Difference between revisions of "Stopping Open DNS - TG582N"

From AAISP Support Site
Latest revision as of 00:59, 18 August 2018

Getting rid of Open DNS Forwarder

This is set when AAISP configures the router.

Once the firewall is 'actually' disabled, there is now the problem that the DNS Forwarding function is open-access to the world. This is bad because small UDP packets with a spoofed source address can be sent to the router, which then sends a *large* UDP reply to whatever victim address the attacker chose: a bandwidth-amplification attack.

This can be resolved by:-

(a) On any machines with a static-IP-configuration, set their nameservers to go directly to AAISP (217.169.20.20 217.169.20.21) and do not try to use the routers' LAN IP address.

(b) Telnet into the Router, logon to Administrator (or aaisp from the WAN side), then enter commands:-

dhcp server config state=disabled
dhcp server pool config name LAN_custom localdns=disabled
dhcp server pool config name LAN_custom primdns=217.169.20.20
dhcp server pool config name LAN_custom secdns=217.169.20.21
dhcp server config state=enabled
dns server config state=disabled
saveall


What this does is tell the DHCPv4 server to hand out the addresses of AAISP's recursive DNS servers directly, rather than its own LAN address, and then completely disable the integral DNS forwarder (note that the DHCP server can only be reconfigured while it is disabled, hence the disable/enable pair around the pool commands).

The router may still want to use itself as a resolver for internal lookups, e.g. looking up names from its own configuration such as time servers. Telnet in to the router and set it to use the ISP's DNS servers, e.g.:

dns client dnsadd addr=217.169.20.20 port=53
dns client dnsadd addr=217.169.20.21 port=53
saveall

NB: You can check if Legacy IP addresses are running an Open Recursive server using the website:- http://security.zensupport.co.uk/recdns/
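As an added re-test for after the commands above (example code, not AAISP's or the router's own; the sample replies and the 192.0.2.1 address are constructed), this sends one recursion-desired query to an address you control and reports whether it still answers as an open forwarder, plus the reply-to-query size ratio that makes the amplification problem concrete:

```python
import socket
import struct
import sys

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Minimal DNS A query with RD (recursion desired) set, as a resolver client sends it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.strip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def parse_flags(resp: bytes) -> dict:
    """Pull out the header fields that decide whether the responder acted as an open forwarder."""
    if len(resp) < 12:
        raise ValueError("DNS response shorter than a header")
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    return {"txid": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
            "rcode": flags & 0x000F, "answers": an, "size": len(resp)}

def is_open_forwarder(resp: bytes, txid: int = 0x1234) -> bool:
    """True when the reply matches our query, offers recursion (RA), is NOERROR and carries an answer."""
    f = parse_flags(resp)
    return f["txid"] == txid and f["qr"] and f["ra"] and f["rcode"] == 0 and f["answers"] > 0

def amplification(query: bytes, resp: bytes) -> float:
    """Reply bytes per query byte: the multiplier a spoofed-source sender would get."""
    return len(resp) / len(query)

# Constructed sample replies (not captured from a real router), used for offline checks.
QUESTION = build_query("example.com")[12:]
RESP_OPEN = (struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + QUESTION
             + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([192, 0, 2, 1]))
RESP_REFUSED = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0) + QUESTION  # RCODE 5

def probe(addr: str, name: str = "example.com", timeout: float = 3.0):
    """Send one recursive query to addr:53 and return the raw reply, or None on timeout."""
    q = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (addr, 53))
        try:
            return s.recvfrom(4096)[0]
        except socket.timeout:
            return None  # no reply at all: the forwarder is closed or filtered from here

if __name__ == "__main__":
    reply = probe(sys.argv[1])  # the WAN address of the router you just reconfigured
    if reply is None:
        print("no reply: forwarder closed or filtered")
    else:
        print("OPEN" if is_open_forwarder(reply) else "closed", parse_flags(reply),
              "amplification x%.1f" % amplification(build_query("example.com"), reply))
```

A REFUSED reply (RCODE 5) or no reply at all is the result you want after `dns server config state=disabled`; an answered reply with RA set means the forwarder is still reachable.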