

Registered · 636 Posts
Discussion Starter #1
Teksavvy & Start cable internet both experienced major outages this evening.

Networks are slowly returning to normal. Could someone be messing with the POIs?
 

Registered · 1,537 Posts
Gentlemen, I saw plenty of complaints about Rogers home phone and internet services being down tonight, and spotty phone service for the last week for some. Downdetector shows Rogers customers from Ottawa to London with problems, and all the other TPIAs that rely on them.
 

Registered · 8,579 Posts
I saw a few oddities on Rogers the past few days but no extended outages. Sites were unreachable or addresses were not resolvable a few times, but it didn't last long. That's not unusual though. Sometimes it's just my devices not waking up properly.
 

Registered · 8,579 Posts
I've got to wonder if all Southern Ontario TSI traffic is routed through some Rogers equipment in Mississauga. Then, when Rogers in Mississauga goes down, it takes TSI in Ontario with it.
 

Registered · 8,178 Posts
^^^^
I doubt it would be Mississauga, as there's just a head end here. However, there is a big place in Brampton, on Dixie. I don't know what passes through there.
 

Registered · 636 Posts
Discussion Starter #11
It wasn't just TSI that was affected; all the TPIAs had issues. Check dslreports.

Still waiting for an explanation from TSI. But we'll likely never know what happened at Rogers.
 

Registered · 8,579 Posts
It isn't the first time something like this has happened. When I was with TSI Rogers performed an "upgrade" without informing TSI that it was taking place. TSI was out for the good part of a day while their equipment was updated after the fact. TSI was the only cable TPIA in Ontario at the time.
 

Registered · 4 Posts
I was helping out my brother with his Rogers connection within the past 7 days and fixed his issue. He was getting booted off of Xbox Live on an abnormal basis. I told him to enter in my public DNS server that I operate here in Mississauga as his DNS1 and told him to enter in Google's as his secondary, and his problems went away immediately.

As an independent hobbyist public DNS server operator, I can tell you personally that there are a lot of cloud VPS subscribers, primarily based in the USA and China, who run attack scripts on DNS servers, except that they run them from many different IP ranges simultaneously, which completely bypasses the DoS-preventative features of DNS servers such as BIND and Microsoft DNS. I was able to help my brother stay online because I've taken measures by writing a script that proactively blocks the major cloud VPS providers in my DNS configuration file, effectively making my single DNS server the best in the country, in my opinion. I'm a Rogers business internet customer, but since I run this server also for local DNS recursive queries, I also did not have any issues. What I did notice, though, is that most of the public DNS servers in Canada did go down or were inundated with many, many bogus DDoS-type DNS queries. public-dns.info lists all the global DNS servers it can scan, and many of the Canadian DNS servers listed lost quite a bit of reliability percentage score. Not mine though.

In your WAN DNS config, just use two different providers' DNS servers. I like to use one from Google and one from another reliable public provider, but don't make both DNS1 and DNS2 from the same ISP or media type. Do a ping test on both of the ISP-provided DNS servers in your ISP's pamphlet. Whichever provides the lowest ping time, just use that as your DNS1 and then use Google's 8.8.4.4 as the other.
 

Registered · 4 Posts
I like to use DNSBench from grc.com to find a good name server and avoid Google's name servers for privacy reasons.
All DNS servers will expose the source IP's internet name request unless they explicitly do not log or have not configured logging, which is irresponsible if one wants to know how their server is used, for stability reasons. A server administrator or operator cannot prevent a distributed denial of service attack effectively if they do not log and expose the source IP of the name request. It's very difficult to pinpoint a DDoS attack from other log sources, such as hardware firewall logs, as many attacks span multiple IP ranges while keeping the total sessions per IP down, effectively cloaking themselves among other legitimate DNS internet requests. The only way to mitigate an attack is to see the log of the name request itself so it can be nipped in the bud.

The point of "privacy" is less applicable when you select an alternate name server, because your name request will be the same needle within a smaller haystack, so a small-fry server operator would be more privy to the information if they decided to want to use that data for profit. It's best to use a known reliable server as an alternate along with another server that you also control, if possible. At least with Google's server, your internet request will be more secured from surfing to a known bad and malicious server that Google keeps track of. Almost no other server provides the basic levels of DNS security that Google does for free. Rogers DNS does not provide any additional security features that they make customers aware of, and their servers are oftentimes abused by their own subscriber base.

I understand that people, including myself, might not like Google for various reasons, political or otherwise, but they honestly do run some of the best free public DNS resolvers, which also correct a lot of internet surfing problems once people configure one of them into their internet devices.

If you are a casual internet surfer, you are better off having your internet request go to Google's vs anyone else, unless you are more comfortable having that other server operator able to see your request much more easily than a Google tech would.

In Linux, all you need to do is run a single command to parse a known IP to watch or output all of their internet requests, and any server running on Unix or Linux has this capability. It all depends on the person that knows how to wield such tools to do what they want to do with the data.

For me personally, I am just trying to run a stable server for the public and for my client's web performance and reduction of malware.

Google, for the most part, is trying to clean the internet. There's no doubt there's privacy exposure, but almost all operators expose that privacy (internally, I hope), so you might as well benefit from theirs, because they at least do some good with theirs. Other operators run theirs irresponsibly, which is why there are so many DNS outages across the country. Many times the outages have nothing to do with the ISP, unless the customer is using a DNS server that ISP operates.

Also even if you run your own DNS, your privacy is still exposed, because your recursive internet requests are examined by the global root servers via root hints. There's no way to completely secure your internet requests unless you create a forward lookup zone for every single internet name imaginable and then by maintaining them all by yourself. The root servers and operator of those root servers are ultimately able to see everything, if they choose to. Running your own server ultimately harnesses a lot of that control.

Just use Google's unless you really are generally bitter about them or want to serve up your own requests yourself or want to permit another large provider to serve up your requests instead. Ultimately, whichever server you configure will be the server that you are permitting to see your internet requests once you hit OK and start surfing.

I say all of this not solely for your viewing, but primarily for others who believe that not using Google's DNS somehow protects them from "privacy", which is a false notion. It's more about who to trust more than anything else.

The winner of your DNS traffic should be those who run the best servers within the geographical area closest to your internet-connected device or network, or have the best response times, but also other more important factors. The DNSBench tool, as you mentioned, is a way to help determine that winner, but it's not everything. Reliability combined with domain and IP blackhole filtering with performance should determine which are the winner DNS servers.
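The two previous posts describe the same detection problem from both sides: an attacker spreads queries over many source ranges so that per-IP limits never trip, and the operator can only see it in the query log itself. The script below, an added example that is not the poster's script, parses constructed BIND-style query log lines and aggregates them by source /24 so that a high-volume, low-per-client, many-unique-names prefix stands out; the cloud prefix list is a constructed placeholder, not a real provider feed.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed BIND-style query log (not captured traffic): one home client resolving
# a name three times, then 40 hosts in one /24 each sending one query for a distinct name.
SAMPLE_LOG = "\n".join(
    ["15-Mar-2016 20:01:%02d.000 client 198.51.100.7#5123 (example.com): "
     "query: example.com IN A +E (192.0.2.53)" % s for s in range(3)]
    + ["15-Mar-2016 20:01:%02d.000 client 203.0.113.%d#%d (r%d.example.org): "
       "query: r%d.example.org IN A +E (192.0.2.53)" % (s % 60, h, 40000 + h, h, h)
       for s, h in enumerate(range(1, 41))]
)
# Placeholder standing in for a cloud/VPS provider prefix feed (constructed).
CLOUD_PREFIXES = [ipaddress.ip_network("203.0.113.0/24")]
# Matches "client 1.2.3.4#port (name): query:" with or without the newer "@0x..." token.
QUERY_RE = re.compile(r"client (?:@0x[0-9a-f]+ )?(?P<ip>[0-9a-fA-F.:]+)#\d+ \([^)]*\): "
                      r"query: (?P<qname>\S+) IN (?P<qtype>\S+)")

def parse_queries(log_text):
    """Yield (source_ip, qname, qtype) for each query line that matches."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("ip"), m.group("qname").lower(), m.group("qtype")

def summarize_by_prefix(log_text, prefixlen=24):
    """Per source /prefixlen: total queries, distinct clients, distinct names."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set(), "qnames": set()})
    for ip, qname, _ in parse_queries(log_text):
        s = stats[str(ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False))]
        s["queries"] += 1
        s["clients"].add(ip)
        s["qnames"].add(qname)
    return stats

def flag_distributed_prefixes(log_text, min_queries=20, max_per_client=3.0):
    """Prefixes with high aggregate volume but low per-client volume, the pattern a
    per-IP limiter never trips on; also notes whether the prefix is on the cloud list."""
    flagged = {}
    for net, s in summarize_by_prefix(log_text).items():
        per_client = s["queries"] / len(s["clients"])
        if s["queries"] >= min_queries and per_client <= max_per_client:
            flagged[net] = {"queries": s["queries"], "clients": len(s["clients"]),
                            "unique_name_ratio": round(len(s["qnames"]) / s["queries"], 2),
                            "cloud": any(ipaddress.ip_network(net).subnet_of(c)
                                         for c in CLOUD_PREFIXES)}
    return flagged
```

On the constructed log the home client's /24 is never flagged, while the /24 with 40 one-query clients and 40 distinct names is, which is the shape a per-IP counter hides.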
 

Registered · 8,579 Posts
I am looking at it from the perspective of Google already slurping too much personal information into their galactic database and just trying to eliminate some of it by reducing the use of their services when possible. I'm well aware that I cannot eliminate Google's snooping entirely due to some of the Google devices and services I do use.

If I were really concerned about privacy then I would use the DNS servers available from a proxy service provider. None of them showed up in the DNSBench server list so I would have some concerns about their reliability and speed, as well as the higher profile using their servers might create.

If I were concerned about rogue sites and malware, I would use a server provided by a company that provides DNS servers specifically designed for that purpose. As it is, I'd rather avoid DNS services that block or redirect DNS requests. That function is already provided by my AV software.

I ran DNSBench to see what servers are currently performing well. A few things have changed. Google's servers no longer are anywhere near the top of the list. Previously they were. As in several previous tests, several OpenDNS servers performed well and it's a fairly well respected service, though it looks like it has new owners. Several Toronto based ISPs, including Rogers, showed up near the top of the list as well. I assume that's due to their proximity.
 

Registered · 8,178 Posts
> If I were really concerned about privacy then I would use the DNS servers available from a proxy service provider. None of them showed up in the DNSBench server list so I would have some concerns about their reliability and speed, as well as the higher profile using their servers might create.
I run pfSense for my firewall. It has a DNS resolver, which goes right to the root DNS servers, bypassing Google, etc..
 

Registered · 4 Posts
DNSBench does not tell the whole story due to use of RRL or response-rate-limiting, which is a common feature in BIND DNS servers that most techs simply don't know anything about. Most DNS servers should be using this feature to varying degrees, which has a huge impact, negatively or positively, by its configuration. In fact, the configuration of the DNS server alone is the most important factor impacting the performance of a public recursive DNS resolver. You could use DNSBench, which is great software for determining a fast record response and latency of a server from the public side, but the real-world behaviour will vary once you give it a real load from a network, and this is due to the default and custom configured server in relation to total inbound recursive requests plus caching policy of that server. A lot of applications make many unneeded and identical hostname requests and distribute that load across multiple UDP ports, which I believe DNSBench does not account for, but the server would begin to block in many cases where the DNSBench application would only detect that as a latency spike or delayed response, but in reality the server could be dropping the request without a response.

In relation to preventing malware, DNS is the most resource-friendly way to eliminate known malware threats that I've ever come across, other than at a security-enabled firewall. AV is only effective if each endpoint is up to date and if the AV provider uses blacklists that are up to date as well. This means each endpoint has to be managed against the blacklist independently or from the central AV management server. Using the AV method to redirect only mitigates threats at the endpoint, which needs to be done x times over and over, where x is the number of computers that need to connect to the internet. Even if the DNS responds quickly, the endpoint would slow the perceived speed of the internet to the user.

You are correct about the proximity argument. That is true. You can use DNSBench to help isolate the close servers vs the farther ones.

Regarding your second paragraph where you prefaced with "If I were really concerned about privacy". I'm confused because I thought that privacy was your initial concern, which spawned my initial response. I was trying to debunk that notion of privacy that I used to believe myself until I started to run my own public server to see the logs myself.

Regarding Google being able to snoop your data across multiple devices and what not...I am not sure if I mentioned Google apart from their DNS services...not sure if this even comes into play. Regarding their market dominance, though, I'm with you...They are too big and/or I share similar sentiments.

Regarding OpenDNS...they are no different than Google. They collect data. Regarding OpenDNS's performance...I have mixed experiences deploying their DNS in years past depending on the ISP deployed on location. They are a great choice as well, especially if you pay for additional features.
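The RRL point above is easiest to see by modelling it: a per-client-prefix budget of identical responses per second, with over-limit responses either dropped silently or, every slip-th time, sent truncated so a well-behaved client retries over TCP. The class below is an added, simplified token-bucket illustration written for this thread (not BIND's implementation, whose exact accounting differs); the client address and query are constructed.

```python
import ipaddress
from collections import defaultdict

class ResponseRateLimiter:
    """Simplified token-bucket model of BIND's response-rate-limiting (RRL), written
    for illustration (not BIND's code). Identical responses to the same client /24
    are limited to `responses_per_second`; once the bucket is empty, every `slip`-th
    over-limit response is sent truncated (TC=1, so a real client retries over TCP)
    and the others are dropped with no reply at all."""

    def __init__(self, responses_per_second=5, slip=2, prefixlen=24):
        self.rps = responses_per_second
        self.slip = slip
        self.prefixlen = prefixlen
        self.buckets = defaultdict(lambda: {"credits": float(self.rps), "ts": None, "over": 0})

    def _key(self, client_ip, qname, qtype):
        net = ipaddress.ip_network(f"{client_ip}/{self.prefixlen}", strict=False)
        return (str(net), qname.lower(), qtype)

    def decide(self, client_ip, qname, qtype, now_ms):
        """Return 'answer', 'truncate' or 'drop' for one response at time now_ms."""
        b = self.buckets[self._key(client_ip, qname, qtype)]
        if b["ts"] is not None:
            # Refill at rps credits per second, capped at one second's burst.
            b["credits"] = min(b["credits"] + (now_ms - b["ts"]) * self.rps / 1000.0, self.rps)
        b["ts"] = now_ms
        if b["credits"] >= 1:
            b["credits"] -= 1
            return "answer"
        b["over"] += 1
        return "truncate" if self.slip and b["over"] % self.slip == 0 else "drop"

def simulate_burst(count, per_second, responses_per_second=5):
    """Send `count` identical queries from one constructed client at `per_second`
    and tally the verdicts: the drops are what a benchmark only sees as timeouts."""
    rrl = ResponseRateLimiter(responses_per_second=responses_per_second)
    tally = {"answer": 0, "truncate": 0, "drop": 0}
    for i in range(count):
        tally[rrl.decide("203.0.113.10", "example.com", "A", i * 1000 // per_second)] += 1
    return tally
```

At twice the configured rate the same client sees a mix of answers, truncations and silent drops; at a rate below the limit every query is answered, which is why a benchmark's latency figures depend on the load it happens to generate.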
 

Registered · 4 Posts
> I run pfSense for my firewall. It has a DNS resolver, which goes right to the root DNS servers, bypassing Google, etc..
pfSense is great. I took an old Nortel Contivity Firewall in 2012 one time and overwrote the firmware with pfSense...it was a fruitful and beneficial experience for the corporation, because it was able to work in a fanless appliance instead of having to load it up in a desktop or laptop. The server room was a tiny poorly ventilated closet...

It's a great way to manage DNS with a GUI on the cheap. I really like the versatility of pfSense also. I might use it again one day. Many features work very well, in many cases better than firewalls that cost anywhere between hundreds and tens of thousands of dollars.
 

Registered · 8,579 Posts
> Regarding your second paragraph where you prefaced with "If I were really concerned about privacy".
I said "really concerned" as opposed to just concerned. Maybe I should have said, "If I were really paranoid about privacy".

I ran pfSense for a few months, then switched to OPNSense due to some issues with pfSense. OPNSense is a fork of pfSense and therefore very similar, but seems to be a little more focused on stability rather than adding new features. I've never had an issue with OPNSense. I'm running it on a lightweight PC which has more than enough power and resources. I already had most of the parts, so it was cheaper than buying a consumer router.

These days, it looks like a good platform for pfSense or OPNSense is one of the Intel J1900 based mini PCs made to run pfSense. They have 4 gigabit LAN ports built in and can be configured with various hard drive and RAM options as needed. They aren't really cheap but are much less expensive than most preconfigured business routers.

The AV solution I use is very comprehensive and is updated regularly. It blocks questionable sites and scans all content for embedded malware. I'm not saying that DNS blocking or redirection is any better or worse, just that it is redundant for the most part. Both ways add false positives, and I don't want to compound that issue.
 