How to detect if your devices are trying to circumvent your pihole

As I described in my previous blog post, you can set up a pi.hole DNS server to optimize your network traffic and your browsing experience. But not every device will be respecting your DHCP DNS settings it seems. Some devices have hardcoded DNS entries and just ignore your settings. Scott Helme wrote on his blog how to redirect those naughty devices and redirect their traffic to your pihole instead.

But before we start doing that I was curious to find how many of those devices I actually had on my network. To figure this out I had to setup my USG firewall to catch the TCP/UDP request on port 53 which are not originating from my pi-hole (on IP address 192.168.1.10). The USG firewall can be configured to log certain events on your firewall (without blocking the actions). This will show up in the log file on your USG. The log file can be found in /var/log/messages. You can view this file with the command:

tail -f /var/log/messages

Depending on your firewall configuration you will see almost nothing or a ton of information coming by. The goal is to capture these kind of events:

Oct 21 17:53:42 USG kernel: [WAN_OUT-2000-A]IN=eth1 OUT=eth0 MAC=80:2a:a8:f0:0a:49:94:9a:a9:23:23:40:08:00 SRC=192.168.1.186 DST=8.8.8.8 LEN=58 TOS=0x00 PREC=0x00 TTL=127 ID=59302 PROTO=UDP SPT=58633 DPT=53 LEN=38

What you see here is a request from IP address 192.168.1.186 doing a DNS request (DPT=53 meaning destination port 53 which is the port a DNS server listens to) to the DNS server at IP address 8.8.8.8.

A legitimate event would look like this:

Oct 21 17:55:05 USG kernel: [WAN_OUT-2000-A]IN=eth1 OUT=eth0 MAC=80:2a:a8:f0:0a:49:b4:fb:e4:8c:32:67:08:00 SRC=192.168.1.10 DST=1.1.1.1 LEN=57 TOS=0x00 PREC=0x00 TTL=63 ID=20414 DF PROTO=UDP SPT=23724 DPT=53 LEN=37

This is a DNS request coming from my pihole server on 192.168.1.10 and it’s configured to forward DNS requests to 1.1.1.1

Let’s set up the firewall to start generating these logs in your log file. I have done this with Unifi version 5.9.29 Go to your cloud key settings page. Click Routing & Firewall. Click on firewall on the top of your screen. Click WAN OUT and click on Create New Rule. This is how my screen looks like:

At the buttom you have to create a new Port group for the Destination. Click on create port group button and create one for DNS like I did below:

Make sure you click on the Add button after you filled in the port number (DNS listens to Port 53) before you hit save. Click Save again, This will cause your USG to be provisioned. SSH into your USG.

To only see all DNS request in your USG log file you can use the following command:

tail -f messages |grep -F “DPT=53 “

This will show any DNS requests going out to the internet, including the ones from your pihole. To only see the naughty devices you can use the following command (another grep, perhaps there is a more efficient way but this worked for me :)) where the IP address is the IP address of your pi-hole:

tail -f messages |grep -F “DPT=53 “| grep -v “SRC=192.168.1.10”

This one takes a while before it starts showing the log, but it worked for me. Now you will only see the DNS requests coming through your USG from your naughty devices. So how do you test this? The following command performs a DNS request and you can add a DNS server where the request is sent. This is a great way to test your setup:

nslookup techmeme.com 8.8.4.4

So far I have only seen a Samsung Galaxy S7 going to a Google DNS server directly. So the devices on my network seem to be well behaved.

 

 

 

Installing pihole on your Cloudkey gen2+

The other day I bought myself a Gen2 cloudkey plus from Ubiquiti and replace my old cloudkey. It comes installed with the Unifi SDN and the new Unifi Protect. The device looks really nice and has a little display which shows you information about the applications running on the device.

image

Since I have been playing with pi-hole lately on one of my Raspberry Pi’s, I was wondering if I could install pi-hole on the cloudkey so I would have everything from my network on a central place. With help of Google I managed to get it working by following the steps below:

First you have to install a DNS server on the cloudkey, since that’s used by the pi-hole software. ssh into your cloudkey and enter the following commands:

sudo –i

apt-get update

apt-get install dnsmasq

Than we can install the pi-hole software. I choose to download the install script and execute it on my device.

cd /tmp

wget -O basic-install.sh https://install.pi-hole.net
bash basic-install.sh

Keep all the defaults. the only thing I had to do was say no to keep the ip address from DHCP since it didn’t copy the IP adres, I entered it myself. During the install the lighttpd webservice will be installed too. This is used by the admin page.

Last thing is to change the default port of the website since that’s already taken by the cloudkey management interface. During pihole install lighttpd was installed

make a backup of the config:

cp /etc/lighttpd/lighttpd.conf /etc/lighttpd/lighttpd.conf.backup

sed -ie ‘s/= 80/= 81/g’ /etc/lighttpd/lighttpd.conf

or use vi/nano to edit the config file and change the server port

restart the webserver

/etc/init.d/lighttpd restart

 

http://<IP>:81/admin should bring up the pi-hole interface

 

Every time you run the pihole install you have to set the port of the webserver back to a non 80 port again

 

Let me know if this works for you or if I forgot to document a step.

New job in the Azure Identity team

Just posted the email to my colleagues and send an email to our wonderful Windows Development MVPs. Today is my last day in Windows (DEP, developer platform team). I am starting a new job in the Azure Identity organisation in the CxP team. I will be working with developers to evangelize and drive adoption of our Azure Active Directory platform. The full job description is below:

 

Senior Program Manager

Azure Active Directory Premium, B2C

The Digital Transformation era is upon us! Applications and data are moving to the cloud; employees want to be productive on devices they love from locations of their choice; organizations want to give seamless access to employees and partners; self-service is in and helpdesks are past. In the middle of all these exciting changes, security breaches are getting more sophisticated by the day. The single common factor in this journey that our customers are undertaking is … Identity.

The @Scale CXP team in the Identity engineering division within Cloud+AI works with partners, developers and customers from all over the world to drive service adoption and we work directly with engineering to shape the product. The best of both worlds!

As Microsoft cloud services adoption continues their rapid growth, Developers play a critical role in helping to drive usage of our services. Developers are at the center of enabling key customer scenarios building solutions ranging from enterprise scale applications and services to niche departmental business process apps. Assuring Developers have the technical skills and Identity developer platform necessary to build and sustain a vibrant Identity business is extremely important to our shared success. Assuring our developers needs are evangelized throughout our engineering organization as part of the engineering lifecycle is critical to our long-term business growth and sustainability.

Responsibilities

In this role you will help drive usage and adoption of the Identity dev platform by supporting awareness and growth of product expertise within the developer ecosystem, and define, build, and execute on engagements with developers to get feedback, evangelize their product needs, and drive enhancements through the engineering lifecycle. This work is instrumental for our business to learn from developers across the globe as we understand how our technology is adopted. Our world evolves at the speed of cloud and we are looking for active learners who can collaborate across a diverse team and global business.

Key Responsibilities:

Evangelize the Identity developer platform and drive its adoption

Drive usage: More active third-party apps built on the Microsoft Identity developer platform getting used more broadly across a larger customer base.

Drive engagement model with B2C developers to grow the inventory of apps in our marketplace, remove technical roadblocks and discuss product roadmaps. Connect with developers at major Microsoft or Industry events and road shows.

Own Technical Enablement and Readiness: Drive Identity dev platform awareness through calls, webinars, office hours, Yammer, training sessions, etc.

Define performance measure to provide our Identity leadership with crisper actionable insights.

Channel Developer feedback to the feature teams to help with prioritization.

Track and improve Developer satisfaction with our platform.

Partner with other Microsoft teams to align with their developer ecosystem strategy.

Regularly report out on impact and opportunities.

Qualifications

Basic Qualifications:

Minimum seven years of work experience in the computer software industry including two years of technical experience in security, cloud, and/or identity solutions.

Bachelor’s Degree in computer science or related discipline, or equivalent experience.

Preferred Qualifications:

Ability to Ramp to L400+ on Identity Platform Technology

Direct experience working with developers is highly desired

Collaboration/ in cross-teaming skills.

Comfortable working autonomously in a fast-paced environment where new challenges exist around every corner.

Ability to prioritize, time management and organizational skills.

Ability to take on complex systems and processes and drive simplification and improvements.

Self-starter, who can deal with ambiguity, maintains focus, drives to clarity and provides innovative solutions.

 

I had a amazing time in Windows. The last year working for one of the best managers I had in my career (thank you Lora!). I am going to miss working with the fantastic Windows Developer community and I hope our paths cross again. I will take some time off before I start the new role. Lots of new things to learn and I can finally talk and blog about my work again, so I expect to take you along, on my blog, during the Azure Identity journey I am about to make.