Arun's blog π
-
Penta in escalation
We had a better gun, yes, but I will take that penta.
-
Setting up Pi-hole on the Tailscale network
I have been a fan of NextDNS for the last year or so. It’s easy to use, is cheap, and makes it incredibly easy to manage my ad-block lists. The configuration functionality of NextDNS is great as well, as it allows for compartmentalized setup.
However, I have always wanted to start using Pi-hole as it offers more data control (self-hosted) and because it’s open source. While Pi-hole setup is straightforward and can act as a network-wide ad-blocker within your house, extending that to mobile/other networks, for on-the-go usage is not easy. Pi-hole docs have this guide about setting up that extension, using OpenVPN protocol but I hear Wireguard has superior performance.
I tried Rajan’s guide involving Wireguard, and later came Tailscale which makes VPNs stupidly easy.
Tailscale is built on the top of the Wireguard protocol as well.
Once you have installed and logged into your Tailscale account on your devices, they will basically be available on a flat network, thus allowing your devices to talk to each other. Talk in this context refers to setting up a service/server on one device, making it listen on the Tailscale network and making the other devices connect to it.
For the purpose of this post, I will explain how I set up my Pi-hole to listen on the Tailscale network, allowing for network-wide ad blocking.
Get Tailscale on your devices and log with a Google or Microsoft account
- Tailscale is available for download on Android, iOS, Windows, Mac and Linux. You can get your copy here.
- Once you have installed it, log into each device using your Google or Microsoft account.
- Do so on the Linux device that you are about to use for your Pi-hole as well. If you have a Windows device, you can install Linux on it using Windows Subsystem for Linux.
- Once that’s completed, you can find your devices on this Tailscale admin page.
Set up Pi-hole on a Linux device
It’s time to install Pi-hole on your Raspberry Pi or the Linux device.
Work through the Pi-hole setup guide here. The basic installer at the top of the page can work.
Note:
While setting that up, you will be prompted to choose a “listening interface”. Choose “tailscale0”, not “eth0”.
Once the set up is done, you can visit
Settings > DNStab of your Pi-hole settings to verify thatListen only on interface tailscale0is selected underInterface listening behavior.
Indicates the “Interface Listening Behavior” setting on my Pi-hole At this stage, Pi-hole set up is all done!
Marking Pi-hole as DNS resolver for all Tailscale devices
Log into your Tailscale admin dashboard. Under the
Name serverssection, enter the Tailscale node address for the device you installed Pi-hole on.Magic DNS
Make sure that you do not enable magic DNS. I am fuzzy on what it’s supposed to do, but I have noticed that non-Tailscale traffic doesn’t work when magic DNS is enabled. It’s probably being discussed on this GitHub issue.
In my case, I have two Pi-holes. One on my Raspberry Pi at home, and one on the Google Cloud. As such, the two addresses that I entered on my Tailscale name servers section are 100.112.92.63 and 100.127.221.120.
Name servers entered on my Tailscale account Once your name servers are added, enable Tailscale on your computer/mobile devices. By doing so, your VPN configuration will be enabled, and all DNS queries will be tunneled to your Pi-hole. This will work even when you are on a mobile network, outside of your house!
Disable private DNS on Android
If you have a private DNS address added on your Android settings, turn it off.
Things to note
One of the things that Tailscale promises is that the Tailscale node address never changes for your device. This ensures that the name servers that you just entered always work, thus not leaving you without a DNS resolver.
Are apps/websites not loading?
It’s possible that you enabled Tailscale on your computer/mobile before adding the Pi-hole’s node address on Tailscale DNS page. In such a case, restart Tailscale on your device and it must fetch the name servers from your admin.
Do not enable
Block connections without a VPNsetting on your Android VPN settings. Brad explains why here.You can share your Tailscale node where Pi-hole is running (your Raspberry Pi device or the Linux device) with other Tailscale users. Once they accept the invite, they can add your Tailscale node address as the name server on their DNS page. By doing so, they will get the benefit of your Pi-hole as well.
This is not an open resolver. This Pi-hole DNS resolver will be accessible only by Tailscale nodes on your Tailscale network, and by those that you invite to that device.
Access ad-free, tracker-free Google search results.
Access your ProtonMail emails on a self-hosted, open-source bridge called Hydroxide.
Self-host a private, ad and tracker-free reddit frontend UI with libreddit.
-
Airship! π
π’ MARCH 31 π’#TheAirship is coming.
— Among Us βοΈ omg almost March 31 – The Airship!! (@AmongUsGame) March 18, 2021
this NEW map is our biggest one yet, including:
β’ all new tasks
β’ different starting rooms
β’ preliminary account system
β’ more!!!
wake up ur crew it's almost time to eject impostors
ποΈ Dev log: https://t.co/bWP008pKmr pic.twitter.com/ZcTZFjsu3nThe hype is real! The map will be available for free on all platforms.
-
Among Us wrangler
At Automattic, we are able to pick our own job titles. After hosting a few rounds of Among Us within my team yesterday, I am officially our in-house Among Us wrangler!
-
Kudos to Apple for privacy-focussed features
I have been using ProtonMail, Signal, DuckDuckGo and SimpleLogin for a fairly long time. These make up an integral part of my online presence, and I cannot go back to a time where these didn’t exist.
Without doubt, I truly enjoy and recommend using privacy-respecting products.
In a recent conference, Tim Cook committed to advancing user privacy by giving them tools to control where their data is shared. Especially in today’s world, it’s important to understand the implications of online data tracking, and it’s necessary to be informed about ways to prevent that. Apple’s recent release of an illustration explaining implications of data tracking will be a great read. While the conclusion of that report focusses on Apple-centric tools to prevent data tracking, the content of the report holds true, that companies profit by monitoring users.
At Apple, we made our choice a long time ago. We believe that ethical technology is technology that works for you. It’s technology that helps you sleep, not keeps you up. It tells you when you’ve had enough, it gives you space to create, or draw, or write or learn, not refresh just one more time. It’s technology that can fade into the background when you’re on a hike or going for a swim but is there to warn you when your heart rate spikes or help you when you’ve had a nasty fall. And with all of this, always, it’s privacy and security first, because no-one needs to trade away the rights of their users to deliver a great product.
Tim Cook at the Computers, Privacy and Data Protection conference, MacRumorsStarting with the next beta release of iOS 14, Apple will be launching a new tool called
App Tracking Transparencythat will enable users of apps to control sharing of data with app makers. By taking away data tracking functionality within the iOS ecosystem, Apple is definitely making a sizeable dent in businesses that primarily focus on monetizing user data, read Facebook.
Apple’s new App Tracking Transparency feature that will be available in the next beta release of iOS 14 Open-source software like Pi-hole has existed for a while, and recently, online services like NextDNS and AdGuard have emerged that offer similar controls. I am a happy user of these products and services, but I particularly like how Apple is championing this effort.
iOS takes up 50% of the market share in the US, which is Facebook’s largest market. If Facebook is feeling threatened by Apple iOS 14’s new privacy features, we are moving in the right direction.
It’s also worth noting that WhatsApp will be sharing user data with Facebook group of companies. It’s particularly worse for those WhatsApp Business API users as their messages wouldn’t be end-to-end encrypted. Differently put, they will be visible to third-party Business Solutions Providers, including cloud-based version of the API hosted by Facebook:
Some organizations may choose to delegate management of their WhatsApp Business API endpoint to a third-party Business Solution Provider. In these instances, communication still uses the same Signal protocol encryption. However, because the WhatsApp Business API user has chosen a third party to manage their endpoint, WhatsApp does not consider these messages end-to-end encrypted. In the future, in 2021, this will also apply to businesses that choose to leverage the cloud-based version of the API hosted by Facebook.
Gizmodo – This Was WhatsApp’s Plan All AlongOn the flip side, Apple is fighting back, highlighting that this will impact small businesses that depend on personalized ads for sales. Facebook also highlights that Apple’s own apps will be exempted from App Tracking Transparency, but it’s not clear if that’s true, based on Apple’s press release.
Other privacy efforts by Apple that I appreciate
In June of 2020, Apple announced support for native encrypted DNS throughout the device. This is a big deal for users like me that have a NextDNS subscription.
In iOS 14 and iPad OS 14, Apple also launched a new App Store functionality, called the privacy nutrition labels. It gives users a quick overview of the apps’ privacy practices — as in, what level of data is obtained by the app, what these details are used for, and also outlines how they may be linked to an individual. Apple’s own apps, like Apple Music, are required to show these labels; they are not exempted.
An image showing the new privacy nutrition labels feature on the Apple App Store If you are not aware, the messaging app Signal collects only your mobile number. It doesn’t link that mobile number to your identity either! If you are a WhatsApp or Telegram user, it’s time to consider switching to Signal.
Signal’s privacy nutrition labels on the App Store I am keen on seeing where things head from here!
-
Ejected into space
— Nader Dabit (@dabit3) January 30, 2021
Okay, this is me. π
-
“A Day in the Life of Your Data” by Apple
It’s a great illustration!
While the conclusion of that story is Apple-centric, with recommendation being to use their products to protect one’s privacy, the content is very true. We all must give it a read, possibly with our parents or children, to bring awareness on what’s truly happening.
It’s available here: A Day in the Life of Your Data by Apple.
Majority of these companies’ focus is on mining user data, for profit.
Choosing privacy-respecting alternatives do not have to come with a compromise.
Most think that by choosing Signal over WhatsApp, they will have to give up on connections with their friends. It’s true to some extent — I understand that network effect can be a friction, I can only hope that we consider privacy-feature-set tradeoff to make the jump. Signal is growing fast and already has basic features to get your communication going.
That’s one example.
NextDNS, ProtonMail, Tutanota, SimpleLogin are a few other privacy-respecting products that I use every day.
If you are looking for privacy-respecting choices in other categories, Privacy Tools has a great list here.
In particular, I want to note NextDNS.
There is nothing to lose by NextDNS. You will only see benefits by using such a DNS resolver, in that, your ISP (Internet Service Provider, like Airtel, Jio, Comcast) will not be able to monitor your DNS queries anymore. You will also get a great level of flexibility, like blocking ads/trackers from these data mining corporations, and like preventing unwanted content from appearing on yourΒ children’s devices.
Pi-hole is an alternative to NextDNS. It is a free, open-source software as well that you can further extend to devices on the go.
Let your change begin today!
-
Peering agreements between Backblaze and Cloudflare
I came across Brian’s comment on Backblaze reddit, where I learned of a few interesting things about how internet data traffic is billed between customers, hosts and transit partners. In particular, they explain how Backblaze and Cloudflare have peering agreements in place to enable free egress for customers. It’s great read!
The way the CloudFlare/Backblaze relationship works is that CloudFlare is very arguably big enough to be tier 1, and should be allowed to have the utterly free peering of a tier 1 provider, but they are “locked out”. They don’t get the sweet sweet deal the tier 1 providers get of running their businesses terribly and pocketing billions of dollars of profit without innovating. So normally, without contortions, if a Backblaze customer wanted to route a network packet to CloudFlare, it would flow over at least 1 of the tier 1 network providers and Backblaze and CloudFlare would both have to pay a lot of money. But here is the work-around: Backblaze is in several datacenters where CloudFlare has network cabinets (where their equipment is housed), and essentially CloudFlare and Backblaze run a network patch cable between our cabinets BYPASSING the tier 1 network, and therefore don’t have to pay the tier 1 providers to route packets between Backblaze and CloudFlare. That’s it, that’s the magic.
-
NextDNS blocks Facebook and WhatsApp requests
I love it when NextDNS actively blocks these Facebook requests. ππ½
-
Exit nodes on Tailscale
A quick screencast of what I hacked on today: setting up exit nodes on my @Tailscale network, and switching my laptop's internets between them. https://t.co/JfaF1t5MaN
— Dave Anderson (@dave_universetf) January 20, 2021
Still WIP. Still TODO: exit node picker GUI on other OSes.Exit nodes are coming soon on Tailscale! I have been waiting for this functionality for a while now. I would like to run Cloudflare Warp on a Raspberry Pi, and route all devices traffic via that Pi. Super looking forward to it!