Sooo, my TP-Link Archer C8 AC1750 Gigabit router decided to not play nice after a short power outage. Didn’t do much anyway except keep a couple of machines in a their own little subnet in which the pi-hole was located.
Replaced it with… NETGEAR GS108Tv2 8-Port Gigabit managed switch and flatten the network a little. Everything was peachy with that set up, but the pihole was still on 172.16.0.0/24… reconfigured that with pihole -r and all looked well except for the pi-hole could not ping outside of the LAN. Grrr! Much hair pulling until…
Getting pretty annoyed with keeping track of which browser on which machine has which add blockers installed, so it’s time for a more holistic approach. Enter, stage left, the Pi-hole. In short it:
…acts as a forwarding DNS server, which means if it doesn’t know where a domain is, it has to forward your query to another server that does. When you install Pi-hole, it knows where the ad-serving domains are (because you tell it), so it doesn’t forward those requests.
With a Rapsberry Pi 3 model b and a 64GB micro SD card, a set-up that is beefier than it needs to be, but who knows what the Pi will be used for in the future…
#1 Get Raspbian, and format micro SD card— after much jiggling with the unlock tab on the adapter and delicately repeatedly inserting-half-inserting into 2012 Macbook Pro’s gunked-up card reader port…
Unbound and setting up resolving/recursive DNS (rather than merely forwarding)
What’s the difference? With forwarding, if a name has not been previously associated with an IP (ie. ached on the pi-hole), the request is sent upstream and the result cahed.
Aaand in recursive… request is sent to ROOT servers for resolving say, “.us”, and thence to TLD name servers. Domain lookup will go to AUTHORATATIVE servers handling “yearl” (and subdomains), and all will be relayed and chached locally. So, a few more steps? Why do this? Neither Cloudflare nor Google (or whatever my upstream DNS would have been) will know where I am going. So, err privacy. Why not do this? It will take longer for the first resolution of a name.
<h1>May be set to yesif you have IPv6 connectivity</h1>
# Use this only when you downloaded the list of primary root servers!
# Trust glue only if it is within the servers authority
# Require DNSSEC data for trust-anchored zones, if such data is absent, the zone becomes BOGUS
# Don't use Capitalization randomization as it known to cause DNSSEC issues sometimes # see https://discourse.pi-hole.net/t/unbound-stubby-or-dnscrypt-proxy/9378 for further details
# Reduce EDNS reassembly buffer size. # Suggested by the unbound man page to reduce fragmentation reassembly problems
# TTL bounds for cache
# Perform prefetching of close to expired message cache entries # This only applies to domains that have been frequently queried
# One thread should be sufficient, can be increased on beefy machines
# Ensure kernel buffer is large enough to not loose messages in traffic spikes
# Ensure privacy of local IP ranges
private-address: 10.0.0.0/8 </code></pre>
EDIT (2018-06-19): Pi-hole was running quite nicely over wi-fi (assigned to 192.168.0.0), went to put it on the LAN and after removing SD card to placement of the Pi board inso some case the SD card decided to go fuck up. Anyhoo repeated above steps with a new (32GB) SD card, and all appears to be peachy-creamy.
ubnt@ubnt:~$ show dns forwarding nameservers -----------------------------------------------
Nameservers configured for DNS forwarding -----------------------------------------------
18.104.22.168 available via 'system'
22.214.171.124 available via 'system'
126.96.36.199 available via 'ppp pppoe0'
188.8.131.52 available via 'ppp pppoe0'
ubnt@ubnt:~$ ping 184.108.40.206
PING 220.127.116.11 (18.104.22.168)56(84) bytes of data. 64 bytes from 22.214.171.124: icmp_req=1ttl=60time=18.4 ms 64 bytes from 126.96.36.199: icmp_req=2ttl=60time=14.6 ms
ubnt@ubnt:~$ ping google.com
PING google.com (188.8.131.52)56(84) bytes of data. 64 bytes from lhr25s01-in-f14.1e100.net (184.108.40.206): icmp_req=1ttl=57time=15.3 ms 64 bytes from lhr25s01-in-f14.1e100.net (220.127.116.11): icmp_req=2ttl=57time=15.3 ms
ubnt@ubnt:~$configure uubnt@ubnt#set service dns forwarding system uubnt@ubnt#commit uubnt@ubnt# commit  ubnt@ubnt# save
Saving configuration to '/config/config.boot'...
Done  ubnt@ubnt# exit exit ubnt@ubnt:~$
Now for the rest of the network… but it’s sooo nice outside. There’s this orange thing in the sky, apparently
Like >90% of folk, I’ve typically used whatever POS modem/router/switch/WAP combo that my ISP supplied me with. These all-in-ones are pretty convenient, but there is something just not right about bundling so many features into a single unit… it basically means that whilst is can do all these things it does not do any one thing particularly well.
Wireless range, for example, is particularly bad (even on the 2.4MHz band). Time for a change. I’ve finally had enough.
#1 get your router’s loin credentials to the service. My ISP had these hard-coded and were not supplied to me. It was a royal waste of 40 minutes trying to explain that I was not trying to login to the TG589vac itself, but instead to use that which allows login to the ISPs edge router… need this to pass on to the replacement router (Ubiquiti’s Edgerouter X) otherwise… no Internetz!
#2 logging in to the TG589vac as “admin” gives one rather limited options, and certainly none for resetting the router. It’s not in the consumer documentation, but log in as “engineer” and use the value next to “Access Key” on the bottom of the device.
#3 Gateway >> Setup Your Gateway >> change “routed type” to bridge
#4 if VSDL retain VLAN 101; if ADSL set ATM VP to 0 and ATM VC to 38
#5 Cross fingers and reboot
#6 Congratulations you now have no Internet access; the TG589vac is now just a modem!
#7 need to get into the device again… that’s an ethernet cable into port #4, so obvs do not connect your new router to this port.
For giggles as “engineer” you get to see that your ISP has probably enabled TR-069 / CWMP. The what now? That’s the L7 protocol that kept your device up-to-date with firmware and such… or is/was a means for them to have get another means to sniff your packets. If you disabled it as soon as you initially got your device, TURN IT BACK ON BEFORE YOU CALL your ISP’s tech support (see #1). Mine got real pissy when I called on an unrelated issue and they could not get in and poke around.
It can take a wee while after getting “sage” to hit 1500. Lots of pretty mundane traceroute6-ing, ping-ing and such, but I stuck through it:
Really I should have scripted something to chron submit the result entries when the command result was obviously valid, but by the time I had found a reliable list of valid ipv6 addrs that were alive and correctly reporting it was too late for me to bother… and besides I sort of enjoyed the daily catharsis of taking five minutes to submit.
I’d usually stretch it out for ten or fifteen minutes when he kids were being particularly narky… sorry Mrs Sjy2!
Of course it’s of no practical use to me; but Hurricane Electric‘s IPv6 certification certainly has raised ipv6 awareness, I’d say. Actually, I lied there… one tangible benefit was free dinner and cocktails aboard the USS Hornet. My eldest and I took a relative. We had a blast.
Going to be changing ipv4 addresses a lot over the next little while, so I’ve decided to try a different v4-6 brokering arrangement. he.net’s tunnelbroker has been rock solid and I’ve been using it on and off since ’08, but I think it time to try something else.
The ideal would be a self-monitoring client that identifies local ipv4 changes here (kind like a dynDNS client might), and renegotiate an ipv6 endpoint to tunnel through based on that change. he.net’s configureation is a little more static than that, and there is no API that I can see that I can hook into to write that client myself. I sure as hell am not going the ‘scrape screens’ route for this.
First up is sixxxs. Looks like they have a client (AICCU) that might do the trick. Here goes.
Guru technical test — not done yet, despite being sage!
covers technical knowledge of IPv6 routing and IPv6 related protocols.
When using auto-configuration, what is used from the host to configure the last 64bits of the IPv6 address?
Random number generator is used
Nothing on the host is used
The IPv4 address on the ethernet interface
The MAC address of the ethernet interface
The loopback interface IPv4 address
A MAC address is only 48bits. So when using auto-configuration, what is used to fill in the missing 16bits?
Nothing, a MAC is really 64bits
On many routers, which one of the following commands is used to configure an IPv6 address on an interface?
ip address 2001:A:B:C::1/64
ipv6 address 2001:A:B:C:1
ipv6 address 2001:A:B:C::1/64
ipv6 address 2001:A:B:C:1/64
What is the length of an IPv6 packet header?
Which of the following organizations assigns IPv6 addresses?
All of the above
What protocol number is used for 6in4 IPv4 packets?
Which of the following is the 6to4 IPv6 prefix?
Which of the following well-known prefixes is used for Teredo?
Which of the following is an IPv4-mapped IPv6 address?
On operating systems that support it, IPv4-mapped IPv6 addresses are used to:
make it so that you have to write separate code for IPv6 socket calls and IPv4 socket calls
map IPv4 addresses to an IPv6 address to make it so that IPv6 socket system calls can be used with both IPv4 or IPv6 addresses
map IPv6 addresses to IPv4
Which of the following is an IPv4-compatible IPv6 address?
IPv4-compatible IPv6 addresses are deprecated in RFC 4291.
Should you ever see packets with IPv4-mapped IPv6 addresses on the wire (outside of a host)?
Which version of OSPF supports IPv6?
Which of the following can be used by an IPv6 host to learn the address of a default gateway?
neighbor introduction protocol
neighbor discovery protocol
Which of the following can be used by a host to learn its own IPv6 address?
neighbor discovery protocol
neighbor introduction protocol
If you translate IPv4 packets to IPv6 or IPv6 packets to IPv4, this is called:
completely compatible with all protocols
On many routers, what command shows IPv6 routes?
show ipv6 ospf summary
show ipv6 route
show ipv6 bgp summary
On many routers, what command shows IPv6 BGP sessions?
show ipv6 ospf summary
show ipv6 bgp route
show ipv6 bgp summary
On many routers, what command shows IPv6 BGP routes?
sh ipv6 ospf
sh ipv6 bgp
Covers technical knowledge of well known IPv6 prefixes and expands on your understanding of IPv6 related Linux and Windows commands.
1. What command shows IPv6 addresses configured on ethernet interfaces under UNIX (Linux, FreeBSD, etc.)?
ip link show
2. What command shows IPv6 addresses configured on ethernet interfaces under Microsoft Windows?
netsh interface show
3. Under FreeBSD, what does the generic tunneling interface start with?
4. Under Linux, what kernel module needs to be loaded to support IPv6 networking?
5. Are routers allowed to fragment IPv6 packets?
6. How many bytes are in an IPv6 address?
7. How many /48 subnets are available in a /32 prefix?
8. Which protocol is used for manually configured tunnels?
9. Which of the following is the IPv6 documentation prefix?
10. Which of the following is the IPv6 link-local prefix?
11. Which of the following is the IPv6 multicast prefix?
12. Which of the following is the IPv6 ULA (unique local addresses) prefix?
13. Which of the following is a subnet of 2001:db8::/32?
14. On Linux, how would you traceroute to the IPv6 address of he.net?
traceroute6 he.net X
15. On Windows Vista, how would you traceroute to the IPv6 address of he.net?
tracert he.net X
16. On Linux, what is the IPv6 ping command?
17. Which command forces the UNIX command ssh to use IPv6 to connect to example.com (useful for domains with both A and AAAA records)?
ssh -4 example.com
ssh -6 example.com X
18. You would force the UNIX command ssh to use IPv4 (useful if it had both A and AAAA records) to connect to example.com using which command?
ssh -6 example.com
ssh -4 example.com X
19. Which command forces the UNIX command wget to use IPv6 to make a HTTP GET request to he.net (useful for domains with both A and AAAA records)?
wget -4 he.net
wget -6 he.net X
20. Which command forces the UNIX command wget to use IPv4 to make a HTTP GET request to he.net (useful for domains with both A and AAAA records)?
wget -4 he.net X
wget -6 he.net
21. Which command forces the UNIX command mtr to use IPv6 to traceroute to he.net (useful for domains with both A and AAAA records)?
mtr -4 he.net
mtr -6 he.net X
22. Which command forces the UNIX command mtr to use IPv4 to traceroute to he.net (useful for domains with both A and AAAA records)?
mtr -4 he.net X
mtr -6 he.net
Covers technical knowledge of DNS and general IPv6 topics.
1. On Redhat, CentOS, and Fedora Core systems that don't accept ::/0 as the IPv6 default route, which of the following should you use instead?
2. When configuring forward DNS entries for use with an IPv6 address, what record type do you use?
3. When configuring reverse DNS with BIND for addresses in the IPv6 allocation 2001:A:B:C::/64, what is the correct format for the zone?
4.What is the IPv6 default route?
5. What is the IPv6 localhost address?
6. Which of the following is a link-local address?
7. Which of the following URLs specifies a literal IPv6 address correctly?
8. Which of the following URLs specifies a literal IPv6 address and port number correctly?
9. If you run native IPv4 and IPv6 at the same time this is called:
Dual stack X
10. How do you use the dig command to get the IPv6 address record for domain he.net?
dig he.net 6
dig he.net A
dig he.net AAAA X
11. How do you use the dig command to get the PTR record for the IPv6 address 2001:470:0:76::2?
dig 2001:470:0:76::2 PTR
dig -x 2001:470:0:76::2 X