the itjerk

my adventures with technology

dnscrypt2

Spurred on by some recent articles, I decided to switch to dnscrypt2. It’s an improved version, supports a whole slew of things and more resovers.

This was a bit of work, because, stupidly, I disabled dns! Anyway, long story short, I followed the instructions here, and everything worked out okay. I did need to edit /etc/dnsmasq.conf because dnsmasq was also trying to use to 127.0.0.1.

desktop:~$ nslookup -type=txt debug.opendns.com
Server: 127.0.0.1
Address: 127.0.0.1#53

Non-authoritative answer:
debug.opendns.com text = "server m33.chi"
debug.opendns.com text = "flags 20 0 70 7950800000000000000"
debug.opendns.com text = "originid 0"
debug.opendns.com text = "actype 0"
debug.opendns.com text = "source 23.122.56.207:33649"
debug.opendns.com text = "dnscrypt enabled (714E7A696D657555)"

One the web:
DNScrypt

Advertisements

the big upgrade

Production website upgrades (do-release-upgrade from 14.04.5 to 16.04.4) are the most nerve-wracking ever. Being a “one-man show” means it’s all or nothing, no team to lean on, just my wits and google. Sure, I had a back-up if everything went south; yes, I had an idea everything would work; and yes, I ran into problems.

The local copy of my website needed an earlier version of php to work. That fix was easy enough, I just installed ondrej ppa for it. But I ran into a problem with the production site because I have iRedMail installed; so yes, the local copy isn’t completely like the production site. Here the problem was auth_mysql, as evidenced by sudo apache2ctl configtest. Two mods I have – awstats and cluebringer – were calling auth_mysql and preventing apache2 to load. The fix was fairly easy, apt-get install libaprutil1-dbd-mysql, and then clearing out the offending *.conf files. Thanks to iRedMail for information.

Seeing that website, email, etc live again was a good, good feeling.

A few weeks later, there were a few more things I had to tweak to get oh-so-right, but most of that was email related, and mostly non-OS related.

phpbb – new website

I have a web property, progressiverock.com, that’s been dormant ever since I rebranded my prog rock site after my book, strawberrybricks.com, a few years ago. One would think that the former URL is worth some money, but to date I have been unsuccessful in finding a buyer. So rather than just serving as a redirect to the latter URL, I decided to install phpbb and relaunch the site as a bulletin board to discuss all things prog rock and generate some brand recognition.

I use Digital Ocean for virtual hosting because it’s cheap (starting at $5/mo) and easy. The process to create a new virtual host “droplet” is simple enough: pick your choice of options (size, memory), hosting location, operating system (you can even get it pre-loaded with LAMP) and then setup the dns records. Within minutes, it was up and running as progressiverock.com.

Immediately after an apt-get update/dist-upgrade, I added some basics to the core system, like openssh server, ufw, postfix/logwatch and apticron. Most were straight forward installs, but for postfix, be sure to setup your A, MX and TX records before you start, and check your logs/errors for what to tweak; I had to add postconf compatibility and manually create the virtual alias map to clear errors I found in mail.log. I also setup sender_canonical because I just have a “no-reply” email system (for now). Also, don’t forget to set your timezone.

After configuring mysql and apache2, I added my rss feed, which needed the php-xml module installed to work. Let’s Encrypt was next, because why not — everyone should be using SSL. I also added awstats, which needed user www-data added to the adm group to correct the errors I generated by cron. The bulletin board software phpbb was quite simple to install; fortunately I remembered some basic mySQL commands to get the database setup beforehand. I then added American English as a language, and found feedpostbot, an extension that uses rss feeds to create topics — perfect for the “Album of the Day.” Forum hierarchy took a little thought, and I’m sure I’ll change it again before it all goes live. My next task is to get a new style for the site, but that my require some outside help. More later.

None of this was complicated, and most steps took but a few minutes to do. My big take away here is that log files and error messages are your friend: listen to them as they tell you exactly what to correct with your installation.

And if you want the domain progressiverock.com, make me an offer that I can’t refuse!

On the web:
phpBB • Free and Open Source Forum Software

bios, baby

I know that everyone hates updates, especially that ultra-pesky 1709 Creators update for Windows 10. But you gotta do them, just like exercising, dieting, eating healthy, etc. Please remember when an update says “DO NOT POWER OFF YOUR COMPUTER” it really means it.

Currently most every “modern” computer needs to have its BIOS updated for those also-pesky chip Spectre/Meltdown vulnerabilities. Most computer manufacturers and motherboard companies have Windows software that helps you perform a BIOS update. Apple calls these firmware, and handles the updates for you via the App Store. Just remember, these updates should be done attended, so that’s more for the itjerk to do!

google home mini

I went to Microcenter with my family to pick up a couple flash cards (free with coupon) and as soon as we walked in, we were greeted by an end-cap of Google Home Minis. A well-positioned salesperson said “I think they are still on sale for $29.95.” One of my daughters, armed with Xmas money, immediately grabbed one and started pleading with me to allow her to purchase it (she’s only 10 years old).

With out much banter, I acquiesced to both the purchase and her intended location: her bedroom. Second, older daughter also ponied up. Mind you, I sold my Google Home over the holidays because a) I just never got used to the idea that she was always listening to ALL our first floor conversations, and b) I can perform the same commands on my phone – “Okay Google, play Syd Barrett” – and send them to Chromecast Audio.
Google-Home-Mini

Not much larger than a hamburger, the Google Home Mini is quite a bargain at $29.95. According to the web, that’s just about Google’s cost for the thing. Both daughters have Nexus phones (one part of the Fi plan, the younger wifi only), so once home, they quickly downloaded the Google Home app and we began setting them up. The Mini offers my daughters a couple of things that I like: all the music they’d ever want (with a linked Spotify account), an alarm clock, and interaction with voice technology. Let’s face it, in a decade or so, our houses will have voice-controlled access to computer technology in every room. It’s such and amazing and convenient interface: “what’s the weather” or “what’s 56 times 27?” It’s also a single solution for the clock radio and the bluetooth speaker (though I wish it had a time display).

I have to admit, I kinda wanted to buy one myself, but, alas, the sale ended, and so did my desire for it. For now…

google pixel 2

With $250 off — $150 trade-in on my “warranty repaired” Nexus 5X plus $100 discount for being a Google Fi subscriber — I couldn’t resist upgrading to the Pixel 2. It’s the same size as the 5X, and honestly, not much different other than the price tag. Excellent battery life and 64GB of storage popped out instantly, as did the “swipe up” home screen, but what I like the most about it is that it’s the purest Android experience yet. And it’s not repaired. 😉

no phone

I was at a Xmas party the other afternoon, and after taking my just-over-two-year-old phone out of my front breast pocket, noticed that it was not on. I tried to turn it on, but nothing. No battery? When I got home a few hours later, I plugged it into multiple chargers, went into recovery mode, cleared the cache, tried a factory reset, but same result: wouldn’t start. I chatted Google Fi (my carrier), was transferred twice, then eventually talked to LG, the manufacturer of the LGH790, aka Nexus 5X.

Long story short, it stopped working, stuck in some kind of infinite reboot. LG offered to repair the phone for free (cross-fingers). I then went to their specific website for repairs, filled out everything (including IMEI), went back to Google to get a proof-of-purchase, printed out that and the Fedex label, and have been slowly watching it traverse its way to Texas via ground service. Estimated 8-10 business days for the repair. Over the Xmas holiday, too.

No phone and no camera. Only a computer at home and a computer at work. How do I check my Fitbit? How do I get text messages? What about that ongoing thread about the next “sniding” (record listening event)? What about my Facebook friends? How do I show off my kids’ pix?

Oh first world problems. Sure, it’s liberating not getting work email 24/7 or habitually checking my phone for… well, because that’s what we now do.

I feel anxious, though, like something’s missing. How long can this go on? Evidently much longer…

UPDATE: I received the phone back on Friday 12/22 (using Fedex’s Ship Manager to have it delivered to a local Fedex/Kinko’s). No cost to me and a perfectly new-looking phone.

LG

dnscrypt

Domain Name Service (DNS) is the mechanism by where numeric IP addresses become readable domain names; it’s far easier for me to tell you to visit strawberrybricks.com than a bunch of numbers. When you browse the internet, then, the addresses you type or click on go through a DNS search. Typically, your ISP provides this service, or whomever you get your network connection from – however there is an implicit level of trust involved. Who’s to say that yahoo.com for example, is really yahoo.com? What is the DNS server spoofed the reply? Further, any DNS server can collect a wealth of information by recording your DNS requests. Finally, the speed of your browsing is dependent on how quickly these requests are filled.

Both Google (8.8.8.8) and OpenDNS (208.67.222.222) provide free DNS services that are fast and secure, and supposedly do not track your requests. A third service, Quad9 (9.9.9.9) was very recently launched. Your ISP has a lot of information about you. Switching your DNS to one of these providers is simple (just type them in your router, or network connection), and gives some degree of privacy. Every little bit helps?

DNSCrypt goes one further by encrypting all your DNS requests. It’s an easy enough program to install, available for PC, Mac and Linux, and for routers using DD-WRT. On my Ubuntu box, I needed to install libsodium-dev first, and then was most successful installing DNSCrypt-proxy from source by using the old “configure, make, make install” method with version 1.9.5. Then, you can run it with systemd automatically.

On the web:
DNSCrypt

caa records

If you bother to read this, CAA Mandated by CA/Browser Forum you’ll learn that CAA (Certificate Authority Authorization) standard designed to prevent bad actors from creating unauthorized SSL/TLS certificates has been implemented as of September 2017. CAA records allow domain owners to specify which Certificate Authorities (CAs) are permitted to issue certificates. This is acheived by adding CAA information to your domain’s records at the host level.

Good news. My host added this functionality, and it’s a simple process to now identity who can issue an SSL certificate to your domain. In my case, it’s letsencrypt.org. Now my SSL rating has gone up. Legit.

caa

Oppo BVD-103

Yep, time to get into Blu-ray. This was mostly precipitated by the imminent arrival of a new Gentle Giant compilation, Three Piece Suite, which features 5.1 remixes of tracks from their first three records. The Oppo BVD-103 had been on my radar for a long time… so long, that it was discontinued in favor of the newer UDP-203. But the newer model doesn’t support older formats like HDCD and VCD, so I was off to find the older model.

As much as I thought it could be found for less than the newer model ($550 MSRP), the reality was that I really couldn’t find one. However, Amazon did have a few listed as “Warehouse Deals,” so purchased one for $430 that was listed in “very good” condition. I figured if it didn’t turn out OK, I would simply return it – the beauty of dealing with Amazon!

I received the player with Prime shipping the following day. It was complete with the exception of a manual (which I downloaded from the Oppo website), and the battery contacts on the remote needed a little scrubbing. Otherwise, it was in top condition, and immediately upon connecting the player to my (wired) network, it set opon upgrading its firmware — definitely a good sign. I disabled HDCD decoding on the Oppo to get those discs to play right, and went pretty much default on the other settings for the player.

In addition to providing me Blu-ray capabilities, the UDP-103 is definitely a step up from my previous Oppo universal player, which I purchased about 9 years prior. It sounds better, especially the analog output from the Oppo (which I run through my stereo system), and this funky issue I had with the output volume between digital and HDMI appears to have vanished.