The DNS Changer: End of the Internet–or not

There has been a lot of talk in the news about this DNS Changer worm, and how it will cause people to lose their internet connection on Monday. I wanted to take a moment to clear some things up, as the news basically points you to the FBI’s site (and their information). The link to their information is here.

So, here we go…

  1. Originally there were an estimated 14 million computers infected with this malware. Through the FBI and ISPs sending out warnings, that number has decreased dramatically. Right now, in the US, it's estimated that only about 70,000 devices are still infected. (Worldwide stats are available from the FBI.) That is why they're finally shutting down the replacement servers.

  2. The FBI arranged (under a court order) for clean DNS servers to answer at the "rogue" IP addresses, because with so many infected computers it would have been catastrophic to shut the rogue servers down cold. Imagine waking up to find that over 14 MILLION people have lost internet access at once.

  3. Basically, what's happening is this: DNS is like calling directory assistance to get someone's phone number. Your browser does this when it doesn't know the address (think phone number) of a website. The malware changed those "directory assistance" numbers to its own set. So it's as if you were calling a special number for directory assistance, and they gave you whatever numbers they wanted you to dial (not necessarily the number of the person you were trying to reach). Or they gave you a number that would charge your phone bill on their behalf (like using a phone card to call).

In DNS terms, when you typed in a site name your browser could be sent to an ad site, a porn site, or somewhere else entirely. If you did a search, the rogue servers could fake the search results with malicious sites (where you could be infected with other malware), or replace the ads on a legitimate site (since your browser had to fetch the ads from somewhere) with their own ads. It was hinted that the malware would also capture your passwords, but I haven't seen anything openly saying that. Either way, anyone who has been infected with any malware should change their passwords after cleaning their computer.

** Another common analogy for DNS is sending a letter through the Post Office, but to be honest, I'm not sure how this would play out in that scenario.

How do you know if you’re infected with the worm?

The easiest way to check your computer is to visit this site and follow their steps. They have a page which tells you (via a green or red background on a picture) whether you're infected. One drawback: if your ISP "fixes" things by redirecting traffic for the rogue DNS addresses to its own servers, that page may show you as clean when your computer is really still pointed at the rogue addresses. So it's worth checking the settings on the computer itself, which is what the rest of this post walks through.

As for what to check on your computer, here’s what to do:

For Windows Users:

  1. Click the Start orb, and type cmd in the bottom box (where it says "Search").
  2. Click on Command Prompt (or cmd) in the results at the top.

** These instructions are mainly for Windows Vista/7 users. In older versions of Windows, it would be the Start button, then Run..., and type cmd. In all versions of Windows you can also press the Windows key and the R key at the same time, and type cmd in the "Run..." box that pops up.

  3. Type in ipconfig /all (or copy and paste it from this post) and press Enter.

You're going to get a lot of information on the screen. What you're looking for will look something like this:

  Local Area Connection (Ethernet)
  IPv4 Address (IP Address on XP): 192.168.x.x (could be something like 192.168.2.100)
  Subnet Mask: 255.255.255.0
  Default Gateway: 192.168.x.1 or 192.168.x.254 (whatever the IP address of your modem or router is)
  DNS Servers: xxx.xxx.xxx.xxx
               xxx.xxx.xxx.xxx

*** The DNS Servers lines are what you're looking for. ***

What the link says to do is compare each DNS server address against the table below. Read the table as ranges, not as a list of separate numbers: a DNS server is rogue only if the whole address falls inside one of the ranges. For example, 85.255.115.20 is inside the first range (85.255.112.0 through 85.255.127.255), but 85.255.200.1 is not, because its third number is outside 112 through 127, and 213.109.112.5 is not either, even though 213, 109 and 112 each show up somewhere in the table. Checking one number at a time against every row can flag an address that is really outside all of the ranges, so compare the full address against each row, and if it lies outside all of them, that server is not one of the rogue ones.

Here is the table that they are referring to.

Rogue DNS Servers

85.255.112.0 through 85.255.127.255
67.210.0.0 through 67.210.15.255
93.188.160.0 through 93.188.167.255
77.67.83.0 through 77.67.83.255
213.109.64.0 through 213.109.79.255
64.28.176.0 through 64.28.191.255

If your DNS servers are the same as your Default Gateway above, then your modem or router is doing the lookups for your computer, and you need to log into it and check what DNS servers it is using (this malware also changed the DNS settings on home routers that still had their default password, which is why the warning in step 2 below matters). If you have just a modem, then you'll probably want to call your ISP for help with this, unless of course you've logged into it enough times that you know what to do. If you have a separate router (a Linksys, Cisco, or Netgear router, for example) that your computer is plugged into, you should be able to go to the manufacturer's site and get instructions on how to log in. The steps here are general (as the pages and passwords are different for each router).

  1. In your browser, type in the IP address of your Default Gateway and hit Enter.
  2. On the screen that comes up, type in the username and password for your router. (NOTE: if you haven't changed these from the defaults (often admin for both), you need to do that while you're in there.)
  3. You will be presented with the setup screens for your router. Look for the DNS information (first check your Status screens, and if the DNS entries aren't there, or are the rogue entries, then look for where they are configured).
  4. If your DNS entries are the rogue entries from the table, then you need to change them back to "good" ones (or follow whatever steps are needed to have your ISP provide them automatically). Personally, I recommend using public DNS entries (208.67.222.222 and 208.67.220.220 for OpenDNS, or 8.8.8.8 and 8.8.4.4 for Google Public DNS), but it's your decision whether to use your ISP's or not.

Apply the changes, and restart your computers after the modem/router comes back up (on Windows, running ipconfig /flushdns in the Command Prompt clears the cached lookups without a full restart). You should be all set for Monday.

For Linux users, check your /etc/resolv.conf file for the rogue DNS servers, or look at your network connection settings (and at the router/modem, if resolv.conf just points at your gateway).
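Here is a small checker, added here as an example and not part of the original post or of the FBI's tools, that does the comparison for you on either system: feed it the output of ipconfig /all (Windows) or the contents of /etc/resolv.conf (Linux) and it reports each DNS server as clean, ROGUE (inside one of the ranges in the table above), or answered by a local/router address, in which case you go and check the router. The ipconfig excerpt and resolv.conf text embedded in it are constructed samples. It also keeps the one-number-at-a-time reading of the table as a separate function, only to show that it over-matches on an address such as 213.109.112.5.

```python
"""Check DNS server settings against the DNSChanger rogue ranges.

Added example, not code from the original post or the FBI. It reads either
the output of `ipconfig /all` (Windows) or an /etc/resolv.conf (Linux) from
stdin or a file and says whether each DNS server lies inside one of the rogue
ranges listed in the post. The two SAMPLE_* texts below are constructed.
"""
import ipaddress
import re
import sys

# The ranges exactly as the post lists them, as (first, last) pairs.
ROGUE_RANGES = [
    ("85.255.112.0", "85.255.127.255"),
    ("67.210.0.0", "67.210.15.255"),
    ("93.188.160.0", "93.188.167.255"),
    ("77.67.83.0", "77.67.83.255"),
    ("213.109.64.0", "213.109.79.255"),
    ("64.28.176.0", "64.28.191.255"),
]

# Convert each first..last range into CIDR network(s) once, so that
# membership is a whole-address test rather than a number-by-number one.
ROGUE_NETWORKS = [
    net
    for first, last in ROGUE_RANGES
    for net in ipaddress.summarize_address_range(
        ipaddress.IPv4Address(first), ipaddress.IPv4Address(last))
]

IPV4 = re.compile(r"\b(\d{1,3}(?:\.\d{1,3}){3})\b")


def is_rogue(addr):
    """True if the whole address falls inside one of the rogue ranges."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in ROGUE_NETWORKS)


def octet_method_flags(addr):
    """The number-by-number reading of the table: flags addr if each of its four
    numbers appears in the same column of *some* row. Kept only to show that it
    over-matches (213.109.112.5 is flagged although it lies in no range)."""
    for col, octet in enumerate(int(o) for o in addr.split(".")):
        if not any(int(first.split(".")[col]) <= octet <= int(last.split(".")[col])
                   for first, last in ROGUE_RANGES):
            return False
    return True


def extract_dns_servers(text):
    """Pull DNS server addresses out of `ipconfig /all` output or resolv.conf."""
    servers = []
    in_dns_block = False
    for line in text.splitlines():
        m = re.match(r"\s*nameserver\s+(\S+)", line)
        if m:                                        # resolv.conf style
            servers.append(m.group(1))
            continue
        if re.match(r"\s*DNS Servers\b", line):      # ipconfig label line
            in_dns_block = True
        elif not re.match(r"\s+\S+\s*$", line):      # anything but a bare
            in_dns_block = False                     # continuation value ends it
        if in_dns_block:
            servers.extend(IPV4.findall(line))
    return servers


def check(text):
    """Return [(server, verdict), ...] for every DNS server found in text."""
    results = []
    for server in extract_dns_servers(text):
        try:
            ip = ipaddress.ip_address(server)
        except ValueError:
            results.append((server, "unparsable"))
            continue
        if ip.is_private:
            verdict = "local/router address answers DNS: check what it forwards to"
        elif is_rogue(server):
            verdict = "ROGUE"
        else:
            verdict = "clean"
        results.append((server, verdict))
    return results


# Constructed `ipconfig /all` excerpt from an infected Windows 7 machine.
SAMPLE_IPCONFIG = """\
Ethernet adapter Local Area Connection:

   IPv4 Address. . . . . . . . . . . : 192.168.2.100(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.2.1
   DNS Servers . . . . . . . . . . . : 85.255.112.36
                                       85.255.112.37
   NetBIOS over Tcpip. . . . . . . . : Enabled
"""

# Constructed /etc/resolv.conf after switching to the public resolvers.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
search home.example
nameserver 8.8.8.8
nameserver 208.67.222.222
"""

if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else sys.stdin.read()
    for server, verdict in check(source) or [("(no DNS servers found)", "")]:
        print(server, verdict)
```

Saved as, say, dnscheck.py (the name is my choice), it runs as `ipconfig /all | python dnscheck.py` on Windows or `python3 dnscheck.py /etc/resolv.conf` on Linux. A "local/router address" verdict is not a clean bill of health: it means the computer asks the router, so the router's own DNS settings are what need checking, as described in the steps above.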

And for Mac users, you’ll want to check the instructions from the FBI’s website link.

If your computer is/was infected, you need to take steps to clean it. The link I provided above for detecting whether you're infected also has links to tools for cleaning your computer. After running these tools and making sure your computer is clean, you most definitely want to change ALL of your passwords. This goes without saying for any malware that's on your computer (not just this one).

Good luck, and I’ll see you on Monday (hopefully).

Have a great day:)
Patrick.

Configuring your DNS Servers Part 3 (Linux and Mac OS X, Routers/Modems, and testing the configuration.)

In the previous two parts, I explained why you may want to configure your DNS to use a service other than the one your ISP provides, and how to configure it in Windows.  This post explains how to configure your DNS on Linux, using a GUI or the command line, then how to configure it on Mac OS X, and finally how to change it on your router or modem and test the result.

Linux

In Linux, your DNS settings are stored in a file called resolv.conf, which is located in the /etc folder.  Even if you're using a desktop such as Gnome or KDE, you need to edit this file as root (via sudo).  The easiest method that I found in KDE was to open a Terminal and type "sudo kate /etc/resolv.conf".  When I did this in my VM, I received a few error messages in Terminal, but Kate opened up with the resolv.conf file loaded.

If you wish to do this via the command line, you simply enter “sudo vi /etc/resolv.conf” or “sudo emacs /etc/resolv.conf” (depending on your editor preference).  After being prompted for your password, it will open with resolv.conf loaded.

Once you have resolv.conf open, you may see something similar to the following:

nameserver 192.168.2.80
nameserver 128.28.38.232

or you may not have anything in the file at all.  Write down any IP addresses listed in the file, then change them to the IP addresses of the public DNS service you wish to use.  One caveat: on many distributions resolv.conf is regenerated by the DHCP client or NetworkManager, so a hand edit can be overwritten the next time the connection comes up.  If that happens, set the DNS servers in your network connection's settings (or on your router) instead.

After doing so, either Save the file (if in Kate), or use :w to write the file in vi (or the comparable method in Emacs or whatever your editor is).

Next, close your Internet clients (browsers, Twitter apps, e-mail, etc.) and restart them, so that they pick up the new servers.
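If you'd rather script the edit than open an editor, here is an added example (not from the original post) that swaps the nameserver lines in a resolv.conf file: it records the old addresses for rollback, refuses malformed or duplicated ones (the primary and secondary must be different servers, as Part 1 notes), keeps the search and options lines, and writes the file atomically so a crash mid-write cannot leave it half-written. The demo() function runs it on a temporary copy of a constructed resolv.conf (using the two addresses shown above) so the logic can be checked without touching /etc; against the real file, run it as root.

```python
"""Replace the nameservers in a resolv.conf file, keeping the old ones for rollback.

Added example, not from the original post. set_nameservers() does the edit the
post describes by hand; demo() exercises it on a temporary copy of the
constructed SAMPLE_RESOLV so nothing under /etc is touched.
"""
import ipaddress
import os
import tempfile

# Constructed file, using the two addresses shown in the post.
SAMPLE_RESOLV = """\
# Generated by NetworkManager
search home.example
nameserver 192.168.2.80
nameserver 128.28.38.232
"""


def parse_resolv(text):
    """Split resolv.conf text into (nameserver addresses, all other lines)."""
    nameservers, others = [], []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == "nameserver":
            nameservers.append(parts[1])
        else:
            others.append(line)     # comments, search, options, domain ...
    return nameservers, others


def render_resolv(nameservers, others):
    """Other lines first, then one nameserver line per address, in order."""
    return "\n".join(others + ["nameserver " + ns for ns in nameservers]) + "\n"


def validate_servers(servers):
    """Normalise the addresses; reject junk, and reject duplicates because the
    primary and secondary resolver must be different servers."""
    if not servers:
        raise ValueError("at least one nameserver is required")
    seen, clean = set(), []
    for s in servers:
        ip = ipaddress.ip_address(s)          # ValueError on anything malformed
        if ip in seen:
            raise ValueError("duplicate nameserver: %s" % s)
        seen.add(ip)
        clean.append(str(ip))
    return clean


def set_nameservers(path, servers):
    """Rewrite `path` with the given nameservers; return the previous list."""
    servers = validate_servers(servers)
    with open(path) as f:
        old, others = parse_resolv(f.read())
    # Write a sibling temp file and rename it over the original, so a crash
    # mid-write never leaves a half-written resolv.conf behind.
    fd, tmp = tempfile.mkstemp(prefix=".resolv.", dir=os.path.dirname(path) or ".")
    with os.fdopen(fd, "w") as f:
        f.write(render_resolv(servers, others))
    os.chmod(tmp, 0o644)                      # resolv.conf must stay world-readable
    os.replace(tmp, path)
    return old


def demo(new_servers=("8.8.8.8", "208.67.222.222")):
    """Run the swap on a temp copy of SAMPLE_RESOLV; return (old, new, text)."""
    fd, path = tempfile.mkstemp(suffix=".conf")
    with os.fdopen(fd, "w") as f:
        f.write(SAMPLE_RESOLV)
    try:
        old = set_nameservers(path, list(new_servers))
        with open(path) as f:
            text = f.read()
    finally:
        os.unlink(path)
    return old, parse_resolv(text)[0], text


if __name__ == "__main__":
    old, new, text = demo()
    print("was:", old, "now:", new)
    print(text)
```

The returned list of old addresses is your rollback: if the tests at the end of this post fail, call set_nameservers() again with that list. The same caveat as the hand edit applies: a DHCP client or NetworkManager that owns resolv.conf will overwrite the change on the next reconnect.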

Mac OS X (10.5 and maybe later—I don’t have access to this, so I can’t confirm)

1.  Click on the Apple Menu, then click on System Preferences, and finally click on Network.  You may be prompted for an Administrator password.

2.  Select the connection that you wish to configure, and click Advanced.

3.  Select the DNS tab.

4. Click the +.  Either replace the DNS addresses with your Public DNS addresses, or add them to the top of the list (first listed has priority).

5.  Click Apply and OK.

**** Note that these instructions were taken almost verbatim from the “Using Google Public DNS” instructions located at http://code.google.com/speed/public-dns/docs/using.html.

Routers and Modems:

Typically your router will be located on 192.168.x.1 or 192.168.x.254 (where x represents a number such as 0 or 1).  You should consult the documentation for your router, or you can find instructions on accessing your router at http://www.portforward.com. If you use PortForward, simply choose any application to get into the instructions for setting up your router (as they don’t have instructions for a Public DNS, and you only need help getting into the router).

You will be prompted for your Administrator password.  If you haven’t changed it at all, then it will be the default password (supplied in your documentation or possibly listed on portforward). *****You really should change this password, while you’re in the router configuring your DNS.

Find the screen where you can change your DNS entries (on Linksys routers, it’s probably located on Setup—but this will vary).

If there are already IP addresses listed, then copy them down as backups.  Then replace them with the IP addresses for the Public DNS that you wish to use.

Save and exit (possibly will be “Save and Restart”).

Restart your browser.

Testing the new DNS entries:

Google recommends testing the new settings by navigating to a site, and then adding it to your bookmarks (if it opens).  Then try navigating to the site through the bookmark.  If it opens both ways, then you’re good to go.

If not, then try navigating to an IP address (they recommend http://18.62.1.6 which points to http://eecs.mit.edu) and bookmark that page.  If you can navigate back to the bookmark, but not through the site name, then you have an issue with your DNS entries.

If these tests don’t work, roll back your DNS settings (which is why you copied them down) and try again.  If the tests still fail, then you have network issues—and probably should contact your ISP for help.

Have a great day:)
Patrick.

Configuring Your DNS Servers Part 2 (Windows Computers Only)

So, you’ve decided that you want to ditch your ISP’s DNS servers for whatever reason.  In Part 1, I gave you the IP’s for Google Public DNS and OpenDNS.  Now, it’s time to get into the guts of the matter and make the changes.  As mentioned before, I will show you in two major sections “On your Computer” and “On your router/modem”.  I will further break the first section down into Windows, Mac OS X, and Linux. 

On Your Computer

Windows machines:

In Windows, the actual changes are the same; it's how you get to them that differs.  The location is the "Properties" option of the network adapter that you're using (wired or wireless).  Here's how to find it.

Windows XP and earlier:  Click your Start menu.  Then either right-click on My Network Places (and choose Properties), or left-click on Control Panel (if My Network Places isn't listed).  If you choose the Control Panel, then you need to click on "Network and Internet Connections" (in Category View) or "Network Connections" (in Classic View).  In Category View, you have an additional step: click on Network Connections at the bottom.

**Alternative Method**  If you have the network icon on your systray, you can always click on it and bring up the dialog box that says “Properties” or “Disable”.  This is the quickest method, because clicking on Properties will get you right to the point you need to be.

Windows Vista or Windows 7:  In Vista and Windows 7, the location has been hidden in an extra step.  Now, you have to go to the Network and Sharing Center, and move from there.  You can get there by either left clicking the network icon (and then clicking “Open Network and Sharing Center” in the box), right clicking the icon and selecting “Open Network and Sharing Center”, clicking your Start button and right clicking on the “Network” and choosing Properties, or clicking on Control Panel –> View Network Status and Tasks.

No matter how you get to the “Network and Sharing Center” in Vista or Windows 7, you need to click on “Change Adapter Settings” to get to the same location as you would in Windows XP or earlier.

Now that we’re in the Adapter Settings (or if you chose to do the Alternative Method, you’re still waiting for us to catch up), here’s how we change the properties.

1.  Right click on the Adapter that you’re using (it will usually say “Connected” somewhere in the information) and choose Properties  (this brings you up to speed with the Alternative Method people).

2.  In the box that opened, click on Internet Protocol (TCP/IP) (on Vista and Windows 7 it is listed as Internet Protocol Version 4 (TCP/IPv4), alongside the IPv6 entry).

3.  Click on Properties.

4.  Click on the button that says "Use the following DNS server addresses".

5.  Put the IP addresses from Part 1 into the spaces provided for the DNS Servers.  Remember, you can use one IP address from either service, both from one service, or one from each service.  But, if you put two IP addresses in, they have to be different.

6. Click OK. Then Click OK on the Properties box.

7.  The change takes effect for new lookups right away; if a site still resolves to the old answer, run ipconfig /flushdns from a Command Prompt to clear the cache, or restart the computer.  Otherwise, you're good to go.

***Edit*** Originally, I intended for this to be a single post, but because it ended up being long, I’m breaking it up into at least two posts.  This post will cover Windows, and the next post will cover Linux, Mac OS X, and hopefully touch on routers/modems.

Have a great day:)
Patrick.

Configuring your DNS Servers Part 1.

My next two posts will help you to configure your computer (or router/modem) to use DNS servers that are different than your ISP provides.  As mentioned in my previous post on Google Public DNS, there are reasons why you may want to choose a public or “open DNS” server over your ISP’s servers.  Or you may want to install one on your computer or network.

First things first though:

If you’re considering installing your own DNS, there are two that I recommend highly.  The first is the BIND DNS Server that you can find here.  This is the basis for a lot of DNS Servers (including the ones that are present in most *nix systems).  The second is called TreeWalk DNS (which is based on BIND), and can be found here.

Both of these will configure the computer that you install them on, to use them instead of your ISP provided servers.

Ok, so you don't want to deal with DNS yourself, but want to use Google Public DNS or OpenDNS.  In this post, I will give you some of the information needed to get started, and the next post will have the steps (based upon the steps provided by Google) for configuring your DNS.  I will break it down into "On your computer(s)", which will be split into "Windows based", "Mac OS X based", and "Linux based", and "On your router or modem", which will be generic instructions (since the steps vary widely).

So, with that, here we go:

The IP addresses for the DNS Servers are as follows…  You do not need all of these, nor do you even need to put both of them in (for each provider).  In fact, you can use one from each provider, if you wish.  However, you cannot use the same IP address for both Primary and Secondary DNS Servers.

Google Public DNS:  8.8.8.8 and 8.8.4.4 are the IP addresses that you’ll choose from.  You’ll put one in the Primary and one in the Secondary (if you choose to do so).

OpenDNS:  208.67.222.222 and 208.67.220.220 are the IP addresses that you’ll choose from.  Like Google’s, you will put one in the Primary and one in the Secondary.  And it doesn’t matter which one is first or second.

In my next post, I will go through the actual configuration steps for you.

Have a great day:)
Patrick.

Google offers Public DNS and shows that you have a choice….

On December 3, 2009, Google opened up a new service for everyone:  Google Public DNS.  Most people probably don't know what DNS is, or why they should care.  The typical attitude is "It works, so why should I bother with it?" (aka "If it ain't broke, don't fix it.")  In this post, I will outline the value of DNS, and why you should care.  And I plan on touching on your options (and my opinion on why you should choose one over the other).

What is DNS?

There are two schools of thought about how to explain DNS.  The first is the most basic and doesn’t get into the technical aspects of how it works.  This is that DNS is similar to the Directory Assistance that you call, when you don’t know a phone number for someone.  You call them, and ask for “John Public’s phone number” and they look it up and reply with “It’s 412-555-2343.”  DNS does this same thing:  When you look up www.yahoo.com, the DNS server gets the IP address (that your computer needs to get the page from Yahoo) and returns it to your computer—then your computer goes to that address and gets the page.

The second school of thought is a bit more technical.  It compares DNS to the Post Office.  When you take a letter for Aunt Jane to the Post Office, they look to see if she's in their area.  If not, they send it to the next office in line, which sends it to the central office, which passes it to the central office that handles Aunt Jane's town, and they pass it down to the Post Office in Aunt Jane's town.  DNS works much the same way, except that the servers are organised by name rather than by place.  If the DNS server your computer asks (your ISP's, or a public one) already knows www.yahoo.com from a recent lookup, it answers from its cache.  If not, it asks one of the root servers which servers handle .com, asks those which servers handle yahoo.com, and finally asks Yahoo's own name servers for the address of www.yahoo.com, caching the answer so that the next person who asks gets it straight away.
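To make the directory-assistance picture concrete, here is an added example (not from the original post) that builds the actual DNS question your computer sends and parses the answer that comes back, using only Python's standard library. The reply bytes embedded in it are a constructed answer for eecs.mit.edu pointing at 18.62.1.6 (the name and address Google's own test instructions use); the resolve() function at the end sends a real query over UDP to whichever server you name, which is also a handy way to test a newly configured resolver. The transaction-id check is there because an answer that does not match the id we sent, whether from a confused resolver or from someone spoofing one, should be thrown away.

```python
"""Build a DNS query and parse the reply, using only the standard library.

Added example, not from the original post. SAMPLE_RESPONSE is a constructed
answer for eecs.mit.edu -> 18.62.1.6 (the name and address from Google's
test instructions); resolve() sends a real query over UDP if you are online.
"""
import random
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


def encode_name(name):
    """'eecs.mit.edu' -> b'\\x04eecs\\x03mit\\x03edu\\x00' (length-prefixed labels)."""
    out = b"".join(bytes([len(label)]) + label.encode("ascii")
                   for label in name.rstrip(".").split("."))
    return out + b"\x00"


def build_query(name, txid):
    """A standard recursive A-record query: 12-byte header, question, type A, class IN."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # 0x0100 = RD bit
    return header + encode_name(name) + struct.pack("!HH", 1, 1)


def decode_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:                     # 2-byte pointer to an earlier name
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2                      # caller resumes after the pointer
            jumped = True
            offset = pointer
            continue
        offset += 1
        if length == 0:
            break
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if end is not None else offset)


def parse_response(data, expected_id=None):
    """Return id, rcode, question names and (name, ttl, value) answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if expected_id is not None and txid != expected_id:
        raise ValueError("transaction id mismatch: not the answer we asked for")
    offset, questions, answers = 12, [], []
    for _ in range(qd):
        qname, offset = decode_name(data, offset)
        offset += 4                                   # skip qtype, qclass
        questions.append(qname)
    for _ in range(an):
        name, offset = decode_name(data, offset)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        if rtype == 1 and rdlen == 4:                 # A record: four raw bytes
            answers.append((name, ttl, socket.inet_ntoa(data[offset:offset + 4])))
        elif rtype == 5:                              # CNAME: another (compressed) name
            answers.append((name, ttl, "CNAME " + decode_name(data, offset)[0]))
        offset += rdlen                               # other record types are skipped
    return {"id": txid, "rcode": RCODES.get(flags & 0x0F, flags & 0x0F),
            "questions": questions, "answers": answers}


def resolve(name, server="8.8.8.8", timeout=3.0):
    """Ask `server` for an A record over UDP port 53 (needs network access)."""
    txid = random.randrange(0x10000)                  # a spoofed answer must guess this
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, txid), (server, 53))
        data, _ = sock.recvfrom(512)
    return parse_response(data, expected_id=txid)


# Constructed reply to build_query("eecs.mit.edu", 0x1234): flags 0x8180 =
# response, recursion desired + available; one question, one answer whose name
# is a pointer (0xC00C) back to the question name at offset 12.
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)
    + encode_name("eecs.mit.edu") + struct.pack("!HH", 1, 1)
    + b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 3600, 4) + bytes([18, 62, 1, 6])
)

if __name__ == "__main__":
    print(parse_response(SAMPLE_RESPONSE, expected_id=0x1234))
    # print(resolve("eecs.mit.edu", "8.8.8.8"))  # live query; uncomment when online
```

The rcode is what distinguishes "that name does not exist" (NXDOMAIN) from "the server could not answer" (SERVFAIL), which matters for the error-page discussion further down: a resolver that returns a real NXDOMAIN lets your browser show its own error page, while one that substitutes an address of its own choosing returns NOERROR with an answer you never asked for.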

Why should I care about Google Public DNS or Open DNS or whatever?

There are a lot of reasons why you should care about this.  When you sign up with an ISP (Internet Service Provider), they assign specific DNS servers for you to use.  This may not be an issue, unless they change the IP addresses of the servers, or their servers are hit with a Denial of Service attack (which essentially shuts them down), or they don't keep their DNS servers updated (leaving them vulnerable to problems such as cache poisoning, where an attacker feeds the server a wrong answer that it then hands out to every customer).  And occasionally, they will use their DNS servers to redirect you to advertisements or preferred sites when your request cannot be answered (that is, when the name you typed does not exist).

Just a few years ago, Comcast had an issue where the majority of their DNS servers ceased functioning.  So a lot of their customers had no way of getting to pages other than the ones whose addresses were still cached from recent visits.  They are not alone.  Qwest has had issues with DNS in the past, and so have the other major and minor ISPs.

The “Public DNS” that Google is offering, or OpenDNS (which is offered by another service) take steps to prevent these types of issues from happening.  They keep their systems updated, and take steps to minimize the effects of Denial of Service attacks.  The biggest thing they do is offer you a choice.  You’re not locked into your ISP’s DNS Servers (and any controls that they have implemented in them).

Which is better?  Google Public DNS, OpenDNS, or your own server:

This question can only be really answered over time.  A lot of the answer will depend on what your preferences are.  And part of it will depend on whether you want to update your system, or just use it.

If you want total control over what happens with your DNS requests, then implementing your own server is best.  However, you will bear the responsibility of making sure that you have the latest updates for the server.

Google Public DNS offers you the comfort of not having to worry about security and updating.  And when you type in a website name that doesn't exist, it returns a proper "no such name" answer, so your browser shows its own error page.  The biggest tradeoff is this:  if someone wants to surf porn, or download illegal content, or do other malicious or questionable things, Google Public DNS doesn't offer you any control over that.  It resolves all sites.

OpenDNS offers you the same comfort as Google Public DNS.  However, you lose the error page when something is wrong.  Instead, you are presented with a search page or a message page saying that the nameservers failed.  One of the benefits that OpenDNS offers is control and filtering.  You can control what categories and sites will be resolved.  I’ve used this system for an open wireless router.  I blocked porn, bittorrents, filesharing sites, and other content that could cause me legal issues.  It worked without much of an issue.

In a future post, I will give you some generic instructions on how to change your DNS servers, and the IP addresses for both Google Public DNS and OpenDNS.

Have a great day:)
Patrick.