
IANA ROOT DNS Object-Group

The following object-group consists of the latest IANA root DNS servers and can be used on Cisco ASA firewalls.

IANA Root DNS Servers (IPv4/IPv6)
object-group network IANA-ROOT-DNS
 description IANA Root DNS Servers (IPv4/IPv6)
 network-object host 198.41.0.4
 network-object host 2001:503:ba3e::2:30
 network-object host 192.228.79.201
 network-object host 2001:500:84::b
 network-object host 192.33.4.12
 network-object host 2001:500:2::c
 network-object host 199.7.91.13
 network-object host 2001:500:2d::d
 network-object host 192.203.230.10
 network-object host 192.5.5.241
 network-object host 2001:500:2f::f
 network-object host 192.112.36.4
 network-object host 128.63.2.53
 network-object host 2001:500:1::803f:235
 network-object host 192.36.148.17
 network-object host 2001:7fe::53
 network-object host 192.58.128.30
 network-object host 2001:503:c27::2:30
 network-object host 193.0.14.129
 network-object host 2001:7fd::1
 network-object host 199.7.83.42
 network-object host 2001:500:3::42
 network-object host 202.12.27.33
 network-object host 2001:dc3::35

[click to continue…]

Best Practice Access Control List Firewall Rules

When it comes to firewall rules, there are a number of things I follow as best practice. To start with, you need to make sure you have all the necessary information in place before writing your firewall rules.

Ask yourself the following questions… If you don’t have the answers, go back to the drawing board and get all the necessary information.

  • Do you have all the necessary ports required for the firewall?
  • Do you have all the IP/Subnet information?

Make the ACLs short and sweet

It is a best practice to avoid raw IP addresses in ACLs.

  • Make sure that the ACLs are intuitive to anyone who is not familiar with your network.
  • You should be able to understand how the firewalling is done by reading the ACLs.

[click to continue…]

Remove or Move Interface from VSAN Database

This post will guide you through adding and removing interfaces from the VSAN database. Even though I have tested this on a Cisco MDS 9124, the process is virtually the same on the Cisco Nexus platforms, with a slight difference in interface names.

Issuing the command show vsan membership will tell you which VSAN an interface is a member of.

Interfaces are in VSAN 1 by default and can be moved to another VSAN with the following commands.

vsan database
 vsan 100 interface fc1/1

If you want to remove an interface from a particular VSAN, you need to move it back to VSAN 1.

Changing Linux Interface Numbering

The following method is useful when you have cloned a Linux VM and end up with an interface other than eth0. This usually happens when you clone or create a VM from a template whose interface name is eth0: the cloned copy will have eth1 rather than eth0 as the interface name. According to VMware, this is by design and can only be fixed by the following method.

Start up the VM and open up the following file with your favourite text editor and find the interface you want to remove.

/etc/udev/rules.d/70-persistent-net.rules

[click to continue…]

Allowing Specific DNS Servers on ASA Firewall

The following post shows how to allow only specific DNS servers through a Cisco ASA firewall. In this example, I am using Google DNS as the servers allowed through the firewall.

DNS Rules
object-group service DNS-PORTS
 service-object udp destination eq domain

object-group network GOOGLE-DNS
 network-object host 8.8.8.8
 network-object host 8.8.4.4

access-list ACL_in extended permit object-group DNS-PORTS NETWORK 255.255.255.0 object-group GOOGLE-DNS
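In the ACL above, NETWORK 255.255.255.0 stands for the inside subnet. The following is an added example, not the post's own configuration, that carries the same policy through: it adds DNS over TCP (which resolvers fall back to for answers that exceed the UDP size limit, and which zone transfers use), names the inside subnet as an object (192.168.1.0/24 is a constructed placeholder), logs and drops DNS to any other resolver so clients cannot bypass the approved servers, and binds the ACL to the inside interface.

```cisco
object-group service DNS-PORTS
 description DNS over UDP and TCP (TCP carries large answers and zone transfers)
 service-object udp destination eq domain
 service-object tcp destination eq domain

object-group network GOOGLE-DNS
 description Approved resolvers
 network-object host 8.8.8.8
 network-object host 8.8.4.4

object-group network INSIDE-NET
 description Placeholder, constructed value: replace with your inside subnet
 network-object 192.168.1.0 255.255.255.0

access-list ACL_in remark Allow inside clients to reach only the approved resolvers
access-list ACL_in extended permit object-group DNS-PORTS object-group INSIDE-NET object-group GOOGLE-DNS
access-list ACL_in remark Log and drop DNS to any other resolver so clients cannot bypass the policy
access-list ACL_in extended deny object-group DNS-PORTS object-group INSIDE-NET any log
access-list ACL_in remark Remaining outbound traffic (adjust to your own policy)
access-list ACL_in extended permit ip object-group INSIDE-NET any

access-group ACL_in in interface inside
```

The order matters: the deny for DNS-PORTS must sit above the broader permit ip line, otherwise clients can still reach any resolver. The log keyword on the deny entry gives you a syslog record of every host that tries an unapproved resolver, which is a useful signal for malware that hard-codes its own DNS servers.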

How to fix the Windows 10 DNS resolver DNS Leaks

The design of Windows 10 allows the Operating System to send DNS queries to all the available interfaces on the machine. The OS does not take into account the network interface priority nor does it take into account any default route.

This design is somewhat okay until we face a VPN scenario, where the DNS request is supposed to go through the VPN tunnel for security reasons; a query that leaks out of another interface allows a hacker to intercept the DNS request and modify the reply to perform a man-in-the-middle attack.

The easy fix is to add a DWORD named DisableSmartNameResolution with a value of 0 under the following path.

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\DNSClient

How to restrict WordPress login to specific IPs

This involves adding the following code to the .htaccess file in the root of the WordPress installation directory, with each IP address on a new line and IP subnets in CIDR format.

The code below is displayed as an image due to a WordPress limitation.

[Image: Screen Shot 08-04-15 at 10.17 AM, the .htaccess code]

A Closer Look at LG G4

I have had the pleasure to be given the opportunity to participate in the #TryLGG4 program. I am someone who usually changes my phone every 9-12 months and am currently an LG G3 user. I was not looking for any upgrade because I felt that all current devices on the market can’t match what a G3 offers. This all changed when I had the chance to use the LG G4. Here are my thoughts on the device as I opened the box.

1) Lightweight
2) Ergonomic design
3) Interchangeable battery
4) Expandable storage
[click to continue…]

RFC 3330 Traffic Filtering From The Internet

The following post will explain one of the recommended methods of filtering unwanted traffic from the internet to the internal network.

Most administrators filter RFC-1918 traffic traversing from the internet to internal networks, while still allowing the list of bogon prefixes defined in RFC-3330. These addresses are _not_ publicly assigned, so you should never see them as the source IP of traffic destined to your internal network. Furthermore, it is a best practice from a security perspective to filter these ranges in case you are targeted with a spoofing attack.

As a reference to this post, please check RFC-3330 which contains all the prefixes in question.
[click to continue…]
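Here is an added example of that filtering on a Cisco ASA; it is not the post's own configuration. It keeps the prefixes in a named object-group with a description and uses remarks in the ACL, so the intent survives for whoever reads the rules next. Only the RFC-3330 blocks that are still special-use today are listed: several of the blocks the RFC marked "reserved but subject to allocation" (14/8, 24/8, 39/8, 128.0/16, 191.255/16, 223.255.255/24) have since been assigned to real networks and must not be blocked, so check the current IANA IPv4 special-purpose registry before deploying. The INSIDE-PREFIXES entry is a constructed placeholder for your own address space; the interface and ACL names are assumptions.

```cisco
object-group network RFC3330-BOGONS
 description Special-use IPv4 blocks that never arrive legitimately as a source from the internet
 network-object 0.0.0.0 255.0.0.0
 network-object 10.0.0.0 255.0.0.0
 network-object 127.0.0.0 255.0.0.0
 network-object 169.254.0.0 255.255.0.0
 network-object 172.16.0.0 255.240.0.0
 network-object 192.0.0.0 255.255.255.0
 network-object 192.0.2.0 255.255.255.0
 network-object 192.168.0.0 255.255.0.0
 network-object 198.18.0.0 255.254.0.0
 network-object 224.0.0.0 240.0.0.0
 network-object 240.0.0.0 240.0.0.0

object-group network INSIDE-PREFIXES
 description Placeholder, constructed value: your own public and internal prefixes
 network-object 203.0.113.0 255.255.255.0

access-list OUTSIDE_in remark Bogon sources: drop and log, placed above every permit statement
access-list OUTSIDE_in extended deny ip object-group RFC3330-BOGONS any log
access-list OUTSIDE_in remark Anti-spoofing: our own prefixes must never appear as a source on the outside interface
access-list OUTSIDE_in extended deny ip object-group INSIDE-PREFIXES any log
access-list OUTSIDE_in remark Permits for published services follow here; everything else hits the implicit deny

access-group OUTSIDE_in in interface outside
ip verify reverse-path interface outside
```

The second deny covers the spoofing case the post mentions: a packet arriving on the outside interface that claims to come from your own prefixes is forged by definition. ip verify reverse-path adds a routing-table check (unicast RPF) that drops such packets even if the ACL is later edited, and the log keyword on both deny entries gives you a count of spoofing attempts per source in syslog.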

Difference between Port-Object and Service-Object

When it comes to Cisco ASA, both Port-Object and Service-Object achieve the same result. However, the way a Port-Object or Service-Object group is referenced in an extended Access Control List (ACL) statement differs.

Below, we look at two TCP services, namely www and https, defined using Port-Object and Service-Object as follows…

Port Object

object-group service WEB-PORTS tcp
 port-object eq www
 port-object eq https

[click to continue…]
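To show the difference the excerpt describes, here is an added example (not the post's own configuration) that defines the same two ports as a service-object group and then writes the ACL entry both ways. WEB-SERVERS and its 192.0.2.x addresses are constructed placeholders, and the ACL name OUTSIDE_in is an assumption.

```cisco
object-group service WEB-PORTS-SVC
 description Same two TCP ports as WEB-PORTS, but each entry carries its own protocol
 service-object tcp destination eq www
 service-object tcp destination eq https

object-group network WEB-SERVERS
 description Constructed example addresses, not from the original post
 network-object host 192.0.2.10
 network-object host 192.0.2.11

access-list OUTSIDE_in remark Port-object group: the protocol (tcp) is named in the ACL and the group supplies only the ports
access-list OUTSIDE_in extended permit tcp any object-group WEB-SERVERS object-group WEB-PORTS

access-list OUTSIDE_in remark Service-object group: the group already carries the protocol, so it takes the place of the protocol field
access-list OUTSIDE_in extended permit object-group WEB-PORTS-SVC any object-group WEB-SERVERS
```

With a port-object group the protocol is fixed by the object-group service WEB-PORTS tcp header and repeated as tcp in the ACL, and the group is appended after the destination. With a service-object group the protocol lives inside each service-object line, which is why the group replaces the protocol keyword right after permit and why one such group can mix tcp and udp entries.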


Copyright © Nish Vamadevan 2002-2018. All Rights Reserved. Terms and Policies.