    Alternative DNS Servers - no filter/censorship (buydomains.com problem)

    72 Posts 11 Posters 15.5k Views
      hda

      @MrGlasspoole:

      …
      So can somebody guide me through the ideal settings please?
      ...

      So, did you try the settings in kejianshi's reply #17? Are the results better or worse than what you have/had?

        MikeV7896

        I benchmarked my DNS options using the GRC utility. There were 43 external servers that I was able to access.

        For uncached queries, my server was only 50ms slower than the fastest alternative.
        For cached queries, there was nothing faster than a 1ms response time, since the server is local. :)

        For just 1/20th of a second of delay I'd rather know that my DNS results are coming straight from the source rather than potentially poisoned by a third-party DNS server. Like you, I also prefer to not be forwarded to a domain seller or search results if I mistype a web address.

        So with these pieces of information, I happily choose Unbound as my DNS option rather than using an external server.

        The S in IOT stands for Security

          kejianshi

          Yes - Totally agree ^

          I'd still love to hear: is there a downside to hardening glue and hardening DNSSEC?

          Seems like a great idea at first glance, but not sure if it will cost me anything?

            MrGlasspoole

            @kejianshi:

            What I told you is default, works well and is secure.  Prevents DNS tampering.  Sounds pretty ideal.

            Ok, so no adding some servers like KOM listed?
            But what about the pointing-to-modem thing (system -> routing -> gateways)?

            @johnpoz:

            Ideal settings for what network?

            For what I want to do: fast, non-filtering, non-censoring DNS.
            I have two wireless devices with DD-WRT that only act as AP and don't know what segment means.

              kejianshi

              Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

              HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)

                Trel

                @kejianshi:

                Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

                HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)

                If it's Comcast, spring for the pure modem.
                Otherwise, it takes 20 minutes on the phone with them to get it into bridged mode and it'll revert back to a gateway anytime it has a power blip.

                  MrGlasspoole

                  A pure modem is not possible because this box is the only one where you can get 3 phone numbers, and the numbers only work with this box. There are only 2 cable ISPs in Germany and both use this box.

                  Bridged mode is not possible - there is a whole thread in the German forum. Only business customers get it - for private customers it's blocked.
                  I can be happy that my connection is some years old, because new customers get IPv6 and that is only DS-Lite.

                  So others say don't point to the modem/router and you say don't mess with it and leave it as is?

                  @Trel:

                  If it's Comcast, spring for the pure modem.

                  It's one of the two German cable providers and there is no chance for a modem, because only with this box can you phone with their numbers, and they don't let you bridge.

                    firewalluser

                    @kejianshi:

                    If you go into the advanced and enable Prefetch Support and Prefetch DNS Key Support, sites you visit often will be kept warm in cache, rechecked and recached often, and won't expire.

                    Doesn't that still generate traffic patterns over and above the normal DNS patterns, creating what some would call a needle in a haystack?

                    Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                    Asch Conformity, mainly the blind leading the blind.

                      kejianshi

                      Not sure what you mean by "Needle in a haystack"

                      It will simply query the root servers for sites you visit very often instead of allowing them to age off.

                      Yes, there will be more DNS traffic, but that's not a bad thing in any way I can think of.

                        Derelict LAYER 8 Netgate

                        That's how they found Bin Laden, or so I hear.  Constant DNS cache refreshes for 72virgins.haha.sexyfun.net.

                        Chattanooga, Tennessee, USA
                        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                        Do Not Chat For Help! NO_WAN_EGRESS(TM)

                          kejianshi

                          I'll be expecting boots at my door any moment then I guess…

                          Since I couldn't find a good answer on how hardening DNSSEC and glue might impact my DNS performance, and no one answered my several posts on the subject, I just turned it on, turned on the Unwanted Reply Threshold also...

                          If it does something unwanted, I will post back - somewhere...

                            firewalluser

                            Just trying TTL 2147483647 which will generate its own operational signature.

                            https://www.ietf.org/rfc/rfc2181.txt Section 8 TTL.

                            Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                            Asch Conformity, mainly the blind leading the blind.

                              kejianshi

                              Ohhhhh. Tell me how that turns out…

                                KOM

                                Just today

                                D-Link Routers Vulnerable To DNS Hijacking

                                  kejianshi

                                  Actually anything not running DNSSEC is vulnerable to this attack:

                                  1st: Man-on-the-side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version.) Or perhaps they just redirect you to some BS crap shopping site.

                                  2nd: Once your server connects to theirs, they fake the website you were trying to visit, complete the HTTPS transaction and forward you on to the real site - via their server. Now they are the man in the middle and can read your supposedly encrypted traffic, inject packets, inject malware, whatever.

                                  So, that's pretty much 99% of web users who are vulnerable.

                                  IMHO pfSense doesn't sell itself hard enough on its security features. Not in terms average buyers can grasp anyway.

                                    Trel

                                    @kejianshi:

                                    1st: Man-on-the-side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version.) Or perhaps they just redirect you to some BS crap shopping site.

                                    Wonder if that was the case with this one: https://forum.pfsense.org/index.php?topic=87491.0

                                      kejianshi

                                      No idea - maybe.

                                        MrGlasspoole

                                        Ok, I made some screenshots of the settings I have now.

                                        @kejianshi
                                        I'm still not sure about the gateway.
                                        You said pointing to the modem is how grandmother did it: https://forum.pfsense.org/index.php?topic=87678.msg483085#msg483085
                                        But then you said: "Don't mess with the gateways".

                                        And to make sure I get it right: with these settings I get name resolving directly from the 13 root nameservers (Anycast aside)?
                                        If that's the case, then why are there alternative DNS server lists everywhere, and why is this not the default in routers from ISPs?

                                        I guess I'll change the title of this thread - maybe it helps others.

                                        (attached screenshots: Interfaces - LAN, Interfaces - WAN, Services - DNS Resolver, Services - DNS Resolver - Advanced, System - Gateways - Edit gateway, System - General Setup)

                                          Derelict LAYER 8 Netgate

                                          Name servers that return a bullshit IP address instead of NXDOMAIN for A records that don't exist are an abomination.

                                          I will be switching over to a resolver-based configuration this weekend now that I'm on 2.2.

                                          Chattanooga, Tennessee, USA
                                          A comprehensive network diagram is worth 10,000 words and 15 conference calls.
                                          DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
                                          Do Not Chat For Help! NO_WAN_EGRESS(TM)

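The behaviour Derelict complains about is the NXDOMAIN hijacking behind the thread's buydomains.com problem, and it can be checked from a script. The following is an added example, not code from this thread or from pfSense: it builds an A query for a random label that cannot exist, parses the wire-format reply, and reports whether the resolver answered NXDOMAIN (RCODE 3) or substituted an A record. The two sample packets and the 203.0.113.7 address are constructed; probe() needs network access and a resolver IP you supply.

```python
import secrets
import socket
import struct

def build_query(name, qid=0x1234):  # minimal DNS query: one A question, RD set
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN

def skip_name(pkt, off):  # offset just past a (possibly compressed) name at off
    while True:
        length = pkt[off]
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def classify_response(resp):
    """Return (verdict, a_records): 'nxdomain' for RCODE 3, 'hijacked' when an A record comes back for a name known not to exist, 'other' otherwise."""
    qid, flags, qd, an, ns, ar = struct.unpack(">HHHHHH", resp[:12])
    rcode = flags & 0x0F
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(resp, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(resp, off)
        rtype, rclass, ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in resp[off:off + 4]))
        off += rdlen
    if rcode == 3:
        return "nxdomain", addrs
    return ("hijacked" if rcode == 0 and addrs else "other"), addrs

def probe(server, tld="com", timeout=3):
    """Ask server for a random label that cannot exist; any A answer is a hijack."""
    name = f"{secrets.token_hex(8)}-nxdomain-probe.{tld}"
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return classify_response(s.recv(512))
# Constructed responses to an A query for doesnotexist.example (not captured traffic).
QUESTION = build_query("doesnotexist.example")[12:]
HONEST = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + QUESTION
HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
            + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([203, 0, 113, 7]))
```

Run probe() against your own pfSense resolver and against the ISP's servers; an honest resolver returns ('nxdomain', []), while a hijacking one returns the parking address it substitutes.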
                                            johnpoz LAYER 8 Global Moderator

                                            Well, your resolver is on all/all, which is not how I would set it up.

                                            Resolver should only listen on your LAN port, and should only talk to other DNS on your WAN.

                                            And I don't see how you expect pfSense to resolve anything - so it's not going to be able to check for updates...

                                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                                            If you get confused: Listen to the Music Play
                                            Please don't Chat/PM me for help, unless mod related
                                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.