Using 2 DNS services

This is a fantasy thread, because I'm pretty sure there is no way to accomplish this. Or is there?
I just got to thinking how cool it would be if a user could string two DNS services together, and get the added benefits of both.
Like I've been running Norton DNS (okay, Norton ConnectSafe) and really believe in it and like the protection it provides.
But I also am sold on the protection of OpenDNS's DNSCrypt.
I also happen to think Comodo Secure DNS is a viable alternative.
How cool would it be if we could piggyback two of them together, and have the benefits of two filters working for us?
But I'm sure there is no way.
And I'm also thinking someone will come along and say that it would be like running two firewalls or two AVs.
But a guy can dream, can't he?

 

I've used 2 different DNS's but differently than what you are describing I believe. I use OpenDNS with DynDNS as a secondary but obviously not concurrently. I think one service would have to be a filtering proxy service and then the other could be a filtering DNS.

 

Yeah I would always have a primary and secondary. I used ClearCloud as primary and norton as secondary. I'm not really sure if one just defaults and it uses the primary. If the primary doesn't work it goes through the alternate. Or does it filter through both? Not 100% sure.

 

Yes, I have used as many as 4 configured as primary and alternates, using Public DNS Server Tool v0.91. But concurrent use is what I am referencing. To be able to run everything through one tool, then through another... not necessarily through 4, but at least a couple. You mentioned a filtering proxy service and a filtering DNS... is that a potential way of achieving what I am day-dreaming about here?

 

Pretty sure it works as you have guessed, kjdmuth... if primary is down the alternate kicks in. What I'm wishing I could do would be to use two in sequence, one after another, like a double filter kind of thing.

 

I don't think that's quite possible. The secondary is not actually an alternative or replacement for the first server.

The first server is the main one, the secondary will just refresh to see if the first one has changes or not. then it will update itself according to the main one.
You can't just have 2 different dns server at the same time.

Btw, I think those expressions like DNSCrypt are just some marketing trick to attract people. If encrypting user's domain request was that easy then we should had this service a long time ago on every DNS servers out there.

Things like MITM cannot be stopped by this DNSCrypt or whatever. The way MITM works is to spoof MAC address and trick both router and user system. You really can't avoid that unless you have a Wifi Protection which checks on system's mac address continuously. From what I have seen, MITM attacker can even decrypt SSL 2.
Same thing for Network sniffers, the only way to stop it is having a firewall on router side.

Don't expect some magic changes on your system can make you secure. I believe all this software we use for AV/firewall/etc... are just some walls for kiddy attackers. We are just some home users. We have never been under a direct attack.

Note: I am not %100 sure about what I said above, It's just what I have heard or seen. Maybe they are all wrong.

 

The Secondary DNS will be queried if the Primary DNS is unreachable (Be it from server downtime, firewall blockage, server load, etc.). It is an intended backup for the initial server so that should the primary server go down all DNS queries do not fail outright. This is easily tested in Windows.

See above, in Internet Configurations the primary reason for 2 DNS servers is simply for the sake of redundancy.

This is not necessarily true, I believe that tools are created as risks become greater and technology advances enough to support it. For example, why not encrypt all HTTP Traffic everywhere? Because it has performance costs? Does it mean it doesn't have security benefits? No, but some sites use it why? Because they determine that protecting the selected information in transit is more important the increased overhead. I imagine this much the same. I also believe DNS Crypt was meant to focus on the transfer of the Users DNS Queries from their network to the DNS Server not within the Users Network itself.

Effectively this is correct, a malicious user attempts to spoof the mac address in order to route traffic through itself (ARP Poisoning is a great way of doing this) thus giviting all the rights and privelages of the system whose identity it is assuming (This has to be done to ensure network access is not lost for the target system so traffic must also be handled correctly by the Attacking Machine).

The best way I've found to mitigate this risk is by:
1.) Assigning Static IPs to all devices on the network
2.) Blocking all IPs/Mac Address not on the list of assigned IP/MAC Addresses
3.) Blocking any PC with a Mac Address that does not have the specified IP Address.

As DHCP is disabled for the router new devices cannot simply join the network however (Which is the desired function in my case anyways) which may prove a nuisance for more basic users.

Any Router with NAT+Firewall will be immune to sniffing though one seriously has to question the Port Forwarding practices I've seen people employing (eg: Forwarding 1-65535 to their PC which is just pointless and eliminates all the security benefits of NAT (Though I don't believe security was it's original use))

I personally believe their is no such thing as 'secure', you identify and assess the risks associated with the System and the data it contains and mitigate said risks appropriately.

AV will really only protect against the most trivial malware (Which is fine for most users) other mitigation such as Emet, sandboxing, Right limitation, etc. is necessary.

That you know of yes, but I believe the day will come (If it has not already) where the government has backdoors in all of our software (or trojans on every computer).

I hope I typed that all clearly enough if not I apologize.

 

Hi all.

2 or 3 x different DNS lookups possible, at once

You can achieve 2 x different DNS lookups by selecting the one of your choice, & combine that with Webroot WSA, or in my case Prevx PSOL. These both check your www's on the fly, to see if what your hoping for is what you actually get

Also you could install, for eg DNSSEC for FF. Right now it's not active but i mention it for people to keep in mind for when it's up & running. When it is, you could then have 3 x DNS lookups in parallel, but not conflicting. Best of both worlds, or 3

 

Yes that's correct. That is what I was trying to say. The secondary DNS is not used when main one is active. Maybe the OP thought they are both in use and then he can have benefits of secondary DNS on another host.

Agreed. I am not actually sure if that encryption on their own side helps with anything But as I know, It has nothing to do with helping user against MITM attack.
Not sure why many people in here mentioned MITM prevent as a feature of DNS Crypt.

I have already done the first 2 on my router. Although the third option is not available in a normal router.
But still, I could do MITM attack to my dad's Ipad using some little linux tools. Having Static IP and Mac address filter doesn't help and is a pain in the neck for new users.

That's why I said, the WIFI protectors are the only way detect this. The program checks the mac address of device connected every second and if there is sudden change, it will inform the user. But this is not effective. At least you can avoid your friends checking on your transmit data.

Anyway what you said is absolutely the right way to block it. If such rules could be implemented on routers that would make everyone safe from MITM attacker.

If I want to think in a bad way but mostly truth, I would say "They (AV Companies) are making the malwares too"
And that makes sense in my opinion. If there is no malware, there is no AV.

Sorry to disappoint you my friend, But that day has already happened.
Few weeks before, my father told me the company he works for got a $15,000 device which can log every kind of user's data (specially passwords) even if it's encrypted with SSL.
If such thing can happen in a small network with a small cost, Don't you think Governments has already got this ?

Who in the world said there is such thing as parallel DNS lookup ? And if there is, in what way the returned query is handled ?
Let's say : NortonDNS says "Good site", Comodo says "Bad Site", OpenDNS says "Good site". what is the final conclusion ?

 

@ xperator

You quoted Tomwa instead of me

I did, with the examples i gave

MITM !

 

You just said it's possible, but how ?

 

I don't even understand how that would work even if you could look at two DNS queries in parallel and compare them it would serve to simply double the time per every query (Or more depending on the number of DNS Servers involved in this hypothetical situation) not to mention I have no idea how DNS as it is would handle discrepancies between the two (Does one server take precedence? Does the query return nothing?) and additional software would have to be used most definitely to even make that possible.

MITM attacks can happen anywhere between either endpoints, I beleive the miscommunication happened when I divided your quote up and included the "Btw, I think those expressions like DNSCrypt are just some marketing trick to attract people" by accident. I do believe DNS Crypt can help mitigate the risk of MITM, I was trying to confirm your information on MITM attacks and how they work.

All three functions are available within my Routers most up to date firmware, though I'm sure there are routers without support. As I mentioned DHCP (Dynamic Host Configuration Protocol) is disabled on the router. This means that an attacking computer could not even join the network (Unless they know the IP/MAC of a user already on the network which they could not find as they cannot join the network) However, MITM that happen OUTSIDE my network (For example at a TOR exit node) could still happen and that is what I hope DNS Crypt will help mitigate as well as improving my privacy.

AV Companies do not need to make malware though, Malware is already out there and being made it's not like it's going out of style. AV software is easily passed as well.

I cannot confirm hearsay but as I said, "The day will come (If it has not already) they could easily implement backdoors into the Windows OS if Microsoft would play along.

 

Because PSOL/WSA looks up the IP's seperately, as does/will the FF plugin DNSSEC. If there is a mismatch, you will then be visually alerted by PSOL/WSA and/or DNSSEC.

 

@Toma & @CloneRanger :

Thanks a lot guys for teaching me Surely It was some great info about DNS stuff.

 

So you'll definitely need additional software, I suppose you will then handle the discrepancy? What about less tech savvy users (Okay they probably wont have it to begin with) will it just fail if theres differences in the query returns?

 

Pleasure I know you were being sarchastic, but that's ok as it made me smile Why don't you just tell us why you think my way won't work ? I would genuinly like to hear

Originally Posted by Toma

Looks like it, but the ones i listed are Very good & PSOL "facebook version" & DNSSEC are free

Quite a lot of them would have Prevx in one form or another, & now WSA.

If you mean, being prevented from visiting such a www ?, then i don't think so. But you would see alerts in PSOL/WSA/DNSSEC, so it's then up to the user to proceed or not. Most people obviously wouldn't, but with ShadowDefender active i would, just to see what happened

 

No I am not, Seriously.
It's because I never heard using multiple different DNS at the same time. As I expected it wasn't possible natively. We have to use the tools you mentioned to get it working.

Just a note on ShadowDefender. Not sure if you really tested it to check if malware is jailed inside the virtualization or not.

I installed that software and launched a Zeus trojan in shadow mode to check if it really works. and guess what the system got infected. this trojan is the type which makes some copy of itself upon launch time. there was around 4 copy and shadow defender only could stop 2 or 3. the last one slipped and the whole system was infected.

So I had to use MBAM to clean the system. I uninstalled shadow defender right away. But avast's sandbox passed same test. Nothing could come out of the box.

 

Because you used a Sarchastic smily ? i thought you Were being sarchastic ! Maybe the wink smily was your way of offsetting it ? Anyway i wasn't offended, but you see how i misinterpreted your intentions, if i did. But i'm pleased you were able to take something away from the post

Yes otherwise i would have been infected Many times over by now

When did you test with that Zeus trojan ?

What V of SD ?

If you had more than one partion, did you S-Defend all ?

 

About 2 weeks ago.
It was the latest version.
I only have one partition.

Maybe you tested it with some tiny no-harmful malware samples ?

 

Yeah that must be it, Blackhole/Flame etc & tons more feeble stuff