How to get open dns to work on eircom router

nudist

Ive got eircom broadband with a dynamic address. Ive put the open dns servers in the dns section of the router but these only provide basic anti phishing settings-ive actually set the filtering to high but no domains at all are being filtered..how do i fix this?

blubloblu

Do you have an OpenDNS account and is your IP address linked to it?

nudist

blubloblu wrote: »

Do you have an OpenDNS account and is your IP address linked to it?

Yes

but the thing is that because the router hands out dynamic ip address only basic stuff like anti phishing is done. I set the filtering to high but i can still access porn, p2p and other illegal stuff...one of the main reasons i want filtering on is so that in the event someone breaks the wpa encryption on the wireless i can limit to a degree what they can do with my connection...

woolymammoth

opendns have a small app you can install to deal with dynamic IPs.

http://www.opendns.com/support/article/90

woolymammoth

sorry, i just thought that's with teh PC though.. it would probably not work on another pc connected to your wireless/wired network. If you have set up the wireless security correctly, you won't have anyone hacking into your network.

nudist

woolymammoth wrote: »

sorry, i just thought that's with teh PC though.. it would probably not work on another pc connected to your wireless/wired network. If you have set up the wireless security correctly, you won't have anyone hacking into your network.

Yes but ive only got wpa2 psk for home use only-if my key is stolen somehow i wont know until someone looks up kiddie porn on my network or some thing else like that...evidently if some one has stolen your key on a dynamic network then the open dns filtering does nothing...oh the irony

Correct me if im wrong but arent home routers with Radius authentication built into the router coming soon?

woolymammoth

i don't think anybody's going to crack your key while you have wpa2 with psk, unless it's a passphrase you made up yourself. Use a truly random bunch of characters and symbols will make it next to impossible. But that's just your encryption, it's not the only thing you can do in regards to wireless security... depending on the wireless router of course!

nudist

woolymammoth wrote: »

i don't think anybody's going to crack your key while you have wpa2 with psk, unless it's a passphrase you made up yourself. Use a truly random bunch of characters and symbols will make it next to impossible. But that's just your encryption, it's not the only thing you can do in regards to wireless security... depending on the wireless router of course!

The router i use is just a basic home router-in order to connect to my work network from home i have to use my work vpn-but i had to first give my wireless key to someone in the IT department in order to make the vpn work from my home connection. But i dont trust the IT department-call me crazy but i have this uneasy feeling that they copied and pasted my wireless key all over the internet like on facebook and stuff-i dont have any proof but since they have my wireless key for all i know someone could be wardriving my connection as i write this. Thats why i wont to lock down my wireless connection as much as possible-hence the opendns filtering or lack thereof.

What additional secuirty measures do you speak of? im all ears :pac:

woolymammoth

ok for a start, they do not need your wireless key to set up a vpn tunnel. That key is only used to set up the link between your pc and your wireless router. Once you have that connection, you gain network access, the router gives you your IP address, and you're afforded internet access. The VPN is a virtual connection between your pc and your work, and will work just as long as you have any connection to the internet, be it wired or wireless. Try changing your wireless key to test this out. What type of VPN software are you using?

The other measures i'm talking about include MAC filtering and static IP addresses, you can see them if you log into your router. Many people will differ on the effectiveness of these, and they're partly right. MAC filtering works by only allowing access to devices that have their MAC address listed on the router. MAC addresses can be spoofed, but they'd have to know it first. The router is also set up by default to hand out IP addresses automatically. If you set this to static, then if other computers connect, they will not get an IP address, and will not be able to access anything on the network. Now there's nothing stopping them from trying to figure out the correct IP range and assigning themselves a valid IP to get access. The point is that these are additional layers, and more of a deterrent.

So basically, you could set your router to static IP addressing and set your PC with a static address, enable mac filtering and assign only your mac address. Save your current wireless key and put in a new one. Test it out to see if it all works.

nudist

woolymammoth wrote: »

ok for a start, they do not need your wireless key to set up a vpn tunnel. That key is only used to set up the link between your pc and your wireless router. Once you have that connection, you gain network access, the router gives you your IP address, and you're afforded internet access. The VPN is a virtual connection between your pc and your work, and will work just as long as you have any connection to the internet, be it wired or wireless. Try changing your wireless key to test this out. What type of VPN software are you using?

The other measures i'm talking about include MAC filtering and static IP addresses, you can see them if you log into your router. Many people will differ on the effectiveness of these, and they're partly right. MAC filtering works by only allowing access to devices that have their MAC address listed on the router. MAC addresses can be spoofed, but they'd have to know it first. The router is also set up by default to hand out IP addresses automatically. If you set this to static, then if other computers connect, they will not get an IP address, and will not be able to access anything on the network. Now there's nothing stopping them from trying to figure out the correct IP range and assigning themselves a valid IP to get access. The point is that these are additional layers, and more of a deterrent.

So basically, you could set your router to static IP addressing and set your PC with a static address, enable mac filtering and assign only your mac address. Save your current wireless key and put in a new one. Test it out to see if it all works.

Its some cisco vpn software...i will change the wireless key though to see if it works...

mac filtering and static ip address sound more like the 'security through obscurity' argument.

oh how i wish i was using radius with wireless!

woolymammoth

nudist wrote: »

mac filtering and static ip address sound more like the 'security through obscurity' argument.

you're right, and it is just more of a deterrent. If someone really wants in they will get past these measures.

maybe get yourself one of these

http://www.google.ie/#sclient=psy&hl=en&q=linksys+wrt54gl&aq=3&aqi=g5&aql=&oq=linksys&gs_rfai=&pbx=1&fp=27da1557ba213437

nudist

woolymammoth wrote: »

you're right, and it is just more of a deterrent. If someone really wants in they will get past these measures.

maybe get yourself one of these

http://www.google.ie/#sclient=psy&hl=en&q=linksys+wrt54gl&aq=3&aqi=g5&aql=&oq=linksys&gs_rfai=&pbx=1&fp=27da1557ba213437

I think i see where your going here-you want me to flash one of these with tomato or ddrt right?

Do you have experience with this kind of firmware-what new features would i get from this?

woolymammoth

nudist wrote: »

I think i see where your going here-you want me to flash one of these with tomato or ddrt right?

Do you have experience with this kind of firmware-what new features would i get from this?

some. you get more control and some additional security options than standard routers. Research it, you don't have to get one. But if you're that paranoid about the set up you have, you've nothing to loose by trying this out.

personally, i think what you have is grand. You seem to know enough about the tech yourself to figure the rest out.

Razzuh

woolymammoth wrote: »

personally, i think what you have is grand. You seem to know enough about the tech yourself to figure the rest out.

Hi, I thought I'd throw in my two cents. I agree with everything wooly has said, your current set up is fine. I've never heard of anyone breaking WPA2 with a strong key. Also, I can't think of any reason your IT department would need your psk either, that's weird.

On the topic of strong keys, since you didn't get into it, a passphrase with 13 truly random characters should be sufficient. If you're using a passphrase that's easy to remember, I'd suggest you make it at least 30 characters long (you can have up to 63) and have symbols, numbers and upper and lowercase letters feature in a way you can remember. The longer the better. Your router should give you an option of TKIP or AES encryption; AES is significantly stronger.

On the other stuff, DNS isn't meant to provide any kind of security, that's completely the wrong track. DNS filtering is only about protecting kids using your home connection from getting at stuff they shouldn't. I'd also point out that even if someone put up your key online, for someone to actually use it they'd have to know where you live and then drive to your house and sit outside with a laptop. Or happen to be your neighbour. Lastly, if someone uses your connection for illegal activity you're not responsible for that. The person doing it is the criminal.

nudist

Razzuh wrote: »

Hi, I thought I'd throw in my two cents. I agree with everything wooly has said, your current set up is fine. I've never heard of anyone breaking WPA2 with a strong key. Also, I can't think of any reason your IT department would need your psk either, that's weird.

On the topic of strong keys, since you didn't get into it, a passphrase with 13 truly random characters should be sufficient. If you're using a passphrase that's easy to remember, I'd suggest you make it at least 30 characters long (you can have up to 63) and have symbols, numbers and upper and lowercase letters feature in a way you can remember. The longer the better. Your router should give you an option of TKIP or AES encryption; AES is significantly stronger.

On the other stuff, DNS isn't meant to provide any kind of security, that's completely the wrong track. DNS filtering is only about protecting kids using your home connection from getting at stuff they shouldn't. I'd also point out that even if someone put up your key online, for someone to actually use it they'd have to know where you live and then drive to your house and sit outside with a laptop. Or happen to be your neighbour. Lastly, if someone uses your connection for illegal activity you're not responsible for that. The person doing it is the criminal.

I know but its not dictionary attacks against my wpa key im worried about-i dont trust my IT department. They have my wpa and they obviously know where i live and my personal details (i work at their company). And I do have neighbours-for all i know someone could be running man in the middle attacks against me trying to log my passwords and see what im doing.

To prevent this from happening im using a linux machine with the firewall set to block all incoming connections and no open ports/services so nothing in theory should be able to connect to my machine on the same wireless local area network. To protect my internet traffic from being sniffed im doing everything over a vpn. And ive locked down the router with its own administration password and set configuration to physical access only-if someone wants to change my network settings they will have to be in my house to do that.

But to the garda though if my ip address is linked with x website or illegal activity wont i be the one charged with the crime? I mean isnt that why botnets are all the rage these days-because of the anonymity they provide for the attackers?

Razzuh

nudist wrote: »

I know but its not dictionary attacks against my wpa key im worried about-i dont trust my IT department. They have my wpa and they obviously know where i live and my personal details (i work at their company). And I do have neighbours-for all i know someone could be running man in the middle attacks against me trying to log my passwords and see what im doing.

To prevent this from happening im using a linux machine with the firewall set to block all incoming connections and no open ports/services so nothing in theory should be able to connect to my machine on the same wireless local area network. To protect my internet traffic from being sniffed im doing everything over a vpn. And ive locked down the router with its own administration password and set configuration to physical access only-if someone wants to change my network settings they will have to be in my house to do that.

But to the garda though if my ip address is linked with x website or illegal activity wont i be the one charged with the crime? I mean isnt that why botnets are all the rage these days-because of the anonymity they provide for the attackers?

If your really worried about your IT dept. knowing your wireless key you should just change it. Your VPN with your work network should still work fine. The only reason I can think of for them to ask you for your WPA PSK is that they wanted to make sure it was strong. If anyone using their VPN from home had a weak key (or none) it would be a security risk to their network. There's no other explanation that makes sense.

Regarding neighbours and Man in the Middle, for that attack or any other like it they'd need to crack your WPA2 key, and as I mentioned above it's just not possible if your key is strong.

I'm surprised you use a VPN for all your traffic. Is it the same one you use for work? If so, that wouldn't make sense since you don't trust your IT crowd. I'd point out that whoever your connecting to can log your traffic, you might be better off just using your ISP. At some point your web traffic has to be decrypted and forwarded if your using a (cryptographic) VPN for everything, so you'd want to trust whoever's doing it.

On the legal issue, I'm certain a trace to an IP address is no grounds for conviction on its own, for the very reason that anyone could have been using the connection. From what I remember of the news, most people for those kind of crimes are caught based on credit card records and posession of the offending material (computer forensics).

Lastly,the kind of attacks your taking so many measures against are very rare. The biggest threat for home users is from viruses, so that's what I'd target if I was you. On the networking side your absolutley fine.

bhickey

woolymammoth wrote: »

sorry, i just thought that's with teh PC though.. it would probably not work on another pc connected to your wireless/wired network. If you have set up the wireless security correctly, you won't have anyone hacking into your network.

The OpenDNS updating clients update your OpenDNS account with the new dynamic IP whenever it changes. As a result all machines on the local network will be using the chosen OpenDNS filtering as long as all the machines' DNS servers are set to the OpenDNS ones. So if you set your router to give out the OpenDNS servers via DHCP to all machines on the network AND you have at least 1 machine running the OpenDNS update software client 24/7 then you're sorted.

nudist

Razzuh wrote: »

If your really worried about your IT dept. knowing your wireless key you should just change it. Your VPN with your work network should still work fine. The only reason I can think of for them to ask you for your WPA PSK is that they wanted to make sure it was strong. If anyone using their VPN from home had a weak key (or none) it would be a security risk to their network. There's no other explanation that makes sense.

Regarding neighbours and Man in the Middle, for that attack or any other like it they'd need to crack your WPA2 key, and as I mentioned above it's just not possible if your key is strong.

I'm surprised you use a VPN for all your traffic. Is it the same one you use for work? If so, that wouldn't make sense since you don't trust your IT crowd. I'd point out that whoever your connecting to can log your traffic, you might be better off just using your ISP. At some point your web traffic has to be decrypted and forwarded if your using a (cryptographic) VPN for everything, so you'd want to trust whoever's doing it.

On the legal issue, I'm certain a trace to an IP address is no grounds for conviction on its own, for the very reason that anyone could have been using the connection. From what I remember of the news, most people for those kind of crimes are caught based on credit card records and posession of the offending material (computer forensics).

Lastly,the kind of attacks your taking so many measures against are very rare. The biggest threat for home users is from viruses, so that's what I'd target if I was you. On the networking side your absolutley fine.

Ok so i ran i quick test in relation to the wpa key. With the key i gave them i can use the company vpn. But if i change the key to something else i can connect to my normal isp but not the company vpn. I take it they must have whitelisted the wireless key somehow?

Yes your right-at some point along the line someone can read the vpn traffic. Though i obviously wont do anything stupid on the work vpn :pac:

No what i mean is that i think my IT department gave away my details and now everyone say along the street where i live has my wpa key. The advent of firesheep recently has made be extra cautious when using wireless at home-now any script kiddie can carry out a mitm attack over wireless-scary.

Hopefully no one is using my ip address for nasty stuff.

bhickey wrote: »

The OpenDNS updating clients update your OpenDNS account with the new dynamic IP whenever it changes. As a result all machines on the local network will be using the chosen OpenDNS filtering as long as all the machines' DNS servers are set to the OpenDNS ones. So if you set your router to give out the OpenDNS servers via DHCP to all machines on the network AND you have at least 1 machine running the OpenDNS update software client 24/7 then you're sorted.

Ta-it works now

Razzuh

nudist wrote: »

Ok so i ran i quick test in relation to the wpa key. With the key i gave them i can use the company vpn. But if i change the key to something else i can connect to my normal isp but not the company vpn. I take it they must have whitelisted the wireless key somehow?

I'm surprised, never heard of that before. Another test: does it work if you plug your laptop into your router directly using ethernet?

I'm 99% certain that any trace of wifi is removed by the router when wireless traffic arrives there. That means that it's the client VPN software they gave you that either has been configured (by the IT Dept.) to work only with a single wifi (yours), or it collects the key off your computer and sends it to the server when connecting (your whitelist suggestion). That's the best I can reason. I'd be inclined to go for the first one as I don't think it's plausible for the software to reliably be able to grab the 'in use' key., but it could certainly test to see if a connection uses a key it has been provided with. By this theory, your IT guys came back to you sometime after you gave them the wpa key and handed you a CD with the VPN software. Is that what happened? If they have the software on the company intranet for everyone to download the same copy or pass out the same CDs to everybody then I'm wrong.

Anyway, a solution...
See if your router supports multiple SSIDs. If so, you can have one for your work VPN, and another with a different wpa key for everything else.

If not, you could buy a router that does (upgrade to wireless n in the process maybe if you haven't already), or a wireless AP, which would allow the same thing.

That's the handiest solution I can think of to put your mind at rest.