    Posts

    • RE: Best DNS choice for a financial institution?

      @scottalanmiller said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      So then what good/safe/secure/reliable/free DNS servers should I be using?? All I know of right now is Google and DNSwatch..

      Google. It's what everyone uses. Unless you are going to pay for something, which is perfectly fine as things like Cisco Umbrella really do a good job, you just use Google. Google's DNS servers are screaming fast, insanely secure, and standard the world over. Google's only competition was OpenDNS' free servers and they were only competitive when they did free filtering and other tools. Without that, Google is still the best. So no reason to look around for anything else.

      rips hair out google it is then

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @scottalanmiller said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      @scottalanmiller said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      I just reverted my DNS settings to what they were before. Screw it.

      That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.

      Why is that?

      Because ISPs have these issues:

      • It is not a service that they make money or clout on. They provide it because they have to for consumers. They don't care about making it good or safe, this is not in their interest. So it makes no business sense for them to do it well, or for customers to expect it to be a good service.
      • ISP DNS is famously slow and risky, for exactly the reasons above. It is where attacks happen because ISPs aren't DNS specialists, they just throw up free DNS servers and ignore them. So DNS Injection attacks happen here. That entire, and very major, attack vector exists solely for companies that use ISP DNS. Google and Cisco have never been hacked like this, it's not a realistic attack on them.
      • Propagation is notoriously problematic and unknown. Causing delays in failover or outages as other services change and you do not.
      • You are unnecessarily tied to the ISP, even in a very trivial way.
      • You make things non-standard for no reason. Why make things extra hard for negative benefits?
      • You will have to have discussions like this every time you talk about DNS internally or externally. Making it a financial loss without benefit. Just use Google like everyone else and be done and eliminate having to explain the use of ISP DNS anytime someone looks at the system.
      • Multiple sites can share configuration.
      • Services like Google and OpenDNS take pride in their high availability, your ISP does not.
      • If you switch ISPs, have an outage, etc. you get to keep configuration instead of needing to manually change anytime anything else changes.

      So then what good/safe/secure/reliable/free DNS servers should I be using?? All I know of right now is Google and DNSwatch..

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @jaredbusch said in Best DNS choice for a financial institution?:

      @dashrender said in Best DNS choice for a financial institution?:

      @reid-cooper said in Best DNS choice for a financial institution?:

      OpenDNS is good. Or just use Google, it's not bad.

      For pure DNS probably so - but the OP is claiming (and JB is refuting) that OpenDNS provides filtering for free that no one else does.

      And from my own testing about 3 years ago, I agree with the OP, OpenDNS did provide a free level of filtering, but I don't recall what the limitations were.

      OpenDNS does provide a free service. But that is not what was stated, nor what I refuted.

      What was stated was to simply put the OpenDNS servers in as your DNS. That does nothing. It is a public DNS service. To make use of the basic filtering you have to create an account and link everything up.

      But all of that said, you are also using the service against the ToS. There is no free service available for commercial use. There is only a trial for Umbrella.

      For OpenDNS Home, it specifically states that it is for home use in the ToS.

      Still not really helping the convo..

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @scottalanmiller said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      I just reverted my DNS settings to what they were before. Screw it.

      That's the one thing I would not do. If you are concerned about speed or security, you never use ISP DNS. That's been a best practice for over a decade (since the advent of free, enterprise DNS options like Google.) The one option that should never get considered is ISP DNS.

      Why is that?

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @marcinozga said in Best DNS choice for a financial institution?:

      @dave247 Why? ISP DNS servers are the worst thing you can pick. If you don't want to mess with OpenDNS, go with Google servers.

      Got any good info to back that statement up? I'm not saying I don't believe you, but I've always just heard that via word of mouth.. not sure if it's really true or not

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      I just reverted my DNS settings to what they were before. Screw it.

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @dashrender said in Best DNS choice for a financial institution?:

      @danp said in Best DNS choice for a financial institution?:

      @jaredbusch said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      @coliver said in Best DNS choice for a financial institution?:

      I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.

      Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.

      They do no such thing.

      How would you classify this functionality then?
      [Image: screenshot of OpenDNS Dashboard, Settings, Web Content Filtering]

      is that in the free service?

      This is really all I was going for.. better than nothing

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @jaredbusch said in Best DNS choice for a financial institution?:

      @dave247 said in Best DNS choice for a financial institution?:

      @coliver said in Best DNS choice for a financial institution?:

      I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.

      Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.

      They do no such thing.

      Not really helpful.

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @travisdh1 said in Best DNS choice for a financial institution?:

      @dave247 OpenDNS is just fine to use, like the other major DNS providers they will probably be a step up from your ISP provided service.

      What they don't do is filtering of any kind unless you add a paid service on. I've started running my own DNS server now that does block known advertising IP addresses called Pi-Hole (Yes, I've seen many names that are better.)

      Ah yes, that really makes sense now that you mention it.

      posted in IT Discussion
      dave247
    • RE: Best DNS choice for a financial institution?

      @coliver said in Best DNS choice for a financial institution?:

      I don't see anything wrong with this. OpenDNS, Google DNS, Comodo DNS, are all big names that are very unlikely to fall victim to DNS poisoning attacks.

      Yeah I was just trying OpenDNS out because someone mentioned that they seem to filter out some "bad"/spam sites and things of that nature. Example: I've had some people accidentally type the wrong URL (off by a letter) and it takes them to a malicious website.

      posted in IT Discussion
      dave247
    • Best DNS choice for a financial institution?

      I work at a financial institution and am currently the only sysadmin here. I'm still green and learning as I go.
      I've been working to improve security by cleaning up firewall access rules and other things. One thing I did recently was switch our DNS from the ISP provided addresses to OpenDNS's servers. I just made the change but then I had the thought, is this ok to do? Is this secure?

      Does anyone know if it's wise for me to use OpenDNS or if I should look into any other DNS options? Any input is welcome.

      posted in IT Discussion
      dave247
    • RE: Forum Posting Etiquette

      @scottalanmiller said in Forum Posting Etiquette:

      @dave247 said in Forum Posting Etiquette:

      @scottalanmiller said in Forum Posting Etiquette:

      @dashrender said in Forum Posting Etiquette:

      I do like the idea of many smaller posts - but it also runs into the problem of many things to respond to at once. While I'm nowhere near as fast as Scott, I can typically type two to three small posts before the OP (or anyone other than Scott) replies to my first reply. So unlike your

      I like red.
      So do I, but have you considered orange,
      no but, ...

      you aren't having a real back and forth because you run into the same problem as the wall of text issue. I real time conversation where all involved parties get the information simultaneously, in a forum you have people jumping in in the middle and fleeing, or someone who just throws out 5 ideas, each in their own post before any responses are made, and eventually many people just stop reading anything but the last few posts.

      I'm not sure you can solve this problem, but it's just good to know it's there.

      But smaller posts make it easier to respond. No matter how much time you have, making it faster and easier helps you. Wall of text in the same situation would mean no ability to respond at all.

      I noticed this with how you post back in Spiceworks and I was like, what the hell is this guy doing. But having broken up posts to respond to is kind of nice. It becomes not nice when there are many of them peppered throughout the whole forum page. Then you have to scroll around like crazy to find what it is you need to respond to.

      You still have to scroll a lot with a wall of text, too. The multiple postings don't really make for much more scrolling. And it can only happen if no one is actively responding on a thread, if there was an active discussion it can't happen. The effect that you see is generally created by someone kicking it off via a wall of text to which many responses need to be generated at once. So walls of text actually are the key source of the non-wall of text system that many people dislike.

      Usually people do that thing where they break up a wall of text in one post and reply to sections. It's the best of both worlds. Example:

      Creation vs Evolution debate

      blah blah blah blahblah blah blah blahblah blah blah blah
      blah blah blah blah

      Well actually your point is invalid here because...

      blah blah blah blah blah blah blah blah blah blah blah blah

      Ah yes, you are correct here because...

      blah blah blah blahblah blah blah blah blah blah blah blah
      blah blah blah blahblah blah blah blah blah blah blah blah
      blah blah blah blahblah blah blah blah blah blah blah blah

      I can't argue with that logic

      posted in IT Discussion
      dave247
    • RE: Forum Posting Etiquette

      @scottalanmiller said in Forum Posting Etiquette:

      @dashrender said in Forum Posting Etiquette:

      I do like the idea of many smaller posts - but it also runs into the problem of many things to respond to at once. While I'm nowhere near as fast as Scott, I can typically type two to three small posts before the OP (or anyone other than Scott) replies to my first reply. So unlike your

      I like red.
      So do I, but have you considered orange,
      no but, ...

      you aren't having a real back and forth because you run into the same problem as the wall of text issue. I real time conversation where all involved parties get the information simultaneously, in a forum you have people jumping in in the middle and fleeing, or someone who just throws out 5 ideas, each in their own post before any responses are made, and eventually many people just stop reading anything but the last few posts.

      I'm not sure you can solve this problem, but it's just good to know it's there.

      But smaller posts make it easier to respond. No matter how much time you have, making it faster and easier helps you. Wall of text in the same situation would mean no ability to respond at all.

      I noticed this with how you post back in Spiceworks and I was like, what the hell is this guy doing. But having broken up posts to respond to is kind of nice. It becomes not nice when there are many of them peppered throughout the whole forum page. Then you have to scroll around like crazy to find what it is you need to respond to.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @scottalanmiller said in VLAN confusion:

      @dave247 said in VLAN confusion:

      Well, thanks everyone for all your input. I'm still not sure what I'm going to do regarding the VoIP situation, but I suppose I should read up about FreePBX or NTG or something...

      Not a bad idea 😉 But to be clear, no one has specifically recommended any specific product or approach, just offered that Cisco is a terrible one, and getting a reseller instead of a consultant guarantees a bad result and it is clear that the reseller is trying to take advantage of the situation.

      It's not that FreePBX or even NTG is the "right" answer. It's that you have a clearly bad answer arrived at through a clearly inappropriate business decision making process that lacks both business and IT oversights. So all of the checks and balances that should exist in a healthy business are being skipped.

      Well I asked my boss if I could check out alternative voice systems for comparison and he said it's my call... so it looks like I have the chance to do things the right way. That being said, I have no idea where to start. I looked at the NTG website and didn't find much valuable info, nor on the FreePBX site.. also, the vultr website looks like it has nothing to do with telephony and is instead a webhosting platform.. so I don't understand that...

      Maybe I could give someone a call and go over some plans or something??

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      Well, thanks everyone for all your input. I'm still not sure what I'm going to do regarding the VoIP situation, but I suppose I should read up about FreePBX or NTG or something...

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @black3dynamite said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      Then you change your few static devices (if you do not have only a few static systems, you have other issues).

      What JB means by this is - he uses static assignments in DHCP for things like printers. This allows you to reboot a printer to get the new settings when things like this change.

      Servers are about the only thing that should be set statically, the rest can rely on Static DHCP assignment.

      Domain Controller would pretty much be the only server that needs to be manually set to static.

      Yeah but if DNS and/or DHCP went down, you will probably have trouble getting to your servers. Static IPs on all system critical servers seems like a better decision since they will function in almost any environment state.

      Not unless you have a stupidly short lease time. I use 8 hour leases on most LAN stuff. Yeah it tries to renew every 4, but it will not require a DHCP server until 8 hours.

      I set mine to three days.

      Then you won't have a problem if the DHCP server is missing.

      Are all the address leases synchronized to the same time or do leases expire x amount of days after each individual host received its address? If that's the case, there may be staggered renewals and I wouldn't know what system is going to expire when.. (I just realized I didn't know this)

      You are correct that they happen randomly based on the machine that requested, but with a 3 day lease, the odds are low to be greatly impacted for any minor outage.

      So if a couple of servers have leases that expire 10 minutes after my DHCP server goes down (DC dies or something) then that's going to be more systems down. I wouldn't want to risk it..

      A bit of perspective here...

      First of all, why would your DHCP server be down and not get failed over or restored quickly?

      Next, all of your systems should be rebooted on a regular basis, so you will know quite firmly the status of your DHCP leases on the servers without even needing to check.

      Finally, with a 3 day (72 hours) lease it is impossible for you to lose a DHCP address in less than 36 hours because all DHCP clients ask for a renew at 50% of lease time (or should). So your little doomsday scenario simply cannot happen.

      I don't know, I was just saying like worst-case scenario, like if I was out of town on vacation and couldn't remote in or something. I do have two domain controllers but my second DHCP range is not active yet since I don't have enough free IP addresses. I was expecting to have our new phone system on a separate network and VLAN, which would free up addresses on the current config. I guess the alternative is to increase the size of my subnet, like we talked about earlier.

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @black3dynamite said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      Then you change your few static devices (if you do not have only a few static systems, you have other issues).

      What JB means by this is - he uses static assignments in DHCP for things like printers. This allows you to reboot a printer to get the new settings when things like this change.

      Servers are about the only thing that should be set statically, the rest can rely on Static DHCP assignment.

      Domain Controller would pretty much be the only server that needs to be manually set to static.

      Yeah but if DNS and/or DHCP went down, you will probably have trouble getting to your servers. Static IPs on all system critical servers seems like a better decision since they will function in almost any environment state.

      Not unless you have a stupidly short lease time. I use 8 hour leases on most LAN stuff. Yeah it tries to renew every 4, but it will not require a DHCP server until 8 hours.

      I set mine to three days.

      Then you won't have a problem if the DHCP server is missing.

      Are all the address leases synchronized to the same time or do leases expire x amount of days after each individual host received its address? If that's the case, there may be staggered renewals and I wouldn't know what system is going to expire when.. (I just realized I didn't know this)

      You are correct that they happen randomly based on the machine that requested, but with a 3 day lease, the odds are low to be greatly impacted for any minor outage.

      So if a couple of servers have leases that expire 10 minutes after my DHCP server goes down (DC dies or something) then that's going to be more systems down. I wouldn't want to risk it..

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @dave247 said in VLAN confusion:

      @black3dynamite said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      Then you change your few static devices (if you do not have only a few static systems, you have other issues).

      What JB means by this is - he uses static assignments in DHCP for things like printers. This allows you to reboot a printer to get the new settings when things like this change.

      Servers are about the only thing that should be set statically, the rest can rely on Static DHCP assignment.

      Domain Controller would pretty much be the only server that needs to be manually set to static.

      Yeah but if DNS and/or DHCP went down, you will probably have trouble getting to your servers. Static IPs on all system critical servers seems like a better decision since they will function in almost any environment state.

      Not unless you have a stupidly short lease time. I use 8 hour leases on most LAN stuff. Yeah it tries to renew every 4, but it will not require a DHCP server until 8 hours.

      I set mine to three days.

      Then you won't have a problem if the DHCP server is missing.

      Are all the address leases synchronized to the same time or do leases expire x amount of days after each individual host received its address? If that's the case, there may be staggered renewal times and I wouldn't know what system is going to expire when.. (I just realized I didn't know this)

      posted in IT Discussion
      dave247
    • RE: VLAN confusion

      @black3dynamite said in VLAN confusion:

      @coliver said in VLAN confusion:

      @jaredbusch said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dashrender said in VLAN confusion:

      @coliver said in VLAN confusion:

      @dave247 said in VLAN confusion:

      in the meantime, are there any good voice solution alternatives that you guys could provide? Part of our requirement for our phones is that we may not want to have it cloud-hosted due to the fact that our internet connection goes down every so often during business hours. YES I get that this is another problem that should be resolved vs applying a bandaid, but we live out in the country and have limited ISP options (Spec---m and Centu---ink).

      FreePBX will probably meet your needs as it generally meets the needs of most people. It's open source and free, can be hosted in house, and integrates with any SIP based IP Phone. There are people here in the community that support it.

      And will likely cost 1/10 what Cisco will cost. Seriously, you should give @JaredBusch a call and ask him to quote you a full on replacement and compare its cost to Cisco.

      1/10? I'd be surprised if it cost 1/100th.

      Well, I'm not that cheap of a date.

      Haven't seen Cisco pricing lately?

      Ever heard of a Cisco voice router costing $250,000?

      Is that a real price for a router??!

      posted in IT Discussion
      dave247