Showing posts with label DNS. Show all posts

Saturday, June 9, 2012

Manually Configure Your DNS Settings in Linux

Using your ISP's or employer's DNS servers may or may not be a good idea. Are they configured properly? Are they monitoring your lookups? Note that some employers may have policies regarding what DNS servers clients use, so you may want to look into those policies.

When visiting a Wi-Fi hotspot, do you really trust their DNS settings? By default client machines using DHCP will get their DNS settings as well as other addressing information from the DHCP server, which would be the router at a wireless hotspot. Trustworthy? Why would anyone think so?

First, don't bother with the Gnome/Mate/Cinnamon networking applet. It will let you make the change, but doesn't successfully change the system configuration. Instead, find the Network Settings. In the Mate menu it's at System|Administration|Network. It should look something like this:


Click on the padlock where it says "Click to make changes" and enter your root password. Click on the connection you want to configure. For this example I'm using a desktop on a home network using Verizon FiOS. Feeling neither trust nor love for Verizon, I'd rather not trust their DNS servers. Instead, I'll use OpenDNS. Here's a little piece at the bottom of their home page:

Note the two IPv4 addresses, 208.67.222.222 and 208.67.220.220. Enter these addresses in the DNS Servers box under the DNS tab. There are other choices for a public DNS, e.g., Google.










One unfortunate aspect of the GUI management of DNS settings is that with wireless connections, the settings must be made for each access point, which means that the first time you connect to a new access point, the DNS server address will default to the access point or its DNS server. Fix it as above and then restart networking.
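
A quick way to check whether a new access point has put its own resolver back in place is to audit /etc/resolv.conf against the addresses you chose. This is an added example, not part of the original post; the sample file contents, the category names and the function names are assumptions made for illustration.

```python
import ipaddress

# The two OpenDNS addresses quoted in the post.
TRUSTED = {"208.67.222.222", "208.67.220.220"}

# Constructed sample: what DHCP at a hotspot might leave in resolv.conf.
SAMPLE_HOTSPOT = """\
# constructed example, not captured from a real system
search lan
nameserver 192.168.1.1
nameserver 208.67.222.222
"""

def nameservers(resolv_text):
    """Return the addresses on 'nameserver' lines, in file order."""
    servers = []
    for line in resolv_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and fields[0] == "nameserver":
            servers.append(fields[1])
    return servers

def classify(server, trusted=TRUSTED):
    """Label one resolver address."""
    if server in trusted:
        return "trusted"
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "invalid"
    if addr.is_loopback:
        return "local-stub"   # a local forwarder; its upstream is not visible here
    if addr.is_private:
        return "private-lan"  # typically the router or access point itself
    return "other"

def audit(resolv_text, trusted=TRUSTED):
    """Return (ok, report); ok only if every listed resolver is trusted."""
    report = {s: classify(s, trusted) for s in nameservers(resolv_text)}
    ok = bool(report) and all(v == "trusted" for v in report.values())
    return ok, report

if __name__ == "__main__":
    with open("/etc/resolv.conf") as fh:
        print(audit(fh.read()))
```

A "local-stub" result means a forwarder on the machine is answering, so the upstream servers have to be checked in that forwarder's own configuration.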

At the Google page there is a link to a nice little introduction to DNS security.

Saturday, February 11, 2012

Ad Attitude

If it moves or makes noise, kill it.

Saturday, February 26, 2011

Using the Hosts File to Block Advertising



A small chunk of my linkedin page is to the right. My machine doesn't look up the IP address for doubleclick, and so I never see their content. A drawback is that it also thwarts any attempt I make to click on a targeted advertising link from Google within Gmail. That's okay.

Here's my /etc/hosts file:

127.0.0.1       localhost
127.0.1.1       asusCG

127.0.0.1       ad.doubleclick.com
127.0.0.1       ad.doubleclick.net
127.0.0.1       ad2.netshelter.net
127.0.0.1       adbrite.com
127.0.0.1       ads.adsonar.com
127.0.0.1       ads.vrx.adbrite.com
127.0.0.1       an.tacoda.net
127.0.0.1       assets.bizjournals.com
127.0.0.1       b.scorecardresearch.com
127.0.0.1       itemnotfound.com
127.0.0.1       netshelter.net
127.0.0.1       pagead2.googlesyndication.com
127.0.0.1       s24.sitemeter.com
127.0.0.1       scorecardresearch.com
127.0.0.1       sitemeter.com
127.0.0.1       sitemeter.com
127.0.0.1       static.2mdn.net
127.0.0.1       stimpy.musicbrainz.com
127.0.0.1       stimpy.musicbrainz.org
127.0.0.1       tacoda.net
127.0.0.1       vrx.adbrite.com
127.0.0.1       www.itemnotfound.com
127.0.0.1       www.sitemeter.com
127.0.0.1       www.spoke.com
127.0.0.1       www.tacoda.net
127.0.0.1       wwwv.itemnotfound.com
127.0.0.1       wwwwv.itemnotfound.com


# The following lines are desirable for IPv6 capable hosts
::1     localhost ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
ff02::3 ip6-allhosts

You can edit your /etc/hosts, but I'd suggest leaving the stuff at the top of the file (above the doubleclick entries) and the bottom (below wwwwv.itemnotfound.com) alone.

The hosts file works as a shortcut to name resolution: I can place an IP address and a domain name on a line in this file, and rather than going out to the DNS to look up the name, the system uses the IP address in the first column of that line. So any lookup of tacoda.net resolves to the IP loopback address, which is my machine. I don't have a web server at that port, so the connection attempt fails.
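
Because the lookup is an exact match on the name, each host has to be listed individually, which is why the file above carries both sitemeter.com and s24.sitemeter.com. The following is an added example, not the author's code: a small auditor that lists the sinkholed names, finds repeated entries and shows which candidate names a file does not cover. The sample lines are constructed in the style of the file above, and s25.sitemeter.com is a made-up name.

```python
import ipaddress

# Constructed sample in the style of the hosts file above; s25.sitemeter.com
# (used below) is a made-up name for illustration.
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1       adbrite.com
127.0.0.1       ads.vrx.adbrite.com   # trailing comments are allowed
127.0.0.1       sitemeter.com
127.0.0.1       sitemeter.com
127.0.0.1       s24.sitemeter.com
::1     localhost ip6-localhost ip6-loopback
"""
OWN_NAMES = {"localhost", "ip6-localhost", "ip6-loopback"}

def parse_hosts(text):
    """Return (address, name) pairs, one per name on each usable line."""
    pairs = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) < 2:
            continue  # blank line, comment, or address with no name
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # first column is not an IP address
        pairs.extend((addr, name.lower()) for name in fields[1:])
    return pairs

def sinkholed(pairs, own_names=OWN_NAMES):
    """Names pointed at loopback, minus the machine's own aliases."""
    return {n for a, n in pairs if a.is_loopback and n not in own_names}

def duplicates(pairs):
    """Names whose exact (address, name) entry appears more than once."""
    seen, dups = set(), set()
    for pair in pairs:
        if pair in seen:
            dups.add(pair[1])
        seen.add(pair)
    return dups

def uncovered(candidates, pairs):
    """Matching is exact, so a blocked parent does not cover its subdomains."""
    blocked = sinkholed(pairs)
    return [c for c in candidates if c.lower() not in blocked]

if __name__ == "__main__":
    entries = parse_hosts(SAMPLE_HOSTS)
    print(sorted(sinkholed(entries)), duplicates(entries))
    print(uncovered(["s24.sitemeter.com", "s25.sitemeter.com"], entries))
```

On a real machine, add the local hostname (the 127.0.1.1 entry) to `own_names` so it is not reported as a blocked site.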

This is a very common technique, and one can google to find other people's hosts files with lists of sites they block.

For simplicity of adding entries, I place my hosts file in a subdirectory writable by my account, and then place a soft link from /etc/hosts there.

For Windows people, the file is (as of a few years ago) hosts.txt, and I think it was buried somewhere in the system32 subdirectory. Of course, Windows doesn't support links, soft links, or anything like that. Windows does support shortcuts, but these aren't within the file system, and so are much less generally useful.

Some question the ethics of freeloading on advertiser-supplied content by blocking the ads. I have three responses:
(1) Advertising often contains scripting which threatens the safety and stability of my system. If they stop using insecure scripting languages, I might revisit this issue.
(2) Advertising sometimes starts unwelcome sound or video content, including animated gifs. This is intrusive and disruptive. Advertising scripts also often eat up many CPU cycles. If advertisers start treating users with more respect, I might revisit this issue.
(3) The above two points greatly reduce the value of the content presented along with the advertising, to the point that I would be less likely to visit any particular page. They cannot argue in the general case that they are losing revenue due to my blocking advertisements, because in many cases I simply would not visit the page.

I endorse a multilayered approach against intrusive advertisement: Adblock Plus, NoScript, and the hosts file. IMHO if a machine has private data on it, e.g., student grades, then the owner has a responsibility to block scripts from questionable sources, e.g., advertisers. With personal information, e.g., financial information, it is foolish to not block these things.

Friday, December 17, 2010

The WikiLeaks Furor

There has been an uproar about WikiLeaks in the press lately, and until recently I've felt that Wikileaks has done more good than bad, pointing out cases where the US (and other) governments have lied to their populaces, condoned torture, etc. I won't go into the ethics of the current batch of releases because there is simply too much to review, but I would like to make a few comments.

1) http://news.netcraft.com/ has been doing a great job of covering the back-and-forth of WikiLeaks availability, changes in their hosting and DNS services, etc.

2) Tonight I decided to spend a few minutes looking at the site. Among other things, I was interested in whether it would be difficult to get to. Two things worked right away. (a) Googling WikiLeaks led directly to 213.251.145.96 (registered to wikileaks.org in a block owned by OVH ISP in Paris), so the DNS is not necessarily needed. (b) Verizon's DNS service redirected me to http://mirror.wikileaks.info/, but some of the links at that site, e.g., the one to obtain a secure connection, did not work.

3) Some of the calls for the US government to launch web attacks against WikiLeaks are largely over the top and naively stupid. I wouldn't be surprised to discover attempts to hack into their database or their servers, but the idea of launching DDoS attacks against ISPs and hosting services in the US, Europe, and elsewhere is just silly. The US launching cyber attacks against France and Russia? Not a good idea.

4) I read one leaked dispatch, http://213.251.145.96/cable/2009/08/09BRASILIA1017.html. This is tagged "UNCLASSIFIED//FOR OFFICIAL USE ONLY." One phrase I really like is advice to the USG (US Government, I suspect), "speak softly and carry no stick." The article talks about attempts to keep the Brazilian government from authorizing pharmaceuticals in Brazil to produce generic versions of AIDS drugs, in other words the bureaucratese seems to suggest that the US government is more interested in corporate profits than in dying Brazilians. Not a big surprise.

This is exactly the sort of thing US (and Brazilian) voters should be aware of, and also not the type of leak causing much of the uproar.

Sunday, October 24, 2010

Verizon Violates DNS Standards

Verizon is in violation of DNS standards. When I type the address www.foo.bar.baz.no, assuming there is no such server in Norway, I am redirected to http://searchassist.teoma.com/. Interestingly, I see correct behavior if I leave out the www, "Server not found".

Sunday, November 16, 2008

Kudos to XOHM's Treatment of the DNS

I'm not sure how long this will last with every corporation throwing ethics to the wind in order to wring every penny out of every customer, but XOHM isn't messing with the DNS. I previously mentioned my displeasure with CavTel's redirecting DNS lookup failures from the web browser to itemnotfound.com. XOHM's allowing the DNS to work as designed.

Wednesday, July 9, 2008

Charter Communications' Unethical Browser Hijacking

Tony Bradley at about.com has a very interesting article on how his ISP is hijacking Microsoft's Windows Live Search. This is a very good example of why we need strong net neutrality laws.

Friday, June 6, 2008

itemnotfound.com

One annoying thing that's become a common source of extra revenue for ISPs is to damage the DNS. If a web page isn't found, rather than reporting it, the browser is redirected to itemnotfound.com or some such. Why does this matter? (1) The mis-typed URL is gone, so the user can't immediately see what the typo was. (2) It's a page of ads. Aren't we subjected to enough ads on a day-to-day, or minute-to-minute basis? Anyhow, in an effort to assert ownership of my computer and browser, I've added these lines to /etc/hosts:

127.0.0.1 wwwv.itemnotfound.com
127.0.0.1 www.itemnotfound.com
127.0.0.1 itemnotfound.com
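
The redirect described here, and the www-only variant in the Verizon post above, can be checked for directly: look up random names that should not exist and see whether the resolver answers anyway. This is an added example, not code from the original posts; the function names, the default suffix (taken from the www.foo.bar.baz.no example) and the simulated resolver with its 192.0.2.10 address are assumptions made for illustration.

```python
import secrets
import socket

def system_resolve(name):
    """Look a name up with the system resolver; return its addresses."""
    return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})

def probe_names(suffix="no", count=3):
    """Random names that should not exist, each bare and with a www prefix."""
    names = []
    for _ in range(count):
        base = f"{secrets.token_hex(8)}.{secrets.token_hex(8)}.{suffix}"
        names += [base, "www." + base]
    return names

def detect_rewrites(names, resolve=system_resolve):
    """Map every probe name that resolved anyway to the addresses returned."""
    hits = {}
    for name in names:
        try:
            addrs = resolve(name)
        except socket.gaierror:
            continue  # expected: the lookup fails
        if addrs:
            hits[name] = addrs
    return hits

def summarize(hits):
    """Reduce the hits to one verdict."""
    if not hits:
        return "clean"
    if all(name.startswith("www.") for name in hits):
        return "www-only"  # the pattern the Verizon post describes
    return "all-names"

def simulated_www_rewriter(name):
    """Constructed stand-in for a resolver that answers only www. names."""
    if name.startswith("www."):
        return ["192.0.2.10"]  # documentation address (RFC 5737), made up
    raise socket.gaierror(socket.EAI_NONAME, "Name or service not known")

if __name__ == "__main__":
    probes = probe_names()
    print("simulated:", summarize(detect_rewrites(probes, simulated_www_rewriter)))
    print("this network:", summarize(detect_rewrites(probes)))
```

The addresses collected in the hits are the ones worth noting down, since they identify the server the failed lookups are being sent to.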