Alternative DNS Servers - no filter/censorship (buydomains.com problem)



  • Hi,

    I had this now 4 times that some sites did not work correctly (e.g. PayPal) or did not get fully loaded, and when this happens
    some sites get redirected to buydomains.com.

    The first 3 times I had alerts and blocks in Snort:

    #(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
    gen_id 120, sig_id 9

    #(smtp) Attempted response buffer overflow
    gen_id 124, sig_id 3


    After adding these to suppress, I had to restart pfSense - just a Snort restart did not help.

    Now I had it again that some sites did not fully load, and I saw in the Firefox status bar that
    in the background Firefox was trying to load buydomains.com.
    There was nothing in Snort this time, and after a pfSense restart everything was working again.

    How can I figure out what the problem is, and where does buydomains.com come from?



  • Some crap browser add-on or search "helper" adware, probably in a toolbar, perhaps included in some "cool" software you downloaded online from some sketchy site.



  • Hm, and that would affect all computers in the house?
    And restarting pfSense would then correct the problem?

    And before I realized that all computers are affected, the first time this happened I made a scan
    with: adwCleaner, Junkware Removal Tool and Malwarebytes Anti-Malware…



  • No - Definitely should not hit every computer in the house.

    Sounds like a DNS issue.  Where are you getting DNS from?



  • The settings in pfSense are:

    212.82.225.7 GW_WAN - wan - 10.0.0.1
    212.82.226.212 GW_WAN - wan - 10.0.0.1
    80.69.100.206 GW_WAN - wan - 10.0.0.1

    The first two are from https://www.wikileaks.org/wiki/Alternative_DNS/de and the last one is from my provider.

    My cable modem/router in front of pfSense is getting two DNS servers automatically from my provider.
    But the ones from my modem/router shouldn't be used, right?

    IP cable modem/router: 10.0.0.1
    IP pfSense WAN: 10.0.0.3
    IP pfSense LAN: 192.168.0.1

    The cable modem/router is set in port forward to "Exposed Host to 10.0.0.3" and DHCP is off, so it should work just as a modem.

    The computers' "Default Gateway" and "DNS Server" are set to 192.168.0.1



  • I have an idea - Since you are obviously worried enough to want to make sure your DNS isn't getting tampered with, why not tell pfSense to be your resolver?

    Upgrade to 2.2, turn off DNS forwarder, turn on DNS resolver, remove all those DNS server IPs from your list, do not allow DNS on WAN to override your DNS list.  Turn on DNSSEC and see if your problems go away?

    (You may still need to flush the DNS cache on your LAN machines one time after that)



  • I'm already on 2.2 and DNS forwarder is already off and DNS resolver on (I use the resolver for my local domains).

    But where do I place the alternative DNS servers I want to use?
    And what is the difference between a normal setup (like it is now) and the resolver thing?



  • You don't place any alternative servers anywhere.
    Go into DNS Resolver and turn on DNSSEC if you haven't.

    Then check each one of the clients' Ethernet adapter settings for IPv4 and IPv6 and make sure they get DNS and IP automatically.

    Then flush your DNS cache on all your machines (Windows I presume):

    right-click the cmd tool, open it as admin, type  ipconfig /flushdns  and hit Enter.

    In the past I have also seen people using free firewall/AV having their DNS redirected "for their safety".


  • @kejianshi:

    No - Definitely should not hit every computer in the house.
    Sounds like a DNS issue.  Where are you getting DNS from?

    Very much possible with a hacked cable modem. Stop pointing your DNS to the cable modem in the first place.



  • @kejianshi:

    You don't place any alternative servers anywhere.

    If I don't add the DNS name servers I want to use, how do I use them???

    The reasons to use other DNS servers than the ones you get from your provider are:
    1. No content filter
    2. Maybe faster

    @kejianshi:

    Then check each one of the clients' Ethernet adapter settings for IPv4 and IPv6 and make sure they get DNS and IP automatically.

    Why should I do that if I don't want to use DHCP and want all my computers, consoles and microcontrollers to have fixed IPs?

    @doktornotor:

    Very much possible with a hacked cable modem. Stop pointing your DNS to the cable modem in the first place.

    The cable modem/router is getting its firmware updates from the provider and you can't do anything about that.
    I guess the box is safe, as it's the only one you can use with this provider (you get it from them) and it only works in your house.
    It's a FritzBox 6360: http://avm.de/produkte/fritzbox/fritzbox-6360-cable/
    You can't buy it; you only get it from 2 providers.

    If the cable modem were hacked, then I guess a pfSense restart would not solve the problem?

    What do you mean by "Stop pointing your DNS to cable modem in the first place."?

    I had it working like that with my old Asus Dark Knight and Tomato for a long time.



  • What do you mean by "Stop pointing your DNS to cable modem in the first place."

    He means don't use your cable modem as DNS.  Use something external that is unlikely to be fiddled with, like Google DNS, Level3 or OpenDNS.  Your cable modem will be programmed to use your ISP's DNS, and some shady ISPs will do DNS injection, 404 redirection to serve ads, and other tricks.  What's interesting is that people have been complaining about being redirected to buydomains.com for like the past 10+ years now, and it was usually browser malware that caused it.
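    A quick way to test the "DNS injection" point above from a client on the LAN, as an added example (not code from this thread or from pfSense): a stdlib-only Python client that asks one resolver about a random hostname that cannot exist. An honest resolver answers NXDOMAIN; a resolver or ISP "search helper" that parks unknown names hands back an A record instead, which is exactly how a browser ends up loading buydomains.com in the background. The resolver addresses are the ones named in the thread (pfSense LAN, the cable gateway, Google); the "-does-not-exist.com" suffix and the 2 s timeout are my own assumptions.

```python
import os
import socket
import struct

def build_query(name: str, txid: int) -> bytes:
    """Standard query, RD=1, one question of type A / class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data: bytes, pos: int) -> int:
    """Advance past a (possibly compressed) domain name in a DNS message."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # compression pointer: 2 bytes, then done
            return pos + 2
        pos += length + 1

def parse_response(data: bytes, txid: int) -> tuple:
    """Return (rcode, [IPv4 answers]); raises if the txid does not match."""
    rid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch (spoofed or stray reply)")
    rcode, pos = flags & 0x0F, 12
    for _ in range(qd):  # skip the question section
        pos = _skip_name(data, pos) + 4
    answers = []
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            answers.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return rcode, answers

def classify(rcode: int, answers: list) -> str:
    """NXDOMAIN for a random name is honest; any A record means a redirect."""
    if rcode == 3 and not answers:
        return "honest"
    if answers:
        return "hijacked"
    return "unexpected"

def probe(server: str, timeout: float = 2.0) -> str:
    """Ask `server` about a random label that cannot exist; returns classify()."""
    name = os.urandom(6).hex() + "-does-not-exist.com"  # random, so never cached
    txid = int.from_bytes(os.urandom(2), "big")
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name, txid), (server, 53))
        data, _ = s.recvfrom(512)
    return classify(*parse_response(data, txid))

if __name__ == "__main__":  # resolvers named in the thread, plus a public one
    for srv in ("192.168.0.1", "10.0.0.1", "8.8.8.8"):
        print(srv, probe(srv))
```

    Run it a few times while the problem is happening: if only 10.0.0.1 (or only 192.168.0.1 until pfSense is restarted) comes back "hijacked", that narrows the fault to that resolver rather than to the browsers.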



  • 3. You don't have to use Lizard Squad's advertisers via DNS redirects. Although it's not specifically mentioned, there's no reason why LS couldn't if they thought about it; we just don't know….
    http://www.techweekeurope.co.uk/networks/lizard-squad-home-routers-ddos-159281?PageSpeed=noscript


  • @MrGlasspoole:

    It's a FritzBox 6360: http://avm.de/produkte/fritzbox/fritzbox-6360-cable/
    You can't buy it and you only get it from 2 providers.

    Great shame you cannot buy it, considering features like this nifty unauthenticated command injection :D

    @MrGlasspoole:

    What do you mean by "Stop pointing your DNS to cable modem in the first place."

    ^That ;)



  • It's become recently apparent to me that as long as you keep using those sorts of non-DNSSEC-compliant DNS servers you will continue to be vulnerable to having your DNS jacked.  So, consider using them as bad.  So, if it's bad, no matter how much you like it, you shouldn't use it, right?



  • @KOM:

    He means don't use your cable modem as DNS.  Use something external that is unlikely to be fiddled with, like Google DNS, Level3 or OpenDNS.  Your cable modem will be programmed to use your ISP's DNS, and some shady ISPs will do DNS injection, 404 redirection to serve ads, and other tricks etc

    I'm totally confused now. Isn't that what I'm doing/trying to do?

    I add the DNS servers to System > General Setup and point the computers to pfSense (192.168.0.1).



  • See, there are 2 directions to go with unbound.

    1. Let unbound work in resolver + DNSSEC mode using just the root internet servers.  No server list anywhere.  Yes, it's super nice.  No, it won't stop your kid from trying to find nude pics of their favorite model.

    2. Put unbound in forwarder mode and let it work with the list of servers you put in System > General.  Depending on whether the servers in the list are DNSSEC compliant, you may get to use DNSSEC.  If not, then you can't.  Yes, this may help you control content and prevent someone from seeing Miss July, or it may also allow your DNS to get jacked with in a way you were not expecting.

    You probably shouldn't be mixing these two on pfSense.

    What I might do if it were me is keep unbound in resolver mode + DNSSEC so the vast majority of the network gets unmolested DNS, and go to the kid's machine and manually enter the DNS server IP of your choice into the adapter settings to prevent that one machine from being used to find the dimensions of Miss July.



  • There are no kids and I don't want to filter anything by DNS servers.
    All I want to do is make sure I use DNS name servers that are not filtering or censoring
    and that are fast.

    That whole DNS thing and all the settings in pfSense are confusing  :(



  • My god.  Then your settings are super simple.

    Go to System > General

    Delete all your server IPs.

    Uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN".

    Uncheck "Do not use the DNS Forwarder as a DNS server for the firewall".

    Save.

    Then go to DNS Forwarder and make sure it's off.  Save.

    Then go to DNS Resolver and make sure it's on.
    Turn on DNSSEC.

    Save.

    Now you should have raw, untampered, unmolested DNS from the root servers.



  • I add the DNS Servers to system > general setup and point the computers to pfSense (192.168.0.1)

    That's correct, but what is your pfSense pointing to?  Probably your gateway, which is your cable modem, or IP address(es) supplied by your ISP.  Don't use those.  Use external 3rd-party DNS from a list such as this:

    Free & Public DNS Servers (Updated January 2015)

    Provider            Primary DNS       Secondary DNS
    Level3              209.244.0.3       209.244.0.4
    Google              8.8.8.8           8.8.4.4
    DNS.WATCH           84.200.69.80      84.200.70.40
    Comodo Secure DNS   8.26.56.26        8.20.247.20
    OpenDNS Home        208.67.222.222    208.67.220.220
    DNS Advantage       156.154.70.1      156.154.71.1
    Norton ConnectSafe  199.85.126.10     199.85.127.10
    GreenTeamDNS        81.218.119.11     209.88.198.133
    SafeDNS             195.46.39.39      195.46.39.40
    OpenNIC             107.150.40.234    50.116.23.211
    SmartViper          208.76.50.50      208.76.51.51
    Dyn                 216.146.35.35     216.146.36.36
    FreeDNS             37.235.1.174      37.235.1.177
    censurfridns.dk     89.233.43.71      91.239.100.100
    Hurricane Electric  74.82.42.42
    puntCAT             109.69.8.51



  • @kejianshi:

    My god.  Then your settings are super simple.

    But that is what I already explained in the beginning.
    But I don't get how this makes sure you get the fastest DNS server.
    Tutorials say you should pick one near your location, and there is:
    https://code.google.com/p/namebench/
    and
    https://www.grc.com/dns/benchmark.htm

    @KOM:

    That's correct, but what is your pfSense pointing to?  Probably your gateway which is your cable modem, or IP address(es) supplied by your ISP.

    Is that not what you normally do - point your router to the modem?
    Some years ago I used Windows Server as a router and did it the same way:
    Modem (10.0.0.1) <-> Win Server NIC1 WAN (10.0.0.2) - Win Server NIC2 LAN (192.168.0.1)

    Also it worked that way with my old Asus router with Tomato firmware.

    And that's different from what kejianshi is suggesting.

    Are you talking about System -> Routing -> Gateways (Gateway IP address)?
    There you add only one external 3rd-party DNS, and in "System > General Setup" the others?
    Is there something wrong with the https://www.wikileaks.org/wiki/Alternative_DNS list?

    @doktornotor:

    As a side note: DNS hijacking flaw in ZynOS-based routers.

    If my cable modem/router has a problem, then why does the problem go away after a pfSense restart?
    Also, there is nothing I can do about it if the modem has a problem.
    You have to wait for the automatic update from the provider.
    I only use this device as a modem because DECT and WLAN are bad, there is not much control and you can't add
    your own VoIP numbers. You can use it only with the numbers from the ISP.


  • @MrGlasspoole:

    Is that not what you normally do - point your router to the modem?

    No, that's what I never ever do. Definitely never ever with any of this completely unmaintained ISP-provided POS (which is ideally dumbed down to a bridge instead if you cannot get rid of it altogether.)



  • "But i don't get how this makes sure you get the fastest DNS server" - It will be super fast.  Only the 1st request to a page will require a look at the root servers.  The answer to the request will be cached (saved in memory).  From then on, the answers will come directly from pfSense.  It will take 1ms.  If you go into the advanced settings and enable Prefetch Support and Prefetch DNS Key Support, sites you visit often will be kept warm in cache, rechecked and recached often, and won't expire.  You will have a fast, fast resolver.

    "Is that not what you normally do - point your router to the modem?"
    Yes - If you are my grandmother…  There is a difference between "simple" and "optimal".
    And isn't your DNS getting spoofed with that setting?  The answer should be obvious by now.


  • Maybe it's just me, but I wish people would stop calling devices that are doing NAT modems ;)  It's not a "modem" if it's doing NAT.. It's a gateway if it's doing modem/router functions..

    A modem is just a dumb device that converts media type..  Modems don't provide DNS or DHCP services, etc..

    Why would anyone point their fancy pfSense router/firewall, running a nice DNS forwarder or resolver like dnsmasq or unbound, to some BS DNS forwarder service running on some ISP-provided "gateway" when you have no idea what it's using/doing?



  • Is that not what you normally do - point your router to the modem?

    In the context of DNS, yes, this is what most home users do, and it used to be perfectly OK.  Used to.  Now you're better off using an external DNS.  I've found that Google is often faster than my local ISP, and they aren't fiddling like some ISPs.  However, being Google, they're likely tracking and analyzing all the DNS requests.  If that bothers you, try another free DNS.



  • @johnpoz:

    Why would anyone point their fancy pfsense router/firewall running nice dns forwarder or resolver like dnsmasq or unbound to some BS you have no idea what its using/doing of the dns forwarder service running on some isp provided "gateway"

    To give us carpal tunnel?



  • @doktornotor:

    which is ideally dumbed down to a bridge instead if you cannot get rid of it altogether.

    I was trying to do that with hacking, but it's not working. You can do that on the DSL routers from AVM you can buy,
    but it does not work on the custom firmware on the provider boxes.

    All I can do is set the port forward on the NIC to pfSense to "Exposed Host" to bypass NAT.

    @johnpoz:

    wish people would stop calling devices that are doing NAT modems

    That's why I wrote modem/router.

    So can somebody guide me through the ideal settings please?
    There are so many settings in pfSense that it's overwhelming, and tutorials are rare.
    All the stuff I was reading some time ago (not pfSense) was doing it the way with pointing the router to the modem.



  • :'( - What I told you is default, works well and is secure.  Prevents DNS tampering.  Sounds pretty ideal.


  • "the ideal settings please?"

    Ideal settings for what network?  Every network is going to be different.  Different people have different priorities, needs/wants.  Your ideal setup might be completely different from mine.

    What hardware are you working with?  Do you only have 1 segment?  Do you have wireless - this is quite often broken out on its own segment..  While other users would say that is less than ideal..

    What connection do you have, cable/DSL - are you on PPPoE?  I would think pretty much everyone in networking would agree that doing a double NAT like you have is less than ideal.. That is for sure.

    What you run for DNS is going to depend on your desires/requirements.  For many a forwarder is fine - for others it's useless; they want to do their own queries to the owning servers and support for DNSSEC, etc. etc.



  • @MrGlasspoole:

    So can somebody guide me through the ideal settings please?
    ...

    So, did you try the settings of kejianshi's reply #17?  Are the results better or worse than what you have/had?



  • I benchmarked my DNS options using the GRC utility. There were 43 external servers that I was able to access.

    For uncached queries, my server was only 50ms slower than the fastest alternative.
    For cached queries, there was nothing faster than a 1ms response time, since the server is local. :)

    For just 1/20th of a second of delay I'd rather know that my DNS results are coming straight from the source rather than potentially poisoned by a third-party DNS server. Like you, I also prefer to not be forwarded to a domain seller or search results if I mistype a web address.

    So with these pieces of information, I happily choose Unbound as my DNS option rather than using an external server.



  • Yes - Totally agree ^

    I'd still love to hear, is there a downside to hardening glue and hardening DNSSEC?

    Seems like a great idea at first glance, but not sure if it will cost me anything?



  • @kejianshi:

    What I told you is default, works well and is secure.  Prevents DNS tampering.  Sounds pretty ideal.

    Ok, so no adding some servers like KOM listed?
    But what about the pointing-to-modem thing (System -> Routing -> Gateways)?

    @johnpoz:

    Ideal settings for what network?

    For what I want to do: fast, non-filtering/non-censoring DNS.
    I have two wireless devices with DD-WRT that only act as APs, and I don't know what "segment" means.



  • Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

    HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)



  • @kejianshi:

    Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

    HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)

    If it's Comcast, spring for the pure modem.
    Otherwise, it takes 20 minutes on the phone with them to get it into bridged mode and it'll revert back to a gateway anytime it has a power blip.



  • A pure modem is not possible because this box is the only one where you can
    get 3 phone numbers, and the numbers only work with this box.
    There are only 2 cable ISPs in Germany and both use this box.

    Bridged mode is not possible - there is a whole thread in the German forum.
    Only business customers get it - for private customers it's blocked.
    I can be happy that my connection is some years old, because new customers get IPv6 and that is only DS-Lite.

    So others say don't point to the modem/router, and you say don't mess with it and leave it as is?

    @Trel:

    If it's Comcast, spring for the pure modem.

    It's one of the two German cable providers and there is no chance for a modem, because only with this box
    can you phone with their numbers, and they don't let you bridge.



  • @kejianshi:

    If you go into the advanced and enable Prefetch Support and Prefetch DNS Key Support sites you visit often will be kept warm in cache and rechecked and recached often and won't expire.

    Doesn't that still generate traffic patterns over and above the normal DNS patterns, creating what some would call a needle in a haystack?



  • Not sure what you mean by "needle in a haystack".

    It will simply query the root servers for sites you visit very often instead of allowing them to age off.

    Yes, there will be more DNS traffic, but that's not a bad thing in any way I can think of.


  • That's how they found Bin Laden, or so I hear.  Constant DNS cache refreshes for 72virgins.haha.sexyfun.net.



  • I'll be expecting boots at my door any moment then, I guess…

    Since I couldn't find a good answer on how hardening DNSSEC and glue might impact my DNS performance, and no one answered my several posts on the subject, I just turned it on, and turned on the Unwanted Reply Threshold also...

    If it does something unwanted, I will post back - somewhere...

