change DNS settings for a safer more secure mac and pc



macgig
12-03-2017, 02:32 PM
https://quad9.net/#/

I asked my cyber security instructor/expert if this Quad 9 is a good idea and is safe. He said yes.

Just wanted to share this info. :)

mrplow
12-04-2017, 05:02 AM
It's certainly a sound idea.

There's a good article on it here:
https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/?comments=1

I'd like to see a little more info on the service and a little more clarification around privacy and data retention, but it looks promising.

chscag
12-04-2017, 05:22 PM
As I pointed out in another post regarding Quad 9.... it's easy enough to change over to it and try it out. Google's 8.8.8.8 does not provide the same safety net as Quad 9 does, privacy or no privacy.

As "mrplow" points out, more information on privacy (tracking) and keeping your data in the cloud would be helpful. I'm rather doubtful though that any DNS service can keep your privacy "private" along with your data. Maybe I'm being pessimistic. :\

Cr00zng
12-05-2017, 09:44 AM
It's certainly a sound idea.

There's a good article on it here:
https://arstechnica.com/information-technology/2017/11/new-quad9-dns-service-blocks-malicious-domains-for-everyone/?comments=1

I'd like to see a little more info on the service and a little more clarification around privacy and data retention, but it looks promising.

Agreed, it looks promising, but...

I'd like to see more clarification about the "gold list"... Quote from the ArsTech article:


There's also a "gold list"—domains that should never be blocked, such as major Internet service sites like Microsoft's Azure cloud, Google, and Amazon Web Services. "We do realize that docs.google.com is hosting phishing attacks," Baykal said. "But because this is DNS filtering, we cannot block that URL specifically. And we don't ever want to completely block Google."
So, it's OK for companies on the gold-list to spread malware, but it's not OK for others? :Smirk: If I am a hacker, guess where I'll have my malware distributed from? :Angry:

And if you think about this a bit, the Quad9 DNS service is the same as the AV protection in some respect. Both of them will protect you against known exploits, but it does nothing against new ones.

</tinfoil-hat on>
What if the Quad9 DNS server blocks access to legitimate sites, such as foreign news companies' sites, "alt-right"/"alt-left" sites, religious sites, etc.? Or worse, it redirects to other websites...
</tinfoil-hat off>

There are questions, but I give them credit for doing something about malware, or at least they try...

michelangelo
12-15-2017, 06:48 PM
Living in France near Paris, I have configured my main WAN modem to use Quad 9 (9.9.9.9) for DNS. It is not as fast as Google's 8.8.4.4, but is faster than my ISP's own DNS server, and reputedly very secure. If you want more info on DNS speed (and on DNS spoofing as well) you may want to use Steve Gibson's free DNS resources available on GRC.com. There, the DNS benchmark test is a .exe program written in assembly language, but it works perfectly on my Mac when I open it with Wine (I use the combo Wine / WINEBOTTLER designed for the Mac). HTH

pm-r
12-15-2017, 08:07 PM
If you want more info on DNS speed


This reminds me of the old namebench.app that certainly comes to mind for those that might want to check or change their DNS for the best speed:



namebench

Open-source DNS Benchmark Utility

Are you a power-user with 5 minutes to spare? Do you want a faster internet experience?

Try out namebench. It hunts down the fastest DNS servers (http://en.wikipedia.org/wiki/Domain_Name_System) available for your computer to use. namebench runs a fair and thorough benchmark using your web browser history, tcpdump output, or standardized datasets in order to provide an individualized recommendation. namebench is completely free and does not modify your system in any way. This project began as a 20% project at Google. …
https://code.google.com/archive/p/namebench/

It's VERY safe and easy to use. It just needs a few minutes to run, to test things of course. :Blushing:





- Patrick
======

Cr00zng
12-16-2017, 08:23 AM
Testing both DNS Benchmark and namebench on my system gives different results.

DNS Benchmark: [screenshot attachment]

Namebench: [screenshot attachment]

The "SYS-127.0.0.1" DNS server is a DNSCrypt (https://www.dnscrypt.org/) client that bypasses the ISP-provided DNS server.

Performance wise, the DNSCrypt performs relatively well on my system and there had been no issues accessing websites. As for the difference between the two DNS benchmark software... I tend to prefer the DNS Benchmark; it's a smaller file and works faster.

PS: Couple DNSCrypt with the TOR browser if privacy is what you're looking for. Doing so prevents your ISP from logging your internet access; the only information the ISP will have is the DNSCrypt server and the first TOR node IPs, the latter of which changes every time the TOR browser is started.

michelangelo
12-16-2017, 10:47 AM
Hello. I checked on namebench.app. It simply told me my set-up (whereby the address of my DNS server is in my secondary router 192.168.1.1) was the best. Did not tell me of alternates. I was not convinced.

As also suggested above, you may want to try also Steve Gibson's DNS Benchmark (a ridiculously low-weight software, because it is written in assembly language), available at <https://www.grc.com/dns/benchmark.htm>.

To use it on the Mac, I use the Wine install provided by Winebottler <http://winebottler.kronenberg.org/>. I simply download the installers, install Wine.app and Winebottler.app in my Applications folder and do not even bother to use Winebottler. Simply download the executable DNSBench.exe to my desktop, "Open it with Wine" and do not attempt to assign it to the list of Windows apps tamed by Winebottler. Add to the list any DNS IP you want considered in addition to the default choices (I added 9.9.9.9 and my ISP's suggested DNS server). The table of results provides information quite useful for choosing which DNS server or bunch of servers to use. FWIW

pm-r
12-16-2017, 02:18 PM
Did not tell me of alternates. I was not convinced.

That's odd,

It's always shown alternatives for me as well as numbering in the column as #1, #2 etc…

i.e.: [screenshot attachment]




- Patrick
======

Ember1205
12-16-2017, 02:47 PM
The Quad 9 service will not work for many... Why? Because your ISP expressly prohibits it.

DNS uses very little network traffic to resolve a hostname to an IP. But, the ISP's want to be completely in control of those queries for a variety of reasons. And, many will outright block DNS traffic from going anywhere but to their own DNS servers.

There's a host of problems that this can cause, but generally the impact to us as consumers is negligible or zero. For the providers, they are able to retain some level of control on how much of their traffic is DNS as opposed to actual content. While saving a packet or two on my behalf is nothing, multiplying that by a few hundred thousand users adds up to real traffic savings.

This -could- become more and more problematic across more providers if the repeal of Net Neutrality isn't prevented in some fashion. If providers are allowed to manipulate traffic more, the first step in that direction is a tighter control on DNS. That gives them the ability to turn www.netflix.com into something entirely different and land you on their servers instead. I'm not saying this is GOING to happen, I'm saying it's a risk.

As far as prevention of malware, DNS manipulation like this is a pretty basic and very old tool. The concept of blacklisting sites and turning their names into junk IP Addresses goes way, way back. You can do it with a hosts file, a DNS server that maintains an updated list, or other similar ways. But, as pointed out in the article, DNS ties to a specific host entity and has absolutely NO AWARENESS of the content that's actually on that host. Blocking access via DNS only blocks access to the site NAME, not its actual address.

If www.badsite.com translates to address a.b.c.d, and Quad9 blocks this resolution, that's good. But, what if address a.b.c.d is the same address used by www.goodsite.com (for those that don't know, this isn't only possible, it's very common)? Allowing www.goodsite.com lands you on the exact same machine that was blocked prior. So, the bad content is still there... What did DNS -really- do for you? Depends on how the machine at address a.b.c.d is set up.

This exact situation is why Application layer firewalls are more useful now than ever, and more popular too. A network firewall can't do anything to protect against malware except to explicitly deny talking to an IP Address that is known to be spreading malware. And that might also block access to good content on the same site. An Application layer firewall can actually look at the -content- going back and forth and block based on what it sees at that level.

It's sort of akin to saying "No tractor trailers are allowed on this road" (network firewall) versus "No tractor trailers that are carrying 55 gallon drums of nuclear waste are allowed on this road" (application firewall). Deciding based on content is generally safer overall. And, Quad 9 provides a service that's much closer to the network firewall example.


Like others, I am suspicious of why this is a free service. Who's paying for it? Can I see the lists of good sites somewhere? The bad sites? What are they capturing for usage data? What are they DOING with that data? Am I uniquely identified in any way in the data they're capturing?
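The two points above (an ISP may intercept queries meant for another resolver, and name-based blocking says nothing about the IP the name points at) can both be checked from the client side. The following stdlib-only DNS client is an added example, not code from the thread or from Quad9: it sends the same A query to each resolver and reports the response code and addresses, so a name that a filtering resolver refuses (Quad9 answers NXDOMAIN, rcode 3, for names on its blocklist) can be compared against what the ISP's resolver returns, and two names that resolve to one IP are easy to spot. The resolver IPs 9.9.9.9 and 8.8.8.8 are from the thread; add your own ISP's resolver to the list to compare.

```python
"""Minimal stdlib DNS client, added as an example (not the forum's or Quad9's code): sends the
same A query to several resolvers and shows rcode/answers, so you can see whether a filtering
resolver returns NXDOMAIN (rcode 3), and whether two names share one IP."""
import random
import socket
import struct

def build_query(name, qid=None):
    """RFC 1035 wire-format recursive A/IN query for `name`."""
    qid = random.randrange(0x10000) if qid is None else qid
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)  # RD=1, one question
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def _read_name(msg, off):
    """Decode a (possibly compressed) name; return (name, offset just past it)."""
    labels, end = [], None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:               # compression pointer: jump, remember end
            end = end if end is not None else off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), off if end is None else end

def parse_response(msg):
    """Return {'id', 'rcode', 'answers': [IPv4 strings]} from a DNS response."""
    qid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                          # skip question section
        off = _read_name(msg, off)[1] + 4        # name + QTYPE + QCLASS
    answers = []
    for _ in range(an):
        off = _read_name(msg, off)[1]
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:   # A record, IN class
            answers.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return {"id": qid, "rcode": flags & 0x000F, "answers": answers}

def resolve(name, server, timeout=3.0):
    """Query `server` over UDP/53 (needs network); rejects replies with the wrong ID."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server, 53))
        data = sock.recvfrom(4096)[0]
    reply = parse_response(data)
    if reply["id"] != struct.unpack("!H", query[:2])[0]:
        raise ValueError("reply ID does not match the query")
    return reply

if __name__ == "__main__":
    # 9.9.9.9 and 8.8.8.8 appear in the thread; add your ISP's resolver IP to compare.
    for server in ("9.9.9.9", "8.8.8.8"):
        print(server, resolve("www.mac-forums.com", server))
```

If the ISP is transparently redirecting port 53, every server in the list returns identical answers, including for a name that Quad9 itself would refuse.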

pm-r
12-16-2017, 07:45 PM
The Quad 9 service will not work for many... Why? Because your ISP expressly prohibits it.

Thanks for the info but I wish I understood all the details more, just like when I was trying to understand how some stuff works as in the article I was reading earlier:
“Suspicious” event routes traffic for big-name sites through Russia
https://arstechnica.com/information-technology/2017/12/suspicious-event-routes-traffic-for-big-name-sites-through-russia/




- Patrick
======

Cr00zng
12-16-2017, 11:55 PM
This -could- become more and more problematic across more providers if the repeal of Net Neutrality isn't prevented in some fashion. If providers are allowed to manipulate traffic more, the first step in that direction is a tighter control on DNS. That gives them the ability to turn www.netflix.com into something entirely different and land you on their servers instead. I'm not saying this is GOING to happen, I'm saying it's a risk.

Changing how Netflix is accessed isn't necessarily a bad thing for anyone. On the surface, yes it is; however, if you have some network information and knowledge of the plans to remediate congestion, it might not be a bad thing. For example.... About 60% of the internet traffic for the largest ISPs is for Netflix. Moving the Netflix media servers closer to the customers would free up the ISPs' internet bandwidth, in addition to doing the same for Netflix. This is a win-win scenario for the ISPs, their customers, and for Netflix. While there had been plans to do this, net neutrality prevented the actual implementation.

Will the ISPs proceed with the plans now and in the process increase fees for customers? Only time will tell, but my guess is yes, they will proceed, but initially there will be no charge to customers by either the ISPs or Netflix. Will there be additional charges once the protests, lawsuits, etc., have settled down? You bet, and it will be a money-making machine...


This exact situation is why Application layer firewalls are more useful now than ever, and more popular too. A network firewall can't do anything to protect against malware except to explicitly deny talking to an IP Address that is known to be spreading malware. And that might also block access to good content on the same site. An Application layer firewall can actually look at the -content- going back and forth and block based on what it sees at that level.

It's sort of akin to saying "No tractor trailers are allowed on this road" (network firewall) versus "No tractor trailers that are carrying 55 gallon drums of nuclear waste are allowed on this road" (application firewall). Deciding based on content is generally safer overall. And, Quad 9 provides a service that's much closer to the network firewall example.

Great example...

On my Windows system, the Windows firewall is controlling application access, not actual content, via the Windows Firewall Control (https://www.binisoft.org/) app. The firewall allows controlling apps' connectivity, both inbound and outbound. The "Medium Filtering (recommended)" setting blocks connections, apps or otherwise, unless explicitly allowed. The "High Filtering" setting blocks all inbound and outbound connections; it can be selected manually and, in addition, it's enabled at system startup and shutdown.

No, the Windows firewall is not an application firewall, but don't undersell the firewall yet. As long as the firewall rule set takes into account all of the apps that require internet access and blocks everything else, the firewall is still an integral part of protecting systems.

On the other hand, I certainly agree with you about the DNS comments. As ISPs monitor and now analyze more and more of the internet traffic, they are looking for ways of improving network performance without substantial capital investments. Keeping DNS queries internal will probably be one of the first "victims", as you've stated. There will be other changes that will be slowly but surely implemented in the back end, somewhat hidden from the customers. Most of them won't even notice; only people with a technical background will complain. But who listens to those nerds anyway, right? :Smirk::D

Cr00zng
12-17-2017, 01:56 AM
Thanks for the info but I wish I understood all the details more, just like when I was trying to understand how some stuff works as in the article I was reading earlier:
“Suspicious” event routes traffic for big-name sites through Russia
https://arstechnica.com/information-technology/2017/12/suspicious-event-routes-traffic-for-big-name-sites-through-russia/




- Patrick
======

Why Quad 9 will not work for most is simple... The ISPs will redirect Quad 9 DNS queries to their local DNS server. Doing so will save bandwidth on their internet connections. Yes, the ISP's DNS servers will send out the DNS query to the internet, but it's a single server and not hundreds of thousands of customers doing the same.

The bandwidth savings will come from locally caching the DNS server's query results and serving them up to the customers accessing the same sites. The ISP's DNS server already has the response in the cache; no need to query the internet. It's very similar to what the DNS client on your system does. It does not query www.mac-forums.com all the time when you browse this forum. The DNS client already has a resolution for that.

Could the ISPs' DNS servers utilize the Quad9 server for their queries? They absolutely could, but they probably won't. People who cannot access sites blacklisted by the Quad9 servers will call. Support is costly, and it's better to just allow the connection instead of blocking it.

The Arstech article about suspicious routing is more complex. The following may or may not be a simple explanation...;D

You have an address where you live and people know where to send mail to you. It is true that you gave them your address, including ZIP-code. The post office, UPS, FEDEX, etc., use the ZIP-code to route the mail to your town, where it is sorted by ZIP-code/address and delivered to you.

Let's say that a friend of yours is asked by someone where to send mail to you and he/she intentionally/unintentionally gives the wrong address and ZIP-code. In this case, the mail will end up at the wrong address.

Let's say that I live somewhere close by and go to your post office and pretend to be you. I'll ask for a change of address form for you and file it with the post office. Since the post office did not detect the false identity, it'll dutifully forward your mail to the address I specified in the form that could actually be my address.

In the case of the internet traffic, the Autonomous System (AS) is pretty much equivalent to ZIP-code. Except instead of street addresses, the AS deals with IP addresses.

The AS39523 in the article advertised through Border Gateway Protocol (BGP) the block of IPs; it claimed to know how to route requests to these IPs. Other routers on the internet with BGP enabled took notice of the new route and accordingly forwarded traffic for those IP addresses to AS39523's router. Once they got there, they were probably routed to the rightful destination, but in the meantime, all the packets flowing through the AS39523 router could have been captured and analyzed later.

Yes, that's how vulnerable the Autonomous System is. While there's a verification process for obtaining an AS number for a block of IP addresses, there's no verification process in place for changing the block of IP addresses the AS router advertises. If I own a small block of IPs and get an AS number and a BGP router, I can advertise a route for any block of IP addresses.

The AS39523 router advertisement could have been unintentional, a network administrator error, or intentional with a purpose. This is not the first, nor is it the last time an AS incorrectly claims to know how to route a block of IP addresses. But... Since it is an Autonomous System in Russia and given the current phobia in the US about Russia, everyone is convinced that this had been intentional. I am not convinced for a number of reasons...
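The route-selection behaviour described above can be modelled in a few lines. The following is an added example, not code from the thread or from the Ars article: a toy BGP best-path chooser that, without origin validation, accepts a bogus announcement for a prefix, and that rejects it once origins are checked against a registry of authorised (prefix, origin AS) pairs in the spirit of RPKI ROAs. Every prefix and every ASN other than 39523 is a constructed sample value, and whether the real event used a more-specific prefix is not stated in the thread; the model also simplifies the BGP decision process to longest prefix, then shortest AS path.

```python
"""Toy BGP route-selection model, added here as an example (not code from the thread or the
Ars article). Without origin validation the bogus announcement for a prefix wins; checking
the origin AS against a registry of authorised (prefix, origin) pairs, in the spirit of RPKI
ROAs, rejects it. Every prefix and every ASN except 39523 is a constructed sample value."""
import ipaddress

# Constructed registry of who may originate which prefix (RPKI-style ROAs).
ROAS = {
    ipaddress.ip_network("203.0.113.0/24"): {64500},   # "big-name site" prefix, real origin
    ipaddress.ip_network("198.51.100.0/24"): {64501},
}

def origin_valid(prefix, origin_as):
    """Valid only if a ROA covers `prefix` and lists `origin_as` as an allowed origin."""
    return any(prefix.subnet_of(roa) and origin_as in origins for roa, origins in ROAS.items())

def best_route(routes, dest_ip, validate=False):
    """Choose the route used for dest_ip. Longest matching prefix wins, then shortest AS
    path (a simplification of the BGP decision process; local preference etc. are omitted).
    routes: list of (prefix_str, as_path tuple); the origin AS is the last path element."""
    dest = ipaddress.ip_address(dest_ip)
    candidates = []
    for prefix_str, as_path in routes:
        prefix = ipaddress.ip_network(prefix_str)
        if dest not in prefix:
            continue
        if validate and not origin_valid(prefix, as_path[-1]):
            continue                       # origin not authorised: drop the announcement
        candidates.append((prefix.prefixlen, -len(as_path), prefix_str, as_path))
    if not candidates:
        return None
    _, _, prefix_str, as_path = max(candidates)
    return prefix_str, as_path

# Constructed table: a genuine route, a more-specific bogus announcement originated by
# AS39523 (longer AS path, yet it wins on prefix length), and an unrelated prefix.
ROUTES = [
    ("203.0.113.0/24", (64510, 64520, 64500)),
    ("203.0.113.0/25", (64511, 64512, 64513, 39523)),
    ("198.51.100.0/24", (64510, 64501)),
]

if __name__ == "__main__":
    print("no validation:  ", best_route(ROUTES, "203.0.113.10"))
    print("with validation:", best_route(ROUTES, "203.0.113.10", validate=True))
```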

Ember1205
12-17-2017, 04:50 PM
Changing how Netflix is accessed isn't necessarily a bad thing for anyone. On the surface, yes it is; however, if you have some network information and knowledge of the plans to remediate congestion, it might not be a bad thing. For example.... About 60% of the internet traffic for the largest ISPs is for Netflix. Moving the Netflix media servers closer to the customers would free up the ISPs' internet bandwidth, in addition to doing the same for Netflix. This is a win-win scenario for the ISPs, their customers, and for Netflix. While there had been plans to do this, net neutrality prevented the actual implementation.

Will the ISPs proceed with the plans now and in the process increase fees for customers? Only time will tell, but my guess is yes, they will proceed, but initially there will be no charge to customers by either the ISPs or Netflix. Will there be additional charges once the protests, lawsuits, etc., settled down? You bet and it will be a money making machine...



Your description of caching and its value is fine, but isn't related to what I was trying to say.

In order for a web browser to access particular content, it needs to know the IP Address of the destination server. Computers are great with numbers. People, not so much - we do better with names.

The conversion of names to numbers (URLs to IP Addresses) is done by DNS.

What I was saying is that your service provider typically just turns an address like www.netflix.com into the correct IP address so you can access the correct site. With the removal of Net Neutrality, your ISP will now be allowed to [legally] change your request into whatever it wants. They could give you the correct IP or they could change the name to something else entirely (like streaming.comcast.com) and force you to connect to THEIR streaming content server effectively breaking the Netflix application and making it impossible for you to reach content that you're paying for.

Cr00zng
12-18-2017, 11:42 AM
What I was saying is that your service provider typically just turns an address like www.netflix.com into the correct IP address so you can access the correct site. With the removal of Net Neutrality, your ISP will now be allowed to [legally] change your request into whatever it wants. They could give you the correct IP or they could change the name to something else entirely (like streaming.comcast.com) and force you to connect to THEIR streaming content server effectively breaking the Netflix application and making it impossible for you to reach content that you're paying for.
Even ISPs cannot just change a URL that they don't own to a URL that they do own. The only way I can see the redirection that you've stated is by adding an authoritative DNS record for Netflix on their DNS server. And that will land the ISP in legal trouble...

While I agree that repealing NN gives the ISPs somewhat more leverage in controlling what their customers can/cannot access, forcing/redirecting Netflix access to their streaming server(s) and breaking applications is not likely to take place. The more likely scenario is that access to Netflix will be blocked and ISPs will offer their own streaming services instead.

Ember1205
12-18-2017, 11:52 AM
Even ISPs cannot just change a URL that they don't own to a URL that they do own. The only way I can see the redirection that you've stated is by adding an authoritative DNS record for Netflix on their DNS server. And that will land the ISP in legal trouble...

While I agree that repealing NN gives the ISPs somewhat more leverage in controlling what their customers can/cannot access, forcing/redirecting Netflix access to their streaming server(s) and breaking applications is not likely to take place. The more likely scenario is that access to Netflix will be blocked and ISPs will offer their own streaming services instead.

How will it land them in trouble? With NN gone, the ISPs are allowed to manipulate traffic and that's exactly what they will claim they were doing. Look up "captive proxy" to see more about how they can simply grab the URL and land it anywhere they'd like.