Man, Sometimes This Stuff Is Just Weird...


Jud


The way the OS handles these transactions matters the most IMO. Take Windows 10 and compare it to a flavor of Linux properly configured using the low latency kernel.

The speed of the Linux box can be freaky in comparison. The front page of ESPN or the Weather Channel will load in less than a second for me; don't need much better than that. Those pages are just bloated with ad content. That's using the latest release of Ubuntu Studio, onboard Ethernet, a several year old processor, and a pretty janky Linksys router. Using Comcast for DNS.

Link to comment
38 minutes ago, John Dyson said:

I consider needing an extra external network transaction as being a point of failure or congestion. If a caching server fails (so easy to fire up on machines nowadays, and Windows already does the caching -- must be simple), then there are problems that would probably make using a WWW browser impractical :-).

It's the opposite. The transaction is trivial given normal bandwidth/latency, thus making the whole WWW thing even more practical than it was 20 years ago when local DNS caching was actually needful in many situations.

 

42 minutes ago, John Dyson said:

It is just SO easy to put together a caching server if you already have some kind of server on the network, and under Linux or whatever -- it is trivial. Under Windows, I think that one needs to disable the local caching server if you don't want it (AFAIR.)

Easy does not make it necessary or even wise. Besides, @Jud low powered, poorly programmed, cheap as China home networking gear was trying to play this role - not a desktop OS.

 

44 minutes ago, John Dyson said:

 

Also, a local DNS server shouldn't be a local point of failure -- the system (properly designed) goes off and grabs another source if there is a problem. The major time where there is a problem is when there are problems with the root servers and then problems propagate down, but I seem to remember that (roots having connectivity problems) has been mitigated. I'd suspect that organizations like Comcast might even fake themselves as root servers? The internet is still the wild west in a lot of ways.

Right, so why would it be wise for the "average" home network and non-technical user to want to wade into this - with equipment that is far worse/less reliable than the upstream ISP equipment, to say nothing of Google's DNS infrastructure (or the other choices available)?

Barring the oddity in ISP service, 99.99999999% of home users don't need to be caching DNS for any reason, no matter how easy it is. Sure, if they want to play around, poke, hack, learn, etc. Still, I hope no "average" home user reads this thread and gets the idea that local caching will be anything other than fun and games - or worse, that it will somehow improve their audio experience.... 😋

On the other hand, you folks with a teenager who think your "safe" browsing app is anything more than a DNS service redirect, and that your teenager did not figure out how to get around it in 2.3 seconds....perhaps you need to play around a bit and become aware of some basic Internet wonkery...

Hey MQA, if it is not all $voodoo$, show us the math!

Link to comment
32 minutes ago, crenca said:

 

It's the opposite. The transaction is trivial given normal bandwidth/latency, thus making the whole WWW thing even more practical than it was 20 years ago when local DNS caching was actually needful in many situations.

Easy does not make it necessary or even wise. Besides, @Jud low powered, poorly programmed, cheap as China home networking gear was trying to play this role - not a desktop OS.

Right, so why would it be wise for the "average" home network and non-technical user to want to wade into this - with equipment that is far worse/less reliable than the upstream ISP equipment, to say nothing of Google's DNS infrastructure (or the other choices available)?

Barring the oddity in ISP service, 99.99999999% of home users don't need to be caching DNS for any reason, no matter how easy it is. Sure, if they want to play around, poke, hack, learn, etc. Still, I hope no "average" home user reads this thread and gets the idea that local caching will be anything other than fun and games - or worse, that it will somehow improve their audio experience.... 😋

On the other hand, you folks with a teenager who think your "safe" browsing app is anything more than a DNS service redirect, and that your teenager did not figure out how to get around it in 2.3 seconds....perhaps you need to play around a bit and become aware of some basic Internet wonkery...

But, your Windows box has a caching server built in (AFAIR.) It is very likely that anyone running a recent version of Windows hasn't really been without a caching server. On Linux (AFAIR), it all depends on the distribution, but I would make sure that one is running.

Run with the caching servers disabled -- then do the comparison. I have always liked one running.

There just is ZERO downside -- really.

Now, web proxy caches do tend to be less useful -- content is too variable nowadays, and there ARE invalidation issues with those. (You have to program timeouts and depend on some things that aren't always supported in WWW sites.) I used to use a squid proxy also -- but the WWW browsers already do good enough.

John

Link to comment
3 minutes ago, John Dyson said:

But, your Windows box has a caching server built in (AFAIR.)

John

Right. Back in the olden days with Windows NT (both server and desktop), "ipconfig /flushdns" was basic network fix stuff. I have long forgotten what the persistence of this cache was (and is).

Still, this is not the same as setting up a DNS "caching server" with your cheap-ass chi-fi home networking crap gear in the modern situation of ISP DNS service (or Goggles, or...) which is fast as hell and has an uptime several orders of magnitude greater than whatever you can pull off with your China Net gear like Jud sort of stumbled into 😋 🤣

 

Hey MQA, if it is not all $voodoo$, show us the math!

Link to comment
18 minutes ago, crenca said:

 

Right. Back in the olden days with Windows NT (both server and desktop), "ipconfig /flushdns" was basic network fix stuff. I have long forgotten what the persistence of this cache was (and is).

Still, this is not the same as setting up a DNS "caching server" with your cheap-ass chi-fi home networking crap gear in the modern situation of ISP DNS service (or Goggles, or...) which is fast as hell and has an uptime several orders of magnitude greater than whatever you can pull off with your China Net gear like Jud sort of stumbled into 😋 🤣

They are essentially the same thing (machine local and on your main server.) The original reason (still valid) for the caching servers is that they would be used when there were multiple machines on the network, and since I am likely to have a server anyway when I have multiple machines, a caching server is a freebie. (DNS caching is already machine-locally active.)

Using a caching server on a garbage box -- the person is already dealing with garbage of some kind anyway... I am speaking of a real DNS server -- machine local or a server that also does DNS.

All of the 'disadvantages' of a caching server are already manifest on the existent machine local caching servers -- so there is no downside. A nice thing about DNS (from day one) is that if it doesn't get a UDP packet back right away -- if a zone request hasn't been done, then it goes on to the next source -- lickety-split... If you are running on a primitive (kind of 'slave') Unix system, then failure is even handled there with the list of 3 servers -- FAILURE HAS ALREADY BEEN CONSIDERED

DNS was designed to be 'caching' for many years (since at least the early 1990s.) Again -- ZERO disadvantage to having one. It only provides advantages -- your server for other things is already online. No biggie, right?

Isn't this a # angels on the head of a pin? I say essentially zero cost, then why not (the disadvantages are already manifest, if ANY - which are essentially none, and failure modes are already handled.)

The arguments that I have seen against DNS servers ARE valid for WWW proxy servers, but not DNS.

John

 

 

Link to comment

Explaining the beta features of the eero system: https://blog.eero.com/introducing-eero-labs-building-future-home-wifi/

 

The other couple of beta features have always worked great (along with all the standard ones).  Most of the time the DNS caching works just fine, but there've been a couple of times in the past year I've used it that it's caused a problem.  I'm guessing we're dealing with a software bug here.

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Link to comment
41 minutes ago, BrokeLinuxPhile said:

Another tactic is use plugins like uBlock Origin

 

Yes, pleased with uBlock Origin. Stays out of the way and quietly does its job.

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Link to comment

Hate to say it bro, but have you got something like Bitdefender's Box2 or Netgear's Armor running on the router? 

If not, you need to look into that. Sounds to me like someone tried to pull an old fashioned DNS poison run on your home network. A couple hundred bucks a year for point defense against stuff like that is really worth it. 

 

I really really get annoyed with those wannabe hacker people. I mean, I understood fending off 20K attacks a day at the office, that even through Level-3 filtering.

But I get 20-30 silly people attempting to get into my network here at home every day. I really like Armor. It is not, of course, my only defense, but so far, nobody has managed to burn through it, at least not successfully. Managed to get the router fouled up enough to have to reboot it. Once.

Oh wait, that was me foolishly challenging some friends who break into systems for a living. And they had a bit of "inside information." 🙄

 

-Paul 

 

 

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment
1 hour ago, Paul R said:

Hate to say it bro, but have you got something like Bitdefender's Box2 or Netgear's Armor running on the router? 

If not, you need to look into that. Sounds to me like someone tried to pull an old fashioned DNS poison run on your home network. A couple hundred bucks a year for point defense against stuff like that is really worth it. 

 

I really really get annoyed with those wannabe hacker people. I mean, I understood fending off 20K attacks a day at the office, that even through Level-3 filtering.

But I get 20-30 silly people attempting to get into my network here at home every day. I really like Armor. It is not, of course, my only defense, but so far, nobody has managed to burn through it, at least not successfully. Managed to get the router fouled up enough to have to reboot it. Once.

Oh wait, that was me foolishly challenging some friends who break into systems for a living. And they had a bit of "inside information." 🙄

-Paul

Ok Paul, so I've been wondering about this, I have one of the NetGear Armor supported Orbi systems. What the heck is it and how does it work?

No electron left behind.

Link to comment
1 hour ago, AudioDoctor said:

What the heck is it and how does it work?

 

It's the more expensive, and possibly not quite as good, but probably easier to use version of Sophos' UTM or pfSense+Suricata (or pfSense + SecurityOnion if you feel like doing things by the book and have nothing better to do with your life than nerd around) 😉.

Essentially, those things are "smart" firewalls that do firewall stuff like block everything they shouldn't, which is the usual firewall stuff, but then also look at everything that goes in and out of your network, and let you know if there are suspicious patterns. It works by replacing the box your ISP provides with a rather more powerful machine, and it works pretty well.

If you're not willing to invest quite a bit of time and possibly money for hardware (these require rather powerful machines), or have little to no interest in this stuff, Paul R's suggestions are probably a better idea than mine.

Link to comment
6 hours ago, Thuaveta said:

 

It's the more expensive, and possibly not quite as good, but probably easier to use version of Sophos' UTM or pfSense+Suricata (or pfSense + SecurityOnion if you feel like doing things by the book and have nothing better to do with your life than nerd around) 😉.

Essentially, those things are "smart" firewalls that do firewall stuff like block everything they shouldn't, which is the usual firewall stuff, but then also look at everything that goes in and out of your network, and let you know if there are suspicious patterns. It works by replacing the box your ISP provides with a rather more powerful machine, and it works pretty well.

If you're not willing to invest quite a bit of time and possibly money for hardware (these require rather powerful machines), or have little to no interest in this stuff, Paul R's suggestions are probably a better idea than mine.

Yeah, the open source stuff is right up there with the commercial options, save for support. But you have to spend a lot of time and effort to install, configure, and manage them at home - even if you know what you are doing.

The Netgear / Bitdefender matchup is far from perfect, but way better than what most folks have. And as a front line easy to manage IPS with some IDS and network inspection capability? It's a steal and far better than the firewall in most routers. Not an ASA, but closer.

 

 

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment

Don't think it was a cache attack. This time and the other couple of times that setting has caused a problem, it's been the opposite - not changing when I wanted a change, rather than changing when I didn't want it to, as in a DNS spoofing attack.

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Link to comment
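John Dyson's posts above describe what a caching resolver does (answer locally, only go upstream on a miss, fall through to the next server on failure), and Jud's post describes the one way a correctly working cache still bites: a record changes upstream but the cached answer stays put until its TTL runs out. The following script is an added example, not code from this thread, eero, or any of the resolvers mentioned; it is a minimal TTL-honouring cache with a constructed in-memory "upstream" zone and an injected clock so it runs offline, and its `flush()` plays the role of crenca's `ipconfig /flushdns`. All class and function names are assumptions for illustration.

```python
"""Added example: a minimal TTL-honouring DNS cache (hypothetical names)."""
import time
from dataclasses import dataclass
from typing import Callable, Dict, Tuple

# An upstream resolver maps a name to (address, ttl_seconds).
Upstream = Callable[[str], Tuple[str, int]]


@dataclass
class CacheEntry:
    address: str
    expires_at: float  # absolute time on the injected clock


class TtlDnsCache:
    """Keeps each answer exactly as long as its TTL, then re-asks upstream."""

    def __init__(self, upstream: Upstream, clock: Callable[[], float] = time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.entries: Dict[str, CacheEntry] = {}
        self.upstream_queries = 0  # counts the off-box round trips we actually made

    def resolve(self, name: str) -> Tuple[str, bool]:
        """Return (address, served_from_cache)."""
        key = name.lower().rstrip(".")
        now = self.clock()
        entry = self.entries.get(key)
        if entry is not None and entry.expires_at > now:
            return entry.address, True          # hit: no network transaction
        address, ttl = self.upstream(key)       # miss or expired: go upstream
        self.upstream_queries += 1
        self.entries[key] = CacheEntry(address, now + ttl)
        return address, False

    def flush(self) -> None:
        """Drop every entry, the equivalent of 'ipconfig /flushdns'."""
        self.entries.clear()


class FakeClock:
    """Deterministic clock so TTL expiry can be demonstrated without sleeping."""

    def __init__(self) -> None:
        self.now = 1000.0

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


def make_upstream(zone: Dict[str, Tuple[str, int]]) -> Upstream:
    """Constructed in-memory zone standing in for the ISP or public resolver."""

    def lookup(name: str) -> Tuple[str, int]:
        if name not in zone:
            raise LookupError(f"NXDOMAIN: {name}")
        return zone[name]

    return lookup


def demo() -> Dict[str, object]:
    # Constructed data: RFC 5737 documentation addresses, 300-second TTL.
    zone = {"example.test": ("192.0.2.10", 300)}
    clock = FakeClock()
    cache = TtlDnsCache(make_upstream(zone), clock=clock)

    first = cache.resolve("example.test")      # miss: one upstream query
    second = cache.resolve("example.test")     # hit: answered locally

    zone["example.test"] = ("192.0.2.20", 300)  # record changes upstream...
    stale = cache.resolve("example.test")      # ...but the cache still says .10

    clock.advance(301)                         # TTL elapses
    after_ttl = cache.resolve("example.test")  # refreshed: now .20

    zone["example.test"] = ("192.0.2.30", 300)
    cache.flush()                              # manual flush instead of waiting
    after_flush = cache.resolve("example.test")

    return {
        "first": first, "second": second, "stale": stale,
        "after_ttl": after_ttl, "after_flush": after_flush,
        "upstream_queries": cache.upstream_queries,
    }


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The `stale` step is the behaviour Jud saw: the cache is doing its job, the answer simply has not expired yet. Only three of the five lookups ever reach the upstream, which is the saving John is pointing at; the price is that a change is invisible until the TTL runs out or the cache is flushed.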
12 minutes ago, Jud said:

Don't think it was a cache attack. This time and the other couple of times that setting has caused a problem, it's been the opposite - not changing when I wanted a change, rather than changing when I didn't want it to, as in a DNS spoofing attack.

Perhaps it was an unsuccessful attempt? 🤪. In any case, it sounds like something got screwed up by crazy input. Oh, and often those kinds of attacks only redirect certain requests, in an attempt to be clever.

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment

I've had these routers for years and no hardware or software problems other than this one feature, clearly labeled beta. In fact the software is probably what's nicest about it. I have enough background to run consumer networking equipment and make any adjustments I want. But I've reached the stage where there's less I want to bother with. These likely have the easiest setup of any routers going. Plug 'em in, follow (literally) a couple of steps in a phone app, you're done.

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Link to comment
58 minutes ago, crenca said:

I'm going to swim upstream and say that for many home networks, paying for the hardware/subscription of a border firewall/security device is probably not money well spent. You're just not that interesting to hackers, and your ISP supplied/rented modem/router and OS firewall is "good enough". Any malware you get is likely because of your own online behavior, and not an external attack. Any problems with basic IP infrastructure you are likely to have are due to your cheap chi-net gear, not "hackers".

I put a firewall in front of my CPE and just disabled the CPE firewall. I just don't trust my ISP.

Link to comment
2 hours ago, mansr said:

Good, they'll learn early how to circumvent network blocks. It's a useful skill to have, should the government turn (more) oppressive.

 

Smart children equal less income for the bad guys.

I know someone said that they feel home networks are not a target of interest. That is precisely correct for most folks, if you are talking about targeted high value attacks.

On the other paw, automated collection of credit card, password, and other information is quite a profitable sideline for the "bad guys" as home networks are usually so easy to penetrate. I am certainly not up to debate the matter; like music, everyone gravitates to their own level of comfort and ability.

And on the gripping hand, an ounce of prevention is worth a kiloton or two of cure. Used ASA and similar model devices are going cheap these days...

-Paul

 

Anyone who considers protocol unimportant has never dealt with a cat DAC.

Robert A. Heinlein

Link to comment

Stuff about eero software development that may be of interest to folks that know a little more about networking: https://blog.eero.com/bookshelf-spiffy-space-stashing-state/

One never knows, do one? - Fats Waller

The fairest thing we can experience is the mysterious. It is the fundamental emotion which stands at the cradle of true art and true science. - Einstein

Computer, Audirvana -> optical Ethernet to Fitlet3 -> Fibbr Alpha Optical USB -> iFi NEO iDSD DAC -> Apollon Audio 1ET400A Mini (Purifi based) -> Vandersteen 3A Signature.

Link to comment
On 4/29/2019 at 12:47 AM, Paul R said:

Hate to say it bro, but have you got something like Bitdefender's Box2 or Netgear's Armor running on the router? 

If not, you need to look into that. Sounds to me like someone tried to pull an old fashioned DNS poison run on your home network. A couple hundred bucks a year for point defense against stuff like that is really worth it. 

 

I really really get annoyed with those wannabe hacker people. I mean, I understood fending off 20K attacks a day at the office, that even through Level-3 filtering.

But I get 20-30 silly people attempting to get into my network here at home every day. I really like Armor. It is not, of course, my only defense, but so far, nobody has managed to burn through it, at least not successfully. Managed to get the router fouled up enough to have to reboot it. Once.

Oh wait, that was me foolishly challenging some friends who break into systems for a living. And they had a bit of "inside information." 🙄

-Paul

This might be a little off topic but as I assume everyone here uses a router connected to the internet, maybe not. I've run the Netgear Orbi setup for a couple of months and based on your post I took a look at the log for the first time. Last night I apparently had over 30 attacks, most of them DOS attacks. (Why that type I have no idea, it's not like I'm running an online service or anything) Should that be a source of concern? If I need to do something about it do you prefer one of the methods you mentioned over the other? Something else? On another note, I'm under the impression that to get into the router settings as an administrator you need to be on the same network as the router. Is that correct? The password I use for admin access is a combination of letters and numbers that mean something to me (not my birthday or anything you could look up). Do I need to create some super password for my router or would someone have to be at least in my driveway and know the wifi password to get into it?

Link to comment
2 minutes ago, daverich4 said:

 

This might be a little off topic but as I assume everyone here uses a router connected to the internet, maybe not. I've run the Netgear Orbi setup for a couple of months and based on your post I took a look at the log for the first time. Last night I apparently had over 30 attacks, most of them DOS attacks. (Why that type I have no idea, it's not like I'm running an online service or anything) Should that be a source of concern?

 

The answer to this question is usually/generally "no" given your situation (home network, not running a web service, etc.).

4 minutes ago, daverich4 said:

Something else? On another note, I'm under the impression that to get into the router settings as an administrator you need to be on the same network as the router. Is that correct?

Yes...unless you have intentionally/accidentally enabled your router's management to be allowed on the public (internet or ISP) facing port. You can confirm this in the management interface.

6 minutes ago, daverich4 said:

The password I use for admin access is a combination of letters and numbers that mean something to me (not my birthday or anything you could look up). Do I need to create some super password for my router or would someone have to be at least in my driveway and know the wifi password to get into it?

This is always a balance and a pragmatic matter. You want a fairly "randomized" password with a mix of letters, numbers, and characters (such as ^ and !), but you have to be able to remember it.

Hey MQA, if it is not all $voodoo$, show us the math!

Link to comment
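crenca's advice above is a randomized router admin password mixing letters, digits and punctuation. The script below is an added example, not code from this thread or from any router vendor, showing how to produce such a password from the operating system's CSPRNG (`secrets`, never `random`), verify that all four character classes are present, and put a number on the "super password" question by computing the search-space size in bits. The function names and the punctuation set are my own choices.

```python
"""Added example: generating and checking a router admin password (hypothetical names)."""
import math
import secrets
import string

# Punctuation chosen to avoid characters some router web UIs mangle (quotes, backslash).
PUNCTUATION = "!@#$%^&*-_=+?"
ALPHABET = string.ascii_letters + string.digits + PUNCTUATION  # 75 symbols


def character_classes(password: str) -> set:
    """Which of the four classes (lower, upper, digit, punct) a password contains."""
    classes = set()
    for ch in password:
        if ch.islower():
            classes.add("lower")
        elif ch.isupper():
            classes.add("upper")
        elif ch.isdigit():
            classes.add("digit")
        elif ch in PUNCTUATION:
            classes.add("punct")
    return classes


def has_all_classes(password: str) -> bool:
    return character_classes(password) == {"lower", "upper", "digit", "punct"}


def entropy_bits(length: int, alphabet_size: int = len(ALPHABET)) -> float:
    """Bits of search space for a uniformly random string of this length."""
    return length * math.log2(alphabet_size)


def generate_admin_password(length: int = 16) -> str:
    """Draw uniformly from ALPHABET with the OS CSPRNG; retry until every class appears.

    Rejection sampling keeps the result uniform over the set of strings that
    satisfy the class rule; for length >= 8 the retry loop ends almost at once.
    """
    if length < 8:
        raise ValueError("router admin passwords shorter than 8 characters are not worth generating")
    while True:
        candidate = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if has_all_classes(candidate):
            return candidate


def assess(password: str) -> dict:
    """Summarise a candidate password the way a setup checklist would."""
    return {
        "length": len(password),
        "classes": sorted(character_classes(password)),
        "all_classes": has_all_classes(password),
        "bits_if_random": round(entropy_bits(len(password)), 1),
    }


if __name__ == "__main__":
    pw = generate_admin_password(16)
    print(pw)
    print(assess(pw))
    # A constructed "means something to me" style password, for contrast.
    print(assess("Vandersteen3A"))
```

The `bits_if_random` figure is only honest for the generated password; a memorable phrase drawn from the owner's hobbies has far less entropy than its length suggests, which is the trade-off crenca describes. Note, too, that a strong password on an interface that is only reachable from the LAN, as crenca says is the normal case, mainly defends against a device already inside the network.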
