So many years ago I thought I had finally found my crowd – I was mistaken. They accepted me, but I was never a part of it. Why? I have never found out… I probably did not commit enough (well, that’s what I thought) – and this repeated itself over and over through the years.
Many years later, I am now sporting a proper aversion to any kind of group affiliation: immediately trying to blend in vs. being afraid to commit.
Why do I always want to “belong” somewhere? Why can I not just accept that I am – me?
And not “part of something” or “piece of something else”. Seriously I hate being part of the human race at this moment. Just leave me alone, whoever you are. I don’t like you. I am not your friend. Please go away.
Seriously.. I have ranted to so many people about how ugly SUVs and crossover cars are… and yet.. everyone seems to join me in this, but most people then just buy them anyway.. conveniently? And the market/manufacturers then say “the market demands more SUVs” > repeat this cycle.
In 1974 Italdesign came up with this concept, which would become famous as the “Hyundai Pony Coupe”.
So.. while the Pony never looked like this, it definitely inspired others: the VW Scirocco and most notably the DMC DeLorean.
Now.. fast forward to 2022 – there are rumours that DeLorean are trying to reboot the brand (going all-electric) – and.. I can’t even imagine what moved those people, but this is.. just another car.. Also: it’s not the design language – the only thing that resembles the 1974 vibe are the gullwing doors :/
Am I subject to nostalgia? It’s not about the fucking doors.. it’s about design language. And being consistent with it. Who will buy this thing for 250K when there are Ferrari, Lamborghini, Porsche, etc.. etc.. out there, being far more established and looking just as great?
Look at Hyundai and their hydrogen “rolling lab” called “N Vision 74”, where they (successfully) demonstrate how to speak the same language while still being innovative.
If there is a worthy successor of the DeLorean, it would be this one.
Also, while Hyundai have their own design language – and I admit I find it fugly – they stick to it, so kudos to them for understanding what “design” means.
I have used pi-hole for a while and love its amazing “just works” factor, but I missed some real DHCP features and the proper packet filtering / blocking that only a real firewall can do, so here goes:
I want to use pfSense as my router/firewall but keep using pi-hole as DNS resolver – the ad blocking of pfBlockerNG just does not have the same finesse as pi-hole.
Assumption here: static IPs for the firewall’s LAN interface and for the pi-hole.
Standard install, LAN and WAN, source NAT/PAT – so far so good. So the firewall advertises itself as DNS via DHCP and gets fed by upstream DNS. Let’s fix that.
The next step would be to disable the DNS resolver inside the firewall, but I kinda use it for registering reverse DNS records for DHCP leases.. which the pi-hole then queries (more about that later) – so let’s leave it on and just add this (Services > DNS Resolver):
(Caution: apparently this breaks things when operating the resolver in Python mode.)
Now that we have a setup, we just need to tell our DHCP server to announce not itself but the pi-hole as DNS resolver. This is done here (Services > DHCP Server):
Default is to advertise its own LAN interface.. so let’s change that. Why 2 IP addresses? I found out that some (all?) Android mobile phones add 184.108.40.206 (Google) if you only advertise one single DNS resolver. So that’s that. But more on Google later.
pi-hole is surprisingly easy to use and set up, it works out of the box. All there is to do is to change/set up the upstream DNS servers and the reverse DNS lookup for LAN IPs.
That will take care of one thing: in the “query log” window, you will not see the IP addresses of the clients but the hostnames from DHCP – see previous chapter ^ ^
This is where the nice things stop. Till now we have been friendly and allowed our friends at Google and Cloudflare and whatnot to gather our data, and sure.. with emerging technologies like DNS over TLS, DNS over HTTPS, QUIC and what not.. it is important to ask yourself a few questions:
What do I want to achieve here?
Why am I doing this?
Do I just want ads blocked, or do I want to browse securely / not give away my data to X to do Y?
Here is my take on this: block as many ads as possible while still allowing privacy to exist. DNS over HTTPS allows Firefox to bypass censorship and control by a totalitarian regime.
But Google Chrome can also use UDP to port 443 and tunnel DNS through it, bypassing my DNS server, and then the whole exercise was for nothing. (Remember: Google is not your friend, they harvest your data (LOTS of it) for profit. Make it as hard as possible for them, they don’t pay you after all.)
Advanced DNS / Firewall stuff (here be dragons)
Step 1: redirect all DNS traffic to the firewall.
Anything that tries to bypass the pi-hole’s addresses (manual DNS, hardcoded DNS resolvers (Android, I am talking about you!)) will bypass our solution, so let’s redirect those back to the firewall. Sneaky. From the pfSense manual:
Firewall > NAT > Port Forward.
Create a rule for TCP/UDP trying to reach port 53, EXCEPT when the destination is on the LAN, AND NOT coming from the pi-hole itself. Redirect that to the firewall’s IP and disable reflection. (A wonderful application of inverted matches :)
The filter rule will be created automatically.
Step 2: Firewall Rules
It is important to set the rules in the right order. Remember: top to bottom, and once there is a match, the filtering stops.
Firewall > Rules > LAN
So what have I done here?
allow the pi-hole to access the internet unfiltered
allow all DNS traffic from LAN to the firewall (created by the NAT policy before)
reject all other DNS traffic
reject DNS over TLS (port 853)
reject DNS over HTTPS to Google and Cloudflare (220.127.116.11, 18.104.22.168, 22.214.171.124, etc…)
reject UDP traffic to port 80 or 443 (used by Chrome/QUIC)
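To see why the order of that list matters, here is an added example (my own, not part of this post or of pfSense) that models the Step 1 port forward and this Step 2 rule set as a first-match evaluator over a few constructed packets; the LAN, firewall, pi-hole and DoH addresses are assumed placeholders, not the real ones.

```python
from dataclasses import dataclass, replace
from ipaddress import IPv4Address, ip_address, ip_network

# Constructed addresses (RFC 1918 LAN plus TEST-NET ranges), not the post's own.
LAN = ip_network("192.168.1.0/24")
FIREWALL = ip_address("192.168.1.1")
PIHOLE = ip_address("192.168.1.2")
DOH_ENDPOINTS = {ip_address("192.0.2.8"), ip_address("192.0.2.1")}  # stand-ins for the DoH resolvers

@dataclass(frozen=True)
class Packet:
    src: IPv4Address
    dst: IPv4Address
    proto: str   # "tcp" or "udp"
    dport: int

def nat_redirect(pkt: Packet) -> Packet:
    """Step 1: port-53 traffic not aimed at the LAN and not sent by the pi-hole
    itself has its destination rewritten to the firewall."""
    if pkt.dport == 53 and pkt.dst not in LAN and pkt.src != PIHOLE:
        return replace(pkt, dst=FIREWALL)
    return pkt

# Step 2 rule set in the order the post lists it; first match wins.
# The trailing "default LAN allow" is the stock pfSense "LAN net to any" rule.
RULES = [
    ("allow pi-hole out", lambda p: p.src == PIHOLE, "pass"),
    ("allow LAN DNS to firewall", lambda p: p.dst == FIREWALL and p.dport == 53, "pass"),
    ("reject other DNS", lambda p: p.dport == 53, "reject"),
    ("reject DoT", lambda p: p.dport == 853, "reject"),
    ("reject DoH to known endpoints", lambda p: p.dst in DOH_ENDPOINTS and p.dport == 443, "reject"),
    ("reject UDP 80/443 (QUIC)", lambda p: p.proto == "udp" and p.dport in (80, 443), "reject"),
    ("default LAN allow", lambda p: True, "pass"),
]

def evaluate(pkt: Packet, rules=RULES) -> tuple:
    """NAT runs before filtering; then rules are checked top to bottom."""
    pkt = nat_redirect(pkt)
    for name, match, action in rules:
        if match(pkt):
            return action, name
    return "block", "implicit default deny"

def misordered(pkt: Packet) -> tuple:
    """Same rules with 'reject other DNS' moved above the firewall allow:
    redirected client queries now die before they reach the resolver."""
    swapped = RULES[:1] + [RULES[2], RULES[1]] + RULES[3:]
    return evaluate(pkt, swapped)
```

A client query to an outside resolver on port 53 is rewritten to the firewall and passes, while the same packet under the swapped order hits "reject other DNS" first.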
So now I have achieved (I think) the best of both worlds. I enjoy near-perfect ad blocking while using a real firewall for my LAN. Sure, pfBlockerNG is amazing (and I use it for IP blocking!), but its ad blocking is just sub-par.
Step 3: pfBlockerNG
That one is a little tougher to set up. I used a lot of Reddit posts and blogs to get it working, as there are a ton of settings. I ended up using the Tier 1 IP blocklists and the DNS blocklists of BBcan177 (thanks, whoever you are!).
Basically it could make pi-hole redundant, but I am using VMs so… why bother? :)
At my age I am not often surprised or hyped, but this caught me off guard. Oh so many memories and legendary swordfights. This is definitely one of the things that strongly shaped my character and my life. Also: grog is bad for you :P
Thank you. Ron. You are a legend. We will celebrate with grog and red herring <3