Alternative DNS Servers - no filter/censorship (buydomains.com problem)
-
Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.
HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)
If it's Comcast, spring for the pure modem.
Otherwise, it takes 20 minutes on the phone with them to get it into bridged mode and it'll revert back to a gateway anytime it has a power blip.
-
A pure modem is not possible cause this box is the only one where you can
get 3 phone numbers and the numbers only work with this box.
There are only 2 Cable ISPs in Germany and both use this box. Bridged mode is not possible - there is a whole thread in the German forum.
Only business customers get it - for private customers it's blocked.
I can be happy that my connection is some years old cause new customers get IPv6 and that is only DS-Lite. So others say don't point to the modem/router and you say don't mess with it and leave it as is?
If it's Comcast, spring for the pure modem.
It's one of the two German cable providers and there is no chance for a modem, cause only with this box
can you phone with their numbers, and they don't let you bridge.
-
If you go into the advanced settings and enable Prefetch Support and Prefetch DNS Key Support, sites you visit often will be kept warm in cache, rechecked and recached often, and won't expire.
Doesn't that still generate traffic patterns over and above the normal DNS patterns, creating what some would call a needle in a haystack?
-
Not sure what you mean by "Needle in a haystack"
It will simply query the root servers for sites you visit very often instead of allowing them to age off.
Yes, there will be more DNS traffic, but that's not a bad thing in any way I can think of.
-
That's how they found Bin Laden, or so I hear. Constant DNS cache refreshes for 72virgins.haha.sexyfun.net.
-
I'll be expecting boots at my door any moment then I guess…
Since I couldn't find a good answer on how hardening DNSSEC and glue might impact my DNS performance, and no one answered my several posts on the subject, I just turned it on, turned on the Unwanted Reply Threshold also...
If it does something unwanted, I will post back - somewhere...
-
Just trying TTL 2147483647 which will generate its own operational signature.
https://www.ietf.org/rfc/rfc2181.txt Section 8 TTL.
-
Ohhhhh. Tell me how that turns out…
-
Just today
-
Actually anything not running DNSSEC is vulnerable to this attack:
1st Man on the side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version) or perhaps they just redirect you to some BS crap shopping site.
2nd Once your server connects to theirs they fake the website you were trying to visit and complete the HTTPS transaction and forward you on to the real site - via their server. Now they are the man in the middle and can read your supposedly encrypted traffic, inject packets, inject malware, whatever.
So, that's pretty much 99% of web users vulnerable.
IMHO pfsense doesn't sell itself hard enough on its security features. Not in terms average buyers can grasp anyway.
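The two posts above describe a spoofed reply racing the real server and, earlier, the TTL value 2147483647 from RFC 2181 section 8. The following Python script is an added example, not code from the thread or from pfSense/Unbound: it builds constructed DNS response packets (TEST-NET addresses, the reserved name www.example.com), parses them with RFC 2181 TTL normalization (a TTL with the high bit set is treated as zero, so 2^31-1 is the largest usable value), and flags the detectable trace of an injection race: two answers for the same transaction ID and name that disagree. The detector cannot say which answer is the forged one; it only shows that a resolver without DNSSEC validation has nothing better to go on than "first reply wins".

```python
import struct

# RFC 2181 section 8: the TTL field is 32 bits wide but only 31 bits carry a
# value; a received TTL with the high bit set must be treated as zero.
MAX_TTL = 2**31 - 1


def normalize_ttl(ttl):
    """Clamp a received TTL per RFC 2181 s8 (high bit set -> 0)."""
    if not 0 <= ttl <= 0xFFFFFFFF:
        raise ValueError("TTL must be an unsigned 32-bit value")
    return 0 if ttl > MAX_TTL else ttl


def encode_name(name):
    """Wire-format a dotted name as length-prefixed labels (no compression)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_a_response(txid, qname, ip, ttl):
    """Constructed sample packet: one question, one A answer, QR/RD/RA flags set."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)
    question = encode_name(qname) + struct.pack("!HH", 1, 1)          # QTYPE A, QCLASS IN
    answer = encode_name(qname) + struct.pack("!HHIH", 1, 1, ttl, 4)   # TYPE, CLASS, TTL, RDLENGTH
    return header + question + answer + bytes(int(o) for o in ip.split("."))


def decode_name(data, off):
    """Read a name at `off`, following compression pointers; return (name, next_off)."""
    labels = []
    while True:
        ln = data[off]
        if ln == 0:
            return ".".join(labels), off + 1
        if ln & 0xC0 == 0xC0:  # two-byte pointer to an earlier copy of the name
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(data, ptr)
            labels.append(tail)
            return ".".join(labels), off + 2
        labels.append(data[off + 1:off + 1 + ln].decode("ascii"))
        off += 1 + ln


def parse_response(data):
    """Return txid, question name and the A records (name, normalized TTL, ip)."""
    txid, _flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    qname, off = decode_name(data, 12)
    off += 4  # skip QTYPE and QCLASS of the question
    records = []
    for _ in range(an):
        name, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            records.append((name, normalize_ttl(ttl), ".".join(str(b) for b in rdata)))
    return {"txid": txid, "qname": qname, "records": records}


class InjectionDetector:
    """Remember the first answer seen per (txid, qname) and report a later one
    that disagrees: the trace left by a spoofed reply racing the real server."""

    def __init__(self):
        self.first = {}

    def observe(self, packet, src_ip):
        r = parse_response(packet)
        key = (r["txid"], r["qname"].lower())
        ips = tuple(sorted(rec[2] for rec in r["records"]))
        if key not in self.first:
            self.first[key] = (src_ip, ips)
            return None
        prev_src, prev_ips = self.first[key]
        if prev_ips == ips:
            return None  # a retransmit with the same answer is not suspicious
        return "conflicting answers for %s txid=%#06x: %s from %s vs %s from %s" % (
            r["qname"], r["txid"], prev_ips, prev_src, ips, src_ip)


def demo():
    """Constructed scenario: a forged reply (with an out-of-range TTL) arrives first."""
    det = InjectionDetector()
    forged = build_a_response(0x1234, "www.example.com", "203.0.113.10", 2**31)
    real = build_a_response(0x1234, "www.example.com", "198.51.100.7", 300)
    results = (det.observe(forged, "10.0.0.99"), det.observe(real, "198.51.100.53"))
    return [alert for alert in results if alert]


if __name__ == "__main__":
    for alert in demo():
        print(alert)
```

The TTL of 2^31 in the forged packet parses as 0, which is what RFC 2181 requires and why 2147483647 is the largest value a resolver will actually honour. A real tap would feed `observe` from a capture of port 53 traffic on the WAN side; the sample here is constructed inline so the script runs offline.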
-
1st Man on the side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version) or perhaps they just redirect you to some BS crap shopping site.
Wonder if that was the case with this one: https://forum.pfsense.org/index.php?topic=87491.0
-
No idea - maybe.
-
Ok, I made some screenshots of the settings I have now.
@kejianshi
I'm still not sure about the gateway.
You said pointing to the modem is how grandmother did it: https://forum.pfsense.org/index.php?topic=87678.msg483085#msg483085
But then you said: "Don't mess with the gateways". And to make sure I get it right: With these settings I get name resolving directly from the 13 Root-Nameservers (Anycast aside)?
If that's the case then why are there these alternative DNS server lists everywhere, and why is this not the default in routers from ISPs? I guess I'll change the title of this thread - maybe it helps others.
-
Name servers that return a bullshit IP address instead of NXDOMAIN for A records that don't exist are an abomination.
I will be switching over to a resolver-based configuration this weekend now that I'm on 2.2.
-
Well, your resolver is on All, which is not how I would set it up.
Resolver should only listen on your LAN port, and should only talk to other DNS on your WAN.
And I don't see how you expect pfsense to resolve anything - so it's not going to be able to check for updates..
-
You could deselect WAN without hurting anything or you could just not open port 53 on WAN… Either way. (P.S. It's not open)
It should work and resolve just fine the way you have it here. Easy way to check if your system is resolving and if you can get updates is to go to the main pfsense GUI and see if it shows "you are on current version".
If it does, your pfsense is resolving fine for itself and probably for all the other machines on the LAN.
Now, go to https://www.dnsleaktest.com/ and see how many resolvers show up.
Hopefully it's like... 1
-
Selecting just LAN on "Network Interfaces" and "Outgoing Network Interfaces" gives the error:
This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
-
Select all. Port 53 is closed on the WAN. No issues there.
-
Now only the gateway question is still open :)
-
Then select both LAN and localhost ;) ALL is BAD practice!!
Here is mine
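The thread settles on three resolver settings: listen on LAN and localhost rather than All (and keep port 53 closed on WAN), turn on Prefetch Support and Prefetch DNS Key Support, and enable the DNSSEC/glue hardening options and Unwanted Reply Threshold. The Python script below is an added example and not pfSense's or Unbound's own code: it audits those points on the underlying Unbound directives (`interface`, `access-control`, `prefetch`, `prefetch-key`, `harden-glue`, `harden-dnssec-stripped`, `unwanted-reply-threshold`, which pfSense writes into its generated unbound.conf) using two constructed configs, a weak one and a hardened one. The LAN subnet 192.168.1.0/24, the listen addresses and the default values assumed when a directive is absent are assumptions of the example, and the parser only handles the IPv4, one-directive-per-line syntax shown.

```python
import ipaddress

# Assumed Unbound defaults for directives that are absent (unbound.conf manual);
# the audit reports any that do not end up at the value the thread recommends.
DEFAULTS = {"prefetch": "no", "prefetch-key": "no",
            "harden-glue": "yes", "harden-dnssec-stripped": "yes"}

# Constructed sample: resolver bound to every address, open to everyone, no prefetch.
WEAK_CONF = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
    prefetch: no
"""

# Constructed sample: LAN plus localhost only, everyone else refused, hardening on.
HARDENED_CONF = """
server:
    interface: 192.168.1.1
    interface: 127.0.0.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse
    prefetch: yes
    prefetch-key: yes
    harden-glue: yes
    harden-dnssec-stripped: yes
    unwanted-reply-threshold: 10000000
"""


def parse_server_options(text):
    """Collect repeated 'key: value' lines of the server: clause into lists."""
    opts = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.endswith(":"):
            continue  # blank line or a clause header such as 'server:'
        key, _, value = line.partition(":")
        opts.setdefault(key.strip(), []).append(value.strip())
    return opts


def audit_resolver(text, lan_nets):
    """Return a list of findings; an empty list means the config matches the advice."""
    lan = [ipaddress.ip_network(n) for n in lan_nets]
    opts = parse_server_options(text)
    findings = []

    # 1. Listening sockets: LAN address(es) and loopback only, never 0.0.0.0 ("All").
    for addr in opts.get("interface", []):
        ip = ipaddress.ip_address(addr.split("@", 1)[0])  # drop an optional @port
        if ip.is_unspecified:
            findings.append("interface %s listens on all addresses; bind the LAN "
                            "address and 127.0.0.1 instead" % addr)
        elif not (ip.is_loopback or any(ip in n for n in lan)):
            findings.append("interface %s is not a LAN or loopback address" % addr)

    # 2. Access control: only loopback and LAN ranges may be allowed to query.
    for rule in opts.get("access-control", []):
        net_s, action = rule.split()[:2]
        net = ipaddress.ip_network(net_s)
        inside_lan = any(net.version == n.version and net.subnet_of(n) for n in lan)
        if action.startswith("allow") and not net.is_loopback and not inside_lan:
            findings.append("access-control '%s' allows queries from outside the LAN" % rule)

    # 3. Cache warming and hardening flags; the last occurrence of a directive wins.
    for flag, default in DEFAULTS.items():
        if opts.get(flag, [default])[-1] != "yes":
            findings.append("%s is off; enable it" % flag)
    if int(opts.get("unwanted-reply-threshold", ["0"])[-1]) == 0:
        findings.append("unwanted-reply-threshold is 0; the cache is never flushed "
                        "after a burst of unsolicited replies")
    return findings


if __name__ == "__main__":
    for label, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_resolver(conf, ["192.168.1.0/24"]) or "OK")
```

On pfSense the generated file lives under /var/unbound and reflects the GUI choices; pointing `audit_resolver` at its text after a settings change is a quick way to confirm that "Network Interfaces: LAN + Localhost" really produced LAN and 127.0.0.1 listeners and that the hardening boxes took effect.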