dnsdist + dnstap

October 5th, 2019

Real quick, I wanted to document this for others out there. Here are the steps you need to run dnsdist + dnstap to log/process your DNS queries easily:


sudo apt-get install -y golang

go get -u github.com/dnstap/golang-dnstap/dnstap

sudo vi /etc/dnsdist/dnsdist.conf

# Add these lines
rl = newFrameStreamTcpLogger("127.0.0.1:8000")
addResponseAction(AllRule(), DnstapLogResponseAction("rdns", rl))

:wq

sudo systemctl restart dnsdist.service

go/bin/dnstap -l 127.0.0.1:8000

And you’re all set.
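What actually arrives on 127.0.0.1:8000 is a Frame Streams session carrying serialized dnstap protobuf messages, which is what the dnstap listener above decodes. The Python below is an added example (not code from this post, dnsdist or golang-dnstap) that builds and decodes that framing on constructed bytes; it stops at the transport layer and treats the protobuf payload as opaque, and the content-type string is the one dnstap senders advertise.

```python
import struct

# Control frame types and the content-type field number from the Frame Streams spec.
CONTROL = {1: "ACCEPT", 2: "START", 3: "STOP", 4: "READY", 5: "FINISH"}
FIELD_CONTENT_TYPE = 1
DNSTAP_CONTENT_TYPE = b"protobuf:dnstap.Dnstap"   # content type dnstap senders advertise


def control_frame(ctype, content_type=b""):
    """Escape (length 0), control length, control type, then an optional content-type field."""
    body = struct.pack(">I", ctype)
    if content_type:
        body += struct.pack(">II", FIELD_CONTENT_TYPE, len(content_type)) + content_type
    return struct.pack(">II", 0, len(body)) + body


def data_frame(payload):
    """A data frame is a 4-byte big-endian length followed by one serialized dnstap message."""
    return struct.pack(">I", len(payload)) + payload


def _u32(buf, pos):
    """Read a big-endian uint32, refusing to read past the end of the buffer."""
    if len(buf) - pos < 4:
        raise ValueError("truncated frame at offset %d" % pos)
    return struct.unpack_from(">I", buf, pos)[0]


def decode_frames(buf):
    """Return [(kind, bytes)], e.g. ('START', content_type), ('DATA', payload), ('STOP', b'')."""
    frames, pos = [], 0
    while pos < len(buf):
        length, pos = _u32(buf, pos), pos + 4
        if length != 0:                                  # data frame
            if len(buf) - pos < length:
                raise ValueError("truncated data frame")
            frames.append(("DATA", buf[pos:pos + length]))
            pos += length
            continue
        clen, pos = _u32(buf, pos), pos + 4              # escape: a control frame follows
        body, pos = buf[pos:pos + clen], pos + clen
        if len(body) != clen or clen < 4:
            raise ValueError("truncated control frame")
        ctype, content_type, fpos = _u32(body, 0), b"", 4
        while fpos + 8 <= len(body):                     # optional fields: type, length, value
            ftype, flen = struct.unpack_from(">II", body, fpos)
            fpos += 8
            if ftype == FIELD_CONTENT_TYPE:
                content_type = body[fpos:fpos + flen]
            fpos += flen
        frames.append((CONTROL.get(ctype, "UNKNOWN"), content_type))
    return frames
```

A listener that raises on truncated input, as this one does, is preferable to one that silently drops a half-received frame and resynchronises on garbage.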

2019 and it’s still happening

June 24th, 2019

It’s halfway through 2019 and we still have some major backbones that are not implementing operational best practices. Those operating large networks know the risk of BGP hijacks and other malfeasance. We had a major incident in 2018 that took down parts of Amazon and was tied to cryptocurrency theft. Real money is lost when these events occur, despite whatever value we may individually see in this.

Today saw the most recent event, impacting many providers: traffic was directed via a previously unknown provider running a BGP optimizer product from Noction. Many people use solutions like this, but the risks they pose are regularly demonstrated.

In 2007 I gave a talk at NANOG about some extremely simple mitigations that could be performed to protect one from accepting invalid routes using AS_PATH-based filtering. I figure it’s time to link to it again – https://www.youtube.com/watch?v=W9WBBZOfWcA – to allow people to see how regularly these occur. The system is still up and running 12 years later at https://puck.nether.net/bgp/leakinfo.cgi, showing the problem is ongoing. Today, just search for a contact ASN of 396531 to see the problems.

We must put pressure on our providers and operators of backbones to implement things like peer locking and sanity filters to prevent backbone routes from being learned from customers. There is no reason for a provider like Cogent (174) to accept Sprint (1239) or Level3 (3356) routes from Verizon Business (701).

120.209.192.0/19 3277 39710 20632 31133 174 701 396531 33154 1239 9808
104.31.88.0/21 3277 39710 20632 31133 174 701 396531 33154 3356 13335
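The two paths above, run through the kind of AS_PATH sanity filter and peer-lock check the post is asking for. This is an added example, not the leakinfo tooling or any vendor's filter language; the backbone ASN set is just the four ASNs named in the post, and the check generalises to any path, flagging the first backbone ASN that shows up behind a non-backbone ASN which itself sits behind a backbone.

```python
# Route lines quoted in the post: prefix, then AS_PATH with the collector's neighbor leftmost.
LEAK_LINES = [
    "120.209.192.0/19 3277 39710 20632 31133 174 701 396531 33154 1239 9808",
    "104.31.88.0/21 3277 39710 20632 31133 174 701 396531 33154 3356 13335",
]
# Large backbone ASNs named in the post: Cogent, Verizon Business, Sprint, Level3.
BACKBONES = {174, 701, 1239, 3356}


def parse_route(line):
    """Split 'prefix asn asn ...' into (prefix, [asn, ...])."""
    prefix, *asns = line.split()
    return prefix, [int(a) for a in asns]


def find_sandwich(path, backbones=BACKBONES):
    """Sanity filter: a backbone ASN reached through a non-backbone ASN that is itself
    behind a backbone ASN means a customer or peer is re-announcing transit routes.
    Returns (upstream_backbone, leaker, leaked_backbone), or None for a clean path."""
    upstream = leaker = None
    for asn in path:
        if asn in backbones:
            if leaker is not None:
                return (upstream, leaker, asn)
            upstream = asn
        elif upstream is not None and leaker is None:
            leaker = asn
    return None


def peer_lock_ok(path, neighbor, backbones=BACKBONES):
    """Peer lock as seen by one backbone: a route learned from backbone `neighbor`
    (path[0]) must not carry any other backbone ASN further along the path."""
    if not path or path[0] != neighbor:
        return False
    return not any(asn in backbones and asn != neighbor for asn in path[1:])


def audit(lines, backbones=BACKBONES):
    """Run the sandwich check over route lines; returns [(prefix, triple)] for leaks only."""
    hits = []
    for line in lines:
        prefix, path = parse_route(line)
        triple = find_sandwich(path, backbones)
        if triple:
            hits.append((prefix, triple))
    return hits


if __name__ == "__main__":
    for prefix, (up, leaker, leaked) in audit(LEAK_LINES):
        print(f"{prefix}: AS{leaked} learned via AS{leaker} behind AS{up}")
```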

It’s time to end this madness.

FTTH Parts List

December 29th, 2017

So you want to build yourself some FTTH?

Many people seem to be working on this and have requested that the required equipment and parts be posted/shared.

Here’s a quick list of items you will need:

Fusion Splicer – Cost around $1200
Jonard Fiber Optic Strippers (these are better than the ones that come in the Signal Fire Fusion Splicer kit) – Cost around $21
Scissors for cutting the Kevlar in patch cords – $12
Kimtech Wipes to clean and prepare fiber – $6 or so
Light Meter to check your fiber – $30
Visual Fault Locator & FC-LC Connector – $29
Pigtails for your fiber – $1 per connector
Splice Enclosures – Varying types

Drop Cable – varying types
Graybar – Single strand tone capable drop cable
Baltic Networks – 2 strand cable

If you are doing underground work, you want something like the RD4000 locate wand and transmitter. These can be had on eBay for varying prices used.

You also will want to get something like the FlexScan FS200 OTDR so you can find cable faults.

A few other pro-tips:
You can also cut patch cords; these can be cheaper per connector than pigtails.

Updated ADS-B partslist

October 14th, 2015

I’ve been helping a few people optimize their ADS-B setups recently and wanted to provide a simple aggregated location for people to purchase their parts and see my setup.

Outdoor Case
Mounting Plate inside case
PoE injector 48V
Raspberry PI 4
48V PoE HAT for Raspberry PI 4
RTL-SDR and Filter (this is really critical!)
Filter to Antenna cable
5dB ADS-B 1090 Antenna, or GO BIG with the 9dB Antenna and see 300 miles when properly mounted

Once you install Raspbian you will want to follow the instructions at Flightaware to update to the latest piaware. Previously I had build instructions here, but they are no longer necessary as the changes have been merged upstream these days.

Once that’s in there, go ahead and edit your /etc/default/dump1090-fa file and make the options look like this:

RECEIVER_OPTIONS="--gain -10 --ppm 0 --net-bo-port 30005 --oversample --phase-enhance"
DECODER_OPTIONS="--max-range 450 --lat x.x --lon -y.y --fix --modeac --enable-agc"
NET_OPTIONS="--net --net-heartbeat 60 --net-ro-size 1000 --net-ro-interval 1 --net-ri-port 0 --net-ro-port 30002 --net-sbs-port 30003 --net-bi-port 30004,30104 --net-bo-port 30005 --forward-mlat"

This should result in a nice setup where you can see 200-300 miles away. You will still need to register with Flightaware, e.g.:

sudo piaware-config -autoUpdate 1 -manualUpdate 1
sudo piaware-config -mlatResultsFormat beast,connect,localhost:30004
sudo piaware-config -user username -password

Hope this helps you!

Raspberry PI2 and both i2c busses

May 27th, 2015

I’m working on a project that uses devices that have overlapping i2c addresses. In more recent Raspberry Pi releases they changed how this works, and there is quite a bit of confusion on forums about how to do this. Here’s your 2015 update, using NOOBS as a starting point:

Add these two lines to /boot/config.txt:

echo dtparam=i2c_arm=on >> /boot/config.txt
echo dtparam=i2c_vc=on >> /boot/config.txt

Append bcm2708.vc_i2c_override=1 to /boot/cmdline.txt.

With this, you can use both i2c buses: pins 3,5 and pins 27,28. Keep in mind you may need a pull-up for pins 27,28 in your i2c setup, whereas 3,5 have them on-board.

root@raspberrypi:/home/pi# i2cdetect -l
i2c-0    i2c           3f205000.i2c                        I2C adapter
i2c-1    i2c           3f804000.i2c                        I2C adapter

root@raspberrypi:/home/pi# ls -ld /dev/i2c*
crw-rw---T 1 root i2c 89, 0 May 27 01:08 /dev/i2c-0
crw-rw---T 1 root i2c 89, 1 May 27 01:08 /dev/i2c-1

PiAware/Dump1090 optimal setup

April 8th, 2015

I often find myself standing outside wondering what that plane is flying overhead. Services like Flightaware, or even Siri where you can say “Wolfram Alpha Planes Overhead”, can help you with this. But most have a delay of 5-10 minutes in the data you receive.

ADS-B (Automatic Dependent Surveillance-Broadcast) is an automated system for delivering data from planes to surrounding aircraft and ground listeners. All aircraft are required to be retrofitted by 2020 in the US/FAA region.

After spending some time tinkering, I have an optimal setup for ADS-B established at my home which allows me to see 150 planes up to 200 miles away. I wanted to document the parts list for what I did. While Flightaware has a list here: http://flightaware.com/adsb/piaware/build, that list is imperfect and slowly becoming out of date. Most items are available via Amazon Prime.

Required Parts:
* Raspberry Pi Model B+ (B Plus) 512MB $34 *or* Raspberry Pi 2 Model B $39
* ADS-B USB Adapter with antenna $24 *or* USB ADS-B Adapter no Antenna $17
* Power for Raspberry PI (2 Amp USB) *or* WS-POE-USB-Kit for Raspberry Pi $27
* 16GB MicroSD card w/ Adapter $8

Recommended:
* STRONGLY RECOMMENDED: 1090MHz Filter + Preamp – £41.99 + Shipping (may take 2+ weeks due to customs)
* ADS-B Antenna – $150
* ADS-B Antenna to Amplifier cable – $14
* Amplifier to USB Dongle cable $6
* Weatherproof Enclosure $45
* Fittings to attach box to building/chimney

Easy thin crust pizza

February 19th, 2015

While normally I focus on technical things, if you truly know me, you know I love pepperoni pizza and thin crust as well.

Here’s a quick and lazy (easy) way to make pizza:

Items needed:
– Hardtack rolling pin
– Rhodes Rolls
– Baking Sheet
– Sauce
– Toppings (eg: pepperoni, cheese)
– Flour

Optional: Cooking Spray, parchment paper

Set out 2-4 frozen rolls per person you would like to serve in a bowl or pan. Spray the pan with cooking spray, or sprinkle some flour on the rolls so they do not stick to each other. Let them warm for 1 hour. You can speed this process up by placing the pan by the vent of your stove and turning the oven on to slowly warm the dough.

After the dough has thawed and risen, sprinkle some flour on the roll or rolling pin so it doesn’t stick and is easy to work with.

Pre-heat your oven to 500-550 degrees.

Roll out the dough so it is thin enough it’s nearly transparent. The finished pizza will end up about 2x the thickness of what you roll out. Roll away from yourself, rotate and flip the dough and repeat until you reach a size of around 7-8 inches.

Put the dough on a cookie sheet, apply sauce and your toppings, and cook for 5 minutes or until the crust starts to turn golden.

If you are making many of these, beware that rolling out 2 rolls can easily take the entire 5 minutes of baking time, so an assistant may be helpful.

I find a kid eats 1-2 of these pizzas and an adult 2-4.

LB4M and cheap switching

February 13th, 2015

I’ve been starting to play around with the LB4M as a cheap switching platform. These can be had easily on eBay and other sites for around $100-105, including 2x10G-SR optics as part of the deal. The downside is the switches are perhaps a bit noisy and a bit hard to work with, as the CLI and software are a bit difficult to operate. It’s also not well supported by the manufacturer, nor is the software.

I’ve decided to create a small archive of the images and data related to this platform. Those can be found here: http://puck.nether.net/~jared/lb4m/

I am hoping to document some of the efforts I’m undertaking with these and any progress I have on getting more modern software, or even something linux based running on the box.

If you know how to do a factory firmware restore on these, please do contact me, even if it requires XMODEM or JTAG. I managed to load the improper firmware on the box such that the Boot Menu does not even appear.

Dynamic DNS and what it has to do with IPv6 and the NO-IP outage

July 2nd, 2014

For many years there have been a number of Dynamic DNS providers offering various paid and free services to the community. Some companies like DynamicDNS have parlayed these into larger commercial offerings of DNS services (now they are called Dyn).

Why do end-users need dynamic DNS services? The key reason has been that IP addresses changed often enough that one would not want to manually manage DNS settings, as they could take 24 hours or more to update.

Since the late 1990s there have been many changes under the hood of the internet and its protocols, including DNS. DNS NOTIFY messages can now be sent so that all the DNS servers stay in sync. The reliability of the networks involved has skyrocketed to the point of being utilitarian in function. (My home network stays up even if the power is out, all the way to the public internet.)

Marketers have taken advantage of this, with internet connected devices from video cameras to phones and even telepresence robots. You can use your internet connected security system or nanny cameras to check on the welfare of aging family members.

These devices either need to phone home to a central service or provide you a way to interact with them directly over the internet. Here’s where DDNS providers come into play; many of them are embedded into device firmware. Why is this necessary? Partly due to the changing IPs that may happen as part of your internet service. Many people don’t want to pay for a fixed IP address, so instead they use free services.

Much of this is rooted in the slowly growing “IPv4 run-out”, but there’s a related issue which is the lack of IPv6 support. This is a broad and complex issue since there are many moving parts. There is no clear demand for IPv6 as the existing internet “works just fine”, so why should investments be made? The IPv4 internet is not going away any time soon and many devices are not yet IPv6 ready.

While at my home I have business class service and static IPs, there are many people for whom that is not feasible to obtain. With the noip.com situation still unfolding, the most interesting stories for me are how people use security camera systems to check on elderly and mentally ill family members. I still view the internet as a bit more unreliable than others do, so this is a use case I had not thought about. If these homes had proper IPv6 service, it would perhaps mitigate the need for a DDNS provider to be involved at all, and with it the subsequent abuse and outage of these services, regardless of the cause.

It also reminds me that having a proper backup plan is critical. Internet operators make efforts to provide a stable and reliable service, but when it fails, what is your plan B? While an uncomfortable question, when technology fails you, whether your phone, GPS or internet mapping service, is the impact minor or major?

Here’s hoping that IPv6 will properly flourish to reduce the general public’s dependency upon DDNS providers for managing one’s home full of IP connected devices.

An update on puck and poor IPv6 performance

February 15th, 2013

Turns out the saga may not yet be over. There is a defect in the current version of VirtualBox. I’m using VirtualBox-4.2-4.2.6_82870_fedora18-1.x86_64 right now, and there seems to be an issue where IPv6 performance is only ~22Kb/s or so in most of my experiences.

https://www.virtualbox.org/ticket/9380

Hope this helps someone else.

UPDATE:

Disabling GRO seemed to work around the problem for me.

I spent a bunch of time running “iperf -V -s” between a VM and a host on the same machine/LAN/network interface. The performance one way would be fast, but the other way would be slow with GRO on. Hope this helps you.