Alternative DNS Servers - no filter/censorship (buydomains.com problem)
-
Why would anyone point their fancy pfSense router/firewall, running a nice DNS forwarder or resolver like dnsmasq or Unbound, at some BS you have no idea what it's using/doing, i.e. the DNS forwarder service running on some ISP-provided "gateway"
To give us carpal tunnel?
-
which is ideally dumbed down to a bridge instead if you cannot get rid of it altogether.
I was trying to do that by hacking it but it's not working. You can do that on the DSL routers from AVM that you can buy,
but it does not work on the custom firmware on the provider boxes. All I can do is set a port forward on the NIC to pfSense as "Exposed Host" to bypass NAT.
wish people would stop calling devices that are doing NAT modems
That's why I wrote modem/router.
So can somebody guide me through the ideal settings please?
There are so many settings in pfSense that it's overwhelming, and tutorials are rare.
All the stuff I was reading some time ago (not pfSense) did it by pointing the router to the modem. -
:'( - What I told you is default, works well and is secure. Prevents DNS tampering. Sounds pretty ideal.
-
"the ideal settings please?"
Ideal settings for what network? Every network is going to be different. Different people have different priorities and needs/wants. Your ideal setup might be completely different from mine.
What hardware are you working with? Do you only have one segment? Do you have wireless? This is quite often broken out on its own segment, while other users would say that is less than ideal.
What connection do you have, cable/DSL? Are you on PPPoE? I would think pretty much everyone in networking would agree that doing a double NAT like you have is less than ideal. That is for sure.
What you run for DNS is going to depend on your desires/requirements. For many a forwarder is fine; for others it's useless, they want to do their own queries to the owning servers and have support for DNSSEC, etc. etc.
-
…
So can somebody guide me through the ideal settings please?
...So, did you try the settings in kejianshi's reply #17? Are the results better or worse than what you have/had?
-
I benchmarked my DNS options using the GRC utility. There were 43 external servers that I was able to access.
For uncached queries, my server was only 50ms slower than the fastest alternative.
For cached queries, there was nothing faster than a 1ms response time, since the server is local. :)
For just 1/20th of a second of delay I'd rather know that my DNS results are coming straight from the source rather than potentially poisoned by a third-party DNS server. Like you, I also prefer to not be forwarded to a domain seller or search results if I mistype a web address.
So with these pieces of information, I happily choose Unbound as my DNS option rather than using an external server.
-
Yes - Totally agree ^
I'd still love to hear, is there a downside to hardening glue and hardening DNSSEC.
Seems like a great idea at first glance, but I'm not sure if it will cost me anything?
-
What I told you is default, works well and is secure. Prevents DNS tampering. Sounds pretty ideal.
Ok, so no adding some servers like KOM listed?
But what about the pointing-to-modem thing (system -> routing -> gateways)?
Ideal settings for what network?
For what I want to do: fast, non-filtering/non-censoring DNS.
I have two wireless devices with DD-WRT that only act as APs, and I don't know what segment means. -
Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.
HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)
-
Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.
HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)
If it's Comcast, spring for the pure modem.
Otherwise, it takes 20 minutes on the phone with them to get it into bridged mode and it'll revert back to a gateway anytime it has a power blip. -
A pure modem is not possible because this box is the only one where you can get 3 phone numbers, and the numbers only work with this box.
There are only 2 cable ISPs in Germany and both use this box.
Bridged mode is not possible; there is a whole thread in the German forum.
Only business customers get it; for private customers it's blocked.
I can be happy that my connection is some years old, because new customers get IPv6 and that is only DS-Lite.
So others say don't point to the modem/router, and you say don't mess with it and leave it as is?
If it's Comcast, spring for the pure modem.
It's one of the two German cable providers and there is no chance for a modem, because only with this box can you phone with their numbers, and they don't let you bridge. -
If you go into the advanced settings and enable Prefetch Support and Prefetch DNS Key Support, sites you visit often will be kept warm in cache, rechecked and recached often, and won't expire.
Doesn't that still generate traffic patterns over and above the normal DNS patterns, creating what some would call a needle in a haystack?
-
Not sure what you mean by "needle in a haystack".
It will simply query the root servers for sites you visit very often instead of allowing them to age off.
Yes, there will be more DNS traffic, but that's not a bad thing in any way I can think of.
-
That's how they found Bin Laden, or so I hear. Constant DNS cache refreshes for 72virgins.haha.sexyfun.net.
-
I'll be expecting boots at my door any moment then I guess…
Since I couldn't find a good answer on how hardening DNSSEC and glue might impact my DNS performance, and no one answered my several posts on the subject, I just turned it on, turned on the Unwanted Reply Threshold also...
If it does something unwanted, I will post back - somewhere...
-
Just trying TTL 2147483647 which will generate its own operational signature.
https://www.ietf.org/rfc/rfc2181.txt Section 8 TTL.
-
Ohhhhh. Tell me how that turns out…
-
Just today
-
Actually anything not running DNSSEC is vulnerable to this attack:
1st: Man-on-the-side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version.) Or perhaps they just redirect you to some BS crap shopping site.
2nd: Once your server connects to theirs, they fake the website you were trying to visit, complete the HTTPS transaction and forward you on to the real site via their server. Now they are the man in the middle and can read your supposedly encrypted traffic, inject packets, inject malware, whatever.
So that's pretty much 99% of web users who are vulnerable.
IMHO pfSense doesn't sell itself hard enough on its security features. Not in terms the average buyer can grasp, anyway.
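Added example, not from this thread and not pfSense or Unbound code: a small Python model of what the Unwanted Reply Threshold mentioned earlier counts, and of why the spoofed-response race described above is what it is meant to catch. A reply is accepted only when its transaction ID, destination port and question match a query still in flight; a reply with a guessed ID, a wrong port or one arriving after the real answer is counted as unwanted, and crossing the threshold is the signal that makes the resolver flush its cache. The packet bytes, names and ports are constructed inline.

```python
import struct

# Tiny model of the spoof counter behind Unbound's unwanted-reply-threshold.
# A reply is wanted only if ID, port and question match a query in flight.

def build_msg(txid, qname, is_response, rdata=None):
    """Build a minimal DNS A query/answer (constructed sample traffic)."""
    flags = 0x8180 if is_response else 0x0100
    hdr = struct.pack("!HHHHHH", txid, flags, 1, 1 if rdata else 0, 0, 0)
    q = b"".join(bytes([len(p)]) + p.encode() for p in qname.split("."))
    q += b"\x00" + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    ans = b""
    if rdata:                                         # name pointer to offset 12
        ans = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
        ans += bytes(int(o) for o in rdata.split("."))
    return hdr + q + ans

def parse_msg(msg):
    """Return (txid, is_response, qname) from the header and question."""
    txid, flags = struct.unpack("!HH", msg[:4])
    off, labels = 12, []
    while msg[off]:
        n = msg[off]
        labels.append(msg[off + 1:off + 1 + n].decode())
        off += n + 1
    return txid, bool(flags & 0x8000), ".".join(labels)

class ReplyTracker:
    def __init__(self, threshold):
        self.threshold = threshold
        self.outstanding = set()   # (src port, txid, qname) of queries in flight
        self.unwanted = 0

    def sent(self, src_port, msg):
        txid, _, qname = parse_msg(msg)
        self.outstanding.add((src_port, txid, qname))

    def received(self, dst_port, msg):
        """True if the reply matches an in-flight query; else count it as unwanted."""
        txid, is_resp, qname = parse_msg(msg)
        key = (dst_port, txid, qname)
        if is_resp and key in self.outstanding:
            self.outstanding.discard(key)
            return True
        self.unwanted += 1
        return False

    def tripped(self):
        """A resolver flushes its cache once the counter crosses the threshold."""
        return self.unwanted >= self.threshold
```

In the real resolver the same idea is what makes random source ports and transaction IDs matter: the attacker has to guess both before the genuine answer lands, and every miss is counted.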
-
1st Man on the side attack where you someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (Thats the really evil version) or perhaps they just redirect you to some BS crap shopping site.
Wonder if that was the case with this one: https://forum.pfsense.org/index.php?topic=87491.0