPA and PIPA

The whole internet is abuzz with SOPA and, to a lesser extent, PIPA talk.  Basically, these two bills in congress, one for the House, one for the Senate.  You can get plenty of information through Google or if you’d like, try the Electronic Frontier Foundation.

The gist of this bill, is that it would allow media companies, through the government, to block websites with “pirated content” through manipulation of the Internet DNS system.  Without proper due process of law.  DNS, is essentially the phone book of the internet.  You could also compare it to a road map.  It’s what computers use to know how to find the websites you look for online.  All websites are in fact a series of numbers called an IP address, however remembering 74.125.227.114 is tricky.  Remembering “Google.com” is not.

Feel free to use that link, it leads to Google.  Which brings up one major flaw with this bill.  Pirates will easily circumvent these blocked DNS entries by using IP addresses.  If say, the Pirate Bay is blocked, people will just use it’s IP address instead.

Also likely there will simply be “rogue DNS” servers.

I am not endorsing piracy, I am saying the bill will not do anything to stop it.  People also may suggest the idea of “if you’re not doing anything wrong, you have nothing to be afraid of”.

The problem with this logic, in every situation, is that the question of “what is wrong” is extremely subjective and often changes.  Guess what, in a world where SOPA passes and becomes law, it starts off simply as it’s told.  Places which host “pirate content” are effectively removed from the internet.  Nevermind that there will also be legal content taken off as well when sites like Megaupload are taken offline.  The block is not single file or even single subsite specific. 

But hey we’re all happier now without The pirate Bay and Megaupload right?

Until people start hosting their content through loopholes on blogger or WordPress.  Sure, it’s against the TOS and both companies work to remove them as they are found but hey, guess what, now they need to be blocked.  Thousands, probably millions, of independent bloggers are now silenced.

Or perhaps the definition of “piracy” and “copyright infringement” gets pushed out even more.  Universal studios puts out a big blockbuster movie, it cost them a shitload of money top make and it gets totally panned by the internet.  Nobody wants to see this movie, all this negative press floating around, well hey look, Blogger Bob used the movie poster in his review.  Nevermind that this may fall under the fare use clause, that’s infringement, let’s close down BloggerBob.com because his negative reviews may be hurting ticket sales.

Just remember, governments generally don’t start off deciding to become repressive totalitarian regimes.  (NOTE: Link will not work 1/18/2012)

I mean hey, we have a precedent now, plus, once a site is “gone” people won’t notice right?  Universal killed BloggerBob, why not suppress a few of those “anti government kooks” out there spreading bad spirits through the country while we’re at it.  We have the mechanism in place after all.  John Q Public doesn’t know what DNS is, he thinks it’s a new sandwich at Subway.

It’s not even that it’s a terribly BAD idea, it’s more that, in an effort to make things “move more quickly” it rejects the idea of due process, and facts, and evidence.

Which also brings up what really is a whole different rant.  The world is changing.  The world is not the US, or Europe, or China, or the Northern Hemisphere.  It’s an entire globe.  The internet is even more-so, and it’s the driving force of the world these days.  Which is the real problem here.  Because despite the best effort to push more crap on what used to be a pretty ignorant and docile public, it’s not working anymore.  Any sort of exaggeration or lie in favor of “marketing” is almost instantly debunked.  People who used to be made to feel better or pushed aside as isolated cases of problems realize that they are not alone.  The internet is the ultimate engine for real democracy.  look at the whole election system, when it took days and months to ride a horse across the country, then things like congress or the electoral college etc were a great idea.  is it even necessary anymore when people can express their opinion and desires to the world instantly?