Categories
Google Linux Networking

NextDNS + EdgeRouter + Redirecting DNS requests

Realised I haven’t updated this in a long while (life happened).

Couple of weeks ago I started to play with NextDNS — and I really recommend anyone that’s something privacy minded and cares about the stuff happening on their network.

I’ve set up several configs (home, parents, FlatTurtle TurtleBox (the NUCs controlling the screens)) and Servers. Once it’s out of beta and better supported on Unifi and Ubiquiti hardware I might deploy it to our public WiFi (well, most access points don’t look like that — but you get the point) networks too.

Looking at the logs was an eye-opener seeing what goes through your network. You can play around and block (or whitelist) certain domains.

I figured out my Devialet does an insane amount of requests to cache.radioline.fr for example. This domain has a 30s TTL. It shows that the majority of my DNS requests are actually automated pings and not in any way human traffic.

Anyhow — I’ve since installed the NextDNS CLI straight on my EdgeRouter Lite acting as a caching DNS server and forwarding using DoH.

I’ve turned off dnsmasq (/etc/default/dnsmasq => DNSMASQ_OPTS="-p0") and have NextDNS listen to :53 directly.

Note that every EdgeOS update seems to wipe out the NextDNS installation, and requires a fresh install… Pain in the ass and doesn’t seem like that’s fixable.

This is my ERL NextDNS config (/etc/nextdns.conf)

hardened-privacy false
bogus-priv true
log-queries false
cache-size 10MB
cache-max-age 0s
report-client-info true
timeout 5s
listen :53
use-hosts true
setup-router false
auto-activate true
config 34xyz8
detect-captive-portals false
max-ttl 0s

The explanation of every flag is explain on their Github page and they are very responsive via issues or through their chat on my.nextdns.io.

All right — next thing I’ve noticed is that my Google Home devices are not sending any DNS requests — which means the devices use hard coded DNS servers.

I have a separate vlan (eth1.90) for Google Home (includes my Android TV, OSMC, Nest Home Hub and all other GHome and Chromecast devices). For this vlan I set up a deflector to be able to cast and ping/ssh from my “main” network/vlan to GHome vlan.

Using this guide I redirected all external DNS traffic to the ERL so I can monitor what’s happening. The important part was the following:

[email protected]# show service nat rule 4053
destination {
port 53
}
inbound-interface eth1.90
inside-address {
address 10.3.34.1
port 53
}
protocol tcp_udp
type destination

This allows to “catch” all UDP and TCP connections to :53 and redirect them the ERL DNS server (10.3.34.1). The GHome devices were acting a bit weird after committing the change, but a reboot of the device fixed it.

Note that you need to set this up per vlan. If you want to catch DNS requests for your Guest or IoT vlan, you’ll need to do the same.

Categories
Google Hardware

Yard Sale: Nexus 6

Nexus 6

  • Details
  • New device from end of September (used for one month; I’ve owned a N6 for a longer time, but due to a battery problem, Google swapped it for a brand new device; then I swapped to a Nexus 6P)
  • Midnight Blue edition
  • 64Gb
  • 4G and stuff (side note: reception & signal is a million times better than a Nexus 5)
  • You do of course receive the Moto TurboPower charger with it
  • Bought via Google Play store (comes with warranty, support, etc), original phone bought July 2015, so plenty of warranty left
  • No scratches or anything
  • Comes with Android 6
  • Selling because I own a Nexus 6P
  • Price: offer
  • 2dehands

Includes original packaging/boxes.

Email: [email protected]

IMG_20160716_113744  IMG_20160716_113752

Categories
Google Linux Networking

Postfix delete mails from/to one address

Monit suddenly sending 18.000 e-mail? Gmail blocking your mx IP & getting all other incoming emails to your Gmail account (as it’s getting forwarded to Gmail) delayed?

Have no fear…

mailq | grep [email protected] | cut -d' ' -f1 | xargs -rn1 postsuper -d

Edit the e-mail address.

Note: mainly a reminder for myself. 😉

Categories
Errors Google Hardware

Nexus 5: boot loop

I had a Nexus 5 stuck in a boot loop (Android logo/animation in a loop, not actually booting).

This is what I think I’ve done to fix the issue. It seemed that /persist partition was corrupt. I tried a factory reset, flash new stock images, and clear cache, etc before trying the following.

Note that I managed to boot Android 4.4, but nothing else; it did throw a shit load of errors though (Google Play crashes, etc).

First of all, get ADB & Fastboot here. You’ll also need an hex editor (mac).

This will unlock your phone’s OEM mode; and thus potentially voiding warranty and erasing all data (!).

Edit file paths as needed, this is a copy paste of what I can still see on my terminal.

If you know your device’s WiFi MAC & Bluetooth address that’ll be useful for later, as apparently that gets wiped.

Boot into recovery boot by turning off your device and then holding the power + volume down button.

$ ./fastboot-mac oem unlock
... OKAY

Flash openrecovery (TWRP):

./fastboot flash recovery ../openrecovery-twrp-2.8.5.2-hammerhead.img
sending 'recovery' (13918 KB)... OKAY
writing 'recovery'... OKAY

Boot into recovery mode (using volume buttons) from the recovery boot. ADB should work now. This will find a bunch of errors and destroy the partition.

nazgul ~/Android $ ./adb-mac shell

~ # e2fsck /dev/block/platform/msm_sdcc.1/by-name/persist
e2fsck 1.42.9 (28-Dec-2013)
Superblock has an invalid journal (inode 8).
Clear<y>? y
yes
*** ext3 journal has been deleted - filesystem is now ext2 only ***
Superblock has_journal flag is clear, but a journal inode is present.
Clear<y>? yes
/dev/block/platform/msm_sdcc.1/by-name/persist was not cleanly unmounted, check forced.
Pass 1: Checking inodes, blocks, and sizes
Journal inode is not in use, but contains data. Clear<y>?
yes
Pass 2: Checking directory structure
Pass 3: Checking directory connectivity
Pass 4: Checking reference counts
Pass 5: Checking group summary information
Block bitmap differences: -(75--1098)
Fix<y>?
yes
Free blocks count wrong for group #0 (2972, counted=3996).
Fix<y>?
yes
Free blocks count wrong (2972, counted=3996).
Fix<y>?
yes
Recreate journal<y>?
yes
Creating journal (1024 blocks): Done.
*** journal has been re-created - filesystem is now ext3 again ***
/dev/block/platform/msm_sdcc.1/by-name/persist: ***** FILE SYSTEM WAS MODIFIED *****
/dev/block/platform/msm_sdcc.1/by-name/persist: 30/1024 files (3.3% non-contiguous), 1124/4096 blocks

~ # e2fsck /dev/block/platform/msm_sdcc.1/by-name/persist
e2fsck 1.42.9 (28-Dec-2013)
/dev/block/platform/msm_sdcc.1/by-name/persist: clean, 30/1024 files, 1124/4096 blocks

~ # make_ext4fs /dev/block/platform/msm_sdcc.1/by-name/persist
Creating filesystem with parameters:
Size: 16777216
Block size: 4096
Blocks per group: 32768
Inodes per group: 1024
Inode size: 256
Journal blocks: 1024
Label:
Blocks: 4096
Block groups: 1
Reserved block group size: 7
Created filesystem with 11/1024 inodes and 1102/4096 blocks
Allocating group tables: done
Writing inode tables: done
Writing superblocks and filesystem accounting information: done

So far, so good. Persist partition was corrupt and recreated.

The original howto (see below) said root (su) was needed here; however it worked without root for me (?).

Download this file (kudos to whoever made it) and unrar it. Use your hex editor to edit last 6 digits (“00 00 00”) to a valid hex value, or even better, your actual MAC address if you can remember/find it.

Now upload these two (hidden) files to /sdcard/:

nazgul ~/Android $ ./adb-mac push .bdaddr /sdcard/.bdaddr
0 KB/s (6 bytes in 0.078s)
nazgul ~/Android $ ./adb-mac push .macaddr /sdcard/.macaddr
1 KB/s (6 bytes in 0.004s)

And run these commands:

nazgul ~/Android $ ./adb-mac shell
~ # su
/sbin/sh: su: not found
~ # cd /persist
/persist # ls
/persist # mkdir bluetooth wifi
/persist # chown bluetooth:system ./bluetooth
/persist # chmod 770 ./bluetooth
/persist # ls
bluetooth
wifi
/persist # cp /sdcard/.bdaddr /persist/bluetooth
/persist # chown bluetooth:system ./bluetooth/.bdaddr
/persist # chmod 660 ./bluetooth/.bdaddr
/persist # chown wifi:system ./wifi
/persist # chmod 770 ./wifi
/persist # cp /sdcard/.macaddr /persist/wifi
/persist # chown wifi:system ./wifi/.macaddr
/persist # chmod 660 ./wifi/.macaddr
/persist # rm /sdcard/.bdaddr
/persist # rm /sdcard/.macaddr
/persist # reboot

Go back into recovery boot and flash Android (I flashed 4.4 first, made sure it worked, and then flashed 6.0.1 (latest at this time); but you can probably flash latest version right away. Also unzip the zip file with all the images inside the .tar.gz — we’ll need the files later:

nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./flash-all.sh
sending 'bootloader' (3120 KB)... OKAY
writing 'bootloader'... OKAY
rebooting into bootloader... OKAY
sending 'radio' (45425 KB)... OKAY
writing 'radio'... OKAY
rebooting into bootloader... OKAY
archive does not contain 'boot.sig'
archive does not contain 'recovery.sig'
archive does not contain 'system.sig'
--------------------------------------------
Bootloader Version...: HHZ12k
Baseband Version.....: M8974A-2.0.50.2.28
Serial Number........: 0644c9920b105eb5
--------------------------------------------
checking product... OKAY
checking version-bootloader... OKAY
checking version-baseband... OKAY
sending 'boot' (9154 KB)... OKAY
writing 'boot'... OKAY
sending 'recovery' (10012 KB)... OKAY
writing 'recovery'... OKAY
sending 'system' (1020405 KB)... OKAY
writing 'system'... OKAY
erasing 'userdata'... OKAY
erasing 'cache'... OKAY
rebooting...

Note that it won’t actually boot yet, so go back into recovery boot, and flash userdata and cache (not sure why they go missing or get entirely erased):

nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./fastboot flash userdata image-hammerhead-mmb29k/userdata.img
sending 'userdata' (137318 KB)... OKAY
writing 'userdata'... OKAY
nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./fastboot flash cache image-hammerhead-mmb29k/cache.img
sending 'cache' (13348 KB)... OKAY
writing 'cache'... OKAY

Execute a normal boot now, and wait 5 to 10 minutes.

Android should boot up normally now.

You can also OEM lock your phone again, if you wish (but a sticky bit has been set).

I’ve followed these forum posts.

Categories
Google Hardware Misc

Yard Sale: Nexus 6 & Nexus 9

For sale:

Nexus 9

  • Details
  • White edition
  • 16Gb
  • No 3/4G
  • bought via Amazon UK, comes with UK charger, in May 2015
  • Comes with latest Android (6)
  • Pretty much as new. Barely used to be honest.
  • Selling because I don’t see the point of owning a tablet (I’ve tried, a Nexus 7, and now this, but nah)
  • Available: yesterday 🙂
  • Price: offer

Nexus 6

  • Details
  • New device from end of September (just over a month old; I’ve owned a N6 for a longer time, but due to a battery problem, Google swapped it for a brand new device)
  • Midnight Blue edition
  • 64Gb
  • 4G and stuff (side note: reception & signal is a million times better than a Nexus 5)
  • You do of course receive the Moto TurboPower charger with it
  • Bought via Google Play store (comes with warranty, support, etc), original phone bought July 2015, so plenty of warranty left
  • No scratches or anything
  • Comes with Android 6
  • Selling because I want a Nexus 6P
  • Available: when I receive my Nexus 6P (2? more weeks?)
  • Price: offer

Both include original packaging/boxes.

Mail me at: yeri+nexus @ tiete.be