how "secure" is DHCP? and DNS set to auto?

Discussion in 'other firewalls' started by jrx10, Feb 27, 2007.

Thread Status:
Not open for further replies.
  1. jrx10 (Registered Member, joined Jan 26, 2007)
    Can someone more knowledgeable in software firewall "network control rules" post what the best settings are for securing DHCP/DNS (or a link)? I also run a firewall router with DHCP enabled, but I'm not sure whether it's best to configure DNS manually (security-wise, since my ISP's DNS servers really blow (are slow)), and for that matter, I've been told that it's more secure to configure a router manually and not use DHCP, but I'm just getting into this and don't really know much about DHCP yet. Sometimes I get outbound-only UDP DNS (53) connections and other times I get both inbound and outbound UDP DNS (53) connections.
  2. cprtech (Registered Member, joined Feb 26, 2006)
    No expert here, but it's more important if your router is wireless and you are using it on even one wireless PC. DHCP is not so bad if you limit the number of IP addresses available to only the number in your network, you use MAC address filtering so that only the MAC addresses of your PCs are allowed IPs via DHCP, and you use the better WPA-PSK wireless encryption (there may even be a better encryption method than that available now, but WPA-PSK is pretty good, especially if you use a "strong" password). Not only that, but if it's possible, turn down the router's radio power to a lower value if it can still give you the range needed.

    Finally, I did recently go with static IPs on my 3 PCs because my laptop can acquire a wireless connection far faster than it could when I was using DHCP-assigned IPs. I'm also using MAC address filtering and even went so far as to deny all other IPs available in my router's range Internet access.

    As for DNS, it is a good idea to manually enter the DNS IPs into your firewall for better security. I use Outpost Pro behind a router, and I turned off the "DNS Relay" function in my router and use the DNS Cache plug-in in OP instead, with my ISP's primary and secondary DNS IPs entered into OP's DNS Macro option, so that any DNS lookup will be to only one of those IPs. Hope this makes some sense.

    BTW, here is D-Link's description of "DNS Relay":

    When DNS Relay is enabled, DHCP clients of the router will be assigned the router's LAN IP address as their DNS server. All DNS requests that the router receives will be forwarded to your ISP's DNS servers. When DNS Relay is disabled, all DHCP clients of the router will be assigned the ISP DNS server.

    The big difference here is that the client PC(s) of the router are assigned the router's LAN IP address ( in this case) instead of the ISP's DNS IP addresses.
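The point cprtech makes about pinning DNS to the ISP's two resolvers, and the "sometimes inbound, sometimes outbound UDP 53" observation in the first post, can be checked against a connection log. The following is an added example, not code from this thread or from Outpost Pro, and it assumes a simple constructed log format (direction, protocol, source ip:port, destination ip:port) rather than any real firewall's format. The resolver addresses and the LAN range are constructed placeholders (documentation ranges). It flags outbound DNS to any resolver other than the two allowed ones, outbound DNS still going to the router's LAN address (DNS Relay still in effect), and inbound traffic to port 53 on a client PC, which a workstation has no reason to accept.

```python
"""Audit DNS connections against an allow-list of resolvers.

Added example; the log format below is constructed for this demo and is not
any firewall's real export format.
"""
from ipaddress import ip_address, ip_network

# Constructed placeholders for the ISP's primary and secondary resolvers
# (the thread gives no real addresses; these are RFC 5737 documentation IPs).
ALLOWED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed LAN range; used to tell "router DNS relay" apart from "unknown
# external resolver". Python's ip_address().is_private is not used here
# because it also treats the documentation ranges above as private.
LAN = ip_network("192.168.1.0/24")

# Constructed sample log: DIRECTION PROTO SRC_IP:PORT DST_IP:PORT
SAMPLE_LOG = """\
OUT UDP 192.168.1.10:51324 192.0.2.53:53
OUT UDP 192.168.1.10:51325 198.51.100.53:53
OUT UDP 192.168.1.10:51326 203.0.113.9:53
IN  UDP 203.0.113.77:40000 192.168.1.10:53
OUT TCP 192.168.1.10:51327 192.0.2.53:53
OUT UDP 192.168.1.10:51328 192.168.1.1:53
"""


def parse_line(line):
    """Split one constructed log line into a record dict."""
    direction, proto, src, dst = line.split()
    sip, sport = src.rsplit(":", 1)
    dip, dport = dst.rsplit(":", 1)
    return {
        "dir": direction, "proto": proto,
        "sip": sip, "sport": int(sport),
        "dip": dip, "dport": int(dport),
    }


def classify(rec, allowed=ALLOWED_RESOLVERS, lan=LAN):
    """Return 'ok', 'not-dns', or a reason string for flagging the record."""
    if rec["dport"] != 53:
        return "not-dns"
    if rec["dir"] == "OUT":
        if rec["dip"] in allowed:
            return "ok"                       # one of the two pinned resolvers
        if ip_address(rec["dip"]) in lan:
            return "dns-to-lan-relay"         # still using the router's relay
        return "dns-to-unlisted-resolver"     # some other external resolver
    if rec["dir"] == "IN":
        return "inbound-dns-request"          # a client PC should not serve DNS
    return "not-dns"


def audit(log_text, allowed=ALLOWED_RESOLVERS, lan=LAN):
    """Return (verdict, peer_ip, raw_line) for every flagged DNS record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        verdict = classify(rec, allowed, lan)
        if verdict in ("ok", "not-dns"):
            continue
        peer = rec["dip"] if rec["dir"] == "OUT" else rec["sip"]
        findings.append((verdict, peer, line))
    return findings


if __name__ == "__main__":
    for verdict, peer, line in audit(SAMPLE_LOG):
        print(f"{verdict:28} {peer:16} {line}")
```

Running it on the constructed sample flags three lines: the lookup to 203.0.113.9 (not one of the two allowed resolvers), the inbound request to port 53 on the client, and the lookup to 192.168.1.1 (the router's relay still answering). An empty result on a real log would mean every resolution is going only to the resolvers entered in the firewall, which is the condition cprtech describes.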