EDIT: I simply needed to restart between the two scripts. UPDATE: I’m zeroing in on the recursive aspect of this. Our recursive aspect needs a little loving at this time. You can see this in the screenshots, our current work-around (non-recursive). A small edit somewhere in the code fixes or makes this more reliable even after reboot. It may be a matter of cron firewall settings at boot. It might be a UI bug. Maybe there’s a circular dependency in there, maybe it’s a port conflict, maybe it’s something to do with it only letting me in when in incognito mode, maybe I just need to look better at letting the recursive call out.
mah tool
The entirety of the below script can be copy/pasted into one nano file to display a nice snapshot of how our configuration is doing.
sudo nano tool.sh
CTRL + x
y (yes) to save
sudo chmod +x tool.sh
sudo ./tool.sh
tool.sh
#!/bin/bash
# Health check for the Pi-hole, Unbound and Tor services and their DNS plumbing.
# Stops at the first failed check. Run as root (iptables needs it).
set -e
# 1. Basic connectivity
echo "[+] Checking network connectivity..."
ping -c 4 google.com || { echo "[!] No network connection. Exiting..."; exit 1; }
# 2. Services
echo "[+] Checking if Pi-hole service is running..."
if systemctl is-active --quiet pihole-FTL; then
    echo "[+] Pi-hole is running."
else
    echo "[!] Pi-hole is not running. Exiting..."; exit 1
fi
echo "[+] Checking if Unbound DNS service is running..."
if systemctl is-active --quiet unbound; then
    echo "[+] Unbound is running."
else
    echo "[!] Unbound is not running. Exiting..."; exit 1
fi
echo "[+] Checking if Tor service is running..."
if systemctl is-active --quiet tor; then
    echo "[+] Tor is running."
else
    echo "[!] Tor is not running. Exiting..."; exit 1
fi
# 3. DNS redirection and resolution
echo "[+] Verifying iptables rules for DNS redirection..."
iptables -t nat -L OUTPUT -n -v | grep 'REDIRECT' || { echo "[!] DNS redirection via Tor is not set correctly. Exiting..."; exit 1; }
echo "[+] Testing DNS resolution through Tor..."
# dig exits 0 on any reply (SERVFAIL included), so check the response status too.
DIG_OUT=$(dig @127.0.0.1 -p 9053 google.com) || true
echo "$DIG_OUT"
echo "$DIG_OUT" | grep -q 'status: NOERROR' || { echo "[!] DNS resolution through Tor failed. Exiting..."; exit 1; }
# 4. Tor Hidden Service (checked through its hostname file)
echo "[+] Checking if Tor Hidden Service is running..."
if [ -f /var/lib/tor/pihole/hostname ]; then
    ONION_ADDR=$(cat /var/lib/tor/pihole/hostname)
    echo "[+] Tor Hidden Service is running with address: $ONION_ADDR"
else
    echo "[!] Tor Hidden Service is not available. Exiting..."; exit 1
fi
# 5. Local peer discovery and peer list
echo "[+] Verifying Avahi for local peer discovery..."
avahi-browse -rt _pihole._tcp || { echo "[!] Avahi service is not properly configured or not running. Exiting..."; exit 1; }
echo "[+] Checking Pi-hole peers configuration..."
if [ -f "/etc/pihole/nodes.conf" ]; then
    echo "[+] Pi-hole peer configuration file exists."
else
    echo "[!] Pi-hole peer configuration file does not exist. Exiting..."; exit 1
fi
echo "[+] Network diagnostics completed successfully."
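The `grep 'REDIRECT'` check in tool.sh passes for any REDIRECT rule in the nat OUTPUT chain, including ones that have nothing to do with DNS. The function below is an added example, not part of the original script: it inspects rules in `iptables -t nat -S OUTPUT` format and reports whether udp/53 is redirected to the expected port. The function name, the status strings, the sample rule sets and the default port 9053 (taken from the script's dig test) are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original tool.sh.
# dns_redirect_status RULES [PORT]
#   RULES  text in `iptables -t nat -S OUTPUT` format
#   PORT   port udp/53 must be redirected to (assumption: 9053, the port
#          the script queries with dig)
# Prints ok | wrong-port:N | no-dns-rule | no-redirect; returns 0 only for ok.
dns_redirect_status() {
    _want=${2:-9053}
    # Keep only OUTPUT rules that REDIRECT udp traffic destined to port 53.
    _dns=$(printf '%s\n' "$1" | grep -E \
        '^-A OUTPUT( .*)? -p udp( .*)? --dport 53( .*)? -j REDIRECT --to-ports [0-9]+$' || true)
    if [ -z "$_dns" ]; then
        if printf '%s\n' "$1" | grep -q -- '-j REDIRECT'; then
            echo "no-dns-rule"   # REDIRECT rules exist, but none covers udp/53
        else
            echo "no-redirect"   # no REDIRECT rule at all
        fi
        return 1
    fi
    # Rules are evaluated top to bottom, so judge the first udp/53 rule.
    _got=$(printf '%s\n' "$_dns" | sed -n 's/.*--to-ports \([0-9][0-9]*\)$/\1/p' | head -n 1)
    if [ "$_got" = "$_want" ]; then
        echo "ok"
        return 0
    fi
    echo "wrong-port:$_got"
    return 1
}

# Constructed sample rule sets (not captured from a real host).
GOOD_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 9053'
UNRELATED_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p tcp -m tcp --dport 80 -j REDIRECT --to-ports 8080'
WRONG_PORT_RULES='-P OUTPUT ACCEPT
-A OUTPUT -p udp -m udp --dport 53 -j REDIRECT --to-ports 5353'
NO_RULES='-P OUTPUT ACCEPT'

# Demo run over the constructed samples.
for sample in "$GOOD_RULES" "$UNRELATED_RULES" "$WRONG_PORT_RULES" "$NO_RULES"; do
    dns_redirect_status "$sample" || true
done
```

On the Pi itself, feed it the live rules with `dns_redirect_status "$(sudo iptables -t nat -S OUTPUT)"`.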