Excuse me sir, where are you headed?

Today I was adding a regex list to my pi-hole. I have been running my pi-hole as both my DHCP and DNS server in my unifi stack for months. I wanted to try out some regex lists, and while I was making the edit I realized I never wrote about my DNS over HTTPS experience. It’s been a few weeks, so it’s the perfect time to comment on it.

So I have seen and heard about DNS over HTTPS for a while now and just never got around to doing it. For people who don’t know but are reasonably technical, Wikipedia’s first paragraph on the subject explains it well.

For those who don’t, maybe you have seen something like this while visiting a site or searching.


This generally happens when you are using your ISP’s DNS servers to look up websites. That describes much of the world: a large percentage of everyday users run on their ISP’s default settings and equipment. In the picture we can see that WOW! intercepted the failed lookup and redirected us to a different result instead of just showing us an error page.

This goes a bit deeper though. Other DNS providers like Google’s 8.8.8.8 log and keep this data. Like many others, they sample some of it and save the rest. The terms of use generally state that they strip some personal information and permanently store the rest for analysis.

However, this data, along with data from other providers including your ISP, is also often sold. This allows bigger marketing conglomerates to keep, analyse and use the data for targeted advertising. Now, while it has happened via data breaches etc., I am not going to soapbox about cliché terms like “big data” and scare you about your personal data being stolen and used. It already is, and you should already know that. You should also already know that this all applies to hackers and malware authors too: if a marketing department can do it, so can they.

Now, DNS over HTTPS to a reputable provider can help. It encrypts the request between your computer and the resolver that has to answer it. Combined with a service that stands by your privacy rights, you have a winning combo. A privacy-focused policy is good, but policies can change; still, it’s better to lean toward a company that has one than one that doesn’t. Take it all with a grain of salt.

Anyway, with the pihole I use cloudflared. I used this specific guide because I’m so smart I could do it myself. Now, as I hinted above, it is true that someone still needs to see your DNS request in order to, well….answer it. Encrypting the connection and using a provider that is security conscious is just one more layer of the security onion.

I implemented cloudflared a few weeks ago, as I was saying. I also make sure to utilize DNSSEC, which is supported by Cloudflare’s name servers (the ones that answer the DNS requests). Now, the wife and roommate can be demanding if Netflix or other random services don’t work.
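To make concrete what cloudflared is doing between the pi-hole and Cloudflare, here is an added example (my own illustration, not code from this post, from cloudflared or from Cloudflare). DNS over HTTPS (RFC 8484) carries an ordinary DNS wire-format message inside an HTTPS request, so the resolver still sees the query, as the paragraph above says, while anything on the path between you and the endpoint sees only TLS. The block builds the query, shows both the GET and POST forms of the request, and parses a reply, including the AD flag that a validating resolver sets when DNSSEC checks out. The endpoint https://cloudflare-dns.com/dns-query is Cloudflare’s public DoH URL; the reply is constructed locally so the example runs offline, and 192.0.2.1 is a documentation address, not a real host.

```python
import base64
import struct

# Added example, not the post's or cloudflared's code. DNS over HTTPS (RFC 8484)
# carries a normal DNS wire-format message inside an HTTPS request, so only the
# DoH resolver sees the query; anything on the path sees TLS to the endpoint.
DOH_ENDPOINT = "https://cloudflare-dns.com/dns-query"  # Cloudflare's public DoH URL

FLAG_QR = 0x8000  # message is a response
FLAG_RD = 0x0100  # recursion desired
FLAG_RA = 0x0080  # recursion available
FLAG_AD = 0x0020  # authenticated data: the resolver validated DNSSEC for this answer


def build_query(name, qtype=1, txid=0x1234):
    """Build a DNS query (qtype 1 = A). Setting AD in a query asks the resolver
    to report its DNSSEC validation status in the reply."""
    header = struct.pack("!HHHHHH", txid, FLAG_RD | FLAG_AD, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def doh_get_url(dns_msg, endpoint=DOH_ENDPOINT):
    """RFC 8484 GET form: ?dns=<base64url-encoded message, padding stripped>."""
    encoded = base64.urlsafe_b64encode(dns_msg).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={encoded}"


def doh_post_request(dns_msg, host="cloudflare-dns.com", path="/dns-query"):
    """RFC 8484 POST form as the raw HTTP/1.1 bytes that travel inside TLS."""
    head = (f"POST {path} HTTP/1.1\r\nHost: {host}\r\n"
            "Accept: application/dns-message\r\n"
            "Content-Type: application/dns-message\r\n"
            f"Content-Length: {len(dns_msg)}\r\n\r\n")
    return head.encode("ascii") + dns_msg


def _read_name(msg, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (offset if end is None else end)


def parse_response(msg):
    """Parse the DNS response body: transaction id, rcode, AD flag and A records."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if not flags & FLAG_QR:
        raise ValueError("not a response")
    offset = 12
    for _ in range(qdcount):  # skip the echoed question section
        _, offset = _read_name(msg, offset)
        offset += 4
    answers = []
    for _ in range(ancount):
        name, offset = _read_name(msg, offset)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, ttl, ".".join(str(b) for b in rdata)))
    return {"id": txid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD), "answers": answers}


def constructed_response(query, ip, ad=True, ttl=300):
    """Constructed stand-in for the resolver's reply so the example runs offline:
    echoes the question and answers it with one A record."""
    txid = struct.unpack("!H", query[:2])[0]
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0)
    # 0xC00C is a compression pointer back to the name in the question at offset 12
    rr = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + bytes(int(o) for o in ip.split("."))
    return header + query[12:] + rr


if __name__ == "__main__":
    q = build_query("example.com")
    print(doh_get_url(q))
    print(parse_response(constructed_response(q, "192.0.2.1")))
```

The check a practitioner cares about is the last field: if your upstream validates DNSSEC, answers for signed zones come back with AD set, and a forged or tampered answer for a signed zone comes back as SERVFAIL rather than with a quietly different address, which is the protection the DNSSEC setting above is buying.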

However, I can say that thus far, with a modest blocklist, everything has been going great! DNS requests are quick, so things load quickly, and otherwise it’s been business as usual. Maybe a little less pomp and circumstance than I would have liked, but if nothing changed then it means it’s working correctly.

The cache, blocklists, and actual resolver are all doing their job. It’s a well oiled machine.

At some point I encourage everyone to utilize DNS over HTTPS, be it cloudflared or not. It’s easy to implement, and if you choose pihole as your host as well, you now have easy DNS curation built in. I personally run mine on a virtual machine and it hums along nicely.

Go give security a chance. Change your passwords, use good rules, uninstall weird stuff. Tweak your AV. Curate your Outlook rules.

Take care of yourself out there.

Permissions to the rescue

Last night I was changing my default tabs in Chrome and decided to add my site as one of them. I figured that if I did this it would push me to write more.

Imagine my shock when I was greeted with a 502 proxy error from nginx. After a little digging I found some errors in nginx’s error.log, specifically:

unix:/var/run/php/php7.2-fpm.sock failed (13: Permission denied) while connecting to upstream

After looking online I saw some old security patches for php5 regarding process ownership and some recommendations regarding www.conf. None of them applied, of course, and I was stuck again. However, after a little more digging it turned out that this may have been because of an update, and as such permissions were modified. It also turns out that on older OSs ‘nginx’ is not part of the www-data group by default.

Now, since the site had been working at some point, I figured the problem was this broken group/user relationship, and that’s when I found the command to re-add it to the group:

usermod -a -G www-data nginx

That worked great! Now the site was up! A new problem arose though. I needed to commit some updates to WordPress, but some of the plugins would not take. Some were complaining about write permissions. The paths seemed to indicate issues with their respective home directories. A quick glance at the permissions showed that, either because of initial problems during my install or otherwise, the ownership of the folder was set incorrectly.

A quick sudo chown -R www-data:stuff and we were back in business. Now my coffee was lukewarm and I had to get ready for work. At least I get to complain about things on the internet now though.
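Both failures in this post come down to the same Unix permission check: connect() on a unix-domain socket needs write permission on the socket node, and a plugin update needs write permission on the directory it unpacks into. The following is an added example (my own illustration, not the post’s code and not php-fpm’s or nginx’s) that models that check against a constructed www.conf fragment, using the socket path from the error line above and stock Debian pool defaults, together with constructed passwd and group tables whose uid and gid numbers are assumptions. It shows why nginx gets “Permission denied” before the usermod, why it works after, and why the chown fixes the plugin writes.

```python
import stat

# Added example, not the post's code. Constructed www.conf fragment: the socket
# path is the one in the post's error line, the remaining values are the stock
# Debian php-fpm pool defaults.
WWW_CONF = """
[www]
user = www-data
group = www-data
listen = /var/run/php/php7.2-fpm.sock
listen.owner = www-data
listen.group = www-data
listen.mode = 0660
"""


def parse_pool_conf(text):
    """Minimal php-fpm pool parser: 'key = value' lines, ';' starts a comment."""
    settings = {}
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()
        if not line or line.startswith("["):
            continue
        key, _, value = line.partition("=")
        settings[key.strip()] = value.strip()
    return settings


def fresh_databases():
    """Constructed stand-ins for /etc/passwd and /etc/group; uids/gids are assumed.
    passwd: name -> (uid, primary gid); group: name -> (gid, supplementary members)."""
    passwd = {"root": (0, 0), "www-data": (33, 33), "nginx": (998, 998)}
    group = {"root": (0, set()), "www-data": (33, set()), "nginx": (998, set())}
    return passwd, group


def groups_of(user, passwd, group):
    """Primary gid plus every group listing the user as a supplementary member."""
    return {passwd[user][1]} | {gid for gid, members in group.values() if user in members}


def has_write_access(owner, group_name, mode, user, passwd, group):
    """Standard owner/group/other evaluation of the write bit. This is the check
    behind both the socket connect() and the wp-content plugin writes."""
    uid = passwd[user][0]
    if uid == 0:
        return True
    if uid == passwd[owner][0]:
        return bool(mode & stat.S_IWUSR)
    if group[group_name][0] in groups_of(user, passwd, group):
        return bool(mode & stat.S_IWGRP)
    return bool(mode & stat.S_IWOTH)


def usermod_add_group(user, group_name, group):
    """What `usermod -a -G <group> <user>` does: append to the supplementary
    groups. Without -a, usermod -G replaces the whole list."""
    group[group_name][1].add(user)


def nginx_can_reach_fpm(settings, passwd, group, user="nginx"):
    """Can the nginx worker user connect to the pool socket described by www.conf?"""
    mode = int(settings["listen.mode"], 8)
    return has_write_access(settings["listen.owner"], settings["listen.group"],
                            mode, user, passwd, group)


def diagnose_socket(settings, passwd, group, user="nginx"):
    """Explain a 502 caused by socket permissions and name the narrow fix."""
    mode = int(settings["listen.mode"], 8)
    if mode & stat.S_IWOTH:
        return "world-writable socket: any local user can talk to php-fpm, tighten listen.mode"
    if nginx_can_reach_fpm(settings, passwd, group, user):
        return "ok"
    return (f"{user} cannot connect to {settings['listen']} "
            f"(owner {settings['listen.owner']}:{settings['listen.group']}, "
            f"mode {settings['listen.mode']}); fix: usermod -a -G {settings['listen.group']} {user}")


if __name__ == "__main__":
    conf = parse_pool_conf(WWW_CONF)
    passwd, group = fresh_databases()
    print(diagnose_socket(conf, passwd, group))
    usermod_add_group("nginx", "www-data", group)
    print(diagnose_socket(conf, passwd, group))
```

The design point is the narrowness of the fix: adding nginx to www-data grants exactly one extra principal access to the socket, whereas the other quick fix people reach for, listen.mode = 0666, lets every local account talk to php-fpm, which is why the diagnose function flags a world-writable socket before anything else.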

Hello world!

Well, that was hard. So it’s been, I think, a year since I blogged about my random misadventures in IT, specifically since my misadventure into flash cache and SAN storage. I ended up losing everything in a freak HDD failure combined with an SSD cache drive failing.

So.. last night I spent the time and actually stood up my WordPress install. I configured NGINX a few weeks ago and just never got around to actually doing anything with my domains as I rebuilt my internal services.

What a mess. I think for the most part I do things in a more complex manner than needed. In this case it took me a bit to figure out why my database server wasn’t linking to my nginx server. It ended up being an interface bind issue, but it had been so long that I had to ask myself whether it wouldn’t just be easier to install MySQL on the web server.

I was adamant though, and continued on. Now I have some semblance of an active website, maybe; if not.. well, I have another project I guess.