XYMer's Home away from Home

I got a call from my ISP today complaining about the large number of recurrent DNS requests being made by my connection and suggesting I buy a router. Well, I have one - an Airport Extreme.

All my systems are pointing to the router for DNS - yet the Airport doesn't seem to be caching the DNS look-ups. And I can't find any sort of DNS retention setting in the Airport Utility.

Is this just another case of Airport sucks as features go, or is there a correctable problem here?

Put the DNS numbers in the Machines.

Fir Macs/10.4.x... Network>TCP/IP>DNS Servers:, for that Interface...

208.67.222.222
208.67.220.220

Apply. These Servers have been patched to guard against DNS poisoning, and are faster/more reliable than most ISP's DNS Servers.

4.2.2.1
4.2.2.2

Free Public DNS Server
Service provider: Google
• 8.8.8.8
• 8.8.4.4
Service provider: ScrubIt
Public dns server address:
• 67.138.54.100
• 207.225.209.66
Service provider:dnsadvantage
Dnsadvantage free dns server list:
• 156.154.70.1
• 156.154.71.1
Service provider:OpenDNS
OpenDNS free dns server list:
• 208.67.222.222
• 208.67.220.220
Service provider: vnsc-pri.sys.gtei.net
Public Name server IP address:
• 4.2.2.1
• 4.2.2.2
• 4.2.2.3
• 4.2.2.4
• 4.2.2.5
• 4.2.2.6

http://theos.in/windows-xp/free-fast-pu ... rver-list/

What DNS servers are used with Earthlink/Mindspring ?...

Users who have DSL provisioned by Covad should use these:

207.69.188.186
207.69.188.185
207.69.188.187

The DNS servers for Earthlink (there are many others, I believe... someone else add as needed...) are:

207.217.126.81
207.217.120.83
207.217.77.82

NOTE: To manually Opt Out of the redirecting DNS that Earthlink has shoved down our throats forced upon us then use the IPs here:

»EarthLink DSL FAQ »What are the DNS Opt Out Servers for the Redirecting Earthlink DNS Problem?

207.69.188.172 (East Coast)
207.69.188.171 (West Coast)

If you are on the East Coast use it as your Primary DNS entry and use the West Coast as your Secondary DNS entry. If you are on the West Coast use it as your Primary DNS entry and use East Coast as your Secondary DNS entry. It is best to hard code these into your Router only and let the Router give the DNS to your PCs via normal DHCP instead of manually having to hard code multiple PCs. Most Routers have a settings location to place DNS entries.

http://www.dslreports.com/faq/1993

someone on our campus sysadmin list posted this DNS bench. looks like it would be useful and pretty

http://code.google.com/p/namebench/

That and you can make your ISP see what "a lot" of DNS requests really looks like.

If I had to make a lot of DNS requests, I'd consider running my own caching name server. Actually, I don't make a lot of requests, but still run my own DNS server since it's convenient and gives me much more control over name resolution.

- Anonymous

Have you tried flushing the DNS cache on your machines? If that doesn't work, the only currently known option is to turn airport on and then off again to force the base unit to reconnect and resume DNS caching.

I'd get a real router if I were you. AirPort is proprietary and exceptionally closed, with little to no documentation to resolve issues like these. Getting a real wireless router like a Linksys or Netgear (avoid D-Link like the plague unless you like obscure problems) is recommended. Newer Linksys routers can use Tomato firmwares (assuming they don't already have one installed), and are VERY well documented, so if you have issues, all you'd have to do is google your model # and the type of issue(s) you're having with it and you'd find solutions rather quickly.

I know several people that had to toss their AEBS (Airport Extreme Base Stations) and get real routers with true firewalling and non-closed/proprietary NAT tech.

The other solution, which is one I use with my Linksys router is to set all machines to use the router as the Gateway (192.168.1.1), and I use the following for my DNS servers:

128.210.10.11
4.2.2.2

The first is purdue's server, the second is a public DNS server, one of the above listed as guarded against DNS poisoning. As such, I rarely have issues with DNS caching, and if I do, I flush my DNS cache locally and I'm good (that's what I had to do when WoW stopped connecting on occasion after patch days).

New linksys routers blow....
And really your ISP called you i find that odd no one else?

It would take a pretty phenomenal volume of DNS queries, I think.

- Anonymous

second this. at least the GL linux one is flashable

Yup, which is why I love that Tomato integrates dnsmasq. It's a caching DNS server, even does local DNS resolves for whatever you want (e.g. static & dynamic DHCP names).

And I agree, all the new Linksys routers blow. I managed to get a WRT54GL v8 flashed to DD-WRT micro but the newer ones are shittier yet. OTOH the Micro image was actually lightweight enough to be able to handle a decent load, instead of putting it's virtual hands in it's virtual ears and virtually yelling "nyah nyah nyah i'm not listening to you" if you tried to go over 500~1000 simultaneous connections. Which sounds like a lot, sure, but connections don't time out very quickly, and if you put more than 2 systems behind it the connection limit rises to high levels surprisingly quickly. And newer Linksys routers are even worse, hardware-wise, than the v8.

OTOH there is a "new" WRT160NL that's supposed to eventually replace the WRT54GL, only problem is limited third party support. The thing launched over a year ago, but is significantly different than other open source (or reverse-engineered) routers - making for slow adoption and development. Last I checked there were bleeding-edge OpenWRT (telnet/ssh-only interface) builds and not much else, but it's been a while since I looked. It has removable antennas like the GL, which allows you a wider array of professional installations.

The ISP began flagging connections doing what they considered an unreasonable number of DNS lookups, because they said it would suggest an infected PC is up to something.

It comes down to Airport's don't keep a DNS cache of their own - they just forward DNS requests.

I switched the Airport DNS settings to Google DNS to shut them up.

Depending on how they're catching those DNS connections, that still may not shut them up. If they're catching it based on DNS traffic originating from your node, instead of catching it based on DNS requests hitting their server, they would still see the DNS traffic.

It seems like it would be more useful to monitor traffic flow for a large number of DNS connections to other servers -- not the ISP's server -- as a symptom of bot traffic. DNS amplification attacks, a particular kind of distributed denial of service attack, is conducted this way. Of course if they have the capacity to effectively monitor this, they should also have the capacity to block that kind of attack since it depends on forged UDP source addresses (that is, addresses that probably aren't on their own network). If they're just concerned about a large number of lookups to their own server, the value of monitoring this is lower unless they think you're attacking the ISP's server.

It is worth noting that your computer should also cache DNS responses, even if the Airport doesn't, so after an initial flurry of lookups when the computer is started up (cache empty), the number of lookups should probably eventually settle in to a lower equilibrium level as the cache accumulates frequently used names, at least unless you're doing something unusual.

- Anonymous

This was at the office, not just one computer.

The ISP can be pretty amateurish, but their very generous with upstream.

If you have a server at the office, you could set it up to be a caching DNS server, then configure AE to dish that out to DHCP clients.

No real server unfortunately, that would be my first choice. However not a peep since I switched the DNS over to Google.

Well the "server" just needs to be a system that's on 24/7. Any OS X box will do.

Funny that they haven't complained, but then again from what I've gathered in the application/interview process, ISPs tend to hire people who don't know what they're doing. So it's not all that surprising.