Print

Please login or register.
1 Hour 1 Day 1 Week 1 Month Forever
Login with username, password and session length

[hydra3333]

Not a networking expert here. Advice welcomed.

Summary:  Potential DNS Security Issue
After 2h-3h or so, the DIR-880L does not use the DNS servers manually entered even though it's status page reports it is using them.

Details:
PCs set to DHCP, auto get DNS addresses from the router. 
Router set to non-DHCP-relay, manually entered DNS servers..

Trying out Getflix, ie changing DNS server entries the DIR-880L, to Sydney 1 and 2.

For 2h-3h or so it works fine, computers attached to the router pass the Getflix status test at https://www.getflix.com.au/manage/dashboard

Then, with Router unchanged, one of the computers attached to the router started to fail the Getflix status check.

Used another PC attached to the router, it too was failing the Getflix status check...

The router status page reported it was still using the correct manually-entered DNS server addresses.

Tested:
Manually entered the Getflix DNS server addresses into one PC and flushed the PC DNS cache.

Then that specific PC started passing the Getflix status check and continued to pass it.

So:
After a few hours, the router was not using the manually-entered DNS server addresses it reported that it was using.

hardware: v1a1
firmware: 1.00 initial release

[FurryNutz]

Internet Service Provider and Modem Configurations

• What ISP Service do you have? Cable or DSL?
• What ISP Modem Mfr. and model # do you have?
• Is ISP Modem/Service using Dynamic or Static WAN IP addressing?
• What ISP Modem service link speeds UP and Down do you have?

There is newer FW v1.01 available...

I recommend updating. If you do, please follow this:
FW Update Process

[hydra3333]

Internet Service Provider and Modem Configurations

• What ISP Service do you have? Cable or DSL?
• What ISP Modem Mfr. and model # do you have?
• Is ISP Modem/Service using Dynamic or Static WAN IP addressing?
• What ISP Modem service link speeds UP and Down do you have?

There is newer FW v1.01 available...

I recommend updating. If you do, please follow this:
FW Update Process

Thanks for your quick response !

• What ISP Service do you have? Cable or DSL?

ISP Telstra Australia. Cable

• What ISP Modem Mfr. and model # do you have?

New C6300, locked by the ISP.

• Is ISP Modem/Service using Dynamic or Static WAN IP addressing?

Dynamic.

• What ISP Modem service link speeds UP and Down do you have?

2.5 / 100

There is newer FW v1.01 available...
I recommend updating. If you do, please follow this:
FW Update Process

OK.

I'll look at it in the next couple of days, for the moment I'm sticking with DNS entries manually entered into the PCs.  

The other thing I'm unclear of is - whether the DIR-880L is using the DNS servers it's picking up from the IPS's WAN cable modem eg with DHCP/DNS relay, or it is using something else.[/list]

[FurryNutz]

Is the C6300 Mfr by Netgear? 

[hydra3333]

Is the C6300 Mfr by Netgear? 

Oops, yes.  It's *heavily* Telstra branded and labelled and locked down but with some googling it's that.

Just to be clear,

• the C6300 had unchanged settings during the period of testing
• the DIR-880L was bought as a "second line of defense, different manufacturer" firewall and as a "more configurable", ie unlocked, device
• the DIR-880L was not set for DNS relay
• manually changing one PC's DNS server settings caused that PC to work as expected again

[FurryNutz]

• If the ISP modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: Link>Double NAT and How NAT Works.
  
  Sounds like you are in a double NAT condition and this an effect how the DIR-880L or any router behind this ISP modem can operate correctly.

[hydra3333]

If the ISP modem has a built in router, it's best to bridge the modem. Having 2 routers on the same line can cause connection problems: ...
Sounds like you are in a double NAT condition and this an effect how the DIR-880L or any router behind this ISP modem can operate correctly.

Thanks for the links !
http://www.practicallynetworked.com/networking/fixing_double_nat.htm
http://cognitiveanomalies.com/cisco-nat-how-nat-works/

The same basic functions are used in every NAT.
•NAT is the most common form of protecting the internal IP structure.  Making it harder to attack the network.
•NAT enables enterprises to use less registered (public) IP addresses.
•NAT should never be confused with a firewall. It may be the same hardware but a firewall is a permit or deny traffic functioning device.
•NAT is not a firewall but a method of allowing users to change the IP source address for various reasons.
•Most common uses of NAT are port address translation and static translation.
•NAT is most commonly use with inside unregistered ( private ) addresses to some form of registered outside address when going to the www.
•Unregistered addresses rfc 1918 IP addresses are:
•10.0.0.0 – 10.255.255.255
•172.16.0.0 – 172.31.255.255
•192.168.0.0 – 192.168.255.255

... which means that both the WAN and LAN sides of your router are private networks. The upshot of this is that any UPnP and/or port forwarding you enable on your router is for naught, because incoming remote access requests never make it that far -- they arrive at the public IP address on the other device, where they're promptly discarded.

Yes, as intended I have 2 separated private network segments using 2 routers with NAT and SPI and separate address spaces.  
Voip and UPNP is not an issue for me; firewalled separation of networks is.
My "untrusted" devices are plugged into the "outer" network segment (ie attached to the ISP's router, ie an internal DMZ) and cannot see any devices plugged into the inner network (ie behind the second NAT'd router), whereas devices plugged into the inner network can in part see devices in the outer network enough for me.
Multiple port-forwarding has also worked with previous router combinations.
This should not affect DNS manually entered into the inner router settings (in my case the DIR-880L) ?
DNS relay worked with my old DIR-655.  
DNS server addresses manually entered into each of the routers should work.

Happy to be corrected  

If I was to make a wild guess, it'd be maybe the 880L is somehow swapping using DLINK's own DNS servers (there is a config settings for that somewhere).  If I find time, I wonder if I can network sniff it somehow. As always, I am not a network person and may be completely and utterly wrong on all counts ... let me know !

[FurryNutz]

Sounds like it working. Though could be problematic when something happens and you have to go and troubleshoot it.