this post was submitted on 08 Nov 2023
213 points (97.8% liked)

Selfhosted


Blocked that hard-coded google dns garbage.

top 30 comments
[–] Decronym@lemmy.decronym.xyz 20 points 2 years ago* (last edited 2 years ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
DNS Domain Name Service/System
IP Internet Protocol
IoT Internet of Things for device controllers
NAT Network Address Translation
PiHole Network-wide ad-blocker (DNS sinkhole)
SSL Secure Sockets Layer, for transparent encryption
TCP Transmission Control Protocol, most often over IP
UDP User Datagram Protocol, for real-time communications
VPN Virtual Private Network

[Thread #267 for this sub, first seen 8th Nov 2023, 04:10]

[–] EvolvedTurtle@lemmy.world 7 points 2 years ago
[–] bless@lemmy.world 16 points 2 years ago

+1 for dst NAT on Google's DNS servers back to my PiHoles.

[–] filister@lemmy.world 15 points 2 years ago (1 children)

Hey man, can you share some resources that you followed to configure OPNsense as a VM? I am in the same situation: bought a firewall that I want to use as a hypervisor, but haven't configured OPNsense yet, and would love to educate myself more on the matter.

[–] Pete90@feddit.de 4 points 2 years ago (1 children)

I'm currently using this guide to set up an OPNsense VM on Proxmox. Home Network Guy also has an OPNsense guide, but for a full router.

[–] filister@lemmy.world -2 points 2 years ago (1 children)

Thanks for the link, but in the series I can only find information about pfSense and not OPNsense.

[–] Pete90@feddit.de 2 points 2 years ago

It's pretty similar, but I combined those two guides and that worked pretty well.

[–] randombullet@feddit.de 12 points 2 years ago (2 children)

I do a DNS redirect on my MikroTik router.

It's going to suck when DoH and DoT become more prevalent.

[–] possiblylinux127@lemmy.zip 10 points 2 years ago

I think the solution is to avoid tech that you don't control. It's a hard pill to swallow for some, but at the end of the day there are tons of ways a device could bypass networking restrictions.

[–] blackstrat@lemmy.fwgx.uk 2 points 2 years ago

Best you can do is maintain a list of public DoH IPs and block them. Redirect all port 53 traffic to your own DNS server.
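
The two measures in the comment above (redirect all port 53 to your own resolver, block the public DoH endpoints you know about) expressed as an nftables ruleset for a Linux router. This is an added example, not code from the thread or from any firewall vendor; the interface name `lan0`, the PiHole address 192.168.1.2 and the resolver list in `doh_resolvers` are assumptions for illustration. It also logs each hijacked query before NAT, so the kernel log records the real client rather than the router, and it masquerades the redirected flow so the answer comes back through the router when the PiHole sits on the same subnet as the client.

```shell
#!/usr/bin/env bash
# Added example (not from the thread): nftables ruleset that forces LAN DNS
# through a local resolver, logs the bypass attempt with the real client IP,
# and blocks the DoT/DoH escape hatches.
# Assumed names: LAN interface "lan0", resolver (PiHole) at 192.168.1.2.
set -eu

# Emit the ruleset for a given LAN interface and resolver address.
build_dns_ruleset() {
  local lan_if="$1" resolver="$2"
  cat <<EOF
table inet dnsguard {
  # Well-known public resolvers that also speak DoH on tcp/443. This is a
  # starting point, not a complete list; extend it from your own logs.
  set doh_resolvers {
    type ipv4_addr
    elements = { 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1, 9.9.9.9, 149.112.112.112 }
  }

  chain prerouting {
    type nat hook prerouting priority dstnat; policy accept;
    # Log before NAT so SRC= in the kernel log is the real client, not the router.
    iifname "$lan_if" ip saddr != $resolver meta l4proto { tcp, udp } th dport 53 limit rate 10/minute log prefix "DNS-BYPASS "
    # Hijack every DNS query from the LAN, except the resolver's own upstream queries
    # (otherwise the PiHole would be redirected to itself and loop).
    iifname "$lan_if" ip saddr != $resolver meta l4proto { tcp, udp } th dport 53 dnat ip to $resolver
  }

  chain postrouting {
    type nat hook postrouting priority srcnat; policy accept;
    # Resolver and clients share a subnet: masquerade so the reply returns via the
    # router and is un-NATed, instead of arriving at the client from the "wrong" IP.
    oifname "$lan_if" ip daddr $resolver meta l4proto { tcp, udp } th dport 53 masquerade
  }

  chain forward {
    type filter hook forward priority filter; policy accept;
    # DoT is easy: it has its own port, 853.
    iifname "$lan_if" ip saddr != $resolver tcp dport 853 reject with tcp reset
    # DoH hides inside 443, so only the resolver IPs we know about can be blocked.
    iifname "$lan_if" ip saddr != $resolver ip daddr @doh_resolvers tcp dport 443 reject with tcp reset
  }
}
EOF
}

# Usage: LAN_IF=lan0 RESOLVER=192.168.1.2 ./dnsguard.sh apply   (as root)
# Without "apply" the ruleset is only printed for review.
if [ "${1:-}" = "apply" ]; then
  build_dns_ruleset "${LAN_IF:-lan0}" "${RESOLVER:-192.168.1.2}" | nft -f -
else
  build_dns_ruleset "${LAN_IF:-lan0}" "${RESOLVER:-192.168.1.2}"
fi
```

If the PiHole runs on the firewall itself, drop the `postrouting` chain and use `redirect` instead of `dnat ip to`; if it lives on a different VLAN from the clients, the masquerade is unnecessary but harmless. The `limit rate` on the log rule keeps a chatty device from flooding the kernel log.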

[–] CorrodedCranium@leminal.space 11 points 2 years ago (3 children)
[–] AdventuringAardvark@lemmy.one 19 points 2 years ago (1 children)

No, you can block ads with a PiHole. This is because Roku hard-codes its DNS server as 8.8.8.8. PiHole doesn't handle IP addresses, only DNS.

[–] IlliteratiDomine 9 points 2 years ago (3 children)

Interesting. I set an ad-blocking DNS via DHCP and, as far as I know, the Roku respects it. Ads are blocked and I can see it failing to deliver telemetry in my DNS logs (most persistent thing on the network).

I set a rule to catch outside DNS to see if anything, the Roku included, has been misbehaving.

[–] chagall@lemmy.world 9 points 2 years ago

PiHole blocks the basics for Roku, things like logs, ads, etc., but there's a lot more telemetry that they're collecting. Here's a Hacker News thread about the topic and the associated article it references.

[–] IlliteratiDomine 3 points 2 years ago

Well, I'm back and can confirm the sneaky DNS resolver. I have two Roku devices and they both were making requests to 8.8.8.8.

Thanks for this post! TIL.

[–] EvolvedTurtle@lemmy.world 2 points 2 years ago (1 children)

I doubt it, but could this help with my TV randomly crashing?

It's genuinely so annoying and is such a 2023 problem.

[–] StopSpazzing@lemmy.world 7 points 2 years ago

TV crashing? Add an external device and don't use TVs for their smart features, as they tend to be pretty bad.

[–] StrawberryPigtails@lemmy.sdf.org 10 points 2 years ago

Not familiar with Rokus, but it depends on what you're filtering. Mostly it's to block needless analytics tracking. I use a pair of PiHoles for much the same purpose.

[–] normonator@lemmy.ml 0 points 2 years ago (1 children)

One reason used to be to switch to a different region for Netflix, etc., but I'm not sure if that still works; I haven't had to use a Roku in a long time.

[–] null@slrpnk.net 2 points 2 years ago (1 children)

How would you switch regions using a firewall?

[–] normonator@lemmy.ml 2 points 2 years ago* (last edited 2 years ago)

Using the firewall to force DNS, because the services were stupid enough to rely on DNS to determine location. You would use a (usually paid) DNS service hosted out of wherever the content you wanted was and get access to region-locked stuff like the US Netflix library from abroad. This worked because VPNs were being detected and Roku's DNS was hard-coded, so it was assumed to be trusted.

I don't know if this still works because I no longer own anything Roku and Netflix's service hasn't been worth that kind of shenanigans for a long time. It likely doesn't work anymore.

Edit: Unblock-US used to be such a service

[–] phx@lemmy.world 8 points 2 years ago (1 children)

I set up a NAT rule that redirects anything going to the Google DNS IPs and sends it to my own DNS server.

[–] lemming741@lemmy.world 1 points 2 years ago (1 children)

I did that for anything on port 53.

[–] phx@lemmy.world 1 points 2 years ago

I can't recall if I limited it to Google's IPs or not, actually. Just that I wanted to prevent their devices from ignoring the DHCP-provided hosts.

[–] auf@lemmy.ml 7 points 2 years ago (1 children)
[–] rentar42@kbin.social 6 points 2 years ago

One more confusion: if DNSSEC is enabled, it actually switches to TCP, since DNSSEC requires messages that are much bigger than what UDP can transfer.

[–] redcalcium@lemmy.institute 6 points 2 years ago* (last edited 2 years ago) (1 children)

I configured my Asus router with asuswrt-merlin firmware to route all DNS traffic to my AdGuard instance to catch those apps and devices with hard-coded DNS. Those routed DNS queries appear in AdGuard as originating from my router's IP address, so I can easily see what apps and devices are trying to bypass my DNS. Turns out the main offender is Netflix.
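
The comment above and the earlier one about "a rule to catch outside DNS" both run into the same detail: once the query has been DNATed, the resolver only sees the router's address, so the place to attribute a bypass to a device is the firewall log taken before NAT. The script below, an added example rather than anything from the thread, summarises kernel log lines written by an nftables rule of the form `log prefix "DNS-BYPASS "` (the prefix, interface names and all log lines are constructed for the example; 192.168.1.50 plays the Roku and 192.168.1.77 a client attempting DNS over TLS).

```shell
#!/usr/bin/env bash
# Added example (not from the thread): summarise which LAN clients tried to
# reach an outside DNS server, from kernel log lines produced by an nftables
# rule such as 'log prefix "DNS-BYPASS "' placed BEFORE the DNAT rule. Logging
# before NAT matters: after redirection the resolver only sees the router's IP.
# The log lines below are constructed for this example.
set -eu

SAMPLE_LOG='Nov  8 04:10:01 fw kernel: DNS-BYPASS IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.8.8 LEN=60 PROTO=UDP SPT=51234 DPT=53 LEN=40
Nov  8 04:10:02 fw kernel: DNS-BYPASS IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.8.8 LEN=61 PROTO=UDP SPT=51235 DPT=53 LEN=41
Nov  8 04:10:05 fw kernel: DNS-BYPASS IN=lan0 OUT=wan0 SRC=192.168.1.77 DST=1.1.1.1 LEN=60 PROTO=TCP SPT=40000 DPT=853 WINDOW=64240 SYN
Nov  8 04:10:09 fw kernel: DNS-BYPASS IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.4.4 LEN=60 PROTO=UDP SPT=51236 DPT=53 LEN=40
Nov  8 04:10:12 fw kernel: DNS-BYPASS IN=lan0 OUT=wan0 SRC=192.168.1.50 DST=8.8.8.8 LEN=62 PROTO=UDP SPT=51237 DPT=53 LEN=42
Nov  8 04:10:15 fw kernel: OTHER-RULE IN=lan0 OUT=wan0 SRC=192.168.1.20 DST=93.184.216.34 LEN=60 PROTO=TCP SPT=40001 DPT=443'

# Read log lines on stdin; print "client resolver proto/port count", busiest first.
# Only lines carrying the DNS-BYPASS prefix are counted; KEY=VALUE tokens are
# parsed positionally so extra fields (TTL, flags, a second LEN) do not matter.
summarize_bypass() {
  awk '
    /DNS-BYPASS/ {
      src = ""; dst = ""; proto = ""; dpt = ""
      for (i = 1; i <= NF; i++) {
        n = split($i, kv, "=")
        if (n != 2) continue
        if (kv[1] == "SRC") src = kv[2]
        else if (kv[1] == "DST") dst = kv[2]
        else if (kv[1] == "PROTO") proto = kv[2]
        else if (kv[1] == "DPT") dpt = kv[2]
      }
      if (src != "" && dst != "") count[src " " dst " " proto "/" dpt]++
    }
    END { for (k in count) print k, count[k] }
  ' | sort -k4,4nr -k1,1 -k2,2
}

# Number of distinct client/resolver/port combinations in the sample.
sample_pair_count() {
  printf '%s\n' "$SAMPLE_LOG" | summarize_bypass | wc -l | tr -d ' '
}

# Real use: journalctl -k | ./dns-bypass-report.sh, or feed it /var/log/kern.log.
printf '%s\n' "$SAMPLE_LOG" | summarize_bypass
```

On the sample input the report lists 192.168.1.50 hitting 8.8.8.8 three times and 8.8.4.4 once over UDP/53, and 192.168.1.77 opening TCP/853 to 1.1.1.1, while the unrelated `OTHER-RULE` line is ignored. Map the source addresses back to devices with your DHCP leases; that is the step the resolver-side view cannot give you after NAT.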

[–] AdventuringAardvark@lemmy.one 0 points 2 years ago (1 children)

That's interesting. What IP address is Netflix hard-coding?

[–] redcalcium@lemmy.institute 1 points 2 years ago

My router doesn't log the target DNS server IP address, but according to many forum threads, the Netflix app seems to hard-code the DNS to 8.8.8.8 and 8.8.4.4.

I have a firewall rule to dst-NAT any outgoing DNS requests not coming from PiHole back to the PiHole server. That way all devices on the LAN are forced to use PiHole for DNS and can't bypass it. I don't have an OPNsense firewall, but I would think it should be able to do that as well.