Archives

All posts for the month March, 2013

Using DD-WRT for Local DNS and DHCP

Posted by Ripdubski on 2013.03.26
Posted in: DD-WRT. Tagged: , , , , . 24 Comments
English: Screenshot of DD-WRT v24 SP2 mini bui...

English: Screenshot of DD-WRT v24 SP2 mini build running on a Linksys WRT160N. MAC address and WAN IP blanked out. (Photo credit: Wikipedia)

NOTE: I no longer use DD-WRT and am unable to answer any questions about it.

I’ve been slowly feeding you information on how to get the most out of the open-source DD-WRT router firmware.

In this article I’ll show you how to setup DD-WRT to act as a local name server on your home network and as a forwarder for external requests.  This will let you lookup names on your internal network (like xbox360, bluray, printer, etc) and continue to lookup names for external sites (like http://www.bing.com, http://www.opendns.com, http://www.apple.com, etc).

Before you begin you should have already enabled JFFS.  I showed you how here: Enable JFFS on DD-WRT

Enable DNS and DHCP

First you need to enable Local DNS and DHCP.  This turns on DNSMasq (built into DD-WRT) to do local network name resolution and distribute IP addresses via DHCP.  Pooled addresses get used and released via timed leases (devices using a pooled address may not always get the same IP address).  Static Addresses entered in the DHCP options are respected by DNSMasq and issued to the devices when they connect and request an IP address (devices using static addresses always get the same IP address).  Use a static address for devices that will never need to change, like your printer or a desktop computer.

  • Open a browser and point it to your router running DD-WRT.  Authenticate with the admin ID and password when needed.
  • Go to the “Setup > Basic Setup” tab.
  • In the “Network Setup > Router IP” section, enter the following details:
Local DNS = 0.0.0.0
  • In the “Setup > Basic” tab, in the “Network Address Server Settings (DHCP)” section, set the following options:
DHCP Type = DHCP Server
DHCP Server = Enable
Start IP Address = Whatever you want
Maximum DHCP Users = However big a pool you want. Do not overrun subnet!
Client Lease Time = 1440
Static DNS Addresses: 192.168.64.1, 208.67.220.220, 208.67.222.123
WINS = 0.0.0.0
Use DNSMasq for DHCP = Enable
Use DNSMasq for DNS = Enable
DHCP Authoritative = Enable

Note:  The Static DNS Addresses will be different for your network.  In this case I have set the address of the router itself (192.168.64.1) – fill in your routers address here (not the WAN one), and two OpenDNS name servers (208.67.220.220 and 208.67.222.123).  I’ll talk about OpenDNS in another post, but what these do is filter websites based on my custom criteria (*.220.220).  In the event that server does not respond in a timely manner, the request then goes to a more restrictive pre-configured filter supplied by OpenDNS FamilyShield (*.222.123).  The filtering effectively blocks access to sites deemed inappropriate.

  • In the “Services Management > DHCP Server” section, set the following options.  In this example I use “home.net” as the home network identifier.   You can replace “home” with whatever your like.  You can replace “.net” with a few different choices.  Home networks are most closely categorized into “.net” or “.info”.  If you are not registering a domain name to point to your WAN IP address, you can use whatever you want including “.com” or “.mil”.  You can, but don’t – home networks are not commercial or military.  Further, don’t use “.example”, “.test”, “.invalid”, or “.localhost” – these are reserved.  See the following link for a list you can choose from: top level domains.
Used Domain: LAN & WLAN
LAN Domain: home
Add any static leases you want or need.
  • In the “Services Management > DNSMasq” section, set the following options:
DNSMasq = Enable
Local DNS = Enable
  • There is a field for “Addition DNSMasq Options” in the DNSMasq section.  Set it as follows:
local=/home/
expand-hosts
domain-needed
bogus-priv
addn-hosts=/jffs/etc/hosts.home
strict-order

You may find these options useful as well:
no-poll : (may be useful to reduce system load on non embedded as well)
no-hosts : (we’re not going to read from any system generated hosts file on a ram disk) (for this configuration DO NOT set this!)

  • Click “Apply Settings”, then “Save”.

Create Static Hosts File

Now you need to create a hosts file that will be persistent across reboots for those devices which are you want using static IP addresses (like printers, routers, etc).

  • ssh into the router and login as root.
  • Change directory to jffs/etc: “cd /jffs/etc”
  • Create and edit the file “hosts.home” using vi (vi hosts.home).
  • Add the entries and save the file (with “ESC Z Z” or “:w!:q!”.  Entry formats are “xxx.xxx.xxx.xxx name” where xxx.xxx.xxx.xxx is the IP address you want to reserve and name is the device name you want referenced as.  Multiple names can be given, just enter them all on the same line separated by a space (xxx.xxx.xxx.xxx name1 name2 etc).

Reboot

Reboot the router by going to the “Administration > Management” tab in the browser interface.  Scroll to the bottom and click the “Reboot Router” button.

If all goes well, you should be able to lookup names on your network like “xbox360” or “xbox360.home” and get a result, as well as normal internet name resolution for external sites like “www.apple.com”.

If you can not resolve local names, you may need to release and re-acquire the IP and DNS information on the host your trying to resolve from.  The easiest way is to just reboot it as well.

Note: Netflix on iOS devices causes DNSMasq to think a DNS rebind attack is occurring and by default an option in DNSMasq is forcibly set that you can not override in the GUI. A special workaround is needed to remove that option when DNSMasq starts.  I showed you how to fix rebind here: Fixing DNS Rebind on DD-WRT

Vinyl Used to be King

Posted by Ripdubski on 2013.03.13
Posted in: General. Tagged: , , , . Leave a comment
Day 033/366: My Record Player

(Photo credit: Great Beyond)

Growing up with Vinyl LP’s as the defacto standard for music distribution I managed to collect quite a few before Compact Discs replaced them.  It’s interesting to know that these are still manufactured today.  You can even find them for some very well known artists.

I always knew that LP’s were created by stamping, but I ran across this article which really explains the process well, as well as the hurdles the LP has faced along the way.  Very interesting read.

http://gizmodo.com/5987010/how-records-are-made

Password Management for non Elephants

Posted by Ripdubski on 2013.03.06
Posted in: Security. Tagged: , , , , , , , , , . 2 Comments

Password Managers

Over the years I have used many different password managers.  Being a nerd and working in I.T. I have a lot passwords to keep track of (well over 250).  All unique, all complex.  I don’t have the memory of an elephant so remembering all of them is out of the question.  In this article I will discuss how I manage them effectively.

A long time ago I recognized the need to store passwords somewhere safe.  At the time there were not many applications, if any, for storing this information.  I started out using a password encrypted Excel spreadsheet.  This worked out fine because I mainly needed it for work anyway.

Once I needed to manage passwords for home as well the spreadsheet solution didn’t work that well for me.  There were a few password managers out then, but I wasn’t sure I trusted any of them, and didn’t want to pay what they were asking.  So I did what all coders would do, I wrote my own.  In comes KeySafe with RC4 encryption.  At the time I was using a mix of platforms so I needed it to work across all of them (Mac, Windows, and Linux).  All I had to do was copy the encrypted file between the computers.  I had intended to sell it as shareware, but never did.

That worked for quite a while, but it became increasingly difficult to remember which computer had the latest encrypted file.  I sometimes inadvertently replaced the most current with an older one and ended up losing a password.  A lot had changed since I first wrote it and I could not get it to compile any changes without significant effort and re-writing.  So I chose to look for a new alternative.

I tried several different password managers including mSevenSoftware mSecure, Acrylic Software Wallet, (OpenSource) KeyPass, and several others.  There were things I liked about all of them as well as things I didn’t like.  I should state that the browser’s password management feature was not an option since I also store non web based passwords.

Ultimately I chose Acrylic Software Wallet.  It had excellent aesthetics and an iOS application which could sync to the desktop.  It didn’t support Linux or Windows.  Linux didn’t matter that much any more for me, and I thought I could make do without the Windows side since it had an iOS companion.  This worked very well until July 2012 when the author announced it would no longer be developed as he was taking a job with Facebook.  So the search began again.

This time I looked at some I had looked at before and some other ones.  mSevenSoftware mSecure, (OpenSource) KeePass, AgileBits 1PasswordSiberSystems Roboform, and SBSH SafeWallet.  I wanted something that met five criteria:

  1. Must have an Mac OSX desktop application.
  2. Must have an iOS application.  Which must allow a master password for unlocking and not a crappy 4 digit pin (these can be hacked inside 45 minutes).
  3. Must have a Windows desktop application (yes I was tired of looking everything up on iOS and having to type in long complicated passwords).
  4. Must have the ability to intelligently sync between them.
  5. Must not be cost prohibitive once purchased for all needed platforms.

By this time I had started using LastPass as an augment to Wallet.  I still maintained every password in Wallet, but used LastPass to do automatic form filling (user name / password) for web sites.  The LastPass goal is to be the last password you need.  Very strong encryption, and you can use it across browsers and across computers.  Login once and it remembers, so the next time you don’t have to type in or copy/paste the password from a password manager.  Very nice indeed.  Wallet had this ability but it was only for Mac OSX so I didn’t use it.

After several email exchanges with each of the publishers and a spreadsheet showing pro’s and con’s of each password manager I chose SBSH SafeWallet.  It had everything I was looking for and was cheaper than the rest.  AgileBits 1Password was a close second.  SafeWallet served me well, until…  They announced in early 2013 they were changing how sync worked – moving the sync mechanism to their servers and disallowing the existing sync methods.  While this normally wouldn’t cause me much grief, I don’t like it because SBSH is based in Tel Aviv, Israel.  They say their servers will be in the United States, but who knows what they could/would do behind the scenes.  I’m not saying it’s a risk.  I am saying that I, personally, am not comfortable with that move.  Back to the drawing board.

Since it was so recently that I moved to SafeWallet, I only chose to look at my second choice – AgileBits 1Password.  I didn’t choose 1Password before because it allowed login with only a 4 digit pin, then a master password to open select items.  I asked some friends that were using it how they liked it and received good feedback.  I emailed their support to get a feel for the iOS app since there is no trial.  I found out they now had the option to not use the 4 digit pin.  They also sell bundles which reduces the overall cost.  Sold!

I recently completed the transition from SafeWallet to 1Password and couldn’t be happier.  It even has web browser plugins that do the form filling (username / password) just like LastPass.  So I no longer need LastPass.

1Password Usage

When you launch the Mac OSX desktop application you are presented with a lock screen. You enter your master password to unlock it.

1POSXUnlock

Once its unlocked you have access to all web passwords, system logins, secure notes and whatever else you’ve securely stored in it.  You can manage the passwords in multiple ways.  I use folders and tags, both of which are optional.

I use tags as a means to categorize and find items relating to a specific subject (ie: work, personal, career, etc).  The items may be a mix of web sites, system logins, notes, etc.  Click the tag and see everything related.  Each item can have multiple tags if applicable, unlike folders.  An item can only be in one folder.

I use folders as a means to categorize and find items similar to tags but on a more granular level (ie: work web sites, career web sites, personal web sites, finance web sites, work system logins, etc).  One could argue this could be done with tags as well and not use folders.  In the end it’s your choice – whatever works for you.

While using the 1Password desktop application alone and copy/pasting passwords into web login forms is fine, the browser plugin really makes this easy.  This is the part that replaces LastPass for me.  Install the browser plugin first, then restart your browser.  When you first start the browser you will need to unlock 1Password before using it.  Click the key icon and the unlock screen appears (these are all from Mac OSX Safari):

1PWebUnlock

Enter your master password to unlock it.  Visit a website you need to login to, click the key icon again and be presented with the choices that match.  In this example I went to Google Mail and 1Password recognized three account options.

1PWebFillDetect

I click the one I want and it fills in the details.

1PWebSigninFill

It can click the sign-in / logon button for you but I choose to do that myself.

If you are creating a login for a new site you can use 1Passwords builtin password generator.  It can create complex passwords with ease.  Click the key icon in the browser button bar to bring up the 1Password dialog, then click the icon that looks like the dial on a safe.  Adjust the parameters as necessary.  Click Fill when you are satisfied and 1Password will populate any password fields on the web page you are viewing.

1PWebGenerate

Once you click the login button on a web site, if it does not know the credentials for that site it will ask if you want to save the ones you entered.  This prompt will be in a bar at the top of the web page you are viewing. You can alter the name it suggests, then click the Save button.  If you don’t want to save it, click the X icon.

1PWebSaveNew

Now it will appear in the desktop application where you can tag and folder it how you like.

As a safety precaution, ALWAYS logout of any website you login to!

1PWebSignout

Now you’ve seen the Mac OSX desktop side.  The Windows side is not as pretty but functionally the same.  I’m told by the developer that a new version is in the works.

The iOS version works very similar.  When you start you need to unlock it:

1PiOSUnlock

I have it set to ask for the master password in order to unlock it.  4 digit passcodes are NOT safe.  DO NOT use them if you can avoid it.  They can be cracked through brute force trial and error in as little as 45 minutes.  To disable the 4 digit passcode, open settings inside the 1Password application and turn off the “Quick Unlock Code” option (green dot item below):

1PiOSSecurity

I know this sounds like an advertisement for 1Password, and it sort of is, though I get nothing in return.  It is simply an outstanding product and gets my full endorsement.  It is very secure, has very strong encryption, pleasing aesthetics, seamless syncing, and many other options.  Now I only have to remember the password to get into it!

Fixing DNS Rebind on DD-WRT

Posted by Ripdubski on 2013.03.04
Posted in: DD-WRT. Tagged: , , , . 4 Comments

NOTE: I no longer use DD-WRT and am unable to answer any questions about it.

DNS rebinding is a form of computer attack.  The DNS service (dnsmasq) built into DD-WRT has protections against this which are turned ON by default.  You might need to disable it if you use Netflix on any iOS devices due to the way Netflix is implemented (if you can’t stream from an iOS device you probably need this turned off).

Since the current build (v24-sp2-14896) of DD-WRT for the ASUS RT-N16 router does not have the option to toggle DNS rebind protection on and off, and it can’t be set as a parameter, a post boot fix is required.  This is a show to setup a small script that will make the required changes.  It is executed after the router boots.  You must have previously enabled JFFS for this to work.

  • Login to the router as the administrator via ssh (command line not web interface).
  • Change directory to the bin directory under /jffs (create it if its not there):
cd /jffs/bin
  • Use vi to create the script (vi boot_set.sh), or you can create it elsewhere and scp for ftp it up to the router.  Just make sure its in the /jffs directory tree.  Contents should be:
#!/bin/sh
# Fix DNS Rebind

# Make a copy of the booted configuration
cp /tmp/dnsmasq.conf /tmp/dnsmasq.orig

# Copy the contents of the booted configuration to a new file
# but excluding the stop-dns-rebind line
cat /tmp/dnsmasq.conf | sed -e '/stop-dns-rebind/d' > /tmp/dnsmasq.norebind

# Kill off the dnsmasq service
killall -9 dnsmasq

# Wait 1 second
sleep 1

# Move the new configuration file over the booted one
mv /tmp/dnsmasq.norebind /tmp/dnsmasq.conf

# Restart the dns service (dnsmasq) and tell it where 
# the configuration file is
dnsmasq --conf-file=/tmp/dnsmasq.conf
  • Mark the file as executable
chmod 755 boot_set.sh
  • Logout of the command line with ‘exit’.
  • Now login to the web interface of the router.
  • Select ‘Administration > Commands’ from the menu tabs.
  • In the commands field of the “Command Shell” section (at the top) enter (assuming you put it in /jffs/bin):
/jffs/bin/boot_set.sh
  • Click the “Save Startup” button.
  • Select ‘Administration > Management’ from the menu tabs.
  • Scroll to the bottom of the page.
  • Click the “Reboot Router” button.

After the reboot, DNS rebinding should be disabled!