Dnsmasq is a lightweight DNS forwarder and caching server that can also hand out DHCP leases and act as a TFTP server, which is what a PXE boot needs. There are plenty of well-known DNS servers available, including the DNS role on Windows Server and BIND on Unix-based systems, so what sets Dnsmasq apart? Besides being multi-purpose, it is aimed at home networks and small office workgroups: it is easy to configure and lets the machines on your LAN find each other by name. It works by reading the local hosts file (/etc/hosts) and the leases its own DHCP server hands out, so every host it knows about resolves to its current IP address. Anything it cannot answer locally it forwards to an upstream DNS server that you configure, such as your ISP's resolver or Google's public DNS, and it caches the answer so that the next lookup of that name is resolved locally.
Since I run a Linux machine at home I decided to give Dnsmasq a try. I run Fedora 16, which already had Dnsmasq installed; I just had to locate the configuration file, which was in /etc. I have to say that the configuration file was rather easy to work with. The comments were descriptive enough to help me understand what each line was for and what I needed to put in it. After setting up the configuration file it was time to test it. I used the Linux command dig (dig www.trigonit.com), which shows the time it takes to have the name resolved. Running it a second time, after the name and IP address were cached, resulted in much faster times since it was now being resolved locally rather than by a public DNS server. At the time of this writing I have not yet dabbled in the DHCP or TFTP features. Now a word of advice: despite its relative ease of setup, I would still recommend doing as much research as possible before attempting to configure it, and before touching the configuration file make a copy of it, so that if something doesn't work you can revert to the original. If you have any questions about DNS or why it's important for your network environment, please feel free to contact us today and we can assist you.
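As an added example (not part of the original post), here is a minimal dnsmasq.conf for a home LAN that covers the pieces described above (local names from the hosts file and DHCP, forwarding to configured upstreams, caching) together with the settings that keep a home resolver from answering the whole internet, plus a small audit function that checks an existing config for them. The interface name, LAN addresses, the "lan" domain and the upstream resolvers are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the original post: a minimal hardened dnsmasq.conf
# for a home LAN plus a small audit function. The interface name, LAN
# addresses, domain and upstream resolvers are assumptions for illustration.

# Print a dnsmasq configuration for a router on 192.168.1.1 (assumed).
render_dnsmasq_conf() {
    cat <<'EOF'
# Answer only on the LAN side, never on the WAN: an unrestricted dnsmasq
# on a public address is an open resolver anyone can use for amplification.
interface=eth0
bind-interfaces
listen-address=127.0.0.1,192.168.1.1

# Never send bare hostnames or private-range reverse lookups upstream.
domain-needed
bogus-priv

# Drop upstream answers that point at private addresses (DNS rebinding).
stop-dns-rebind
rebind-localhost-ok

# Ignore /etc/resolv.conf and forward only to these upstreams (assumed).
no-resolv
server=8.8.8.8
server=8.8.4.4

# Names from /etc/hosts and DHCP leases are answered locally; all other
# answers are cached so the second lookup never leaves the LAN.
domain=lan
local=/lan/
expand-hosts
cache-size=1000
dhcp-range=192.168.1.100,192.168.1.200,12h
EOF
}

# Check an existing config for the settings above. Return 0 if all are
# present, otherwise print each missing setting and return 1.
audit_dnsmasq_conf() {
    conf=$1
    rc=0
    if ! grep -Eq '^(interface|listen-address)=' "$conf"; then
        echo "missing interface= or listen-address=: dnsmasq would answer on every interface"
        rc=1
    fi
    for opt in bind-interfaces domain-needed bogus-priv stop-dns-rebind; do
        grep -q "^$opt\$" "$conf" || { echo "missing $opt"; rc=1; }
    done
    return $rc
}

# The post's check, once dnsmasq is running: the second query is answered
# from cache, so its "Query time" drops to a few milliseconds.
check_cache() {
    dig @127.0.0.1 www.trigonit.com | grep 'Query time'
    dig @127.0.0.1 www.trigonit.com | grep 'Query time'
}

# Write the example config, audit it, and run dnsmasq's own syntax check
# when the binary is available. Pass "dig" as a second argument to run
# check_cache as well.
main() {
    out=${1:-./dnsmasq.conf.example}
    render_dnsmasq_conf > "$out"
    audit_dnsmasq_conf "$out" || return 1
    command -v dnsmasq >/dev/null 2>&1 && dnsmasq --test -C "$out"
    [ "${2:-}" = "dig" ] && check_cache
    return 0
}

main "$@"
```

Run it as `sh dnsmasq-example.sh /etc/dnsmasq.d/lan.conf` to write the config, then `sh dnsmasq-example.sh /etc/dnsmasq.d/lan.conf dig` after restarting dnsmasq to see the cached second lookup. The audit function is also useful on its own against a config you already have: the interface restriction is the line most often missing on a machine with a public address.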
- by Chad, "The Dream", Weaver.
I wanted to finish up my series on wireless networks with a little bit more on open and WEP-encrypted networks. You won't always have a choice of which network you connect to, but there are some important things to consider when you do. On either kind of network your traffic isn't protected from prying eyes. WEP is a little better than nothing, but every client uses the same shared key, and WEP's flaws let that key be recovered from captured traffic, so a listener can decrypt the stream with almost no effort and read what is being transmitted. So if you want to keep what you are doing private, whether it is changing your Facebook status or tweeting about the great cup of coffee you are drinking at a coffee shop, you might want to take a couple of extra steps.
A little while back an add-on was released for Firefox that lets anyone running Firefox with it watch the traffic in the air for session data from popular websites. I don't want to give anyone ideas, so I won't even mention its name. It is still around and has plenty of downloads. Not only can they see these sessions, they can "sidejack", or step in as the user, effectively taking over the session on sites like Facebook, Twitter, Flickr and so on. This works best on an open network like a coffee shop or airport, where the network is gated only by a captive-portal web page that grants access once you accept the terms, because nothing encrypts the traffic in the air.
So what can you do to keep your status updates and tweets your own? One way is to be sure you are using SSL (HTTPS) when connecting to websites, and this matters even more over wireless. Everything between you and the site is encrypted, and the site's digital certificate lets your browser verify that it is talking to the real site rather than an impostor on the same network. So make sure the address bar reads HTTPS rather than HTTP, and look for the padlock icon. The biggest flaw is that websites don't always use HTTPS for every page; many encrypt only the login, which protects your password but not against the attack mentioned above. That attack only needs your session cookie, and if the site sets that cookie without the Secure flag your browser sends it along with every plain-HTTP request to the site, in the clear, for anyone on the network to copy.
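The check a practitioner would want here is whether a site's session cookie actually carries the Secure attribute. As an added example (not from the original post), the script below reads HTTP response headers and flags every Set-Cookie line that lacks Secure (and notes a missing HttpOnly as well); the header lines embedded in it are constructed, and the site URL in the usage comment is an assumption.

```shell
#!/bin/sh
# Added example, not from the original post: flag cookies that a site sets
# without the Secure attribute. Such a cookie is sent on every plain-HTTP
# request to the site, which is exactly what a listener on an open network
# needs to replay the session. Header lines below are constructed.

# Read HTTP response header lines on stdin. Print one line per Set-Cookie
# that lacks Secure and/or HttpOnly. Return 1 if any cookie lacks Secure.
audit_set_cookie() {
    bad=0
    while IFS= read -r line; do
        case "$line" in
            [Ss]et-[Cc]ookie:*) ;;
            *) continue ;;
        esac
        name=$(printf '%s' "$line" | sed -E 's/^[Ss]et-[Cc]ookie:[[:space:]]*([^=]+)=.*/\1/')
        flags=""
        printf '%s' "$line" | grep -qi ';[[:space:]]*secure' || { flags="no-Secure"; bad=1; }
        printf '%s' "$line" | grep -qi ';[[:space:]]*httponly' || flags="$flags no-HttpOnly"
        [ -n "$flags" ] && echo "$name: $flags"
    done
    return $bad
}

# Constructed sample: the session cookie is missing Secure, so the browser
# would send it over HTTP even though the login itself happened over HTTPS.
SAMPLE_HEADERS='HTTP/1.1 200 OK
Set-Cookie: sessionid=8f3a2c; Path=/; HttpOnly
Set-Cookie: csrftoken=a1b2; Path=/; Secure; HttpOnly
Set-Cookie: lang=en; Path=/'

# Against a live site (assumed URL): curl -sI https://example.com/ | audit_set_cookie
printf '%s\n' "$SAMPLE_HEADERS" | audit_set_cookie || echo "a cookie above would travel over plain HTTP"
```

The output for the sample is `sessionid: no-Secure` and `lang: no-Secure no-HttpOnly`; csrftoken is not reported because it has both attributes. A session cookie in the first category is what the add-on described above harvests.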
How can we do better? The first option is a VPN: if you can establish a VPN connection to a trusted location and send all your traffic down that tunnel, everything is encrypted between you and that endpoint, so nobody on the wireless network can read it. Commercial VPN providers offer servers in various locations across the globe for this and other purposes. Your traffic is protected all the way to their servers, so anyone trying to read your wireless traffic would be unsuccessful; keep in mind, though, that the protection ends at the VPN endpoint, and the provider and everything beyond it see your traffic as they normally would, so pick one you trust. You could even create a VPN to your home network using various programs, which I won't go into here.
The next method is to use SSH to encrypt your web traffic: send it all down an SSH tunnel to a trusted endpoint and reach the internet from there. This works on Windows, Mac and Linux. You can run a small SSH server at home and build the tunnel to it, then use it on the road to protect your browsing.

Another way, one I have tested myself and which is also sort of fun in a nerdy way, is to use an Amazon EC2 cloud server as the far end of the tunnel and point your web browser at it through a SOCKS proxy. I used a free micro instance in the cloud; I have also built and installed other pieces of software on this server, but the base install is all you need to protect your web browsing. After you get through the process of signing up, creating your key pair and launching your first instance (be sure to pick the micro if you want this to be 100% free), use your SSH client to open a tunnel with dynamic port forwarding, which binds a local port as a SOCKS proxy. In this example that port is 8899, but you can use any port you wish. In your web browser's proxy settings, choose manual configuration and set a SOCKS proxy at address localhost with the port you chose for the tunnel; also make sure the browser sends its DNS lookups through the proxy (in Firefox, set network.proxy.socks_remote_dns to true), otherwise the names of the sites you visit still go out in the clear. Like magic, all your web traffic now goes through the tunnel to the Amazon cloud before reaching the internet, hidden from prying eyes on the local network, and if you visit a site that shows your IP address you will see it has changed to the IP of your cloud instance. A nice side effect is that this bypasses some web filtering on the local network, which sees only an SSH connection to one host rather than your HTTP requests. If I hear that anyone is interested in a step-by-step guide to creating such a proxy I shall write one up.
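As an added example (not the post's own commands), the script below opens the SOCKS tunnel just described and checks that it is actually in use, including the DNS leak that a browser-side SOCKS setting silently allows. The key file, user name and host are assumptions; the local port follows the post's 8899, and the public-IP echo service is just one of many such sites.

```shell
#!/bin/sh
# Added example, not from the original post: open the SSH SOCKS tunnel
# described above and verify that web traffic and DNS lookups both go
# through it. The key file, user name and host are assumptions; the local
# port follows the post's 8899.

TUNNEL_PORT=${TUNNEL_PORT:-8899}
SSH_KEY=${SSH_KEY:-$HOME/.ssh/ec2-key.pem}            # assumed key pair file
SSH_TARGET=${SSH_TARGET:-ec2-user@ec2-host.example}   # assumed user@host

# A TCP port is 1..65535 and digits only; reject anything else before it
# reaches the ssh command line.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# -D 127.0.0.1:PORT puts the SOCKS listener on loopback only, so other
# laptops on the same coffee-shop network cannot ride your tunnel;
# -N opens no remote shell and -f backgrounds ssh once the tunnel is up.
start_tunnel() {
    valid_port "$TUNNEL_PORT" || { echo "bad port: $TUNNEL_PORT" >&2; return 1; }
    ssh -i "$SSH_KEY" -f -N -D "127.0.0.1:$TUNNEL_PORT" "$SSH_TARGET"
}

# The browser must resolve names through the proxy too, or every lookup
# still leaves your laptop in the clear: in Firefox set
# network.proxy.socks_remote_dns to true; curl's --socks5-hostname does the
# same (plain --socks5 would resolve the name locally and leak it). This
# compares your public IP with and without the tunnel.
check_tunnel() {
    ip_svc=${1:-https://checkip.amazonaws.com}   # any "what is my IP" service
    direct=$(curl -s "$ip_svc")
    via=$(curl -s --socks5-hostname "127.0.0.1:$TUNNEL_PORT" "$ip_svc")
    echo "direct: $direct   via tunnel: $via"
    [ -n "$via" ] && [ "$direct" != "$via" ]
}

case "${1:-}" in
    start) start_tunnel ;;
    check) check_tunnel ;;
    *) echo "usage: $0 start|check" >&2 ;;
esac
```

Run `sh tunnel.sh start` once you are on the public network, then `sh tunnel.sh check`; the two addresses should differ, with the second being your instance's public IP. If they match, the proxy is not being used at all; if the browser shows the cloud IP but your DNS server logs still show your lookups, remote DNS is the setting you forgot.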
Remember that when you are using public networks, unless you are protecting your data in some way, everything you are doing is, well, public. If you are not, do not do anything you wouldn't want anybody to see or have access to: private data, work data, and anything else you wouldn't want to be public knowledge. Be safe. If you'd like to know more about the secure solutions Trigon Technology provides, be sure to contact us post haste!