So I have gone a little crazy lately in my home lab. I have created an anycast address in the LAN, 10.10.10.10, that goes to the nearest Pi-hole (local, Datacenter 1 or Datacenter 2). While that was nice, I still wanted a way to have Pi-hole while on the go. I thought about a VPN; that works, but it is not perfect for what I want. A little more pondering and I found that Android 9 supports “Private DNS”. Turns out that it is simply DNS over TLS (DoT). That makes this so much easier.
How does one make a DoT server then? Again, the answer is really simple: stunnel4 is all you need. A quick bit of googling will get you to this page, which walks through a more in-depth setup of stunnel4. Boiled down, and assuming you have an SSL cert handy/installed on the system:
# apt install stunnel4     (Debian/Ubuntu package name, matching the stunnel4 unit below; on RHEL-family systems it is plain "yum install stunnel")
# cat /etc/stunnel/dnstls.conf
cert = /etc/letsencrypt/live/mindlesstux.com/fullchain.pem
key = /etc/letsencrypt/live/mindlesstux.com/privkey.pem

; in daemon mode stunnel expects accept/connect inside a named [service] section
[dns]
accept = 853
connect = 10.10.10.10:53
# systemctl enable stunnel4
# systemctl start stunnel4
(Older Debian/Ubuntu stunnel4 packages also need ENABLED=1 in /etc/default/stunnel4 before the service will start.)
After that, it was a matter of punching a hole in the firewall to allow TCP 853 in to the server running the stunnel4 daemon. Once that was up I added a DNS record for exampledot.mindlesstux.com pointing to the IP where the firewall hole was punched. Finally, on my Android phone: Settings -> Network & Internet -> Advanced -> Private DNS. I set that to “Private DNS provider hostname” and put the mentioned hostname in the text field. Bam, now anywhere I go my phone is covered by one of my Pi-holes.
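To confirm the listener does what Android expects, here is a small DoT client (RFC 7858) as an added example; it is not code from the post. It builds a DNS query by hand, sends it over TLS with the 2-byte length framing that DNS-over-TCP uses, validates the certificate chain and hostname the same strict way Android's "Private DNS provider hostname" mode does, and parses the answer. The endpoint name exampledot.mindlesstux.com and port 853 come from the post; the queried name pi.hole and the A-record type are assumptions. Note that DoT authenticates the server only: anything that can reach 853 can use the resolver, so the firewall hole is the only thing gating who gets to query your Pi-hole.

```python
"""DNS-over-TLS (RFC 7858) client for checking the stunnel4 listener above.
Added example for this post; it is not the post's own code. The endpoint name
exampledot.mindlesstux.com comes from the post and port 853 from the stunnel
'accept' line; the default query name (pi.hole) and type are assumptions."""
import secrets
import socket
import ssl
import struct

DOT_HOST = "exampledot.mindlesstux.com"
DOT_PORT = 853


def build_query(qname: str, qid: int, qtype: int = 1) -> bytes:
    """Wire-format DNS query: header with RD set, one question (A record by default)."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def _read_name(msg: bytes, off: int):
    """Decode a (possibly compressed) domain name; returns (name, offset after it)."""
    parts, end, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # compression pointer (RFC 1035 4.1.4)
            hops += 1
            if hops > 16:                              # guard against pointer loops in bad replies
                raise ValueError("too many compression pointers")
            if end is None:
                end = off + 2                          # the name ends after the first pointer
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        parts.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(parts), (end if end is not None else off)


def parse_response(msg: bytes, expected_id: int) -> dict:
    """Parse the header and answer section; returns the rcode and a list of answers."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if qid != expected_id:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    off = 12
    for _ in range(qdcount):                           # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = _read_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            answers.append((name, "A", socket.inet_ntoa(rdata), ttl))
        else:
            answers.append((name, f"TYPE{rtype}", rdata.hex(), ttl))
    return {"rcode": flags & 0x000F, "answers": answers}


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("connection closed mid-message")
        buf += chunk
    return buf


def query_dot(qname: str, host: str = DOT_HOST, port: int = DOT_PORT, timeout: float = 5.0) -> dict:
    """Send one query over TLS; returns the parsed answer plus the negotiated TLS version."""
    qid = secrets.randbelow(65536)
    query = build_query(qname, qid)
    ctx = ssl.create_default_context()                 # verifies chain and hostname, as Android does
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(struct.pack("!H", len(query)) + query)   # DNS-over-TCP 2-byte length prefix
            length = struct.unpack("!H", _recv_exact(tls, 2))[0]
            result = parse_response(_recv_exact(tls, length), qid)
            result["tls_version"] = tls.version()
            return result


if __name__ == "__main__":
    import sys
    print(query_dot(sys.argv[1] if len(sys.argv) > 1 else "pi.hole"))
```

If the certificate check fails here it will fail on the phone too, so run this from outside the LAN after the DNS record has propagated; an rcode of 0 with the expected A record means stunnel is forwarding to the Pi-hole correctly.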
Now to look into providing DNS over HTTPS (DOH) the same way…
So I have a few “hand me down” Dell servers. The ones I use right now have iDRAC 7 in them. I have always been annoyed at the SSL warning that comes up. I thought about rolling my own CA and generating my own certs. I shot that down though, as sometimes I pull up the iDRACs remotely from systems where I don’t want to install the custom root cert. I finally took the time to figure out how to take the Let’s Encrypt free SSL cert and apply it to the iDRACs. This is mainly because they started issuing wildcard certs as of today.
So, step one: reissue all my certs into one nice wildcard cert. It took a bit of effort, but to make things simple for others that may find this: install certbot-auto on a Linux system and run something like:
./certbot-auto certonly --rsa-key-size=4096 -d domain.com -d '*.domain.com' --server https://acme-v02.api.letsencrypt.org/directory --manual
(quote the wildcard, otherwise the shell tries to expand *.domain.com as a file glob)
Follow the prompts and set up the verification checks as requested. If all goes well you will get a message saying you have a new cert and that it lives at /etc/letsencrypt/live/domain.com/.
From there I scp’ed the private key and the full chain down to my Windows VM where I have racadm installed. For quick finding, for those that need racadm installed on a Windows system: download, unzip, run the installer, good to go. After that, all that was needed was to run 3 commands in a command prompt in the directory where the two files I scp’ed to the system live.
racadm -r idrac1.domain.com -u adminuser -p adminpass sslkeyupload -t 1 -f privkey.pem
racadm -r idrac1.domain.com -u adminuser -p adminpass sslcertupload -t 1 -f fullchain.pem
After the iDRAC reset itself following those commands, I had a shiny and valid SSL cert. There can be a small hiccup: you may get a system that says “The Remote RACADM interface is disabled”. As long as you trust your firewalls, go to Overview -> iDRAC Settings -> Network -> Services -> Remote RACADM, tick the Enabled box and apply.
Next up: see if I can make Java not complain when loading the virtual console. Or perhaps scripting this somehow to automatically check daily whether a new cert was issued and pull/push it.
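One way to do that daily check, as an added example rather than the post's or Dell's own code: compare the SHA-256 fingerprint of the leaf in fullchain.pem with the fingerprint of the certificate the iDRAC web interface currently presents, and only run the two racadm upload commands from the post when they differ (so the iDRAC is not reset every day for nothing). It assumes it runs on a host that has both the Let's Encrypt files and racadm on PATH; the host idrac1.domain.com and the /etc/letsencrypt/live/domain.com path are the placeholders from the post.

```python
"""Check whether an iDRAC still presents the current Let's Encrypt leaf cert
and, if not, push the key and chain with the two racadm commands from the post.
Added example, not Dell's or the post's own code. Host, credentials, paths and
the racadm location are placeholders/assumptions."""
import hashlib
import socket
import ssl
import subprocess
import sys

LIVE_DIR = "/etc/letsencrypt/live/domain.com"   # placeholder path from the post
IDRAC_HOST = "idrac1.domain.com"                # placeholder host from the post
RACADM = "racadm"                               # assumed to be on PATH

BEGIN = "-----BEGIN CERTIFICATE-----"
END = "-----END CERTIFICATE-----"


def leaf_pem(fullchain_text: str) -> str:
    """Return only the first certificate block (the leaf) of a fullchain.pem."""
    start = fullchain_text.find(BEGIN)
    stop = fullchain_text.find(END, start)
    if start < 0 or stop < 0:
        raise ValueError("no PEM certificate found")
    return fullchain_text[start:stop + len(END)] + "\n"


def local_der(fullchain_text: str) -> bytes:
    """DER bytes of the leaf; the stdlib helper only base64-decodes, so hand it one block."""
    return ssl.PEM_cert_to_DER_cert(leaf_pem(fullchain_text))


def sha256_fingerprint(der: bytes) -> str:
    """SHA-256 over the DER encoding, the same value browsers show as the fingerprint."""
    return hashlib.sha256(der).hexdigest()


def remote_fingerprint(host: str, port: int = 443, timeout: float = 10.0) -> str:
    """Fingerprint of the leaf the iDRAC web server currently presents."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE   # comparison only; no trust decision is made on this connection
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return sha256_fingerprint(tls.getpeercert(binary_form=True))


def needs_upload(local_fp: str, remote_fp: str) -> bool:
    return local_fp.lower() != remote_fp.lower()


def racadm_upload(host: str, user: str, password: str, live_dir: str = LIVE_DIR) -> None:
    """The two upload commands from the post; the iDRAC resets itself afterwards."""
    for subcmd, fname in (("sslkeyupload", "privkey.pem"), ("sslcertupload", "fullchain.pem")):
        subprocess.run(
            [RACADM, "-r", host, "-u", user, "-p", password,
             subcmd, "-t", "1", "-f", f"{live_dir}/{fname}"],
            check=True,
        )


def sync(host: str, user: str, password: str, live_dir: str = LIVE_DIR) -> bool:
    """Upload only when the served leaf differs from the one on disk; returns True if it did."""
    with open(f"{live_dir}/fullchain.pem") as f:
        want = sha256_fingerprint(local_der(f.read()))
    have = remote_fingerprint(host)
    if not needs_upload(want, have):
        return False
    racadm_upload(host, user, password, live_dir)
    return True


if __name__ == "__main__":
    # usage: python idrac_cert_sync.py <idrac-host> <user> <password>
    print("uploaded" if sync(*sys.argv[1:4]) else "already current")
```

Run it from cron after certbot's renewal slot. Because racadm takes the password on its command line, keep the credentials in a root-only file rather than in the crontab itself, and note that the fingerprint fetch deliberately skips chain validation; whether the new chain validates is what the browser check (or the DoT client's strict verification) is for.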
So with this new server I am setting up, I wanted to install the Dell OpenManage software but got a headache from doing so. Just about everything I was finding was pointing me to CentOS-based info and I am using an Ubuntu-based system. Hence my headache. After hours of googling I finally found the page I did, and it helped me get Dell OpenManage installed. Of course I had to mangle their instructions some, but it was not too bad. Below is what I used and a link to the page that was helpful.
echo 'deb http://linux.dell.com/repo/community/ubuntu trusty openmanage' | sudo tee -a /etc/apt/sources.list.d/linux.dell.com.sources.list
gpg --keyserver hkp://pool.sks-keyservers.net:80 --recv-key 1285491434D8786F ; gpg -a --export 1285491434D8786F | sudo apt-key add -
sudo apt-get update
sudo apt install srvadmin-base srvadmin-storageservices srvadmin-idrac7
# sudo apt install srvadmin-webserver
# sudo service dsm_om_connsvc start && sudo update-rc.d dsm_om_connsvc defaults
I ran into an issue recently that I tracked back to the systemd resolver trying to be a tad too helpful and causing me pain through DNS. So I set out to kill it and keep it disabled across reboots. In some quick googling I found a good answer on askubuntu.com.
Regurgitating the answer here for my reference later and for anyone to find (along with a reference link below).
- Disable the systemd-resolved service:
sudo systemctl disable systemd-resolved.service
sudo systemctl disable systemd-resolved-update-resolvconf.service
sudo service systemd-resolved stop
- If the file exists, add the setting to the “[main]” section in /etc/NetworkManager/NetworkManager.conf
- Delete the symlink and replace /etc/resolv.conf
- Restart network-manager:
sudo service network-manager restart
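A quick way to confirm the stub resolver is really out of the path after those steps, as an added example (not from the askubuntu answer): it reads /etc/resolv.conf, reports whether it is still a symlink into systemd-resolved's run directory, and flags the 127.0.0.53 stub address if it is still listed. Those two indicators are the stock systemd layout; the sample resolv.conf text in the test is constructed.

```python
"""Check whether systemd-resolved is still in the DNS path after disabling it.
Added example, not part of the original post or the askubuntu answer. Assumes
the stock systemd layout: the stub listens on 127.0.0.53 and resolved manages
/etc/resolv.conf through a symlink into /run/systemd/resolve/."""
import os
from typing import Optional

STUB_ADDR = "127.0.0.53"


def parse_nameservers(resolv_text: str) -> list:
    """nameserver entries from resolv.conf text, ignoring '#' and ';' comments."""
    servers = []
    for raw in resolv_text.splitlines():
        line = raw.split("#", 1)[0].split(";", 1)[0].strip()
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers


def stub_in_use(resolv_text: str, link_target: Optional[str]) -> bool:
    """True if DNS still goes through systemd-resolved (its symlink, or its stub address)."""
    if link_target and "systemd/resolve" in link_target:
        return True
    return STUB_ADDR in parse_nameservers(resolv_text)


def check_host(path: str = "/etc/resolv.conf") -> dict:
    """Inspect the live file; symlink_target is None once the symlink has been replaced."""
    target = os.readlink(path) if os.path.islink(path) else None
    with open(path) as f:
        text = f.read()
    return {
        "symlink_target": target,
        "nameservers": parse_nameservers(text),
        "stub_in_use": stub_in_use(text, target),
    }


if __name__ == "__main__":
    print(check_host())
```

If stub_in_use is still True after a reboot, NetworkManager has regenerated the file, which usually means the “[main]” setting in NetworkManager.conf did not take.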
The newer version of the Play Store on Android phones moved the check box from what I would call an ideal location to one that, while it makes sense, is the last place I would check.
For my personal note and anyone that finds this:
Home screen, press hold
Scroll to bottom, toggle 'Add icon to Home screen'