DNSthingy services are now available as a preview release that can be installed on pfSense® software from ESF.
Minimum system requirement is simply any existing pfSense® installation, version 2.3 or later. pfSense® is a platform chosen by many seasoned IT veterans who focus on managed gateways across a variety of business sectors. Based on FreeBSD, its strength lies in its stability and subscription-free operating system. While DNSthingy itself is subscription-based, the high number of requests we have received to offer our services on this platform makes it a good fit.
For a preview-release installation and a free evaluation, simply contact our support team. We are looking in particular for multi-WAN environments, as well as deployments that use several VLANs in restrictive/hardened environments.
pfSense® is a registered trademark owned by Electric Sheep Fencing LLC and is used herein with permission.
More information as to pfSense® can be found at www.pfsense.org.
Did you know you can schedule your Internet access rules?
Here’s a screenshot of a sample schedule in use by one of our homeschoolers, designed to minimize distractions during the schooldays, while providing entertainment and social media access in specific times of the day:
You can customize it completely to your own needs. Here are some typical use cases:
Your small business likes to keep staff focused on specific tasks during specific hours. Create a ruleset and a schedule that whitelist only the required services for the required times.
While the office is closed, no Internet access is required except for services such as operating system updates and online backups. Create a schedule in which these are the only services allowed during closed hours.
Not sure what your Internet-of-Things devices are doing? Schedule them to be online only when they’re in use.
Here’s a short 3-minute video to give you an alternate example:
Posted February 15, 2016
by David Redekop
How often do you end up having to remember IP addresses to access internal resources such as a NAS or any of your IoT devices? Consider using names instead of IP addresses:
| By IP address | By memorable name |
| --- | --- |
| Hard to remember | Easy to remember |
| Might change with a factory reset | Never needs to change |
| Incompatible with future network schemes | Never needs to change |
| Will need to change with IPv6 | Never needs to change |
A better practice is to choose an easy-to-remember name, use your DNSthingy to create an authoritative list, and enable it on your rulesets. After that you never need to remember the IP address. For example, if you had a NAS at 192.168.1.10 that you wish to access by various names, follow these steps:
From DNSthingy.com/dashboard, log in and create a new authoritative list like this:
Fill in the IP address and the full list of names you want to work, similar to this:
Finally, enable the list in your rulesets so it looks like this:
That’s it! You’re all set! Now you can always access your NAS via http://mynas.local or http://nas.local or http://yournas.local or http://newnas.local. One caveat when choosing names: the .local suffix is reserved for multicast DNS (RFC 6762), so macOS, iOS and Avahi-enabled Linux clients resolve such names over mDNS instead of asking your gateway; a suffix such as home.arpa (RFC 8375) or a subdomain of a domain you own avoids that conflict.
Important: this feature requires version 2.7.0 which will be automatically upgraded for all subscribers and non-subscribers alike.
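A check to run from a client once the list is enabled, added here as an example (it is not DNSthingy code): the script resolves each alias, reports whether it maps to the NAS, and flags names under .local, which RFC 6762 reserves for multicast DNS. The resolver is injectable so the check also runs offline; the answer table FAKE_ANSWERS, the names nas.home.arpa and oldnas.local, and the functions check_aliases, system_resolve and fake_resolve are this example's own constructions.

```python
"""Verify that every alias in an authoritative list resolves to the expected
address and flag suffixes a client may resolve via mDNS instead of the gateway.
Added example, not DNSthingy code.  The resolver is injectable so the check
runs offline against a constructed answer table."""
import ipaddress
import socket
from typing import Callable, Dict, List

# Suffix that RFC 6762 reserves for multicast DNS: macOS, iOS and Avahi-enabled
# Linux hosts resolve these names over mDNS and never ask the gateway.
MDNS_SUFFIXES = (".local",)


def system_resolve(name: str) -> List[str]:
    """Resolve with the host's stub resolver (live check, IPv4 only)."""
    try:
        infos = socket.getaddrinfo(name, None, socket.AF_INET)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_aliases(expected_ip: str, names: List[str],
                  resolve: Callable[[str], List[str]] = system_resolve) -> Dict[str, str]:
    """Return a verdict per name:
    'ok'               resolved only to expected_ip
    'nxdomain'         no answer at all
    'mismatch:<addrs>' resolved, but to a different address
    'mdns-suffix'      resolved correctly here, but the suffix is mDNS-reserved,
                       so other clients may bypass the gateway for it"""
    expected = ipaddress.ip_address(expected_ip)
    verdicts: Dict[str, str] = {}
    for raw in names:
        name = raw.rstrip(".").lower()
        addrs = resolve(name)
        if not addrs:
            verdicts[name] = "nxdomain"
        elif any(ipaddress.ip_address(a) != expected for a in addrs):
            verdicts[name] = "mismatch:" + ",".join(addrs)
        elif name.endswith(MDNS_SUFFIXES):
            verdicts[name] = "mdns-suffix"
        else:
            verdicts[name] = "ok"
    return verdicts


# Constructed answer table standing in for the gateway's responses (assumption:
# the list maps the first four names to the NAS; oldnas.local is a stale entry).
FAKE_ANSWERS = {
    "mynas.local": ["192.168.1.10"],
    "nas.local": ["192.168.1.10"],
    "yournas.local": ["192.168.1.10"],
    "nas.home.arpa": ["192.168.1.10"],
    "oldnas.local": ["192.168.1.20"],
}


def fake_resolve(name: str) -> List[str]:
    """Offline stand-in for system_resolve."""
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    aliases = ["mynas.local", "nas.local", "yournas.local", "newnas.local",
               "nas.home.arpa", "oldnas.local"]
    for alias, verdict in check_aliases("192.168.1.10", aliases, fake_resolve).items():
        print(f"{alias:16} {verdict}")
```

Drop the third argument to run it against the real resolver of the machine you are sitting at; a 'nxdomain' for a .local name on a Mac usually means mDNS answered (or failed) before the gateway was ever consulted.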
Securing the world of Internet communications with self-signed SSL certificates has had an unintended consequence:
We would like to undo this. The reasons why prosumer-grade or even commercial-grade routers have never shipped a publicly trusted certificate are two-fold:
The nature of manual firmware upgrade cycles. Manufacturers have traditionally waited for the end-user to download and apply firmware upgrades.
Certificates have an actual expiry date. Therefore, if the end-user does not upgrade the firmware (and with it the certificate), the certificate expires, which is even worse than a self-signed or unsigned certificate because some browsers don’t even allow an override to continue.
Since DNSthingy firmware in prosumer gateways is upgraded without the option of opting out, this opened the door for us to include a publicly trusted SSL certificate and, at the very least, contribute to undoing the comfort level with self-signed or unsigned certificates. When you access the gateway of any of our ASUS routers flashed with DNSthingy firmware and inspect the SSL certificate, this is what you will see:
We recognize that this approach could be analyzed as a weakness insofar as reverse engineers could extract the private key from any of our firmware images, and because the same key ships in every device, extracting it once exposes the certificate for all of them. With that key, combined with DNS poisoning or another man-in-the-middle position, our domain mybox.management could be abused; a publicly trusted CA that learns of such a key compromise is also obliged to revoke the certificate. However, the domain mybox.management is used nowhere else except on the devices themselves, and is irrelevant to our device-to-controller communications. From our perspective, the upside far outweighs the downside.
Posted November 12, 2015
by David Redekop
The nature of mobile devices that roam from site to site often means that private DNS records unintentionally leak to the public Internet. For example:
DNS record OK to be publicly visible
DNS record that should remain secret
As long as your devices stay on your business network, network information leakage isn’t a concern. However, let’s say a mobile device is set up at the office with an application that references YourSecretServer.YourCompany.local and is then taken home by a team member.
As soon as the app is launched at home, the home router is asked:
Hi, where is YourSecretServer.YourCompany.local?
And, of course, the home router sends that request upstream to your Internet Service Provider. Even though no public resolver can answer it, the DNS request (the question above) has been sent across the Internet in clear text and is therefore subject to surveillance of the most trivial kind.
To avoid this type of DNS leakage, DNSthingy firmware never allows DNS queries to be sent to the Internet unless the queried name falls under a suffix on the Mozilla Public Suffix List, found at:
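The forwarding decision described above, written out as an added example (this is not DNSthingy's code; it is one way to implement the rule, assuming the list published by Mozilla at publicsuffix.org as input): a query goes upstream only when a Public Suffix List rule matches the trailing labels of the name, and is refused otherwise. The example goes a step beyond the post in two ways. It implements the list's real matching syntax, including wildcard rules such as *.ck and exception rules such as !www.ck, and it refuses the IETF special-use suffixes (RFC 6761, 6762, 7686 and 8375) before consulting the list at all, since a suffix such as .local must stay inside the network whatever the list says. PSL_TEXT is a constructed excerpt of the list, the query names in the main block are constructed, and parse_rules, public_suffix and forward_decision are this example's own names.

```python
"""Outbound DNS leak guard: forward a query upstream only if the queried name
falls under a Public Suffix List rule, and refuse everything else, including
IETF special-use names.  Added example, not DNSthingy code; PSL_TEXT is a
constructed subset of the real list, written in the list's own syntax."""
from typing import List, Optional, Tuple

# Constructed PSL excerpt: '*' is a wildcard label, '!' marks an exception to a
# wildcard rule, '//' starts a comment.  (*.ck and !www.ck are real PSL rules.)
PSL_TEXT = """
// ICANN section (constructed subset for this example)
com
net
org
ca
uk
co.uk
*.ck
!www.ck
"""

# Special-use suffixes (RFC 6761, 6762, 7686, 8375) that must never leave the
# local network regardless of what the Public Suffix List says.
SPECIAL_USE = ("local", "localhost", "invalid", "test", "home.arpa", "onion")

Rule = Tuple[bool, List[str]]  # (is_exception, labels)


def parse_rules(text: str) -> List[Rule]:
    """Parse PSL syntax into (is_exception, labels) tuples."""
    rules: List[Rule] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("//"):
            continue
        rules.append((line.startswith("!"), line.lstrip("!").lower().split(".")))
    return rules


def _rule_matches(rule_labels: List[str], name_labels: List[str]) -> bool:
    """A rule matches when its labels equal the name's trailing labels,
    with '*' matching exactly one label."""
    if len(rule_labels) > len(name_labels):
        return False
    return all(r == "*" or r == n
               for r, n in zip(reversed(rule_labels), reversed(name_labels)))


def public_suffix(name: str, rules: List[Rule]) -> Optional[str]:
    """PSL algorithm: an exception rule wins, otherwise the longest match.
    Returns None (instead of the spec's implicit '*' fallback) when no rule
    matches, because an unknown suffix is exactly what must not be forwarded."""
    labels = name.rstrip(".").lower().split(".")
    matches = [(exc, rl) for exc, rl in rules if _rule_matches(rl, labels)]
    if not matches:
        return None
    exceptions = [m for m in matches if m[0]]
    if exceptions:
        n = len(exceptions[0][1]) - 1       # exception: drop its leftmost label
        suffix = labels[-n:] if n else []
    else:
        longest = max(matches, key=lambda m: len(m[1]))
        suffix = labels[-len(longest[1]):]
    return ".".join(suffix)


def forward_decision(qname: str, rules: List[Rule]) -> Tuple[str, str]:
    """Return ('forward', public_suffix) or ('refuse', reason)."""
    name = qname.rstrip(".").lower()
    for s in SPECIAL_USE:
        if name == s or name.endswith("." + s):
            return ("refuse", "special-use suffix ." + s)
    suffix = public_suffix(name, rules)
    if suffix is None:
        return ("refuse", "no Public Suffix List rule matches")
    return ("forward", suffix)


if __name__ == "__main__":
    rules = parse_rules(PSL_TEXT)
    # Constructed sample of names a roaming laptop might ask for at home.
    for q in ["YourSecretServer.YourCompany.local", "fileserver.yourcompany.corp",
              "www.example.co.uk", "www.ck", "foo.bar.ck", "updates.example.com."]:
        action, detail = forward_decision(q, rules)
        print(f"{action:8} {q:38} {detail}")
```

In a real deployment the full list is loaded from the published file and refreshed with firmware updates, since the list changes as registries add suffixes; a stale copy refuses legitimate new TLDs rather than leaking anything, which is the safe failure direction for this filter.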
We’re thrilled to announce that the DNSthingy app will be ready on the ClearOS Marketplace when version 7 reaches production status. Launch is expected in October 2015.
ClearOS is an excellent Network, Gateway, Server (NGS) platform for organizations of varying sizes. The power of ClearOS’s Linux foundation, combined with an easy-to-use click/install marketplace for a variety of apps, makes it a preferred choice for DNSthingy services deployment, for example at Canadian Tire stores.
Contact support for backward compatibility with version 6.6. DNSthingy will not install on ClearOS 6.5 and earlier.
Official support is available for both Community and Professional editions of ClearOS.
Contact firstname.lastname@example.org if you would like to try DNSthingy on ClearOS 7 beta.