NBN Discussion

Guvner

Established Member
Joined
Jul 1, 2014
Posts
1,202
DNS poisoning on end points is a legitimate cybersecurity issue. Cached entries on a local server, rather than on each machine, is a much safer practice. Anyway, each to their own.
Post automatically merged:

No that would be ok. Also you could use Cloudflare as primary and Google as secondary. But this is for name recognition DNS not the web cache so there’s no real point. Cloudflare and Google DNS are generally in the <15ms resolution. Most likely your local DNS would use Cloudflare etc as their upstream DNS anyway.
Web cache? This is DNS caching only. There are a number of advantages using a local DNS cache.
 

TheRealTMA

Senior Member
Joined
Jul 13, 2012
Posts
7,524
Qantas
Platinum
DNS poisoning on end points is a legitimate cybersecurity issue. Cached entries on a local server, rather than on each machine, is a much safer practice. Anyway, each to their own.
Post automatically merged:


Web cache? This is DNS caching only. There are a number of advantages using a local DNS cache.
Such as?
 

Guvner

Established Member
Joined
Jul 1, 2014
Posts
1,202
I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
 

TheRealTMA

Senior Member
Joined
Jul 13, 2012
Posts
7,524
Qantas
Platinum
I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
Thanks for that. I’ll follow it up tomorrow. Generally I don’t recommend nor use local DNS so it’s interesting.
 

NM

Enthusiast
Moderator
Joined
Aug 27, 2004
Posts
16,752
Qantas
LT Gold
Virgin
Red
It's probably slowly meandering away from the central point of the thread... happy to take it somewhere else.
This thread is very much suitable for discussion about DNS operations that may not follow the default NBN provider's recommended implementations, which are normally designed for the ISP/RSP's benefits (simplify support) rather than outcomes such as maximising performance and security.

If people are not sure about the discussion on this topic, just stick with your provider's default settings. If you want to maximise performance and security and are willing to self-support your configuration/operation, there is some useful content up-thread (and potentially will be down-thread).
 

Daver6

Senior Member
Joined
Dec 31, 2011
Posts
7,752
Qantas
Platinum
Virgin
Gold
DNS poisoning on end points is a legitimate cybersecurity issue. Cached entries on a local server, rather than on each machine, is a much safer practice. Anyway, each to their own.

I'm not saying you're wrong, but that doesn't make sense to me. If you have DNS cache poisoning on the endpoint, it's been poisoned from upstream. How does having a local DNS server avoid this situation?

Additionally, to implement this would be a nightmare. How are you going to stop DNS caching on every endpoint on the network? Plus it would impact performance.

I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.

I'd say for the average home use this is not needed at all. Total overkill and more likely to cause more problems and security issues than potential benefit.
 

Guvner

Established Member
Joined
Jul 1, 2014
Posts
1,202
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.
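Guvner's point that suspicious DNS activity is easier to spot on one central resolver than across many devices, as an added example that is not part of the thread: a small Python triage pass over constructed dnsmasq-style query-log lines. The log format, the thresholds, the client addresses and the domain names are all assumptions made for the illustration.

```python
"""Triage of a central resolver's query log (added example, not from the thread).

Assumes dnsmasq-style lines such as
  "Jan 10 12:00:01 dnsmasq[123]: query[A] www.example.com from 192.168.1.20"
Two checks are applied: unusually long or high-entropy leftmost labels (a common
sign of data smuggled inside DNS names) and clients issuing a flood of queries.
"""
import math
import re
from collections import Counter, defaultdict

QUERY_RE = re.compile(r"query\[(?P<qtype>\w+)\] (?P<name>\S+) from (?P<client>\S+)")

# Constructed sample log: two ordinary lookups, one suspicious TXT lookup,
# and a burst of 25 lookups from a single client (addresses are assumptions).
SAMPLE_LOG = [
    "Jan 10 12:00:01 dnsmasq[123]: query[A] www.example.com from 192.168.1.20",
    "Jan 10 12:00:01 dnsmasq[123]: reply www.example.com is 203.0.113.10",
    "Jan 10 12:00:03 dnsmasq[123]: query[TXT] "
    "7a9f3c1e5b2d8e4f6a0c9b1d3e5f7a2b4c6d8e0f.tunnel.example from 192.168.1.77",
] + [
    f"Jan 10 12:01:{i:02d} dnsmasq[123]: query[A] host{i}.example.net from 192.168.1.50"
    for i in range(25)
]


def label_entropy(name: str) -> float:
    """Shannon entropy in bits per character of the leftmost label of a name."""
    label = name.split(".")[0].lower()
    n = len(label)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def triage(lines, max_label_len=32, entropy_threshold=3.5, max_queries=20):
    """Return (client, finding, detail) tuples for suspicious labels and query floods."""
    per_client = defaultdict(int)
    findings = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # reply lines and other noise are not queries
        client, name = m["client"], m["name"].rstrip(".")
        per_client[client] += 1
        first = name.split(".")[0]
        if len(first) > max_label_len or label_entropy(name) > entropy_threshold:
            findings.append((client, "suspicious-label", name))
    for client, count in per_client.items():
        if count > max_queries:
            findings.append((client, "query-flood", str(count)))
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(*finding)
```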
 

TheRealTMA

Senior Member
Joined
Jul 13, 2012
Posts
7,524
Qantas
Platinum
Just talk to them about vortex ring. That will balance things out.
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
 

TheRealTMA

Senior Member
Joined
Jul 13, 2012
Posts
7,524
Qantas
Platinum
FYI: As a trial, I've followed @Daver6's suggestion and swapped over to the Cloudflare DNS for interest. It's just a popdown choice in the Telstra Gateway router.

Cloudflare say ".1 to be the "internet's fastest DNS directory," and will never log your IP address, never sell your data, and never use your data to target ads" but who knows. Can't see / feel any difference over the Google DNS but then I would not expect any in normal use.

Some references for those interested.

Also note Steve Gibson has a benchmark tool. From my machine, this shows Cloudflare to be the fastest.

 

Daver6

Senior Member
Joined
Dec 31, 2011
Posts
7,752
Qantas
Platinum
Virgin
Gold
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.

True you didn't. Given we were talking about home internet, I assumed the discussion was in relation to that.

How do you turn off endpoint DNS caching on endpoints that aren't a computer?
 

NM

Enthusiast
Moderator
Joined
Aug 27, 2004
Posts
16,752
Qantas
LT Gold
Virgin
Red
I run a local DNS server on my NAS. This is mainly for performance reasons, with local DNS caching. I found my NBN RSP's DNS server response is faster than Cloudflare or Google, which is not surprising as it's on the ISP/RSP's network. Ping times for NBN RSP's DNS is around 4ms while Google and Cloudflare are around 20ms.

For resilience I use my local NBN RSP DNS as primary forwarding from my local DNS server, and I use Cloudflare as the secondary server (in case my ISP/RSP has catastrophic DNS failure).
 

Daver6

Senior Member
Joined
Dec 31, 2011
Posts
7,752
Qantas
Platinum
Virgin
Gold
Well that list would be greater than 1000 different devices... I'm not sure where this is going.

I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
 

jb747

Enthusiast
Joined
Mar 9, 2010
Posts
11,351
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
You mean I wasn't successfully DNS poisoning....?
 

Guvner

Established Member
Joined
Jul 1, 2014
Posts
1,202
I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
Maybe we are looking at this from different angles. You would look to disable caching on an endpoint which may be a likely and vulnerable target for a malware attack. If you are worried that your Ring Doorbell is vulnerable to malware, perhaps stick it in a subzone and apply some specific firewall rules to minimise the likelihood of whatever attack you think is possible. There's no one size fits all blanket solution. Local DNS servers are but one of many attack mitigation tools, not the one and only.
 
