Alternative DNS Servers - no filter/censorship (buydomains.com problem)

MrGlasspoole

Hi,

i had this now 4 times that some sides did not work correct (e.g. PayPal) or not get fully loaded and when this happens
some sides get redirected to buydomains.com

The first 3 times i had alerts and blocks in Snort:

#(http_inspect) JAVASCRIPT OBFUSCATION LEVELS EXCEEDS 1
gen_id 120, sig_id 9

#(smtp) Attempted response buffer overflow
gen_id 124, sig_id 3

After adding this to suppress i had to restart pfSense - just a Snort restart did not help.

Now i had it again that some sides did not fully load and i saw in the Firefox statusbar that
in the background Firefox was trying to load buydomains.com.
There was nothing in Snort this time and after a pfSense restart everything was working again.

How can i figure out what the problem is and where does buydomains.com come from?

kejianshi

Some crap browser addon or search "helper" addware probably in a tool bar perhaps included in some "cool" software you download online from some sketchy site.

MrGlasspoole

Hm, and that would affect all Computers in the house?
And restarting pfSense would then correct the problem?

And before i realized that all Computers are affect and that happened the first time i made a scan
with: adwCleaner, Junkware Removal Tool and Malwarebytes Anti-Malware…

kejianshi

No - Definitely should not hit every computer in the house.

Sounds like a DNS issue.  Where are you getting DNS from?

MrGlasspoole

The settings in pfSense are:

212.82.225.7 GW_WAN - wan - 10.0.0.1
212.82.226.212 GW_WAN - wan - 10.0.0.1
80.69.100.206 GW_WAN - wan - 10.0.0.1

The first two are from https://www.wikileaks.org/wiki/Alternative_DNS/de and the last one is from my provider.

My cable modem/router in front of pfSense is getting two DNS-Servers automatically from my provider.
But the ones from my modem/router shouldn't be used right?

IP cable modem/router: 10.0.0.1
IP pfSense WAN: 10.0.0.3
IP pfSense LAN: 192.168.0.1

The cable modem/router is set in port forward to "Exposed Host to 10.0.0.3" and DHCP is off and should work just as modem.

The computers "Default Gateway" and "DNS Server" are set to 192.168.0.1

kejianshi

I have an idea - Since you are obviously worried enough to want to make sure your DNS isn't getting tampered with, why not tell pfsense to be your resolver?

Upgrade to 2.2, turn off DNS forwarder, turn on DNS resolver, remove all those DNS server IPs from your list, do not allow DNS on wan to over ride your DNS list.  Turn on dnssec and see if your problems go away?

(You may still need to flush DNS cache on your LAN machines after one time)

MrGlasspoole

I'm already on 2.2 and DNS forwarder is already off and DNS resolver on (I use the resolver for my local domains).

But where do i place the alternative DNS-Servers i want to use?
And what is the difference between a normal setup (like it is now) and the resolver thing?

kejianshi

You don't place any alternative servers anywhere.
Go into DNS Resolver and turn on DNSSEC if you haven't.

Then check each one of the clients ethernet adapter settings for IPV4 and IPV6 and make sure they get DNS and IP automatically.

Then flush your DNS cache on all your machines (Windows I presume)

right click cmd tool and open as admin and type  ipconfig /flushdns and hit enter.

In the past I have also seen people using free firewall/av having their DNS redirected "for their safety".

doktornotor

@kejianshi:

No - Definitely should not hit every computer in the house.
Sounds like a DNS issue.  Where are you getting DNS from?

Very much possible with hacked cable modem. Stop pointing your DNS to cable modem in the first place.

MrGlasspoole

@kejianshi:

You don't place any alternative servers anywhere.

If i don't add the DNS nameservers i want to use how do i use them ???

The reasons to use other DNS servers then the ones you get from your provider are:
1. No content filter
2. maybe faster

@kejianshi:

Then check each one of the clients ethernet adapter settings for IPV4 and IPV6 and make sure they get DNS and IP automatically.

Why should i do that if i don't want to use DHCP and want all my computers, consoles, micro controllers to have fixed IP's?

@doktornotor:

Very much possible with hacked cable modem. Stop pointing your DNS to cable modem in the first place.

The cable modem/router is getting it's firmware updates from the provider and you can't do anything about that.
I guess the box is save as it's the only one you can use with this provider (you get it from them) and it only works in your house.
It's a FritzBox 6360: http://avm.de/produkte/fritzbox/fritzbox-6360-cable/
You can't buy it and you only get it from 2 providers.

If the cable modem would be hacked then i guess a pfSense restart would not solve the problem?

What do you mean by "Stop pointing your DNS to cable modem in the first place."

I had it working like that with my old Asus Dark Knight and Tomato for a long time.

KOM

What do you mean by "Stop pointing your DNS to cable modem in the first place."

He means don't use your cable modem as DNS.  Use something external that is unlikely to be fiddled with, like Google DNS, Level3 or OpenDNS.  Your cable modem will be programmed to use your ISP's DNS, and some shady ISPs will do DNS injection, 404 redirection to serve ads, and other tricks etc.  What's interesting is that people have been complaining about being redirected to buydomains.com for like the past 10+ years now, and it was usually browser malware that causes it.

firewalluser

3. You dont have to use Lizard Squads advertisers via DNS redirects, although its not specifically mentioned, theres no reason why LS couldnt if they thought about it, we just dont know….
http://www.techweekeurope.co.uk/networks/lizard-squad-home-routers-ddos-159281?PageSpeed=noscript

doktornotor

@MrGlasspoole:

It's a FritzBox 6360: http://avm.de/produkte/fritzbox/fritzbox-6360-cable/
You can't buy it and you only get it from 2 providers.

Great shame you cannot buy it, considering features like this nifty unauthenticated command injection :D

@MrGlasspoole:

What do you mean by "Stop pointing your DNS to cable modem in the first place."

^That ;)

kejianshi

Its become recently apparent to me that as long as you keep using those sorts of non-dnssec compliant DNS servers you will continue to be vulnerable to having your DNS jacked.  So, consider using them as bad.  So, if its bad, no matter how much you like it, you shouldn't use it right?

MrGlasspoole

@KOM:

He means don't use your cable modem as DNS.  Use something external that is unlikely to be fiddled with, like Google DNS, Level3 or OpenDNS.  Your cable modem will be programmed to use your ISP's DNS, and some shady ISPs will do DNS injection, 404 redirection to serve ads, and other tricks etc

I'm totally confused now. Isn't that what i'm doing/trying to do?

I add the DNS Servers to system > general setup and point the computers to pfSense (192.168.0.1)

kejianshi

See there are 2 directions to go with unbound.

1 - Let unbound work in resolver + DNSSEC mode using just the root internet servers.  No servers list anywhere.  Yes its super nice.  No it won't stop you kid from trying to find nude pics of their favorite model.

2. Put unbound in forwarder mode and let it work with the list of servers you put in system > general.  Depending on if the servers in the list are DNSSEC compliant, you may get to use DNSSEC.  If not, then you can't.  Yes this may help you control content and prevent someone from seeing Miss July or it may also allow your DNS to get jacked with in a way you were not expecting.

You probably shouldn't be mixing these two on pfsense.

What I might do if it were me is keep unbound in resolver mode + DNSSEC so the vast majority of the network gets unmolested DNS and go to the kid's machine and manually enter the DNS server IP of your choice into the adapter setting to prevent that one machine from being used to find the dimensions of Miss July.

MrGlasspoole

There are no Kids and i don't want to filter something buy DNS Servers.
All i want to do is making sure i use DNS Name servers that are not filtering or censorship
and that are fast.

That whole DNS thing and all the settings in pfSense are confusing  :(

kejianshi

My god.  Then your settings are super simple.

Go to system > General

delete all your server IPs.

uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN

uncheck  Do not use the DNS Forwarder as a DNS server for the firewall

save.

Then go to DNS forwarder and make sure its off.  Save.

Then go to DNS resolver and make sure its on.
Turn on DNSSEC

Save

Now, you should have raw, un-tampered unmolested DNS from the root servers.

KOM

I add the DNS Servers to system > general setup and point the computers to pfSense (192.168.0.1)

That's correct, but what is your pfSense pointing to?  Probably your gateway which is your cable modem, or IP address(es) supplied by your ISP.  Don't use those.  Use external 3rd-party DNS from a list such as this:

Free & Public DNS Servers (Updated January 2015)

Provider           Primary DNS      Secondary DNS

Level3           209.244.0.3      209.244.0.4
Google           8.8.8.8          8.8.4.4
DNS.WATCH         84.200.69.80      84.200.70.40
Comodo Secure DNS  8.26.56.26        8.20.247.20
OpenDNS Home     208.67.222.222    208.67.220.220
DNS Advantage     156.154.70.1      156.154.71.1
Norton ConnectSafe  199.85.126.10    199.85.127.10
GreenTeamDNS     81.218.119.11    209.88.198.133
SafeDNS           195.46.39.39      195.46.39.40
OpenNIC           107.150.40.234    50.116.23.211
SmartViper       208.76.50.50      208.76.51.51
Dyn               216.146.35.35    216.146.36.36
FreeDNS           37.235.1.174      37.235.1.177
censurfridns.dk   89.233.43.71      91.239.100.100
Hurricane Electric  74.82.42.42
puntCAT           109.69.8.51

doktornotor

As a side note: DNS hijacking flaw in ZynOS-based routers.