dn42 stands for Decentralized Network 42. It is an interconnected network that employs the same technology (DNS, BGP, etc) as the internet. This provides a great opportunity to replicate the processes used by real ISPs peering on the internet.…
Connecting Network Namespaces with veth
This post will look at how to define network namespaces and connect to and between them using veth pairs…
Generating Memorable Hostnames for a Subnet
This is a simple Bash script I wrote to generate memorable names for an IP address space. The names are camelCase word pairs obtained by shuffling a list of the thousand most common English words. This produces readable and memorable hostnames, e.g. FormerAbility.…
Dnsmasq Cheat Sheet
Comprehensive documentation of all of the options for the dnsmasq DNS/DHCP server, with practical examples…
Self Hosted DNS using NSD
In this tutorial, I'll be setting up a pair of authoritative DNS servers using the NSD DNS server daemon.…
OpenWRT/LEDE Bridging Firewall
It would be neat if my wireless access point could bridge directly to my cable modem so that clients would have proper public IP addresses. Being directly connected to the internet significantly increases vulnerability so the aim is to address this with a bridge firewall.…
Setting up Tor and Hosting a Hidden Service
This tutorial will show you how to set up TOR as a daemon and host hidden services. Hidden services are only available on the TOR darknet and allow you to host services without revealing your IP. Tor hidden services can be accessed via a special .onion domain. Although it hides your IP address, Tor isn't completely untraceable. If using Tor for illegal activity, you CAN and WILL get tracked down and held accountable. Table of contents: Introduction to Tor; Setting up and testing Tor; Setting up a Hidden Service; Redirect user traffic through Tor; Conclusion. Introduction to TOR: Tor is…
Customizing Digitalocean Floating IPs
Digitalocean allows, for free, the option to add an additional IP address to your virtual machine ("droplet"). These floating IPs are similar to Amazon AWS Elastic IPs and are tied to your account and location, rather than any specific instance. This means that when an instance is destroyed, you can still preserve the floating address and migrate it to your new instance, provided it's in the same datacenter location. Floating IPs also have load balancing features, where if a site/instance goes down, it can automatically redirect to a backup instance. It is for these reasons it is…
Running your own DNS with Unbound (and block ads)
Today we will learn how to create your own recursive DNS server using Unbound. This will improve performance through caching. We will also look at ad-blocking.…
Routeable Loopback Addresses
Today we will learn about loopback addresses that can be reached from the outside via routing. This is useful for running services on a router. In a previous post, I talked about the loopback interface and how we can locally bind services to any address in the range 127.0.0.1-127.255.255.254. This is useful if 127.0.0.1 is already in use on a particular port. The main advantages of loopback addresses are: adding additional addresses without the need to add extra interfaces; better availability of services, as long as you have a route to…
Rate-limiting logging on the Ubiquiti EdgeRouter Lite
The Ubiquiti EdgeRouter Lite has an iptables based firewall. For each firewall rule (and named set of rules) there is an option to enable LOG. Unsolicited traffic to TCP ports, especially SSH and telnet, is very common and so our log gets quite large, rather quickly. On a device with limited storage like the EdgeRouter, a barrage of blocked traffic may rapidly fill memory and crash the device. How to do it: We use iptables-save to get the current iptables rules. We then use sed to find/replace. We replace -j LOG with -m limit --limit 3/min -j…
There's more to localhost than 127.0.0.1
The loopback interface is most familiarly encountered as 127.0.0.1 and is referred to as the local loopback address. This address is present on every IPv4 host and is given the hostname localhost. Did you know there are ~16 million other addresses that applications can also listen on? This means that you can have multiple local services on the same port, as long as they are listening on a different address. The local loopback address is not a single address, it's the range 127.0.0.1 - 127.255.255.254.…
Script to send an SMS when IP changes
So this is one application of the SMS gateway. My home internet gets its address via DHCP; however, unless something goes wrong, the addresses are usually reasonably persistent (generally at least 10 days). I was motivated to set this up because when my ISP was having connectivity issues, it was very frustrating having to sit around and keep trying ping until it came back online. Now I can just wait for a notification :) I have this script running on my Ubiquiti EdgeRouter but it would work the same if you had it on a workstation. This goes in /etc/cron.…
Using the ss command to view active and established connections
The ss command, which stands for socket statistics, is used for listing listening and established connections and finding out which processes and users are associated with them. Finding all outbound connections to a particular port: ss -t -o 'dport = :ssh' --resolve | awk '{print $4,$5,$6}' desktop:42444 websrv1:ssh timer:(keepalive,61min,0) desktop:58600 websrv1:ssh timer:(keepalive,36min,0) desktop:56194 virt1:ssh timer:(keepalive,117min,0) Finding all inbound connections to a particular listening port: remembering that the local side is always on the left, we can see that .6…
Pretty printing terminal output into JSON/CSV
There is a command called column which allows you to format the lines produced by a command into symmetrical rows/columns, which can then be easily converted into CSV or JSON. This will be quite handy for reading and populating files. In this case, I needed to populate /etc/ethers/ from the ARP table. More info on column. Note: this is based on the column command in Fedora Linux; it may be different in other distros. Creating a table: this bit is simple enough, we delete unneeded fields with awk, and then use the command column -t to turn it…
Network Basics: The DHCP client
So what is DHCP? How automatic configuration works: the DHCP client. When you bring your laptop over to your buddy's house and plug into their network, your internet is ready by "magic". This is achieved by the DHCP client daemon dhcpcd. When a new network link comes online (e.g. plugging in an ethernet cable, or connecting over WiFi), your machine announces itself to all devices on the link, and, if present, a DHCP server (usually the network's router) replies back, informing your computer of the settings for the particular network, and reserves you an IP…
Converting a Hostfile Adblock into Unbound DNS records
There are lots of places where you can download ad blacklists in the form of simple host files, but they require manual installation on every device. Instead we will make records for our DNS server so we can block ads network wide. I used a blacklist from somewhocares. This github page contains a range of different filters and their stats. If you wish to learn more about setting up Unbound, I have an example configuration file. Here is my script to do it. It also allows you to specify a different address than "0.0.0.0". This is…