Alternative DNS Servers - no filter/censorship (buydomains.com problem)
-
Just trying TTL 2147483647 which will generate its own operational signature.
https://www.ietf.org/rfc/rfc2181.txt Section 8 TTL.
-
Ohhhhh. Tell me how that turns out…
-
Just today
-
Actually, anything not running DNSSEC is vulnerable to this attack:
1st: Man-on-the-side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version.) Or perhaps they just redirect you to some BS crap shopping site.
2nd: Once your server connects to theirs, they fake the website you were trying to visit, complete the HTTPS transaction and forward you on to the real site via their server. Now they are the man in the middle and can read your supposedly encrypted traffic, inject packets, inject malware, whatever.
So, pretty much 99% of web users are vulnerable.
IMHO pfSense doesn't sell itself hard enough on its security features. Not in terms average buyers can grasp, anyway.
-
1st: Man-on-the-side attack, where someone listening passively on the side does packet injection and spoofs a DNS response faster than the real DNS server. They send you to their fake server loaded with forged certs and forged websites that look like the real thing. (That's the really evil version.) Or perhaps they just redirect you to some BS crap shopping site.
Wonder if that was the case with this one: https://forum.pfsense.org/index.php?topic=87491.0
-
No idea - maybe.
-
Ok, I made some screenshots of the settings I have now.
@kejianshi
I'm still not sure about the gateway.
You said pointing to the modem is how grandmother did it: https://forum.pfsense.org/index.php?topic=87678.msg483085#msg483085
But then you said: "Don't mess with the gateways". And to make sure I get it right: with these settings I get name resolving directly from the 13 root nameservers (anycast aside)?
If that's the case, then why are these alternative DNS server lists everywhere, and why is this not the default in routers from ISPs? I guess I'll change the title of this thread - maybe it helps others.
-
Name servers that return a bullshit IP address instead of NXDOMAIN for A records that don't exist are an abomination.
I will be switching over to a resolver-based configuration this weekend now that I'm on 2.2.
-
Well, your resolver is on all, which is not how I would set it up.
Resolver should only listen on your LAN port, and should only talk to other DNS on your WAN.
And I don't see how you expect pfSense to resolve anything - so it's not going to be able to check for updates..
-
You could deselect WAN without hurting anything, or you could just not open port 53 on WAN… Either way. (P.S. It's not open.)
It should work and resolve just fine the way you have it here.
Easy way to check if your system is resolving and if you can get updates is to go to the main pfSense GUI and see if it shows "you are on current version".
If it does, your pfSense is resolving fine for itself and probably for all the other machines on the LAN.
Now, go to https://www.dnsleaktest.com/ and see how many resolvers show up.
Hopefully it's like... 1
-
Selecting just LAN on "Network Interfaces" and "Outgoing Network Interfaces" gives the error:
This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
-
Select all. Port 53 is closed on the WAN. No issues there.
-
Now only the gateway question is still open :)
-
Then select both LAN and localhost ;) ALL is BAD practice!!
Here is mine
-
I wouldn't screw with the gateway… unless you are in the mood to upgrade to an ISP/modem combo that gets you a public IP on the pfSense WAN?
-
Not sure if you know, but you select individual interfaces by holding the Ctrl key while clicking on the ones you want.
What johnpoz is saying is best - I was trying to keep it simple…
-
Not sure if you know, but you select individual interfaces by holding the Ctrl key while clicking on the ones you want.
I know that :-) - My computer knowledge is good but pfSense is overwhelming :-)
So the important part here is that on "Network Interfaces" you just have the internal and on "Outgoing Network Interfaces" the external stuff?
Gateway:
I did check my ISP router and I have the bridge option now.
I made the hack a year ago and the option was not there - seems like after some firmware update it changed.
I have a warning "from manufacturer not supported change". So I can select LAN2 as bridged.
But if I do that and connect my pfSense WAN NIC to LAN2 I can not reach the router anymore with 10.0.0.1. What changes do I need to make in pfSense to test it?
I guess in "Interfaces > WAN" and "System > Routing > Gateways"
-
Is your WAN DHCP or PPPoE?
(Or Static?)
-
Wait. If you select bridged your router is no longer a router so you might not be able to get to it any more at all and, frankly, who cares?
-
Is your WAN DHCP or PPPoE?
(Or Static?)
Static - pictures of WAN and gateway settings are at the top of this page :)
Wait. If you select bridged your router is no longer a router so you might not be able to get to it any more at all and, frankly, who cares?
I care because the phone book, caller list, fax stuff and everything is handled by that box.
There are two phones connected to that box. You can't use dedicated VoIP phones with German cable ISPs (VoC) because they don't work. They don't give you the access data and it only works from your box in your house (not like normal VoIP).
-
Yes - I call it built in BS and multifunction trash designed to purposely remove your options. Very familiar with the concept.
-
Is your WAN DHCP or PPPoE?
(Or Static?)
Static - pictures of WAN and gateway settings are at the top of this page :)
Meh, what is your connection protocol to your ISP….
You should get your public IP on WAN if bridged works or is supported at all, which you must test.
Close your firewall WAN inbound vulnerabilities first.
-
@hda:
Meh, what is your connection protocol to your ISP ….
What do you mean by protocol?
It's DOCSIS, IPv4…
-
Static - pictures of WAN and gateway settings are at the top of this page :)
At the top of what page?
Forum users can set how many messages per page are shown.
Please provide a link to the exact post or attach it again. Thanks.
-
Sorry: https://forum.pfsense.org/index.php?topic=87678.msg483594#msg483594
-
Yeah, that's a static on 10.0.0.1. If you're bridged to the internet you should, somehow, get a public IP on WAN. This is usually accomplished with DHCP or PPPoE.
-
What do you mean by protocol?
It's DOCSIS, IPv4…
So, then probably your protocol is DHCP on WAN; anyway, you have to test.
Beware if it works or is supported by ISP Unitymedia:
- "front door" is open, control inbound ports on WAN
- may lose the phone capabilities.
-
You don't have any DNS servers set up on your General page, but your WAN is set up for static!
I believe the pfSense box will use DHCP to locate the needed DNS. (I've not tested this.)
On the General page fill in at least one DNS and click both boxes below.
-
I made a test with the settings in the attachments.
I also tried it with setting 8.8.8.8 in the General page. In the dashboard I then see:
WAN (DHCP): a public IP, but different than the one I have in my ISP's router
DNS server(s): the same as in my ISP's router
and I get "unable to obtain update status" - so no internet.
-
I guess you don't like the way I suggested to do it?
-
Just testing, and you wrote: pointing to the modem is how grandmother did
The DMZ way (how it is now) works. But is it better without double NAT, and can I get it to work?
But from looking around more on that topic and this box it seems like nobody has it working.
Looks like only business tariff customers can use the bridge because they get a second IP.
-
I got a new router from the ISP and had to change stuff because on that stupid thing you can't change the IP to another subnet.
So I did read through this thread again and need to ask again even if you kill me :(
I can't get bridge mode here so I have to set:
Interfaces > WAN
IPv4 Upstream gateway: GW_WAN - 192.168.0.1
Right?
I had kejianshi's suggestion running now for the last 2 years:
@kejianshi: Go to System > General
delete all your server IPs.
uncheck Allow DNS server list to be overridden by DHCP/PPP on WAN
uncheck Do not use the DNS Forwarder as a DNS server for the firewall
save.
Then go to DNS Forwarder and make sure it's off. Save.
Then go to DNS Resolver and make sure it's on.
Turn on DNSSEC
Save
BUT I still don't understand if for this setting and with no bridge mode his statement is true:
@kejianshi: Now, you should have raw, untampered, unmolested DNS from the root servers.
Also, still others here wrote you have to put a DNS server in System > General Setup.
So with kejianshi's suggestion and without bridge mode I'm using the ISP's DNS server - yes or no?
I also saw on the Time Servers setting:
Remember to set up at least one DNS server if a host name is entered here!
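Several posts above turn on the same question: does the resolver you end up with actually validate DNSSEC (the man-on-the-side post), does it return an honest NXDOMAIN instead of a made-up IP (the "abomination" post), and are the quoted resolver steps giving you un-tampered answers? The script below, an added example that is not from the thread or from pfSense, answers those from a LAN host by sending a query and inspecting the reply header. It assumes the pfSense LAN address 192.168.1.1 and uses ietf.org as a DNSSEC-signed name; the nonexistent name is constructed.

```python
"""Probe a resolver for DNSSEC validation (AD bit), honest NXDOMAIN, and
transaction-ID matching. Stdlib only; the network part runs only under __main__."""
import os
import socket
import struct

def build_query(name, qtype=1):
    """Build a recursive query (RD set) with an EDNS0 OPT record carrying the
    DO bit, so a validating resolver reports AD. Returns (transaction id, wire)."""
    txid = int.from_bytes(os.urandom(2), "big")                 # random ID, as stubs do
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)   # flags: RD; 1 Q, 1 additional
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode() for lab in labels) + b"\x00"
    question = qname + struct.pack(">HH", qtype, 1)             # qtype, class IN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 4096, 0, 0, 0x8000, 0)  # OPT RR, DO=1
    return txid, header + question + opt

def parse_header(wire):
    """Decode the 12-byte DNS header into the fields the checks below need."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", wire[:12])
    return {"id": txid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "ancount": an}

def assess(reply, expected_id, expect_nxdomain=False):
    """Classify a reply the way a cautious stub should: drop anything that is not
    a reply to our ID, flag a rewritten NXDOMAIN, and report whether AD was set."""
    h = parse_header(reply)
    if not h["qr"] or h["id"] != expected_id:
        return "discard: not a reply to our query (ID mismatch)"
    if expect_nxdomain:
        return "honest NXDOMAIN" if h["rcode"] == 3 else "NXDOMAIN rewritten to an answer"
    if h["rcode"] != 0:
        return "error rcode %d" % h["rcode"]
    return "validated (AD)" if h["ad"] else "answer but NOT DNSSEC-validated"

if __name__ == "__main__":
    resolver = ("192.168.1.1", 53)   # assumption: pfSense LAN address running the Resolver
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(3)
    # ietf.org is DNSSEC-signed; the second name is constructed and must not exist.
    for name, nx in (("ietf.org", False), ("does-not-exist.example", True)):
        txid, wire = build_query(name)
        sock.sendto(wire, resolver)
        print(name, "->", assess(sock.recv(4096), txid, expect_nxdomain=nx))
```

If the first query prints "answer but NOT DNSSEC-validated", the box answering you is not the validating Resolver from the quoted steps (for instance, the ISP router's forwarder); if the second prints "rewritten", that upstream is the kind of server the "abomination" post complains about.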