[opensuse] A (probably totally ignorant) DNS question
Hello! [os Leap 15.2, xfce, Network Manager, Firefox 78.3.0esr, IPV4 only] A (probably totally ignorant) DNS question: which resolver(s) will this system be actually using? A system has an Arris SURFboard cable modem, SBG7400AC2. This is an AC2350Mbps combined router/modem. Though it's owned, the ISP can and does change the firmware not so infrequently (docsis 3). This modem has a firmware option to turn off the ISP's two resolvers and enter my own resolvers (up to three) but doing so is flakey: change it, save/reload, and the ISP's resolver addresses return to the display. In frustration I removed it from the power line. I got busy with something else and didn't get back to this for about 6 hours. Plugged in the power and, hello, my own resolver addresses were now displayed in the 'change resolver' section as the current running set. Good. But the section of the router/modem firmware that displays the current 'System Information' still displays the ISP's resolvers. Network Manager's gui (right-click) 'Connection Information' displays my chosen resolvers in the order I set them in the modem/router firmware. In dhclient.conf I have a 'prepend domain-name-servers' with the wanted resolvers (in reverse order so I can tell effect if any) but it appears this isn't being imposed. In Network Manager's gui 'Edit Connection / Editing ... / IPV4 Settings / Additional DNS servers' I have not added anything, but here's another place to set resolvers. Finally, I have set Firefox's 'DNS over HTTPS' option which says it will use Cloudflare for resolver. SO... there are apparently way too many ways to set a resolver, all seemingly independent of each other. Which one overrules the others? I'm thinking it's the Mozilla/Cloudflare thing for any DNS queries going through Firefox browser. But which resolver gets used for queries not going through Firefox browser?
I'm wondering if the ISP's docsis tinkering may be the final overriding one (he who controls the firmware controls the world...) Thanks for a clue :) Ralph -- To unsubscribe, e-mail: opensuse+unsubscribe@opensuse.org To contact the owner, e-mail: opensuse+owner@opensuse.org
On 30/09/2020 11.53, Ralph wrote:
Hello!
[os Leap 15.2, xfce, Network Manager, Firefox 78.3.0esr, IPV4 only]
A (probably totally ignorant) DNS question: which resolver(s) will this system be actually using?
A system has an Arris SURFboard cable modem, SBG7400AC2. This is an AC2350Mbps combined router/modem. Though it's owned, the ISP can and does change the firmware not so infrequently (docsis 3).
This modem has a firmware option to turn off the ISP's two resolvers and enter my own resolvers (up to three) but doing so is flakey: change it, save/reload, and the ISP's resolver addresses return to the display. In frustration I removed it from the power line. I got busy with something else and didn't get back to this for about 6 hours. Plugged in the power and, hello, my own resolver addresses were now displayed in the 'change resolver' section as the current running set. Good. But the section of the router/modem firmware that displays the current 'System Information' still displays the ISP's resolvers.
Network Manager's gui (right-click) 'Connection Information' displays my chosen resolvers in the order I set them in the modem/router firmware.
Well, then you are good, your changes are being passed on.
In dhclient.conf I have a 'prepend domain-name-servers' with the wanted resolvers (in reverse order so I can tell effect if any) but it appears this isn't being imposed.
In Network Manager's gui 'Edit Connection / Editing ... / IPV4 Settings / Additional DNS servers' I have not added anything, but here's another place to set resolvers.
Finally, I have set Firefox's 'DNS over HTTPS' option which says it will use Cloudflare for resolver.
SO... there are apparently way too many ways to set a resolver, all seemingly independent of each other. Which one overrules the others? I'm thinking it's the Mozilla/Cloudflare thing for any DNS queries going through Firefox browser. But which resolver gets used for queries not going through Firefox browser?
What your Linux machine will use, aside from Firefox, is written in "/etc/resolv.conf". Doesn't mean you have to edit the file, but that whatever sets it up should end up written in there. Hopefully automatically. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
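To make Carlos's point concrete, here is an added example (not code from the thread or from openSUSE) that reads the two files a glibc-based host consults, /etc/nsswitch.conf and /etc/resolv.conf, and reports which resolvers the C library will actually query. The file contents are constructed samples using RFC 5737 documentation addresses (198.51.100.x standing in for "my" resolvers, 192.0.2.x for the ISP's); the fallback order used when no `hosts:` line exists is an assumption about glibc's default.

```python
"""Work out which resolvers glibc's stub resolver will consult, from the two
files named in the thread: /etc/nsswitch.conf and /etc/resolv.conf.
Added example; the file contents below are constructed, not from any real host."""
import re

# glibc's stub resolver only honours the first three 'nameserver' lines (MAXNS).
MAXNS = 3

# Constructed sample of /etc/nsswitch.conf.
SAMPLE_NSSWITCH = """\
passwd:   compat
hosts:    files dns   # local /etc/hosts first, then DNS
networks: files dns
"""

# Constructed sample of /etc/resolv.conf as a generator such as netconfig writes it:
# 198.51.100.x stand in for "my" resolvers, 192.0.2.x for the ISP's.
SAMPLE_RESOLV = """\
### /etc/resolv.conf file autogenerated by netconfig!
#
search example.net
nameserver 198.51.100.53
nameserver 198.51.100.54
nameserver 192.0.2.1
nameserver 192.0.2.2
options rotate
"""


def hosts_sources(nsswitch_text):
    """Return the lookup sources on the 'hosts:' line, in order."""
    for line in nsswitch_text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("hosts:"):
            return line.split(":", 1)[1].split()
    return ["files", "dns"]  # assumption: glibc's built-in default when the line is absent


def parse_resolv(resolv_text):
    """Parse resolv.conf into nameservers, search list, options and the generator
    named in a '### ... autogenerated by X' comment, if any."""
    cfg = {"generator": None, "nameservers": [], "search": [], "options": []}
    for raw in resolv_text.splitlines():
        if raw.startswith(("#", ";")):
            m = re.search(r"autogenerated by (\w+)", raw)
            if m:
                cfg["generator"] = m.group(1)
            continue
        parts = raw.split()
        if not parts:
            continue
        key, vals = parts[0], parts[1:]
        if key == "nameserver" and vals:
            cfg["nameservers"].append(vals[0])
        elif key in ("search", "domain"):
            cfg["search"] = vals
        elif key == "options":
            cfg["options"].extend(vals)
    return cfg


def effective_resolvers(nsswitch_text, resolv_text):
    """Combine both files into what the C library will actually do."""
    order = hosts_sources(nsswitch_text)
    cfg = parse_resolv(resolv_text)
    return {
        "lookup_order": order,
        "dns_consulted": "dns" in order,
        "used": cfg["nameservers"][:MAXNS],      # queried, in this order
        "ignored": cfg["nameservers"][MAXNS:],   # present in the file but never used
        "rotate": "rotate" in cfg["options"],    # round-robin instead of first-listed
        "generator": cfg["generator"],           # which front end last wrote the file
    }


if __name__ == "__main__":
    print(effective_resolvers(SAMPLE_NSSWITCH, SAMPLE_RESOLV))
```

On a real host, pass `open("/etc/nsswitch.conf").read()` and `open("/etc/resolv.conf").read()` instead of the samples. The `generator` field is the useful diagnostic for the "which front end wins" question: whatever tool last wrote the file names itself in the header comment, and any fourth or later `nameserver` line is silently ignored.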
On Wed, 30 Sep 2020 12:09:36 +0200 "Carlos E. R." <robin.listas@telefonica.net> wrote:
On 30/09/2020 11.53, Ralph wrote:
Hello!
[os Leap 15.2, xfce, Network Manager, Firefox 78.3.0esr, IPV4 only]
A (probably totally ignorant) DNS question: which resolver(s) will this system be actually using?
A system has an Arris SURFboard cable modem, SBG7400AC2. This is an AC2350Mbps combined router/modem. Though it's owned, the ISP can and does change the firmware not so infrequently (docsis 3).
This modem has a firmware option to turn off the ISP's two resolvers and enter my own resolvers (up to three) but doing so is flakey: change it, save/reload, and the ISP's resolver addresses return to the display. In frustration I removed it from the power line. I got busy with something else and didn't get back to this for about 6 hours. Plugged in the power and, hello, my own resolver addresses were now displayed in the 'change resolver' section as the current running set. Good. But the section of the router/modem firmware that displays the current 'System Information' still displays the ISP's resolvers.
Network Manager's gui (right-click) 'Connection Information' displays my chosen resolvers in the order I set them in the modem/router firmware.
Well, then you are good, your changes are being passed on.
In dhclient.conf I have a 'prepend domain-name-servers' with the wanted resolvers (in reverse order so I can tell effect if any) but it appears this isn't being imposed.
In Network Manager's gui 'Edit Connection / Editing ... / IPV4 Settings / Additional DNS servers' I have not added anything, but here's another place to set resolvers.
Finally, I have set Firefox's 'DNS over HTTPS' option which says it will use Cloudflare for resolver.
SO... there are apparently way too many ways to set a resolver, all seemingly independent of each other. Which one overrules the others? I'm thinking it's the Mozilla/Cloudflare thing for any DNS queries going through Firefox browser. But which resolver gets used for queries not going through Firefox browser?
What your Linux machine will use, aside from Firefox, is written in "/etc/resolv.conf". Doesn't mean you have to edit the file, but that whatever sets it up should end up written in there. Hopefully automatically.
Hi Carlos, thanks for reply. So all the many (linux) ways of setting DNS still all end up in exactly the same place, written in resolv.conf? Ok, so these questions remain: 1 - if all the different ways of setting the resolver(s) have different resolver(s), which one gets the 'prize', which is the final one written to resolv.conf? What order does linux read and write them? 2 - why is dhclient.conf (prepend) not being applied? Because it is not the 'last' place searched for a resolver? This used to be where I made my only-needed changes pre-15.2 (different modem/router) but it does nothing in 15.2. 3 - can the ISP, 'owning' the firmware sitting between linux and the net, still redirect the query to his own server (and logs), return fake data, and spoof the reply to make it appear it went to and came from the requested server? (theoretical issue, don't ask 'why' I ask this question...) Thanks. Ralph
Ralph wrote:
So all the many (linux) ways of setting DNS still all end up in exactly the same place, written in resolv.conf?
Yes, they have to for the resolver to work.
2 - why is dhclient.conf (prepend) not being applied? Because it is not the 'last' place searched for a resolver? This used to be where I made my only-needed changes pre-15.2 (different modem/router) but it does nothing in 15.2.
I expect because the ISC dhcp client is not being used ?
3 - can the ISP, 'owning' the firmware sitting between linux and the net, still redirect the query to his own server (and logs), return fake data, and spoof the reply to make it appear it went to and came from the requested server?
Yes that would be possible. -- Per Jessen, Zürich (16.9°C) http://www.dns24.ch/ - free dynamic DNS, made in Switzerland.
On Wed, 30 Sep 2020 13:45:18 +0200 Per Jessen <per@computer.org> wrote:
3 - can the ISP, 'owning' the firmware sitting between linux and the net, still redirect the query to his own server (and logs), return fake data, and spoof the reply to make it appear it went to and came from the requested server?
Yes that would be possible.
But it would violate the law in a lot of countries I think? Privacy and net neutrality rules would both tend to prohibit it. Ralph, the workaround if you suspect such a thing is to use a VPN to make connections, and/or compare the results of Firefox DoH communication with command-line tools.
Dave Howorth wrote:
On Wed, 30 Sep 2020 13:45:18 +0200 Per Jessen <per@computer.org> wrote:
3 - can the ISP, 'owning' the firmware sitting between linux and the net, still redirect the query to his own server (and logs), return fake data, and spoof the reply to make it appear it went to and came from the requested server?
Yes that would be possible.
But it would violate the law in a lot of countries I think? Privacy and net neutrality rules would both tend to prohibit it.
I think so too, yes. There have been some cases like that - https://en.wikipedia.org/wiki/DNS_hijacking -- Per Jessen, Zürich (16.4°C) http://www.dns24.ch/ - your free DNS host, made in Switzerland.
On 30/09/2020 13.40, Ralph wrote:
On Wed, 30 Sep 2020 12:09:36 +0200 "Carlos E. R." <> wrote:
On 30/09/2020 11.53, Ralph wrote:
What your Linux machine will use, aside of Firefox, is written in "/etc/resolv.conf". Doesn't mean you have to edit the file, but that whatever sets it up should end written in there. Hopefully automatically.
Hi Carlos, thanks for reply.
So all the many (linux) ways of setting DNS still all end up in exactly the same place, written in resolv.conf? Ok, so these questions remain:
1 - if all the different ways of setting the resolver(s) have different resolver(s), which one gets the 'prize', which is the final one written to resolv.conf? What order does linux read and write them?
I don't know for sure, it depends on the actual configuration of each machine. In each case I have to look around to find out - or I directly edit that resolv.conf
2 - why is dhclient.conf (prepend) not being applied? Because it is not the 'last' place searched for a resolver? This used to be where I made my only-needed changes pre-15.2 (different modem/router) but it does nothing in 15.2.
Maybe that daemon is not used.
3 - can the ISP, 'owning' the firmware sitting between linux and the net, still redirect the query to his own server (and logs), return fake data, and spoof the reply to make it appear it went to and came from the requested server? (theoretical issue, don't ask 'why' I ask this question...)
They might... they would have to create software for this, to capture packets and repurpose them. But then, you can issue a command like "host -v someaddress yourdnsipaddress" and see if the reply is suspicious. My guess is this could be a crime or offence. Or they could log the transaction and look inside, but not doing anything to alter it. This would not be traceable. If this is suspected, the alternative would be to cipher the dns queries. I heard of this, but I don't know if it is possible and how to do it. -- Cheers / Saludos, Carlos E. R. (from 15.1 x86_64 at Telcontar)
On 30/09/2020 05:53, Ralph wrote:
Hello!
[os Leap 15.2, xfce, Network Manager, Firefox 78.3.0esr, IPV4 only]
A (probably totally ignorant) DNS question: which resolver(s) will this system be actually using?
If you mean your Linux system then that's defined by the machine's /etc/resolv.conf and the /etc/nsswitch.conf. The C level routine to get host by name starts by looking at /etc/nsswitch.conf. I have mine set to hosts: files dns networks: files dns so I can over-ride specific sites. My /etc/resolv.conf reads nameserver 127.0.0.1 which means that I use a locally defined nameserver, in this case 'dnsmasq', which does a large number of smart things including integrating the dynamic entries for DHCP in a much easier manner than BIND. Your needs might vary. Oh, and does good security stuff without the crypto stuff that BIND needs. Much easier to manage :-) Of course you might mean something different when you talk of 'SYSTEM'. We often encounter problems with language imprecision here.
A system has an Arris SURFboard cable modem, SBG7400AC2. This is a AC2350Mbps combined router/modem. Though it's owned, the ISP can and does change the firmware not so infrequently (docsis 3).
Ah, "SYSTEM". But your applications on your Linux hosts don't know anything about this. As far as they are concerned it's irrelevant. If your applications use the standard C library then they use gethostbyname(3) and that goes via nsswitch.conf/resolv.conf. Now it *IS* possible to configure your nameserver to be your router, in which case whatever your ISP has set or you have over-ridden, comes into play. Is that how you have your /etc/resolv.conf set up?
This modem has a firmware option to turn off the ISP's two resolvers and enter my own resolvers (up to three) but doing so is flakey: change it, save/reload, and the ISP's resolver addresses return to the display.
OUCH. So this isn't a recommended router. Does your ISP allow any other DOCSIS 3 compliant router? There are some nice, capable ones around.
In frustration I removed it from the power line. I got busy with something else and didn't get back to this for about 6 hours. Plugged in the power and, hello, my own resolver addresses were now displayed in the 'change resolver' section as the current running set. Good. But the section of the router/modem firmware that displays the current 'System Information' still displays the ISP's resolvers.
OUCH. So you don't know what to believe.
Network Manager's gui (right-click) 'Connection Information' displays my chosen resolvers in the order I set them in the modem/router firmware.
Wait! Are you talking about 'Network Manager' on the router or on Linux?
In dhclient.conf I have a 'prepend domain-name-servers' with the wanted resolvers (in reverse order so I can tell effect if any) but it appears this isn't being imposed.
I presume you are talking about /etc/dhclient.conf on your Linux host. So we are talking about DHCP now, not DNS. That drags in a whole new can of worms. Personally I see this as an irrelevancy to what we are discussing. That you're concerned with it makes it clear you don't understand how your host does name resolution and management of same.
In Network Manager's gui 'Edit Connection / Editing ... / IPV4 Settings / Additional DNS servers' I have not added anything, but here's another place to set resolvers.
Yes, and there's YaST as well. But while the NetworkManager keeps its own record of what it has done, it is YetAnotherFrontEnd to putting entries into /etc/resolv.conf. You can also use such front ends to /etc/resolv.conf and /etc/nsswitch.conf and /etc/hosts and /etc/networks and /etc/ethers as VI, GVIM, ED, KATE, NEDIT, GEDIT, and many more that achieve the same ends as YaST and NetworkManager, but without the consistency checks. Nevertheless, some of us favour that technique over the GUI.
I'm wondering if the ISP's docsis tinkering may be the final overriding one (he who controls the firmware controls the world...)
I suppose it is possible that there is code in the router, not so very different from the code the US state department claims is in the Huawei routers, that intercepts certain addresses or protocols and redirects them. This would, of course, be an invasion of privacy and would break the function of the Internet. I can't think of a way to test all possible second, third and lower tier DNS servers by address, but it is easy enough to test outgoing DNS queries. Set up your own external server that 'fakes out' a query to port 53/UDP using 'netcat'. If DNS queries are being intercepted & redirected then it won't get to your fake server. -- “Reality is so complex, we must move away from dogma, whether it’s conspiracy theories or free-market,” -- James Glattfelder. http://jth.ch/jbg
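Carlos's "host -v someaddress yourdnsipaddress" and Anton's suggestion to watch where outgoing queries really go both come down to asking several resolvers the same question and checking that the answers, and the party answering, are what you expect. The following added example (not code from the thread, and written with hand-rolled RFC 1035 wire format so it needs no extra packages) does that comparison: `query_resolver` sends one UDP query and refuses a reply whose source address is not the server asked, `parse_response` checks the transaction id and extracts A records, and `group_by_answer` shows which resolvers disagree. `constructed_response` builds fake response packets so the logic can be exercised offline; all addresses are RFC 5737 documentation addresses and the resolver labels are invented.

```python
"""Ask several resolvers the same question and compare the A records they return.
Added example, not from the thread; the wire-format code is written by hand here."""
import random
import socket
import struct


def build_query(name, txid):
    """Standard recursive query for an A record (RFC 1035 wire format)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def read_name(data, offset):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:            # compression pointer
            if end is None:
                end = offset + 2
            offset = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            hops += 1
            if hops > 20:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            return ".".join(labels), (offset if end is None else end)
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data, expected_txid):
    """Return rcode, truncation flag and the sorted A records of a response."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch: reply is not to our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    off = 12
    for _ in range(qd):                       # skip the echoed question(s)
        _, off = read_name(data, off)
        off += 4
    addrs = []
    for _ in range(an):
        _, off = read_name(data, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[off:off + 4]))
        off += rdlen
    return {"rcode": flags & 0x000F, "truncated": bool(flags & 0x0200),
            "a": sorted(addrs)}


def query_resolver(server, name, timeout=3.0):
    """Live UDP query to one resolver; for use on a real host, not by the offline test."""
    txid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, peer = sock.recvfrom(4096)
    if peer[0] != server:                     # answered by someone we did not ask
        raise ValueError(f"reply came from {peer[0]}, not {server}")
    return parse_response(data, txid)


def group_by_answer(answers):
    """Map each distinct set of A records to the resolvers that returned it;
    more than one group means the resolvers disagree and deserve a closer look."""
    groups = {}
    for label, parsed in answers.items():
        groups.setdefault(tuple(parsed["a"]), []).append(label)
    return groups


def constructed_response(txid, name, addrs):
    """Build a response packet for offline testing (constructed, not captured)."""
    q = build_query(name, txid)
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(addrs), 0, 0)
    answers = b"".join(struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4)  # name = pointer to offset 12
                       + socket.inet_aton(a) for a in addrs)
    return header + q[12:] + answers


if __name__ == "__main__":
    # Offline demonstration: two resolvers agree, a third (invented label) does not.
    replies = {
        "my-resolver": parse_response(constructed_response(7, "www.example.net", ["192.0.2.10"]), 7),
        "isp-resolver": parse_response(constructed_response(7, "www.example.net", ["192.0.2.10"]), 7),
        "router": parse_response(constructed_response(7, "www.example.net", ["198.51.100.9"]), 7),
    }
    for addrs, who in group_by_answer(replies).items():
        print(addrs, "<-", ", ".join(who))
```

For a live check, replace the constructed replies with `query_resolver(ip, "www.example.net")` for each resolver you want to compare (the ones in /etc/resolv.conf, the router, and an outside one). Disagreement between groups, a reply from an unexpected source address, or a transaction id mismatch is the signal to look closer; as Anton notes, a device in the path can still answer with a spoofed source, so a consistent answer is evidence, not proof, and the netcat-to-your-own-server test covers the "did the query leave at all" half of the question.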
participants (5): Anton Aylward, Carlos E. R., Dave Howorth, Per Jessen, Ralph