DNS-Over-TLS Built-In & Enforced – 1.1.1.1 and the GL.iNet GL-AR750S


GL.iNet GL-AR750S in black, same form-factor as the prior white GL.iNet GL-AR750. Credit card for comparison.

Back in April, I wrote about how it was possible to modify a router to encrypt DNS queries over TLS using Cloudflare’s 1.1.1.1 DNS Resolver. For this, I used the GL.iNet GL-AR750 because it came pre-installed with OpenWRT (LEDE). The folks at GL.iNet read that blog post and decided to bake DNS-Over-TLS support, using the 1.1.1.1 resolver, into their new router, and they sent me one to take a look at before it is available for pre-order. Their new router can also be configured to force DNS traffic to be encrypted before it leaves your local network, which is particularly useful for any IoT or mobile device with hard-coded DNS settings that would ordinarily ignore your router’s DNS settings and send DNS queries in plain text.


In my previous blog post I discussed how DNS was often the weakest link in the chain when it came to browsing privacy; whilst HTTP traffic is increasingly encrypted, this is seldom the case for DNS traffic. This makes it relatively trivial for an intermediary to work out what site you’re sending traffic to. In that post, I went through the technical steps required to modify a router using OpenWRT to support DNS Privacy using the DNS-Over-TLS protocol.

GL.iNet had been in contact since I wrote the original blog post and were very supportive of encrypting DNS queries at the router level. Last week, whilst I was working in Cloudflare’s San Francisco office, they reached out to me over Twitter to let me know they were soon to launch a new product with a new web UI containing a “DNS over TLS from Cloudflare” feature, and offered to send me the new router before it was even available for pre-order.

On arriving back at our London office, I found a package from Hong Kong waiting for me. Aside from the difference in colour, the AR750S is identical in form-factor to the AR750 and was packaged very similarly. Both have capacity for external storage and an OpenVPN client, and can be powered over USB, amongst many other useful functions. Beyond the S suffix on the model number, I did notice the new model has some upgraded specs, but I won’t dwell on that here.

Below you can see the white AR750 and the new black AR750S router together for comparison. Both have a WAN ethernet port, 2 LAN ethernet ports, a USB port for external storage (plus a micro SD port) and a micro USB power port.


The UI is where the real changes come. In the More Settings tab, there’s an option to configure DNS with some nice options.


One notable option is the DNS over TLS from Cloudflare toggle. With it enabled, the router sends its upstream DNS queries to 1.1.1.1 over TLS (DNS-Over-TLS, TCP port 853) rather than in plain text, so an intermediary between the router and the resolver cannot read them.

Another option, Override DNS Settings for All Clients, forcibly overrides the DNS configuration of every client so that all queries are encrypted before they reach the WAN. Unencrypted DNS traffic (port 53) is intercepted by the router and redirected to its own local resolver, whatever server the client asked for; that resolver then forwards the query over TLS to the upstream resolver, 1.1.1.1, before anything leaves the router for the public internet.

This option is particularly useful when dealing with embedded systems or IoT devices which don’t have configurable DNS options: Smart TVs, TV boxes, your toaster, etc. As this router can proxy traffic over to other Wi-Fi networks (and is portable), it is also useful when connecting out through an untrusted Wi-Fi network; the router sits in the middle and transparently upgrades unencrypted DNS queries. It is even useful with phones and tablets on which you can’t install a DNS-Over-TLS client. Note that the hop from the client to the router is still plain text; what the override protects against is an observer between the router and the resolver.

These options both come disabled by default, but can easily be toggled in the UI. As before, you can configure other DNS resolvers by toggling “Manual DNS Server Settings” and entering in any other DNS servers.

There are a number of other cool features I’ve noticed in this router; for example, the More Settings > Advanced option takes you into the standard LuCI UI that ordinarily comes bundled with LEDE routers. As with previous routers, you can easily SSH into the device, install various programs and perform customisations.

For example, after installing tcpdump on the router, I am able to run tcpdump -n -i wlan-sta 'port 853' to see encrypted DNS traffic leaving the router. When I run a DNS query against an unencrypted resolver (using dig A junade.com on my local computer), I can see the outgoing DNS traffic upgraded to encrypted queries to 1.1.1.1 and 1.0.0.1. The complementary check is the same capture filtered on 'port 53' instead, which should stay silent once the override is enabled.
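The upstream leg of what the router does once DNS-Over-TLS is enabled, as an added example that is not code from the original post, from Cloudflare or from GL.iNet: a stub resolver that builds an RFC 1035 query, frames it with the 2-octet length prefix that DNS-over-TCP and DoT require, and sends it to 1.1.1.1:853 inside a certificate-verified TLS session. The TLS name cloudflare-dns.com, the function names and the sample response bytes are assumptions of the example; parse_a_records runs offline against the constructed response, while query_dot needs network access and produces exactly the port 853 traffic the tcpdump above shows.

```python
"""DNS-over-TLS (RFC 7858) stub query against 1.1.1.1:853.

Added example for this post: not code from the original post, from Cloudflare
or from GL.iNet. The SNI name, the function names and SAMPLE_RESPONSE are
assumptions constructed for the example.
"""
import secrets
import socket
import ssl
import struct
from typing import List, Optional

DOT_SERVER = "1.1.1.1"
DOT_PORT = 853
DOT_SNI = "cloudflare-dns.com"  # assumption: name the resolver's certificate is verified against


def build_query(name: str, txid: Optional[int] = None, qtype: int = 1) -> bytes:
    """Wire-format DNS query (RFC 1035 s4.1): header, QNAME, QTYPE, QCLASS IN, RD flag set."""
    if txid is None:
        txid = secrets.randbits(16)  # unpredictable ID: one of the spoofing checks a stub makes
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("!B", len(label)) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def frame(msg: bytes) -> bytes:
    """DoT carries DNS over TCP, so each message is preceded by its 2-octet big-endian length."""
    return struct.pack("!H", len(msg)) + msg


def _skip_name(buf: bytes, off: int) -> int:
    """Offset just past the domain name at off, handling compression pointers (0xC0xx)."""
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # a pointer is two octets and terminates the name
            return off + 2
        off += 1 + length


def parse_a_records(resp: bytes, expected_txid: int) -> List[str]:
    """Validate the response header and return the IPv4 addresses in its answer section."""
    txid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", resp[:12])
    if txid != expected_txid:
        raise ValueError("transaction ID does not match the query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is not a response")
    if flags & 0x000F:
        raise ValueError("server returned RCODE %d" % (flags & 0x000F))
    off = 12
    for _ in range(qdcount):
        off = _skip_name(resp, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(resp, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10
        rdata = resp[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def _recv_exact(sock, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("TLS connection closed mid-message")
        buf += chunk
    return buf


def query_dot(name: str, server: str = DOT_SERVER, sni: str = DOT_SNI, timeout: float = 5.0) -> List[str]:
    """Resolve name's A records over DoT; create_default_context verifies chain and hostname."""
    query = build_query(name)
    txid = struct.unpack("!H", query[:2])[0]
    ctx = ssl.create_default_context()
    with socket.create_connection((server, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=sni) as tls:
            tls.sendall(frame(query))
            (length,) = struct.unpack("!H", _recv_exact(tls, 2))
            return parse_a_records(_recv_exact(tls, length), txid)


# Constructed sample response (not a real capture): "junade.com A 192.0.2.1", TTL 300,
# with the answer's owner name given as a compression pointer to the question (0xC00C).
SAMPLE_TXID = 0x1234
SAMPLE_RESPONSE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header: QR, RD, RA, RCODE 0
    b"\x06junade\x03com\x00\x00\x01\x00\x01"  # question: junade.com A IN
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\xc0\x00\x02\x01"  # answer
)

if __name__ == "__main__":
    print(parse_a_records(SAMPLE_RESPONSE, SAMPLE_TXID))  # offline: ['192.0.2.1']
    print(query_dot("junade.com"))  # needs network access to 1.1.1.1:853
```

On the router itself this is the job of the local resolver (the post does not say which one GL.iNet ships), and the override option is just a redirect of port 53 to that resolver; a capture on the WAN interface then shows only port 853 TLS sessions, whatever server the client thought it was talking to.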


If you’re interested in learning how to configure 1.1.1.1 on other routers, your computer or your phone, check out the project landing page at https://1.1.1.1/. If you’re a developer and want to learn how you can integrate 1.1.1.1 into your project with either DNS-Over-TLS or DNS-Over-HTTPS, check out the 1.1.1.1 Developer Documentation.

Source:: CloudFlare

How to operationalize Cumulus Linux

Thanks to the limitations of traditional networks, network operators are accustomed to doing everything manually and slowly. But they want to perform configuration, troubleshooting and upgrades faster and with fewer mistakes. They’re ready and willing to learn a new approach, but they want to know what their options are. More importantly, they want to do it right. The good news is, regardless of your organization’s specific goals, you can operationalize Cumulus Linux to meet those objectives faster and more consistently. This post will help you understand your options for developing agile, speed-of-business workflows for:

Configuration management
Backup and recovery
Troubleshooting

And if you’re looking for a deeper, more technical dive into how to implement these network operations, download this white paper.

Configuration management

Automation

The biggest disadvantage of manual configuration is that it simply doesn’t scale. Implementing BGP across dozens of switches is a copy-and-paste endeavor that’s time-consuming and prone to error. Not only that, checking that the configuration took effect and works as expected requires hop-by-hop verification in addition to testing route propagation and IP connectivity. However, in a small network, there’s no shame in at least starting out doing everything by hand.

Cumulus Linux lets you use a configuration management platform such as Ansible, Puppet or Chef to make frequent, sweeping changes at scale. But more importantly, automation comes with an “undo” button that lets you revert those changes immediately and painlessly should you change your mind.

By storing your configurations in a centralized repository using a version control system such as Git, you essentially keep a backup of all your past and current configurations. If you make a change and it fails, you can revert to a previous working configuration with the push of a button. Version control functions as a de facto backup. Even better, version control makes it easier to push your configurations to a test environment that mirrors your production network.

Network Command Line Utility (NCLU) vs. editing configuration files

Regardless of whether you choose an automated or manual approach, you also must decide how to get your configurations onto your devices. You have two options: editing flat configuration files, or the Network Command Line Utility (NCLU).

Editing configuration files by hand is prone to error, and there are no safety checks to ensure that the directives in your configuration files are valid. Even if you successfully push out a new configuration file, you won’t necessarily know something is wrong until you see symptoms of a broken network. You should test all changes in a simulated lab environment first.

Thankfully, editing flat files isn’t the only option. You can use the NCLU to handle this process behind the scenes. Rather than editing one file to change your IGP configurations, and another to change your network interface settings, you can use the NCLU to do it all. One big advantage of the NCLU is that it checks for typos and doesn’t accept invalid commands, in much the same way Cisco IOS rejects commands with missing parameters or invalid values.

The NCLU has two wrappers that let you invoke it manually via the CLI or through the NCLU Ansible module. For manual work, the net command lets you specify configuration commands directly at the CLI. For automation, Ansible ships with an NCLU module that lets you specify the same commands in your declarative code.

NCLU also offers a rollback feature that lets you roll back to a previous configuration, regardless of whether that configuration was done manually or via automation. Issuing a net show commit history shows you recent commits, which include both manual and automated changes.

Backup and recovery

Cumulus Linux is just Linux, so if you’re already backing up Linux hosts in your environment, adding your Cumulus Linux network devices to your regular backup processes is seamless. There are numerous network-specific folders and files you should back up, including both Linux system files and Cumulus-specific configuration files. Some of these include:

/etc/network/
/etc/cumulus/ports.conf
/etc/cumulus/switchd.conf
/etc/frr/

This list isn’t exhaustive, and you should see the Installation Management chapter of the Cumulus Linux User Guide for a full list.

Of course, remember to copy the backup off the switch to a safe place, otherwise it’s not a backup! A copy of the configuration in NCLU command form also makes a great learning tool: you can just glance at the net commands to understand what the configuration does. And if you’re contemplating automation, having those commands at your fingertips makes it a breeze to construct your automation playbooks. Check out the automated NCLU backup playbook to help you get started.

Troubleshooting

Network troubleshooting consists of three basic steps:

Isolating the problem
Implementing a fix
Verifying the fix resolves the problem

Cumulus Linux and Cumulus NetQ speed up the entire troubleshooting process in several ways. First, Cumulus NetQ maintains a graph of your network, not just as it is now, but how it was hours, days, and even weeks ago! This lets you identify not only what part of the network changed, but when it changed.

Isolating the problem

The first task is to rule the network in or out. Often, the network is presumed guilty until proven innocent, so most troubleshooting starts by ruling the network out as the culprit.

Once you determine the network is indeed the problem, you must determine where on the network the problem lies. Is it a network configuration error, switch operating system issue, carrier fault or hardware issue?

Cumulus Linux and Cumulus NetQ take the pain out of the troubleshooting process. You can use Cumulus NetQ to perform the bulk of your diagnostics from a single switch or management server in seconds.

Cumulus NetQ lets you pipe the output from one command to the netq resolve command to have it resolve the IP addresses of your switches to their hostnames. This gives you a powerful way to see your network topology without having to manually look up IP addresses. By just glancing at the output from Cumulus NetQ, you can determine, for example, that spine01 has layer 2 connectivity to its failed OSPF neighbors.

Implementing a fix

Once you’ve narrowed the issue down to the configuration on a handful of switches, you can start to determine exactly what changed. Because Cumulus Linux keeps a record of every change made using the NCLU, figuring this out isn’t guesswork; it’s just a matter of using the net show commit last command. To undo changes, issue the net rollback last command. Then check the new configuration.

When you perform a rollback, the NCLU takes another snapshot. Even if the rollback doesn’t resolve the problem, you can roll back the rollback and start over. This gives you peace of mind that you’re not compounding the problem by making a bunch of unnecessary changes.

Verifying the fix

How you verify whether the problem is resolved depends on the nature of the problem. With intermittent problems, it’s just a matter of waiting and seeing if the problem reoccurs. With ongoing problems, you have to check whether the original symptoms are still occurring. But nothing’s more annoying than believing you’ve resolved a problem, only to have it show up again later. Cumulus NetQ can help you validate that the fixes you implemented really did have the effect you intended.

The choice is yours

How you operationalize Cumulus Linux is really up to you. Instead of being locked into a set way of doing things as with traditional networks, you have the flexibility to form your own workflows and processes. Cumulus Linux will adapt to you! Traditional networks have conditioned us to think of the network as a decentralized collection of disparate devices that require a lot of individual attention. Thanks to Cumulus Linux and Cumulus NetQ, you can configure and troubleshoot the network as a cohesive unit from a single management server.

The post How to operationalize Cumulus Linux appeared first on Cumulus Networks Blog.

Source:: Cumulus Networks

Pump up your summer parties with this killer Prime deal on Anker’s SoundCore 2 Bluetooth speaker

There are a lot of Bluetooth speakers out there, and it can be hard to cut through all the noise. Amazon makes it easy today with this killer deal on Anker’s super popular, well-reviewed SoundCore 2. Right now it’s on sale for $28, the lowest price we’ve ever seen and a sharp discount from its usual price of $42. Like most of the deals this week, you need to be a Prime member to get that price. (You can sign up for a 30-day free trial here.)


Source:: IT news – Hardware Systems

Here come the first blockchain smartphones: What you need to know

After months of speculation, Taiwanese electronics company HTC Corp. has confirmed it will be releasing a blockchain-enabled smartphone this year that will allow users to securely store cryptocurrency offline and act as a compute node in a blockchain network.

“We want to double and triple the number of nodes of Ethereum and Bitcoin,” HTC said in its marketing material for the device. The new smartphone is expected to be able to work with multiple blockchain protocols allowing for interoperability between them.


In addition, the HTC Exodus blockchain-enabled smartphone will allow owners to play CryptoKitties, a decentralized app (Dapp) game. Dapps are applications that run across multiple nodes on peer-to-peer (P2P) networks.


Source:: IT news – Security