
elkido122

join:2011-02-23
Folsom, CA

[DNS] DNSSEC servers question

So Comcast has them rolled out now, I know that. My router is assigned to obtain them automatically. When I do an ipconfig at the command prompt, it says my computer is using the default router IP for the DNS. Does this mean my PC is pulling whatever DNS the router is getting from my modem and just listing it as the router IP?



EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:9

Exactly. Your router is acting as a DNS proxy. Look in your router's status for the exact DNS IP addresses that are being assigned by Comcast's DHCP server.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

1 edit
reply to elkido122

As EG said, your router is likely just acting as a DNS proxy (AKA a DNS forwarding server).

If you really want to know what DNS servers you are using (not just the two IP addresses that are supplied by Comcast's DHCP server), run the DNS Nameserver Spoofability Test at GRC. My Windows DNS server and my routers all forward to the Comcast DNSSEC servers, but that test usually lists ~30 Comcast DNS servers, none of which have the 75.75.75.75 or 75.75.76.76 IP addresses. That is of course the nature of the AnyCast system: you will connect to the closest server that is available to answer your query, and if the closest server is busy, you will get the next closest, and ...
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower



EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:9

Thanks for expanding NetFixer!



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

1 recommendation

said by EG:

Thanks for expanding NetFixer!

I thought about explaining the difference between a DNS proxy and a DNS forwarder, but I figured that too many eyes would turn glassy.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower


EG
The wings of love
Premium
join:2006-11-18
Union, NJ
kudos:9

HehHeh !!



elkido122

join:2011-02-23
Folsom, CA
reply to elkido122

So I'm fine then basically? And I'm most likely using the dnssec



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

1 edit

said by elkido122:

So I'm fine then basically? And I'm most likely using the dnssec

Only someone with access to your router and your connected devices can answer that question.

If your router is getting the DNS server information from Comcast's DHCP servers, and the devices connected to your router are using the router's DHCP server (and if the router is acting as a DNS forwarder if that is to where the DNS server entries in the connected devices point), then most likely you are using Comcast's DNSSEC servers.

You, however, are the only one who can verify that. Look at your router's configuration, and at the TCP/IP configuration of your connected devices, and you will have the answer.

Here is a sample of what to look for (from my own equipment):










C:\>ipconfig /all
 
Windows IP Configuration
 
        Host Name . . . . . . . . . . . . : rws-wks
        Primary Dns Suffix  . . . . . . . : dcs-net
        Node Type . . . . . . . . . . . . : Hybrid
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : dcs-net
 
Ethernet adapter Local Area Connection:
 
        Connection-specific DNS Suffix  . :
        Description . . . . . . . . . . . : NETGEAR GA311 Gigabit Adapter
        Physical Address. . . . . . . . . : E0-91-F5-95-B6-9D
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 192.168.9.100
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.9.10
        DHCP Server . . . . . . . . . . . : 192.168.9.2
        DNS Servers . . . . . . . . . . . : 192.168.9.2
                                            192.168.9.10
        Lease Obtained. . . . . . . . . . : Wednesday, February 01, 2012 05:17:36
        Lease Expires . . . . . . . . . . : Wednesday, February 08, 2012 05:17:36
 
 

The only thing that may not be readily apparent from the above information is that the IP address 192.168.9.2 belongs to my Windows server, and its DNS server simply forwards to the Comcast DNSSEC servers the same as the two routers do. (Also, I do not use DHCP on the Netgear router's WAN because I have a static IP block from Comcast, but pointing it to the SMC router's gateway accomplishes the same thing since that makes it use the SMC router's DNS forwarding to the Comcast DNSSEC servers.)

Here is an image of my current network to help clarify the above information (which is from the XP workstation in the lower right corner):




--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower


elkido122

join:2011-02-23
Folsom, CA
reply to elkido122

It doesn't even look likely connection to the modem is receiving the DNSSEC servers. Looks like the old DNS servers. How could this be? I thought they rolled it out to everyone.



NetFixer
Freedom is NOT Free
Premium
join:2004-06-24
The Boro

4 edits

said by elkido122:

It doesn't even look likely connection to the modem is receiving the DNSSEC servers. Looks like the old DNS servers. How could this be? I thought they rolled it out to everyone.

Just because you don't see 75.75.75.75 and 75.75.76.76 showing up as the DHCP supplied DNS server IP addresses, that does not mean that you are not using the Comcast DNSSEC servers. Those two IP addresses are simply the AnyCast gateway IP addresses; the actual DNS servers are still in many cases the same IP addresses that were in use prior to Comcast's official announcement that the DNSSEC rollout was complete.

The screen shot below from my Comcast SMC gateway shows that I am not being supplied the 75.75.x.x DNS server IP addresses either, but the IP addresses shown are nonetheless Comcast DNSSEC server IP addresses. How do I know? I ran the DNS Nameserver Spoofability Test (that I previously suggested that you use) and that verified that I was using Comcast DNSSEC servers.




The GRC DNS Benchmark Test can also be configured to test for DNSSEC compliance, and the screen shot below shows that the two 68.87.x.x IP addresses (the ones in my SMC modem/router) and the 75.75.x.x IP addresses are DNSSEC servers (as is my local router at IP address 192.168.9.10 since it simply forwards to the 68.87.x.x servers that are programmed into the SMC modem/router).




The green "Resolves queries and authenticates security" statement indicates a DNSSEC server.

The amber "Bad domain names are intercepted by provider" statement indicates a "domain helper" type of server.

If you really want to know the DNSSEC compliance status of the DNS servers you are using, run the above tests and find out. Another test that can verify DNSSEC compliance is the ICSI Netalyzr test.

If you really don't understand how to run the above-mentioned tests (or don't understand the results), then post the DHCP supplied DNS server IP addresses that you are getting from Comcast, and I can do the test for you and interpret the results. There is absolutely no security risk to you from posting those IP addresses if that is why you have been hesitant to provide them.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower
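
Added example, not part of any post in this thread and not the code of any tool named above: one way a client can check whether the resolver chain it uses (router forwarder included) validates DNSSEC. It sends a query with the EDNS0 DO bit, then reads the AD flag and response code for a correctly signed name and for a deliberately mis-signed name. The two test names are an assumption left to the reader, and the sample responses are constructed header-only packets so the logic runs offline.

```python
import socket
import struct

def build_query(name, qtype=1, txid=0x1234):
    """A/IN query with RD set and an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL flags (DO = 0x8000), RDLEN 0
    opt = b"\x00" + struct.pack("!HHIH", 41, 1232, 0x00008000, 0)
    return header + qname + struct.pack("!HH", qtype, 1) + opt

def parse_header(packet):
    """Return the AD flag and RCODE from a DNS response header."""
    if len(packet) < 12:
        raise ValueError("truncated DNS header")
    flags = struct.unpack("!H", packet[2:4])[0]
    return {"ad": bool(flags & 0x0020), "rcode": flags & 0x000F}

def classify(good_resp, broken_resp):
    """good_resp: answer for a correctly signed name; broken_resp: for a mis-signed one."""
    good, bad = parse_header(good_resp), parse_header(broken_resp)
    if good["rcode"] != 0:
        return "inconclusive"
    if bad["rcode"] == 2:  # SERVFAIL: validation failed somewhere upstream
        return "validating" if good["ad"] else "validating (AD flag not relayed)"
    if bad["rcode"] == 0:
        return "not validating"
    return "inconclusive"

def ask(server, name, timeout=3.0):
    """Send the query over UDP to server:53 and return the raw response (needs network)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server, 53))
        return s.recvfrom(4096)[0]

def _hdr(flags):  # constructed header-only responses for an offline demonstration
    return struct.pack("!HHHHHH", 0x1234, flags, 0, 0, 0, 0)

VALIDATED = _hdr(0x81A0)   # QR RD RA AD, NOERROR
PLAIN_OK = _hdr(0x8180)    # QR RD RA, NOERROR
SERVFAIL = _hdr(0x8182)    # QR RD RA, SERVFAIL

if __name__ == "__main__":
    print(classify(VALIDATED, SERVFAIL))
    print(classify(PLAIN_OK, SERVFAIL))
    print(classify(PLAIN_OK, PLAIN_OK))
```

On a live network, pass the two responses from `ask()` to `classify()`, pointing `ask()` at the DNS server address that ipconfig reports. A forwarder that drops the AD flag still shows upstream validation through the SERVFAIL on the mis-signed name.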