Netgate Discussion Forum

    Seems that hacker is inserting a foreign DNS into my computer, how to remove it?

    Firewalling
    30 Posts 7 Posters 2.2k Views
    • JKnottJ
      JKnott @Firewalldude89
      last edited by

      @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

      There is often a secondary IPv6 address, which seems to be from hacker. Can Link Local IPv6 work
      or what else?

      ????

      Where are you seeing the link local address? Every IPv6 capable device has one. However, given they're not routable, they'd be pretty much useless for an attacker.

      PfSense running on Qotom mini PC
      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
      UniFi AC-Lite access point

      I haven't lost my mind. It's around here...somewhere...

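The point made in the reply above, that every IPv6-capable interface carries a link-local address that cannot be routed, can be checked against interface output. This is an added example, not part of the original post: the `ifconfig` text is constructed, the function names are hypothetical, and the documentation prefix 2001:db8::/32 stands in for a real global address.

```python
import ipaddress
import re

# Constructed sample in FreeBSD/pfSense `ifconfig` style (not from the thread).
SAMPLE_IFCONFIG = """\
igb0: flags=8863<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.168.1.1 netmask 0xffffff00 broadcast 192.168.1.255
    inet6 fe80::20d:b9ff:fe12:3456%igb0 prefixlen 64 scopeid 0x1
    inet6 2001:db8:10:1::1 prefixlen 64
    inet6 fd12:3456:789a:1::1 prefixlen 64
"""

# (prefix, scope name, can be reached across the Internet)
SCOPES = [
    (ipaddress.ip_network("fe80::/10"), "link-local", False),
    (ipaddress.ip_network("fc00::/7"), "unique-local", False),
    (ipaddress.ip_network("2000::/3"), "global-unicast", True),
]


def classify(addr_text):
    """Return (scope, internet_routable) for one IPv6 address string."""
    # Drop the zone suffix (e.g. %igb0) that ifconfig appends to link-local addresses.
    addr = ipaddress.IPv6Address(addr_text.split("%")[0])
    for net, scope, routable in SCOPES:
        if addr in net:
            return scope, routable
    return "other", False


def inet6_addresses(ifconfig_text):
    """Return (interface, address, scope, internet_routable) for each inet6 line."""
    results, iface = [], None
    for line in ifconfig_text.splitlines():
        m = re.match(r"^(\S+): flags=", line)
        if m:
            iface = m.group(1)
            continue
        m = re.match(r"^\s+inet6 (\S+) ", line)
        if m:
            scope, routable = classify(m.group(1))
            results.append((iface, m.group(1).split("%")[0], scope, routable))
    return results


if __name__ == "__main__":
    for iface, addr, scope, routable in inet6_addresses(SAMPLE_IFCONFIG):
        print(f"{iface:6} {addr:28} {scope:15} internet-routable={routable}")
```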
      • F
        Firewalldude89 @johnpoz
        last edited by

        @johnpoz It shows me a login page but it stalls.

        • M
          michmoor LAYER 8 Rebel Alliance @Firewalldude89
          last edited by

          @Netgate1100guy turn off the firewall and keep it off for 9 days. That should solve it. Come back and let us know if that works.
          Also, as a last resort try turning off the cable modem just in case. You should be clear from the hacker after that. Worked for me

          Firewall: NetGate,Palo Alto-VM,Juniper SRX
          Routing: Juniper, Arista, Cisco
          Switching: Juniper, Arista, Cisco
          Wireless: Unifi, Aruba IAP
          JNCIP,CCNP Enterprise

          • johnpozJ
            johnpoz LAYER 8 Global Moderator @Firewalldude89
            last edited by

            @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

            It shows me a login page but it stalls.

            Stalls? If pfsense has no working dns then yes the login page can be very slow.. From what you posted before - pfsense has only an actual IP on 1 interface - so hard to imagine that it would have working dns.. So yeah the login is prob going to be very slow.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • R
              rcoleman-netgate Netgate @Firewalldude89
              last edited by rcoleman-netgate

              @Netgate1100guy said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

              @johnpoz It shows me a login page but it stalls.

              Connect via the console.

              Tell your 1100 to reboot.

              Attempt a GUI login again.

              Does the console report any errors?

              However, as @johnpoz notes, if your WAN isn't connected or your DNS upstream isn't working, pages can take some time to load. Loading the initial dashboard from the LAN can also take time, but other pages afterwards are quick to load.

              Try loading a subpage after logging in from your URL history. This is how I bypass the 30-second wait.

              Ryan
              Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
              Requesting firmware for your Netgate device? https://go.netgate.com
              Switching: Mikrotik, Netgear, Extreme
              Wireless: Aruba, Ubiquiti

              • R
                rcoleman-netgate Netgate @michmoor
                last edited by

                @michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                You should be clear from the hacker after that. Worked for me

                Not helpful...

                Ryan
                Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                Requesting firmware for your Netgate device? https://go.netgate.com
                Switching: Mikrotik, Netgear, Extreme
                Wireless: Aruba, Ubiquiti

                • M
                  michmoor LAYER 8 Rebel Alliance @rcoleman-netgate
                  last edited by michmoor

                  @rcoleman-netgate There is seeking help and then there is trolling. We crossed that boundary several posts ago. If there is no attempt by the OP to seek assistance then how is my attempt at helping any different than others? Plus they stopped responding.

                  Firewall: NetGate,Palo Alto-VM,Juniper SRX
                  Routing: Juniper, Arista, Cisco
                  Switching: Juniper, Arista, Cisco
                  Wireless: Unifi, Aruba IAP
                  JNCIP,CCNP Enterprise

                  • R
                    rcoleman-netgate Netgate @michmoor
                    last edited by

                    @michmoor said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                    We crossed that boundary several posts ago.

                    Then you can walk away and turn off notifications on the post.

                    Ryan
                    Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                    Requesting firmware for your Netgate device? https://go.netgate.com
                    Switching: Mikrotik, Netgear, Extreme
                    Wireless: Aruba, Ubiquiti

                    • M
                      michmoor LAYER 8 Rebel Alliance @rcoleman-netgate
                      last edited by

                      @rcoleman-netgate that's a great option.

                      Firewall: NetGate,Palo Alto-VM,Juniper SRX
                      Routing: Juniper, Arista, Cisco
                      Switching: Juniper, Arista, Cisco
                      Wireless: Unifi, Aruba IAP
                      JNCIP,CCNP Enterprise

                      • F
                        Firewalldude89
                        last edited by

                        Hi all, I can now log into admin site on web and it is better now.
                        Link Local for IPv6 seems to be great and can make a hacker intrusion much less likely.

                        A few simple questions:

                        On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
                        which of them? Because I have often blocked myself actually and maybe that's because of interface enabled
                        for both LAN and WAN..

                        I have accepted that SSL Inspection or Interception is not that necessary or ideal for blocking a hacker,
                        seems that fine tuned Snort and Suricata settings are far more important.
                        SSL Inspection is used for only clients connected to the LAN network, but not for anyone from the outside,
                        incoming from the web? Is SSL Inspection useless for stopping hackers?

                        What other packages are important for blocking hackers? How can I for example block DoS and DDoS attacks?

                        • R
                          rcoleman-netgate Netgate @Firewalldude89
                          last edited by

                          @Firewalldude89 said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                          On Suricata and Snort, should I enable interface for both LAN and WAN or just one of them,
                          which of them? Because I have often blocked myself actually and maybe that's because of interface enabled
                          for both LAN and WAN..

                          Best to post this type of question in the IDS/IPS section.

                          Ryan
                          Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
                          Requesting firmware for your Netgate device? https://go.netgate.com
                          Switching: Mikrotik, Netgear, Extreme
                          Wireless: Aruba, Ubiquiti

                          • GertjanG
                            Gertjan @Firewalldude89
                            last edited by Gertjan

                            @Firewalldude89 said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                            How can I for example block DoS and DDoS attacks?

                            On your side? Nothing to do, the default hidden WAN firewall rule is the one rule that will do it all: it blocks all and everything.
                            The only traffic that passes = comes in - is traffic initiated from behind the firewall, like for example a LAN based device.

                            But, as we can compare this to the good old phone network: can you stop someone (or even the entire planet) from calling you?
                            No, of course not.
                            If many, like thousands, try to connect to your WAN, they will all find themselves before a closed door. They will manage to do just one thing : your down stream 'pipe' is full with these access requests. So, no more data comes in - the pipe is full, and no more data gets out, as the pipe is full.
                            And that's what a DOS or DDOS is all about : stopping your Internet access.
                            And yes, it's known that the firewall just 'gives up' (goes 'down').

                            The only thing you can do against DOS/DDOS is : be good friends with your ISP, so they can block traffic for you, way upstream.
                            Next best solution: the little boys solution: who has the biggest pipe? Like: if your WAN upstream / downstream is 100 Gbits / sec then a 'miserable' (still consequent) 10 Gbit sec DOS/DDOS won't even be noticed by you.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

                            • M
                              michmoor LAYER 8 Rebel Alliance @Gertjan
                              last edited by

                              @Gertjan said in Seems that hacker is inserting a foreign DNS into my computer, how to remove it?:

                              Like: if your WAN upstream / downstream is 100 Gbits / sec then a 'miserable' (still consequent) 10 Gbit sec DOS/DDOS won't even be noticed by you.

                              The only caveat I would add is that the resource utilization of the firewall will be impacted. As far as I am aware there are no built-in protections to protect the firewall (pfSense) itself from resource exhaustion if a ddos attack occurs.
                              Typically there are "Zone Protection" features in other products that limit the amount of SYNs or UDPs that are allowed.
                              Otherwise inter-vlan traffic on the firewall will be impacted because of a ddos on the WAN.

                              Firewall: NetGate,Palo Alto-VM,Juniper SRX
                              Routing: Juniper, Arista, Cisco
                              Switching: Juniper, Arista, Cisco
                              Wireless: Unifi, Aruba IAP
                              JNCIP,CCNP Enterprise

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.