Better local DNS

For what’s felt like forever, I’ve run dnscrypt-proxy as a local DNS resolver for my LAN. Queries initially hit a BIND instance for my “local” domains, and dnscrypt-proxy is the forwarder for this setup. This configuration doesn’t lend itself well to query logging or to individually unblocking “semi-desirable”[1] trackers with the ad-blocking lists I’ve configured through dnscrypt-proxy. I could finagle something with BIND’s views, but why not look at something like Pi-Hole?

I’ve looked at Pi-Hole off and on before. I usually come back to the same problem: local DNS. There are several forward and reverse zones I run in a split DNS setup with BIND. Pi-Hole partially supports something like this with conditional forwarding; however, I have more than one zone that needs forwarding. dnsmasq has the option to set a separate upstream per domain, and Pi-Hole seems to have kept this functionality as they progress with their own fork.

So, as long as this per-domain upstream server setting remains, I create /etc/dnsmasq.d/99-forwarders.conf with the following type of content to enable all this forwarding (one line per forward zone, one per reverse zone, and a bare // entry for unqualified names):

server=/example.com/192.168.1.x
server=/1.168.192.in-addr.arpa/192.168.1.x
server=//192.168.1.x

This setup allows BIND to still answer for the zones it’s responsible for while letting Pi-Hole do what it does best. Now, if you’re wondering where dnscrypt-proxy is in my setup – it’s still there! I have Pi-Hole querying it as an upstream resolver. It took me a minute to figure out that the Pi-Hole GUI wants the upstream DNS port to be expressed with a # vs a : though. Now I’ve got the ability to group my “clients” with Pi-Hole and maintain my local DNS. Truly, the best of both worlds.
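To see which upstream a given query name ends up at under this kind of forwarders file, here is an added example (a hypothetical helper, not Pi-Hole or dnsmasq code) that parses the same server= syntax and applies dnsmasq’s rule that the longest matching domain suffix wins; the addresses and the dnscrypt-proxy port are constructed placeholders.

```python
# Added example (hypothetical helper, not Pi-hole or dnsmasq code): parse the
# server=/domain/upstream lines from 99-forwarders.conf and apply dnsmasq's
# rule that the longest matching domain suffix wins. Addresses are placeholders.

# Constructed sample of the forwarders file. '#' separates host and port,
# which is the syntax dnsmasq (and the Pi-hole GUI) expect for upstreams.
FORWARDERS_CONF = """
server=/example.com/192.168.1.2
server=/1.168.192.in-addr.arpa/192.168.1.2
server=//192.168.1.2
server=127.0.0.1#5353
"""


def parse_forwarders(text):
    """Return ({domain: upstream}, default_upstream); key '' is the '//' rule."""
    rules, default = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line.startswith("server="):
            continue  # skip blanks and comments
        value = line[len("server="):]
        if value.startswith("/"):
            # server=/domain/upstream; the domain is empty for the '//' form
            _, domain, upstream = value.split("/", 2)
            rules[domain.lower().rstrip(".")] = upstream
        else:
            default = value  # plain server=host#port is the catch-all
    return rules, default


def upstream_for(name, rules, default):
    """Pick the upstream dnsmasq would forward a query for `name` to."""
    name = name.lower().rstrip(".")
    if "." not in name:
        # unqualified name: '//' rule if present, else the default upstream
        return rules.get("", default)
    labels = name.split(".")
    # longest suffix wins: host.example.com tries example.com before com
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            return rules[suffix]
    return default


if __name__ == "__main__":
    rules, default = parse_forwarders(FORWARDERS_CONF)
    for q in ("host.example.com", "5.1.168.192.in-addr.arpa", "printer", "www.debian.org"):
        print(f"{q:26} -> {upstream_for(q, rules, default)}")
```

Running it shows the forward zone, the reverse zone and bare hostnames landing on the BIND address while everything else goes to the catch-all upstream.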

  1. So many sites become useless if you block their tracker and telemetry hosts. Chipotle and other online restaurants are good examples of this. Both their app and website simply fail with an unknown error if you block Traffic Manager, which seems to occasionally appear on crowd-sourced DNS blocklists.

Weekend DIY project

Ambient Orb


Anyone remember the Ambient Orb by Mathmos? When they came out years ago, I very much wanted one for my desk at work to keep track of emails, ticket queues, etc. The price was pretty high for what was ultimately a toy, so I never bought one. If I remember right, they weren’t open source and were difficult to work with as well.

A similar, pre-IoT device came out to help you track things, the Nabaztag “Rabbit.” It also did cute tricks and spoke to you, much like the Furby toy. Funny how both of these devices ended up in my office via coworkers. Ironically, both are now pretty defunct, though I think there are a lot of FOSS efforts to keep the Rabbits working via reverse engineering and DNS masquerading.

Nabaztag Rabbit


Well, I decided I wanted to do something fun. Back when the Raspberry Pi craze hit, I never really bought one. They were constantly out of stock and I had better things to spend money on. When a coworker became infatuated with Chromebits for his kiosk needs, he chucked his Raspberry Pis in the garbage. I rescued one and it ended up falling into one of my electronics junk boxes. (I really do need to go through and clean those out someday.)

My original vision for the Pi was to set up a VPN for remote tech support for parents, family, and friends. Today, however, I’m settling for an alarm clock. Voice assistant based alarms, like Alexa and Google Assistant, are too easy to yell “shut up” at from across the room. I’ve developed an almost subconscious “roll over and disable” maneuver for my phone’s alarm. So what’s left? Clocky is tempting, but I’m always worried about knocking things over or injuring pets. Enter the Raspberry Pi.

Raspbian plus a simple shell script with an ffplay fade puts me in business. I can have the “alarm” loop forever with a heavy metal song that fades in slowly. Why a fade? On the off chance I actually get up before it reaches peak intensity, and also so I’m not completely jarred awake when the song starts at full blast. To disable the alarm, I’ll have to SSH in and “kill” the script. Pretty hard to do that from bed, much less half awake. A simple Monday through Friday rotation is in cron and I’m looking forward to a successful test tomorrow 🙂

Oh, and for added fun: I added a blink(1) to the setup to monitor important emails, server status, etc. It’s kind of like having my own Ambient Orb or Nabaztag Rabbit again. Albeit this time, it’s a heck of a lot cheaper. The blink(1) is only about $30 USD on Amazon.

Server hard drive failures

This week, the server hosting this blog, and a number of my online services, failed from a dying hard drive. I maintain daily snapshots of critical directories like /home and /etc with rsnapshot. Periodically, I’ll also rsync over a full copy of root. I figured a quick swap of the drive, a long rsync, and we’d be back in business.

I was wrong.

The backup drive where I held the full backup wouldn’t spin up. The daily snapshots were intact, but the OS was shot. I’ve used Gentoo on my servers, off and on, for almost the past ten years now. If there’s a prevalent Linux server distribution out there, I’ve probably used it. I’ve also had my share of the BSDs. I always come back to Gentoo … until now.

A sysadmin gig a few years back exposed me to Debian. I enjoyed the rapid installation of packages that came with a binary distribution. I’ve also come to appreciate the stability and maturity of Debian. While a few upgrades bit me in the ass over the years, new tools like etckeeper help minimize this problem.

Truthfully, though, I’ve grown tired of the compile times associated with Gentoo. There’s also the occasional upgrade that breaks shit in true WTF fashion. These are the upgrades that send me scrambling to the IRC channel and forums for help. And while the people there are very friendly and very helpful, I can easily kill a day or two fixing a problem I shouldn’t have had in the first place. QA just seems more “effective” on Debian.

Now, before you think I’m totally tearing down Gentoo, stop. Gentoo still has its place. It’s still a great Linux distribution. If you’ve never used Portage or USE flags, try them out sometime. I guarantee you’re in for a treat! The system is just that powerful. I still run a fair number of Gentoo machines at home and I don’t see that ending anytime soon.

I find I’m at a stage in my life where I really don’t want to be banging my head against the wall with system upgrades on critical servers (i.e., machines serving my email, DNS, et cetera). Yes, we need upgrades, especially security upgrades. If I can spend less time doing upgrades and more time enjoying my life, I’m going to do that. I still enjoy running my own systems and don’t see myself converting to Google Apps anytime soon. I just figured I’d try and rationalize the sudden switch in Linux distributions.