I noticed the market emergence of nano-computers like Android boxes or Raspberry Pi which allow to easily setup services that may have been prohibitely expensive in the past.

So, I decided to pruchase a Raspberry Pi 3 B+ (a rather cheap network little box, with low power consumption, able to stay online permanently, and easily configurable). I wanted to start by deploying the minimal network services to give me maximum agency.

Minimum feature set included:

• A DHCP server (to assign IP addresses on the local network with ability to fix some of them in a static list, for easier management)
• A DNS server providing
  • DNS request cache (to speed up the overall Internet access of my Internet users)
  • Delivery of local network names
  • Capacity to allow future DNS filtering (I don’t care much about adult-content filtering, but I’d like to stop some of the phishers, even if these two activities are technically identical)

In the future, some more services may come handy (nothing of this has been studied here):

• An NTP server (for time)
• A WINS Windows names server

Comparison

As a matter of fact, I noticed that two serveurs seemed able to simultanesouly provide DHCP and DNS: Unbound and dsnmasq.

Unbound highlights:

• Lightweight server
• DNSSEC support
• rather security-oriented
• No DNS authoritative server (but able to handle a local domain)

dnsmasq highlights:

• Lightweight server
• DNSSEC support
• DHCP and DNS are integrated in the same server
• May use /etc/hosts to feed DNS
• No DNS recursive server (only forward to an authoritative/recursive like 8.8.8.8 or 9.9.9.9 or your ISP DNS server)
• No DNS authoritative server (but able to handle a local domain)

I chose dnsmasq, mainly because of the DNS + DHCP integration.

Some surprising discoveries

Première information vite découverte : les serveurs NAS Synology sont tout à fait incompatibles avec le filtrage de DNS de CleanBrowsing. Celui-ci compte synology.me (service nécessaire pour le DDNS de Synology) dans les domaines à risque. De nombreux services du NAS cessent immédiatement de fonctionner.

Je n’ai pas vérifié mais il est probable que de nombreux autres services DDNS (Dynamic DNS) soient black-listés pour les mêmes raisons : devant le nombre de petits serveurs Synology (ou autres) mal configurés, ces DDNS renvoient sans doute vers une forte proportion de domaines qui ont été pris en otage par les hackers.

Il faut donc pouvoir gérer cela plus finement si vous avez vous-même votre propre NAS Synology (et sans doute d’autres marques).

Observations

After a few months of dnsmasq use on Rapsberry Pi, it is time to comment and share my experience.

First, this worked really well. Even if I had one case of locked down DHCP server (no warning, no error, but killed). I tried finding why, but it was far easier to reboot the server box (On-Off switch) to restore the service. Of course, a few minutes of digging into logs did bring me some worried looks from another network user…

The DNS filter setup to remove access to some risky domains work perfectly well. But, I have to admit that nothing seems to have triggered that (except my tests). Since this is not the only security barrier on my network, this may be OK. For the record, here is the filter creation script I use:

#!/bin/sh
#Dated 2020-11-10 1.0 Addition of --quiet to wget (to reduce clutter to /var/mail/pi)
#                     *** STABLE RELEASE ***

cd /var/lib/work

#Get anti-phishing filter lists from Internet
wget -q -O ./isc-low.txt 'https://isc.sans.edu/feeds/suspiciousdomains_Low.txt'
wget -q -O ./isc-med.txt 'https://isc.sans.edu/feeds/suspiciousdomains_Medium.txt'
wget -q -O ./isc-hig.txt 'https://isc.sans.edu/feeds/suspiciousdomains_High.txt'
wget -q -O ./yoyo.dnsmasq.txt 'https://pgl.yoyo.org/adservers/serverlist.php?hostformat=dnsmasq&hostformat=nohtml&showintro=0&mimetype=plaintext'
#Remodel the lists into DNSmasq filters
catcherIP='192.168.1.250'
inputfile="./isc-med.txt"
tmpfile="/tmp/.adlist.$$"
tmpconffile="/tmp/.dnsmasq.conf.$$"
configfile="/etc/dnsmasq.filter.conf"
configheader="/etc/dnsmasq.filter.header"

#Start with putting our own header
    [ -f "$configheader" ] && cat $configheader >> $tmpconffile
#check if TmpFile could be init'd with header
if [ ! -s $tmpconffile ]
then
    echo "temp fil '$tmpconffile' could not be found or is empty; quitting"
    exit
fi
#Remove list headers
cat $inputfile | grep -v "^#" | grep -v "^Site$" > $tmpfile
#Buid list to DNSmasq format, and add it to the file
sed "s/(.*)/address=\/\1\/${catcherIP}/" $tmpfile >> $tmpconffile
#Move the final list to destination
sudo cp $tmpconffile $configfile

One of the advantages of this server is its speed. I may have been slightly worried (or attentive) before knowing the Raspberry Pi, but there was no reason. Maybe because of the low workload (despite an HTTP server, some distant connexions, and a few local scripts) and because of the good power developed by the CPU, everything is fine and dandy even when a dozen clients are pounding the DNS server (the iPhones are quite insistant in using the netowrk on a continuous basis)).

dnsmasq is perfectly able t manageIPv6 DHCP, and correspondingIPv6 DNS. Documentation about this is terse (if not simply lacking), but it works well and I learned quite a few things. The Raspberry Pi was so reliable that it was IPv6 proxy during some of my tests without any perceptible impact. (I was rightfully impressed).

After initially using dynamic address allocation, I moved the DHCP server into a nearly exclusively static configuration (my own choice in order to have easier local client identification). No big deal, neither in IPv4 nor in IPv6.

Conclusion: Totally positive.

In the future, I may be tempted to deploy more powerful servers for DHCP and DNS for a wider support (maybe or maybe not) and to try a network spy like SNORT or SURICATA. But this is a completely different story. And, in this case, I may be tempted to go to a really powerful solution (I have an Avenger96 under initial trial, but its software support seems to be a real mess).

A few other interesting links

• A few other solutions for a DHCP server:
  • DNSmasq installation (DHCP only)
  • Dragon: DNSmasq installation (DHCP + DNS)
  • Instructables: installation for DNSmasq (DHCP & DNS)
  • ISC-DHCP server on Debian
  • ISC-DHCP server on Ubuntu
  • Tools designed to work with ISC-DHCP
  • Fast instructions for installing DHCP, DNS, and NTP on Raspberry Pi
• Some data about installation of another DNS server:
  • BIND local-mode DNS server on Debian 9
  • BIND authoritative DNS server on Ubuntu
  • BIND “caching” or “forward-only” DNS server on Ubuntu
• DNS filters:
  • THE guide on cleaning DNS from public domain lists
• Setup of a LaSynology NAS or router:
  • Configuration of a DNS server on DSM
• Server comparisons:
  • BIND vs. dnsmasq vs PowerDNS vs Unbound
    
    
    
    

I’ve got a Fiber connexion to the Internet (at Numéricable, one of the main ISP in France) which is forcing a dynamic IP address on me (no fixed IP address, even with a premium; They’ve settled in the XXth century). This would not be very serious except that I host a RAID server from Synology (a DS413j DiskStation with 4 hard drives in RAID-5 redundant mode) which provides several services I would like to share with the Internet (while I’m travelling with my iPhone or my laptop, I’d like to get access to my files through FTP, or my email server).

So, I decided to set things right in order to appropriately locate the Synology DiskStation in a sub-domain of my own (e.g. mail.roumazeilles.net).

The solution I opted for:

Dynamic IP addess:

Since my IP address is dynamic, there’s no way I can progress until I solved this single issue. I chose to use the DDNS service DDNS from Synology. Since I use DSM 5.0 (the most recent software version from Synology), I can reach the appropriate option through the control panel and the “External access” menu. I just added a DDNS, selecting Synology as a service supplier, and I recorded the name I wanted (let’s say ds). From this point, despite the IP address changes, my DiskStation is always accessible at ds.synology.me.

DNS subdomain:

After that, I need to point mail.roumazeilles.net onto ds.synology.me. This is slightly more complex because my roumazeilles.net domain nam is reserved atz Gandi and it is pointed toward a server hosted by OVH. It’s the hosted server (rented from OVH) which includes all the information relating to roumazeilles.net. So, I went to my server control panel and, in its DNS configuration, I modified (in your case, you may need to add) a CNAME record.

mail 10800 IN CNAME ds.synology.me. (Don’t forget the final dot/period in your CNAME entry, or it won’t work!)
Since I am lucky, my control panel at OVH includes an easy way to get the correct syntax (it’s safer): I tell it the mail subdomain is described by a CNAME record pointing to ds.synology.me (a bit terse, but not difficult).

Then, I only had to wait for the DNS information to “propagate” (from a few minutes to a few hours, sometimes up to 24-48 hours). And a little check using ping mail.roumazeilles.net confirmed that it answered from my Numéricable IP address.

There are few things that you can do to significantly improve the speed of your Internet connection. Of course, you can switch to another Internet Service Provider, but it’s a mess. On the opposite, it is easy to have an sub-optimal connection because of the response time of the DNS server of your Internet Provider. This server offers a translation service a domain name (for example, www.roumazeilles.net) into its equivalent numeric IP address (the only one that the web browser really understands and needs).

But all DNS servers are not born equal and if those offered by your Internet Service Provider (ISP) have an advantage (they are nearer to your own computer), they are not always the fastest ones. NameBench gives you the opportunity to easily and automatically check what DNS server is the most efficient (and to compare it with your own current DNS configuration).

In my own personal case, I just reduced DNS times by 50% (no less!) while I thought I had a rather good configuration. As a matter of fact, Neuf Telecom servers are faster that those from Free…

This works on Windows, MacOS as well as GNU/Linux.

By the way, for those of you who may be wondering, Yes! I included the all new Google DNS as one of the tested options and it was far slower than most of the other freely available possibilities.