valvaris

Level 3
Verified
--------------------UPDATE 12-01-2020-------------------
From today on I am a (eBlocker) contributor.

That does not mean that I will "fanboying" this product like a boss! I am open to all projects. :D

It just seams fair to the Malwaretips-Community that they know about my standing to eBlocker and understand if I try to protect this product a little more then the others. Of course the time spent to collaborate with other devs. from the eBlocker Team.

I still want to try out other solutions / projects and my mix match project is still on the go. (eblocker / Pi-Hole combo Https Pattern and DNS unbound server) Just waiting for the eBlocker Raspberry 4 update.

Sincerely

Val.
 
Last edited:

oldschool

Level 54
Verified
It just seams fair to the Malwaretips-community that they now about my standing to eBlocker and understand if I try to protect this product a little more then the others. Of course the time spent to collaborate with other devs. from the eBlocker Team.
I think that's great. You might post re: your collaboration on your security thread. if you decide to post one. Definitely on your MT Profile.

I'm considering eBlocker for the future but Raspberry Pi 4s are in short supply here. I really admire those folks working to re-build it.
 

valvaris

Level 3
Verified
I think that's great. You might post re: your collaboration on your security thread. if you decide to post one. Definitely on your MT Profile.

I'm considering eBlocker for the future but Raspberry Pi 4s are in short supply here. I really admire those folks working to re-build it.
Thanks for the tip @oldschool - Updated my Profile Info it is on the About Page. :D

Best regards
Val.
 

valvaris

Level 3
Verified
From today on I have configured my Pi-hole to my "raspberry pi 4b" - could not wait...

What I did?
Clean Pi-hole install
Tested Pi-hole DNS directly with Quad9 Uplink DNS Server
Installed and Configured - Unbound - Recursive DNS Server and Signatures
Looped the DNS Querys back from Unbound to PI-hole
Like this all DNS Querys hit the Pi-hole and it makes a direct request to the Root-DNS-Servers plus Signature chain. (DNSSEC)

Pi-hole unbound instructions -> Pi-hole as All-Around DNS Solution - Pi-hole documentation

Example DNS Query:

PC----> eblocker -----> Pi-hole <---> Unbound (Service Local on Pi-hole) ---> Router ----> ISP--->RootDNSServers if not cached by Pi-hole

Best part out of it is that I do not need to rely on services like cloudflare, quad9 and google to function since I request directly from the root servers.

DNSSec works too! 🙂

eBlocker is setup to have the Pi-hole as the Uplink server and disabled all Domain Blocklists since Pi-hole will take care of that part by itself and I am able to see what domains are "bogus" or "insecure". Now the added advantage is the following with eBlocker...

HTTPs Inspection --- goes to Pattern Files ---- that forwards unblocked querys to the DNS (Pi-hole) ---- that checks if the Domains are Blacklisted and allows/denys that query ---- verfiys DNSSEC ------ So you have the best of two worlds HTTPS Inspection from eBlocker and DNSSec, RecursiveDNS, Domain / Regex Blocklist from unbound/Pi-hole.

Best regards
Val.
 
Last edited:

valvaris

Level 3
Verified
Project Update and Experience

The Project was to have an eBlocker go to a Pi-Hole (Uplink DNS) and that one to Unbound to have a direct recursive DNS route to the Root DNS Servers. With features enabled like DNSsec for SSL Chain Verification and Monitoring.

How was the Setup?
Have to say super easy Pi-hole has a very well documented website and the installation and preparation for Unbound was awesome.

The Performance?
A little meh... at first until the DNS requests were cached and then wooow it was fast. But still the performance could be allot better if eBlocker was Raspberry 4 compatible... (More Processing Power and 1Gbit/Ethernet Interface) - Reason is that HTTPS Inspection costs allot of horsepower and since the device acts as a gateway all traffic goes thru that first (Raspberry 3 - 100Mbit/Ethernet Interface)... -.-

Conclusion
Nice to have but needs allot of fine tuning (eBlocker Raspberry 4 Support) and Whitelisting of URLs needed for eBlocker (Desktop Apps & Smartphone Apps that do not like to be SSL Inspected) - Plus the added administration of Pi-hole DNS Query's.

Sincerely
Val.

P.S. ATM I run Adguard Home DNS with Unbound and wait for it ...... DNSsec - Yap got it to work without a certificate on the Adguard somehow?!
 
Top