
RUN SAP BETTER

Cyber Security

Cyber Security Overview


Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.

  • Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.

  • Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data it is designed to protect. Successful security begins in the design stage, well before a program or device is deployed.

  • Information security protects the integrity and privacy of data, both in storage and in transit.

  • Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.

  • Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.

  • End-user education addresses the most unpredictable cyber-security factor: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.

Cyber Security Solution | XDR vs SIEM


XDR (Extended detection and response)


It is a comprehensive cybersecurity solution that combines multiple security technologies and data sources to provide enhanced threat detection, response, and remediation capabilities. XDR expands beyond traditional EDR (Endpoint Detection and Response) solutions and incorporates additional security telemetry data from various sources, such as network traffic, cloud environments, and other endpoints.

Key features and benefits

  • Enhanced visibility: XDR collects and analyzes data from diverse sources, including endpoints, network traffic, cloud platforms, and more. This broader visibility provides a comprehensive understanding of the organization's security posture and allows for the detection of complex threats that may span multiple layers.

  • Advanced analytics and detection: XDR leverages advanced analytics, machine learning, and threat intelligence to detect and prioritize potential security incidents accurately. By applying behavioral analytics and anomaly detection, XDR can identify and flag suspicious activities or indicators of compromise.

  • Automated and streamlined response: XDR streamlines the incident response process by automating investigation and remediation actions. It can orchestrate response activities across different security tools and endpoints, reducing the time and effort required to contain and mitigate threats.

  • Threat hunting capabilities: XDR enables proactive threat hunting by allowing security teams to search for indicators of compromise (IoCs) and suspicious activities across the entire security ecosystem. This helps in identifying and eliminating threats before they cause significant damage.

  • Improved operational efficiency: By consolidating and correlating security data from multiple sources, XDR simplifies security operations and reduces alert fatigue. It provides context-rich insights and actionable intelligence, enabling security teams to focus on critical threats and respond more efficiently.

SIEM (Security information and event management)


It is a cybersecurity solution that helps organizations collect, analyze, and correlate security event data from various sources within their IT infrastructure. SIEM systems provide real-time monitoring, threat detection, incident response, and compliance management capabilities.

Key features and benefits

  • Data Collection: SIEM collects log data, security events, and system activity logs from a wide range of sources, including network devices, servers, applications, firewalls, intrusion detection systems (IDS), and more. These logs contain valuable information about security events, user activities, and system behavior.

  • Log Management: SIEM systems store and manage log data in a centralized repository or database. This allows for easy search, retrieval, and long-term retention of logs for compliance and forensic purposes.

  • Event Correlation: SIEM analyzes and correlates log data from different sources to identify patterns, anomalies, and potential security incidents. It applies predefined rules or algorithms to match events and generate meaningful alerts or notifications.

  • Real-Time Monitoring: SIEM continuously monitors security events in real time and provides dashboards and visualizations to give security teams a holistic view of the organization's security posture. It allows them to track activities, detect threats, and respond promptly to incidents.

  • Threat Detection: SIEM uses rule-based correlation or advanced analytics techniques to detect potential security threats and malicious activities. It can identify patterns that indicate attacks, such as brute-force login attempts, suspicious network traffic, or unauthorized access attempts.

  • Incident Response: SIEM provides workflows and automation capabilities to streamline incident response processes. It enables security teams to investigate and respond to security incidents efficiently, including threat containment, analysis, and remediation.

  • Compliance Management: SIEM assists organizations in meeting regulatory compliance requirements by collecting and analyzing security logs for auditing purposes. It generates reports and provides evidence of compliance with standards such as PCI DSS, HIPAA, GDPR, and others.

  • Log Retention and Forensics: SIEM systems store logs for extended periods, allowing security teams to perform forensic analysis and investigations when necessary. This helps in understanding the scope and impact of security incidents and supports post incident remediation efforts.
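The "Event Correlation" and "Threat Detection" points above describe the core SIEM mechanism: a rule that matches individual log events and raises an alert when a pattern (here, brute-force login attempts) emerges across them. The following is an added example, not code from any SIEM product or from this page. The log lines imitate Linux sshd messages and are constructed; the threshold (5 failures in 60 seconds) and the source addresses are assumptions you would tune for your own environment.

```python
"""Minimal SIEM-style correlation: flag brute-force login attempts.

Added example (not part of the page or of any SIEM product). The log lines
imitate sshd auth messages and are constructed; thresholds are assumptions.
"""
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample events (ISO timestamps so they parse without a year guess).
SAMPLE_LOG = """\
2024-05-01T10:00:01 host1 sshd[101]: Failed password for invalid user admin from 203.0.113.5 port 5001 ssh2
2024-05-01T10:00:03 host1 sshd[102]: Failed password for root from 203.0.113.5 port 5002 ssh2
2024-05-01T10:00:05 host1 sshd[103]: Failed password for root from 203.0.113.5 port 5003 ssh2
2024-05-01T10:00:07 host1 sshd[104]: Failed password for root from 203.0.113.5 port 5004 ssh2
2024-05-01T10:00:09 host1 sshd[105]: Failed password for root from 203.0.113.5 port 5005 ssh2
2024-05-01T10:00:12 host1 sshd[106]: Accepted password for root from 203.0.113.5 port 5006 ssh2
2024-05-01T10:00:20 host1 sshd[107]: Failed password for alice from 198.51.100.7 port 6001 ssh2
2024-05-01T10:30:00 host1 sshd[108]: Failed password for alice from 198.51.100.7 port 6002 ssh2
"""

# Normalisation step: turn one raw line into a structured event.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse(line):
    m = LINE_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def correlate(lines, threshold=5, window_s=60):
    """Sliding window per source address: one medium alert when `threshold`
    failures land inside `window_s` seconds, and a high alert if the same
    source then logs in successfully (a likely guessed credential)."""
    failures = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()                  # sources already alerted on
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue  # unparsed lines are skipped here; a real SIEM would count them
        src, ts = ev["src"], ev["ts"]
        if ev["outcome"] == "Failed":
            q = failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()          # drop failures that fell out of the window
            if len(q) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append({"rule": "bruteforce", "severity": "medium", "src": src,
                               "count": len(q), "first": q[0].isoformat(),
                               "last": ts.isoformat()})
        elif ev["outcome"] == "Accepted" and src in flagged:
            alerts.append({"rule": "bruteforce_then_success", "severity": "high",
                           "src": src, "user": ev["user"], "at": ts.isoformat()})
    return alerts


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG.splitlines()):
        print(alert)
```

Run against the sample, the rule fires once for 203.0.113.5 (five failures in eight seconds) and escalates when the following login succeeds; the two failures from 198.51.100.7 are thirty minutes apart and never reach the threshold, which is the difference between a rule that correlates across events and one that merely matches them.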

XDR vs SIEM (Key Differences)

1. Data Sources:

  • SIEM primarily focuses on log data from various sources within the network, such as firewalls, servers, applications, and network devices. It collects and analyzes logs to identify security events and generate alerts.

  • XDR goes beyond logs and incorporates a broader range of security telemetry data. It collects and analyzes data from diverse sources, including endpoints, network traffic, cloud environments, and sometimes additional sources like cloud applications, email gateways, or user behavior analytics.

2. Endpoint vs. Network Focus:

  • SIEM traditionally places more emphasis on network-focused data sources, analyzing logs from network devices and servers. While it can incorporate some endpoint data, the primary focus is on network-centric security events.

  • XDR expands the scope to include both endpoint and network data. It incorporates endpoint detection and response (EDR) capabilities, analyzing endpoint activities, processes, and behaviors. It also includes network detection and response (NDR) functionalities to monitor network traffic and identify threats.

3. Threat Detection Approach:

  • SIEM typically relies on rule-based correlation and signature-based detection to identify security incidents. It uses predefined rules and signatures to match events and generate alerts based on known patterns.

  • XDR leverages advanced analytics, machine learning, and threat intelligence to detect sophisticated threats. It applies behavioral analytics, anomaly detection, and machine learning algorithms to identify anomalies, unknown threats, and indicators of compromise.

4. Response and Automation:

  • SIEM systems provide alerting and reporting capabilities, allowing security teams to investigate and respond to incidents manually. While some level of automation is possible, the focus is primarily on generating alerts and providing analysis for human decision-making.

  • XDR offers more extensive automation and orchestration capabilities. It can automate response actions, such as isolating compromised endpoints, blocking malicious network traffic, or initiating remediation tasks.

5. Holistic View and Context:

  • SIEM provides visibility into security events and logs, allowing security teams to monitor activities and detect threats within the network.

  • XDR aims to provide a unified and holistic view of the organization's security posture by collecting and correlating data from various sources, including endpoints, network, and cloud.

Wazuh (XDR + SIEM Platform)


Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh unifies historically separate functions into a single agent and platform architecture.

Active XDR protection from modern threats: Wazuh provides analysts real-time correlation and context. Active responses are granular, encompassing on-device remediation so endpoints are kept clean and operational.

A comprehensive SIEM solution: The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.

  • Endpoint Security | Configuration Assessment, Malware Detection and File Integrity Monitoring

  • Threat Intelligence | Threat Hunting, Log Data Analysis and Vulnerability Detection

  • Security Operations | Incident Response, Regulatory Compliance and IT Hygiene

  • Cloud Security | Container Security, Posture Management and Workload Protection

How it is Structured

Wazuh is structured around three pivotal components, each playing a distinct role:

  • 1 | Indexer | The Indexer is the backbone of Wazuh, responsible for efficiently storing and managing vast amounts of security data. It plays a crucial role in facilitating rapid data retrieval and analysis

    • Stage 1 Installation | Certificate creation

    • Stage 2 Installation | Nodes installation

    • Stage 3 Installation | Cluster initialization

  • 2 | Server | Acting as the core processing unit, the Server interprets and analyzes the data collected by agents. It executes essential security operations, such as threat detection, incident response, and compliance management

    • Stage 1 Installation | Wazuh server node installation

    • Stage 2 Installation | Cluster configuration for multi-node deployment

  • 3 | Dashboard | The Dashboard is the user-friendly interface that provides a visual representation of your security data. It offers pre-built dashboards for quick insights into security events, vulnerabilities, file integrity monitoring, configuration assessments, cloud infrastructure monitoring, and compliance standards

Together, these three components form the foundation of Wazuh, offering a scalable and flexible solution to enhance your organization’s cybersecurity posture.

Requirements


  • OS: 64-bit Linux

  • OS Versions: RHEL 7, 8, 9 | Amazon Linux 2 | CentOS 7, 8 | Ubuntu 16.04, 18.04, 20.04, 22.04

  • Hardware for 1-25 agents:

    • Minimum: 2 CPU cores | 4 GB RAM

    • Recommended: 4 CPU cores | 8 GB RAM

  • Disk space for 1-25 agents: 50 GB per 90 days of data

  • Browser Compatibility: Chrome 95 or later | Firefox 93 or later | Safari 13.7 or later

    • Browser w/Limited Support: Other Chromium-based browsers

    • Browser Not Supported: Internet Explorer 11

Before Installation | Lessons Learned | Common constraints

  • CPU/Memory Error | During installation the process can be aborted if the hardware requirements are not met

    • Even when the VM has the required CPUs and RAM, the script checks what is available at the moment of installation, and the operating system is already consuming part of those resources. Allocate a little more than the minimum

    • Option 1: If you are using a VM, increase the CPU cores and RAM

    • Option 2: Append "-i" to the end of the command to bypass the check (the prompt shows this option)

  • Disk Space Error | In the final steps of the script (dashboard installation), the process can fail and the installation be reverted because of a lack of free disk space

    • Even with a large VM disk, this can happen because of the way Ubuntu set up the partitions

    • Option 1: Increase the partition before installation (How to do it)

  • Virtual Hard Disk expands to Maximum Size

    • If you are using a VM with a dynamically expanding disk, be aware that Wazuh may keep growing the virtual disk until it reaches the maximum size, even though space inside the guest is unused and available. Restrict the maximum size accordingly
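The two installation errors above both come down to the installer measuring what the host can offer at that moment, not what the VM was provisioned with. The script below is an added example, not part of Wazuh or its installation assistant: it mirrors the requirements section (2 CPU cores / 4 GB RAM minimum, 4 cores / 8 GB recommended, 50 GB of free disk for 90 days of data from 1-25 agents) so you can see the shortfall before running `wazuh-install.sh`. It reads the RAM that is available now from `/proc/meminfo` on Linux (the situation the lesson describes) and falls back to total physical memory elsewhere; how the official installer itself measures is not specified on the page and is not assumed here.

```python
"""Preflight check against the Wazuh all-in-one requirements listed above.

Added example, not Wazuh's installer. Thresholds come from the page's
requirements section; how wazuh-install.sh measures internally is not assumed.
"""
import os
import shutil

MIN_CPU, REC_CPU = 2, 4          # cores
MIN_RAM_GB, REC_RAM_GB = 4, 8    # GB
MIN_DISK_GB = 50                 # 1-25 agents, 90 days of data


def available_ram_gb():
    """RAM usable right now: MemAvailable on Linux (what the host can actually
    give the installer), total physical memory as a fallback elsewhere."""
    try:
        with open("/proc/meminfo") as f:
            for line in f:
                if line.startswith("MemAvailable:"):
                    return int(line.split()[1]) / (1024 ** 2)   # kB -> GB
    except OSError:
        pass
    try:
        return os.sysconf("SC_PAGE_SIZE") * os.sysconf("SC_PHYS_PAGES") / (1024 ** 3)
    except (ValueError, OSError, AttributeError):
        return 0.0


def evaluate(cpus, ram_gb, disk_free_gb):
    """Pure decision logic, kept separate so it can be tested without a host.
    Returns (ok, findings); ok is False only when a hard minimum is missed,
    recommended-level shortfalls are reported as warnings."""
    findings, ok = [], True
    if cpus < MIN_CPU:
        ok = False
        findings.append(f"FAIL cpu: {cpus} cores < minimum {MIN_CPU}")
    elif cpus < REC_CPU:
        findings.append(f"WARN cpu: {cpus} cores < recommended {REC_CPU}")
    if ram_gb < MIN_RAM_GB:
        ok = False
        findings.append(f"FAIL ram: {ram_gb:.1f} GB available < minimum {MIN_RAM_GB} GB")
    elif ram_gb < REC_RAM_GB:
        findings.append(f"WARN ram: {ram_gb:.1f} GB available < recommended {REC_RAM_GB} GB")
    if disk_free_gb < MIN_DISK_GB:
        ok = False
        findings.append(f"FAIL disk: {disk_free_gb:.1f} GB free < {MIN_DISK_GB} GB for 90 days of data")
    return ok, findings


def preflight(path="/"):
    """Measure this host and evaluate it. `path` is the filesystem the Wazuh
    data will land on; check the partition the lesson above warns about."""
    cpus = os.cpu_count() or 0
    ram = available_ram_gb()
    disk = shutil.disk_usage(path).free / (1024 ** 3)
    return evaluate(cpus, ram, disk)


if __name__ == "__main__":
    ok, findings = preflight()
    for finding in findings:
        print(finding)
    print("ready for: bash wazuh-install.sh -a" if ok
          else "fix the FAIL items, or rerun with -i once you accept the risk")
```

Point `preflight()` at the mount the Wazuh data will actually live on rather than `/` when the Ubuntu partition layout is the issue, since the disk error described above shows up on the partition that fills, not on the virtual disk as a whole.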

After Installation

  • To deploy your first agent

    • On the Wazuh Dashboard, go to Menu > Server Management > Endpoints Summary 

  • Lost Password | If you lost your initial admin password you can run this command

    • Retrieve Users and Passwords | Command: tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Deploying on Ubuntu

This is the quickstart method, provided by Wazuh, to deploy version v4.9.0 using the official bash script. You can check the official page for the latest version deployments. (https://documentation.wazuh.com/current/quickstart.html)

  • Open the terminal

  • For non-root users, use the command "sudo" to perform administrative tasks

  • (Optional) If your system is not updated | Update Ubuntu | Command: apt update

  • Download the Wazuh installation assistant | Command: curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh

  • Execute the Wazuh script using the assistant | Command: bash wazuh-install.sh -a

    • (Optional) If the minimum hardware requirement error appears, use "-i" | Command: bash wazuh-install.sh -a -i

  • Log in to Wazuh using the browser | URL: https://<wazuh-dashboard-ip>

    • Just wait a little longer if you get the message "Wazuh dashboard server is not ready yet"

  • The initial user and password are shown at the end of the installation

Deploying on Docker

This is the alternative installation method, provided by Wazuh, to deploy version v4.8.2 on Docker. You can check the official page for the latest version deployments. (https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html)

  • Open the terminal

  • For non-root users, use the command "sudo" to perform administrative tasks

  • (Optional) If your system is not updated | Update Ubuntu | Command: apt update

  • Install Docker and Docker Compose | Command: apt install docker.io docker-compose -y

  • Clone the Wazuh Docker repository | Command: git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.2

  • Check the new wazuh-docker directory | Command: ls

  • Enter the single-node directory of the new wazuh-docker checkout | Command: cd wazuh-docker/single-node/

  • Generate the certificates | Command: docker-compose -f generate-indexer-certs.yml run --rm generator

  • Deploy Wazuh single-node using docker-compose in the background | Command: docker-compose up -d

  • Check the Docker stats to see if everything is up and running | Command: docker stats

  • Log in to Wazuh using the browser | URL: https://<wazuh-dashboard-ip>

    • Just wait a little longer if you get the message "Wazuh dashboard server is not ready yet"

  • Initial user and password | User: admin / Password: SecretPassword

Upgrading Wazuh on Docker

If you have a previous version, such as v4.8.2, this example shows how to upgrade it to v4.9.0

  • Open terminal

  • For non-root users, use the command "sudo" to perform administrative tasks​

  • Enter in the new wazuh-docker directory (single-node) | Command: cd wazuh-docker/single-node/

  • Stop the outdated environment | Command: docker-compose down

  • Check out the tag of the target version | Command: git checkout v4.9.0

  • Start the new version of Wazuh | Command: docker-compose up -d

  • Check the Docker Stats to see if all is done and running | Command: docker stats

Restarting the Wazuh Container

If you restart your VM, or if for any other reason your Wazuh dashboard starts giving errors, you can restart the Wazuh containers to keep using it until you check the logs and fix the issues.

  • Open terminal

  • For non-root users, use the command "sudo" to perform administrative tasks

  • Enter the single-node directory of the wazuh-docker checkout | Command: cd wazuh-docker/single-node/

  • Stop the running environment | Command: docker-compose down

  • Wait until all processes are "done"

  • Start Wazuh again | Command: docker-compose up -d

  • Check the Docker Stats to see if all is done and running | Command: sudo docker stats

Reverse Proxy


A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability. In order to better understand how a reverse proxy works and the benefits it can provide, let’s first define what a proxy server is.

Benefits of a Proxy

  • To avoid state or institutional browsing restrictions

  • To block access to certain content

  • To protect their identity online

Benefits of a Reverse Proxy

  • Load balancing

  • Protection from attacks

  • GSLB (Global server load balancing) 

  • Caching

  • SSL encryption

Google | Gmail Optimization | DNSSEC Webserver 

Gmail Advanced Optimization


Plus Addressing

You probably receive a lot of unsolicited emails every day. That happens because many companies sell your data to data brokers. The Google "Plus Addressing" feature lets you add extra information to your Gmail address.

Example:

  • If your email is "johndoe@gmail.com" and you want to create an Amazon account

  • You can add "+amazon" to your email, so your email on Amazon will be "johndoe+amazon@gmail.com"

  • You will receive the Amazon emails in your Gmail inbox like any other email, but the recipient will show as "johndoe+amazon@gmail.com"

  • If Amazon sells your data to data brokers, you will know who did it

Warning: Nowadays, many companies already know this trick and are blocking Plus Addressing

Dotted Addressing

Unlike Plus Addressing, companies don't block dots in the Gmail address.

It's not as flexible, but it's another way to change your email address without having to create another Gmail account.
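The two tricks above rest on the same delivery rule: Gmail ignores dots in the local part and everything from "+" onward, so every variant lands in the same mailbox while the To-address still records which alias was used. The following is an added example, not Gmail's code or anything from this page; it implements that rule and turns the To-address of an incoming message back into the name of the service you handed that alias to. The tag-to-service mapping and the sample addresses are constructed; stripping "+tag" for non-Gmail domains is an assumption noted in the code, since not every provider honours it.

```python
"""Attribute an inbound message to the Gmail alias it was sent to.

Added example (not Gmail's code). Implements the two rules described above:
dots in the local part are ignored, and '+tag' is ignored, for Gmail domains.
"""
GMAIL_DOMAINS = {"gmail.com", "googlemail.com"}


def canonical(addr):
    """Mailbox that actually receives mail for `addr`.
    Non-Gmail domains: lower-cased and '+tag' stripped (assumption: many,
    not all, providers honour plus addressing); dots are kept there."""
    local, _, domain = addr.strip().lower().rpartition("@")
    local = local.split("+", 1)[0]
    if domain in GMAIL_DOMAINS:
        local = local.replace(".", "")
        domain = "gmail.com"             # googlemail.com delivers to the same box
    return f"{local}@{domain}"


def tag_of(addr):
    """The '+tag' an address carries, or '' if it has none."""
    local = addr.strip().lower().rpartition("@")[0]
    return local.split("+", 1)[1] if "+" in local else ""


def leak_report(to_addresses, tags_given):
    """For each To-address seen on inbound mail, name the service that was
    given that tag. `tags_given` maps tag -> service, e.g. {"amazon": "Amazon"}
    (constructed)."""
    report = {}
    for to in to_addresses:
        tag = tag_of(to)
        report[to] = tags_given.get(tag, "unknown / untagged")
    return report


if __name__ == "__main__":
    # Constructed inbound To-addresses and the aliases the user handed out.
    seen = ["John.Doe+amazon@gmail.com", "johndoe+news@gmail.com", "johndoe@gmail.com"]
    given = {"amazon": "Amazon", "news": "Newsletter signup"}
    for addr, source in leak_report(seen, given).items():
        print(f"{addr:32} -> {canonical(addr):22} via {source}")
```

Because `canonical()` collapses every dotted and plus variant to one mailbox, it also shows why the page's warning holds: a recipient that applies the same normalisation sees straight through the alias, which is why dots are the quieter of the two techniques.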

Gmail Filtering

You can use some filters in Gmail to find specific emails.

  • On the Gmail account, go to 'Show Search Option'

  • In the field 'Has the words'

    • Filter for emails with no Label | Syntax: has:nouserlabels

    • Filter by Labels with space | Label '[ Important ]' nested on '[ Personal ]' | Syntax: user label:{[-Personal-] [-Important-]}

      • Filter removing a specific Label | Syntax: -{label:[-Personal-]-[-Important-]}

    • Filter by emails with no label, from yourself, before a date | Syntax: has:nouserlabels -from:me before:01/01/2013

DNSSEC on Google Domain with Cloudflare


Activating DNSSEC on Google Domains with Cloudflare

In Cloudflare go to | DNS > Settings > Activate DNSSEC

  • Get the:

    • Key Tag

    • Digest

In Google Domains go to | DNS

  • Paste the:

    • Key Tag

    • Algorithm = 13

    • Digest Type = SHA256

    • Digest

Wait a couple of minutes and it is done.

You can go back to Cloudflare and see the message "Success! Your domain is protected with DNSSEC."
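The four values copied between Cloudflare and Google Domains above are the fields of a DS record, and they are all derived from the zone's DNSKEY: the Key Tag is a 16-bit checksum over the DNSKEY RDATA (RFC 4034 Appendix B), Algorithm 13 is ECDSAP256SHA256, Digest Type SHA256 is digest type 2, and the Digest is SHA-256 over the owner name in wire format followed by the DNSKEY RDATA. The code below is an added example, not Cloudflare's or Google's; it reproduces that derivation so you can check that the DS a registrar shows matches the DNSKEY the DNS host publishes. The DNSKEY it feeds in is constructed (a placeholder 64-byte key, which is the size of a P-256 public key), and the owner name example.com is an assumption; real values come from your provider's DNSSEC page.

```python
"""Derive DS record fields (Key Tag, Algorithm, Digest Type, Digest) from a DNSKEY.

Added example following RFC 4034; not code from Cloudflare, Google or this page.
The DNSKEY material below is constructed for illustration.
"""
import base64
import hashlib
import struct


def name_to_wire(name):
    """'Example.COM.' -> b'\\x07example\\x03com\\x00' (lower-cased, as DS requires)."""
    labels = [l for l in name.lower().rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def dnskey_rdata(flags, protocol, algorithm, public_key):
    """DNSKEY RDATA: 2-byte flags, 1-byte protocol (always 3), 1-byte algorithm, key."""
    return struct.pack("!HBB", flags, protocol, algorithm) + public_key


def key_tag(rdata):
    """RFC 4034 Appendix B checksum over the RDATA (for every algorithm except
    the obsolete RSA/MD5, algorithm 1, which is not handled here)."""
    ac = 0
    for i, b in enumerate(rdata):
        ac += b << 8 if i % 2 == 0 else b
    ac += (ac >> 16) & 0xFFFF
    return ac & 0xFFFF


def ds_record(owner, flags, protocol, algorithm, public_key_b64, digest_type=2):
    """Return (key_tag, algorithm, digest_type, DIGEST_HEX) as shown in a DS RR.
    Digest type 2 = SHA-256(owner name wire format || DNSKEY RDATA)."""
    if digest_type != 2:
        raise ValueError("this example implements digest type 2 (SHA-256) only")
    rdata = dnskey_rdata(flags, protocol, algorithm, base64.b64decode(public_key_b64))
    digest = hashlib.sha256(name_to_wire(owner) + rdata).hexdigest().upper()
    return key_tag(rdata), algorithm, digest_type, digest


def constructed_key_b64():
    """Placeholder 64-byte P-256 public key (bytes 0x00..0x3f), base64 as in a
    DNSKEY presentation record. Constructed; not a real key."""
    return base64.b64encode(bytes(range(64))).decode("ascii")


if __name__ == "__main__":
    # Flags 257 = Zone Key (256) + Secure Entry Point (1): a KSK. Protocol is always 3.
    tag, alg, dt, digest = ds_record("example.com.", 257, 3, 13, constructed_key_b64())
    print(f"example.com. IN DS {tag} {alg} {dt} {digest}")
```

To verify a live setup, paste the DNSKEY fields your DNS host shows (flags, protocol, algorithm, base64 key) into `ds_record()` with your own zone name and compare the tuple with what the registrar displays; a mismatch in either the Key Tag or the Digest means the DS points at a key that is not the one signing your zone.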

DNS | Domain Name System

DNS is often compared to a phone book, and it allows users to type domain names into their browsers without having to remember IP addresses. 


Browser: www.google.com > DNS Translates > IP Address: 142.250.187.228

Example: when a user types "www.google.com" into their browser, DNS translates that domain name into an IP address that their browser can use to load the website.

DNS Record Types

  • IP address resolution

    • CNAME | CNAME records map a domain name to another (canonical) domain name. They can be used to resolve other record types present on the target domain name

    • A | A records map a domain name to one or multiple IPv4 address(es)

      • Example: A = 'google.com' will be mapped to '142.250.187.238'

    • AAAA | AAAA records map a domain name to one or multiple IPv6 address(es)

      • Example: AAAA = 'google.com' will be mapped to '2a00:1450:4009:827::200e'

  • Email authentication

    • MX | A mail exchange (MX) record is required to deliver email to a mail server

    • DKIM | A DomainKeys Identified Mail (DKIM) record ensures email authenticity by cryptographically signing emails

    • SPF | A Sender Policy Framework (SPF) record lists authorized IP addresses and domains that can send email on behalf of your domain

    • DMARC | A Domain-based Message Authentication, Reporting and Conformance (DMARC) record helps generate aggregate reports about your email traffic and provides clear instructions for how email receivers should treat non-conforming emails

  • Specialized records

    • TXT | A text (TXT) record lets you enter text into the DNS system

    • NS | A nameserver (NS) record indicates which server should be used for authoritative DNS

    • CAA | A Certificate Authority Authorization (CAA) record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain

    • SRV | A service record (SRV) specifies a host and port for specific services like voice over IP (VOIP), instant messaging, and more

    • SVCB and HTTPS | Service Binding (SVCB) and HTTPS Service (HTTPS) records allow you to provide a client with information about how it should connect to a server upfront, without the need of an initial plaintext HTTP connection

    • PTR | A pointer (PTR) record specifies the hostname associated with a given IP address (reverse lookup)

    • SOA | A start of authority (SOA) record stores information about your domain such as admin email address, when the domain was last updated, and more

    • DS and DNSKEY | DS and DNSKEY records help implement DNSSEC, which cryptographically signs DNS records to prevent domain spoofing

There are 4 DNS servers involved in loading a webpage


  • DNS Recursor | The recursor can be thought of as a librarian who is asked to go find a particular book somewhere in a library. The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query

  • Root Nameserver | The root server is the first step in translating (resolving) human readable host names into IP addresses. It can be thought of like an index in a library that points to different racks of books - typically it serves as a reference to other more specific locations

  • TLD Nameserver | The top level domain server (TLD) can be thought of as a specific rack of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname (In example.com, the TLD server is “com”)

  • Authoritative Nameserver | This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request

DNS Lookup

For most situations, DNS is concerned with a domain name being translated into the appropriate IP address. Often DNS lookup information will be cached either locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process which makes it quicker.

The example below outlines all 8 steps when nothing is cached

  • 1. A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver

  • 2. The resolver then queries a DNS root nameserver (.)

  • 3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD

  • 4. The resolver then makes a request to the .com TLD

  • 5. The TLD server then responds with the IP address of the domain’s nameserver, example.com

  • 6. Lastly, the recursive resolver sends a query to the domain’s nameserver

  • 7. The IP address for example.com is then returned to the resolver from the nameserver

  • 8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially

Once the 8 steps of the DNS lookup have returned the IP address for 'example.com', the browser is able to make the request for the web page:

  • 9. The browser makes an HTTP request to the IP address

  • 10. The server at that IP returns the webpage to be rendered in the browser

DNS resolver


The DNS resolver is the first stop in the DNS lookup, and it is responsible for dealing with the client that made the initial request. The resolver starts the sequence of queries that ultimately leads to a URL being translated into the necessary IP address.


A typical uncached DNS lookup will involve both recursive and iterative queries.

It's important to differentiate between a recursive DNS query and a recursive DNS resolver. The query refers to the request made to a DNS resolver requiring the resolution of the query. A DNS recursive resolver is the computer that accepts a recursive query and processes the response by making the necessary requests.

3 types of DNS queries

  • Recursive Query | In a recursive query, a DNS client requires that a DNS server (typically a DNS recursive resolver) will respond to the client with either the requested resource record or an error message if the resolver can't find the record

  • Iterative Query | In this situation the DNS client will allow a DNS server to return the best answer it can. If the queried DNS server does not have a match for the query name, it will return a referral to a DNS server authoritative for a lower level of the domain namespace. The DNS client will then make a query to the referral address. This process continues with additional DNS servers down the query chain until either an error or timeout occurs

  • Non-recursive Query | Typically this will occur when a DNS resolver client queries a DNS server for a record that it has access to either because it's authoritative for the record or the record exists inside of its cache. Typically, a DNS server will cache DNS records to prevent additional bandwidth consumption and load on upstream servers

DNS Caching

The purpose of caching is to temporarily store data in a location that improves performance and reliability for data requests. DNS caching involves storing data closer to the requesting client so that the DNS query can be resolved earlier and additional queries further down the DNS lookup chain can be avoided, thereby improving load times and reducing bandwidth/CPU consumption. DNS data can be cached in a variety of locations, each of which will store DNS records for a set amount of time determined by a time-to-live (TTL)
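The 8-step lookup, the three query types and the TTL cache described in the sections above fit in one small simulation. The following is an added example, not any real resolver's code: three constructed nameservers stand in for the root, the .com TLD and example.com's authoritative server (the NS hostnames are made up and the address is from the RFC 5737 documentation range). The recursive resolver accepts the client's recursive query, issues iterative queries and follows the referrals back down the chain, then caches the answer for its TTL so the next lookup inside that window is a non-recursive answer from cache; the returned trail shows exactly which servers were asked.

```python
"""Simulate the uncached DNS walk (root -> TLD -> authoritative) and the TTL cache.

Added example; not the code of any real resolver. All zone data is constructed.
"""
# name -> (rrtype, ttl_seconds, rdata). 192.0.2.10 is a documentation address.
ROOT = {"com.": ("NS", 172800, "a.tld-servers.example.")}          # refers .com down
TLD_COM = {"example.com.": ("NS", 172800, "ns1.example.com.")}       # refers the zone down
AUTH_EXAMPLE = {"example.com.": ("A", 300, "192.0.2.10")}            # holds the answer
SERVERS = {"root": ROOT, "a.tld-servers.example.": TLD_COM, "ns1.example.com.": AUTH_EXAMPLE}


def normalize(qname):
    qname = qname.lower()
    return qname if qname.endswith(".") else qname + "."


def suffixes(qname):
    """'example.com.' -> ['example.com.', 'com.', '.'] (most specific first)."""
    labels = [l for l in qname.rstrip(".").split(".") if l]
    return [".".join(labels[i:]) + "." for i in range(len(labels))] + ["."]


def iterative_query(server, qname, qtype="A"):
    """One iterative query: the server returns the best it has, either the
    record itself ('answer') or a referral to a server lower in the namespace."""
    zone = SERVERS[server]
    for suffix in suffixes(qname):
        rec = zone.get(suffix)
        if rec is None:
            continue
        rtype, ttl, rdata = rec
        if suffix == qname and rtype == qtype:
            return ("answer", rdata, ttl)
        if rtype == "NS":
            return ("referral", rdata, None)
    return ("nxdomain", None, None)


class RecursiveResolver:
    """Accepts recursive queries from clients and keeps a TTL-bounded cache."""

    def __init__(self):
        self.cache = {}  # qname -> (expires_at, rdata)

    def resolve(self, qname, now, max_hops=8):
        """Return (rdata, trail). trail lists the servers queried in order,
        or ['cache'] when the answer is still within its TTL."""
        qname = normalize(qname)
        hit = self.cache.get(qname)
        if hit is not None and now < hit[0]:
            return hit[1], ["cache"]                  # non-recursive answer
        trail, server = [], "root"
        for _ in range(max_hops):                     # bound the referral chain
            trail.append(server)
            kind, value, ttl = iterative_query(server, qname)
            if kind == "answer":
                self.cache[qname] = (now + ttl, value)   # honour the record's TTL
                return value, trail
            if kind == "referral":
                server = value                        # next hop, as in steps 3-6
                continue
            raise LookupError(f"{qname}: no such name (answered by {server})")
        raise LookupError(f"{qname}: referral chain longer than {max_hops} hops")


if __name__ == "__main__":
    r = RecursiveResolver()
    print(r.resolve("example.com", now=0))     # full walk: root -> TLD -> authoritative
    print(r.resolve("example.com", now=100))   # within the 300 s TTL: from cache
    print(r.resolve("example.com", now=301))   # TTL expired: full walk again
```

The `max_hops` guard is there for the failure mode the iterative-query description mentions: a referral loop or a chain that never terminates should end in an error, not in a resolver that queries forever.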

Public DNS Servers

A free, global DNS resolution service that you can use as an alternative to your current DNS provider.

It first appeared to simplify and direct internet traffic for users globally. Public DNS servers are accessible to anyone with an internet connection and are often provided by internet service providers or third-party companies. These servers are most commonly used by individuals and organizations that do not require a private network for their DNS queries. They offer a straightforward and efficient way to navigate the web, helping users access websites quickly and reliably.

DNS Ports

  • DNS Standard | Port: 53 | Protocol: TCP and UDP

  • DoH DNS-over-HTTPS | Port: 443 | Protocol: HTTPS (HTTP + SSL/TLS)

  • DoT DNS-over-TLS | Port: 853 | Protocol: TCP

  • DoQ DNS-over-QUIC | Port: 853 | Protocol: UDP

  • DNSCrypt | Port: 443, 4443, 5443 or 8443 | Protocol: TCP or UDP

Providers
Type
Category
DNS IPv4
DNS-over-HTTPS
DNS-over-TLS
DNS-over-QUIC
DNSCrypt IPv4
DNS IPv6
DNSCrypt IPv6
Ctry
Page
Comments
Google DNS​
Top
8.8.8.8 and 8.8.4.4
https://dns.google/dns-query
tls://dns.google
2001:4860:4860::8888 and 2001:4860:4860::8844
https://developers.google.com/speed/public-dns/
Google DNS is a free, global DNS resolution service that you can use as an alternative to your current DNS provider
Cloudflare DNS​
Standard​
Top
1.1.1.1 and 1.0.0.1
https://dns.cloudflare.com/dns-query (IPv6: https://dns.cloudflare.com/dns-query)
tls://one.one.one.one
2606:4700:4700::1111 and 2606:4700:4700::1001
https://1.1.1.1/
Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
Cloudflare DNS​
Malware blocking only​
Top
1.1.1.2 and 1.0.0.2
https://security.cloudflare-dns.com/dns-query
tls://security.cloudflare-dns.com
2606:4700:4700::1112 and 2606:4700:4700::1002
https://1.1.1.1/
Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
Cloudflare DNS​
Malware and adult content blocking​
Top
1.1.1.3 and 1.0.0.3
https://family.cloudflare-dns.com/dns-query
tls://family.cloudflare-dns.com
2606:4700:4700::1113 and 2606:4700:4700::1003
https://1.1.1.1/
Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
OpenDNS​ (Cisco)
Standard​
Top
208.67.222.222 and 208.67.220.220
https://doh.opendns.com/dns-query
tls://dns.opendns.com
2.dnscrypt-cert.opendns.com (IP: 208.67.220.220)
2620:119:35::35 and 2620:119:53::53
2.dnscrypt-cert.opendns.com (IPv6: [2620:0:ccc::2])
https://www.opendns.com/
Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
OpenDNS​ (Cisco)
FamilyShield​
Top
208.67.222.123 and 208.67.220.123
https://doh.familyshield.opendns.com/dns-query
tls://familyshield.opendns.com
2.dnscrypt-cert.opendns.com (IP: 208.67.220.123)
https://www.opendns.com/
Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
OpenDNS​ (Cisco)
Sandbox​
Top
208.67.222.2 and 208.67.220.2
https://doh.sandbox.opendns.com/dns-query
tls://sandbox.opendns.com
2620:0:ccc::2 IP: 2620:0:ccd::2
https://www.opendns.com/
Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
Quad9 DNS​
Standard​
Well Known
9.9.9.9 and 149.112.112.112
https://dns.quad9.net/dns-query
tls://dns.quad9.net
2.dnscrypt-cert.quad9.net (IP: 9.9.9.9:8443)
2620:fe::fe IP: 2620:fe::fe:9
2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::fe]:8443)
https://quad9.net/
Quad9 DNS is a free, recursive, anycast DNS platform that provides high performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. The Standard servers provide protection from phishing and spyware: they include security blocklists, DNSSEC validation, and other security features
Quad9 DNS
Unsecured
Well Known
9.9.9.10 and 149.112.112.10
https://dns10.quad9.net/dns-query
tls://dns10.quad9.net
2.dnscrypt-cert.quad9.net (IP: 9.9.9.10:8443)
2620:fe::10 and 2620:fe::fe:10
2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::fe:10]:8443)
https://quad9.net/
Quad9 DNS is a free, recursive, anycast DNS platform that provides high performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. The Unsecured servers don't provide security blocklists, DNSSEC validation, or EDNS Client Subnet
Quad9 DNS
ECS support
Well Known
9.9.9.11 and 149.112.112.11
https://dns11.quad9.net/dns-query
tls://dns11.quad9.net
2.dnscrypt-cert.quad9.net (IP: 9.9.9.11:8443)
2620:fe::11 and 2620:fe::fe:11
2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::11]:8443)
https://quad9.net/
Quad9 DNS is a free, recursive, anycast DNS platform that provides high performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. EDNS Client Subnet (ECS) is a method that includes components of the end-user's IP address in requests that are sent to authoritative DNS servers. The ECS servers provide the security blocklist, DNSSEC validation, and EDNS Client Subnet
AdGuard
Default
Well Known
94.140.14.14 and 94.140.15.15
https://dns.adguard-dns.com/dns-query
tls://dns.adguard-dns.com
quic://dns.adguard-dns.com
2.dnscrypt.default.ns1.adguard.com (IP: 94.140.14.14:5443)
2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff
2.dnscrypt.default.ns1.adguard.com (IPv6: [2a10:50c0::ad1:ff]:5443)
https://adguard-dns.io/welcome.html
AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the protection features you need against online ads, trackers, and phishing, whatever platform and device you use
AdGuard
Family Protection
Well Known
94.140.14.15 and 94.140.15.16
https://family.adguard-dns.com/dns-query
tls://family.adguard-dns.com
quic://family.adguard-dns.com
2.dnscrypt.family.ns1.adguard.com (IP: 94.140.14.15:5443)
2a10:50c0::bad1:ff and 2a10:50c0::bad2:ff
2.dnscrypt.family.ns1.adguard.com (IPv6: [2a10:50c0::bad1:ff]:5443)
https://adguard-dns.io/welcome.html
AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the protection features you need against online ads, trackers, and phishing, whatever platform and device you use
AdGuard
Non-filtering
Well Known
94.140.14.140 and 94.140.14.141
https://unfiltered.adguard-dns.com/dns-query
tls://unfiltered.adguard-dns.com
quic://unfiltered.adguard-dns.com
2.dnscrypt.unfiltered.ns1.adguard.com (IP: 94.140.14.140:5443)
2a10:50c0::1:ff and 2a10:50c0::2:ff
2.dnscrypt.unfiltered.ns1.adguard.com (IPv6: [2a10:50c0::1:ff]:5443)
https://adguard-dns.io/welcome.html
AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the protection features you need against online ads, trackers, and phishing, whatever platform and device you use
0ms DNS
Relevant
https://0ms.dev/dns-query
https://0ms.dev/
0ms DNS is a global DNS resolution service provided by 0ms Group as an alternative to your current DNS provider. It uses OISD Big as its base filter to give everyone a more secure environment. It is designed with various optimizations, such as HTTP/3 and caching. It leverages machine learning to protect users from potential security threats while also optimizing itself over time
360 Secure DNS
Relevant
101.226.4.6 and 218.30.118.6
https://doh.360.cn/dns-query
tls://dot.360.cn
123.125.81.6 and 140.207.198.6
CN
Ali DNS
Relevant
223.5.5.5 and 223.6.6.6
https://dns.alidns.com/dns-query
tls://dns.alidns.com
quic://dns.alidns.com:853
2400:3200::1 and 2400:3200:baba::1
https://alidns.com/
Ali DNS is a free recursive DNS service that is committed to providing fast, stable and secure DNS resolution for the majority of Internet users. It includes the AliGuard facility to protect users from various attacks and threats
BebasDNS by BebasID
Security
Relevant
https://antivirus.bebasid.com/dns-query
tls://antivirus.bebasid.com:853
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
Family
Relevant
https://internetsehat.bebasid.com/dns-query
tls://internetsehat.bebasid.com:853
2.dnscrypt-cert.internetsehat.bebasid.com (IP: 103.87.68.196:8443)
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
Family With Ad Filtering
Relevant
https://internetsehat.bebasid.com/adblock
tls://family-adblock.bebasid.com:853
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
OISD Filter
Relevant
https://dns.bebasid.com/dns-oisd
tls://oisd.dns.bebasid.com:853
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
Hagezi Multi Normal Filter
Relevant
https://dns.bebasid.com/dns-hagezi
tls://hagezi.dns.bebasid.com:853
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
Unfiltered
Relevant
https://dns.bebasid.com/unfiltered
tls://unfiltered.dns.bebasid.com:853
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
BebasDNS by BebasID
Default
Relevant
https://dns.bebasid.com/dns-query
tls://dns.bebasid.com:853
2.dnscrypt-cert.dns.bebasid.com (IP: 103.87.68.194:8443)
https://github.com/bebasid/bebasdns
BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domains. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian users with a free and neutral Internet connection
CFIEC Public DNS
Relevant
https://dns.cfiec.net/dns-query
tls://dns.cfiec.net
240C::6666 and 240C::6644
CFIEC Public DNS is an IPv6-based anycast DNS service with strong security capabilities and protection from spyware and malicious websites. It supports DNS64 to provide domain name resolution for IPv6-only users
CleanBrowsing
Adult Filter
Relevant
185.228.168.10 and 185.228.169.11
https://doh.cleanbrowsing.org/doh/adult-filter/
tls://adult-filter-dns.cleanbrowsing.org
cleanbrowsing.org (IP: 185.228.168.10:8443)
2a0d:2a00:1::1 and 2a0d:2a00:2::1
cleanbrowsing.org (IPv6: [2a0d:2a00:1::1]:8443)
https://cleanbrowsing.org/
CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
CleanBrowsing
Family Filter
Relevant
185.228.168.168 and 185.228.169.168
https://doh.cleanbrowsing.org/doh/family-filter/
tls://family-filter-dns.cleanbrowsing.org
cleanbrowsing.org (IP: 185.228.168.168:8443)
2a0d:2a00:1:: and 2a0d:2a00:2::
cleanbrowsing.org (IPv6: [2a0d:2a00:1::]:8443)
https://cleanbrowsing.org/
CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
CleanBrowsing
Security Filter
Relevant
185.228.168.9 and 185.228.169.9
https://doh.cleanbrowsing.org/doh/security-filter/
tls://security-filter-dns.cleanbrowsing.org
2a0d:2a00:1::2 and 2a0d:2a00:2::2
https://cleanbrowsing.org/
CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
Comodo Secure DNS
Relevant
8.26.56.26 and 8.20.247.20
2.dnscrypt-cert.shield-2.dnsbycomodo.com (IP: 8.20.247.2)
https://comodo.com/secure-dns/
Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through a worldwide network of DNS servers. It removes excessive ads and protects from phishing and spyware
ControlD
Block malware
Relevant
76.76.2.1
https://freedns.controld.com/p1
tls://p1.freedns.controld.com
https://controld.com/free-dns
ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD
Block malware + ads
Relevant
76.76.2.2
https://freedns.controld.com/p2
tls://p2.freedns.controld.com
https://controld.com/free-dns
ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD
Block malware + ads + social
Relevant
76.76.2.3
https://freedns.controld.com/p3
tls://p3.freedns.controld.com
https://controld.com/free-dns
ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD
Non-filtering
Relevant
76.76.2.0 and 76.76.10.0
https://freedns.controld.com/p0
tls://p0.freedns.controld.com
2606:1a40:: and 2606:1a40:1::
https://controld.com/free-dns
ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
DNS Privacy
Run by the Stubby developers
Relevant
tls://getdnsapi.net (IP: 185.49.141.37 and IPv6: 2a04:b900:0:100::37)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy
Run by the Stubby developers | Provider: Surfnet
Relevant
tls://dnsovertls.sinodun.com (IP: 145.100.185.15 and IPv6: 2001:610:1:40ba:145:100:185:15)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy
Run by the Stubby developers | Provider: Surfnet
Relevant
tls://dnsovertls1.sinodun.com (IP: 145.100.185.16 and IPv6: 2001:610:1:40ba:145:100:185:16)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy
No-logging policy | Provider: UncensoredDNS
Relevant
tls://unicast.censurfridns.dk (IP: 89.233.43.71 and IPv6: 2a01:3a0:53:53::0)
DK
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy | Provider: UncensoredDNS
Relevant
tls://anycast.censurfridns.dk (IP: 91.239.100.100 and IPv6: 2001:67c:28a4::)
DK
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy | Provider: dkg
Relevant
tls://dns.cmrg.net (IP: 199.58.81.218 and IPv6: 2001:470:1c:76d::53)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://dns.larsdebruin.net (IP: 51.15.70.167)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://dns-tls.bitwiseshift.net (IP: 81.187.221.24 and IPv6: 2001:8b0:24:24::24)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://ns1.dnsprivacy.at (IP: 94.130.110.185 and IPv6: 2a01:4f8:c0c:3c03::2)
AT
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://ns2.dnsprivacy.at (IP: 94.130.110.178 and IPv6: 2a01:4f8:c0c:3bfc::2)
AT
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://dns.bitgeek.in (IP: 139.59.51.46)
IN
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://dns.neutopia.org (IP: 89.234.186.112 and IPv6: 2a00:5884:8209::2)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy | Provider: Go6Lab
Relevant
tls://privacydns.go6lab.si (IPv6: 2001:67c:27e4::35)
SI
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
No-logging policy
Relevant
tls://dot.securedns.eu (IP: 146.185.167.43 and IPv6: 2a03:b0c0:0:1010::e9a:3001)
EU
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy
Minimal logging/restrictions | Provider: NIC Chile
Relevant
tls://dnsotls.lab.nic.cl (IP: 200.1.123.46 and IPv6: 2001:1398:1:0:200:1:123:46)
CL
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. These servers do some logging, use self-signed certificates, or lack support for strict mode
DNS Privacy
Minimal logging/restrictions | Provider: OARC
Relevant
tls://tls-dns-u.odvr.dns-oarc.net (IP: 184.105.193.78 and IPv6: 2620:ff:c000:0:1::64:25)
https://dnsprivacy.org/
A collaborative open project to promote, implement, and deploy DNS Privacy. These servers do some logging, use self-signed certificates, or lack support for strict mode
DNS.SB
Relevant
185.222.222.222 and 45.11.45.11
https://doh.dns.sb/dns-query
tls://dot.sb
2a09:: and 2a11::
SB
https://dns.sb/
DNS.SB provides free DNS service without logging and with DNSSEC enabled
DNSPod Public DNS+
Relevant
119.29.29.29 and 119.28.28.28
https://doh.pub/dns-query
tls://dot.pub
https://www.dnspod.com/
DNSPod Public DNS+ is a privacy-friendly DNS provider with years of experience in developing domain name resolution services; it aims to provide users with a more rapid, accurate and stable recursive resolution service
DNSPod Public DNS+
Relevant
https://dns.pub/dns-query
https://www.dnspod.com/
DNSPod Public DNS+ is a privacy-friendly DNS provider with years of experience in developing domain name resolution services; it aims to provide users with a more rapid, accurate and stable recursive resolution service
DNSWatchGO
Relevant
54.174.40.213 and 52.3.100.184
https://www.watchguard.com/wgrd-products/dnswatchgo
DNSWatchGO is a DNS service by WatchGuard that prevents people from interacting with malicious content
DeCloudUs DNS
Relevant
https://dns.decloudus.com/dns-query
tls://dns.decloudus.com
2.dnscrypt-cert.DeCloudUs-test (IP: 78.47.212.211:9443)
2.dnscrypt-cert.DeCloudUs-test (IPv6: [2a01:4f8:13a:250b::30]:9443)
https://decloudus.com/
DeCloudUs DNS is a DNS service that lets you block anything you wish while, by default, protecting you and your family from ads, trackers, malware, phishing, malicious sites, and much more
Dyn DNS
Relevant
216.146.35.35 and 216.146.36.36
https://help.dyn.com/internet-guide-setup/
Dyn DNS is a free alternative DNS service by Dyn
Freenom World
Relevant
80.80.80.80 and 80.80.81.81
https://freenom.world/en/index.html
Freenom World is a free anonymous DNS resolver by Freenom World
Hurricane Electric Public Recursor
Relevant
74.82.42.42
https://ordns.he.net/dns-query
tls://ordns.he.net
2001:470:20::2
https://dns.he.net/
Hurricane Electric Public Recursor is a free alternative DNS service by Hurricane Electric with anycast
Mullvad
Ad blocking
Relevant
https://adblock.dns.mullvad.net/dns-query
tls://adblock.dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Mullvad
Non-filtering
Relevant
https://dns.mullvad.net/dns-query
tls://dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Mullvad
Ad + malware blocking
Relevant
https://base.dns.mullvad.net/dns-query
tls://base.dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Mullvad
Ad + malware + social media blocking
Relevant
https://extended.dns.mullvad.net/dns-query
tls://extended.dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Mullvad
Ad + malware + adult + gambling blocking
Relevant
https://family.dns.mullvad.net/dns-query
tls://family.dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Mullvad
Ad + malware + adult + gambling + social media blocking
Relevant
https://all.dns.mullvad.net/dns-query
tls://all.dns.mullvad.net
https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/
Mullvad provides publicly accessible DNS with QNAME minimization, with endpoints located in Germany, Singapore, Sweden, the United Kingdom and the United States (Dallas and New York)
Nawala Childprotection DNS
Relevant
180.131.144.144 and 180.131.145.145
2.dnscrypt-cert.nawala.id (IP: 180.131.144.144)
http://nawala.id/
Nawala Childprotection DNS is an anycast Internet filtering system that protects children from inappropriate websites and abusive contents
Neustar Recursive DNS
Reliability & Performance 2
Relevant
156.154.70.5 and 156.154.71.5
2610:a1:1018::5 and 2610:a1:1019::5
https://www.security.neustar/digital-performance/dns-services/recursive-dns
Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide reliable and fast DNS lookups without blocking any specific categories and also prevent redirecting NXDomain (non-existent domain) responses to landing pages
Neustar Recursive DNS
Threat Protection
Relevant
156.154.70.2 and 156.154.71.2
2610:a1:1018::2 and 2610:a1:1019::2
https://www.security.neustar/digital-performance/dns-services/recursive-dns
Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide protection against malicious domains and also include "Reliability & Performance" features
Neustar Recursive DNS
Family Secure
Relevant
156.154.70.3 and 156.154.71.3
2610:a1:1018::3 and 2610:a1:1019::3
https://www.security.neustar/digital-performance/dns-services/recursive-dns
Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide adult content blocking and also include "Reliability & Performance" + "Threat Protection" features
Neustar Recursive DNS
Business Secure
Relevant
156.154.70.4 and 156.154.71.4
2610:a1:1018::4 and 2610:a1:1019::4
https://www.security.neustar/digital-performance/dns-services/recursive-dns
Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers block unwanted and time-wasting content and also include "Reliability & Performance" + "Threat Protection" + "Family Secure" features
Neustar Recursive DNS
Reliability & Performance 1
Relevant
156.154.70.1 and 156.154.71.1
2610:a1:1018::1 and 2610:a1:1019::1
https://www.security.neustar/digital-performance/dns-services/recursive-dns
Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide reliable and fast DNS lookups without blocking any specific categories
NextDNS
Anycast
Relevant
https://anycast.dns.nextdns.io
tls://anycast.dns.nextdns.io
https://nextdns.io/
NextDNS provides publicly accessible non-filtering resolvers without logging in addition to its freemium configurable filtering resolvers with optional logging
NextDNS
Ultra-low latency
Relevant
https://dns.nextdns.io
tls://dns.nextdns.io
https://nextdns.io/
NextDNS provides publicly accessible non-filtering resolvers without logging in addition to its freemium configurable filtering resolvers with optional logging
OpenBLD.net DNS
Strict Filtering (RIC)
Relevant
https://ric.openbld.net/dns-query
tls://ric.openbld.net
https://openbld.net/
OpenBLD.net DNS: Anycast/GeoDNS DNS-over-HTTPS and DNS-over-TLS resolvers that block advertising, tracking, adware, malware, malicious activity and phishing campaigns, about 1M domains in total. It keeps 24h/48h logs for DDoS/flood attack mitigation. The RIC profile applies stricter filtering policies, blocking ads, marketing, tracking, clickbait, coinhive, malicious, and phishing domains
OpenBLD.net DNS
Adaptive Filtering (ADA)
Relevant
https://ada.openbld.net/dns-query
tls://ada.openbld.net
https://openbld.net/
OpenBLD.net DNS: Anycast/GeoDNS DNS-over-HTTPS and DNS-over-TLS resolvers that block advertising, tracking, adware, malware, malicious activity and phishing campaigns, about 1M domains in total. It keeps 24h/48h logs for DDoS/flood attack mitigation. The ADA profile is recommended for most users: very flexible filtering that blocks most ad networks, ad-tracking, malware and phishing domains
RethinkDNS
Non-filtering
Relevant
https://basic.rethinkdns.com/
tls://max.rethinkdns.com
https://www.rethinkdns.com/configure
Safe DNS
Relevant
195.46.39.39 and 195.46.39.40
https://www.safedns.com/
Safe Surfer
Relevant
104.155.237.225 and 104.197.28.121
2.dnscrypt-cert.safesurfer.co.nz (IP: 104.197.28.121)
NZ
https://www.safesurfer.co.nz/
Verisign Public DNS
Relevant
64.6.64.6 and 64.6.65.6
2620:74:1b::1:1 and 2620:74:1c::2:2
https://www.verisign.com/security-services/public-dns/
Wikimedia DNS
Relevant
https://wikimedia-dns.org/dns-query
tls://wikimedia-dns.org (IP: 185.71.138.138 and IPv6: 2001:67c:930::1)
https://meta.wikimedia.org/wiki/Wikimedia_DNS
dns0.eu
Relevant
193.110.81.0 and 185.253.5.0
https://zero.dns0.eu/
tls://zero.dns0.eu
quic://zero.dns0.eu
EU
https://www.dns0.eu/
dns0.eu is a free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union
114DNS
Family
Regional
114.114.114.110 and 114.114.115.110
https://www.114dns.com/
114DNS
Normal
Regional
114.114.114.114 and 114.114.115.115
https://www.114dns.com/
114DNS
Safe
Regional
114.114.114.119 and 114.114.115.119
https://www.114dns.com/
Applied Privacy DNS
Regional
https://doh.applied-privacy.net/query
tls://dot1.applied-privacy.net
https://applied-privacy.net/
ByteDance Public DNS
Regional
180.184.1.1 and 180.184.2.2
CIRA Canadian Shield DNS
Protected
Regional
149.112.121.20 and 149.112.122.20
https://protected.canadianshield.cira.ca/dns-query
tls://protected.canadianshield.cira.ca (IP: 149.112.121.20 and IPv6: 2620:10A:80BB::20)
2620:10A:80BB::20 and 2620:10A:80BC::20
CA
https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CIRA Canadian Shield DNS
Family
Regional
149.112.121.30 and 149.112.122.30
https://family.canadianshield.cira.ca/dns-query
tls://family.canadianshield.cira.ca (IP: 149.112.121.30 and IPv6: 2620:10A:80BB::30)
2620:10A:80BB::30 and 2620:10A:80BC::30
CA
https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CIRA Canadian Shield DNS
Private
Regional
149.112.121.10 and 149.112.122.10
https://private.canadianshield.cira.ca/dns-query
tls://private.canadianshield.cira.ca (IP: 149.112.121.10 and IPv6: 2620:10A:80BB::10)
2620:10A:80BB::10 and 2620:10A:80BC::10
CA
https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CZ.NIC ODVR
Regional
193.17.47.1 and 185.43.135.1
https://odvr.nic.cz/doh
tls://odvr.nic.cz
2001:148f:ffff::1 and 2001:148f:fffe::1
CZ
https://www.nic.cz/odvr/
Comss.one DNS
Regional
https://dns.controld.com/comss
tls://comss.dns.controld.com
quic://comss.dns.controld.com
RU
https://www.comss.ru/page.php?id=7315
DNS for Family
Regional
94.130.180.225 and 78.47.64.161
https://dns-doh.dnsforfamily.com/dns-query
tls://dns-dot.dnsforfamily.com
quic://dnsforfamily.com (IP: 94.130.180.225)
dnsforfamily.com (IP: 94.130.180.225)
2a01:4f8:1c0c:40db::1 and 2a01:4f8:1c17:4df8::1
dnsforfamily.com (IPv6: [2a01:4f8:1c0c:40db::1])
https://dnsforfamily.com/
Digitale Gesellschaft DNS
Regional
https://dns.digitale-gesellschaft.ch/dns-query (IP: 185.95.218.42 and IPv6: 2a05:fc84::42)
tls://dns.digitale-gesellschaft.ch (IP: 185.95.218.43 and IPv6: 2a05:fc84::43)
CH
https://www.digitale-gesellschaft.ch/dns/
Fondation Restena DNS
Regional
https://kaitain.restena.lu/dns-query (IP: 158.64.1.29 and IPv6: 2001:a18:1::29)
tls://kaitain.restena.lu (IP: 158.64.1.29 and IPv6: 2001:a18:1::29)
LU
https://www.restena.lu/en/service/public-dns-resolver
IIJ.JP DNS
Regional
https://public.dns.iij.jp/dns-query
tls://public.dns.iij.jp
JP
https://public.dns.iij.jp/
JupitrDNS
Regional
35.215.30.118 and 35.215.48.207
https://dns.jupitrdns.com/dns-query
tls://dns.jupitrdns.com
quic://dns.jupitrdns.com
https://jupitrdns.com/
LibreDNS
Regional
88.198.92.222
https://doh.libredns.gr/dns-query
tls://dot.libredns.gr (IP: 116.202.176.26)
GR
https://libredns.gr/
LibreDNS
Ads
Regional
https://doh.libredns.gr/ads
GR
https://libredns.gr/
OneDNS
Pure Edition
Regional
117.50.10.10 and 52.80.52.52
https://www.onedns.net/
OneDNS
Block Edition
Regional
117.50.11.11 and 52.80.66.66
https://www.onedns.net/
OpenNIC DNS
Regional
217.160.70.42
2001:8d8:1801:86e7::1
https://www.opennic.org/
Quad101
Regional
101.101.101.101 and 101.102.103.104
https://dns.twnic.tw/dns-query
tls://101.101.101.101
2001:de4::101 and 2001:de4::102
TW
https://101.101.101.101/
SWITCH DNS
Regional
dns.switch.ch (IP: 130.59.31.248)
https://dns.switch.ch/dns-query
tls://dns.switch.ch (IP: 130.59.31.248 and IPv6: 2001:620:0:ff::2)
dns.switch.ch (IPv6: 2001:620:0:ff::2)
CH
https://www.switch.ch/security/info/public-dns/
SkyDNS RU
Regional
193.58.251.251
RU
https://www.skydns.ru/en/
Yandex DNS
Basic
Regional
77.88.8.8 and 77.88.8.1
https://common.dot.dns.yandex.net/dns-query
tls://common.dot.dns.yandex.net
2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff
RU
https://dns.yandex.com/
Yandex DNS
Safe
Regional
77.88.8.88 and 77.88.8.2
https://safe.dot.dns.yandex.net/dns-query
tls://safe.dot.dns.yandex.net
2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad
RU
https://dns.yandex.com/
Yandex DNS
Family
Regional
77.88.8.3 and 77.88.8.7
https://family.dot.dns.yandex.net/dns-query
tls://family.dot.dns.yandex.net
2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11
RU
https://dns.yandex.com/
AhaDNS
Small (Risky)
5.2.75.75
https://doh.nl.ahadns.net/dns-query
tls://dot.nl.ahadns.net
2a04:52c0:101:75::75
NL
https://ahadns.com/
AhaDNS
Small (Risky)
45.67.219.208
https://doh.la.ahadns.net/dns-query
tls://dot.la.ahadns.net
2a04:bdc7:100:70::70
US
https://ahadns.com/
Arapurayil
Small (Risky)
https://dns.arapurayil.com/dns-query
2.dnscrypt-cert.dns.arapurayil.com (IP: 3.7.156.128)
https://dns.arapurayil.com/
BlackMagicc DNS
Small (Risky)
103.178.234.160
https://robin.techomespace.com/dns-query
tls://robin.techomespace.com:853
2405:19c0:2:ea2e::1
https://bento.me/blackmagicc
Captnemo DNS
Small (Risky)
2.dnscrypt-cert.captnemo.in (IP: 139.59.48.222:4434)
IN
https://captnemo.in/dnscrypt/
DNS Forge
Small (Risky)
176.9.93.198 and 176.9.1.117
https://dnsforge.de/dns-query
tls://dnsforge.de
2a01:4f8:151:34aa::198 and 2a01:4f8:141:316d::117
DE
https://dnsforge.de/
DNSWarden
Small (Risky)
https://dns.dnswarden.com/uncensored
tls://uncensored.dns.dnswarden.com
https://dnswarden.com/customfilter.html
Dandelion Sprout's Official DNS Server
Small (Risky)
https://dandelionsprout.asuscomm.com:2501/dns-query
tls://dandelionsprout.asuscomm.com:853
quic://dandelionsprout.asuscomm.com:48582
https://github.com/DandelionSprout/adfilt/tree/master/Dandelion%20Sprout's%20Official%20DNS%20Server
FFMUC DNS
Small (Risky)
https://doh.ffmuc.net/dns-query
tls://dot.ffmuc.net
2.dnscrypt-cert.ffmuc.net (IP: 5.1.66.255:8443)
2.dnscrypt-cert.ffmuc.net (IPv6: [2001:678:e68:f000::]:8443)
https://ffmuc.net/
Lelux DNS
Small (Risky)
https://resolver-eu.lelux.fi/dns-query
tls://resolver-eu.lelux.fi
FI
https://lelux.fi/resolver/
OSZX DNS
OSZX DNS
Small (Risky)
51.38.83.141
https://dns.oszx.co/dns-query
tls://dns.oszx.co
2.dnscrypt-cert.oszx.co (IP: 51.38.83.141:5353)
2001:41d0:801:2000::d64
2.dnscrypt-cert.oszx.co (IPv6: [2001:41d0:801:2000::d64]:5353)
UK
https://dns.oszx.co/
OSZX DNS
PumpleX
Small (Risky)
51.38.82.198
https://dns.pumplex.com/dns-query
tls://dns.pumplex.com
2.dnscrypt-cert.pumplex.com (IP: 51.38.82.198:5353)
2001:41d0:801:2000::1b28
2.dnscrypt-cert.pumplex.com (IPv6: [2001:41d0:801:2000::1b28]:5353)
UK
https://dns.oszx.co/
Privacy-First DNS
Japan Server
Small (Risky)
172.104.93.80
https://jp.tiar.app/dns-query
tls://jp.tiar.app
2.dnscrypt-cert.jp.tiar.app (IP: 172.104.93.80)
2400:8902::f03c:91ff:feda:c514
2.dnscrypt-cert.jp.tiar.app (IPv6: [2400:8902::f03c:91ff:feda:c514])
JP
https://tiarap.org/
Privacy-First DNS
Singapore Server
Small (Risky)
174.138.21.128
https://doh.tiar.app/dns-query
tls://dot.tiar.app
quic://doh.tiar.app
2.dnscrypt-cert.dns.tiar.app (IP: 174.138.21.128)
2400:6180:0:d0::5f6e:4001
2.dnscrypt-cert.dns.tiar.app (IPv6: [2400:6180:0:d0::5f6e:4001])
SG
https://tiarap.org/
Privacy-First DNS
Cached via third-party
Small (Risky)
https://jp.tiarap.org/dns-query
JP
https://tiarap.org/
Privacy-First DNS
Cached via third-party
Small (Risky)
https://doh.tiarap.org/dns-query
SG
https://tiarap.org/
Seby DNS
Small (Risky)
45.76.113.31
tls://dot.seby.io
2.dnscrypt-cert.dns.seby.io (IP: 45.76.113.31)
RS
https://dns.seby.io/
fvz DNS
Small (Risky)
2.dnscrypt-cert.dnsrec.meo.ws (IP: 185.121.177.177:5353)
http://meo.ws/
fvz DNS
Small (Risky)
2.dnscrypt-cert.dnsrec.meo.ws (IP: 169.239.202.202:5353)
http://meo.ws/
ibksturm DNS
Small (Risky)
https://ibksturm.synology.me/dns-query (IP: 213.196.191.96)
tls://ibksturm.synology.me (IP: 213.196.191.96)
quic://ibksturm.synology.me (IP: 213.196.191.96)
2.dnscrypt-cert.ibksturm (IP: 213.196.191.96:8443)
https://ibksturm.synology.me/

rDNS | Reverse DNS

What is reverse DNS?
A reverse DNS lookup is a DNS query for the domain name associated with a given IP address. This accomplishes the opposite of the more commonly used forward DNS lookup, in which the DNS system is queried to return an IP address.

Standards from the Internet Engineering Task Force (IETF) suggest that every domain should be capable of reverse DNS lookup, but as reverse lookups are not critical to the normal function of the Internet, they are not a hard requirement. As such, reverse DNS lookups are not universally adopted.

How does reverse DNS work?
Reverse DNS lookups query DNS servers for a PTR (pointer) record; if the server has no PTR record for the address, it cannot answer the reverse lookup. A PTR record's name is the IP address with its segments reversed and ".in-addr.arpa" appended. For example, if a domain has the IP address 192.0.2.1, the PTR record stores the domain's name under 1.2.0.192.in-addr.arpa.

In IPv6, the latest version of the Internet Protocol, PTR records are stored within the ".ip6.arpa" domain instead of ".in-addr.arpa."

What are reverse DNS lookups used for?
Reverse lookups are commonly used by email servers. An email server checks whether an email message came from a valid server before accepting it onto its network. Many email servers will reject messages from any server that does not support reverse lookups or from a server that is highly unlikely to be legitimate. Spammers often use IP addresses from hijacked machines, which means there will be no PTR record, or they may use dynamically assigned IP addresses that resolve to highly generic server names.

Logging software also employs reverse lookups in order to provide users with human-readable domains in their log data, as opposed to a bunch of numeric IP addresses.
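Added example, not from the original page: the PTR name construction just described, in Python. ptr_name builds the in-addr.arpa / ip6.arpa owner name for an IPv4 or IPv6 address, ip_from_ptr_name parses such a name back, and forward_confirmed performs the forward-confirmed reverse DNS check mail servers apply (the two resolver helpers need network access; the rest runs offline, and the addresses used in the demonstration are constructed documentation values).

```python
import ipaddress
import socket
from typing import Optional


def ptr_name(ip: str) -> str:
    """Return the reverse-lookup (PTR) owner name for an IPv4 or IPv6 address.

    IPv4: octets reversed, then ".in-addr.arpa"   (192.0.2.1 -> 1.2.0.192.in-addr.arpa)
    IPv6: the 32 hex nibbles of the fully expanded address reversed, then ".ip6.arpa"
    """
    addr = ipaddress.ip_address(ip)
    if addr.version == 4:
        return ".".join(reversed(str(addr).split("."))) + ".in-addr.arpa"
    nibbles = addr.exploded.replace(":", "")  # always 32 characters once expanded
    return ".".join(reversed(nibbles)) + ".ip6.arpa"


def ip_from_ptr_name(name: str) -> str:
    """Inverse of ptr_name(): recover the address from an in-addr.arpa / ip6.arpa name."""
    labels = name.rstrip(".").lower().split(".")
    if labels[-2:] == ["in-addr", "arpa"]:
        octets = labels[:-2]
        if len(octets) != 4:
            raise ValueError("IPv4 reverse name needs exactly four octet labels")
        return str(ipaddress.IPv4Address(".".join(reversed(octets))))
    if labels[-2:] == ["ip6", "arpa"]:
        nibbles = labels[:-2]
        if len(nibbles) != 32 or any(len(n) != 1 for n in nibbles):
            raise ValueError("IPv6 reverse name needs exactly 32 single-nibble labels")
        hexstr = "".join(reversed(nibbles))
        groups = [hexstr[i:i + 4] for i in range(0, 32, 4)]
        return str(ipaddress.IPv6Address(":".join(groups)))
    raise ValueError("not a reverse-lookup name: " + name)


def reverse_lookup(ip: str) -> Optional[str]:
    """Ask the system resolver for the PTR record; None when there is none (network required)."""
    try:
        hostname, _aliases, _addrs = socket.gethostbyaddr(ip)
        return hostname
    except (socket.herror, socket.gaierror, OSError):
        return None


def forward_confirmed(ip: str) -> bool:
    """Forward-confirmed reverse DNS: the PTR name must resolve back to the same address.

    This is the check a mail server applies to a connecting client; a missing PTR, or a
    PTR whose name does not point back at the IP, counts as a failure (network required).
    """
    hostname = reverse_lookup(ip)
    if hostname is None:
        return False
    try:
        forward = {info[4][0] for info in socket.getaddrinfo(hostname, None)}
    except socket.gaierror:
        return False
    return str(ipaddress.ip_address(ip)) in forward


if __name__ == "__main__":
    # Constructed documentation addresses; no network needed for these two calls.
    for sample in ("192.0.2.1", "2001:db8::1"):
        print(sample, "->", ptr_name(sample), "->", ip_from_ptr_name(ptr_name(sample)))
```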

mDNS | Multicast DNS

What is multicast DNS?

mDNS is meant to deal with having names for machines on local networks without needing to register them on DNS servers. This is especially useful when there are no DNS servers you can control – think of a home with a couple of devices that need to interact locally without going to the internet.

Examples: Chromecast devices and network printers.

In the context of WebRTC, mDNS has been introduced to protect against the JavaScript application accessing the local IP addresses that are exchanged during ICE negotiation. This is achieved by the browser replacing its local IP addresses with random mDNS ones that it registers on the local network.

ICE | Interactive Connectivity Establishment

It is a standard method of NAT traversal used in WebRTC. It is defined in IETF RFC 5245. ICE deals with the process of connecting media through NATs by conducting connectivity checks.

ICE collects all available candidates (local IP addresses, reflexive addresses – STUN ones and relayed addresses – TURN ones). All the collected addresses are then sent to the remote peer via SDP. Once the WebRTC Client has all the collected ICE addresses of itself and its peer, it starts initiating connectivity checks. These checks essentially try sending media over the various addresses until success.

The downside of using ICE is the time it takes, which can be tens of seconds. To speed this up, a mechanism called Trickle ICE was added to WebRTC.

Ping | How to Ping a Specific Port?

Ping (Packet Internet or Inter-Network Groper) is a network tool for checking whether a remote system is up and running. In other words, the command determines whether a certain IP address or host is reachable. Ping uses a network layer protocol called Internet Control Message Protocol (ICMP) and is available on all operating systems.

On the other hand, port numbers belong to transport layer protocols, such as TCP and UDP. Port numbers help identify where an Internet or other network message is forwarded when it arrives.

Why Can't I Ping a Specific Port?

Network devices use ICMP to send error messages and information on whether communication with an IP address is successful or not. ICMP differs from transport protocols as ICMP is not used to exchange data between systems.

Ping uses ICMP packets, and ICMP does not use port numbers, which means a port can't be pinged.

How Can I Ping a Specific Port? (Workaround)

However, other tools can be used with the same intention as ping, to check whether a port is open or not.

Some network tools and utilities can simulate an attempt to establish a connection to a specific port and wait to see if the target host responds. If there is a response, the target port is open. If not, the target port is closed, or the host is unable to accept a connection because there is no service configured to listen for connections on that port.

Tools to Ping a Port

Telnet (Windows / Linux)

  • On Windows, open the Command Prompt (search for "CMD") or PowerShell (search for "PowerShell")

  • On Linux, you can use the command directly at the prompt

  • Command: telnet <ip> <port>

    • Example: telnet 10.0.0.100 8006 (Port 8006 is used by Proxmox)

  • If the port is open, telnet establishes a connection. Otherwise, it states a failure

NC | Netcat (Linux)

  • Command: nc -vz <address> <port_number>

    • Example: nc -vz 10.0.0.100 8006 (Port 8006 is used by Proxmox)

  • The output informs the user if the connection to the specified port is successful or not. If it is successful, the port is open

NMAP | Network Mapper (Linux)

  • Command: nmap -p <port_number> <address>

    • Example: nmap -p 8006 10.0.0.100 (Port 8006 is used by Proxmox)

  • The output informs the user about the port’s state and service type, latency, and the time elapsed until the completion of the task

  • To ping more than one port | Command: nmap -p <number-range> <address>

Powershell (Windows)

  • Open PowerShell (search for "PowerShell")

  • Command: Test-NetConnection <address> -p <port_number>

    • Example: Test-NetConnection 10.0.0.100 -p 8006 (Port 8006 is used by Proxmox)

  • If the port is open and the connection passes, the TCP test is successful. Otherwise, a warning message appears saying the TCP connection failed
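Added example, not from the original page: the same TCP "port ping" the tools above perform, in Python with the standard socket module. A connect attempt separates an open port (handshake completed) from a closed one (the host answers with RST, seen as "connection refused") and a filtered one (no answer before the timeout, typically a firewall dropping the SYN); parse_port_spec accepts the single-port and range forms used with nmap -p. The demonstration uses a local listener in place of the page's Proxmox host.

```python
import socket
from typing import Dict, List, Tuple


def check_tcp_port(host: str, port: int, timeout: float = 3.0) -> str:
    """One TCP connect attempt. Returns 'open', 'closed', 'filtered' or 'unreachable'.

    open        -> the three-way handshake completed (something is listening)
    closed      -> the host answered with RST (nothing listening on that port)
    filtered    -> no answer before the timeout (SYN most likely dropped by a firewall)
    unreachable -> no route / name resolution failure, i.e. the host itself was not reached
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except ConnectionRefusedError:
        return "closed"
    except (socket.timeout, TimeoutError):
        return "filtered"
    except OSError:
        return "unreachable"


def parse_port_spec(spec: str) -> List[int]:
    """Parse an nmap-style port list such as '8006' or '22,80,8000-8010'."""
    ports: List[int] = []
    for part in spec.split(","):
        part = part.strip()
        if "-" in part:
            lo, hi = (int(x) for x in part.split("-", 1))
        else:
            lo = hi = int(part)
        if not (1 <= lo <= hi <= 65535):
            raise ValueError("bad port specification: " + part)
        ports.extend(range(lo, hi + 1))
    return ports


def check_ports(host: str, spec: str, timeout: float = 3.0) -> Dict[int, str]:
    """Check every port in an nmap-style spec and map port -> state."""
    return {port: check_tcp_port(host, port, timeout) for port in parse_port_spec(spec)}


def start_local_listener() -> Tuple[socket.socket, int]:
    """Open a listening socket on 127.0.0.1 on a free port, to try the checker without a remote host."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    return srv, srv.getsockname()[1]


if __name__ == "__main__":
    # The local listener stands in for the Proxmox host on port 8006 from the page's examples.
    srv, port = start_local_listener()
    print(f"127.0.0.1:{port} ->", check_tcp_port("127.0.0.1", port))  # open
    srv.close()
    print(f"127.0.0.1:{port} ->", check_tcp_port("127.0.0.1", port))  # closed
```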

Installing the Tools

Telnet (Windows / Linux)

  • Ubuntu | Command: sudo apt install telnet

  • CentOS/Fedora | Command: yum -y install telnet

  • Windows | See the Windows steps under "Installing Telnet" below

NC | Netcat (Linux)

  • Debian, Ubuntu, and Mint

    • Check if Netcat is installed | Command: netcat -h

  • Fedora, Red Hat Enterprise Linux, and CentOS

    • Check if Netcat is installed | Command: ncat -h

  • If not installed | Command: sudo apt install netcat

NMAP | Network Mapper (Linux)

  • Check if NMAP is installed | Command: nmap -version

  • If not installed

    • Ubuntu or Debian | Command: sudo apt install nmap

    • CentOS or RHEL | Command: sudo yum install nmap

Telnet | Teletype Network

Telnet is a network protocol that allows users to connect to and communicate with remote computers using a transmission control protocol/Internet protocol (TCP/IP) network. It provides a command-line interface that acts like a virtual terminal, allowing users to access a remote system as if they were physically there.

It was developed in 1969 and has been an essential tool for connecting computers and devices remotely. Despite being an old protocol, it still plays a critical role in modern-day remote access solutions.

Security Issue: Telnet has been a popular choice for remote access because it's reliable, easy to use and easy to configure. However, it has serious security concerns because it lacks encryption and transmits data in clear text. This means that anyone with access to the network could potentially intercept and read the data, including passwords and other sensitive information. Alternatives like SSH offer more secure remote management options.

Common uses

  • Remote management: Users can access and manage network nodes, such as servers, routers, and switches, from a distance 

  • Initial device setup: Users can set up network hardware 

  • Testing services: Users can test services 

  • Debugging email problems: Users can send emails directly from the server to detect errors 

  • Configuring servers: Users can quickly and easily implement changes to the directory structure, file access rights, or passwords 

  • Accessing legacy systems: Some legacy computer systems still rely on Telnet for remote access. It helps connect to these systems, run applications, process data, and manage resources.

  • Troubleshooting network connectivity: It can be used to test connectivity to a network device or server. By establishing a Telnet connection to the device or server, you can check whether it’s reachable, identify any errors or connectivity issues, and diagnose network problems.

How to use it to troubleshoot network connectivity

You can simply check whether a specific port is open:

  • Open PowerShell

  • Type the command: telnet <ip> <port>

    • Example: telnet 10.0.0.100 8006 (Port 8006 is used by Proxmox)

  • If the port is open, telnet establishes a connection. Otherwise, it states a failure

Installing Telnet

Ubuntu

  • Command: sudo apt install telnet

CentOS/Fedora

  • Command: yum -y install telnet

Windows

  • Open “Control Panel“

  • Open “Programs“

  • Select the “Turn Windows features on or off ” option

  • Check the “Telnet Client” box

  • Click “OK“. A box will appear that says “Windows features” and “Searching for required files“. When complete, the Telnet client should be installed in Windows

NMAP | Network Mapper

NMAP (Network Mapper) is a free and open source utility for network discovery and security auditing.

Nmap uses raw IP packets in novel ways to determine:

  • What hosts are available on the network

  • What services (application name and version) those hosts are offering

  • What operating systems (and OS versions) they are running

  • What type of packet filters/firewalls are in use and other characteristics

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Installing NMAP on Linux

  • Check if NMAP is installed| Command: nmap -version

  • If not installed

    • ​Ubuntu or Debian | Command: sudo apt install nmap

    • CentOS or RHEL | Command: sudo yum install nmap

Running NMAP

  • Run TCP Scan | Command: nmap -sT <Public IP Address>

  • Run Script to find Vulnerabilities | Command: nmap --script vuln <Public IP Address>

Wireshark | Open-Source Network Packet Analyzer

Wireshark, originally named Ethereal but renamed in May 2006, is a free and open-source network packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

Intended Purposes

  • Network administrators use it to troubleshoot network problems

  • Network security engineers use it to examine security problems

  • QA engineers use it to verify network applications

  • Developers use it to debug protocol implementations

  • People use it to learn network protocol internals

What is not provided

  • Wireshark isn’t an intrusion detection system

  • Wireshark will not manipulate things on the network, it will only “measure” things from it

Features

  • Available for UNIX and Windows

  • Capture live packet data from a network interface

  • Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many other packet capture programs

  • Import packets from text files containing hex dumps of packet data

  • Display packets with very detailed protocol information

  • Save packet data captured

  • Export some or all packets in a number of capture file formats

  • Filter packets on many criteria

  • Search for packets on many criteria

  • Colorize packet display based on filters

  • Create various statistics

Capabilities

  • Live capture from many different network media

    • Wireshark can capture traffic from many different network media types, including Ethernet, Wireless LAN, Bluetooth, USB, and more

    • The specific media types supported may be limited by several factors, including your hardware and operating system

  • Import files from many other capture programs

    • Wireshark can open packet captures from a large number of capture programs

  • Export files for many other capture programs

    • Wireshark can save captured packets in many formats, including those used by other capture programs

  • Many protocol dissectors

    • There are protocol dissectors (or decoders, as they are known in other products) for a great many protocols

Ubuntu | Installing Wireshark

Using the APT (Advanced Package Tool) Method

The software repository of Ubuntu includes Wireshark by default, which enables you to install the package using the APT. It is the easiest and most straightforward method. It ensures you have the latest version of Wireshark when the Ubuntu system is updated. Execute the following command in the Ubuntu terminal.

  • Install the Wireshark | Command: sudo apt install wireshark

  • You will be asked if a "non-superuser can capture packets". This means that a user other than the "root" user can run Wireshark.

    • If you have another user, select "Yes"

      • Add your user to the wireshark group | Command: sudo usermod -aG wireshark <username>

        • Example: sudo usermod -aG wireshark john01

    • If you use the "root" user, select "No" and you won't need to perform anything else​​

  • OPTIONAL | If you want to change your "non-superuser packet capture" option later, use the Command: sudo dpkg-reconfigure wireshark-common

  • Verify that Wireshark was installed by checking its version | Command: wireshark --version

  • Launch Wireshark | Command: sudo wireshark

To uninstall Wireshark | Command: sudo apt-get remove --purge wireshark

Using the PPA (Personal Package Archive) Method

If the Ubuntu version of your computer is older, you can use the PPA maintained by the Wireshark developers.

  • Add the official Wireshark PPA to your list of repositories |Command: sudo add-apt-repository ppa:wireshark-dev/stable -y

  • Update the package list | Command: sudo apt update

  • Install the Wireshark | Command: sudo apt install wireshark

  • You will be asked if a "non-superuser can capture packets". This means that a user other than the "root" user can run Wireshark.

    • If you have another user, select "Yes"

      • Add your user to the wireshark group | Command: sudo usermod -aG wireshark <username>

        • Example: sudo usermod -aG wireshark john01

    • If you use the "root" user, select "No" and you won't need to perform anything else​​

  • OPTIONAL | If you want to change your "non-superuser packet capture" option later, use the Command: sudo dpkg-reconfigure wireshark-common

  • Verify that Wireshark was installed by checking its version | Command: wireshark --version

  • Launch Wireshark | Command: sudo wireshark

To remove the Wireshark PPA (uninstall Wireshark itself with sudo apt-get remove --purge wireshark, as above) | Command: sudo add-apt-repository --remove ppa:wireshark-dev/stable -y

Network Protocols

Network protocols are the sets of standards that allow two or more machines connected to the internet to communicate with each other. They work as a universal language that can be interpreted by computers from any manufacturer, using any operating system.

They are responsible for taking data transmitted over the network and dividing it into small pieces, which are called packets. Each packet carries source and destination addressing information. Protocols are also responsible for systematizing the establishment, control, traffic and closure phases.

Key elements that define network protocols:

  • Syntax: Represents the format of the data and the order in which it is presented

  • Semantics: Refers to the meaning of each syntactic set that gives meaning to the message sent

  • Timing: Defines an acceptable packet transmission speed

Types of Network Protocols

For communication between computers to be carried out correctly, both computers must be configured according to the same parameters and comply with the same communication standards.

The network is divided into layers, each with a specific function. The different types of network protocols vary according to the type of service used and the corresponding layer.

The main layers and their main protocol types:

  • Application Layer: WWW, HTTP, SMTP, Telnet, FTP, SSH, NNTP, RDP, IRC, SNMP, POP3, IMAP, SIP, DNS, PING

  • Transport Layer: TCP, UDP, RTP, DCCP, SCTP

  • Network Layer: IPv4, IPv6, IPsec, ICMP

  • Physical Link Layer: Ethernet, Modem, PPP, FDDI

Transmission Control Protocol (TCP)

TCP is a popular communication protocol used for communicating over a network. It divides a message into a series of packets that are sent from the source to the destination, where they are reassembled.

Internet Protocol (IP)

IP is designed explicitly as an addressing protocol. It is mostly used with TCP. The IP addresses in packets help route them through different nodes in a network until they reach the destination system. TCP/IP is the most popular protocol for connecting networks.


User Datagram Protocol (UDP)

UDP is an alternative communication protocol to Transmission Control Protocol, implemented primarily for creating loss-tolerating and low-latency links between different applications.


Post Office Protocol (POP)

POP3 is designed for receiving incoming e-mail.


Simple Mail Transfer Protocol (SMTP)

SMTP is designed to send and distribute outgoing e-mail.

File Transfer Protocol (FTP)

FTP allows users to transfer files from one machine to another. These may include program files, multimedia files, text files, documents, etc.

Hyper Text Transfer Protocol (HTTP)

HTTP is designed for transferring hypertext between two or more systems. HTML tags are used for creating links, which may be in any form, such as text or images. HTTP is designed on client-server principles, which allow a client system to establish a connection with the server machine and make a request. The server acknowledges the request initiated by the client and responds accordingly.

Hyper Text Transfer Protocol Secure (HTTPS)

HTTPS (Hyper Text Transfer Protocol Secure) is a standard protocol for securing the communication between two computers, one using a browser and the other serving data from a web server. HTTP transfers data between the client browser (request) and the web server (response) in hypertext format; HTTPS does the same, except that the data is transferred in encrypted form. It can therefore be said that HTTPS prevents attackers from reading or modifying the data while the packets are in transit.

SSL - Secure Sockets Layer

It is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."

TLS - Transport Layer Security

It is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this article we will focus on the role of TLS in web application security.

TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.

Telnet

Telnet is a set of rules designed for connecting one system to another. The connecting process is termed remote login. The system that requests the connection is the local computer, and the system that accepts the connection is the remote computer.

Gopher

Gopher is a collection of rules implemented for searching, retrieving and displaying documents from remote sites. Gopher also works on the client/server principle.

Protocols used by SAP

Common Programming Interface for Communication (CPI-C)

SAP uses Common Programming Interface for Communication (CPIC) protocol to transfer data between systems. CPIC is an SAP specific protocol.

Open Data Protocol (OData)

The Open Data Protocol (OData) is a standardized protocol for exposing and accessing information from various sources. OData is based on core protocols, including HTTP, AtomPub (Atom Publishing Protocol), XML, and JSON (JavaScript Object Notation).

MQTT - Message Queuing Telemetry Transport

MQTT is a message protocol for machine-to-machine communication (M2M) and IoT. You can use the MQTT source system to set up a connection to an MQTT broker (MQTT server). It is most commonly run over the TCP/IP stack, but there are MQTT implementations that use other protocols.

The supported communication protocol between SAP S/4HANA and SAP Cloud Platform Enterprise Messaging will be MQTT (over WebSocket). With the Enterprise Event Enablement feature of S/4HANA, you can pass S/4HANA events to external systems via the middleware called SAP Cloud Platform Enterprise Messaging.

HTTP vs MQTT: HTTP is typically a transient interface in which each request is a short-lived session. MQTT sessions are long-lived. Another important difference is that HTTP operates on a command-response basis. A command gets sent to the server and a response returns.

TCP vs UDP | Protocol Comparison

Whether your data is transferred quickly and in full depends on which network protocols you use, UDP or TCP. They both do the same job but in different ways. One is more reliable and the other one is faster.

TCP (transmission control protocol) is connection-based, so it establishes a connection between the receiver and sender and maintains it while transferring data. It guarantees that the data arrives completely intact.

UDP (User Datagram Protocol) is connectionless, so it doesn’t establish a prior connection between two parties. It has the potential to lose data along the way, but in return you’ll have much higher speeds.

  • Reliability

    • TCP: High

    • UDP: Lower

  • Speed

    • TCP: Lower

    • UDP: High

  • Transfer Method

    • TCP: Packets are delivered in a sequence

    • UDP: Packets are delivered in a stream

  • Error Detection and Correction

    • TCP: Yes

    • UDP: No

  • Congestion Control

    • TCP: Yes

    • UDP: No

  • Acknowledgement

    • TCP: Yes

    • UDP: Only the Checksum (Checksum is the final two bytes of the UDP header, a field that's used by the sender and receiver to check for data corruption)

Warning: UDP is not recommended for transmitting large files.
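Added example, not from the original page: the UDP checksum the comparison above refers to, computed as RFC 768 specifies (ones'-complement sum over an IPv4 pseudo-header, the 8-byte UDP header and the payload) over a constructed datagram, together with the receiver-side check that shows what it covers. A flipped byte is detected, but a zero checksum field, which IPv4 allows a sender to use, disables the check entirely, and nothing is retransmitted either way; the addresses, ports and payload are constructed sample values.

```python
import socket
import struct

UDP_PROTO = 17
UDP_HEADER_LEN = 8


def ones_complement_sum(data: bytes) -> int:
    """16-bit ones'-complement sum used by the IP, TCP and UDP checksums."""
    if len(data) % 2:
        data += b"\x00"            # an odd trailing byte is zero-padded for the sum only
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:             # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src_ip: str, dst_ip: str, udp_length: int) -> bytes:
    """IPv4 pseudo-header: source, destination, zero, protocol, UDP length (RFC 768)."""
    return (socket.inet_aton(src_ip) + socket.inet_aton(dst_ip)
            + struct.pack("!BBH", 0, UDP_PROTO, udp_length))


def udp_checksum(src_ip: str, dst_ip: str, src_port: int, dst_port: int, payload: bytes) -> int:
    """Checksum for the UDP header's final two bytes, computed with that field set to zero."""
    length = UDP_HEADER_LEN + len(payload)
    header = struct.pack("!HHHH", src_port, dst_port, length, 0)
    csum = 0xFFFF ^ ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + header + payload)
    return csum or 0xFFFF          # a computed 0 is sent as 0xFFFF, because 0 means "no checksum"


def build_udp_datagram(src_ip: str, dst_ip: str, src_port: int, dst_port: int,
                       payload: bytes) -> bytes:
    """UDP header (source port, destination port, length, checksum) followed by the payload."""
    length = UDP_HEADER_LEN + len(payload)
    csum = udp_checksum(src_ip, dst_ip, src_port, dst_port, payload)
    return struct.pack("!HHHH", src_port, dst_port, length, csum) + payload


def verify_udp_datagram(src_ip: str, dst_ip: str, datagram: bytes) -> bool:
    """Receiver-side check: True when the datagram is consistent, False when corrupted.

    Summing the pseudo-header and the whole datagram (checksum field included) must give
    0xFFFF. A zero checksum field means the sender skipped the checksum, so the datagram is
    accepted unverified: that is the limit of the "only the checksum" protection UDP offers.
    """
    if len(datagram) < UDP_HEADER_LEN:
        return False
    _sp, _dp, length, csum = struct.unpack("!HHHH", datagram[:UDP_HEADER_LEN])
    if length != len(datagram):
        return False
    if csum == 0:
        return True
    total = ones_complement_sum(pseudo_header(src_ip, dst_ip, length) + datagram)
    return total == 0xFFFF


if __name__ == "__main__":
    # Constructed sample: a DNS-sized datagram from 192.0.2.10 to 192.0.2.20.
    dg = build_udp_datagram("192.0.2.10", "192.0.2.20", 40000, 53, b"constructed sample payload")
    print("intact   :", verify_udp_datagram("192.0.2.10", "192.0.2.20", dg))          # True
    damaged = dg[:12] + bytes([dg[12] ^ 0x01]) + dg[13:]                                # one bit flipped
    print("corrupted:", verify_udp_datagram("192.0.2.10", "192.0.2.20", damaged))     # False
```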

SSL vs TLS | Protocol Comparison

Protocol Evolution: SSL 1.0 > SSL 2.0 > SSL 3.0 > TLS 1.0 > TLS 1.1 > TLS 1.2 > TLS 1.3

SSL (Secure Sockets Layer)

Secure Sockets Layer (SSL) is a protocol that encrypts and secures data transmitted over the internet. SSL protects data from being intercepted by hackers and prevents them from stealing personal or financial information.

SSL works by:

  • Encryption: SSL encrypts data sent between a browser and a website or between two servers

  • Authentication: SSL authenticates web servers. SSL initiates an authentication process between two devices called a handshake

  • Integrity: SSL digitally signs data to verify that it hasn't been tampered with

SSL was introduced by Netscape in 1995 and was the first widely used protocol for securing online transactions. Although it has been replaced by a more updated protocol called Transport Layer Security (TLS), SSL is still commonly used today.

TLS (Transport Layer Security)

Transport Layer Security (TLS) is a security protocol that encrypts data sent between computers over the internet. It's used to protect data from hackers and ensure that all parties involved in a transaction are who they claim to be.

TLS has three main functions:

  • Encryption: Hides sensitive data during transfer

  • Authentication: Verifies the identities of the client and server

  • Integrity: Verifies that data hasn't been tampered with or forged

TLS is the most widely used security protocol today. It's primarily used to encrypt communication between web browsers and servers, but it can also secure email and other protocols. TLS handshakes are a multi-step process that involves the client authenticating the server and the client and server exchanging a shared secret.

TLS replaced SSL in 2015 after SSL was compromised by vulnerabilities. Most people still use the term SSL because it's more widely known. 

Protocol Comparison

  • Stands For

    • SSL: Secure Sockets Layer

    • TLS: Transport Layer Security

  • Version History 

    • SSL: Replaced with TLS. SSL moved through versions 1.0, 2.0, and 3.0

    • TLS: Upgraded version of SSL. TLS has moved through versions 1.0, 1.1, 1.2, and 1.3

  • Algorithm

    • SSL: Supports older algorithms with known security vulnerabilities

    • TLS: Utilizes advanced encryption algorithms (Fortezza algorithm is not supported)

  • Activity

    • SSL: It is now considered deprecated due to significant vulnerabilities

    • TLS: Currently the versions 1.2 and 1.3 are actively used due to its robust security

  • Alert Messages

    • SSL has only two types of alert messages. Alert messages are unencrypted

    • TLS alert messages are encrypted and more diverse

  • Message Authentication

    • SSL: Uses Message Authentication Code (MAC) protocols

    • TLS: Deploys Hashed Message Authentication Code (HMAC) protocols

  • Cipher Suites

    • SSL: Supports older algorithms with known security vulnerabilities

    • TLS: Uses advanced encryption algorithms

  • Handshake

    • SSL: Handshake is complex and slow

    • TLS: Handshake is simplified (it has fewer steps), faster, and more secure

  • Connection

    • SSL: Establishes connection using a port

    • TLS: Establishes connection using protocol

References: Palo Alto Networks (www.paloaltonetworks.com); Wikipedia (www.wikipedia.org); Google (www.google.com); Oracle (www.oracle.com); Raspberry PI (www.raspberrypi.org); Microsoft (www.microsoft.com); CloudFlare (www.cloudflare.com); NordVPN (nordvpn.com)
