For those who use my script for installing a LetsEncrypt cert in the Unifi Controller, I’ve made some small changes to update it to inject the new root certificates.
Category: Open Source
DNSDist is a great load-balancing DNS forwarder designed by the same people behind PowerDNS. It does not resolve names itself; it routes queries to backend servers, which is what makes it useful as a front door for DNS over HTTPS.
It works on Linux and other UNIX OSes, and is fairly easy to set up once you understand how its configuration file (a Lua script) works.
An example config with some comments…
controlSocket('127.0.0.1:5199')
setConsoleACL('127.0.0.1/32')
setKey("PUT-KEY-HERE") -- generate the real value with makeKey() in the dnsdist console
addLocal('127.0.0.1')
addLocal('10.0.0.1')
addLocal('::1')
webserver('10.0.0.1:8083', 'dnsdist', 'dnsdist') -- listen address, password, API key: replace both placeholders
This is the initial section defining which IPs DNSDist listens on for its console (control) socket and its general-purpose DNS sockets:
- controlSocket() – sets the local IP and port that the console listens on
- setConsoleACL() – sets which source addresses may connect to the console socket (the function is setConsoleACL(); there is no setControlACL())
- setKey() – sets the shared secret that encrypts and authenticates console connections; generate one with makeKey() and never leave the placeholder in place
- addLocal() – adds a local IP (and optionally a port, 53 if omitted) that the resolver side listens on for plain UDP/TCP DNS
- webserver() – sets the local IP and port that the stats web server listens on. In this form the second argument is the password and the third is the API key; the username in HTTP basic auth is not checked. Replace both 'dnsdist' placeholders, and keep the listener on an internal address as shown, because the password travels in cleartext over HTTP.
addDOHLocal("172.16.5.1:5053",
"/etc/letsencrypt/live/domain.com/fullchain.pem",
"/etc/letsencrypt/live/domain.com/privkey.pem",
"/dns-query",
{ doTCP=true, reusePort=true }
)
doh_ips=newNMG()
doh_ips:addMask('0.0.0.0/0')
doh_ips:addMask('::/0')
addAction(AndRule({NetmaskGroupRule(doh_ips, true), DSTPortRule(5053)}), PoolAction('recursive'))
In this section we set up DNS over HTTPS for Firefox, Chrome and other clients that can use an encrypted channel to query DNS separately from their provider’s servers.
In this case we allow anyone to query over DoH; you can change that by replacing the two addMask() calls covering ‘everything’ with your own ranges.
- addDOHLocal() – sets the local IP and port that the DoH HTTPS server listens on. The paths point to the LetsEncrypt-generated certificate chain and private key; clients have to reach the listener through the host name on that certificate, not the bare IP, or TLS verification fails. The “/dns-query” path is the URL path the HTTPS server answers queries on.
- doh_ips=newNMG() – creates the Netmask Group variable
- doh_ips:addMask() – adds the source IP ranges to allow
- addAction() – routes queries whose source address is in doh_ips and whose destination port is 5053 (i.e. queries that arrived on the DoH listener) to the ‘recursive’ pool. The second argument to NetmaskGroupRule() selects matching on the source address.
recursive_ips=newNMG()
recursive_ips:addMask('127.0.0.0/8')
recursive_ips:addMask('::1/128')
recursive_ips:addMask('fe80::/10')
recursive_ips:addMask('10.0.0.0/24')
addAction(NetmaskGroupRule(recursive_ips), PoolAction('recursive'))
In this section we set up the standard port 53 UDP/TCP resolver to accept queries. It works the same way as the previous block, with the exception of the addAction().
- addAction() – routes queries from any source in recursive_ips, on whichever listener they arrive, to the ‘recursive’ pool. Rules are evaluated in the order they were added and the first matching action wins, so anything not matched by this rule or the DoH rule reaches no pool with servers.
newServer({address="8.8.8.8:53", pool="recursive"})
newServer({address="1.1.1.1:53", pool="recursive"})
recursivepc = newPacketCache(10000, {maxTTL=86400, minTTL=0, temporaryFailureTTL=60, staleTTL=60, dontAge=false})
getPool("recursive"):setCache(recursivepc)
setACL({'::/0','0.0.0.0/0'})
This section sets up the recursive pool of servers that matched queries are forwarded to.
- newServer() – adds an upstream recursive DNS server to the ‘recursive’ pool; dnsdist balances between them (leastOutstanding by default). In the above examples we use two public ones, Google and Cloudflare, but they can be your provider’s recursors or other public ones. Note that this hop is plain DNS on port 53, so the privacy a DoH client gains ends at dnsdist unless the path to the backends is itself trusted.
- recursivepc=newPacketCache() – sets up a packet cache of 10000 entries and its TTL handling: answers live at most maxTTL seconds, ServFail/Refused replies are cached for temporaryFailureTTL, staleTTL is the TTL put on expired entries served while the backends are down (which only happens if setStaleCacheEntriesTTL() is also configured), and dontAge=false means cached TTLs count down normally.
- getPool():setCache() – links the recursive pool to the recursivepc packet cache defined before
- setACL() – replaces dnsdist’s default ACL, which only admits loopback and RFC 1918 ranges, with one that accepts packets from anywhere. That is needed for a public DoH listener, so the Netmask Group rules above are the real gate: a query from a source in neither group matches no rule, lands in the default pool, which has no servers, and is dropped (dnsdist only returns ServFail in that situation if setServFailWhenNoServer(true) is set). If you do not need DoH open to the world, tighten setACL() instead of relying on that fallthrough.
Here’s what you need to do to run the Unifi Controller on Debian Buster:
Add the following to /etc/apt/sources.list:
deb http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main
Do:
wget -qO - https://www.mongodb.org/static/pgp/server-3.4.asc | apt-key add -
(thx u/theinvisibleman_ for the key update info on his post here)
Grab:
http://security.debian.org/debian-security/pool/updates/main/o/openssl/libssl1.0.0_1.0.1t-1+deb8u12_amd64.deb
http://security.debian.org/debian-security/pool/updates/main/o/openjdk-8/openjdk-8-jre-headless_8u232-b09-1~deb9u1_amd64.deb
Do:
dpkg -i <package deb file>
to install both of those packages. Then:
apt-get update
And install the mongodb packages:
apt-get install mongodb-org-server mongodb-org-tools mongodb-org-shell
This should give you all you need to install the controller deb.
If I missed any depends, let me know as I threw this together after the fact and may have forgotten something.
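As an added example (not from the original post), two hardening steps for the procedure above: register the MongoDB key in its own keyring with signed-by instead of the global apt-key store, and check each sideloaded .deb against the SHA256 recorded in the archive’s own Packages index before running dpkg -i. The keyring path, list file name, and the Packages stanzas and package file used in the demo are assumptions and constructed sample data, not real archive contents.

```shell
#!/bin/sh
# Added example, not from the original post. Two hardening steps for the
# procedure above: (1) trust the MongoDB key through a dedicated keyring with
# signed-by rather than apt-key, and (2) check each sideloaded .deb against
# the SHA256 in the archive's own Packages index before dpkg -i.
# The index stanzas and the package file below are constructed sample data.

# (1) Keyring instead of apt-key. The key URL is the one the post gives; the
# keyring path and list file name are assumptions. These need network access,
# so they are shown here but not executed.
#   wget -qO- https://www.mongodb.org/static/pgp/server-3.4.asc \
#     | gpg --dearmor > /usr/share/keyrings/mongodb-org-3.4.gpg
#   echo 'deb [signed-by=/usr/share/keyrings/mongodb-org-3.4.gpg] http://repo.mongodb.org/apt/debian jessie/mongodb-org/3.4 main' \
#     > /etc/apt/sources.list.d/mongodb-org-3.4.list

# (2) Look up the SHA256 the Packages index records for a given Filename.
packages_sha256_for() {
    # $1 = Packages file, $2 = Filename value exactly as listed (path under pool/)
    awk -v want="$2" '
        /^Filename: / { fname = $2 }
        /^SHA256: /   { sha = $2 }
        /^$/          { if (fname == want) { print sha; found = 1; exit }
                        fname = ""; sha = "" }
        END           { if (!found && fname == want) print sha }
    ' "$1"
}

# Compare a downloaded .deb with the index checksum. Returns 0 on match,
# 1 on mismatch or when the index has no entry for that file.
verify_deb() {
    # $1 = Packages file, $2 = Filename as listed, $3 = local .deb
    expected=$(packages_sha256_for "$1" "$2")
    [ -n "$expected" ] || { echo "no index entry for $2" >&2; return 1; }
    actual=$(sha256sum "$3" | cut -d' ' -f1)
    [ "$expected" = "$actual" ]
}

# Constructed sample index: the first stanza's SHA256 is that of the text
# "hello\n", which stands in for a downloaded package in the demo below.
write_sample_index() {
    cat > "$1" <<'EOF'
Package: example
Version: 1.0
Filename: pool/main/e/example/example_1.0_amd64.deb
Size: 6
SHA256: 5891b5b522d5df086d0ff0b110fbd9d21bb4fc7163af34d08286a2e846f6be03

Package: other
Version: 2.0
Filename: pool/main/o/other/other_2.0_amd64.deb
Size: 1
SHA256: 0000000000000000000000000000000000000000000000000000000000000000
EOF
}

# Demo run. Against a real mirror you would use the Packages index of the suite
# the .deb was taken from (after checking its InRelease signature) and the
# downloaded file in place of the constructed ones.
demo_dir=$(mktemp -d)
write_sample_index "$demo_dir/Packages"
printf 'hello\n' > "$demo_dir/example_1.0_amd64.deb"
if verify_deb "$demo_dir/Packages" pool/main/e/example/example_1.0_amd64.deb \
        "$demo_dir/example_1.0_amd64.deb"; then
    echo "checksum OK, safe to run: dpkg -i $demo_dir/example_1.0_amd64.deb"
else
    echo "checksum MISMATCH, do not install" >&2
fi
rm -r "$demo_dir"
```

The point of the lookup is that the Packages index is what the archive signs; a .deb pulled straight out of pool/ with wget is not, so the checksum in the index is the only link back to that signature. A file whose hash does not match, or that the index does not list at all, should not be handed to dpkg -i.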
You might have heard of BitWarden – a free/open source password management service that is a lot like LastPass. I use it pretty heavily here thanks to its integration with various web browsers and iOS.
The original BitWarden server is kinda large and clunky. A third party has re-implemented it in Rust with a much smaller footprint that is API-compatible with the official server.
As I’m not a fan of Docker, Bitwarden_rs was initially going to be a no-go for me because it is distributed as a container by default. However, another individual was nice enough to provide a build script and premade .deb files that don’t require Docker to be installed.
The original build script author has been quiet since October, and there have been a few upgrades to Bitwarden_rs in the meantime, leaving the repo outdated. I’ve forked the repo on GitHub, updated the build script, and released updated .deb files for the latest upstream release.