Posts tagged ‘security’

Adventures in DNS

I just posted about my new PA-220 firewall and mentioned URL filtering.  I have a number of categories blocked, including web-advertising, adult content, malware, etc.  But you can always make something better, right?

The PA-220 has a feature to enforce safe search with various search engines.  Unfortunately, it seems to not work very well on my iPhone, or in Safari on my Mac.  It could be the 8.0.2 firmware, or perhaps it’s something that I’m doing wrong.  In any case, I wanted to fix it, as it was annoying.

Both Google and Bing support a feature to enable Safe Search for your network via DNS.  What you have to do is, when someone requests, make your DNS return a CNAME record for  While this might sound easy, as I discovered, it’s a bit more complex than perhaps it should be.

First, the DNS proxy feature in my PA-220 does support configuring static entries, so I could add an entry for, but I can’t set it to CNAMEs, only IP addresses.  I would have to hard code the IP address for, which could potentially change at any time, breaking things.

After a bit of research, I found my first candidate for actually making the CNAME change.


On my unRaid box, I installed a Docker container of Pi-Hole, a DNS-based system (meant for the Raspberry Pi, but capable of running on other platforms) that blackholes DNS queries to web advertising sites, etc.  It uses DNSmasq and can run DHCP as well as DNS.  With that integration, it can resolve local hostnames to their DHCP-assigned addresses.  I could do that now by adding static entries to my DNS Proxy instance on the PA-220, but it wouldn’t pick up on DHCP entries.  But, alas, DNSmasq treats a manually added CNAME entry differently than I had hoped.  It will ignore it unless it has the target record defined somewhere, such as a static definition or via DHCP…  It won’t resolve an external CNAME like a normal query and return it.  And if I were to define as an A record in DNSmasq, that would really defeat the whole purpose of using the CNAME.

Pi-Hole does have a very nice modern web interface with statistics and graphs, and it looks extremely easy to whitelist or blacklist sites.  It gives you great visibility into which devices on your network are doing the most DNS lookups, and if you are wondering where your IoT devices go on the Internet, you can even filter the logs to see what an individual device is performing lookups against, assuming you have all your devices querying Pi-Hole directly, instead of chained like I’m doing here.  In fact, you can even disable the blocking functionality if you like.  With it disabled, it won’t block, but you’ll be able to see all the statistics and logs it has to offer, even showing you what it would have blocked.  Today, it has blocked about 8.8 percent of my DNS queries, though I haven’t really noticed much difference from when I simply go through my PA-220.


While looking for other DNS packages that could do this CNAME trick, I ran across one that looked very interesting for a different reason.  Dingo is effectively a DNS resolver that takes requests in on port 53, and resolves them over encrypted HTTP/2.  It can be used with both Google and OpenResolve (by OpenDNS).  I installed it as another docker and it seems to work fine.  I did increase it to use 25 worker threads instead of the initial 10.  I don’t know if I’ll keep using this or not, but I’ll see how it goes.


Other research turned up some settings for Bind that would let me add the CNAME records I needed for Google and Bing to enforce safe search, and yet another Docker container was installed.  The one I chose included Webmin for easy administration of Bind.  It worked just fine.

So, now I have the initial DNS queries pointing to the PA-220, taking advantage of the Threat/URL Filtering there, then forwarding to a container running Bind to handle the Google and Bing domains, which forwards to Pi-Hole (which I may end up removing from this chain), and finally to Dingo to perform the actual DNS lookups over encrypted HTTP/2.
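As an added example (not the author’s actual configuration), here is what the Bind hop in that chain looks like when done with a response policy zone (RPZ), which lets Bind answer with a CNAME and then resolve its target itself, which is exactly what DNSmasq would not do.  The file paths and the upstream address 192.0.2.53 (standing in for the next hop, Pi-Hole) are assumed placeholders; forcesafesearch.google.com and strict.bing.com are the hostnames Google and Bing document for enforcing Safe Search.

```conf
# ---- /etc/bind/named.conf (assumed path) ----
options {
    directory "/var/cache/bind";
    recursion yes;
    # Everything this box does not rewrite goes to the next hop in the chain.
    # 192.0.2.53 is a placeholder for the Pi-Hole (or Dingo) address.
    forwarders { 192.0.2.53; };
    forward only;
    # Apply the policy zone below to every answer before it is returned.
    response-policy { zone "safesearch.rpz"; };
};

zone "safesearch.rpz" {
    type master;
    file "/etc/bind/db.safesearch.rpz";
    # The policy zone is consulted internally only; never serve it to clients.
    allow-query { none; };
};

; ---- /etc/bind/db.safesearch.rpz (assumed path) ----
$TTL 300
@               IN SOA  localhost. root.localhost. ( 1 3600 900 604800 300 )
                IN NS   localhost.
; "Local data" CNAME triggers: Bind returns the CNAME and recursively resolves
; its target, so clients get the current address of the enforcement host
; instead of an IP that was copied in by hand and may change later.
www.google.com  IN CNAME forcesafesearch.google.com.
www.bing.com    IN CNAME strict.bing.com.
```

To check it from a client, `dig www.google.com @<bind address>` should show the CNAME followed by the address of forcesafesearch.google.com in the answer section.  A device that still reaches the unfiltered site is using a different resolver (hard-coded DNS or DNS over HTTPS), which is the usual way this control is sidestepped and worth watching for in the firewall logs.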


That sounds like a lot, but not including the PA-220 (which was doing this job before), I’ve added three hops that all exist on the same box.

May 21, 2017 at 7:48 pm

The PA-220 Firewall is here!

The PA-220 has 8 ports of Gigabit goodness on the front, aside from the management port.

The PA-220 supports some pretty high-end features, making it suitable for use in a small business office.  First, there is High Availability (HA) mode, if you have a pair of PA-220s and duplicate your connectivity (even to your WAN, so you’d need a switch between a cable/DSL modem and the pair of firewalls).  Another big feature is LACP (Link Aggregation Control Protocol) support, so you could have multiple connections between your firewall and an Ethernet switch.  This redundancy is something small offices would likely want, since when the WAN connection is down, there is probably work that can’t be done.

The PA-220 comes with a template and hardware to mount it sideways on a wall, something that I plan to do at some point but haven’t gotten around to yet.

Since the PA-220 is limited to about 500 Mbps of firewalled throughput, and down to about 150 Mbps with Threat enabled, I recommend putting only relatively low-speed or low-volume devices directly on the ports of the firewall itself, if the primary thing they communicate with is also on the local LAN.  You could always add a rule allowing intrazone traffic with no Threat profiles on it, giving you the maximum 500 Mbps to the internal network.

I’ve got it in place, doing SSL decryption, Threat, URL filtering, Wildfire, and GlobalProtect VPN.  It seems to perform pretty well so far.

May 21, 2017 at 11:20 am

Bad Journalism – Fear Mongering for hits

Recently there have been a number of high profile security issues.  Heartbleed, ShellShock, and POODLE have all hit in 2014.

I must say that I like the fact that these significant security vulnerabilities are getting these hip nick-names in the media.  That means that more and more people who are less technical are going to hear about the issues.

It also means there is going to be bad journalism.  Get everyone up in arms about the latest threat, real or imagined.

Today, I ran across this really bad article:

Here’s the sub-title:

We took a hacker to a café and, in 20 minutes, he knew where everyone else was born, what schools they attended, and the last five things they googled.

Exaggerate much?  This is complete hyperbole.

How can I be sure?  Because just about every major site has gone to SSL by default.  Don’t believe me?  Go to in another tab.  You’ll see that you’re redirected to an SSL page, and you’ll have the familiar lock icon visible somewhere in your browser bar.  Even social sites like Facebook have gone to SSL by default.

What does that prove?

Well, if this hacker really did have a way to get past SSL encryption so easily, without giving the victims any warning at all, then any reporter worth their salt would publish the details, as that would be a HUGE story.  Online shopping wouldn’t be secure.  Stock trading, or any other financial transactions, would be completely open to prying eyes.  And it wouldn’t matter whether you were at a cafe or in the comfort of your home; you could still be victimized.

But, conveniently, this author included almost no details at all.
How is this hacker able to overcome SSL encryption?  I’d guess the answer is a man-in-the-middle attack, whereby the attacker presents his own SSL certificate and proxies the requests to the real website.  If that is the case, the end user’s browser would warn the user that security may be compromised.  If the journalist clicked through that warning, it was not mentioned in the article.  That’s a detail that should not have been glossed over, as it makes things seem far worse than reality.

I can see the possibility that random people would click through an SSL warning without thought, but the fact that there was a warning is not something that should have been skipped.  If there was no warning, that would be a story.

I suspect that the journalist who wrote this is not terribly technical.  I’ll not assume that he understands exactly what is happening and has chosen to leave out key details to get more page clicks.  For that matter, perhaps the original author had those details included, but some editor cut them out to “add more sizzle”.

Publications that wish to have any authority on matters of Internet security should get someone who is technically competent to do their reporting.  That doesn’t mean they need to be a programmer or networking expert, but someone who understands cryptography and is aware of how security works.  Chances are good that the typical journalist is no more equipped to report on security than the people who blindly click through those SSL warning messages.

This article makes it sound like the hacker had to do nothing more than sit in the path of the traffic and he could get everything, encrypted or not.  If SSL were so easy to bypass, we should all be very worried about the people who work at ISPs, as they could easily do the same thing, not to the 10–20 people at a cafe, but to tens of thousands of people.  ISPs generally have several large circuits that connect to their provider.  All it would take is a laptop running Wireshark plugged into a mirrored port, and all that data could be captured, to be later decrypted with the magic “decryption software” the author mentions at the end of paragraph 1 under the Session 3 heading.

October 19, 2014 at 1:23 pm
