DNS

mattg
Moderator
Posts: 21106
Joined: 2007-06-14 05:12
Location: 'The Outback' Australia

DNS

Post by mattg » 2019-11-02 22:58

From this thread - viewtopic.php?f=7&t=34523
(thanks to Katip for reminding us that there was an OP in that thread)

Dravion wrote:
2019-11-02 15:31
mattg wrote:
2019-11-02 14:50
Dravion wrote:
2019-11-02 08:17
A hosted DNS-Server with a limited Web config page isn't exactly the same thing as running your own DNS-Server
But NONE of these are REQUIRED to run a mailserver, even a secure mailserver
False.
I don't have an internal DNS, and I'm pretty comfortable with my server security - there is no perfect solution.
Dravion wrote:
2019-11-02 08:17
However, running your own DNS-Server can be necessary if you need specific features like DNSSEC, DNSv6, DANE, SRV Records, IPv6 Dualstack MX-Records, DNS response rate limiting, certain DNS cache poisoning mitigations, Reverse Zone entries and dozens of other features.
I don't have IPv6 available to me, I DO have SRV records available via my provider's portal, the only things I'd consider hosting my own DNS records for are DNSSEC and DANE.

These are certainly NOT REQUIRED.

Dravion wrote:
2019-11-02 15:31
For an internal LAN (Local Area Network) you need a DNS-Server as well. It's clear to me you like toys like consumer routers to manage internal DNS zones, but it's far away from best practices or a recommended procedure. With such low DNS skills for Local Area Network setups you would fail any Linux or Windows networking course. Even the bad Windows DNS-Server would be a better solution instead of using a cheap consumer router toy designed for inexperienced private home users.
This is completely full of OPINION being passed as fact.

There is no NEED to have a local DNS. For sure it is best practice, but best practice does not equate to NEED.

Why are you so hot under the collar about this issue?
What am I missing?
Just 'cause I link to a page and say little else doesn't mean I am not being nice.
https://www.hmailserver.com/documentation

SorenR
Senior user
Posts: 3826
Joined: 2006-08-21 15:38
Location: Denmark

Re: DNS

Post by SorenR » 2019-11-03 00:00

Most RBL's do not work well with public DNS servers "asking questions" so there's an argument for having your own caching DNS.

Some ('nix) NAS systems have DHCP and a DNS server that actually communicate, or you can use DHCP and DNS on a Windows Server; that way the server will manage DNS names. Anyway, as a business you would want your main "www.mydomain.com" to resolve regardless of whether you are "home" or on a business trip, so for that reason you need the internal DNS.

If you really want to host your own DNS then it's not really that difficult. You would want to set up a "Split Horizon" to cater for the FQDNs that are used both internally and externally.

https://en.wikipedia.org/wiki/Split-horizon_DNS

If I am not completely mistaken then my old Synology DS209+II could do something similar to a "Split Horizon" DNS in less than 5 minutes. Never bothered to try though, perhaps I should ;-)
SørenR.

“Those who don't know history are doomed to repeat it.”
― Edmund Burke

Post by mattg » 2019-11-03 04:15

SorenR wrote:
2019-11-03 00:00
If you really want to host your own DNS then it's not really that difficult. You would want to set up a "Split Horizon" to cater for the FQDN's that is used both internally and externally.
I agree

My point is that this is NOT NEEDED to run hMailserver.

katip
Senior user
Posts: 779
Joined: 2006-12-22 07:58
Location: Istanbul

Post by katip » 2019-11-03 06:13

We run HMS in an AD behind a Linux FW/Router (Untangle) connected to a 100Mb fiber WAN.
All LAN->WAN DNS queries (including those from the router's WAN interface) are done by our local DC.
All WAN-related DNS setup is at the registrar end (MX, A, SPF etc.).
This has been so for about 10 years.

Earlier, we were in a workgroup which was connected to the WAN through a proxy server. DNS was done by the ISP.

In either setup, I don't remember a particular DNS + HMS related issue.

At the home setup (which is a miniature of the office), I once even experimented with hosting my personal domain's DNS records on my DC. All was fine, but the idea of running a DNS open to queries from the WAN wasn't wise, obviously :wink:
Katip
--
HMS 5.7.0 x64, MariaDB 10.4.10 x64, SA 3.4.2, ClamAV 0.101.2 + SaneS

Post by SorenR » 2019-11-03 14:37

mattg wrote:
2019-11-03 04:15
SorenR wrote:
2019-11-03 00:00
If you really want to host your own DNS then it's not really that difficult. You would want to set up a "Split Horizon" to cater for the FQDN's that is used both internally and externally.
I agree

My point is that this is NOT NEEDED to run hMailserver.
I think you missed the point.

Most residential users only have one (1) IP address and are using a hosted DNS with an optional Dynamic DNS functionality to enable an online presence.

They do not really need a Private DNS - if it were not for the fact that most RBLs reject DNS lookups from the major ISPs due to the amount of traffic they generate, same with public DNSes like 4.4.4.4 and 8.8.8.8 from Google.

Running a Private DNS (local caching DNS) actually requires very little effort. Enable the thing on your NAS or Windows Server and set your DHCP to allocate the IP address of the server (most likely 192.168.0.??) as DNS server and that's it. When LAN clients are allocated an IP address via DHCP they are also allocated the IP address of your Private DNS. AND !! Unless you really FU'd they will never know the difference.

The main issue is however that YOUR subscriber IP address is used in the RBL DNS lookup and since - presumably - you have low traffic your lookup request will be asked and answered. That's WHY you need a Private DNS.

Hardcore private users and corporate installations will most likely use a "Split Horizon" DNS (merging your hosting DNS and Private caching DNS into one DNS) in order to maintain 112% control of their online/offline presence. Most DNS servers like BIND9 will enable you to do this relatively easily, but one false setting and you are "off the grid" and there is no one to blame but yourself !!

If you are a nerd, geek or suffer from OCD you would naturally configure both DNS servers (the one at your hosting company AND your Private DNS) to look and feel the same but address different IP addresses. I can promise you that the DNS at your hosting site will have 1 (maybe 2) A-records and a truckload of CNAMEs where your Private DNS will have plenty of A-records and very few CNAMEs. That is the result of NAT (network address translation) and PAT (port address translation).

Sometimes when running NAT you also have to decide if you want to use "Cone" or "Symmetric NAT". "Cone" is the general selection where "Symmetric NAT" is the most secure. Gaming works best with "Cone" :mrgreen:
I do not remember hearing about these terms until yesterday when I received my new Huawei B525s-23a 4G/LTE broadband modem (with fixed IP and port 25 open) as a replacement for my regular DSL. The equipment from my DSL ISP did not have the choice and neither did my Cisco ASA5505 firewall.

I have by the way upgraded my connection speed from 15/1 Mbps (ADSL with Pair Bonding) to 75/45 Mbps over 4G/LTE (those are maximum speeds btw.). I live "out where the crows bring their own food" close to the sea where PSTN is the norm and "fiber" is a thing in your muscles. I will need to install an external 4G/LTE antenna to perfect the signal but pings are 16-22 ms so everything works as expected.
I get 5 times higher speeds, fixed IP, open ports and 1 terabyte of data per month - and pay less... Life is good :mrgreen:
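
The RBL point in the post above (a lookup that arrives at the list via a public resolver is answered with an error code rather than a listing) is easy to get wrong in a mail filter that treats "any answer = listed". Here is an added example, written for this thread and not code from hMailServer or from any participant, that builds the RBL query name for IPv4 and IPv6 and decodes the answer so that error codes and listings are kept apart. It assumes zen.spamhaus.org and the return codes Spamhaus documents for that zone (other lists use their own codes); the FAKE_ANSWERS table is constructed so the example runs offline.

```python
"""DNSBL (RBL) lookup helper.

Added example for this thread, not code from hMailServer or from any forum
participant. It builds the RBL query name for IPv4 and IPv6 addresses and
decodes the answer so that an RBL *error* code, such as the one Spamhaus
returns when the query arrives via a public or open resolver, is not
mistaken for a listing. Return codes are the ones Spamhaus documents for
zen.spamhaus.org (assumption: you use that zone; other RBLs differ).
"""
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

Resolver = Callable[[str], List[str]]

# Listing codes (127.0.0.x) for zen.spamhaus.org.
LISTING_CODES: Dict[str, str] = {
    "127.0.0.2": "SBL: direct spam source",
    "127.0.0.3": "SBL CSS: snowshoe or compromised sender",
    "127.0.0.4": "XBL: exploited host / botnet member",
    "127.0.0.9": "SBL DROP/EDROP: hijacked or rogue netblock",
    "127.0.0.10": "PBL: ISP end-user range, no direct mail expected",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user range",
}

# Error codes (127.255.255.x): the zone answered, but this is NOT a listing.
ERROR_CODES: Dict[str, str] = {
    "127.255.255.252": "typing error in the DNSBL zone name",
    "127.255.255.254": "query came via a public/open resolver; use a local one",
    "127.255.255.255": "excessive query volume from this resolver",
}


def dnsbl_query_name(ip: str, zone: str) -> str:
    """4.3.2.1.zone for IPv4; the 32 hex nibbles reversed, one per label, for IPv6."""
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        labels = reversed(str(addr).split("."))
    else:
        labels = reversed(addr.exploded.replace(":", ""))
    return ".".join(labels) + "." + zone


def system_resolver(name: str) -> List[str]:
    """Resolve through the OS stub resolver; NXDOMAIN (not listed) is an empty list."""
    try:
        return socket.gethostbyname_ex(name)[2]
    except socket.gaierror:
        return []


def check_dnsbl(ip: str, zone: str = "zen.spamhaus.org",
                resolve: Resolver = system_resolver) -> Dict[str, object]:
    """Query one RBL and keep 'listed' apart from 'the RBL refused to answer'."""
    name = dnsbl_query_name(ip, zone)
    reasons: List[str] = []
    error: Optional[str] = None
    for answer in resolve(name):
        if answer in ERROR_CODES:
            error = ERROR_CODES[answer]
        elif answer.startswith("127.0.0."):
            reasons.append(LISTING_CODES.get(answer, "unknown code " + answer))
        else:
            # Outside 127.0.0.0/8 it is not an RBL answer at all; a typical cause
            # is an ISP resolver that rewrites NXDOMAIN into an ad-page address.
            error = "unexpected answer " + answer
    return {"query": name, "listed": bool(reasons), "reasons": reasons, "error": error}


# Constructed answers standing in for the network so the example runs offline.
FAKE_ANSWERS: Dict[str, List[str]] = {
    "10.2.0.192.zen.spamhaus.org": ["127.0.0.4", "127.0.0.10"],  # listed (XBL + PBL)
    "99.2.0.192.zen.spamhaus.org": [],                           # not listed
    "1.2.0.192.zen.spamhaus.org": ["127.255.255.254"],           # asked via a public resolver
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


def should_reject(ip: str, resolve: Resolver = fake_resolver) -> bool:
    """Policy: reject only on a real listing; on an RBL error, fail open and log it.

    Treating 'any A record' as a listing would reject every sender the moment
    the RBL starts returning 127.255.255.254 to your public resolver.
    """
    verdict = check_dnsbl(ip, resolve=resolve)
    if verdict["error"]:
        print("RBL error for %s (%s): %s" % (ip, verdict["query"], verdict["error"]))
        return False
    return bool(verdict["listed"])


if __name__ == "__main__":
    for sender in ("192.0.2.10", "192.0.2.99", "192.0.2.1"):
        print(sender, "reject" if should_reject(sender) else "accept")
    # Swap in system_resolver to query the real zone through your own caching DNS.
```

If your mail server lets you set the expected RBL result (hMailServer's DNS blacklist settings do), make it match the listing codes only, never a wildcard that also matches 127.255.255.x, and point the machine's resolver at your local caching DNS rather than at a shared public one.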

jimimaseye
Moderator
Posts: 8777
Joined: 2011-09-08 17:48

Post by jimimaseye » 2019-11-03 22:55

I think there is another point being missed here. The original thread (and subsequent DNS discussion) was about it being needed to run a basic mail server, i.e. sending and receiving emails. Arguably, RBLs (that benefit from local DNS servers) are for anti-spam measures just as SpamAssassin is (which also benefits from local DNS). But to simply run a basic mail server you do not need local DNS servers. After all, why would you need a local DNS server to send emails? You wouldn't. And if you don't care about spam and choose to accept all incoming email (and don't bother with anti-spam measures) then again you wouldn't need a local DNS server.

[Entered by mobile. Excuse my spelling.]
5.7 on test.
SpamassassinForWindows 3.4.0 spamd service
AV: Clamwin + Clamd service + sanesecurity defs : https://www.hmailserver.com/forum/viewtopic.php?f=21&t=26829

Post by mattg » 2019-11-04 01:38

SorenR wrote:
2019-11-03 14:37
Running a Private DNS (local caching DNS) actually require very little effort.
Agreed, and I do this
SorenR wrote:
2019-11-03 14:37
... That's WHY you need a Private DNS...
Again, that word NEED

That's why a private DNS is useful
That's one reason where you COULD use a DNS
That's not the ONLY reason where you COULD use a local DNS

However the DNS is NOT NEEDED to run hmailserver. hMailserver works perfectly fine WITHOUT a local DNS

Dravion
Senior user
Posts: 1688
Joined: 2015-09-26 11:50
Location: Germany

Post by Dravion » 2019-11-04 08:10

Any modern operating system has a built-in DNS resolver subsystem with caching capabilities.
In most cases they only implement a subset of features, but in all cases they work very well.

On Windows you can display your local DNS resolver settings with netsh dnsclient and flush the DNS cache with ipconfig /flushdns

nitro
Normal user
Posts: 36
Joined: 2018-11-08 16:31
Location: Spain

Post by nitro » 2019-11-04 13:06

I have been using HMailserver for years on a VPS server without a local DNS. I use the DNS server of my domain registrar.

On another server located in my office I use local DNS.

I think that before deciding whether or not to use a local DNS server, other questions should be asked.

Will hMailServer be used on a local computer or in a VPS?
If used on a local computer:
How many client computers will use the mail service on the same network?

It may be easier to modify the hosts file of three computers than to configure a split horizon DNS server.

There is no suitable and exact answer to the generic question of whether it is necessary to configure a local DNS server to use HMailserver or any other service that requires DNS resolution.
Production 5.6.8-B2489.22.RvDH W.Server 2016 Datace [2x Intel Xeon E5-2660 8GB RAM]
Staging 5.7-B2490 W.Server 2008 R2 Stand [Intel Pentium 4 4GB RAM]

Post by Dravion » 2019-11-04 18:05

nitro wrote:
2019-11-04 13:06
There is no suitable and exact answer to the generic question of whether it is necessary to configure a local DNS server to use HMailserver or any other service that requires DNS resolution.

Yeah, but using an IoT device like a cheap broadband router for DNS on a business network is almost criminal.
Such toys get hacked every day and will be abused in worldwide DDoS bot attacks without the owners' knowledge.
You also put your clients at high risk of getting infiltrated, scammed and hacked.

That's the worst thing a so called "IT-Expert" can do.

Post by SorenR » 2019-11-04 18:44

Dravion wrote:
2019-11-04 18:05
nitro wrote:
2019-11-04 13:06
There is no suitable and exact answer to the generic question of whether it is necessary to configure a local DNS server to use HMailserver or any other service that requires DNS resolution.

Yeah, but using an IoT device like a cheap broadband router for DNS on a business network is almost criminal.
Such toys get hacked every day and will be abused in worldwide DDoS bot attacks without the owners' knowledge.
You also put your clients at high risk of getting infiltrated, scammed and hacked.

That's the worst thing a so called "IT-Expert" can do.
I do it ... IT Expert for over 30 years - Started with IBM mainframes and worked my way down ... I know networks, firewalls, routers, Dial-up, Pre-/Postpaid VoIP and PSTN. I can even do the cabling and terminate fiberoptics :mrgreen:

First real security issue I managed, safely hidden behind Kerio WinRoute Firewall on a laptop with two PCMCIA LAN cards, I used a locked down IIS on Windows NT to fight Code Red when it broke out until it became illegal. Never had security breached, never had SQL or web hijacked. Followed Steve Gibson (grc.com) for many years until the "tinfoil hat" thing became too much.

Post by Dravion » 2019-11-04 21:48

Mainframes with Token Ring or a limited LAN with NetBIOS or Novell IPX are a completely different thing than TCP/IP ISO layers, and it gets even more complex with IPv6 in WAN network scenarios like an always-on and public Internet.

Even a limited script kiddie can nowadays download and install Kali Linux, which has all the recon and exploit tools prepared for action by default. You only need something like Metasploit and your toy router info and it's on.

Your internal network is fully visible, any traffic passing your device in and out is visible, can be redirected or manipulated. Automated and scripted attacks are running day and night. It's only a matter of time.

Post by SorenR » 2019-11-04 23:38

Dravion wrote:
2019-11-04 21:48
Mainframes with Token Ring or a limited LAN with NetBIOS or Novell IPX are a completely different thing than TCP/IP ISO layers, and it gets even more complex with IPv6 in WAN network scenarios like an always-on and public Internet.

Even a limited script kiddie can nowadays download and install Kali Linux, which has all the recon and exploit tools prepared for action by default. You only need something like Metasploit and your toy router info and it's on.

Your internal network is fully visible, any traffic passing your device in and out is visible, can be redirected or manipulated. Automated and scripted attacks are running day and night. It's only a matter of time.
Well... The only safe network is a disconnected network. You cannot host services and not be visible ... Think about it ! OR use the DMZ function that most routers have ... :wink:

Token-Ring and Novell IPX are things of the 90's. NetBIOS is a non-routable protocol, and if you layer it on TCP/IP most ISPs block ports 137 udp/tcp, 138 udp, 139 tcp and 445 udp/tcp. Usually why you need an IPSEC VPN for remote workplaces.

Anyways, you don't know if my NAT connection is "Symmetric NAT" or "Cone" based so you have to guess the ports used by the connection on both sides of the NAT router to gain access - and then there is the matter of the firewall. How do you know which ports are allowed inbound or outbound?

You could send me an email and have me click on it but that would be cheating and you hacking my network from the inside out ... Like how CIA/NSA and the Israelis infiltrated the Iranian nuclear plants with Stuxnet ... That will only work once in my book :mrgreen:

Post by SorenR » 2019-11-04 23:49

Actually there is one security risk not mentioned yet...

HOMO SAPIENS

They are the biggest security risk in Cyberspace by far! Eliminate them and you are safe.

https://www.getgds.com/resources/blog/c ... ts-in-2019

Post by mattg » 2019-11-04 23:56

SorenR wrote:
2019-11-04 23:38
How do you know which ports are allowed inbound or outbound?
As Dravion says Kali Linux in default mode will find all inbound ports and what service is behind them pretty quickly.


I get multiple IPs per day that try SMTP connections on my server via a custom port? How do they know which port and what service to try?

Post by SorenR » 2019-11-05 00:11

mattg wrote:
2019-11-04 23:56
SorenR wrote:
2019-11-04 23:38
How do you know which ports are allowed inbound or outbound?
As Dravion says Kali Linux in default mode will find all inbound ports and what service is behind them pretty quickly.


I get multiple IPs per day that try SMTP connections on my server via a custom port? How do they know which port and what service to try?
So will Shields Up from grc.com :mrgreen:

https://www.grc.com/x/ne.dll?bh0bkyd2

Only guy I know that writes windows software using assembler :shock:

palinka
Senior user
Posts: 2178
Joined: 2017-09-12 17:57

Post by palinka » 2019-11-05 02:03

mattg wrote:
2019-11-04 23:56
I get multiple IPs per day that try SMTP connections on my server via a custom port? How do they know which port and what service to try?
Firewall Ban those suckers!!! :mrgreen:

That's what I do.

Post by palinka » 2019-11-05 02:11

SorenR wrote:
2019-11-04 23:38
You could send me an email and have me click on it but that would be cheating and you hacking my network from the inside out ... Like how CIA/NSA and the Israeli infiltrated the Iranien nuclear power plants with Stuxnet ... That will only work once in my book :mrgreen:
Didn't someone break in and physically install stuxnet using a thumb drive? That won't work even once in my book. Dogs and guns, my friend.... :mrgreen:

Post by Dravion » 2019-11-05 03:23

Yeah, it's not an easy one to secure your systems.

Using alternative ports can be useful for specific services like
Teamviewer/RDP or Linux SSH remote access. This is because the attacking scripts are trying to send some specific TCP packets and they are dependent on a response by the attacked port and the network software behind it (for example hMailServer SMTP). If you have Wireshark installed you can see what a simple EHLO SMTP command can already expose, but you cannot avoid EHLO if you want to run an SMTP server.

This is why a DNS-Server is important:
The BIND DNS-Server for example has several tricks to stop an attacker already at the DNS level. For example: it can ignore DNS MX NSLOOKUP commands to determine the MX in charge for blacklisted domains or DNS-Servers used by the attacker only, or it allows only a specific amount of DNS lookups from a specific IP for a period of time, which helps to mitigate DNS amplification attacks, a type of attack to DDoS and slow down or shut down network services like SMTP/POP3 or IMAP.

Firewalling and DMZ is a different beast and a very large one. IMHO the Windows Firewall sucks because it can only grant and deny access. More advanced firewalls can inspect and decide what to do with a suspicious data packet,
or are connected to an artificial intelligence system which can learn and react to specific attack patterns and block the attacker's IP.
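
Two earlier points in this thread, SorenR's "Split Horizon" setup (one server answering the LAN with private addresses and the Internet with public ones) and the BIND rate limiting Dravion describes just above, fit in a single BIND 9 configuration. The fragment below is an added example, not configuration from the thread, from hMailServer or from any participant; it assumes BIND 9.10 or later, a LAN of 192.168.0.0/24, the placeholder domain example.com and placeholder zone file paths.

```conf
// named.conf fragment for BIND 9 (9.10+): split horizon plus response rate limiting.
// Added example; addresses, zone name and file paths are placeholders.

acl "lan" { 192.168.0.0/24; 127.0.0.1; };

options {
    directory "/var/cache/bind";
    // Recursion (RBL lookups, MX lookups, everything the mail server asks for)
    // is served to the LAN only. The public side gets authoritative answers only,
    // so there is no open resolver and no cache for outsiders to poison.
    allow-recursion { "lan"; };
    allow-query-cache { "lan"; };
    dnssec-validation auto;
    // Response rate limiting: identical answers to one client /24 are capped,
    // so the server cannot be used as a DNS amplification reflector.
    rate-limit {
        responses-per-second 10;
        window 5;
        slip 2;   // every 2nd dropped answer is sent truncated, forcing a TCP retry
    };
};

// Views are matched top to bottom: LAN clients hit "internal", everyone else "external".
view "internal" {
    match-clients { "lan"; };
    recursion yes;
    zone "example.com" {
        type master;
        // Internal copy: mail.example.com A 192.168.0.10, www.example.com A 192.168.0.20
        file "/etc/bind/db.example.com.internal";
    };
};

view "external" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        // Public copy: the same names, with MX and A records pointing at the public address
        file "/etc/bind/db.example.com.external";
    };
};
```

Because, as SorenR says, one false setting puts you "off the grid", verify before changing DHCP: run named-checkconf and named-checkzone on both zone files, then dig the same name against the server from a LAN host and from outside and confirm each side sees its own address, and that an outside query for an unrelated name (dig @your-public-ip google.com) comes back REFUSED rather than answered. None of this is required by hMailServer itself, which works with whatever resolver the machine is given.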

Post by nitro » 2019-11-06 10:52

It is true, but I consider that it lacks a logical proportion if what is desired is to set up a mail server for a small business with five email accounts.
You would be surprised how many times I have encountered Zyxel or Cisco hardware firewalls badly configured, using a path, or servers located within the LAN instead of the DMZ. All this after spending hundreds of dollars / euros / crowns for nothing; anyone with a $150-200 router can get acceptable security for their home or small business environment.

Post by Dravion » 2019-11-06 11:23

nitro wrote:
2019-11-06 10:52
anyone with a $ 150-200 router can get acceptable security for their home or small business environment
I don't think so.

Large list with vulnerable Routers

https://www.symantec.com/blogs/threat-i ... ot-malware

https://routersecurity.org/bugs.php

This list is far from complete:

Asus RT-AC66U
Asus RT-N10
Asus RT-N10E
Asus RT-N10U
Asus RT-N56U
Asus RT-N66U


D-Link DES-1210-08P
D-Link DIR-300
D-Link DIR-300A
D-Link DSR-250N
D-Link DSR-500N
D-Link DSR-1000
D-Link DSR-1000N


Huawei HG8245


Linksys E1200
Linksys E2500
Linksys E3000
Linksys E3200
Linksys E4200
Linksys RV082
Linksys WRVS4400N


MikroTik CCR1009
MikroTik CCR1016
MikroTik CCR1036
MikroTik CCR1072
MikroTik CRS109
MikroTik CRS112
MikroTik CRS125
MikroTik RB411
MikroTik RB450
MikroTik RB750
MikroTik RB911
MikroTik RB921
MikroTik RB941
MikroTik RB951
MikroTik RB952
MikroTik RB960
MikroTik RB962
MikroTik RB1100
MikroTik RB1200
MikroTik RB2011
MikroTik RB3011
MikroTik RB Groove
MikroTik RB Omnitik
MikroTik STX5


Netgear DG834
Netgear DGN1000
Netgear DGN2200
Netgear DGN3500
Netgear FVS318N
Netgear MBRN3000
Netgear R6400
Netgear R7000
Netgear R8000
Netgear WNR1000
Netgear WNR2000
Netgear WNR2200
Netgear WNR4000
Netgear WNDR3700
Netgear WNDR4000
Netgear WNDR4300
Netgear WNDR4300-TN
Netgear UTM50


QNAP TS251
QNAP TS439 Pro
Other QNAP NAS devices running QTS software


TP-Link R600VPN
TP-Link TL-WR741ND
TP-Link TL-WR841N


Ubiquiti NSM2
Ubiquiti PBE M5

Post by Dravion » 2019-11-06 11:24

nitro wrote:
2019-11-06 10:52
anyone with a $ 150-200 router can get acceptable security for their home or small business environment
I don't think so.


https://www.symantec.com/blogs/threat-i ... ot-malware
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck.
https://routersecurity.org/bugs.php


Protocol used by 630,000 devices can be abused for devastating DDoS attacks
https://www.zdnet.com/article/protocol- ... s-attacks/


Post by nitro » 2019-11-06 11:46

I reaffirm: with that price you can get a Cisco router, for example. In that list there are very few devices and brands compared to the total. It is anecdotal.

I will go on Amazon and look for the words CISCO and router. I am sure that any router in that price range is not easily vulnerable.

Post by SorenR » 2019-11-06 16:31

Dravion wrote:
2019-11-06 11:23
nitro wrote:
2019-11-06 10:52
anyone with a $ 150-200 router can get acceptable security for their home or small business environment
I don't think so.
You are entitled to your opinion ... I just wish you would stop crying "wolf" all the time... Yes, some DSL routers are vulnerable, but so what. How many "innocent" subscribers do you think they need to try until they find one worth stealing from, and would "they" really bother doing it?

0-day vulnerabilities and such are usually kept secret as they are used in targeted attacks (for ransom or by governments), not simply for probing the entire world, and when someone discloses them the world becomes aware ... but nothing really changes - you may get an updated firmware for your gear but that's it. Life goes on unaffected. Just pray you DO have a current backup if one of your users acts stupid and gets a virus or some malware.

Actually, using 10+ year old equipment may actually be the most secure as no one knows how to hack it anymore :mrgreen:

Oh yes... Real life experience from the horse's mouth ;-)
https://www.zdnet.com/article/ransomwar ... ya-attack/

Post by Dravion » 2019-11-06 17:42

SorenR wrote:
2019-11-06 16:31
You are entitled to your opinion ...
You 2.

Post by mattg » 2019-11-07 00:00

Dravion wrote:
2019-11-06 11:24
https://www.symantec.com/blogs/threat-i ... ware
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck.
Personally, my opinion is that I wouldn't trust Symantec to tell the truth, especially when they sell a product in support of their argument

That long list of routers, is that before patches are applied and firmware updated, or is that current for latest firmware...And also what has to happen to get on that list?

That DDOS article specifically talks about LOCAL devices...

Post by palinka » 2019-11-07 02:25

mattg wrote:
2019-11-07 00:00
Dravion wrote:
2019-11-06 11:24
https://www.symantec.com/blogs/threat-i ... ware
If you care about the security of your router, and you should, it is best to avoid consumer grade routers. On the whole, the software in these routers is buggy as heck.
Personally, my opinion is that I wouldn't trust Symantec to tell the truth, especially when they sell a product in support of their argument

That long list of routers, is that before patches are applied and firmware updated, or is that current for latest firmware...And also what has to happen to get on that list?

That DDOS article specifically talks about LOCAL devices...
Anecdotally, I've been thinking about getting a new router and one at the top of my list is a mikrotik, which appears many times on the list. There was a vulnerability (even written about at spamhaus.org) that was patched a long time ago. It seems that its pretty safe after updating firmware. Probably most on the list are like that.

Post by Dravion » 2019-11-07 08:14

That long list of routers, is that before patches are applied and firmware updated, or is that current for latest firmware...And also what has to happen to get on that list?
This is the next problem with consumer grade routers: firmware updates are not always available, and in lots of cases the router companies don't issue firmware patches at all, even if they are aware of a security problem.

It's also important to study long-term firmware support policy and compare which company produces the least buggy products.

Post by SorenR » 2019-11-07 12:08

Well... Some of this gear is carrier grade and pretty damn expensive...

https://tools.cisco.com/security/center ... nListing.x

Regarding firmware... xDSL residential customers in Denmark cannot use other equipment than the box provided by the ISP/ITSP.
They can configure a DMZ and put their own gear on the DMZ but that's it. Firmware updates are done by the ISP/ITSP without prior notice.

Post by palinka » 2019-11-07 13:34

SorenR wrote:
2019-11-07 12:08
Well... Some of this gear is carrier grade and pretty damn expensive...

https://tools.cisco.com/security/center ... nListing.x

Regarding firmware... xDSL residential customers in Denmark cannot use other equipment than the box provided by the ISP/ITSP.
They can configure a DMZ and put their own gear on the DMZ but that's it. Firmware updates are done by the ISP/ITSP without prior notice.
DSL is dead. Copper wire was abandoned years ago. Everything is fiber or 4g wireless now. Even in rural farmland Denmark. :mrgreen: Of course there are no options for private DSL modems/routers.

Post by SorenR » 2019-11-07 15:20

palinka wrote:
2019-11-07 13:34
SorenR wrote:
2019-11-07 12:08
Well... Some of this gear is carrier grade and pretty damn expensive...

https://tools.cisco.com/security/center ... nListing.x

Regarding firmware... xDSL residential customers in Denmark cannot use other equipment than the box provided by the ISP/ITSP.
They can configure a DMZ and put their own gear on the DMZ but that's it. Firmware updates are done by the ISP/ITSP without prior notice.
DSL is dead. Copper wire was abandoned years ago. Everything is fiber or 4g wireless now. Even in rural farmland Denmark. :mrgreen: Of course there are no options for private DSL modems/routers.
I wish...

Playing with "dead gateways". I have ...:
- 192.168.0.254 (Metric 1) = xDSL Router with Fixed IP, Open port 25 and Custom rDNS.
- 192.168.0.252 (Metric 2) = 4G Router with Fixed IP, Open port 25.

Both gateways are validated with pbl.spamhaus.org.

Enable on ALL interfaces
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"DeadGWDetectDefault"=dword:00000001

Enable on specific interface (I deleted these on my box due to above setting)
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{0161AFC1-2912-4966-9581-D620D40BD127}]
"EnableDeadGWDetect"=dword:00000001

For this purpose it is nice to have a local DNS :mrgreen:
