Wednesday, February 27, 2019
curl IPv6 + https test
https://forum.netgate.com/topic/134243/http-test-ipv6-com-works-but-https-test-ipv6-com-doesn-t-tls-handshake-stuck-with-ipv6
If you get errors using IPv6 with HTTPS, this curl example (verbose, HEAD request) might help show where the TLS handshake stalls:
curl -XGET -I -vvvv https://wiki.archlinux.org/index.php/Table_of_contents
Tuesday, February 26, 2019
Arch Linux: my install procedure
https://wiki.archlinux.org/index.php/installation_guide
timedatectl set-ntp true
fdisk -l ...
# OR, for a RAID setup, see https://wiki.archlinux.org/index.php/RAID
mdadm --create /dev/md0 --level=6 --raid-devices=4 /dev/sdb1 /dev/sdc1 /dev/sdd1 /dev/sde1
mdadm --create /dev/md1 --level=6 --raid-devices=4 /dev/sdb2 /dev/sdc2 /dev/sdd2 /dev/sde2
mkfs.ext4 /dev/md1
mkswap /dev/md0
swapon /dev/md0
mount /dev/md1 /mnt
pacstrap /mnt base
genfstab -U /mnt >> /mnt/etc/fstab
mdadm --detail --scan >> /mnt/etc/mdadm.conf
arch-chroot /mnt
--- (inside the chroot) ---
passwd
ln -sf /usr/share/zoneinfo/America/Sao_Paulo /etc/localtime
hwclock --systohc
locale-gen
vi /etc/hostname
vi /etc/hosts
pacman -S grub
cat /etc/mdadm.conf   # check that both arrays were recorded
vi /etc/mkinitcpio.conf
BINARIES=(mdmon)
HOOKS=(base udev autodetect modconf block mdadm lvm2 mdadm_udev filesystems keyboard fsck)
mkinitcpio -p linux
vi /etc/default/grub
GRUB_PRELOAD_MODULES="... mdraid09 mdraid1x"
cd /boot/
grub-install /dev/vda
grub-mkconfig -o /boot/grub/grub.cfg
cp /etc/netctl/examples/ethernet-static /etc/netctl/enp0s3
(edit the profile as needed...) https://www.ostechnix.com/configure-static-dynamic-ip-address-arch-linux/
netctl start enp0s3   # the profile name must match the file created above
netctl enable enp0s3
netctl list   # (check profiles)
Saturday, February 23, 2019
Arch Linux RAID install error: Failed to connect to lvmetad. Falling back to device scanning.
To install GRUB on a RAID array you need to adjust a few files before the first boot...
If using an Intel platform, follow the guide:
edit /etc/mkinitcpio.conf
change:
BINARIES=(mdmon)
add:
HOOKS=(base udev block mdadm filesystems)
save the file and run:
$ mkinitcpio -p linux
Make sure mdadm was added to HOOKS; when the image is generated you should see it in the output (line above).
Run grub-mkconfig -o /boot/grub/grub.cfg. If you get the error
warning: failed to connect to lvmetad. falling back to device scanning.
on RAID, follow these instructions:
leave the chroot (/mnt)
$ mkdir /mnt/hostlvm
$ mount --bind /run/lvm /mnt/hostlvm
$ arch-chroot /mnt
$ ln -s /hostlvm /run/lvm
-- alternative --
mkdir /mnt/hostrun
mount --bind /run /mnt/hostrun
Then chroot into the guest and mount the host's /run/lvm in the guest's /run:
arch-chroot /mnt
mkdir /run/lvm
mount --bind /hostrun/lvm /run/lvm
Rerun grub-mkconfig -o /boot/grub/grub.cfg.
Wednesday, February 20, 2019
PXE boot setup: custom default menu
https://www.syslinux.org/wiki/index.php?title=PXELINUX#Custom_Menu_Example_with_sub-menus
Custom Menu Example with sub-menus
Many advanced options here. Read the full Syslinux documentation to understand it all. It's password-protected against modification during PXE boot, which is very useful to prevent tampering.
Note: this example uses the legacy way to generate submenus, which is compatible with older Syslinux versions. Syslinux 3.62 supports a slightly different syntax, which is faster and somewhat more flexible.
Directory structure:
/tftpboot/
/tftpboot/memdisk
/tftpboot/pxelinux.0
/tftpboot/menu.c32
/tftpboot/pxelinux.cfg/
/tftpboot/pxelinux.cfg/default
/tftpboot/pxelinux.cfg/graphics.conf
/tftpboot/pxelinux.cfg/fixes.menu
/tftpboot/pxelinux.cfg/setup.menu
/tftpboot/TRK/
/tftpboot/TRK/chkdsk.trk
/tftpboot/TRK/initrd.trk
/tftpboot/TRK/kernel.trk
/tftpboot/Memtest/memtest.x86
/tftpboot/Suse/
/tftpboot/Suse/initrd92
/tftpboot/Suse/linux92
/tftpboot/Floppy/
/tftpboot/Floppy/kbfloppy.img

/tftpboot/pxelinux.cfg/default:
DEFAULT menu.c32
PROMPT 0
MENU TITLE PXE Special Boot Menu
MENU INCLUDE pxelinux.cfg/graphics.conf
MENU AUTOBOOT Starting Local System in # seconds

LABEL bootlocal
  MENU LABEL ^Boot Point of Sale
  MENU DEFAULT
  LOCALBOOT 0
  TIMEOUT 80
  TOTALTIMEOUT 9000

LABEL FixesMenu
  MENU LABEL ^Fixes Menu
  KERNEL menu.c32
  APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/fixes.menu

LABEL SetupMenu
  MENU LABEL ^Setup Menu
  KERNEL menu.c32
  APPEND pxelinux.cfg/graphics.conf pxelinux.cfg/setup.menu

/tftpboot/pxelinux.cfg/graphics.conf:
MENU COLOR TABMSG 37;40 #80ffffff #00000000
MENU COLOR HOTSEL 30;47 #40000000 #20ffffff
MENU COLOR SEL 30;47 #40000000 #20ffffff
MENU COLOR SCROLLBAR 30;47 #40000000 #20ffffff
MENU MASTER PASSWD yourpassword
MENU WIDTH 80
MENU MARGIN 22
MENU PASSWORDMARGIN 26
MENU ROWS 6
MENU TABMSGROW 15
MENU CMDLINEROW 15
MENU ENDROW 24
MENU PASSWORDROW 12
MENU TIMEOUTROW 13
MENU VSHIFT 6
MENU PASSPROMPT Enter Password:
NOESCAPE 1
ALLOWOPTIONS 0

Change ALLOWOPTIONS to 1 (one) to be able to edit any of the entries while booted with PXE on the menu system, for testing purposes. Also change NOESCAPE to 0 (zero) for the same reason.

/tftpboot/pxelinux.cfg/fixes.menu:
MENU TITLE Fixes Menu

LABEL MainMenu
  MENU LABEL ^Return to Main Menu
  KERNEL menu.c32
  APPEND pxelinux.cfg/default

LABEL fsck
  MENU LABEL ^File system check
  KERNEL TRK/kernel.trk
  APPEND initrd=TRK/chkdsk.trk ramdisk_size=32768 root=/dev/ram0 vga=0

LABEL memtest
  MENU LABEL ^Memory Test: Memtest86+ v1.65
  KERNEL Memtest/memtest.x86

LABEL trk3
  MENU LABEL ^Trinity Rescue Kit
  KERNEL TRK/kernel.trk
  APPEND initrd=TRK/initrd.trk ramdisk_size=32768 root=/dev/ram0 vga=0 trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose

/tftpboot/pxelinux.cfg/setup.menu:
MENU TITLE Setup Menu

LABEL MainMenu
  MENU LABEL ^Return to Main Menu
  KERNEL menu.c32
  APPEND pxelinux.cfg/default

LABEL setupkb
  MENU LABEL ^Any floppy disk image
  KERNEL memdisk
  APPEND initrd=Floppy/kbfloppy.img

LABEL linux
  MENU PASSWD yourpassword
  MENU LABEL Install - ^Classic
  KERNEL Suse/linux92
  APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/ay92.xml

LABEL trkclone
  MENU PASSWD yourpassword
  MENU LABEL Install - ^Faster
  KERNEL TRK/kernel.trk
  APPEND initrd=TRK/initrd.trk ramdisk_size=65536 root=/dev/ram0 vga=0 install=Y trknfs=IPADDR:/trk ip=::::::dhcp splash=verbose

LABEL linuxfull
  MENU PASSWD yourpassword
  MENU LABEL Install - ^Developer
  KERNEL Suse/linux92
  APPEND initrd=Suse/initrd92 ramdisk_size=65536 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install autoyast=http://IPADDR/9.2/scripts/develdesktop.xml
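As an added check (not from the Syslinux wiki or the original post), a small Python audit that parses files like graphics.conf and setup.menu above and reports which of the anti-tampering controls the post relies on are missing: MENU MASTER PASSWD, NOESCAPE 1, ALLOWOPTIONS 0, and a MENU PASSWD on installer entries. It also flags plaintext passwords, because pxelinux.cfg files are served over TFTP and readable by any client on the segment; the sample configs are constructed from the post's directives and the hashed value is a placeholder.

```python
import re
from typing import Dict, List

# Constructed samples (hypothetical): the tamper-control directives from the post's
# graphics.conf, a "testing" variant, a hashed-password variant, and a cut-down
# setup.menu with one protected and one unprotected installer entry.
GRAPHICS_CONF = """\
MENU MASTER PASSWD yourpassword
MENU PASSPROMPT Enter Password:
NOESCAPE 1
ALLOWOPTIONS 0
"""
TESTING_CONF = GRAPHICS_CONF.replace("NOESCAPE 1", "NOESCAPE 0").replace("ALLOWOPTIONS 0", "ALLOWOPTIONS 1")
HASHED_CONF = GRAPHICS_CONF.replace("yourpassword", "$4$constructed$placeholderhash$")
SETUP_MENU = """\
LABEL linux
  MENU PASSWD yourpassword
  MENU LABEL Install - ^Classic
  APPEND initrd=Suse/initrd92 vga=0 textmode=1 install=http://IPADDR serverdir=/9.2/install
LABEL trkclone
  MENU LABEL Install - ^Faster
  APPEND initrd=TRK/initrd.trk root=/dev/ram0 install=Y trknfs=IPADDR:/trk
"""

def parse_menu(text: str) -> Dict[str, dict]:
    """Collect global directives and the directives under each LABEL."""
    globals_, labels, current = {}, {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition(" ")
        key, value = key.upper(), value.strip()
        if key == "LABEL":
            current, labels[value] = value, {}
            continue
        target = labels[current] if current else globals_
        if key == "MENU":  # "MENU <sub> <rest>"; MENU MASTER PASSWD is a two-word sub-key
            sub, _, rest = value.partition(" ")
            if sub.upper() == "MASTER":
                sub2, _, rest = rest.partition(" ")
                sub = "MASTER " + sub2
            target["MENU " + sub.upper()] = rest.strip()
        else:
            target[key] = value
    return {"global": globals_, "labels": labels}

def is_hashed(pw: str) -> bool:
    # Syslinux accepts $1$ (md5pass), $4$ (sha1pass) and $5$/$6$ (SHA-2) hashes; anything else is plaintext.
    return re.match(r"^\$[1456]\$", pw) is not None

def audit(graphics_conf: str, *menus: str) -> List[str]:
    """Findings about the tamper controls the post relies on; [] means all are present."""
    g, findings = parse_menu(graphics_conf)["global"], []
    master = g.get("MENU MASTER PASSWD")
    if not master:
        findings.append("no MENU MASTER PASSWD: entries can be edited from the menu")
    elif not is_hashed(master):
        findings.append("MENU MASTER PASSWD is plaintext in a TFTP-readable file; use a hash")
    if g.get("NOESCAPE") != "1":
        findings.append("NOESCAPE is not 1: the menu can be escaped to the boot: prompt")
    if g.get("ALLOWOPTIONS") != "0":
        findings.append("ALLOWOPTIONS is not 0: kernel command lines can be edited")
    for menu in menus:
        for name, d in parse_menu(menu)["labels"].items():
            if "install=" not in d.get("APPEND", ""):
                continue  # only installer/cloning entries need their own lock
            pw = d.get("MENU PASSWD")
            if pw is None:
                findings.append(f"label {name}: installer entry without MENU PASSWD")
            elif not is_hashed(pw):
                findings.append(f"label {name}: MENU PASSWD is plaintext; use a hash")
    return findings
```

Run audit(GRAPHICS_CONF, SETUP_MENU) against your own files to see what the post's configuration still leaves open.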
--------
https://forums.fogproject.org/topic/8488/how-to-pxe-boot-cent-os-7/61
# Note on this copy: iPXE jumps to the first label with a given name, so the duplicated
# labels in the forum post (ubuntu6, ubuntu, kubuntu6, kubuntu, mint, Mint) made the second
# entry of each pair unreachable; they are made unique here. "goto failed" and "goto start"
# pointed at labels that do not exist in this script and are replaced with "goto MENU".
:MENU
menu
item --gap -- ---------------- iPXE boot menu ----------------
item mac Macrium Reflect
item clonezilla Clonezilla 2015
item ubuntu6_64 Ubuntu 16:04.1 x64
item ubuntu6_32 Ubuntu 16:04.1 x32
item ubuntu_64 Ubuntu 15:10 x64
item ubuntu_32 Ubuntu 15:10 x32
item kubuntu6_64 Kubuntu 16:04.1 x64
item kubuntu6_32 Kubuntu 16:04.1 x32
item kubuntu_64 Kubuntu 15:10 x64
item kubuntu_32 Kubuntu 15:10 x32
item mint18_32 Linux Mint 18 "Sarah" - MATE (32-bit)
item mint18_64 Linux Mint 18 "Sarah" - MATE (64-bit)
item mint_32 Linux Mint 17.2 "Rafaela" - MATE (32-bit)
item mint_64 Linux Mint 17.2 "Rafaela" - MATE (64-bit)
item mintc_32 Linux Mint 17.2 "Rafaela" - Cinnamon (32-bit)
item mintc_64 Linux Mint 17.2 "Rafaela" - Cinnamon (64-bit)
item BOOTCD Hirens 15.2 BOOTCD
item pgon Paragon Harddisk Manager 12
item ubd Ultimate Boot Disk
item ez EZ Gig IV Cloning Software
item centos Centos
item centos2 Centos Live
item hostinfo details about this computer
item shell ipxe shell
item return return to previous menu
choose --default return --timeout 5000 target && goto ${target}

:mac
initrd http://${fog-ip}/fog/service/ipxe/mac/mac.iso
chain memdisk iso raw || goto MENU

:clonezilla
kernel http://${fog-ip}/bootimgs/clonezilla/vmlinuz
initrd http://${fog-ip}/bootimgs/clonezilla/initrd.img
imgargs vmlinuz boot=live username=user fetch=http://${fog-ip}/bootimgs/clonezilla/filesystem.squashfs locale=en_US.UTF-8 keyboard-layouts=NONE
boot || echo failed to boot
prompt
goto MENU

:ubuntu6_64
kernel http://${fog-ip}/bootimgs/16.04.1_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/16.04.1_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:ubuntu6_32
kernel http://${fog-ip}/bootimgs/16.04.1_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/16.04.1_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/16.04.1_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:ubuntu_64
kernel http://${fog-ip}/bootimgs/15.10_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/15.10_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:ubuntu_32
kernel http://${fog-ip}/bootimgs/15.10_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/15.10_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/15.10_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:kubuntu6_64
kernel http://${fog-ip}/bootimgs/kubuntu6_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu6_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:kubuntu6_32
kernel http://${fog-ip}/bootimgs/kubuntu6_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu6_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu6_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:kubuntu_64
kernel http://${fog-ip}/bootimgs/kubuntu5_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/kubuntu5_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:kubuntu_32
kernel http://${fog-ip}/bootimgs/kubuntu5_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/kubuntu5_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/kubuntu5_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mint18_32
kernel http://${fog-ip}/bootimgs/lm18_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm18_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mint18_64
kernel http://${fog-ip}/bootimgs/lm18_64/casper/vmlinuz.efi
initrd http://${fog-ip}/bootimgs/lm18_64/casper/initrd.lz
imgargs vmlinuz.efi root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm18_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mint_32
kernel http://${fog-ip}/bootimgs/lm_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mint_64
kernel http://${fog-ip}/bootimgs/lm_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lm_64/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lm_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mintc_32
kernel http://${fog-ip}/bootimgs/lmc_32/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_32/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_32/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:mintc_64
kernel http://${fog-ip}/bootimgs/lmc_64/casper/vmlinuz
initrd http://${fog-ip}/bootimgs/lmc_64/casper/initrd.lz
imgargs vmlinuz root=/dev/nfs boot=casper netboot=nfs nfsroot=${fog-ip}:/var/www/html/bootimgs/lmc_64/ locale=en_US.UTF-8 keyboard-configuration/layoutcode=la mirror/country=US
boot || goto MENU

:centos
initrd http://${fog-ip}/bootimgs/centos/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/centos/images/pxeboot/vmlinuz initrd=initrd.img method=http://${fog-ip}/bootimgs/centos/ devfs=nomount ip=dhcp
boot || goto MENU

:centos2
initrd http://${fog-ip}/bootimgs/centos/images/pxeboot/initrd.img
chain http://${fog-ip}/bootimgs/centos/images/pxeboot/vmlinuz initrd=initrd.img root=live:http://${fog-ip}/bootimgs/centos/LiveOS/squashfs.img ip=dhcp rootflags="loop" rootfstype=auto ro rd.live.image quiet rhgb rd.luks=0 rd.md=0 rd.dm=0
boot || goto MENU

:BOOTCD
initrd http://${fog-ip}/bootimgs/bootcd/hirensboot.iso ||
chain memdisk iso raw ||
boot || goto MENU

:pgon
initrd http://${fog-ip}/bootimgs/pgon/phdman12.iso ||
chain memdisk iso raw ||
boot || goto MENU

:ubd
initrd http://${fog-ip}/bootimgs/ubcd/ubcd535.iso ||
chain memdisk iso raw ||
boot || goto MENU

:ez
initrd http://${fog-ip}/bootimgs/ez/EZGIG438.iso ||
chain memdisk iso raw ||
boot || goto MENU

:hostinfo
echo This computer : ||
echo MAC address....${net0/mac} ||
echo IP address.....${ip} ||
echo Netmask........${netmask} ||
echo Serial.........${serial} ||
echo Asset number...${asset} ||
echo Manufacturer...${manufacturer} ||
echo Product........${product} ||
echo BIOS platform..${platform} ||
echo ||
echo press any key to return to Menu ||
prompt
goto MENU

:shell
shell || goto MENU

:return
chain http://${fog-ip}/${fog-webroot}/bootimgs/boot.php?mac=${net0/mac} ||
prompt
goto MENU
Tuesday, February 19, 2019
GParted Live on PXE Server
https://gparted.org/livepxe.php
Besides GParted Live CD and Live USB, we can put the GParted Live image on a PXE server so that a client can boot via the network to use GParted. The steps to do this are as follows:
- Set up a PXE server. You might refer to documentation, such as setting up a server for PXE network booting, or DRBL (Diskless Remote Boot in Linux) to assist you. In these steps we assume the pxelinux config file is /tftpboot/nbi_img/pxelinux.cfg/default, and the image files are in /tftpboot/nbi_img/.
- Set up an http service on the PXE server.
- Download GParted live zip file. You have to use 0.3.7-2 or later because network drivers are only included after that.
- Unzip all the files in a temp dir /tmp/gparted/. You can do this with a command such as:
mkdir -p /tmp/gparted; unzip gparted-live-*.zip -d /tmp/gparted/
NOTE: Replace gparted-live-*.zip with the file name you just downloaded.
- Copy the necessary boot files (vmlinuz and initrd.img) to /tftpboot/nbi_img/. For example:
cp /tmp/gparted/live/{vmlinuz,initrd.img} /tftpboot/nbi_img/
- Copy /tmp/gparted/live/filesystem.squashfs to your http server. For example:
cp /tmp/gparted/live/filesystem.squashfs /var/www/
- Edit your PXE config file /tftpboot/nbi_img/pxelinux.cfg/default, and append the following:
label GParted Live
  MENU LABEL GParted Live
  kernel vmlinuz
  append initrd=initrd.img boot=live config components union=overlay username=user noswap noeject ip= vga=788 fetch=http://$webserverIP/filesystem.squashfs
If the GParted live version you are using is <= 0.22.0-1, then the config file is like:
label GParted Live
  MENU LABEL GParted Live
  kernel vmlinuz
  append initrd=initrd.img boot=live config union=aufs noswap noprompt vga=788 fetch=http://$webserverIP/filesystem.squashfs
NOTE1: Replace $webserverIP with the IP address of your http server.
NOTE2: Remember to check the boot parameters in syslinux/syslinux.cfg inside the zip file, and replace the parameters listed above with those, since newer releases may use different boot parameters (for example, the vmlinuz path might differ).
NOTE3: Do not use the parameter "ip=frommedia" in your PXE config file.
For more information about pxelinux, refer to the following article on PXELinux.
Changing a Linux password asks for "Current Kerberos password:"
The error is:
# passwd user1
Current Kerberos password:
user1 is a local user, not an AD or remote user, so why does this happen? The Kerberos PAM profile is enabled system-wide, so passwd tries Kerberos first even for local accounts.
Run:
# pam-auth-update
Check whether Kerberos authentication is enabled; if it is, disable it.
This was done on Debian 8.6.
Now the password can be changed from the command line using the shell.
Friday, February 15, 2019
Firebird 3.0 error: Statement failed, SQLSTATE = 08004, connection rejected by remote interface
https://stackoverflow.com/questions/30390465/connection-rejected-by-remote-interface-connecting-to-firebird-3-with-pdo
Settings to change in firebird.conf:
Find firebird.conf, uncomment (if using fbclient 2.x) and change the following parameters to disable WireCrypt and give legacy authentication higher priority:
WireCrypt = Disabled
AuthServer = Legacy_Auth, Srp, Win_Sspi
AuthClient = Legacy_Auth, Srp, Win_Sspi
Note that this is a compatibility workaround for old 2.x client libraries: Legacy_Auth is the weaker pre-3.0 authentication and WireCrypt = Disabled turns off wire encryption, so updating the client to fbclient 3.x is preferable where possible.
Saturday, February 02, 2019
Stopping DNS leakage with pfSense - avoid DNS leaks on pfSense
Stopping DNS leakage with pfSense - ZenCoffee Blog
I’ve recently changed my core router over from OpenWRT to pfSense. I was pretty happy with OpenWRT, but I wanted something more powerful since it was running in a VM anyway.
A few days ago, CloudFlare announced their new 1.1.1.1 service. This is a public DNS service very much like Google’s 8.8.8.8 DNS service, with a notable difference. It supports TLS.
Why should you care? Because DNS requests are normally not encrypted, and therefore visible to your ISP to record, use for research / marketing purposes, or even (in the case of some nefarious actors) manipulate or change. Running DNS over TLS prevents that, by encrypting your DNS traffic so that it can’t be manipulated or collected.
In this post, we’ll be configuring pfSense to do three things – provide a local standard unencrypted port 53 DNS resolver which uses CloudFlare’s 1.1.1.1 encrypted service on the WAN end, and then set up a NAT redirect so any attempts on the internal network to use port 53 DNS servers outside the network instead are intercepted and resolved by the internal resolver. Lastly, it will also make sure that it blocks any outbound requests to port 53 just to be sure.
NOTE: There’s one piece here I haven’t figured out yet. How to pin a cert for the DNS endpoints listed here, so it’s not perfect. When I figure that out, I’ll edit this post.
Let’s get started.
Configuring the pfSense Local Resolver
In pfSense, go to Services -> DNS Resolver, then put the following block into Custom Options:
server:
  ssl-upstream: yes
  do-tcp: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 2606:4700:4700::1001@853
You will also need to make sure that the DNS Query Forwarding option is NOT selected, otherwise the above settings will conflict. It's OK to set the resolver to listen on all interfaces, since the firewall rules on the WAN will prevent Internet hosts from using your resolver anyway. Follow the prompts, then test it with something like:
dig www.google.com @yourrouter.local
You should see a resolve against your router’s local DNS resolver that works. If you really want, use Diagnostics -> Packet Capture, and capture port 853 to verify that requests are being triggered.
Redirect all DNS requests to outside DNS servers to pfSense
Follow the article you can find here. You will need to do this once for each of your interfaces (in my case, LAN, DMZ, and VPN). Obviously don’t configure this for the WAN interface. This then causes any requests to addresses that are not on your internal network to be resolved through the local pfSense resolver (which goes out to port 853 anyway).
To test this, try and dig something against an IP that you know is not internal and is not a DNS server. It should work, since the request will be NATted. Something like:
dig www.google.com @1.2.3.4
Assuming that’s all fine, you should now be able to configure a broad block rule to bar all outbound port 53.
Block all outbound non-encrypted DNS
This shouldn’t really be required if the NAT rule is working, but we’ll do it anyway to be sure we’re stopping any DNS leaks.
In pfSense, go to Firewall -> Rules, and for the WAN interface, define a new rule at the top of the list. This rule should use these settings:
Action: Block
Interface: WAN
Address Family: IPv4+IPv6
Protocol: TCP/UDP
Source: any
Destination: any
Destination Port: DNS (53)
Description: Block outbound insecure DNS
After doing this, verify that you can still resolve against the local resolver (your router’s IP), and that you can still resolve against what seems to be external resolvers (eg, 8.8.8.8). You should also check that when you do so that nothing passes on the WAN interface on port 53.
If that all passes, you’re done. It’s up to you if you use the ‘Block’ target or the ‘Reject’ target. Block causes a simple timeout if something hits 53 (which shouldn’t happen anyway), Reject causes an immediate fail.
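As an added check (not from the ZenCoffee post or from pfSense), a small Python audit of an Unbound custom-options block like the one above: it flags any forward-addr that is not on port 853 (a cleartext leak), a missing ssl-upstream, and forwarders whose certificate is never authenticated. The hardened sample uses Unbound's `@853#authname` form together with tls-cert-bundle, which is Unbound's own way of verifying the upstream certificate (the pinning gap the author mentions); that the Unbound shipped with your pfSense build is new enough for it is an assumption, and all three configs are constructed inline.

```python
import re
from typing import Dict, List

# Constructed samples: the post's custom-options block, a variant that leaks (TLS line
# dropped, plain port-53 forwarder added), and a hardened variant using Unbound's
# "@853#authname" + tls-cert-bundle form (assumption: needs an Unbound release that
# supports TLS authentication names).
POST_CONFIG = """\
server:
  ssl-upstream: yes
  do-tcp: yes
forward-zone:
  name: "."
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
  forward-addr: 2606:4700:4700::1111@853
  forward-addr: 2606:4700:4700::1001@853
"""
LEAKY_CONFIG = POST_CONFIG.replace("  ssl-upstream: yes\n", "") + "  forward-addr: 8.8.8.8\n"
HARDENED_CONFIG = (POST_CONFIG
                   .replace("  do-tcp: yes\n", '  do-tcp: yes\n  tls-cert-bundle: "/etc/ssl/cert.pem"\n')
                   .replace("@853\n", "@853#cloudflare-dns.com\n"))

# forward-addr value: IP[@port][#tls-auth-name]; port defaults to 53 when omitted
ADDR_RE = re.compile(r"^(?P<ip>[^@#\s]+)(?:@(?P<port>\d+))?(?:#(?P<auth>\S+))?$")

def parse_unbound(text: str) -> Dict[str, object]:
    """Minimal parser: flat dict of options plus the list of forward-addr entries."""
    opts, addrs = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line.endswith(":"):  # blank, comment, section header
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip()
        if key != "forward-addr":
            opts[key] = value
            continue
        m = ADDR_RE.match(value)
        if m is None:
            raise ValueError(f"unparseable forward-addr: {value}")
        addrs.append({"ip": m["ip"], "port": int(m["port"] or 53), "auth": m["auth"]})
    return {"options": opts, "forward_addrs": addrs}

def audit(text: str) -> List[str]:
    """Return findings; [] means every upstream query goes over TLS on 853 to a verified server."""
    cfg = parse_unbound(text)
    opts, addrs, findings = cfg["options"], cfg["forward_addrs"], []
    tls = opts.get("ssl-upstream", opts.get("forward-tls-upstream", "no"))  # old and new option names
    if tls.lower() != "yes":
        findings.append("upstream TLS not enabled (ssl-upstream / forward-tls-upstream)")
    if not addrs:
        findings.append("no forward-addr: the resolver will recurse over plain port 53")
    for a in addrs:
        if a["port"] != 853:
            findings.append(f"forward-addr {a['ip']} uses port {a['port']}, not 853: cleartext DNS leak")
        elif a["auth"] is None:
            findings.append(f"forward-addr {a['ip']} has no #authname: upstream certificate not verified")
        elif "tls-cert-bundle" not in opts:
            findings.append(f"forward-addr {a['ip']} names {a['auth']} but no tls-cert-bundle is set")
    return findings
```

Paste your own Custom Options text into audit() after each change; the NAT redirect and the WAN block rule in the post cover the LAN side, this covers the resolver's own upstream side.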