Relay Deployment with Hyper-V Image

Article author
Chris Todd

Download the Image

Hyper-V image, Ubuntu 22.04, 9.9 GB (.vhdx)

Warning: The relay uses several ports that must be allowed by any network security group (NSG) or firewall in front of the VM.

Ports that need to be open are as follows:

  • Port 53: DNS (Domain Name System) queries.
  • Port 853: DNS over TLS (DoT) traffic.
  • Port 443: HTTPS (Hypertext Transfer Protocol Secure) traffic.

Once you have downloaded the image onto your machine, the following steps show you how to set it up and use it.

Creating the Relay VM

    1. Create a New Virtual Machine.
    2. Make sure to choose Generation 2.
    3. Choose to use an existing virtual hard disk and point it at the downloaded .vhdx file.
    4. To boot the relay as a Generation 2 Hyper-V virtual machine you must either switch Secure Boot off or, depending on your Hyper-V version, keep Secure Boot enabled with the Microsoft UEFI Certificate Authority template (the "Linux Secure Boot" option). Keeping Secure Boot on with the Linux template is the preferred choice, since it still verifies the boot chain.

Setting up the Relay

  1. Log in to the VM with the default credentials:
    user: dnsfilter
    password: ChangeMeNow!
  2. Change the password straight away, before the VM is reachable from the rest of the network:
    passwd
  3. Edit the relay.conf file (step 4 lists the values to set):
    sudo nano relay.conf (relay.conf in the home directory is a symbolic link to /etc/relay/relay.conf)
  4. In relay.conf (/etc/relay/relay.conf) set the Secret Site Key and the Name.
    Note 1: The name must match the deployment name set in your dashboard.
    Note 2: To save the changes in nano, press Ctrl+O to write out, press Enter to confirm the file name, then press Ctrl+X to exit.
  5. By default the system uses DHCP to obtain an IP address. That is fine as long as you create a DHCP reservation (permanent lease) in your firewall or DHCP server for the MAC address of the VM's virtual NIC, because clients will be pointed at this address for DNS and it must not change. If you would rather assign a static IP, edit the netplan configuration as follows (a # at the start of a line comments it out):
    sudo nano /etc/netplan/00-installer-config.yaml
    Add a # before dhcp4: true
    Remove the #'s before the next 5 lines
    Update addresses: [192.168.1.15/24] to the static IP the machine is going to have (e.g. addresses: [172.16.0.44/24])
    Update gateway4: 192.168.1.1 to the gateway of the network the machine is on (e.g. gateway4: 172.16.0.1). Newer netplan releases print a deprecation warning for gateway4 in favour of a default route under routes:, but the key is still accepted.
  6. Save the file and run:
    sudo netplan generate
    sudo netplan apply
  7. Reboot the machine
  8. Verify general connectivity by checking that the correct IP address is shown:
    ifconfig (or ip addr if ifconfig is not installed)
  9. Verify that a response is received by running:
    ping google.com
  10. If everything has gone well up until now, it’s time to start up the relay!
  11. Start the docker service by running the following commands:
    sudo systemctl enable docker.service
    sudo systemctl start docker.service
  12. Start the Relay containers by running:
    sudo docker start relay1 relay2
    Wait 10-20 seconds
  13. Verify the containers are running properly by running:
    sudo docker ps
    This produces output like one of the two following blocks.
    *Good* output looks like this, and you can move on to step 14:

    CONTAINER ID   IMAGE                   COMMAND                  CREATED      STATUS          PORTS   NAMES
    5fa41e37ecdc   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Up 12 seconds           relay2
    1d91eb21abc2   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Up 13 seconds           relay1

    *Bad* output looks like this, and some troubleshooting is required:

    CONTAINER ID   IMAGE                   COMMAND                  CREATED      STATUS                         PORTS   NAMES
    5fa41e37ecdc   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Restarting (1) 3 seconds ago           relay2
    1d91eb21abc2   dnsfilter/relay:0-rtt   "/go/bin/relay-linux…"   6 days ago   Restarting (1) 4 seconds ago           relay1

  14. If you run:
    sudo docker logs relay1
    you will see the logs for that container (relay1). The two most common errors are:
    time="2022-02-23T21:53:33.355562001Z" level=fatal msg="can not auto-register agent, please verify settings or contact support, trace: invalid organization or network secret key"
    This means the secret key you entered in relay.conf is invalid. Double-check that the correct value is in the file.

    time="2022-02-23T21:58:33Z" level=fatal msg="not a valid TOML config file" config=/etc/relay/relay.conf error="open /usr/local/bin/lan-proxy.conf: no such file or directory"
    This means there is a formatting error or a stray character in your relay.conf file. Compare it line by line with the example file; TOML requires string values to be double-quoted.
  15. Resolve these issues and run:
    sudo docker restart relay1 relay2
    Verify that things match the good output above, and move to step 16.
  16. Verify the relay containers are doing what they are supposed to by resolving the debug TXT record through the relay:
    nslookup -type=txt debug.dnsfilter.com 127.0.0.1 (from the VM itself)
    nslookup -type=txt debug.dnsfilter.com <internal IP address of the VM> (from another machine on the network)
    *Good* output looks something like:
    Non-authoritative answer:
    debug.dnsfilter.com text = "time=2022-02-23 22:02:45.528505065 +0000 UTC"
    debug.dnsfilter.com text = "serverid=55802"
    debug.dnsfilter.com text = "serverip=103.247.36.36"
    debug.dnsfilter.com text = "serverport=53"
    along with several additional lines. If you see this, the relay is filtering and you can skip the rest of this step.
    *Bad* output looks something like:
    Non-authoritative answer:
    *** Can't find debug.dnsfilter.com: No answer
    Authoritative answers can be found from: dnsfilter.com
        origin = amir.ns.cloudflare.com
        mail addr = dns.cloudflare.com
        serial = 2271027187
        refresh = 10000
        retry = 2400
        expire = 604800
        minimum = 3600
    If this is your output and you are certain the containers are running properly, the query is most likely never reaching the relay: a device on the path (typically a firewall or the ISP) is transparently proxying DNS, intercepting port 53 and answering from its own resolver. Investigate that device, or reach out to support.
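The checks in steps 13 to 16 are worth scripting so they can be rerun after every change to relay.conf. The following shell script is an added example, not part of the DNSFilter image or its documentation. It assumes only what the steps above state: the container names relay1 and relay2, that docker is run through sudo, and the debug.dnsfilter.com TXT lookup. The sample status, log and nslookup lines in self_test are constructed from the examples above, not captured from a live relay.

```shell
#!/bin/sh
# relay-check.sh: added example, not part of the DNSFilter image or its docs.
# Encodes the good/bad criteria from the verification steps above so they can
# be rerun after every change to relay.conf. Assumed from the article only:
# container names relay1/relay2, docker invoked via sudo, and the
# debug.dnsfilter.com TXT lookup. The sample lines in self_test are
# constructed from the article's examples, not captured from a live relay.
set -u

# Classify a container status: "Up ..." (docker ps) or "running" (docker
# inspect) is healthy; "Restarting (1) ...", "exited", "created" are not.
container_state() {
  case "$1" in
    Up*|running*) echo good ;;
    *)            echo bad ;;
  esac
}

# Map a `docker logs relayN` line to the remedy the article gives.
diagnose_log() {
  case "$1" in
    *"invalid organization or network secret key"*) echo bad-secret ;;  # fix Secret Site Key in relay.conf
    *"not a valid TOML config file"*)               echo bad-config ;;  # syntax or stray character in relay.conf
    *level=fatal*)                                   echo other-fatal ;;
    *)                                               echo ok ;;
  esac
}

# Classify `nslookup -type=txt debug.dnsfilter.com <relay ip>` output. A
# filtered answer carries serverid=/serverip= TXT records; "No answer" plus
# the zone's SOA means the query never reached the relay (transparent proxy).
answer_state() {
  case "$1" in
    *serverid=*)                 echo good ;;
    *"No answer"*|*"an't find"*) echo bad ;;
    *)                           echo unknown ;;
  esac
}

# Live check on the VM: container state, fatal log lines with a diagnosis,
# and a TXT lookup through $1 (default 127.0.0.1). Returns 1 on any failure.
live_check() {
  target="${1:-127.0.0.1}"; rc=0
  command -v docker   >/dev/null 2>&1 || { echo "docker not installed";   return 2; }
  command -v nslookup >/dev/null 2>&1 || { echo "nslookup not installed"; return 2; }
  for name in relay1 relay2; do
    if ! status=$(sudo docker inspect -f '{{.State.Status}}' "$name" 2>/dev/null); then
      echo "FAIL $name: no such container"; rc=1; continue
    fi
    if [ "$(container_state "$status")" = good ]; then
      echo "OK   $name: $status"
    else
      echo "FAIL $name: $status"; rc=1
      sudo docker logs --tail 50 "$name" 2>&1 | grep 'level=fatal' |
        while read -r line; do echo "     $(diagnose_log "$line"): $line"; done
    fi
  done
  out=$(nslookup -type=txt debug.dnsfilter.com "$target" 2>&1)
  if [ "$(answer_state "$out")" = good ]; then
    echo "OK   filtering answer received via $target"
  else
    echo "FAIL no filtering answer via $target (containers up? transparent DNS proxy in the path?)"; rc=1
  fi
  return $rc
}

# Offline self-check on constructed samples modelled on the article's output.
self_test() {
  for s in "Up 12 seconds" "running" "Restarting (1) 3 seconds ago" "exited"; do
    echo "status '$s' -> $(container_state "$s")"
  done
  echo "log -> $(diagnose_log 'level=fatal msg="can not auto-register agent ... invalid organization or network secret key"')"
  echo "log -> $(diagnose_log 'level=fatal msg="not a valid TOML config file" config=/etc/relay/relay.conf')"
  echo "txt -> $(answer_state 'debug.dnsfilter.com text = "serverid=55802"')"
  echo "txt -> $(answer_state "*** Can't find debug.dnsfilter.com: No answer")"
}

# `sh relay-check.sh run [relay-ip]` on the VM; with no arguments runs self_test.
if [ "${1:-}" = run ]; then live_check "${2:-}"; else self_test; fi
```

Run `sh relay-check.sh run` on the VM after step 12, or `sh relay-check.sh run <internal IP>` from another Linux host to reproduce the step 16 check from a client's point of view. live_check exits non-zero on any failure, so the same script can be called from cron or a monitoring agent to catch a relay that has started crash-looping after a dashboard change.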

You're done! You can now point the appropriate machines on the network at this VM for DNS resolution. Since the VM now answers DNS queries, restrict inbound port 53 at the NSG or firewall to your internal client ranges so the relay is not exposed as an open resolver.
