NBN Discussion

DNS poisoning on endpoints is a legitimate cybersecurity issue. Cached entries on a local server, rather than each machine, is a much safer practice. Anyway, each to their own.

No, that would be ok. Also you could use Cloudflare as primary and Google as secondary. But this is for name recognition DNS, not the web cache, so there's no real point. Cloudflare and Google DNS are generally in the <15ms resolution. Most likely your local DNS would use Cloudflare etc. as their upstream DNS anyway.
Web cache? This is DNS caching only. There are a number of advantages to using a local DNS cache.
 
DNS poisoning on endpoints is a legitimate cybersecurity issue. Cached entries on a local server, rather than each machine, is a much safer practice. Anyway, each to their own.


Web cache? This is DNS caching only. There are a number of advantages to using a local DNS cache.
Such as?
 

I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
 
I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.
Thanks for that. I’ll follow it up tomorrow. Generally I don’t recommend nor use local DNS so it’s interesting.
 
I have no idea what the last few posts are talking about, so much so that I don't even know if it's on or off topic...😂
It's probably slowly meandering away from the central point of the thread... happy to take it somewhere else.
 
It's probably slowly meandering away from the central point of the thread... happy to take it somewhere else.
This thread is very much suitable for discussion about DNS operations that may not follow the default NBN provider's recommended implementations, which are normally designed for the ISP/RSP's benefits (simplify support) rather than outcomes such as maximising performance and security.

If people are not sure about the discussion on this topic, just stick with your provider's default settings. If you want to maximise performance and security and are willing to self-support your configuration/operation, there is some useful content up-thread (and potentially will be down-thread).
 
DNS poisoning on endpoints is a legitimate cybersecurity issue. Cached entries on a local server, rather than each machine, is a much safer practice. Anyway, each to their own.

I'm not saying you're wrong, but that doesn't make sense to me. If you have DNS cache poisoning on the endpoint, it's been poisoned from upstream. How does having a local DNS server avoid this situation?

Additionally, to implement this would be a nightmare. How are you going to stop DNS caching on every endpoint on the network? Plus it would impact performance.

I could write some up, but plenty of others have done so before.
Here's one example: Benefits of DNS Service Locality - InCyber
Another: 9 DNS Security Best Practices | PhoenixNAP KB
As with any such network service, there are also disadvantages to implementing and managing them internally. Same with a hybrid internal/external model, which I would advocate for redundancy/business continuity reasons.
As I said above, each to their own, depending on which lens you view it through, the footprint/design and purpose of your network(s) and the type/likelihood of attacks you are trying to mitigate against.

I'd say for the average home use this is not needed at all. Total overkill and more likely to cause more problems and security issues than potential benefit.
 
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.
 
Just talk to them about vortex ring. That will balance things out.
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
 
FYI: As a trial, I've followed @Daver6's suggestion and swapped over to the Cloudflare DNS for interest. It's just a popdown choice in the Telstra Gateway router.

Cloudflare say ".1 to be the "internet's fastest DNS directory," and will never log your IP address, never sell your data, and never use your data to target ads" but who knows. Can't see / feel any difference over the Google DNS but then I would not expect any in normal use.

Some references for those interested.

Also note Steve Gibson has a benchmark tool. From my machine, this shows Cloudflare to be the fastest.

 
I'm not sure I ever said it was suitable for all situations.
Switching off endpoint caching is straightforward. Monitoring suspicious DNS activity on a central server is easier than monitoring disparate devices.
There's no right or wrong here, just horses for courses.

True you didn't. Given we were talking about home internet, I assumed the discussion was in relation to that.

How do you turn off endpoint DNS caching on endpoints that aren't a computer?
 
Well that list would be greater than 1000 different devices... I'm not sure where this is going.
 
I run a local DNS server on my NAS. This is mainly for performance reasons, with local DNS caching. I found my NBN RSP's DNS server response is faster than Cloudflare or Google, which is not surprising as it's on the ISP/RSP's network. Ping times for NBN RSP's DNS are around 4ms while Google and Cloudflare are around 20ms.

For resilience I use my local NBN RSP DNS as primary forwarding from my local DNS server, and I use Cloudflare as the secondary server (in case my ISP/RSP has catastrophic DNS failure).
 
Well that list would be greater than 1000 different devices... I'm not sure where this is going.

I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
 
But it's a thread on NBN, not aerodynamics or fluid dynamics. Just like the Ask the Pilot thread. It's for those who have tech questions or other specific questions about the NBN/Internet issues. With the greatest of respect, those without knowledge probably should consider posting in the other threads? :) :)
You mean I wasn't successfully DNS poisoning....?
 
I didn't realise you could disable DNS caching on things like a Google Home, Ring doorbell, Samsung TV. Heck, even an iPhone. Not a loaded question. How does one achieve it?
Maybe we are looking at this from different angles. You would look to disable caching on an endpoint which may be a likely and vulnerable target for a malware attack. If you are worried that your Ring Doorbell is vulnerable to malware, perhaps stick it in a subzone and apply some specific firewall rules to minimise the likelihood of whatever attack you think is possible. There's no one-size-fits-all blanket solution. Local DNS servers are but one of many attack mitigation tools, not the one and only.
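
The point made up-thread about monitoring suspicious DNS activity on a central server, as an added example that is not part of any post in this thread: one pass over the local resolver's query log covers every device that uses it. It assumes the local server writes dnsmasq-style query log lines (nobody in the thread says which software they run); the sample log, host names, addresses and the threshold are constructed.

```python
import re
from collections import defaultdict

# Constructed sample of dnsmasq-style query log lines (query logging enabled).
SAMPLE_LOG = """\
Mar  3 09:00:01 dnsmasq[412]: query[A] bank.example from 192.168.1.20
Mar  3 09:00:01 dnsmasq[412]: reply bank.example is 198.51.100.10
Mar  3 09:05:07 dnsmasq[412]: query[A] bank.example from 192.168.1.31
Mar  3 09:05:07 dnsmasq[412]: cached bank.example is 198.51.100.10
Mar  3 09:10:12 dnsmasq[412]: query[A] kq3vz.example from 192.168.1.44
Mar  3 09:10:12 dnsmasq[412]: reply kq3vz.example is NXDOMAIN
Mar  3 09:10:13 dnsmasq[412]: query[A] p0xw7.example from 192.168.1.44
Mar  3 09:10:13 dnsmasq[412]: reply p0xw7.example is NXDOMAIN
Mar  3 09:10:14 dnsmasq[412]: query[A] zz81m.example from 192.168.1.44
Mar  3 09:10:14 dnsmasq[412]: reply zz81m.example is NXDOMAIN
Mar  3 11:30:40 dnsmasq[412]: query[A] bank.example from 192.168.1.20
Mar  3 11:30:40 dnsmasq[412]: reply bank.example is 203.0.113.66
"""

QUERY = re.compile(r"dnsmasq\[\d+\]: query\[\w+\] (\S+) from (\S+)$")
# Only address-like answers or NXDOMAIN; <CNAME> and NODATA lines are skipped.
ANSWER = re.compile(
    r"dnsmasq\[\d+\]: (?:reply|cached) (\S+) is ([0-9A-Fa-f:.]+|NXDOMAIN)$")

def review(log_text, nx_threshold=3):
    """Return (clients with many NXDOMAINs, names whose answer changed).

    Both results are leads to look into, not proof of compromise: CDNs
    rotate addresses and typos produce NXDOMAIN too.
    """
    last_client = {}             # name -> client that most recently asked
    nx_count = defaultdict(int)  # client -> NXDOMAIN replies attributed to it
    first_answer = {}            # name -> first address seen for it
    changed = {}                 # name -> (first address, differing address)
    for line in log_text.splitlines():
        if m := QUERY.search(line):
            last_client[m.group(1)] = m.group(2)
        elif m := ANSWER.search(line):
            name, value = m.groups()
            if value == "NXDOMAIN":
                nx_count[last_client.get(name, "unknown")] += 1
            elif first_answer.setdefault(name, value) != value:
                changed.setdefault(name, (first_answer[name], value))
    noisy = sorted(c for c, n in nx_count.items() if n >= nx_threshold)
    return noisy, changed

if __name__ == "__main__":
    print(review(SAMPLE_LOG))
```

The reply lines carry no client address, so NXDOMAIN answers are attributed to whichever client most recently asked for that name, which is an approximation on a busy network.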
 