IP addresses - bypassing DNS

For discussions about security.
greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

IP addresses - bypassing DNS

#1 Post by greengeek »

Sorry for putting this in "Security" - I couldn't think where else to put it (and in any case DNS issues are sometimes related to security settings etc...)

From time to time I have problems accessing websites and it appears that my DNS server must have gone offline.
(could be an ISP issue, or router buffer fault etc etc...)

As an alternative to relying on the browser connecting via DNS I sometimes insert the IP address of the target host into my browser address bar. (This can also be a suitable method to see if it is just your DNS server that is faulty, or if the whole internet connection is down.)

You can also use a terminal/console to ping an IP address - which if successful will tell you that you are actually connected to the internet, even if you can't resolve domain names.

For example, the IP address of the Murga website is:
45.33.15.200

and the address of this forum is:
http://45.33.15.200/puppy/

When I think the internet is down I sometimes ping Google DNS server:
8.8.8.8

# ping 8.8.8.8
PING 8.8.8.8 (8.8.8.8): 56 data bytes
64 bytes from 8.8.8.8: seq=0 ttl=57 time=28.513 ms
64 bytes from 8.8.8.8: seq=1 ttl=57 time=28.345 ms
64 bytes from 8.8.8.8: seq=2 ttl=57 time=28.365 ms
64 bytes from 8.8.8.8: seq=3 ttl=57 time=28.483 ms
64 bytes from 8.8.8.8: seq=4 ttl=57 time=28.509 ms
^C
--- 8.8.8.8 ping statistics ---
5 packets transmitted, 5 packets received, 0% packet loss
round-trip min/avg/max = 28.345/28.443/28.513 ms
#

Here is a web page that lists IP addresses of some other common places you might visit:

http://www.danielyerelian.com/blog/2012 ... -websites/

Does anyone have any other IP addresses they find useful?

ps: I found this story funny. Not because I understand IP (I barely do...) but because the frustration of the IP tech reminds me of so many customer interactions...

williams2
Posts: 337
Joined: Fri 14 Dec 2018, 22:18

#2 Post by williams2 »

You can put ip addresses in the file /etc/hosts

For example:
45.33.15.200 murga-linux.com
93.158.201.21 search.disroot.org

These ip addresses will be used instead of looking them up using a dns server.

You can block addresses like this:
0.0.0.0 005.free-counter.co.uk
0.0.0.0 005.free-counters.co.uk

There are block lists you can put in the hosts file.
For example:
https://raw.githubusercontent.com/Energ ... mats/hosts

You can put the addresses of alternate dns servers in /etc/resolv.conf.head or /etc/resolv.conf.tail

For example:
#CloudFlare
nameserver 1.1.1.1
nameserver 1.0.0.1

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#3 Post by greengeek »

williams2 wrote:
You can block addresses like this:
0.0.0.0 005.free-counter.co.uk
0.0.0.0 005.free-counters.co.uk

So in this case does using 0.0.0.0 "black out" the domain name listed? (like sending something to dev>null ?)

williams2
Posts: 337
Joined: Fri 14 Dec 2018, 22:18

#4 Post by williams2 »

0.0.0.0 is the address of your own computer
127.0.0.1 is also the address of your own computer.
Either address will work.

So it asks your computer for the data, it isn't found, so it gives up. This is fast because it doesn't need to use the internet, it uses your own local network.

https://en.wikipedia.org/wiki/0.0.0.0
Last edited by williams2 on Sat 11 May 2019, 21:32, edited 1 time in total.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#5 Post by greengeek »

Ok, thanks. So it's a bit like a local DNS list - you can either direct a domain name to the correct IP, or to the wrong one. Good to know. Thanks!
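
Added example (not part of any post in this thread, and not Puppy's own code): a small Python audit of a hosts file that separates block entries, addresses you pinned on purpose, and names redirected somewhere you did not choose. The sample file and the bank.example entry are constructed, and the rule that the first matching line wins is an assumption about the resolver.

```python
import ipaddress

# Constructed sample in /etc/hosts format; the bank.example line is invented.
SAMPLE_HOSTS = """\
127.0.0.1    localhost
45.33.15.200 murga-linux.com          # pin a name to a fixed address
0.0.0.0      005.free-counter.co.uk
0.0.0.0      005.free-counters.co.uk
203.0.113.7  Bank.example www.bank.example
not-an-ip    broken.example
"""

def parse_hosts(text):
    """Yield (lineno, ip, names) for every well-formed entry."""
    for lineno, line in enumerate(text.splitlines(), 1):
        fields = line.split("#", 1)[0].split()      # drop comments
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                                 # malformed line: ignored
        yield lineno, ip, [n.lower().rstrip(".") for n in fields[1:]]

def lookup(text, name):
    """Address the hosts file gives for name, or None (DNS would be asked).
    Assumption: the first matching line wins."""
    name = name.lower().rstrip(".")
    for _, ip, names in parse_hosts(text):
        if name in names:
            return str(ip)
    return None

def audit(text, expected):
    """Sort names into 'local' (0.0.0.0 or loopback: block entries and
    localhost), 'pinned' (matches the address in `expected`) and
    'unexpected' (sent to an address you did not choose)."""
    report = {"local": [], "pinned": [], "unexpected": []}
    for lineno, ip, names in parse_hosts(text):
        for name in names:
            if ip.is_unspecified or ip.is_loopback:
                report["local"].append(name)
            elif expected.get(name) == str(ip):
                report["pinned"].append(name)
            else:
                report["unexpected"].append((lineno, name, str(ip)))
    return report

if __name__ == "__main__":
    wanted = {"murga-linux.com": "45.33.15.200"}
    for lineno, name, ip in audit(SAMPLE_HOSTS, wanted)["unexpected"]:
        print("line %d: %s -> %s is not an address you pinned" % (lineno, name, ip))
```

Reading the real file with `open("/etc/hosts").read()` in place of the sample makes this a quick check after installing a downloaded block list.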

williams2
Posts: 337
Joined: Fri 14 Dec 2018, 22:18

#6 Post by williams2 »

Your Puppy probably has the program pup-advert-blocker
It should be in the menu somewhere.
# advert blocker
# downloads a list of known advert servers
# then appends them to /etc/hosts so that
# many online adverts are blocked from sight

belham2
Posts: 1715
Joined: Mon 15 Aug 2016, 22:47

#7 Post by belham2 »

Hi Greengeek & Williams,

I've a question that's bugged me for awhile now:

To counteract against the pervasive (and quite destructive) DNS redirects and spoofing that is going on across the world, I've always made it a habit to enter the actual IP address of the sensitive places (when booting the frugal, pristine OS designed for use only when accessing these sites) in a pristine, update no-add-ons whatsoever browser url bar.

I always told myself that by doing this, the connection was going straight from my browser to the site (i.e. bank, insurance, etc) that I wanted to go to. Hence, no worry about DNS and all the worry/headaches that brings.

But, then, last week, I was talking to backbone-network consultant gurus, and told them this, and they both cracked a smile at me, like I was an idiot. When I asked, they simply said (which sort of shattered my illusions) this: you do realize, Belham, that no matter what you enter into your browser's urlbar, whether it be a worded address that needs domain translation and/or an actual IP number address, both entries are still going to hit some DNS server (either the DNS Server you've set up at home, or somewhere) along its route outbound across the worldwide Web. That Browsers cannot just pass by DNS Servers even with IP number entries.

Is this true? Did I understand them correctly?? For example, like you wrote, Greengeek, running "ping" means there is no "DNS Server/Translator/Router" anywhere along that "ping" route, correct? Why would an IP address in a browser be any different than running 'ping'? Or have I been totally misunderstanding this too??

All these years, in my sometimes confused grasp of the Net's structure & operation, I had always relied on the thought that if we entered actual IP number in a browser, then doggone it, that darn browser didn't need to talk to any DNS Server or anything (other than huge backbone routers) for ANY reason and thus would just head across the Net until it hit the IP number destination we entered. But these two guys said I am misunderstanding DNS and domain attacks, and that is just not translation attacks. The attacks are happening at the IP number level on those backbone routers/servers around the world.

Would appreciate your guys' take on this, as I am feeling really foolish :oops: if I have been misunderstanding this all along & doing this (for no good reason) extra-security precaution when being online.

tallboy
Posts: 1760
Joined: Tue 21 Sep 2010, 21:56
Location: Drøbak, Norway

#8 Post by tallboy »

Hmm, interesting info, thanks belham2.
True freedom is a live Puppy on a multisession CD/DVD.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#9 Post by greengeek »

belham2 wrote:
Did I understand them correctly?? ... But these two guys said I am misunderstanding DNS and domain attacks, and that is just not translation attacks. The attacks are happening at the IP number level on those backbone routers/servers around the world.

Unfortunately I am not knowledgeable enough to offer an accurate analysis about this - I can only voice an opinion.

I worked on networked equipment for a couple of decades (mainframe computers, PCs, routers, VOIP, fax, networked scanners/printers etc) and I have a number of friends involved in maintaining national and local communications (southern cross cable etc) and what I see and hear makes me believe that the backbone of the internet (and other telephone networks) is always at the disposal of the "Defence" forces (particularly US and Israeli).

In which case EVERYTHING is transparent to those agencies.

Recently in New Zealand we had a situation where our "security service" prevented our main communications provider (Spark) from using Huawei electronics gear for the rollout of the 5G national network.

The implication being that this would make our communications transparent to the Chinese. (I am sure it is not only the Chinese who have the ability to remotely utilise routers and network gear for monitoring purposes)

So overall my answer is that the end user has almost no security at all.

I believe that any IP packet (whether via browser or ping or ssh whatever) is transparent once it hits your router. It can be echoed, memory holed, redirected, spoofed, analysed, stored etc etc.

I don't pretend to have much knowledge about this - I really just wanted to express that using IP addresses can sometimes achieve things that using a url cannot - and is especially useful when troubleshooting issues where you can't connect to the internet.

I have seen utilities on this forum which allow spoofing of MAC addresses so I feel it is likely that IP spoofing in the network backbone can occur too.

And then of course - NAT routing adds another layer of addressing on top of direct IP connection. I don't pretend to understand how that works.

wiak
Posts: 2040
Joined: Tue 11 Dec 2007, 05:12
Location: not Bulgaria

#10 Post by wiak »

belham2 wrote:
I had always relied on the thought that if we entered actual IP number in a browser, then doggone it, that darn browser didn't need to talk to any DNS Server or anything (other than huge backbone routers) for ANY reason and thus would just head across the Net until it hit the IP number destination we entered.

I'm with you on this one Belham. Certainly attacks can very well be at IP layer or any other TCP/IP stack layer, but if using IP addresses then no DNS translation is involved. IP packets get routed via routers (local and international backbone), which entirely rely on IP layer routing protocol (and lower layer ARP) until they reach their destination (DNS is a separate so-called application-layer protocol that uses UDP underneath). TCP/IP layer attacks (such as to IP or UDP or TCP) could happen at these routers but that's not DNS attacks per se. Also some routers may also be set up to run DNS services and these may be being attacked and the router unable to operate correctly because its whole system is floundering from overall attack effects. Nevertheless, it remains a fact that the IP packet itself is not being directly attacked via some DNS spoof/redirect etc attack; reverse DNS lookups are not involved in IP-level routing as far as I'm aware.

wiak

purple379
Posts: 157
Joined: Sat 04 Oct 2014, 22:23

What about a multiple DNS Comparator software?

#11 Post by purple379 »

Like say simultaneously doing the DNS Query to OpenDNS, CloudFlare, Google, Personal on my computer list, and comparing all of them? Telling me of any difference? Or at least allowing me to store the IP address I wanted to use.

Slow. Opens me up to being watched. Not sure if there is not an ability in the Network where which ever number I use, that it could not be changed by the Server I am connecting to the Internet through. That is, the IP I request, is layered through a protocol where the IP I actually go to, is not the one the DNS gave me. I guess what is reported back to me as the address IP is not correct. I realize the standard code in an ISP is not supposed to allow this. Still, like my individual connection is in a box controlled by the ISP.

Wonder what the Tor folks think of all the potentials in IP's not being accurate?

And I thought IP numbers could change, which is how Denial of Service Attacks are stopped. Also someone once said something about subnets, I think he meant that a site could have some IP numbers under the main one I enter.

williams2
Posts: 337
Joined: Fri 14 Dec 2018, 22:18

#12 Post by williams2 »

belham2 said:
That Browsers cannot just pass by DNS Servers even with IP number entries.
Is this true? Did I understand them correctly??

I disabled dns by editing /etc/resolv.conf and deleting the contents of the file and then starting Firefox.

As expected, the address http://www.murga-linux.com/puppy/ does not work.
The address http://45.33.15.200/puppy/ works well. I'm posting from this address now.

That is, using a numeric ipv4 address in the browser works, and bypasses any dns server. It seems to do what you think it should do.

traceroute shows that getting a webpage or any other data typically goes through at least a few devices, any of which might be compromised ... but probably are not.

For example, 2 or 3 times I have clicked on a link to a webpage and got a webpage from my isp asking if I would fill out a questionnaire. Each time I closed the tab and clicked the link again to get the webpage that I wanted.

Your isp can spy on you, and can send you webpages that are not what you asked for.

You could search for dns hacking. For example:
https://en.wikipedia.org/wiki/DNS_hijacking

dns is a bit of a weak link. It's typically not encrypted.

I am also not a dns expert. I know that Windows has a hosts file too, that works the same way. My hosts file is /Windows/System32/Drivers/etc/hosts
http://winhelp2002.mvps.org/hosts.htm
But Windows won't block some addresses (owned by MS)

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#13 Post by s243a »

williams2 wrote:
I am also not a dns expert. I know that Windows has a hosts file too, that works the same way. My hosts file is /Windows/System32/Drivers/etc/hosts
http://winhelp2002.mvps.org/hosts.htm
But Windows won't block some addresses (owned by MS)

You can still block these addresses by using some device between your windows computer and the Internet in order to block these addresses.
Find me on minds (https://www.minds.com/ns_tidder) and on pearltrees (https://www.pearltrees.com/s243a/puppy-linux/id12399810).

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#14 Post by greengeek »

wiak wrote:
but if using IP addresses then no DNS translation is involved.

Just a question - does each PC on a home network have a unique IP address? I have been told that NAT addressing is used to identify individual PCs connected behind a router - and that the "world" sees each of those PCs as having the same external IP.

If NAT addressing is used - then can we be sure that every IP is absolutely unique? (ie: are there really enough IP addresses available to allow every device in every home to have its own unique IP?)

Or does "NAT" effectively rely on a form of DNS??

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#15 Post by s243a »

greengeek wrote:
wiak wrote: but if using IP addresses then no DNS translation is involved.
Just a question - does each PC on a home network have a unique IP address? I have been told that NAT addressing is used to identify individual PCs connected behind a router - and that the "world" sees each of those PCs as having the same external IP.

If NAT addressing is used - then can we be sure that every IP is absolutely unique? (ie: are there really enough IP addresses available to allow every device in every home to have its own unique IP?)

Or does "NAT" effectively rely on a form of DNS??

The connection will involve both an IP address and a port. This is enough information to uniquely identify each computer. For IPv4 the port is not usually assigned until the connection to the remote device is made. However, if you want your computer to be visible to the public Internet from behind a NAT you can forward a port. This could present a security issue.

In IPv6 each gateway to the internet is typically assigned a small subnet so provided you don't have too many computers then you can have a unique public IPv6 address for each computer in your home but you can presumably use your router firewall to make your computers less visible to the public Internet even in the IPv6 address space. My guess is that in this mode the router wouldn't assign a public IPv6 address for the computer until the connection is made.

disclaimer: I'm not an expert here so I may need to double check some of the above info.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#16 Post by rufwoof »

greengeek wrote:
wiak wrote: but if using IP addresses then no DNS translation is involved.
Just a question - does each PC on a home network have a unique IP address? I have been told that NAT addressing is used to identify individual PCs connected behind a router - and that the "world" sees each of those PCs as having the same external IP.

If NAT addressing is used - then can we be sure that every IP is absolutely unique? (ie: are there really enough IP addresses available to allow every device in every home to have its own unique IP?)

Or does "NAT" effectively rely on a form of DNS??

Commonly 192.168.xxx.xxx IP's are used behind your ISP's box (router). One external IP address, 77.78.79.80 for instance allocated for that router and then each box/device behind that router is allocated a 192.168.x.x IP address. If you add another router to an 'internal' IP address (such as 192.0.1.9) usually that uses/issues 10.0.x.x internal/local IP numbers.

As far as web pages are concerned traffic is received/returned to that external 77.78.79.80 IP, your local router/network handles the internal direction to the relevant local 192.168.x.x IP.

So you could have thousands of devices in your home, each with their own 192.168.x.x IP, and so could your neighbour, who also has 192.168.x.x IP's, local/internal IP's, but you both had a single distinct/separate external IP.
( ͡° ͜ʖ ͡°) :wq
Fatdog multi-session usb: http://murga-linux.com/puppy/viewtopic.php?p=1028256#1028256
echo url|sed -e 's/^/(c/' -e 's/$/ hashbang.sh)/'|sh (https://hashbang.sh)

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#17 Post by greengeek »

Interesting article about IP theft (addresses not data) here

I had not realised that IPv4 addresses can run out "locally" before they run out "globally". I thought it was one big pool.

greengeek
Posts: 5789
Joined: Tue 20 Jul 2010, 09:34
Location: Republic of Novo Zelande

#18 Post by greengeek »

With regard to the idea that using an IP address rather than a url will get you straight to the target host - I am not sure this is guaranteed.

Here is an article which talks about Deep Packet Inspection - and I wonder if this means that even packets addressed direct to an IP address can be relayed/delayed/re-routed?

https://nakedsecurity.sophos.com/2019/0 ... ampaigners

s243a
Posts: 2580
Joined: Tue 02 Sep 2014, 04:48

#19 Post by s243a »

greengeek wrote:
With regard to the idea that using an IP address rather than a url will get you straight to the target host - I am not sure this is guaranteed.

Here is an article which talks about Deep Packet Inspection - and I wonder if this means that even packets addressed direct to an IP address can be relayed/delayed/re-routed?

https://nakedsecurity.sophos.com/2019/0 ... ampaigners

For the best security one should use some method to verify the server is who the server claims to be. Usually this is done via ssl, which would typically require a rogue certificate authority to spoof, but if someone has hacked your system then they could install a rogue certificate authority.

Personally, I'd rather some kind of decentralized verification like pgp, or a darknet based web of trust like exists on freenet.

rufwoof
Posts: 3690
Joined: Mon 24 Feb 2014, 17:47

#20 Post by rufwoof »

Worth reading : https://news.netcraft.com/archives/2016 ... tacks.html

If you have access to a remote ssh server (I'm in London/UK and use a New York/USA ssh server for instance) and are using keys (rather than password), then a man in middle attack will result in a warning (i.e. is pre-validated). You can then either route via that ssh server (socks proxy), or use it and its dns server to confirm a reported http site's IP matches what your local dns servers report. In some cases however they will differ (not necessarily an attack) as some sites use such IP switching as a means to mitigate DOS attacks.
