Cloudflare DNS server 1.1.1.1

Cloudflare launched new free public DNS resolvers, 1.1.1.1 and 1.0.0.1, on April Fools' Day 2018 (this is not a joke, it's a real service). This service competes directly with Google's and OpenDNS's public resolvers.

Cloudflare claims to have built the new resolvers with security and speed as basic features. Here are the results of a latency test for both 1.1.1.1 and 8.8.8.8 from all over the world for comparison.

Figure: Cloudflare 1.1.1.1 DNS Latency Test

Figure: Google 8.8.8.8 DNS Latency Test

Of course this is just a simple latency test, and actual performance may vary depending on other factors.

Memorable IP Address

Until now Google's 8.8.8.8 was the most memorable publicly used IP address, followed by Level 3's 4.2.2.2. Cloudflare's 1.1.1.1 is not more memorable than Google's 8.8.8.8 but I have to admit it's way cooler. This is important because you can use domain names so you don't have to remember the IP addresses of websites, but you cannot do that with DNS servers: you need to know their IP addresses.

DNS-over-TLS and DNS-over-HTTPS Support

The DNS protocol was not designed with security in mind because, at the time it was designed, it did not need it. That is not true of today's internet. For that reason Cloudflare's DNS servers have supported both DNS-over-TLS and DNS-over-HTTPS from day 1.

Fastest DNS Server

Cloudflare has also posted in their blog that DNSPerf has ranked 1.1.1.1 as the fastest DNS server with an average of 14ms of query speed. Of course you will get different results based on your location and whether or not you are a Cloudflare customer.

DNS Query Name Minimisation to Improve Privacy

Cloudflare also supports DNS Query Name Minimisation, as defined in RFC 7816, to improve privacy. This means that Cloudflare's DNS resolvers do not send the full query name to upstream name servers, which reduces the information leaked to upstream DNS servers such as the root and TLD servers.

IPv6 Support

Along with 1.1.1.1 and 1.0.0.1, Cloudflare has also provided memorable IP addresses for its IPv6 DNS servers: 2606:4700:4700::1111 and 2606:4700:4700::1001.

You can learn more about Cloudflare's DNS servers at https://1.1.1.1

Let's Encrypt has recently started supporting wildcard certificates using its new ACMEv2 protocol. This means that you can have a single wildcard certificate like *.asknetsec.com and use it on all the sub-domains, like blog.asknetsec.com and email.asknetsec.com.

This makes it very easy to manage certificates for different sub-domains. Until now each sub-domain needed its own certificate, generated for that specific sub-domain.

Install Certbot

Certbot is not available in the default Ubuntu repository. Run the command below to add the PPA repository.

sudo add-apt-repository ppa:certbot/certbot

This will add the repository from which certbot can be installed.

sudo add-apt-repository ppa:certbot/certbot
This is the PPA for packages prepared by Debian Let's Encrypt Team and backported for Ubuntu(s).
More info: https://launchpad.net/~certbot/+archive/ubuntu/certbot
Press [ENTER] to continue or ctrl-c to cancel adding it

gpg: keyring `/tmp/tmp1hyvak__/secring.gpg' created
gpg: keyring `/tmp/tmp1hyvak__/pubring.gpg' created
gpg: requesting key 75BCA694 from hkp server keyserver.ubuntu.com
gpg: /tmp/tmp1hyvak__/trustdb.gpg: trustdb created
gpg: key 75BCA694: public key "Launchpad PPA for certbot" imported
gpg: Total number processed: 1
gpg: imported: 1 (RSA: 1)
OK

Update packages

sudo apt update

Run below command to install certbot

sudo apt install certbot

Make sure that you are using Certbot version 0.22 or above. Certbot versions before 0.22 do not support wildcard certificates.

Steps to generate wildcard certificate

Run the command below on the Linux CLI.

$ sudo certbot certonly --manual -d '*.asknetsec.com' --agree-tos --no-bootstrap --manual-public-ip-logging-ok --preferred-challenges dns-01 --server https://acme-v02.api.letsencrypt.org/directory

Replace *.asknetsec.com with your domain name, for example *.yourdomainname.com, and keep the quotes so that the shell passes the * to certbot unchanged. Once you run this command, certbot will generate a value for a DNS TXT record.

The command output will be similar to the one below

debug log to /var/log/letsencrypt/letsencrypt.log
Plugins selected: Authenticator manual, Installer None
Enter email address (used for urgent renewal and security notices) (Enter 'c' to
cancel): admin@asknetsec.com
Starting new HTTPS connection (1): acme-v02.api.letsencrypt.org

-------------------------------------------------------------------------------
Would you be willing to share your email address with the Electronic Frontier
Foundation, a founding partner of the Let's Encrypt project and the non-profit
organization that develops Certbot? We'd like to send you email about EFF and
our work to encrypt the web, protect its users and defend digital rights.
-------------------------------------------------------------------------------
(Y)es/(N)o: N
Starting new HTTPS connection (1): supporters.eff.org
Obtaining a new certificate
Performing the following challenges:
dns-01 challenge for asknetsec.com

-------------------------------------------------------------------------------
Please deploy a DNS TXT record under the name
_acme-challenge.asknetsec.com with the following value:

AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs

Before continuing, verify the record is deployed.

-------------------------------------------------------------------------------
Press Enter to Continue

Create a DNS TXT record for the sub-domain _acme-challenge.yourdomainname.com with the value generated by certbot when the above command is run. In my case the value was AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs.

You will have to wait for some time for the new DNS record to propagate over the internet. I waited for 10 minutes and pressed enter.
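
A check to run before pressing Enter, as an added example that is not part of the original post: it asks each authoritative name server for the zone directly, so a stale answer cached by a recursive resolver cannot mask a missing record. It assumes dig is installed; the function names txt_matches and check_challenge are made up for this example.

```shell
#!/bin/sh
# Added example: confirm the dns-01 TXT record is deployed before continuing.
# Assumes dig is installed; function names are illustrative.

# Read `dig +short TXT` output on stdin; succeed if any value equals $1.
# dig prints each TXT string in double quotes, so strip them first.
# Several values may coexist under the same name, so every line is checked.
txt_matches() {
    expected=$1
    found=1
    while IFS= read -r line; do
        value=$(printf '%s' "$line" | tr -d '"')
        if [ "$value" = "$expected" ]; then found=0; fi
    done
    return $found
}

# check_challenge DOMAIN VALUE
# Query every authoritative name server of DOMAIN for the challenge record.
# Returns 0 only if all of them already serve VALUE.
check_challenge() {
    domain=$1
    expected=$2
    servers=$(dig +short NS "$domain")
    if [ -z "$servers" ]; then
        echo "no NS records found for $domain" >&2
        return 2
    fi
    rc=0
    for ns in $servers; do
        if dig +short TXT "_acme-challenge.$domain" "@$ns" | txt_matches "$expected"; then
            echo "ok      $ns"
        else
            echo "MISSING $ns"
            rc=1
        fi
    done
    return $rc
}

# Usage, with the value certbot printed:
#   check_challenge asknetsec.com AVOwxVcSTfASueHcoOosBFF4sxEFZuso5ip6w63GrMs
```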

Press Enter to Continue
Waiting for verification...
Cleaning up challenges

IMPORTANT NOTES:
- Congratulations! Your certificate and chain have been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/fullchain.pem
Your key file has been saved at:
/etc/letsencrypt/live/asknetsec.com-0001/privkey.pem
Your cert will expire on 2018-06-21. To obtain a new or tweaked
version of this certificate in the future, simply run certbot
again. To non-interactively renew *all* of your certificates, run
"certbot renew"
- If you like Certbot, please consider supporting our work by:

Donating to ISRG / Let's Encrypt: https://letsencrypt.org/donate
Donating to EFF: https://eff.org/donate-le

Congratulations!! The wildcard certificate is generated. You can use this wildcard certificate with any sub-domain you create for your domain name.

Microsoft released an out-of-band patch to fix the "Meltdown" vulnerability on 3rd of Jan 2018. More details of the patch can be found on the official KB4056892 page.

This patch is available only for the Windows 10 OS. The patch will install automatically once the PC connects to the internet.

There have been multiple reports of some applications not being compatible with this latest patch. Certain antivirus products are causing a blue screen after the Meltdown patch is installed.

There have been reports of some SSL VPN applications not connecting to the server after the patch is applied.

Antivirus vendors are releasing patches to fix the compatibility issues, but it may take a few days for all of them to be available.

I would recommend that you update all the important applications installed on the PC before applying this patch to prevent any incompatibility issues.

If the patch is already installed and some critical application is causing issues, you can try uninstalling the patch and checking whether the application works without it.

Spectre

Spectre is the latest vulnerability discovered in processors. It allows a malicious application to trick another application into exposing its memory so that the malicious application can read it.

This vulnerability affects almost all processor variants from Intel, AMD and ARM, which means that all computers (desktops, laptops and SBCs) and all smartphones are affected by this vulnerability.

More information about this vulnerability can be found at https://spectreattack.com/

CVE-2017-5753 and CVE-2017-5715 are the official references to Spectre. CVE is the Standard for Information Security Vulnerability Names maintained by MITRE.

All OS manufacturers are releasing patches to fix these vulnerabilities. You can follow the steps below to update the OS and patch the vulnerability.

Fix the Spectre on a CentOS/RHEL/Fedora/Oracle/Scientific Linux

Type the following yum command:

sudo yum update

You must reboot your Linux server using shutdown/reboot command:

sudo reboot

Run the following dnf command if you are using a Fedora Linux:

sudo dnf --refresh update kernel

OR

sudo dnf update

Reboot the Linux box:

sudo reboot

Fix the Spectre on a Debian/Ubuntu Linux.

Use the following apt-get command/apt command:

sudo apt-get update
sudo apt-get upgrade
sudo shutdown -r 0

Fix the Spectre on an Amazon Linux running on AWS

Just run yum command:

yum update kernel
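
After the update and reboot, the running kernel reports its own mitigation state. The following added example (not part of the original post) reads that state from sysfs; the function name check_spectre is made up here, and the sysfs files exist only on kernels that include the reporting interface.

```shell
#!/bin/sh
# Added example: ask the running kernel whether the Spectre mitigations are active.
# check_spectre is an illustrative name. $1 may override the sysfs directory,
# which allows testing against constructed files.
check_spectre() {
    dir=${1:-/sys/devices/system/cpu/vulnerabilities}
    if [ ! -d "$dir" ]; then
        # No reporting interface: the state cannot be verified from sysfs.
        echo "kernel $(uname -r) does not expose $dir" >&2
        return 2
    fi
    rc=0
    # sysfs file name paired with the CVE it corresponds to
    for entry in spectre_v1:CVE-2017-5753 spectre_v2:CVE-2017-5715; do
        name=${entry%%:*}
        cve=${entry#*:}
        if [ ! -r "$dir/$name" ]; then
            echo "$cve ($name): not reported"
            rc=1
            continue
        fi
        status=$(cat "$dir/$name")
        echo "$cve ($name): $status"
        case $status in
            "Not affected"*|Mitigation*) ;;   # CPU unaffected, or mitigation active
            *) rc=1 ;;                        # "Vulnerable" or unrecognised text
        esac
    done
    return $rc
}

# Run after the reboot:
#   check_spectre && echo "mitigations active"
```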

 

Recently Mathy Vanhoef of imec-DistriNet discovered a vulnerability in the WPA2 standard which enables a man in the middle to sniff and decrypt packets over the wireless network. The details of this vulnerability are provided on https://www.krackattacks.com/

WPA2 is used to secure the wireless communication between clients and the access point. It was considered unbreakable until this vulnerability was discovered. Here are the key things you should know about this vulnerability.

The Positive

  • This vulnerability cannot be exploited remotely. The attacker or his device must be close enough to connect to the targeted wireless network to run the attack. This limits the effect of this vulnerability significantly.
  • There have been no reports of this vulnerability being exploited in the wild, yet.
  • This only enables the attacker to decrypt the wireless frames and expose the payload. If the communication is over HTTPS/TLS, the attacker still cannot decrypt the payload and all of your communication data is still safe.
  • The vulnerability was discovered many months ago and was communicated to many vendors whose products are vulnerable. So the patches will be available soon.

The Negative

  • This vulnerability affects every client device that uses wireless, as the vulnerability is in the WPA2 standard.
  • There are no patches available to fix it at this moment, so until the device vendor releases a patch the wireless communication is prone to this attack.
  • This enables the attacker to get private information over wireless communication if the payload is sent over a plain text/HTTP protocol.
  • Though the HTTPS communication is safe from this attack, it still exposes your DNS traffic which is in clear text.
  • The attacker can modify the DNS traffic and can redirect you to a malicious website.

Things you should do to keep yourself safe from this attack.

  • Keep an eye on any update released by your device vendor, and patch the device as soon as an update is available.
  • Do not send any private information like username/password, account login, payment information or personal details over an unencrypted connection. Always check that the website you are submitting the details to is using HTTPS to encrypt all the communication related to private information.
  • Checking for the green lock icon in the browser is even more important now, as the attacker can modify DNS traffic and redirect you to a malicious website. If that is the case you will get a certificate error in the browser. Do not proceed if your web browser warns you about any problems with the website certificate.
  • If possible always use VPN when connected over wireless, so that all the communication over wireless is protected by an extra layer of VPN encryption.
  • For the paranoids, keep yourself from using wireless at all until this vulnerability is patched.

The iptables rules regulate the traffic on a Linux system. They also perform source and destination NAT for any traffic, as configured.

The IPTables rules can be listed by using the command

sudo iptables -L

IPTables rules are processed in sequence from top to bottom, so once a rule matches some traffic, the rules below the matched rule are not checked for that traffic.

If you want to change the sequence of IPtables rules so that certain rules are checked before the other rules, you can use the following method.

1. Export the IPTables rules to a text file

sudo iptables-save > /tmp/iptables.txt

This command will create a text file iptables.txt in the /tmp directory. This text file will have all the IPTables rules from all the chains.

2. Edit the text file to change the sequence of rules

sudo nano /tmp/iptables.txt

This command will open iptables.txt in the nano text editor, or you can use vi or any other text editor of your choice. Edit the iptables rules to change the sequence of rules as required.

3. Restore the rules from text file to iptables

sudo iptables-restore < /tmp/iptables.txt

This command will import the rules from the text file to the IPTables.

The new IPtables rules sequence will be applied immediately and does not need a service reload or reboot of the system. You can check the sequence of the IPTables rules using the command

sudo iptables -L
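
Because the first matching rule wins, a hand edit that misplaces one line changes which traffic is accepted. The following added example (not part of the original post) moves one rule inside a saved dump and has iptables-restore parse the result with --test before loading it. The names move_rule and apply_rules are made up for this example, and rule positions are the ones shown by sudo iptables -L INPUT --line-numbers.

```shell
#!/bin/sh
# Added example. Constructed dump in which the SSH allow rule is unreachable,
# because the DROP above it matches first:
#   *filter
#   :INPUT ACCEPT [0:0]
#   -A INPUT -p tcp -m tcp --dport 22 -j DROP
#   -A INPUT -s 192.0.2.10/32 -p tcp -m tcp --dport 22 -j ACCEPT
#   COMMIT

# move_rule FILE TABLE CHAIN FROM TO
# Print FILE with rule number FROM of CHAIN (in TABLE) moved to position TO.
# Other tables, chains and lines keep their place.
move_rule() {
    awk -v table="$2" -v chain="$3" -v from="$4" -v to="$5" '
        /^\*/ { cur = substr($0, 2) }          # table header: "*filter", "*nat", ...
        { line[NR] = $0 }
        cur == table && $1 == "-A" && $2 == chain { slot[++n] = NR }
        END {
            from += 0; to += 0
            if (from < 1 || from > n || to < 1 || to > n) {
                print "rule number out of range: " chain " has " (n + 0) " rules" > "/dev/stderr"
                exit 1
            }
            moved = line[slot[from]]
            # Shift the rules between the two positions by one slot.
            if (from > to) { for (i = from; i > to; i--) line[slot[i]] = line[slot[i - 1]] }
            else           { for (i = from; i < to; i++) line[slot[i]] = line[slot[i + 1]] }
            line[slot[to]] = moved
            for (i = 1; i <= NR; i++) print line[i]
        }' "$1"
}

# apply_rules FILE
# Parse the file without committing it; load it only if parsing succeeds.
apply_rules() {
    sudo iptables-restore --test < "$1" && sudo iptables-restore < "$1"
}

# Usage:
#   sudo iptables-save > /tmp/iptables.txt
#   move_rule /tmp/iptables.txt filter INPUT 2 1 > /tmp/iptables.new
#   apply_rules /tmp/iptables.new
```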

DNS stands for Domain Name System. DNS is one of the most important parts of the internet. All the computers on the internet are connected to each other, each one of them has a unique IP address, and DNS maps these IP addresses to their domain names. It is easier to remember and recall names than a bunch of numbers.

Whenever you try to browse a website on a browser like http://45.76.161.5, the browser uses DNS to get the IP address of the website asknetsec.com and then connects to that IP address and downloads the webpage.

DNS communication works in a server-client model where the client is the computer that needs to resolve a domain name to an ip address and the server is a computer which has the information about Domain name to IP address mappings.

A typical DNS transaction is made up of 2 packets: a request from the client to the server and a response from the server to the client. The request packet contains the DNS query for the domain name, and the response packet contains the answer to that query in the form of the IP address for the requested domain name.

Below are typical DNS request and response packets taken from Wireshark, which show more of the content of the DNS transaction.

Figure: DNS Query packet

Figure: DNS Response packet

The DNS query contains the domain name and DNS response contains the IP address associated with that domain name.

A new Android malware has been found by Trend Micro, which it claims is a successor to the DressCode malware found earlier.

This malware uses port 22 to establish an SSH session with its Command and Control (CnC) server owned by the attacker.

As it uses SSH, all the data between the Android phone and its CnC server is encrypted, which makes it difficult for the enterprise security infrastructure to detect it. Security solutions cannot detect the data inside the encrypted connection unless they are doing Deep Packet Inspection of SSH traffic.

Figure: How MilkyDoor Malware Works

Using this SSH session the attacker can run a vulnerability scan on the internal network. This is important as many enterprises allow employees to use their own phones connected to the same network as the internal infrastructure.

MilkyDoor was recently found in over 200 Android applications available through the Play Store.

It is important for the enterprise security gateway solutions to block all ports for the BYOD network except the ports necessary.

To find your public IP address from the command line (CLI), you can use the commands below for Linux and Windows operating systems.

Linux

curl icanhazip.com

curl canihazip.com/s

These 2 commands each generate a web request and show the IP address returned in the response.

dig myip.opendns.com. @resolver1.opendns.com +nocomments +noquestion +noauthority +noadditional +nostats | grep -oE "\b([0-9]{1,3}\.){3}[0-9]{1,3}\b"

This command runs a DNS query and shows the resolved IP address. The DNS query for myip.opendns.com. using the resolver1.opendns.com DNS resolver outputs the public IP address from which the DNS query was generated.

Please note the period (.) at the end of the myip.opendns.com., this makes sure that the DNS suffix is not added to the query and query is absolute.

Windows

nslookup myip.opendns.com. resolver1.opendns.com | find "Address"

This outputs two IP addresses, and the second IP address will be your public IP address.