| [DNS] Dnssec severs question So Comcast has them rolled out now I know that. My router is assigned to obtain them automatically. When I do an ip config on command prompt it says my computer is using the default router ip for the dns. Does this mean my pc is pulling whatever DNs the router is getting from my modem and just listing it as the router ip? |
|
 EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | Exactly. Your router is acting as a DNS proxy. Look in your router's status for the exact DNS IP addresses that are being assigned by Comcast's DHCP server. |
|
 NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro
 ·Comcast Business..
 ·Vonage
 ·Cingular Wireless
·Comcast
1 edit | reply to elkido122
As EG said, your router is likely just acting as a DNS proxy (AKA a DNS forwarding server).
If you really want to know what DNS servers you are using (not just the two IP addresses that are supplied by Comcast's DHCP server), run the DNS Nameserver Spoofability Test at GRC. My Windows DNS server and my routers all forward to the Comcast DNSSEC servers, but that test usually lists ~30 Comcast DNS servers, none of which have the 75.75.75.75 or 75.75.76.76 IP addresses. That is of course the nature of the AnyCast system, you will connect to the closest server that is available to answer your query, and if the closest server is busy, you will get the next closest, and ...
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower |
|
EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | Thanks for expanding NetFixer  !  |
|
NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast
| said by EG:Thanks for expanding NetFixer !
I thought about explaining the difference between a DNS proxy and a DNS forwarder, but I figured that too many eyes would turn glassy. 
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower |
|
EGThe wings of lovePremium
join:2006-11-18
Union, NJ
kudos:9 | HehHeh !!  |
|
| reply to elkido122
So I'm fine then basically? And I'm most likely using the dnssec |
|
NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast
1 edit | said by elkido122:So I'm fine then basically? And I'm most likely using the dnssec
Only someone with access to your router and your connected devices can answer that question.
If your router is getting the DNS server information from Comcast's DHCP servers, and the devices connected to your router are using the router's DHCP server (and if the router is acting as a DNS forwarder if that is to where the DNS server entries in the connected devices point), then most likely you are using Comcast's DNSSEC servers.
You however, are the only one who can verify that. Look at your router's configuration, and at the TCPIP configuration of your connected devices, and you will have the answer.
Here is a sample of what to look for (from my own equipment):
C:\>ipconfig /all
Windows IP Configuration
Host Name . . . . . . . . . . . . : rws-wks
Primary Dns Suffix . . . . . . . : dcs-net
Node Type . . . . . . . . . . . . : Hybrid
IP Routing Enabled. . . . . . . . : No
WINS Proxy Enabled. . . . . . . . : No
DNS Suffix Search List. . . . . . : dcs-net
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NETGEAR GA311 Gigabit Adapter
Physical Address. . . . . . . . . : E0-91-F5-95-B6-9D
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.9.100
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.9.10
DHCP Server . . . . . . . . . . . : 192.168.9.2
DNS Servers . . . . . . . . . . . : 192.168.9.2
192.168.9.10
Lease Obtained. . . . . . . . . . : Wednesday, February 01, 2012 05:17:36
Lease Expires . . . . . . . . . . : Wednesday, February 08, 2012 05:17:36
The only things that may not be readily apparent from the above information is that the IP address 192.168.9.2 belongs to my Windows server, and its DNS server simply forwards to the Comcast DNSSEC servers the same as the two routers do. Also I do not use DHCP on the Netgear router's WAN because I have a static IP block from Comcast, but pointing it to the SMC router's gateway accomplishes the same thing since that makes it use the SMC router's DNS forwarding to the Comcast DNSSEC servers).
Here is an image of my current network to help clarify the above information (which is from the XP workstation in the lower right corner):
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower |
|
| reply to elkido122
It doesn't even look likely connection to the modem is receiving the dnssec servers. Looks like the old DNA servers how could this be I thought they rolled it out to everyone |
|
NetFixerFrom my cold dead handsPremium
join:2004-06-24
The Boro Reviews:
·Comcast Business..
·Vonage
·Cingular Wireless
·Comcast
4 edits | said by elkido122:It doesn't even look likely connection to the modem is receiving the dnssec servers. Looks like the old DNA servers how could this be I thought they rolled it out to everyone
Just because you don't see 75.75.75.75 and 75.75.76.76 showing up as the DHCP supplied DNS server IP addresses, that does not mean that you are not using the Comcast DNSSEC servers. Those two IP addresses are simply the AnyCast gateway IP addresses, the actual DNS servers are still in many cases the same IP addresses that were in use prior to Comcast's official announcement that the DNSSEC rollout was complete.
The screen shot below from my Comcast SMC gateway shows that I am not being supplied the 75.75.x.x DNS server IP addresses either, but the IP addresses shown are nonetheless Comcast DNSSEC server IP addresses. How do I know? I ran the DNS Nameserver Spoofability Test (that I previously suggested that you use) and that verified that I was using Comcast DNSSEC servers.
The GRC DNS Benchmark Test can also be configured to test for DNSSEC compliance, and the screen shot below shows that the two 68.87.x.x IP addresses (the ones in my SMC modem/router) and the 75.75.x.x IP addresses are DNSSEC servers (as is my local router at IP address 192.168.9.10 since it simply forwards to the 68.87.x.x servers that are programmed into the SMC modem/router).
The green "Resolves queries and authenticates security" statement indicates a DNSSEC server.
The amber "Bad domain names are intercepted by provider" statement indicates a "domain helper" type of server.
If you really want to know the DNSSEC compliance status of the DNS servers you are using, run the above tests and find out. Another test that can verify DNSSEC compliance is the ICSI Netalyzer test.
If you really don't understand how to run the above mentioned tests (or don't understand the results), then post the DHCP supplied DNS server IP addresses that you are getting from Comcast, and I can do the test for you and interpret the results. There is absolutely no security risk to you from posting those IP addresses if that is why you have been hesitant to provide them.
--
History does not long entrust the care of freedom to the weak or the timid.
-- Dwight D. Eisenhower |
|
|
|
