NBN Discussion

DNS poisoning on end points is a legitimate cybersecurity issue. cached entries on a local server, rather than each machine is a much safer practice. Anyway, each to their own.
Post automatically merged:

No that would be ok. Also you could use Cloudfare as primary and Google as secondary. But this is for name recognition DNS not the web cache so there’s no real point. Cloudfare and Google DNs are gereraliy in the <15ms resolution. Most likely your local DNS would use Cloudfare etc as their upstream DNS anyway.
Web cache? This is DNS caching only. Their are a number of advantages using a local DNS cache.
 
DNS poisoning on end points is a legitimate cybersecurity issue. cached entries on a local server, rather than each machine is a much safer practice. Anyway, each to their own.
Post automatically merged:


Web cache? This is DNS caching only. Their are a number of advantages using a local DNS cache.
Such as?
 
I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
 
I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
Thanks for that. I’ll follow it up tomorrow. Generally I don’t recommend nor use local DNS so it’s interesting.
 
Sponsored Post

Struggling to use your Frequent Flyer Points?

Frequent Flyer Concierge takes the hard work out of finding award availability and redeeming your frequent flyer or credit card points for flights.

Using their expert knowledge and specialised tools, the Frequent Flyer Concierge team at Frequent Flyer Concierge will help you book a great trip that maximises the value for your points.

I have no idea what the last few posts are talking about , so much so that I dont even know if its on or off topic...😂
It's probably slowly meandering away from the central point of the thread... happy to take it somewhere else.
 
It's probably slowly meandering away from the central point of the thread... happy to take it somewhere else.
This thread is very much suitable for discussion about DNS operations that may not follow the default NBN provider's recommended implementations, which are normally designed for the ISP/RSP's benefits (simplify support) rather than outcomes such as maximising performance and security.

If people are not sure about the discussion on this topic, just stick with your provider's default settings. If you want to maximise performance and security and are willing to self-support your configuration/operation, there is some useful content up-thread (and potentially will be down-thread).
 
DNS poisoning on end points is a legitimate cybersecurity issue. cached entries on a local server, rather than each machine is a much safer practice. Anyway, each to their own.

I'm not saying you're wrong, but that doesn't make sense to me. If you have DNS cache poisoning on the endpoint, it's been poisoned from upstream. How does having a local DNS server avoid this situation?

Additionally, to implement this would be a nightmare. How are you going to stop DNS caching on every endpoint on the network? Plus it would impact performance.

I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.

I'd say for the average home use this is not needed at all. Total overkill and more likely to cause more problems and security issues than potential benefit.
 
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.
 
Just talk to them about vortex ring. That will balance things out.
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
 
Last edited by a moderator:
The Frequent Flyer Concierge team takes the hard work out of finding reward seat availability. Using their expert knowledge and specialised tools, they'll help you book a great trip that maximises the value for your points.

AFF Supporters can remove this and all advertisements

FYI: As a trial, I've followed @Daver6 suggestion and swapped over to the Cloudfare DNS for interest. It's just a popdown choice in the Telstra Gateway router.

Cloudfare say ".1 to be the "internet's fastest DNS directory," and will never log your IP address, never sell your data, and never use your data to target ads" but who knows. Can't see / feel any difference over the Google DNS but then I would not expect any in normal use.

Some references for those interested.

Also note Steve Gibson has a benchmark tool. From my machine, this show Cloudfare to be the fastest.

 
Last edited:
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.

True you didn't. Given we were talking about home internet, I assumed the discussion was in relation to that.

How do you turn off endpoint DNS caching on endpoints that aren't a computer?
 
Well that list would be greater than 1000 different devices... I'm not sure where this is going.
 
I run a local DNS server on my NAS. This is mainly for performance reasons, with local DNS caching. I found my NBN RSP's DNS server response is faster than Cloudfare of Google, which is not surprising as its on the ISP/RSP's network. Ping times for NBN RSP's DNS is around 4ms while google and Cloudfare are around 20ms.

For resilience I use my local NBN RSP DNS as primary forwarding from my local DNS server, and I use Cloudfare as the secondary server (in case my ISP/RSP has catastrophic DNS failure).
 
Well that list would be greater than 1000 different devices... I'm not sure where this is going.

I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
 
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
You mean I wasn't successfully DNS poisoning....?
 
I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
Maybe we are looking at this from different angles. You would look to disable caching on an endpoint which may be a likely and vulnerable target for a Malware attack. If you are worried that your Ring Doorball is vulnerable to malware, perhaps stick it in a subzone and apply some specific firewall rules to mimimise the likelihood of whatever attack you think is possible. There's no one size fits all blanket solution. Local DNS servers are but one of many attack mitigation tools, not the one and only.
 
Back
Top