My PiHole is “Half Baked”

Good Morning from my Robotics Lab! This is Shadow_8472, and today I am installing PiHole. With luck, I’ll be configuring some of its other functions to augment my home’s network as well. Let’s get started!

PiHole, Take II

I can rant about the evils of Google ‘til boredom do its part. However, this search engine is between inconvenient and impossible to ignore, given its impressive list of “hobbies” from STEM projects to smartphones. It’s an open secret few care to think about that their empire is built off user exploitation. I installed ad blocker browser plugins over their aggression last presidential election cycle.

Earlier this month, I read about Manifest v3, the new browser-plugin interface library created by Google. Their precautions against spyware just so happen to cripple ad blockers, among other legitimate plugins. This walking conflict of interest is set to roll out in January 2023, and Firefox is going along with it.

When a browser loads a web page, it asks a DNS service to translate the page’s domain name into an IP address, then connects to that IP to fetch and render the page. Rendering may involve loading further resources, such as ads, from other domains as elements of the original page. Network ad blockers protect you by answering DNS lookups for known ad domains with a bogus address, so those elements never load.
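To make the sinkhole idea concrete, here is a small model of the decision a blocking resolver such as PiHole makes for each query. This is an added example, not PiHole’s own code: the blocklist is a constructed hosts-format list (the layout PiHole’s adlists use), domain names are made up, exact-name matching plus a separate regex rule is my own simplification, and answering A/AAAA with the null address and everything else with an empty answer is an assumption of this model.

```python
import re

# Constructed sample blocklist in hosts format; every domain here is made up.
SAMPLE_BLOCKLIST = """\
# comment line, ignored
0.0.0.0 ads.example-tracker.test
0.0.0.0 metrics.example-tracker.test  # trailing comment
127.0.0.1 localhost
"""

# Hypothetical wildcard rule as a regular expression: blocks telemetry.test
# and every subdomain of it. (PiHole handles subdomains with its own
# regex/wildcard filters; this is just the model's version.)
SAMPLE_REGEX_RULES = [r"(^|\.)telemetry\.test$"]

SINKHOLE = {"A": "0.0.0.0", "AAAA": "::"}  # null-address answers
NODATA = "NODATA"      # blocked name, record type we do not sinkhole
UPSTREAM = "FORWARD"   # not blocked: ask the upstream DNS server


def parse_hosts_blocklist(text: str) -> set:
    """Collect the domains named in a hosts-format blocklist."""
    blocked = set()
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments
        fields = line.split()
        if len(fields) < 2:                   # blank line or no hostname
            continue
        # fields[0] is the address the list author chose (0.0.0.0 or ::);
        # the only entry we leave alone is the usual localhost line.
        for name in fields[1:]:
            name = name.lower().rstrip(".")
            if name != "localhost":
                blocked.add(name)
    return blocked


def normalise(qname: str) -> str:
    """DNS names are case-insensitive and may carry a trailing dot."""
    return qname.lower().rstrip(".")


def resolve_decision(qname: str, qtype: str, blocked: set, regex_rules) -> str:
    """What the sinkhole answers for one query: a null address, an empty
    answer, or a decision to forward upstream."""
    name = normalise(qname)
    is_blocked = name in blocked or any(re.search(r, name) for r in regex_rules)
    if not is_blocked:
        return UPSTREAM
    return SINKHOLE.get(qtype, NODATA)


if __name__ == "__main__":
    rules = parse_hosts_blocklist(SAMPLE_BLOCKLIST)
    for q in ("ADS.example-tracker.test.", "a.b.telemetry.test", "example.org"):
        print(q, "->", resolve_decision(q, "A", rules, SAMPLE_REGEX_RULES))
```

Note that an exact-match list does not catch `sub.ads.example-tracker.test`; that is the gap the regex rule exists to close.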

Objectives

My main goal this week is to kill ads across my home network. Follow-up objectives include advanced PiHole features and a private DNS for even better protection.

Night 1

My first attempt at PiHole was messy. I set up PiHole OCI/“Docker” containers across my two servers – ButtonMash and my old laptop. Like before, the main router skipped IP’s on me. I had it repaired within an hour thanks to my same laptop functioning as a workstation with a static IP. With the router upgrade to my upstairs workstation, I easily archived its settings and outfitted it with its own wider network static IP – complete with a netmask wide enough to chase down its rogue counterpart should it shift again (Did I have the laptop’s static IP netmask configured incorrectly this whole time?!).

Surprise! The expanded subnet didn’t work because the rogue router had its own subnet mask I was outside of. The dance was too involved for a play by play, but I only really felt helpless while trying to avoid hiking around to different workstations to clean up after this failed networking spell. As I reassembled the router for normal operation, I reasoned out that my router’s firmware is hardwired not to consider a DNS coming from a LAN connection, like I’m trying to do.

Flashing open source firmware is out of the question. For one, I wouldn’t know how to fix it and don’t have a replacement. Two: apparently its chipset manufacturer isn’t a fan of open source – the help thread I spotted recommended contacting OP’s government representative if he wanted to do anything about it.

Night 2

I did a bit of research before dismantling the network again. DHCP settings include optional fields for DNS requests. This should let me direct computers straight to PiHole instead of relaying the request in a convoluted workaround involving a NAT table and possibly causing a network loop.

This means each router is now a separate task. The responsible thing to do now is ensure my subnet router can behave before working on the main one. It’s not long before I fry my DNS settings. Navigation around my local network remains unaffected, but I eventually resort to restoring my backup from yesterday, re-applying the static IP, and updating the backup.

My best bet from here is to finalize my PiHole install. My initial container creation was the absolute minimum: port 80 web interface, port 53/TCP+UDP. There’s a lengthy list of environment variables to browse.

A Few Days Later

Jackpot! My mind cleared enough before bed to skim PiHole Docker’s documentation on GitHub. It has a list of example deployments – including a shell script. I converted it for Podman, entered my environment variables, and –during debugging– axed the logic for relaying logs as it was causing problems and I can view them directly with Cockpit-Podman.

PiHole User

But where to land it? I’ll eventually integrate as I master Caddy. Leaving the container running as root lets it use the proper ports, but I know better. Thanks to discoveries I spun off into last week’s project, I can now make more underprivileged, Cockpit-enabled users than I will ever need by using the loopback address range (127.0.0.1/8).

The run script was easy to copy over to my new PiHole user. I gave it the directories it wanted as mountable volumes and shifted ports around until I was happy. I took the time to tidy up my firewall, combining a couple related entries and reclosing the normal DNS port.

I remember having issues with Vaultwarden’s stability over the course of days to weeks. The problem was occasionally annoying as Bitwarden only requires its home server when modifying the password vault, but PiHole will be sorely missed the moment it goes down. The one place I found the solution was in the official Podman troubleshooting guide on their GitHub [1]:

loginctl allow-linger userName

I sadly could not verify this was my previous solution to my Vaultwarden long-term issues, but it’s not entirely unfamiliar, and it’s my best-informed guess.

DNS Port Forwarding

With PiHole secured in its own, easily accessible account, I soon experienced how picky DNS requests are about using the privileged port 53. All my attempts at manually telling OpenWRT to use port 5300 failed. I expect the story will be the same if I try on my main router.

I found the solution where Woody from b-woody.com blogged about almost the exact same project last May [2]: port forward port 53 to port 5300. Paranoid about goofing my firewall over the command line, I ran my version of Woody’s commands past r/TechSupport’s Discord channel. Moderator Donjuanal confirmed my omission of a trailing “:toaddr=”, but questioned my blind use of tcp, explaining how DNS clients default to udp for speed.

sudo firewall-cmd --zone=public --add-forward-port=port=53:proto=udp:toport=5300 --permanent

Even with this measure in place, I had to access the web console and tick Settings>DNS>Interface settings>Potentially dangerous options>Permit all origins before my local requests made it through. This may need to be addressed later.

Takeaway

I am so glad to have PiHole installed, even if it doesn’t appear to be doing much more than the uBlock Origin Firefox plugin. I’m researching the next segment though, and I estimate another week or more worth of work before it is configured alongside a private DNS server. Worth noting is that Firefox is leaving in the features ad block requires, despite potential security concerns. This is a good enough stopping point.

Final Question

Do you use PiHole? I’d be happy to hear about your experience.

I look forward to hearing your answers in the comments below or on my Socials.

Works Cited

[1] eriksjolund, “Podman Troubleshooting: A list of common issues and solutions for Podman,” github.com, Nov. 19, 2022. [Online]. Available: https://github.com/containers/podman/blob/main/troubleshooting.md [Accessed Jan. 30, 2023].

[2] Woody, “Run PiHole in a rootless Podman container,” b-woody.com, May 12, 2022. [Online]. Available: https://b-woody.com/posts/2022-05-12-pihole-on-a-rootless-podman-container/ [Accessed Jan. 30, 2023].

[3] Can You Block It, “CAN YOU BLOCK IT? A SIMPLE AD BLOCK TESTER,” canyoublockit.com, 2021. [Online]. Available: https://canyoublockit.com/ [Accessed Jan. 30, 2023].

I Glitched Cockpit and Discovered Multi-user Login

Good Morning from my Robotics Lab! This is Shadow_8472 with a side project for the week. Let’s get started!

My mother needed an extra browser, so I installed Firefox and hardened it a little. I took the liberty of adding the Bitwarden plugin, encouraging her to make an account on my self-hosted instance. Remembering my failure so far to diagnose the “Network Error” blocking log in, I spared the time to learn how new Bitwarden clients are slightly incompatible with old Vaultwarden servers.

I easily could have updated Vaultwarden with maybe a note on the blog Discord. Instead, I felt like adding VaultwardenUsr@localhost to Cockpit with “Add new host.” This stunt worked at the cost of forwarding shadow8472@ButtonMash to VaultwardenUsr@ButtonMash when logging in. Relogging didn’t help, and the hosts list saw VaultwardenUsr as the primary login – disallowing me from removing it, and as a remote login – blocking my attempts to add my real primary account back in with the same stunt.

While exploring this bug, I logged into my old laptop server and linked its Cockpit back into ButtonMash without getting forwarded to VaultwardenUsr. At this point, I submitted a bug report to Cockpit’s GitHub. I soon found the malformed host list at /etc/cockpit/machines.d/99-webui.json. I backed it up, purged the malformed entry, and updated GitHub with my workaround.

Out of curiosity, I added VaultwardenUsr@192.168.0.— as an alternate host. This sends packets for an extra detour, but it works as required. Only after all this did I update my Vaultwarden image from Docker Hub and deploy a new container from it using the same command as the last two successful times.

Note: While working on next week’s project, I logged into VaultwardenUsr@127.0.0.1 and other loopback IP’s with no problems. It’s just name@localhost that causes problems.

Takeaway

1 day for the win! My push for PiHole and supporting network projects has been intense lately, so it’s great to have a smaller project where I still learn while doing something important.

Final Question

Have you ever misused a software feature successfully? What challenges did you face before getting it to work how you had in mind?

I look forward to hearing your answers in the comments below or on my Socials.

Networking Is Magic

Good Morning from my Robotics Lab! This is Shadow_8472, and if you missed last week’s post, feel free to check it out. It… was a minor disaster. I tried setting up the PiHole network ad blocker, but my home router unexpectedly moved its local IP address in the process. I cleaned up what I could really quickly and noticed my little hackjob of a subnet router was running an end-of-life operating system. Today, I am fixing that oversight. Let’s get started!

Replacing My Hackjob Router

Hackjob Router was my consolation prize after a failed quest to implement the open source router firmware, OpenWRT, onto my Raspberry Pi 4B in early 2020 and another in 2021. Both times, the exact version I needed was still under development. Dealing with testing versions was too advanced of a magic spell for me. I did, however, find an easy tutorial within my reach, but it did little to advance me beyond an aspiring networking mage with smoke and mirrors, but no fire or glass. When I looked this week, the beta warning was lifted.

I downloaded OpenWRT and flashed it over Hackjob Router’s SD card. Sure enough, the web interface was complete. I’ve used at least half a dozen ranging from limited config options to full access. OpenWRT’s “LuCI” web interface puts everything on display with a helpful tool tip. It is comparable to other network devices I’ve worked with, but is simpler to look at, and has slightly more functionality.

My final configuration was surprisingly easy for a project that’s been hanging for almost three years now. At no point did I gain a key insight directly from an online search. But mistakes were made, and background information was researched and shelved for later.

My first mistake was a wrong Wi-Fi password. When I finally located and corrected it, my connection to OpenWRT died. I quickly learned how to assign a static IP in KDE’s settings thanks to intuitive interface design. I researched br-lan, a virtual network interface used for assigning one IP to multiple physical interfaces, thinking I needed to add the physical Wi-Fi radio to the automatically generated bridge that already hosted the single Ethernet port, and “bridge” the two sides that way.

The problem was actually a bad netmask. IPv4 network addresses come in four eight-bit numbers between 0 and 255. Local networks mask off leading bits – typically in multiples of 8 (for example: 10.0.0.1/8). Routers can use DHCP to dynamically assign local IP addresses within their assigned subnet. My subnet ranges between 192.168.1.0 and 192.168.1.255 – properly denoted 192.168.1.1/24. Originally, my trailing mask was /16, allowing DHCP to assign my workstation to 192.168.0.200. Correcting the mask made it behave.
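The /16 versus /24 mix-up here, and the earlier episode where widening my own netmask still could not reach a router sitting behind its own narrower mask, both come down to the same rule: each host decides on-link reachability using only its own prefix, so a reply only comes back when both sides agree. The following is an added example written for this post, not code from OpenWRT or the router; it uses Python’s standard ipaddress module and the addresses from the text plus one constructed workstation address (192.168.1.50).

```python
import ipaddress


def on_link(local_iface: str, peer: str) -> bool:
    """True when the host configured as local_iface (e.g. "192.168.1.1/24")
    treats peer as part of its own subnet, i.e. reachable without a gateway."""
    iface = ipaddress.ip_interface(local_iface)
    return ipaddress.ip_address(peer) in iface.network


def can_exchange(a_iface: str, b_iface: str) -> dict:
    """Model a request from host A to host B and the reply back.
    Each side checks the other against its *own* mask, so a mask widened
    on one side alone still leaves the conversation one-way."""
    a = ipaddress.ip_interface(a_iface)
    b = ipaddress.ip_interface(b_iface)
    a_sees_b = on_link(a_iface, str(b.ip))
    b_sees_a = on_link(b_iface, str(a.ip))
    return {"a_sees_b": a_sees_b, "b_sees_a": b_sees_a,
            "two_way": a_sees_b and b_sees_a}


def dhcp_pool_bounds(router_iface: str) -> tuple:
    """Lowest and highest address a DHCP server on this interface could
    hand out (network and broadcast addresses excluded)."""
    net = ipaddress.ip_interface(router_iface).network
    first = net.network_address + 1
    last = net.broadcast_address - 1
    return str(first), str(last)


if __name__ == "__main__":
    # The mistake from the text: a /16 on the subnet router lets DHCP
    # land a workstation on 192.168.0.200; the intended /24 does not.
    for prefix in ("/16", "/24"):
        router = "192.168.1.1" + prefix
        print(router, "pool:", dhcp_pool_bounds(router),
              "200 on-link:", on_link(router, "192.168.0.200"))
    # Widening only the workstation's mask to reach a router that keeps
    # its own /24: the workstation can send, but the router cannot reply.
    print(can_exchange("192.168.1.50/16", "192.168.0.1/24"))
```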

An unanchored memory I have regarding this week’s research is that some devices can route packets directly between network interfaces as opposed to routing them manually. I doubt the Raspberry Pi 4 has this ability, but it would be nice to know for sure.

Takeaway

Networking is magic at times. I still have a long way to go before I understand enough to do everything I want to, but I’ve cleared a large and long-standing barrier toward that goal this week. This is in part thanks to OpenWRT’s LuCI with its educational help tips about every drop-down menu, text field, and tick box.

Final Question

Do you ever study a known science and everything inside you insists it’s magic?

I look forward to hearing your answers in the comments below or on my Socials.

Never Underestimate Your Gremlins

Good Morning from my Robotics Lab! This is Shadow_8472 and today I am working on my home network. Let’s get started!

Where to begin? Last week I left off with Puppy Linux. Well, I successfully installed it to a USB. While hardening Firefox, I noticed that the popular search-engine/online-advertising company is pushing out a new set of standards for their popular browser called Manifest 3 that will cripple functionality browser-based ad blockers rely on to keep prying eyes out (all in the name of privacy, of course); Mozilla/Firefox will be adopting these standards, with roll out this month: January 2023.

Network Collapse

In response, I prioritized setting up PiHole, a network-based ad blocker which won’t be affected by Manifest 3 and will work on Android devices. I soon learned it’s available in an OCI/“Docker” container. Long story short, I installed it to ButtonMash and my old laptop for logistical reasons involving my dormant Family Photo Trunk project. I went to adjust the router’s DNS (Domain Name Server) settings to point at my PiHole containers figuring the worst that could happen would be I just need five minutes tops to revert changes… the router moved itself from 192.168.0.1 to 162.168.1.1, collapsing the home network – including the workstation I was planning on using to fix it!

I was more than a bit stunned. Lucky for me, my old laptop was on a static IP address; unlucky: Bitwarden password manager has been a pain on that machine as of late, so I had to copy it manually from elsewhere. Once I was in, I reverted the DNS settings to automatic and most computers recovered by toggling network off and on (or rebooting) to refresh the automatic DHCP settings.

Upstairs Workstation

A while back, I rigged up a Raspberry Pi to work as a Wi-Fi catcher/subnet router, and it’s served me well up to this point. I switched its static, subnet-facing IP so it didn’t conflict with the one now claimed by the router, but as I was researching how to adjust its DHCP settings for the new subnet, I noticed its base operating system is at least months past end-of-life.

Takeaway

I need to stop quoting optimistic worst-case scenarios. Gremlins can and will make a fool of me. On the other hand, I’m very thankful I had my laptop-server still able to navigate the crippled network with its static IP.

I’ll be keeping the router where it is and see how saving the band of 192.168.0.* for static IP’s plays out. I guess I have the rest of this month’s projects planned out…

Final Question

What is the biggest computer oops you’ve ever had (and recovered from)?

Furthermore

I had a small adventure getting this post from LibreOffice on my upstairs workstation over to my blog without Internet. The way my filesystem is set up, the save feature hangs badly when a mounted network drive doesn’t respond. I ended up using a .txt file on a thumb drive, and dumping it to the command line with cat, a terminal program to concatenate.

I’m Learning Puppy Linux

Good Morning from my Robotics Lab! This is Shadow_8472 and today I am overhauling an old Windows XP machine with a tiny distro called Puppy Linux. Let’s get started!

About Puppy

Tiny Linux distributions have reduced complexity – meaning fewer distractions from the core functionality of your system, which makes them work great as a learning environment. I learned the Linux terminal on MicroCore Linux building upon previous experience from using commands in games like Minecraft. I aimed a bit too high and stalled when I wasn’t ready to start repackaging software, but I still consider that period one of the most productive projects regardless.

Another good use for miniature Linux distros is old computers. Specialty software, like commercial quality games, may pose an extra challenge to locate and install various libraries found in general purpose systems, but if all you need is a browser and a basic office suite, a refurbished system with a slim OS may be all you need.

The first thing I learned coming back to Puppy was that it’s a whole branch of Linux distributions and has been for some time [1]. Even a distro outside the definition of puppy/puplet/etc. may still be considered part of the family if it follows certain principles Puppy is built upon.

Exploring Puppy

My project this week is on an old church office computer running Windows XP Professional 32 bit on a 64 bit CPU. It has 2GB DDR2 RAM and a pair of 150GB HDD’s configured in a BIOS-level “Intel ARRAY” (mirrored per RAID 1, but not in name) with a 100 GB main partition, a 50GB partition labeled backup, and a couple tiny partitions for system files/recovery files respectively.

One talking point from Puppy’s site is how “Grandpa friendly” it is and how active the community is. I went ahead with making an account on the forum and left a request for the most user-friendly puppy overnight in the new users’ section. I’ve never gotten so much help so fast. Consensus was that I should try Friendly Fossa 64-4 once I brought up that I was interested in burning it to CD – my third download after the base Fossa 64 and Friendly Fossa 64-2; all install .ISO’s are dropped onto my Ventoy multi-boot USB.

It’s amazing what built-in help can do for a system in terms of user-friendliness! Both Friendly variants were a big improvement over the official Fossa 64 build thanks to a conspicuous help directory on their desktops and various other help tooltips. I’m impressed with how easy answers seem to be if I just take the time to explore those, various settings, or miscellaneous tooltips. If ever there were one distro for people scared of the command line, this would be it – provided I can figure out how to load a pupfile (computer session save file), which I haven’t managed yet.

Puppy works by copying everything into RAM. It first loads a base image, then modifies it with a “pupfile” made using that image when you shutdown and save a session. If I understand things correctly, you should only save sessions where you tweak system settings. Otherwise, data goes on mounted drives, where it stays regardless of pupsaves. I could be wrong though. Either way, this makes it almost trivial to flush out a virus by rebooting.

So far, I’ve burned the install media to CD and done a lot of exploring. I will need to come back to this.

Takeaway

I’m not a fan of the exact graphical style, and I still have much to learn. While Puppy takes a massively different approach to personal computing than mainstream operating systems, it’s overall one I can see myself recommending to people looking to learn Linux.

Final Question

What is the most unusual computer configuration you’ve used?

I look forward to hearing your answers in the comments below or on my Socials.

Works Cited

[1] Puppy Linux Team, “About Puppy Linux,” puppylinux-woof-ce.github.io, 2020. [Online]. Available: https://puppylinux-woof-ce.github.io/ [Accessed Jan. 2, 2023].