Category: Google

All Google stuff

NextDNS + EdgeRouter + Redirecting DNS requests

Post author By Yeri Tiete
Post date Tuesday, April 21, 2020
No Comments on NextDNS + EdgeRouter + Redirecting DNS requests

Realised I haven’t updated this in a long while (life happened).

Couple of weeks ago I started to play with NextDNS — and I really recommend anyone that’s something privacy minded and cares about the stuff happening on their network.

I’ve set up several configs (home, parents, FlatTurtle TurtleBox (the NUCs controlling the screens)) and Servers. Once it’s out of beta and better supported on Unifi and Ubiquiti hardware I might deploy it to our public WiFi (well, most access points don’t look like that — but you get the point) networks too.

Looking at the logs was an eye-opener seeing what goes through your network. You can play around and block (or whitelist) certain domains.

I figured out my Devialet does an insane amount of requests to cache.radioline.fr for example. This domain has a 30s TTL. It shows that the majority of my DNS requests are actually automated pings and not in any way human traffic.

Anyhow — I’ve since installed the NextDNS CLI straight on my EdgeRouter Lite acting as a caching DNS server and forwarding using DoH.

I’ve turned off dnsmasq (/etc/default/dnsmasq => DNSMASQ_OPTS="-p0") and have NextDNS listen to :53 directly.

Note that every EdgeOS update seems to wipe out the NextDNS installation, and requires a fresh install… Pain in the ass and doesn’t seem like that’s fixable.

This is my ERL NextDNS config (/etc/nextdns.conf)

hardened-privacy false
bogus-priv true
log-queries false
cache-size 10MB
cache-max-age 0s
report-client-info true
timeout 5s
listen :53
use-hosts true
setup-router false
auto-activate true
config 34xyz8
detect-captive-portals false
max-ttl 0s

The explanation of every flag is explain on their Github page and they are very responsive via issues or through their chat on my.nextdns.io.

All right — next thing I’ve noticed is that my Google Home devices are not sending any DNS requests — which means the devices use hard coded DNS servers.

I have a separate vlan (eth1.90) for Google Home (includes my Android TV, OSMC, Nest Home Hub and all other GHome and Chromecast devices). For this vlan I set up a deflector to be able to cast and ping/ssh from my “main” network/vlan to GHome vlan.

Using this guide I redirected all external DNS traffic to the ERL so I can monitor what’s happening. The important part was the following:

yeri@sg-erl# show service nat rule 4053
destination {
port 53
}
inbound-interface eth1.90
inside-address {
address 10.3.34.1
port 53
}
protocol tcp_udp
type destination

This allows to “catch” all UDP and TCP connections to :53 and redirect them the ERL DNS server (10.3.34.1). The GHome devices were acting a bit weird after committing the change, but a reboot of the device fixed it.

Note that you need to set this up per vlan. If you want to catch DNS requests for your Guest or IoT vlan, you’ll need to do the same.

Tags debian, dns, nextdns, router, ubiquiti

Google Hardware

Yard Sale: Nexus 6

Nexus 6

Details
New device from end of September (used for one month; I’ve owned a N6 for a longer time, but due to a battery problem, Google swapped it for a brand new device; then I swapped to a Nexus 6P)
Midnight Blue edition
64Gb
4G and stuff (side note: reception & signal is a million times better than a Nexus 5)
You do of course receive the Moto TurboPower charger with it
Bought via Google Play store (comes with warranty, support, etc), original phone bought July 2015, so plenty of warranty left
No scratches or anything
Comes with Android 6
Selling because I own a Nexus 6P
Price: offer
2dehands

Includes original packaging/boxes.

Email: [email protected]

Tags nexus, yard sale

Google Linux Networking

Postfix delete mails from/to one address

Post author By Yeri Tiete
Post date Friday, March 25, 2016
No Comments on Postfix delete mails from/to one address

Monit suddenly sending 18.000 e-mail? Gmail blocking your mx IP & getting all other incoming emails to your Gmail account (as it’s getting forwarded to Gmail) delayed?

Have no fear…

mailq | grep [email protected] | cut -d' ' -f1 | xargs -rn1 postsuper -d

Edit the e-mail address.

Note: mainly a reminder for myself. 😉

Tags mail

Errors Google Hardware

Nexus 5: boot loop

I had a Nexus 5 stuck in a boot loop (Android logo/animation in a loop, not actually booting).

This is what I think I’ve done to fix the issue. It seemed that /persist partition was corrupt. I tried a factory reset, flash new stock images, and clear cache, etc before trying the following.

Note that I managed to boot Android 4.4, but nothing else; it did throw a shit load of errors though (Google Play crashes, etc).

First of all, get ADB & Fastboot here. You’ll also need an hex editor (mac).

This will unlock your phone’s OEM mode; and thus potentially voiding warranty and erasing all data (!).

Edit file paths as needed, this is a copy paste of what I can still see on my terminal.

If you know your device’s WiFi MAC & Bluetooth address that’ll be useful for later, as apparently that gets wiped.

Boot into recovery boot by turning off your device and then holding the power + volume down button.

$ ./fastboot-mac oem unlock ... OKAY

Flash openrecovery (TWRP):

./fastboot flash recovery ../openrecovery-twrp-2.8.5.2-hammerhead.img sending 'recovery' (13918 KB)... OKAY writing 'recovery'... OKAY

Boot into recovery mode (using volume buttons) from the recovery boot. ADB should work now. This will find a bunch of errors and destroy the partition.

nazgul ~/Android $ ./adb-mac shell

~ # e2fsck /dev/block/platform/msm_sdcc.1/by-name/persist e2fsck 1.42.9 (28-Dec-2013) Superblock has an invalid journal (inode 8). Clear<y>? y yes *** ext3 journal has been deleted - filesystem is now ext2 only *** Superblock has_journal flag is clear, but a journal inode is present. Clear<y>? yes /dev/block/platform/msm_sdcc.1/by-name/persist was not cleanly unmounted, check forced. Pass 1: Checking inodes, blocks, and sizes Journal inode is not in use, but contains data. Clear<y>? yes Pass 2: Checking directory structure Pass 3: Checking directory connectivity Pass 4: Checking reference counts Pass 5: Checking group summary information Block bitmap differences: -(75--1098) Fix<y>? yes Free blocks count wrong for group #0 (2972, counted=3996). Fix<y>? yes Free blocks count wrong (2972, counted=3996). Fix<y>? yes Recreate journal<y>? yes Creating journal (1024 blocks): Done. *** journal has been re-created - filesystem is now ext3 again *** /dev/block/platform/msm_sdcc.1/by-name/persist: ***** FILE SYSTEM WAS MODIFIED ***** /dev/block/platform/msm_sdcc.1/by-name/persist: 30/1024 files (3.3% non-contiguous), 1124/4096 blocks

~ # e2fsck /dev/block/platform/msm_sdcc.1/by-name/persist e2fsck 1.42.9 (28-Dec-2013) /dev/block/platform/msm_sdcc.1/by-name/persist: clean, 30/1024 files, 1124/4096 blocks

~ # make_ext4fs /dev/block/platform/msm_sdcc.1/by-name/persist Creating filesystem with parameters: Size: 16777216 Block size: 4096 Blocks per group: 32768 Inodes per group: 1024 Inode size: 256 Journal blocks: 1024 Label: Blocks: 4096 Block groups: 1 Reserved block group size: 7 Created filesystem with 11/1024 inodes and 1102/4096 blocks Allocating group tables: done Writing inode tables: done Writing superblocks and filesystem accounting information: done

So far, so good. Persist partition was corrupt and recreated.

The original howto (see below) said root (su) was needed here; however it worked without root for me (?).

Download this file (kudos to whoever made it) and unrar it. Use your hex editor to edit last 6 digits (“00 00 00”) to a valid hex value, or even better, your actual MAC address if you can remember/find it.

Now upload these two (hidden) files to /sdcard/:

nazgul ~/Android $ ./adb-mac push .bdaddr /sdcard/.bdaddr 0 KB/s (6 bytes in 0.078s) nazgul ~/Android $ ./adb-mac push .macaddr /sdcard/.macaddr 1 KB/s (6 bytes in 0.004s)

And run these commands:

nazgul ~/Android $ ./adb-mac shell ~ # su /sbin/sh: su: not found ~ # cd /persist /persist # ls /persist # mkdir bluetooth wifi /persist # chown bluetooth:system ./bluetooth /persist # chmod 770 ./bluetooth /persist # ls bluetooth wifi /persist # cp /sdcard/.bdaddr /persist/bluetooth /persist # chown bluetooth:system ./bluetooth/.bdaddr /persist # chmod 660 ./bluetooth/.bdaddr /persist # chown wifi:system ./wifi /persist # chmod 770 ./wifi /persist # cp /sdcard/.macaddr /persist/wifi /persist # chown wifi:system ./wifi/.macaddr /persist # chmod 660 ./wifi/.macaddr /persist # rm /sdcard/.bdaddr /persist # rm /sdcard/.macaddr /persist # reboot

Go back into recovery boot and flash Android (I flashed 4.4 first, made sure it worked, and then flashed 6.0.1 (latest at this time); but you can probably flash latest version right away. Also unzip the zip file with all the images inside the .tar.gz — we’ll need the files later:

nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./flash-all.sh sending 'bootloader' (3120 KB)... OKAY writing 'bootloader'... OKAY rebooting into bootloader... OKAY sending 'radio' (45425 KB)... OKAY writing 'radio'... OKAY rebooting into bootloader... OKAY archive does not contain 'boot.sig' archive does not contain 'recovery.sig' archive does not contain 'system.sig' -------------------------------------------- Bootloader Version...: HHZ12k Baseband Version.....: M8974A-2.0.50.2.28 Serial Number........: 0644c9920b105eb5 -------------------------------------------- checking product... OKAY checking version-bootloader... OKAY checking version-baseband... OKAY sending 'boot' (9154 KB)... OKAY writing 'boot'... OKAY sending 'recovery' (10012 KB)... OKAY writing 'recovery'... OKAY sending 'system' (1020405 KB)... OKAY writing 'system'... OKAY erasing 'userdata'... OKAY erasing 'cache'... OKAY rebooting...

Note that it won’t actually boot yet, so go back into recovery boot, and flash userdata and cache (not sure why they go missing or get entirely erased):

nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./fastboot flash userdata image-hammerhead-mmb29k/userdata.img sending 'userdata' (137318 KB)... OKAY writing 'userdata'... OKAY nazgul ~/Downloads/hammerhead-mmb29k.6 $ ./fastboot flash cache image-hammerhead-mmb29k/cache.img sending 'cache' (13348 KB)... OKAY writing 'cache'... OKAY

Execute a normal boot now, and wait 5 to 10 minutes.

Android should boot up normally now.

You can also OEM lock your phone again, if you wish (but a sticky bit has been set).

I’ve followed these forum posts.

Tags android, nexus

Google Hardware Misc

Yard Sale: Nexus 6 & Nexus 9

Post author By Yeri Tiete
Post date Thursday, November 5, 2015
No Comments on Yard Sale: Nexus 6 & Nexus 9

For sale:

Nexus 9

Details
White edition
16Gb
No 3/4G
bought via Amazon UK, comes with UK charger, in May 2015
Comes with latest Android (6)
Pretty much as new. Barely used to be honest.
Selling because I don’t see the point of owning a tablet (I’ve tried, a Nexus 7, and now this, but nah)
Available: yesterday 🙂
Price: offer

Nexus 6

Details
New device from end of September (just over a month old; I’ve owned a N6 for a longer time, but due to a battery problem, Google swapped it for a brand new device)
Midnight Blue edition
64Gb
4G and stuff (side note: reception & signal is a million times better than a Nexus 5)
You do of course receive the Moto TurboPower charger with it
Bought via Google Play store (comes with warranty, support, etc), original phone bought July 2015, so plenty of warranty left
No scratches or anything
Comes with Android 6
Selling because I want a Nexus 6P
Available: when I receive my Nexus 6P (2? more weeks?)
Price: offer

Both include original packaging/boxes.

Mail me at: yeri+nexus @ tiete.be

Tags nexus, yard sale