March 17, 2019

Fios Issue #2: tracert on Windows

Odd behavior was observed on Windows using Fios.  When I ran 'tracert' in cmd on Windows 10, it showed only two hops.  But on Linux it showed all the hops.

See this on Windows:


On Linux:


In short, Verizon Fios is interfering with ICMP: Windows tracert uses ICMP, but Linux traceroute uses UDP.  I also tried Ubuntu on Windows, but got the same result of two hops.  It seems only true Linux traceroute works properly with Fios.

Solutions


1. CountryTraceRoute -
http://www.snapfiles.com/get/ctraceroute.html
Simple application, not perfect, but seems to be OK.  The screenshot below is from the download site; when it's run, it shows the same information as tracert for hops #1 and #2, but shows more hops afterward.



2. NMAP - https://nmap.org
This is the real replacement for tracert; it requires installing Npcap.  (WinPcap is no longer developed.)


Use:
nmap -sU --traceroute www.google.com

References

Discussion

Windows MTR

Note that this is here for reference.  Using 'mtr' neither fixed nor worked around the Fios issue.



March 13, 2019

Fios Issue #1: DNS

Open cmd and run nslookup.  Look up any word, like "badfios".  If it resolves to 92.242.140.21, then Verizon is doing this.

A reverse lookup of that IP (search for "reverse IP lookup") returns "unallocated.barefruit.co.uk".  Verizon has some kind of agreement with that company to redirect to sponsored sites instead.

Change FiOS router DNS to:

71.250.0.14
71.242.0.14


If the entry is set to "automatic", then before you enter edit mode it should show:

71.250.0.12
71.242.0.12


See here for more info:
https://forums.verizon.com/t5/Fios-Internet/FIOS-DNS-Hack-Directed-to-unallocated-barefruit-co-uk92-242-140/m-p/726545#M49607
    djjsin Contributor
    Re: FIOS DNS Hack Directed to unallocated.barefruit.co.uk92.242.140.21

    ‎08-08-2014 10:00 AM Message 10 of 18

    I got a response from Verizon today about this.

    "This is expected behavior.  The Verizon Online DNS resolvers have NXDOMAIN redirection services that redirect any unknown host to a sponsored search page.  You can opt out of this by changing your resolver from .12 to .14."


How to change the DNS in the FiOS router: follow this page.  The images may look a little different, but the steps are correct.
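To compare the two resolvers directly instead of relying on whatever DNS the PC is currently using, the check can be scripted. This is an added example, not part of the original post: it sends a hand-built DNS query for a random name to each resolver and reports whether the reply is NXDOMAIN or an address. It assumes the random .com name is unregistered and that both resolvers are reachable from your network.

```python
import secrets
import socket
import struct

def build_query(name, txid):
    """Encode a recursive A/IN query for `name`."""
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.split("."))
    return (struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, 1 question
            + labels + b"\x00" + struct.pack(">HH", 1, 1))    # QTYPE=A, QCLASS=IN

def skip_name(msg, pos):
    """Return the offset just past a (possibly compressed) domain name."""
    while msg[pos] and msg[pos] & 0xC0 != 0xC0:   # walk plain labels
        pos += 1 + msg[pos]
    return pos + (2 if msg[pos] else 1)           # 2-byte pointer or root label

def parse_response(msg):
    """Return (rcode, IPv4 addresses from A records in the answer section)."""
    _, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", msg[:12])
    pos, addrs = 12, []
    for _ in range(qdcount):
        pos = skip_name(msg, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(ancount):
        pos = skip_name(msg, pos)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def classify(rcode, addrs):
    if rcode == 3:                     # NXDOMAIN: honest answer for a missing name
        return "nxdomain"
    return "redirected to " + ", ".join(addrs) if rcode == 0 and addrs else "other"

def check_resolver(server, timeout=3.0):
    name = secrets.token_hex(8) + ".com"   # assumption: random name is unregistered
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name, secrets.randbelow(65536)), (server, 53))
        return classify(*parse_response(sock.recvfrom(4096)[0]))

if __name__ == "__main__":
    for server in ("71.250.0.12", "71.250.0.14"):  # the resolvers named in the post
        try:
            print(server, check_resolver(server))
        except OSError as exc:                     # timeout or unreachable
            print(server, "no answer:", exc)
```

A resolver that answers "redirected to ..." for a name that cannot exist is rewriting NXDOMAIN; "nxdomain" is the answer you want to see.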


[Parental Control] OpenDNS, ddclient

There are several ways to do parental control, and usually a single solution is not enough.
Here is how the internet is used in a home setting:

User → device (ipad, computer) → [home router] → Internet
                                     
                                    [DNS]

DNS is like the Yellow Pages.  When a user types the URL "www.google.com" in the browser, the computer looks it up in DNS, DNS responds with its address ("IP"), and the computer then uses that IP to get to the destination.
 
Parental control can be done in each layer:
  • User (by parents)
  • Device
  • Router
  • DNS
In this posting, User and DNS level controls are discussed.

Parental Control at User Level

Educating children and setting usage limits is the most important.

Set rules on:
  1. Time
  2. Place
  3. Content
I trust my kids, but don't trust those sites.  They want traffic to make money and they'll do anything to trick or attract people to visit the sites.
  • Time limit - duration of use and time of the day. 
  • Agree on where in the house the devices will be used.
  • Talk about content types - what's inappropriate, and some sites may be harmful for them and also might damage the device (e.g. virus).

Parental Control with DNS

Blocking is done at DNS: it simply refuses to give the address for inappropriate sites.  Set devices to use OpenDNS to block inappropriate sites.

Two methods to change it:
  1. On each device
  2. On home router
Changing the DNS setting is different for each device and router.  If you don't know how, just search for it, or visit this page - https://www.opendns.com/setupguide/#familyshield.

A couple of ways to use OpenDNS:
  1. Use predefined settings:
    Just set your devices' DNS to these without any registration.  They have a pre-configured family setting (for "Family Shield"): 
    • 208.67.222.123
    • 208.67.220.123
  2. Use custom settings:
    Register with OpenDNS, update your IP with them, and it will block with customization -- custom category, custom blacklist (unfortunately, limited to 25 entries).

Custom OpenDNS Settings

Benefits of using custom OpenDNS:
  • Custom message on blocked sites
  • Customize categories to block
  • Customized black/white lists (up to only 25 though)
I won't go into details here, however.  It is assumed you have some advanced knowledge, otherwise search on the topic.
  1. Register - https://signup.opendns.com/homefree/
  2. Update your dynamic IP with OpenDNS, one of these methods:
    1. via web page, manually
    2. Windows
    3. Linux
    4. Mac
These days, with high-speed internet, even a dynamic IP doesn't change often.  So even if your computer is turned on only once every few days for a short period of time, running the updater on that computer to update the IP with OpenDNS will suffice.

For Windows and Mac, just search for "ddclient" and you will find the applications.  Examples (not tried):
For Linux, I use 'ddclient' to update the setting at OpenDNS.  As of January 2019, OpenDNS has changed a few things around, and the older way (using ddclient directly to opendns) no longer works.  You must use dnsomatic until OpenDNS changes its way.
  1. Set DNS to 208.67.222.222 and 208.67.220.220 (different from FamilyShield DNS)
  2. Go to https://www.dnsomatic.com and use your OpenDNS ID/PW.  And set up things there.
  3. Set up ddclient, or wget/curl.
ddclient settings for dnsomatic:

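# Send the update (including login and password) over HTTPS
ssl=yes
# Discover the current public IP from DNS-O-Matic's IP page
use=web, web=myip.dnsomatic.com
# dyndns2 entry; all.dnsomatic.com updates every service set up at DNS-O-Matic
server=updates.dnsomatic.com,      \
protocol=dyndns2,                  \
login=dnsomatic_username,          \
password=dnsomatic_password        \
all.dnsomatic.com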


curl or wget:

curl --user "username:password" "https://updates.dnsomatic.com/nic/update?hostname=hostname"

wget --user "username" --password="password" "https://updates.dnsomatic.com/nic/update?hostname=hostname"



Advantages of using ddclient:
  • It supports other dynamic IP DNS services.  (Now with dnsomatic.com service, you can also do that with dnsomatic settings.)
  • ddclient caches IP address it updated previously and if it hasn't been changed, it won't update again.
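The caching behavior described above can be added to the plain HTTP approach as well. The following is an added example, not code from the original post or from ddclient: it calls the same update URL as the curl/wget commands, but only when the public IP differs from a cached copy, and reads the credentials from environment variables so the password does not appear on the command line. The variable names DNSOMATIC_USER / DNSOMATIC_PASS, the cache path and the User-Agent string are assumptions.

```python
import base64
import ipaddress
import os
import urllib.parse
import urllib.request

IP_URL = "https://myip.dnsomatic.com/"
UPDATE_URL = "https://updates.dnsomatic.com/nic/update"

def http_get(url, auth=None):
    """GET over HTTPS, with HTTP Basic auth when `auth` is (user, password)."""
    req = urllib.request.Request(url, headers={"User-Agent": "example-updater/0.1"})
    if auth:
        token = base64.b64encode(":".join(auth).encode()).decode()
        req.add_header("Authorization", "Basic " + token)
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode().strip()

def update_if_changed(cache_path, auth, hostname="all.dnsomatic.com", get=http_get):
    """Update only when the public IP differs from the cached one."""
    current = str(ipaddress.ip_address(get(IP_URL)))  # reject anything not an IP
    try:
        with open(cache_path) as fh:
            if fh.read().strip() == current:
                return "unchanged"                    # no request, like ddclient
    except FileNotFoundError:
        pass
    query = urllib.parse.urlencode({"hostname": hostname, "myip": current})
    reply = get(UPDATE_URL + "?" + query, auth)
    status = reply.split()[0] if reply else "empty"   # first token of the reply
    if status in ("good", "nochg"):                   # dyndns2 success codes
        with open(cache_path, "w") as fh:
            fh.write(current)
    return status                                     # e.g. "badauth" on bad login

if __name__ == "__main__":
    # Hypothetical variable names; keeps the password out of the process list.
    creds = (os.environ["DNSOMATIC_USER"], os.environ["DNSOMATIC_PASS"])
    print(update_if_changed(os.path.expanduser("~/.dnsomatic_ip"), creds))
```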