DNS Makes The Internet Work

Addresses around the internet are assigned by Intenet Protocol (IP) addresses. Yet when you type a website address such as www.redhat.com, your browser takes you to RedHat. How does your browser translate www.redhat,com into “172.231.50.240”, their IPv4 address? The answer is DNS, or Domain Name Services. This essential service runs on servers hosted by your ISP, Google, or various third party companies. The Intenet as we know it could not function without it. What’s more important is that your results may differ depending on whose DNS servers you are using. Commercial ISP’s often redirect DNS queries to ad-driven sites when one types in an incorrect address Have you ever been redirected to an odd looking website when you made a typo, or typed .net instead of .org or .com? It’s important to use quality DNS providers for other reasons too. Accurate results are essential to avoid being redirected to a scammer site or receiving a page not found error. Speed is also important as your browser must wait for a DNS response with an IP address before it can visit and load a site. For an unfiltered Internet and fast results, we recomend you utliize third party DNS services such as the following: • Open DNS • Quad 9 • Cloudfare • DNS Watch Check your PC and/or router and change these settings for quicker and more accurate DNS results. Most home router DHCP settings provide DNS addresses for all clients on the network. You can test your DNS servers using the following free tool: GRC DNS Benchmark Tool Small businesses should consider installing a local caching DNS server such as Pi-Hole which is free and easily installed on a Linux system. This will speed up your browsing by caching common DNS queries directly on your network. PiHole also has a slick web interface and allows for blocking various categories of websites such as pornography, violence, drugs, and hate speech. It can be quickly installed on a virtual machine or any old PC laying around, and needs few system resources. An unfiltered internet spells trouble for businesses. Unfortunately we cannot assume that everyone has good intent when surfing the internet. Allowing pornogrphy on your business network is asking for trouble. Quality DNS providers ensure a good browsing experience. How does your DNS provider measure up? Use the free tool from GRC to test it today!

Transparent Firewalls and Proxy Servers

Firewalls are used to protect networks and servers. A transparent firewall is a special type of firewall that typically is inserted between a web server and a database server to provide additional protection for the database. In can be configured with or without and IP address, the latter would require direct physical terminal access to modiy or alter. This would essentiallly make it hack-proof. Adding a Proxy server such as Squid and software such as Dansguardian to the firewall allows for powerful yet easily customizable traffic filtering. Content filtering is essential in the home or office to provide a safe environment, and also reduce unwanted network traffic. Dansguardian protection is only as good as the filter list. In the past, good filters could be obtained for free, but currently they are all subscription based. More information to come about how to configure a low cost content filter to protect your network. As mentioned above in the DNS section, we cannot assume everyone has good intent on the internet. Content filtering proects your employees and reduces network congestion.

Fail2Ban and Iptables

Fail2ban is one of many tools that can be used to protect Linux servers. It will block external IP addresses if they meet certain criteria, such as excessive 404 or 403 access attempts, match lists of known bots, or failed password attempts. It his easily to configure and custom filters can be created. It can block access to HTTP, FTP, and SSH servers from known IP addresses. The bans are created by adding and removing lines to/from the IPtables firewall according to the specified rules for banning and unbanning IP addresses after the specified unban time. There are many good installation instructions on the internet so we won’t cover that here. On Centos 7, we noted that after iinstallation and configuration, Fail2ban will log IP addresses, but does not ban them. This issue does not appear to be well documented. We determined that in the jail.local file, the following must be added to each jail section to actually add the banned addresses to the IPTABLES block list: banaction = iptables-multiport Restart Fail2ban and confirm that it bans any previously detected IP address with this command: iptables -nL | grep “REJECT” For a quick count of banned addresses, use the following variation of the above command: iptables -nL | grep -c REJECT More to come on Fail2ban configuration. Happy banning!

Enterprise Antivirus Systems and Data Backups

Years ago we had a client who purchased the cheapest computers he could find, and relied on a variety of free antivirus software. He was constantly having to replace machines due to hardware failures and malware. He could not keep data backups because there was no centralized data storage. On several occasions, one machine was able to replicate malware to others on the same network causing lost data and productivity for his workforce. This was an impossible situation for us, as without seeing the bigger picture the client would continue to suffer data and productivity losses. It is essential for all businesses to obtain Enterprise antivirus protection that can immediately detect and correct issues on any system connected to the network. - before data loss occurs. Offsite and offline data backups are equally important to prevent data loss. When asked “how often should I backup my data?”, our response is how much will it cost you for each day of lost data? Ransomeware is an increasingly costly problem affecting businesseses, schools, and government organizations. Antivirus and offsite/offline backups are the best protection against these extortion attacks. Even if you pay up, you may never receive the key to unlock your data. Don’t let your organization get hit with this increasingly common nightmare!

Tech Corner