Category Archives: Internet Access

Posts concerning xDSL/fiber/cable Internet connections, merely for private usage. In Germany, these are the ISPs such as 1&1, Deutsche Telekom, Kabel Deutschland.

#heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen

Ich durfte zu Gast bei der #heiseshow zum Thema IPv6 sein. In Anlehnung an die Artikelserie über IPv6 in der c’t 7/2022, in der auch mein Artikel über die Vorteile von IPv6-Adressen erschienen ist, ging es bei diesem Video-Podcast um gängige Fragen zu IPv6 sowohl im Heimanwender- als auch im Enterprise-Segment. Ne knappe Stunde lief die Schose und ich empfand es als ziemlich kurzweilig. ;)

Continue reading #heiseshow: IPv6 setzt sich langsam durch – die wichtigsten Fragen

Pi-hole Installation Guide

You probably know already the concept of the Pi-hole. If not: It’s a (forwarding) DNS server that you can install on your private network at home. All your clients, incl. every single smartphone, tablet, laptop, and IoT devices such as smart TVs or light bulb bridges, can use this Pi-hole service as their DNS server. Now here’s the point: it not only caches DNS entries, but blocks certain queries for hostnames that are used for ads, tracking, or even malware. That is: You don’t have to use an ad- or track-blocker on your devices (which is not feasible on smart TVs or smartphone apps, etc.), but you’re blocking this kind of sites entirely. Nice approach!

Yes, there are already some setup tutorials for the Pi-hole out there. However, it’s not only about installing the mere Pi-hole, but setting it up with your own recursive DNS server (since the default installation forwards to public DNS servers), using DNSSEC, and adding some more adlists. That’s why I am listing my installation procedure here as well. However, it’s not a complete beginners guide. You’ll need some basic Linux know-how.

Continue reading Pi-hole Installation Guide

Capturing – because I can: IS-IS, GLBP, VRRP

I am constantly trying to add more protocols to the Ultimate PCAP. Hence I used some time in my (old) Cisco lab to configure and capture the following protocols: IS-IS, GLBP, and VRRP. And since Alexis La Goutte sent me some CAPWAP traffic, this protocol is also added. All packets are now found in another update of the Ultimate PCAP. Here are some details:

Continue reading Capturing – because I can: IS-IS, GLBP, VRRP

iperf3 on a FortiGate

This is a really nice feature: you can run iperf3 directly on a FortiGate to speed-test your network connections. It’s basically an iperf3 client. Using some public iperf servers you can test your Internet bandwidth; using some internal servers you can test your own routed/switched networks, VPNs, etc. However, the maximum throughput for the test is CPU dependent. So please be careful when interpreting the results. Here we go:

Continue reading iperf3 on a FortiGate

2001:db8::/32 in the Wild

If you have ever read some docs or RFCs about IPv6 you should be quite familiar with the 2001:db8::/32 “IPv6 Address Prefix Reserved for Documentation”, RFC 3849. This RFC clearly states how you should handle addresses within this range: “This assignment implies that IPv6 network operators should add this address prefix to the list of non-routeable IPv6 address space, and if packet filters are deployed, then this address prefix should be added to packet filters.”

I was interested whether those addresses are actually used in the Internet. For this purpose I analyzed my firewall logs for 6 months to get an idea. Though it was not that much, I actually got a couple of connections inbound and outbound (!) sourced or destined to those reserved IPv6 addresses.

Continue reading 2001:db8::/32 in the Wild

Internet’s Noise

If you are following the daily IT news you have probably seen many articles claiming they have scanned the whole Internet for this or that. Indeed there are tools such as the ZMap Project “that enable researchers to perform large-scale studies of the hosts and services that compose the public Internet”.

This time I was not interested in scanning something, but in the question about “how many scans happen during one day on my home ISP connection?” Or in other words: What is the Internet background noise as seen by almost any customer? For this I sacrificed my Internet connection at home for 24 hours, while a factory-resetted router established a fresh Internet connection (IPv6 & IPv4) without any end devices behind it. No outgoing connections that could confuse or trigger any scans. That is: All incoming connections are really unsolicited and part of some third-party port scans, worm activities, or whatever. Using a network TAP device I captured these 24 hours and analyzed them with Wireshark.

In this blogpost I will present some stats about these incoming port scans. Furthermore I am publishing the pcap file so you can have a look at it by yourself.

Continue reading Internet’s Noise

TROOPERS18: Dynamic IPv6 Prefix Problems and VPNs

Just a few days ago I gave a talk at Troopers 18 in Heidelberg, Germany, about the problems of dynamic (non-persistent) IPv6 prefixes, as well as IPv6 VPNs in general. Following are my slides and the video of the talk:

Continue reading TROOPERS18: Dynamic IPv6 Prefix Problems and VPNs

Internetanschlusswechsel innerhalb der Telekom: Ein Albtraum

Anstelle von technischen Details heute mal ein Erfahrungsbericht. Vielleicht sollte ich eher sagen: ein Odysseebericht. Für einen meiner Kunden habe ich den Business-Internetanschluss umgezogen. “Einfache Sache”, so dachte ich anfangs, zumal der alte und neue Anschluss beide bei dem gleichen Anbieter liegen: der Telekom. Von einem “Company Connect” der T-Systems (ok, doch nicht exakt Telekom) hin zu einem DeutschlandLAN Connect IP.

Es war fürchterlich:

Continue reading Internetanschlusswechsel innerhalb der Telekom: Ein Albtraum

Detect DNS Spoofing: dnstraceroute

Another great tool from Babak Farrokhi is dnstraceroute. It is part of the DNSDiag toolkit from which I already showed the dnsping feature. With dnstraceroute you can verify whether a DNS request is indeed answered by the correct DNS server destination or whether a man-in-the-middle has spoofed/hijacked the DNS reply. It works by using the traceroute trick by incrementing the TTL value within the IP header from 1 to 30.

Beside detecting malicious DNS spoofing attacks, it can also be used to verify security features such as DNS sinkholing. I am showing the usage as well as a test case for verifying a sinkhole feature.

Continue reading Detect DNS Spoofing: dnstraceroute

RTTs with different ISPs

Just a short post this time, but an interesting fact concerning different Internet Service Providers (ISPs) and their routing to/from other countries. I have a customer in Germany that has a remote office in France, connected via a site-to-site VPN. Around April last year the french office decided to change the ISP to a cheaper competitor that offers the same speed/bandwidth and therefore has no disadvantages… Well, I disagree.

Continue reading RTTs with different ISPs

1&1 DSL Routing: Hop Counts unterschiedlich

Seit über einem Jahr zeichne ich die Anzahl der Hops von einer Reihe DSL-Anschlüssen auf (siehe hier). Mein Monitoring-Server läuft dabei hinter einem statischen Anschluss der Telekom, während die privaten Internetanschlüsse von diversen Anbietern (1&1, Kabel Deutschland, Telekom) kommen. Nun habe ich leider nicht im Detail die Ahnung davon, wie diese Anbieter ihren Traffic routen, zumindest scheint aber 1&1 irgendetwas Komisches bei sich verbaut zu haben, da sehr oft nach der nächtlichen Zwangstrennung ein deutlicher Unterschied in der Anzahl der Hops zu sehen ist.

Continue reading 1&1 DSL Routing: Hop Counts unterschiedlich

Telekom Dual-Stack Verbindungsaufbau

Bis neulich hatte ich einen normalen DSL-Anschluss von 1&1: Per PPPoE eingewählt und eine IPv4-Adresse bekommen – fertig. Das kann neben der FRITZ!Box natürlich auch jeder vernünftige Router oder Firewall.

Jetzt habe ich endlich einen richtigen Dual-Stack (IPv4 und IPv6) Anschluss der Telekom (Glasfaser “MagentaZuhause M” ohne Fernsehen, siehe hier). Juchu! ;) Bevor ich jedoch den mitgelieferten Speedport durch diverse andere Testgeräte ersetze, wollte ich mal vernünftig mitschneiden, welche Protokolle denn bei einem Verbindungsaufbau genau eingesetzt werden. Vor allem die Prefix Delegation über DHCPv6 interessierte mich…

Continue reading Telekom Dual-Stack Verbindungsaufbau

Ping Times/Latency: DSL vs. Glasfaser, IPv4 vs. IPv6

Seit wenigen Tagen bin ich glücklicher Kunde eines Telekom Glasfaseranschlusses. Mit satten 50/10 MBit/s rasen die Daten bei mir ein und aus. Neben der deutlich höheren Geschwindigkeit war ich aber auch an den Latenzen der beiden Anschlüsse interessiert und habe entsprechende Tests gemacht. Hier kommen die Ergebnisse.

Continue reading Ping Times/Latency: DSL vs. Glasfaser, IPv4 vs. IPv6

Idea: IPv6 Dynamic Prefix

For dynamic IPv4 addresses, dynamic DNS services such as Dyn or No-IP are well-known. If an ISP issues a single dynamic IPv4 address every 24 hours (or the like), the router or any other device registers the IPv4 address for a DNS record. With port-forwardings on the router, several services on different clients can be accessed.

Since there are some ISPs that offer dynamic IPv6 prefixes as well, I have a suggestion on how to optimize the “dynamic DNS” service for several IPv6 addresses and names. The main idea is to update only the IPv6 prefix, while the host IDs are static configured on the DNS server. This limits the DNS updates and expands the usage of DNS names even for devices that have no “DynDNS update client” built-in.

Continue reading Idea: IPv6 Dynamic Prefix

“IPv6-Präfixe würfeln” – Was soll das?

Seit Monaten sieht man auf heise online an der rechten Seite den Link zu einem Artikel namens “IPv6-Präfixe würfeln“. Dabei geht es darum, OpenWRT einen Teil des IPv6-Präfixes innerhalb gewisser Zeitspannen würfeln zu lassen, damit normale IPv6-Clients nicht nur die Interface-ID der Adresse per Privacy Extensions regelmäßig ändern, sondern auch die Subnetz-ID. Da diese Idee aber so gar keinen Vorteil für den Datenschutz mit sich bringt, möchte ich hier mal etwas dazu schreiben.

Continue reading “IPv6-Präfixe würfeln” – Was soll das?