ISP and Router Vendor Security Related Offering, DNS and Firewall for Security

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
30,842
Reaction score
8,570
Yes, you can block particular target IP addresses. For example, you can block 1.1.1.1 (one of CloudFlare's IPv4 DNS server addresses). But it's not foolproof. You're just blocking direct access to well-known DNS services when you do that. It's trivially easy for clients to bypass such blocks.

For sure it is not foolproof. The idea is to block most of the clients using hard-coded DoT DNS servers (eg: Chrome Browser for Android phones, or if the user is using Android Private DNS).

But I am not so sure if it is really "trivially easy" when the block list is pretty comprehensive.

What do you mean when you say it is "trivially easy"? By setting up a DoH DNS server on a cloud VPS? Or setting up a DNS server not using the common ports 53/853? I would not say this kind of thing is "trivially easy" for most users.
 
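As an added example that is not part of any post in this thread: the kind of check a router owner can run over firewall flow logs to see which clients are going around the LAN resolver, covering the hard-coded DoT case (port 853 to 1.1.1.1) from the post above as well as plain DNS and DoH to known public resolvers. The log format, the resolver address 192.168.1.1 and the resolver list beyond 1.1.1.1 are assumptions.

```python
# Added example (not from the thread): flag DNS lookups that bypass the
# router's resolver in a constructed flow log. Assumes the router runs the
# only permitted resolver at 192.168.1.1 and a 'ts src dst dport proto' log.
import ipaddress

LOCAL_RESOLVER = ipaddress.ip_address("192.168.1.1")   # assumed LAN resolver

# Public resolvers that clients may have hard-coded for DoT/DoH. 1.1.1.1 is
# the Cloudflare address from the thread; the others are added assumptions.
PUBLIC_RESOLVERS = {ipaddress.ip_address(a) for a in
                    ("1.1.1.1", "1.0.0.1", "8.8.8.8", "8.8.4.4", "9.9.9.9")}

def classify_flow(dst: str, dport: int, proto: str):
    """Return why a flow looks like a resolver bypass, or None if it is fine."""
    dst_ip = ipaddress.ip_address(dst)
    if dport == 853 and proto == "tcp":
        return "DoT (853) to external resolver"
    if dport == 53 and dst_ip != LOCAL_RESOLVER:
        return "plain DNS (53) to non-local resolver"
    if dport == 443 and dst_ip in PUBLIC_RESOLVERS:
        # Only the destination address separates this from ordinary HTTPS;
        # DoH to a server not on the list is invisible to this check.
        return "probable DoH (443) to known public resolver"
    return None

def scan_flow_log(lines):
    """Return (src, dst, dport, reason) for every suspicious flow."""
    findings = []
    for line in lines:
        if not line.strip() or line.startswith("#"):
            continue
        _ts, src, dst, dport, proto = line.split()
        reason = classify_flow(dst, int(dport), proto)
        if reason:
            findings.append((src, dst, int(dport), reason))
    return findings

# Constructed sample: normal lookup, DoT, DoH, plain bypass, ordinary HTTPS.
SAMPLE_LOG = """\
# ts src dst dport proto
1700000000 192.168.1.20 192.168.1.1 53 udp
1700000001 192.168.1.21 1.1.1.1 853 tcp
1700000002 192.168.1.22 1.1.1.1 443 tcp
1700000003 192.168.1.23 8.8.8.8 53 udp
1700000004 192.168.1.20 203.0.113.10 443 tcp
""".splitlines()

if __name__ == "__main__":
    for src, dst, dport, reason in scan_flow_log(SAMPLE_LOG):
        print(f"{src} -> {dst}:{dport}  {reason}")
```

The last sample line shows the limit the thread is discussing: HTTPS to an unlisted address looks like any other web traffic, so DoH to an unknown server or a VPN tunnel passes this check.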

BBCWatcher

Arch-Supremacy Member
Joined
Jun 15, 2010
Messages
23,013
Reaction score
4,541
But I am not so sure if it is really "trivially easy" when the block list is pretty comprehensive.
It’s trivially easy because literally any reverse HTTPS proxy still works. Including one that you opportunistically set up using a public commercial cloud provider’s free tier. Also, any VPN connection bypasses all such blocks. Moreover, it’s just the DNS lookup part. You could look up the numeric IP address on your phone (for example) then connect using the numeric address. Or not even that. There are myriad Web sites that’ll look up an IP address for you.

I think if you’re going to enter into the world of blocking traffic then it ought to be based on white lists. For example, if you have a segregated “IoT” network, and your washing machine genuinely needs to contact something.lg.com, block all traffic except to something.lg.com. Your washing machine probably doesn’t need to visit Wikipedia (for example).
What do you mean when you say it is "trivially easy"? By setting up a DoH DNS server on a cloud VPS? Or setting up a DNS server not using the common ports 53/853? I would not say this kind of thing is "trivially easy" for most users.
Free VPNs are really easy. And the VPN providers are constantly playing the cat and mouse games to avoid black lists.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
30,842
Reaction score
8,570
Free VPNs are really easy. And the VPN providers are constantly playing the cat and mouse games to avoid black lists.

I am not a fan of typical free commercial VPNs. In fact I am not even a fan of typical paid commercial VPNs like NordVPN or Surfshark VPN. I know they are popular.

I prefer to use my own Wireguard VPN, or overlay VPNs like Tailscale/ZeroTier, mainly for remote access back to home.

But free apps to use secure DNS are good (usually acting as a VPN), like the Cloudflare 1.1.1.1 app (which can also be used as a VPN with the Warp feature). And indeed this is very easy to set up. I use it myself on mobile phones and Windows/macOS/Linux machines, mainly for testing purposes. There are other apps as well like ControlD and Intra, as well as many DNS changer apps.

Thanks for pointing this out.
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
30,842
Reaction score
8,570
Moreover, it’s just the DNS lookup part. You could look up the numeric IP address on your phone (for example) then connect using the numeric address. Or not even that. There are myriad Web sites that’ll look up an IP address for you.

That is where DNS based security is not good enough. But you can have IP based block list.

pfBlockerNG has the IP based block list. Same for banip.

But as you mentioned, VPN can easily bypass such IP block list as well.
 

d3adc3II

Senior Member
Joined
Nov 27, 2006
Messages
700
Reaction score
64
I am not a fan of typical free commercial VPNs. In fact I am not even a fan of typical paid commercial VPNs like NordVPN or Surfshark VPN. I know they are popular.
I agree. What's even the point of using Surfshark/Nord VPN in Singapore though :v, there is no good use case for those services, unless you are in China. But even in China, VPN might not work. China's GFW is quite hardcore; it often blocks WireGuard also.

The only use case I can think of is Netflix US? In that case, get a small VPS; it's cheaper and it can do more things 😝
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
30,842
Reaction score
8,570
I agree. What's even the point of using Surfshark/Nord VPN in Singapore though :v, there is no good use case for those services, unless you are in China

The only use case I can think of is Netflix US? In that case, get a small VPS; it's cheaper and it can do more things 😝

They do not even work well inside mainland China to bypass the Great Firewall in general. It is easier just to use data roaming if on a short trip. For a long-term stay, you may need to use those special SOCKS proxies like SSR/V2Ray/X-ray/Trojan/etc. Or set up a VPS server and use those SOCKS proxies.

These commercial VPNs also do not work outside of mainland China for mainland China content consumption. You need to use special going-into-China VPNs like AJS/Transocks/Malus/etc.

But yes, the main use cases of such paid commercial VPNs seem to be for bypassing geo-blocking, for content like Netflix US or Netflix Japan.

Many paid VPNs do not work for going-into-Singapore when people go abroad and want to use MediaCorp meWATCH or Singtel CAST or StarHub TV+, since those local services usually ban IP addresses of Singapore-based data centres.
 

d3adc3II

Senior Member
Joined
Nov 27, 2006
Messages
700
Reaction score
64
They do not even work well inside mainland China to bypass the Great Firewall in general. It is easier just to use data roaming if on a short trip. For a long-term stay, you may need to use those special SOCKS proxies like SSR/V2Ray/X-ray/Trojan/etc. Or set up a VPS server and use those SOCKS proxies.
Totally correct. Or sing-box is better, created by genius Chinese people to jump over the China GFW lolz.

Even for VPN, I prefer a VPS over a VPN for the same cost.
 

d3adc3II

Senior Member
Joined
Nov 27, 2006
Messages
700
Reaction score
64
although you can’t really block all DoH requests coming directly from clients since that’s indistinguishable from other HTTPS traffic. And if you’re slightly sophisticated you can configure different DNS servers (via DoH or DoT) for different LANs.
Can block, quite easy actually, but not worth it for us 😝. That requirement alone (blocking traffic going through HTTPS) costs a few thousand: an L7 application firewall that understands certificates and fingerprints.

Then the firewall no longer talks in IPs and ports but in application names.

Ya, won't be possible in a home network context, unless one day someone is generous enough to develop an open source solution for us (and it's not Suricata).
 

xiaofan

High Supremacy Member
Joined
Sep 16, 2018
Messages
30,842
Reaction score
8,570
Interesting news which shows:

Mis-issued certificates for 1.1.1.1 DNS service pose a threat to the Internet

https://arstechnica.com/security/20...-1-dns-service-pose-a-threat-to-the-internet/

...
In an emailed statement sent several hours after this post went live, Cloudflare officials confirmed the certificates were improperly issued. They wrote in part:

Cloudflare did not authorize Fina to issue these certificates. Upon seeing the report on the certificate-transparency email list, we immediately kicked off an investigation and reached out to Fina, Microsoft, and Fina’s TSP supervisory body – who can mitigate the issue by revoking trust in Fina or the mis-issued certificates. At this time, we have not yet heard back from Fina.

...

Cloudflare's statement observed:

The CA ecosystem is a castle with many doors: the failure of one CA can cause the security of the whole castle to be compromised. CA misbehavior, whether intentional or not, poses a persistent and significant concern for Cloudflare. From the start, Cloudflare has helped develop and run Certificate Transparency that has allowed this mis-issuance to come to light
 

BBCWatcher

Arch-Supremacy Member
Joined
Jun 15, 2010
Messages
23,013
Reaction score
4,541
Interesting news....
....In an emailed statement sent several hours after this post went live, Cloudflare officials confirmed the certificates were improperly issued.
Bad, but there are some significant limitations that make it less bad:
  • According to the report, Microsoft Edge was potentially vulnerable. Other major Web browsers configured within the browser to use DNS over HTTPS (Chrome, Firefox) and Apple devices (Safari) are not affected.
  • The vulnerability/attack would only work if the adversary/attacker intercepted DoH lookups — had the opportunity to intercept traffic to 1.1.1.1. This requires some degree of control over a particular network segment.
  • The adversary/attacker would only be able to monitor DNS lookups (i.e. where the Edge user is visiting), not the contents of the Web pages themselves. Although the adversary/attacker might get some good clues about what's inside the Web page(s) based on intra-page DNS lookups.
If this was some government's or other party's "wake up call" to persuade Microsoft and other technology providers to be more careful about monitoring security attributes in basic Internet infrastructure, "mission accomplished" (we hope). And this incident may put a CA out of business.
 