Relay Deployment with Azure Cloud Image

Article author: Chris Todd

These instructions demonstrate how to perform the steps using the Azure Portal (portal.azure.com), but you can also use the Azure CLI or any other Azure-capable API to complete them.

We have prepared a generalized image for Azure; download it from the link below.

Download the Image

Azure Cloud 22.04, 2.07 GB (zip)

Warning: The relay listens on several ports, which must be allowed inbound at the NSG (Network Security Group) level on the VM's NIC or subnet.

Ports that need to be open are as follows:

  • Port 53 (UDP and TCP): DNS (Domain Name System) traffic. Open both protocols; clients retry over TCP when a UDP answer is truncated.
  • Port 853 (TCP): DNS over TLS (DoT) traffic.
  • Port 443 (TCP): HTTPS (Hypertext Transfer Protocol Secure) traffic.

Restrict the source of these rules to the address ranges of the clients that will use the relay. A rule whose source is "Any" or "Internet" turns the VM into an open resolver reachable from the whole Internet.
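The following script, added here as an example and not part of the original article, creates these rules with the Azure CLI (az). The resource group, NSG name and client address range are placeholders you must replace; by default it only prints the az commands so you can review them, and runs them only when APPLY_NSG_RULES=1 is set on a host where az login has been done.

```sh
#!/bin/sh
# Added example, not part of the original article: create the inbound NSG
# rules the relay needs with the Azure CLI. The resource group, NSG name and
# client address range below are assumptions; set them for your environment.
# By default the az commands are only printed; run with APPLY_NSG_RULES=1 on a
# host where "az login" has been done to execute them.

RESOURCE_GROUP="${RESOURCE_GROUP:-rg-dnsfilter-relay}"   # assumed name
NSG_NAME="${NSG_NAME:-nsg-dnsfilter-relay}"              # assumed name
# Source prefix: only the network whose clients will use the relay. "*" or
# "Internet" here would turn the VM into an open resolver.
CLIENT_PREFIXES="${CLIENT_PREFIXES:-10.0.0.0/16}"        # assumed range

# One "name|protocol|port|priority" line per rule. Port 53 needs UDP and TCP
# (clients retry over TCP when a UDP answer is truncated); 853 (DoT) and 443
# (HTTPS) are TCP only. Priorities only need to be unique within the NSG.
relay_port_rules() {
  printf '%s\n' \
    'allow-dns-udp|Udp|53|100' \
    'allow-dns-tcp|Tcp|53|110' \
    'allow-dot-tcp|Tcp|853|120' \
    'allow-https-tcp|Tcp|443|130'
}

# Build the az invocation for one rule line and print it, or run it when
# APPLY_NSG_RULES=1. Plain POSIX sh, so no arrays: the argument list is held
# in the positional parameters and never passed through eval.
nsg_rule_create() {
  spec=$1
  name=${spec%%|*};  rest=${spec#*|}
  proto=${rest%%|*}; rest=${rest#*|}
  port=${rest%%|*};  prio=${rest#*|}
  set -- az network nsg rule create \
    --resource-group "$RESOURCE_GROUP" --nsg-name "$NSG_NAME" \
    --name "$name" --priority "$prio" --direction Inbound --access Allow \
    --protocol "$proto" --source-address-prefixes "$CLIENT_PREFIXES" \
    --destination-port-ranges "$port"
  if [ "${APPLY_NSG_RULES:-0}" = "1" ]; then
    "$@"
  else
    printf '%s ' "$@"
    printf '\n'
  fi
}

# Create (or print) every rule from relay_port_rules.
apply_relay_rules() {
  relay_port_rules | while IFS= read -r spec; do
    nsg_rule_create "$spec"
  done
}

apply_relay_rules
```

The login step later in this article also needs SSH (TCP 22) from your management host; add that rule with the same narrow source prefix rather than opening it to the Internet.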

Setting up the Image

    1. Upload the VHD file using the Azure Portal.
      • Extract the VHD from the downloaded zip first; the portal expects the raw .vhd file.
      • In the Azure Portal, select Storage Accounts.
      • Select the storage account to which the Relay VHD file will be uploaded.
      • If you do not have a storage account, click Add to create one.
      • Note that the selected location will dictate where the image can be created and subsequently deployed.
    2. Under BLOB SERVICE, select Containers.
    3. Select a container to upload the VHD file to.
      • If you do not have a storage container, click Add Container to create one.
    4. Click Upload and select the Relay VHD file to upload.
      • Ensure that the Blob type is set to Page Blob; Azure can only build an image from a VHD stored as a page blob.
      This process may take a long time depending on your network connection and the location of your Azure storage account.
    5. Create an image using the Azure Portal.
      • In the Azure Portal, select Images.
      • Click Add to create a new image.
        • Give the image a name. Remember that this image is a template that will later be deployed to a virtual machine with a different name.
        • Ensure that the location is the same as the location of your storage account.
        • In the OS disk section:
          • Select Linux as the OS type.
          • Click Browse on the Storage Blob field. A new panel will list your storage accounts. Using this panel, navigate through the storage account and container to locate the VHD that was uploaded.
        • Click Create to begin the image creation process. This process typically takes minutes to complete.
        • When the process has been completed, return to the Images panel and verify that the new image was created. This image can now be used to deploy Relay virtual machines in Azure. When creating the VM, click See all images and choose My Images to find it.

Setting up the Relay

      1. Log in to the VM over SSH with the image's default credentials:
        user: dnsfilter
        password: ChangeMeNow!
      2. Change the password straight away; the default above is public, so until you do, anyone who can reach the VM's SSH port can log in:
        passwd
      3. Open the relay configuration file, /etc/relay/relay.conf, for editing (see step 4 for the values to change):
        sudo nano /etc/relay/relay.conf
      4. In relay.conf set the Secret Site Key and Name.
        Note 1: The name needs to match the deployment name set in your dashboard.
        Note 2: To save the changes made within relay.conf use ctrl+o to write out, then hit return to confirm the file name; you can then exit with ctrl+x.
      5. By default, the VM obtains its IP address with DHCP. In Azure this is fine: the private IP is leased to the VM's network interface by the Azure fabric, and you can make it permanent by setting the NIC's private IP assignment to Static in the Azure Portal (under the VM's Networking settings) rather than changing anything inside the guest. If you nevertheless want the address configured statically inside the VM, edit the netplan file as follows (Note: # comments out the line it is placed before):
        sudo nano /etc/netplan/00-installer-config.yaml
        Add a # before dhcp4: true
        Remove the #'s before the next 5 lines
        Update addresses: [192.168.1.15/24] to reflect the static IP that the machine is going to have (e.g. it would become addresses: [172.16.0.44/24])
        Update gateway4: 192.168.1.1 to the appropriate gateway of the network the machine is on (e.g. it would become gateway4: 172.16.0.1)
        The address and gateway must match what Azure assigned to the NIC; Azure will not deliver traffic to an address the NIC does not own.
      6. Save the file and run:
        sudo netplan apply
      7. Reboot the machine
      8. Verify General Connectivity:
        Run the following command to verify that the correct IP is shown (ifconfig also works if the net-tools package is installed, but it is not present on a stock 22.04 image):
        ip -4 addr
      9. Verify that a response is received by running:
        ping google.com
        If everything has gone well up until now, it’s time to start up the relay!
      10. Start the Relay containers by running:
        sudo docker start relay1 relay2
        Wait 10-20 seconds
      11. Verify the containers are running properly by running:
        sudo docker ps
        This will provide some output similar to one of the two following blocks.
        *Good* output looks like this and you can move to step 12:

        CONTAINER ID   IMAGE                   COMMAND                  CREATED      STATUS          PORTS   NAMES
        5fa41e37ecdc   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Up 12 seconds           relay2
        1d91eb21abc2   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Up 13 seconds           relay1

        *Bad* output looks like this and some troubleshooting will be required:

        CONTAINER ID   IMAGE                   COMMAND                  CREATED      STATUS                         PORTS   NAMES
        5fa41e37ecdc   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Restarting (1) 3 seconds ago           relay2
        1d91eb21abc2   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Restarting (1) 4 seconds ago           relay1

      12. If you run:
        sudo docker logs relay1
        You will receive the output of the logs for that container (relay1). The two most common errors you will see are:
        time="2022-02-23T21:53:33.355562001Z" level=fatal msg="can not auto-register agent, please verify settings or contact support, trace: invalid organization or network secret key"
        This means the secret key you've entered into the relay.conf file is invalid. Double-check that the correct value is in the file.
        time="2022-02-23T21:58:33Z" level=fatal msg="not a valid TOML config file" config=/etc/relay/relay.conf error="open /usr/local/bin/lan-proxy.conf: no such file or directory"
        This means there is a formatting error or errant character in your relay.conf file. Verify that it is nearly identical to our example file.
      13. Restart the relay using the following command:
        sudo docker restart relay1 relay2
        Re-verify that things match the good output above, and move to step 14.
      14. Verify the relay containers are doing what they're supposed to:
        nslookup -type=txt debug.dnsfilter.com 127.0.0.1 (from the VM itself)
        nslookup -type=txt debug.dnsfilter.com <internal IP address> (from another machine on the network)
        *Good* output looks something like:
        Non-authoritative answer:
        debug.dnsfilter.com text = "time=2022-02-23 22:02:45.528505065 +0000 UTC"
        debug.dnsfilter.com text = "serverid=55802"
        debug.dnsfilter.com text = "serverip=103.247.36.36"
        debug.dnsfilter.com text = "serverport=53"
        Along with multiple additional lines. Skip ahead to step 15.
        *Bad* output looks something like:
        Non-authoritative answer:
        *** Can't find debug.dnsfilter.com: No answer

        Authoritative answers can be found from:
        dnsfilter.com
                origin = amir.ns.cloudflare.com
                mail addr = dns.cloudflare.com
                serial = 2271027187
                refresh = 10000
                retry = 2400
                expire = 604800
                minimum = 3600
        If this is your output and you're certain the containers are running properly, the query was answered by some resolver other than the relay: the SOA record above is dnsfilter.com's public zone data, not the relay's debug record. The likely culprit is transparent proxying of DNS by a firewall or router between the client and the relay, and we recommend you investigate that or reach out to support.
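As an added example, not from the article or the relay image, the script below renders the netplan file for step 5 from parameters instead of commenting lines in and out, so the address and gateway cannot be left half-edited. It assumes the interface is eth0 and uses the article's example addresses; it writes nothing unless you call write_netplan. The static form uses netplan's routes: key, which replaces the older gateway4: key in the image's file (both still work on Ubuntu 22.04).

```sh
#!/bin/sh
# Added example, not part of the original article: render the netplan file for
# the VM as either DHCP (the image default) or a static address, instead of
# toggling comment markers by hand. The interface name (eth0) and addresses
# used below are assumptions; check yours with "ip -4 addr".

# render_netplan MODE IFACE [ADDRESS/PREFIX GATEWAY [DNS]]
#   MODE is "dhcp" or "static"; prints the YAML on stdout.
render_netplan() {
  mode=$1; iface=$2; addr=${3:-}; gw=${4:-}; dns=${5:-}
  case "$mode" in
    dhcp)
      cat <<EOF
network:
  version: 2
  ethernets:
    $iface:
      dhcp4: true
EOF
      ;;
    static)
      if [ -z "$addr" ] || [ -z "$gw" ]; then
        echo "render_netplan: static mode needs ADDRESS/PREFIX and GATEWAY" >&2
        return 2
      fi
      cat <<EOF
network:
  version: 2
  ethernets:
    $iface:
      dhcp4: false
      addresses: [$addr]
      routes:
        - to: default
          via: $gw
EOF
      # Optional resolver for the VM itself; omit to keep what DHCP/Azure set.
      if [ -n "$dns" ]; then
        printf '      nameservers:\n        addresses: [%s]\n' "$dns"
      fi
      ;;
    *)
      echo "render_netplan: MODE must be dhcp or static" >&2
      return 2
      ;;
  esac
}

# write_netplan MODE IFACE [...]: render into the image's netplan file
# (override with NETPLAN_FILE) with root-only permissions, which recent
# netplan releases warn about when missing. Applying is left to the operator
# ("netplan try" reverts on its own if you do not confirm).
write_netplan() {
  target=${NETPLAN_FILE:-/etc/netplan/00-installer-config.yaml}
  tmp=$(mktemp) || return 1
  if ! render_netplan "$@" > "$tmp"; then
    rm -f "$tmp"
    return 2
  fi
  chmod 600 "$tmp" && mv "$tmp" "$target"
}

# Stand-alone run: show the static rendering for the article's example values.
render_netplan static eth0 172.16.0.44/24 172.16.0.1
```

On the VM, after confirming the interface name with ip -4 addr, run sudo sh -c '. ./netplan-render.sh; write_netplan static eth0 172.16.0.44/24 172.16.0.1' (the file name is whatever you saved the script as), then sudo netplan try, which reverts after its timeout unless you confirm, and reboot as in step 7. In Azure the address must be the one assigned to the NIC in the portal; write_netplan dhcp eth0 restores the image default.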

You’re done! You can now point all appropriate machines on the network to use this VM for DNS Resolution.
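The following checker, added as an example and not part of the article or the relay product, automates steps 11 to 14: it reads docker ps, docker logs and nslookup output and reports the same good/bad verdicts the text describes. The sample inputs at the bottom are constructed from the article's example output so the script runs offline; with RELAY_CHECK_LIVE=1 on the relay VM it runs the real commands instead. The container names, image tag and log strings come from the article; the verdict keywords are this script's own.

```sh
#!/bin/sh
# Added example, not part of the original article: a checker for steps 11-14.
# Each function reads the output of the command it checks on stdin, so it can
# be exercised on the constructed samples at the bottom without Docker or a
# network. Set RELAY_CHECK_LIVE=1 on the relay VM to run it for real.

# relay_container_state: reads lines of
#   docker ps -a --format '{{.Names}} {{.Status}}'
# and prints "ok" only when relay1 and relay2 are both Up. Otherwise prints
# what is wrong and returns 1.
relay_container_state() {
  bad=0; seen=0
  while IFS= read -r line; do
    case "$line" in
      "relay1 "*|"relay2 "*) ;;          # only the two relay containers matter
      *) continue ;;
    esac
    seen=$((seen + 1))
    case "$line" in
      *" Up "*) ;;                        # e.g. "relay1 Up 13 seconds"
      *) echo "NOT RUNNING: $line"; bad=1 ;;
    esac
  done
  if [ "$seen" -ne 2 ]; then
    echo "expected relay1 and relay2, found $seen relay container(s)"
    bad=1
  fi
  [ "$bad" -eq 0 ] && echo ok
  return "$bad"
}

# relay_log_diagnosis: reads "docker logs <container>" output and maps the two
# fatal messages shown in step 12 to a keyword: bad-secret-key (fix the key in
# relay.conf), bad-config-syntax (fix the file's TOML), other-fatal, or ok.
relay_log_diagnosis() {
  verdict=ok
  while IFS= read -r line; do
    case "$line" in
      *"invalid organization or network secret key"*) verdict=bad-secret-key ;;
      *"not a valid TOML config file"*)               verdict=bad-config-syntax ;;
      *level=fatal*) [ "$verdict" = ok ] && verdict=other-fatal ;;
    esac
  done
  echo "$verdict"
  [ "$verdict" = ok ]
}

# relay_answers_debug: reads "nslookup -type=txt debug.dnsfilter.com <ip>"
# output. Only the relay's own debug record carries "serverid="; an SOA for
# dnsfilter.com means some other resolver answered the query.
relay_answers_debug() {
  text=$(cat)
  case "$text" in
    *serverid=*)   echo relay-answered; return 0 ;;
    *"origin = "*) echo answered-by-other-resolver; return 1 ;;
    *)             echo no-answer; return 1 ;;
  esac
}

# Constructed samples modelled on the article's good/bad output (not real
# captures from a relay).
SAMPLE_PS_GOOD='relay2 Up 12 seconds
relay1 Up 13 seconds'
SAMPLE_PS_BAD='relay2 Restarting (1) 3 seconds ago
relay1 Restarting (1) 4 seconds ago'
SAMPLE_LOG_BAD_KEY='time="2022-02-23T21:53:33Z" level=fatal msg="can not auto-register agent, please verify settings or contact support, trace: invalid organization or network secret key"'
SAMPLE_LOG_BAD_TOML='time="2022-02-23T21:58:33Z" level=fatal msg="not a valid TOML config file" config=/etc/relay/relay.conf'
SAMPLE_NSLOOKUP_GOOD='Non-authoritative answer:
debug.dnsfilter.com text = "serverid=55802"
debug.dnsfilter.com text = "serverport=53"'
SAMPLE_NSLOOKUP_BAD="*** Can't find debug.dnsfilter.com: No answer
Authoritative answers can be found from:
dnsfilter.com
        origin = amir.ns.cloudflare.com"

if [ "${RELAY_CHECK_LIVE:-0}" = "1" ]; then
  if ! sudo docker ps -a --format '{{.Names}} {{.Status}}' | relay_container_state; then
    for c in relay1 relay2; do
      printf '%s: ' "$c"
      sudo docker logs --tail 100 "$c" 2>&1 | relay_log_diagnosis || true
    done
  fi
  nslookup -type=txt debug.dnsfilter.com 127.0.0.1 | relay_answers_debug
else
  printf '%s\n' "$SAMPLE_PS_GOOD" | relay_container_state
  printf '%s\n' "$SAMPLE_PS_BAD" | relay_container_state || true
  printf '%s\n' "$SAMPLE_LOG_BAD_KEY" | relay_log_diagnosis || true
  printf '%s\n' "$SAMPLE_NSLOOKUP_BAD" | relay_answers_debug || true
fi
```

When run live, a bad-secret-key or bad-config-syntax verdict sends you back to step 4 and then step 13; answered-by-other-resolver with healthy containers is the transparent-proxying case from step 14.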
