Noticed that NextDNS was reporting old hostnames in the logs. For example old device names (devices that changed hostnames), devices that were definitely no longer on the network, or IPs that were matched to the wrong hostnames.
The culprit is how EdgeOS deals with its hosts file. Basically it just keeps all the old hosts added and just adds a new line at the end of the file.
NextDNS searches for the first valid entry in that file, which is always going to be an older record.
So the simplest solution I found was the turn off hostfile-update every so often. This clears the hosts file.
So ssh into the device, run configure, and then run these commands:
set service dhcp-server hostfile-update disable
commit
set service dhcp-server hostfile-update enable
commit
save
Update 22 Jun ’23:
Be sure to restart NextDNS, or it won’t actually publish the up-to-date client hostnames.
Realised I haven’t updated this in a long while (life happened).
Couple of weeks ago I started to play with NextDNS — and I really recommend anyone that’s something privacy minded and cares about the stuff happening on their network.
I’ve set up several configs (home, parents, FlatTurtle TurtleBox (the NUCs controlling the screens)) and Servers. Once it’s out of beta and better supported on Unifi and Ubiquiti hardware I might deploy it to our public WiFi (well, most access points don’t look like that — but you get the point) networks too.
Looking at the logs was an eye-opener seeing what goes through your network. You can play around and block (or whitelist) certain domains.
I figured out my Devialet does an insane amount of requests to cache.radioline.fr for example. This domain has a 30s TTL. It shows that the majority of my DNS requests are actually automated pings and not in any way human traffic.
Anyhow — I’ve since installed the NextDNS CLI straight on my EdgeRouter Lite acting as a caching DNS server and forwarding using DoH.
I’ve turned off dnsmasq (/etc/default/dnsmasq => DNSMASQ_OPTS="-p0") and have NextDNS listen to :53 directly.
Note that every EdgeOS update seems to wipe out the NextDNS installation, and requires a fresh install… Pain in the ass and doesn’t seem like that’s fixable.
The explanation of every flag is explain on their Github page and they are very responsive via issues or through their chat on my.nextdns.io.
All right — next thing I’ve noticed is that my Google Home devices are not sending any DNS requests — which means the devices use hard coded DNS servers.
I have a separate vlan (eth1.90) for Google Home (includes my Android TV, OSMC, Nest Home Hub and all other GHome and Chromecast devices). For this vlan I set up a deflector to be able to cast and ping/ssh from my “main” network/vlan to GHome vlan.
Using this guide I redirected all external DNS traffic to the ERL so I can monitor what’s happening. The important part was the following:
yeri@sg-erl# show service nat rule 4053 destination { port 53 } inbound-interface eth1.90 inside-address { address 10.3.34.1 port 53 } protocol tcp_udp type destination
This allows to “catch” all UDP and TCP connections to :53 and redirect them the ERL DNS server (10.3.34.1). The GHome devices were acting a bit weird after committing the change, but a reboot of the device fixed it.
Note that you need to set this up per vlan. If you want to catch DNS requests for your Guest or IoT vlan, you’ll need to do the same.
yeri@sg:~$ show vpn ipsec status
IPSec Process Running PID: 20140
1 Active IPsec Tunnels
IPsec Interfaces :
eth0 (no IP on interface statically configured as local-address for any VPN peer)
yeri@sg:~$ show vpn ipsec sa
peer-be.yeri.be-tunnel-1: #9, ESTABLISHED, IKEv1, 85a2d010ada73113:ca439c40ac3bca06
local 'erl.yeri.be' @ 116.87.x.y
remote 'fritz.yeri.be' @ 109.236.x.y
AES_CBC-256/HMAC_SHA1_96/PRF_HMAC_SHA1/MODP_1024
established 1592s ago, reauth in 1333s
peer-fritz.yeri.be-tunnel-1: #1, INSTALLED, TUNNEL, ESP:AES_CBC-256/HMAC_SHA1_96/MODP_1024
installed 1592 ago, rekeying in 1200s, expires in 2009s
in c0bb652e, 1038032 bytes, 10726 packets, 0s ago
out 8d5df3f5, 532685 bytes, 6062 packets, 0s ago
local 10.60.111.0/24
remote 192.168.1.0/24
I haven’t really figured out what no IP on interface statically configured as local-address for any VPN peer means yet though.
First tests at Glaverbel (circle or “O” shaped building) in Watermael-Boisfort with 12 lifts (about a year ago). Internet wiring makes a whole circle from the internet connection at the technical room (near entrance hall). In this design from the 1960s the lift machine rooms had one shared/common room where we installed switches (to avoid having to pull too much cable and to overcome cable length issues). High quality shielded cable was used to avoid signal loss over the distances we did.
We first opted for wired internet to the cabin (TurtleBox being on top of the cabin, with HDMI to the display in the cabin — the idea was to cover the TurtleBox inside the roof/under some protection in case something would fall, and for moist and dust — this was quickly abandoned due to space & time constraints).
The TurtleBox in this case was again an Intel NUC (Celeron for the first two “tests”, Atom afterwards due to fanless design).
After the first initial test, wired internet was not feasible after our first two cabins:
pricing of cable (~€450)
Kone provided wrong cable (some weird color codes, not the regular STP/UTP, coating was too big for STP plugs)
Test lift one tore the cable (probably got stuck somewhere between the cabin and the wall)
In test lift two, during a controlled shut down of the lift (due to other repairs by Kone Refurbishments), Kone Emergencies got called by the customer to start up the shut downed lift (customer not being aware of the shutdown reason). Kone Services didn’t recognise the new wiring as native or normal, and decided to cut down the cable.
=> So wiring is more (expensive) hassle than anything else.
We realized we didn’t want to go through this mess 10 more times.
I can also tell you lifts are way less ‘clean’ than I would have expected.
The idea my technician (can greatly recommend him for doing an amazing, detailed & clean job) had was to try with WiFi. I was skeptic (10ish floors, lots of metal and other crap inside the shaft)… But it would definitely be cheaper and easier to maintain.
NUCs are mounted on top of the cabin for a clear line of sight. However, after testing this was deemed unnecessary and they got lowered/mounted to the side to provide additional protection.
In the end, I have to say due to all the metal and concrete, signal went WAY further than I’d imagine (we could do two entirely separated shafts with one AP, just the -1 and -2 floors had troubles to have a stable signal). Signal is strong enough to have working WiFi in the (metal) lift cabin, and people working not too far from the (metal) lift doors on the floors can still use WiFi as well (albeit not with the best signal).
WiFi (Ubiquiti unifi, again) uses Power-over-Ethernet and remotely managed using Auki making it very easy to manage and install.
The 12 lifts now have FlatTurtle displays in them, using WiFi as internet connection… And it’s working like a charm!
Oh, and on a plus side, Kone technicians (all of them) were a charm to work with, doing a great job!!
