Hallo Pi-hole Community,
ist es möglich eine Kombi Konfiguration aus Pi-Hole + Unbound + DNS-Over-HTTPS + TOR & Pihole zu erstellen, oder nur eine Konfiguration (entweder oder) ???
Mein Hardware:
RockPro64 mit Armbian-Buster-Desktop arm64.
OMV (OpenMediaVault) wird zusätzlich genutzt, auch Pi-Hole wurde über “armbian-config” installiert.
Sowie ein privates / kostenpflichtiges VPN dienst wird verwendet.
Hardware
# cat /etc/debian_version && uname -a && hostnamectl
10.3
Linux 5.4.20-rockchip64 #20.02.1 SMP PREEMPT Mon Feb 17 04:45:00 CET 2020 aarch64
GNU/Linux
Static hostname: RockHomeServer
Icon name: computer
Machine ID: xxxxxxxxxxxxxxxxxxx
Boot ID: xxxxxxxxxxxxxxxxxx
Operating System: Debian GNU/Linux 10 (buster)
Kernel: Linux 5.4.20-rockchip64
Architecture: arm64
Zur Klärung:
Unbound wurde erfolgreich eingerichtet und in Pi-Hole Web GUI ist der Custom 1 (IPv4) auf 127.0.0.1#5353 gesetzt. TOR & Pihole wurde erfolgreich eingerichtet. DNS-Over-HTTPS on Pi-hole wurde erfolgreich eingerichtet. (wegen den arm64 wurde diese Einleitung benutzt)
Unbound service + Test
# sudo service unbound status
● unbound.service - Unbound DNS server
Loaded: loaded (/lib/systemd/system/unbound.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-08 11:18:49 CET; 24h ago
Docs: man:unbound(8)
Main PID: 1819 (unbound)
Tasks: 1 (limit: 4609)
Memory: 7.0M
CGroup: /system.slice/unbound.service
└─1819 /usr/sbin/unbound -d
Mär 08 11:18:48 RockHomeServer systemd[1]: Starting Unbound DNS server...
Mär 08 11:18:49 RockHomeServer package-helper[1803]: /var/lib/unbound/root.key has content
Mär 08 11:18:49 RockHomeServer package-helper[1803]: fail: the anchor is NOT ok and could not be fixed
Mär 08 11:18:49 RockHomeServer unbound[1819]: [1819:0] info: start of service (unbound 1.9.0).
Mär 08 11:18:49 RockHomeServer systemd[1]: Started Unbound DNS server.
Test
# dig pi-hole.net @127.0.0.1 -p 5353
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> pi-hole.net @127.0.0.1 -p 5353
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18973
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1472
;; QUESTION SECTION:
;pi-hole.net. IN A
;; ANSWER SECTION:
pi-hole.net. 3600 IN A 206.189.252.21
;; Query time: 212 msec
;; SERVER: 127.0.0.1#5353(127.0.0.1)
;; WHEN: Mo Mär 09 11:53:35 CET 2020
;; MSG SIZE rcvd: 56
TOR & Pihole service + Test
# sudo service tor status
● tor.service - Anonymizing overlay network for TCP (multi-instance-master)
Loaded: loaded (/lib/systemd/system/tor.service; disabled; vendor preset: enabled)
Active: active (exited) since Mon 2020-03-09 11:35:27 CET; 3s ago
Process: 29003 ExecStart=/bin/true (code=exited, status=0/SUCCESS)
Main PID: 29003 (code=exited, status=0/SUCCESS)
Mär 09 11:35:27 RockHomeServer systemd[1]: Starting Anonymizing overlay network for TCP (multi-instance-master)...
Mär 09 11:35:27 RockHomeServer systemd[1]: Started Anonymizing overlay network for TCP (multi-instance-master).
Test
# dig @1.1.1.1 api.mixpanel.com A
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @1.1.1.1 api.mixpanel.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63894
;; flags: qr rd ra; QUERY: 1, ANSWER: 4, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
;; QUESTION SECTION:
;api.mixpanel.com. IN A
;; ANSWER SECTION:
api.mixpanel.com. 582 IN A 107.178.240.159
api.mixpanel.com. 582 IN A 130.211.34.183
api.mixpanel.com. 582 IN A 35.186.241.51
api.mixpanel.com. 582 IN A 35.190.25.25
;; Query time: 110 msec
;; SERVER: 1.1.1.1#53(1.1.1.1)
;; WHEN: Mo Mär 09 11:58:38 CET 2020
;; MSG SIZE rcvd: 109
DNS-Over-HTTPS service + Test
# systemctl status cloudflared.service
● cloudflared.service - Argo Tunnel
Loaded: loaded (/etc/systemd/system/cloudflared.service; enabled; vendor preset: enabled)
Active: active (running) since Sun 2020-03-08 19:37:46 CET; 16h ago
Main PID: 31831 (cloudflared)
Tasks: 14 (limit: 4609)
Memory: 12.1M
CGroup: /system.slice/cloudflared.service
└─31831 /usr/local/bin/cloudflared --config /etc/cloudflared/config.yml --origincert /etc/cloudflared/cert.pem --no-autoupdate
Mär 08 19:37:46 RockHomeServer systemd[1]: Starting Argo Tunnel...
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="Version DEV"
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="GOOS: linux, GOVersion: go1.13.3, GoArch: arm64"
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg=Flags config=/etc/cloudflared/config.yml no-autoupdate=true origincert=/etc/cloudflared/ce
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="Adding DNS upstream" url="https://1.1.1.1/dns-query"
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="Adding DNS upstream" url="https://1.0.0.1/dns-query"
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="Starting DNS over HTTPS proxy server" addr="dns://localhost:5053"
Mär 08 19:37:46 RockHomeServer cloudflared[31831]: time="2020-03-08T19:37:46+01:00" level=info msg="Starting metrics server" addr="127.0.0.1:35771"
Mär 08 19:37:46 RockHomeServer systemd[1]: Started Argo Tunnel.
Test
~# dig @127.0.0.1 -p 5053 google.com
; <<>> DiG 9.11.5-P4-5.1-Debian <<>> @127.0.0.1 -p 5053 google.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 62550
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1452
; PAD: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ("...............................................................................................................................................................................................................................................................................................................................................................................................................")
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 63 IN A 216.58.211.110
;; Query time: 366 msec
;; SERVER: 127.0.0.1#5053(127.0.0.1)
;; WHEN: Mo Mär 09 12:01:55 CET 2020
;; MSG SIZE rcvd: 468
Demnach funktionieren alle Dienste, jetzt die Frage: Wie kombiniert man die Dienste z.B. damit der DNS-Verkehr über Unbound verschlüsselt läuft und/oder über das TOR geleitet wird?
Laut Pi-hole Guides muss man in Pi-Hole Web GUI die Custom 1 (IPv4) dan jeweils pro Dienst setzen. Für Unbound 127.0.0.1#5353 für DNS-Over-HTTPS > 127.0.0.1#5053 .
Welches DNS muss in /etc/resolv.conf gesetzt werden?
Vielen Dank!