So, if someone comes over and hooks up to my home wireless network, can malware be transferred that way?

If that person can access your Macs (or iDevices) in addition to using your WiFi, then yes.

That was fast! No, none of my devices are shared and this is not someone with bad intent, just someone who uses their computer on a lot of public networks and may have picked-up something along the way.

It's like living in a gated community, but you still lock your doors. If someone manages to sneak through the gates, (like getting on your home network) they still have to break into your house. (hack your computer's network defenses)

Just because they're in the neighborhood doesn't mean they just can walk into your house. But that does remove one layer of defense. From there they have to (A) get the malware onto your computer, and (B) get it to execute

Great analogy.

If your router supports a guest network you can set one up with its own password. This would enable visitors to access the internet via your guest network, but they won't "see" your computer or any other devices on your local area network.

One caveat: there is no such thing as "invulnerable" when it comes to computing in general and networking in particular. The best anyone can do is make themselves less vulnerable to exploits.

EarthLink told me they offer a Firewall service for $6 a month. Is this useful? I don't really understand what it does.

Earthlink offers a pretty good explanation of what a firewall is and what their service purports to do. However, when you mentioned the $6 a month fee that conjured images of someone in a ski mask, pointing a gun, and demanding my wallet.

1. OS X has its own firewall. In El Capitan it is turned on or off and configured in System Preferences > Security & Privacy > Firewall
2. Most routers have a built in firewall and NAT (Network Address Translation) that will protect your entire Local Area Network
3. OpenDNS Family Shield service is FREE and offers similar protections for all your network devices and if you want even more control including whitelist capabilities it only costs $20 a year.
4. Sandboxing in iOS (and I would assume in sandboxed OS X Apps as well) arguably eliminates the need for firewall protection

I currently have NAT running on my router and the router is configured to use OpenDNS as its DNS server. I could configure all my computers on the LAN to use the OpenDNS servers as well but that seems to me overkill.

NOTE 1: In both OS X and iOS the DNS server is separately configured for each network, so if you have a laptop, iPhone, iPad, or iPod and you are connecting to multiple networks and wish to have the OpenDNS protection you will have to configure each network you join individually. On the other hand once you have joined a network either OS X or iOS will remember the configuration for that network.

NOTE 2: Data Cellular connections in iOS cannot be configured and will always use the host telco DNS service.

I have the following Internet Filter options on my router:

Filter anonymous internet requests (selected by default)
Filter multicast (deselected by default)
Filter internet NAT redirection (deselected by default)
Filter indent (Port 113) (Selected by default)

All the following are enabled by default:

Firewall:

IPv4 SPI firewall protection
IPv6 SPI firewall protection

VPN Passthrough:

IPSec Passthrough
PPTP Passthrough
L2TP Passthrough

Edit 1: It also has a button that says "Add IPv6 Firewall Setting"
Edit 2: I don't know where to change or set the DNS server?

The DNS settings are in the router setup where you specify the LAN settings, and that is different in every make and model router.

Failing that,

• in OS X you set the DNS server in System Preferences > Network > Advanced > DNS.
• in iOS 9 Settings > WiFI > your network id > touch the "info" icon > DNS

I drank too many caffeinated beverages at the Thanksgiving feed today and now i can't sleep so i looked up your router manual to find out how to configure it to disburse the OpenDNS servers to devices on your network. Too bad your router is not compatible with Apple's Airport Utility, or it would be a lot easier, but see page 27 of the Linksys WRT1900AC Wireless Router Manual for setting the DHCP (Dynamic Host Configuration Profile) values including the DNS values.

While you are rummaging around with the settings, I would also suggest turning NAT (Network Address Translation) ON unless you have a specific reason not to do so. It provides a layer of protection between devices on your network and the internet.

First of all, thank you so much for your research. That was very kind of you.

So, if I set the router as you specified, then it is not necessary or possibly a conflict to change the settings on my MBP as well?

Edit: Does getting the Open DNS Family Shield from EarthLink have any conflicts with changing the DNS settings on my router?

Note: I just feel the need to just lock things down because I really hate problems that might have been avoided.

Changing the DNS servers on your router will give any device connected to your LAN (Local Area Network) protection. If you set it in OS X or iOS only that one device is shielded. There is no advantage or disadvantage to changing the DNS server on the router and on OS X or iOS.

NOTE: a few years ago there was a trojan that would change the DNS setting in OS X, but Apple quickly got out an update that prevented the exploit from working.


There would be no conflict because changing the DNS settings on your router or OS X or IOS would replace the Earthlink service. If Earthling really said OpenDNS Family Shield, that the same name as the free service I suggested to you and is copyright protected by OpenDNS. I looked at the Earthlink web site and didn't find any mention of OpenDNS Family Shield but because of the copyright issue that would have to be the same service. If Earthlink is offering the service for $6 a month, why not get it FREE directly from OpenDNS? As I said previously if you want even more control OpenDNS Home VIP is available for $19.95 a year or an annual savings of $50.


You have the same desire that all prudent internet users should have. Unfortunately because there are billions of Dollars, Euros, Pounds Sterling, Yen, etc. that can be made via malware of one sort or another, there are no guaranteed protections short of totally abandoning the use of the internet. All any of us can do — even me who takes constant risks running beta software — is take reasonable precautions. The single best protection does not exist in software or hardware. It is in the grey matter between human ears and behind human eyes. Staying alert and maintaining a cautious attitude.

Yes, I remember the DNS Changer virus. What does OpenDNS exactly do? I remember awhile back I tried changing the DNS server because Earthlink's were slow, but there was a list of reports for each DNS's authenticity. Some were suspect.

It's not just people trying to get money by hacking, it's a 'sport' too. So, it seems even the experts are having trouble tracking down the motivation and intent.

Judging from your experience as you've related it, I assume that you've often tried to teach people to use "common sense", an endeavor in which I've experienced a hopelessly depressing, virtual 100% failure rate.

Have you done any better?

"Macs don't get viruses."

Artie, let's try to stay with troubleshooting in the non-lounge arena please....this comment doesn't lead the topic forward and in fact seems to be leading the topic sideways.

OpenDNS does the same thing any other DNS (Domain Name System) Server does, it translates URLs (Uniform Resource Locator) names such as www.finetunedmac.com into an IP (Internet Protocol) address such as decimal 192.254.225.125 (hexadecimal C0.FE.E1.7D or Binary 1100 0000 1111 1110 1110 0001 0111 1101) that is used to route traffic on the internet. URL naming services submit the domain name and its associated IP address to the system and it is then propagated or copied to every other DNS server in the world.

Although DNS service is free to the user providers often view the service as an additional source of revenue by legal or even illegal means. The legal means of getting revenue is from selling "suggested" alternative sites when an unknown or malformed URL is received. Illegal DNS servers either route the traffic to faux copies of legitimate sites or trap out data going to or from legitimate sites. In either case it is identity theft pure and simple.

Virtually all internet providers have their own DNS server(s) and a substantial number of them view the service as a legal revenue source. Additionally many ISPs save money by providing only minimal server capacity resulting in slow — sometimes painfully slow — response times. Google offers public DNS servers and not surprisingly makes money from advertisers for various services rendered. The financial model used by OpenDNS is to provide users with free protection from the bad guys and charging for additional controls and protections when they are desired or needed. The bulk of their income comes from institutional users who have more elaborate constraints and control needs than most individual users.

I use DNSCrypt which encrypts all communications with the DNS server on all my Macs and it controls the IP address of the OpenDNS server so that overrides the setting in my router. But my iOS devices are protected by the setting in the router when they are on my LAN.

FULL DISCLOSURE: I have no pecuniary or other relationship with Cisco or OpenDNS other than that of a user of long standing. I did try what OpenDNS now calls OpenDNS Home VIP for a year, but I found it did not offer enough added value to continue. I was unaware until today that OpenDNS is now owned by Cisco.

By-the-way any time you see an IP address in the range of
10.0.0.0 to 10.255.255.255
172.16.0.0 to 172.31.255.255
192.168.0.0 to 192.168.255.255
169.254.0.0 to 169.254.255.255
Those are "reserved" for use only on a LAN and your router will not route them to the internet.

Thanks. The name OpenDNS has that 'public' sound to it, but I now understand what it is. It is highly monitored, more secure than EarthLink. Sounds good. I think whenever I have slow internet access it is actually their DNS because in Firefox the black circle on the page tab goes backwards for awhile (sometimes a long while) and then turns to a forwards blue circle and the page loads shortly after that. I suspect that interval is the DNS look-up.

Is DNSCrypt unnecessary with a VPN (Virtual Private Network)?

DNSCrypt can be used with a VPN. They are complimentary services. DNSCrypt works with all traffic and some (many?) sites block VPN.

There is a way to setup your iOS devices using the same, public OpenDNS address settings as on one's Mac and will be in effect when one is on a different WiFi connection than is being provided by one's LAN router.

I also use OpenDNS / DNSCrypt on my Mac, having changed from Google's servers years ago, and I have my iPhone & iPad WiFi connections set to OpenDNS servers having used the following instructions from OS X Daily (albeit their instructions are showing settings for Google DNS servers):

Change iOS DNS Settings

1) Does DNSCrytp change my IP range? Can I still have a static IP for one of my devises?
2) Does DNSCrypt encrypt my email? One of my older accounts won't set up as SSL and that would be a good thing.
3) Does it not protect iOS devices?

I need an explanation I can understand.

I think I can help explain, but I'm not an expert.

DNSCrypt is a Mac client, residing in System Preferences and facilitating the connection to OpenDNS servers (now, owned by Cisco) for browser web site activity.

Using DNSCrypt (OpenDNS) only facilitates DNS activity on one's Mac.

On your Mac, when using DNSCrypt (OpenDNS), it's not changing your internal IP range.

In your OS X Network pref, there's a DNS Server setting (127.0.0.54) in the Advanced -> DNS -> DNS Servers tabs that points your Mac's Network pref to OpenDNS's public IP servers that are set within your router DNS settings, which have the OpenDNS's public DNS server addresses (208.67.222.222 & 208.67.220.220).

I have my Network pref "Config IPv4" set to "DHCP with manual address" where I've set my Mac's internal IP to a specific, internal IP address that my router reserves solely for my Mac.

For iOS devices, see my previous post where one can set an iOS device, for use outside one's WiFi router, to point towards the OpenDNS servers when in the public realm. When your iOS devices are on your own WiFi network (and you're using OpenDNS), your network router is governing how your iOS devices get DNS addresses for Mobile Safari.

DNSCrypt does not encrypt email.

Here's a link to GitHub, which provides a bit more detail, but is a real geek site and not oriented towards non-experts (myself included)... GitHub's DNSCrypt client

My IP range is 192.000... and I have a static IP on the range extender connected to the printer otherwise if I reboot the router, I have to find the printer again by having the print server print a page 'telling me' where it is and have to reset the print control panel. (note: if the Internet is slow or not working it doesn't effect my printer right now and I don't want to change that.)

Note: On the link you gave, it appears there is not a DNSCrypt version for OSX 7.5. Is OpenDNS something that will run well without it?

Does DNSCrypt encrypt your browsing history, I mean, is it just for privacy or is it for security, or just to assist openDNS?

And, does using OpenDNS make it difficult for someone who comes over to connect to my network? And am I right that DNSCrypt lives on my computer and OpenDNS lives on the router?

If your range extender's IP address is actually 192.000.xxx.xxx then it is outside of the "reserved" range recognized by standards compliant routers and can be distributed to the internet at large. To reiterate the IP addresses "reserved" for use on Local area networks are:



LAN IP addresses are assigned (leased) by your router via DHCP (Dynamic Host Configuration Protocol). You can assign fixed IP addresses within the range 192.168.0.0 to 192.168.255.255 but unless you limit your router to a subset of the range there is a possibility the router may assign your fixed IP address to a device other than your printer creating a network conflict. For example configure the router to assign IP addresses in the range 192.168.255.0 to 192.168.255.100 and assign your printer a fixed IP address above that range, say 192.168.255.101 and there will be no possibility of conflict and the printer address will not be routed outside of your LAN. However, even if you do not limit the range of assigned IP addresses, if you choose an address for the printer near the top of the range, say 192.168.255.254 a conflict is still possible but unlikely to occur.


Yes. While DNSCrypt was OpenDNS project, it has been spun off into a separate open source project DNSCrypt.org and there are now in addition to OpenDNS there are a number of other DNS servers throughout the world that have DNSCypt resolvers.


DNSCrypt does not encrypt anything within your computer rather it encrypts the DNS queries — requests for IP addresses. It does not assistOpenDNS per.se. rather it protects DNS requests as they travel between your computer or other internet device and the DNS server and as alluded to previously there are now a number of DNS servers that have DNSCrypt resolver capability other than OpenDNS.


DNSCrypt has nothing to do with logging onto your network or for that matter any network traffic on your LAN. As I said previously LAN IP addresses are resolved by your router and do not go outside of the LAN. The DNS server and DNSCrypt are only used for internet traffic outside of the LAN.

NAT (Network Address Translation) — which you indicated is turned off on your router — acts a bit like a firewall between your LAN and the internet by hiding device addresses on the LAN from the internet.

edited by MacManiac to fix a small typo in the printer address example for JoeMikeB...192.xxx -v- 1925.xxx.....

I was wrong, the printer IP is 192.168.1.128

I turned on the NAT filter.

Sorry about that; I thought it was apparent that my cynicism wasn't meant to be the start of a dialog. (Yeah...I know. )

Thanks Artie, happens to me too.....

For now, can I just do this and forget about installing anything? This would make my network more secure, possibly faster, without having to change any LAN addresses? (I appreciate the explanations and have a better grasp of it now but I am dealing with issues from my recent second back surgery and can't sit at my computer for extended periods of time.)

Sure! But don't expect a speed increase in anything but the initial contact with a web site. Your LAN speed is hardware limited and internet download and upload are limited by your ISP, internet traffic load, and the site's servers.

If it is available for your OS X version DNSCrypt offers a modicum of extra network security but it is a small modicum. Since Artie505 brought up Trusteer Rapport, if it is available for your financial institution it provides more secure communications with that bank, but not anything else. Both are quick downloads, cost nothing, and require little or no setup or configuration. (You may have to quit and restart your browser.) Personally I put both products in the category of nice to have, but definitely not essential

Ok, so I'll do this for now and then maybe explore some other options later. (I'm in a painkiller haze.)

Thanks for the perspective.

(Some of Trusteer's functionality actually is [was, anyhow] available for non-client banks, but I was never certain of its precise nature or usefulness.)

That is interesting because as I understand it Trusteer Rapport is dependent on software running on both ends of the connection. Otherwise why would any bank pay for the service?

my go-to for DNS when I'm in the field is quick n dirty, and easy to remember

primary: 8.8.8.8
alternate: 8.8.4.4

Responded to here.

I havent been able to sit at my laptop for awhile and am getting around to this now. Page 27 of the manual doesn't seem to give DCHP instructions, but my devices do have separate DCHP addresses.

Your devices have different DHCP addresses?

DHCP is not a device, it is a service provided by your network router so there is no DHCP address per se other than the IP address of your router.

DHCP service is used to simplify the process for devices joining a network. This Wikipedia article explains how DHCP works and the contents of the DHCP service message.

I recommend the ebooks by Joe Kissell, Take Control of Mac Security and Take Control of Privacy at Take Control Books.

My understanding is that the IP address is dynamic, i.e. it changes periodically by the ISP, rather than static.

I thought the IP your service provider gives you is always static and can't be changed. I remember, and don't ask me how many years ago and why because I don't remember, I needed my IP changed because of some serious problem, and it could not be done.

Around here a fixed IP address runs an extra $300 to $400 a month. Otherwise you lease an IP address usually for 24 hours or less. You may get the same IP address when the lease is renewed but that is not guaranteed. Fixed IP addresses are generally reserved for persons or businesses running their own web hosting server or having a business need to be transferring GigaBytes or TeraBytes of data up and down on a continuous basis.

See my previous posts on IP addresses in this thread.

So that's what that "Renew DHCP Lease" button is for!

Thanks.

Ok, so, since I can't figure out the DCHP stuff and my router, here:

https://www.flickr.com/photos/slolerner/albums/72157662399920719

Actually there are two "Renew Lease" buttons, one on the computer or network attached device and the other on the router. In either case the router signals the device when its lease has expired and the lease is automatically and invisibly renegotiated. The Renew Lease button is for the sole purpose of manually forcing the IP address lease to be renewed before it is up for renegotiation primarily as a troubleshooting technique.

When a device is attached to a LAN (Local Areea Network) it leases an IP address that by definition cannot be routed outside of the LAN. The Router on the other hand leases a WAN (Wide Area Network) IP address that provides access to the Internet from the IPS's router. If there is a network transaction outbound from a LAN device to an IP address that is not on the LAN the router appends a notation of what device originated the transaction to the message address and sends it using its own (the router's) WAN IP address as the return address. When the response comes back from the Internet the router the identifies the address notation it appended to the return address and routes the reply back to the LAN device using its LAN IP address. That process is called NAT (Network Address Translation) and the actual IP address of the device on the LAN is never exposed to the world.

NAT does two good things:

1. If every device on every LAN had its own external IP address the internet the number of possible IP addresses would have been exhausted many years ago. That is going to happen and much sooner than later, but at least it has postponed the inevitable because the same LAN IP addresses can be used on every LAN without fear of conflict or mis-addressing.
2. It provides an additional layer of protection and hiding for devices on the LAN. It isn't perfect and can be penetrated, but every additional layer of security helps.

Thanks for that informative and understandable post.

Networking is the area of computing that I've had the most trouble getting into, and you've just given me a good "leg-up".

Ok, so now, back to my original issue, I tried to put in the settings for OpenDNS into my router as instructed for the model I have but it did not change the settings in the report section of the router like it should have and Instructions said if it didn't work there was a hiccup in the firmware version and to go back one step with the firmware? Ok, now no 2.4 Ghz network. Everything funky, speed test wouldn't run. Boom, had to reset everything back to factory defaults. (said "sorry" to Ira's net extender for putting it through this type of mess again.)

So, when I did the free, no sign up version, that's what happened, just got instructions. If I do the sign up version, is it going to do something different, like install it or just give me the same instructions?

I put new Open DNS settings in both my router and in my Network prefs in the Mac's System prefs. I don't know if I had to do that but I did.

The instructions are how to change your setting to direct DNS queries to the OpenDNS servers and that is all you need to do. There is nothing to install. If you elect the paid version you have an account with OpenDNS and you logon there to set the additional constraints on what OpenDNS allows to reach you. Again there is nothing to install on your computer or router.

https://support.opendns.com/entries/4870...A6900-WRT1900AC

I did this and the last screenshot they show, under the troubleshooting tab, did not change as they said it would. So, I did what they said to do... See above what happened next.

I hate to ask this and please accept that no offense is intended. My question is based on a mistake I have made — more than once . After you went through the steps outlined in the OpenDNS instructions are you sure you clicked on the Apply button at the bottom of the router screen? If you answer is definite yes then skip to the next paragraph. If not go back and do it again and this time be absolutely certain you click on the Apply button.

The paid version of OpenDNS will give you the same instructions for setting up your router — no difference. The fact the instructions are not working is an issue you need to take up with Linksys Cisco, maybe they have a different set of instructions or even another firmware update for you to install.

While it would be simpler and easier to have the one setting on your router, until the problem with Linksys Cisco is cleared up you can still set the OpenDNS server addresses on your individual devices.

1. In OS X
   1. In System Preferences > Network
   2. Select your active network and then click on the Advanced button
   3. Click on the DNS tab
   4. select any listed DSN server addresses and click on the minus (-) sign at the bottom of the left hand pane
   5. Click on the plus (+) sign at the bottom of the left hand pane
   6. in the field that appears enter 208.67.220.220 and press enter
   7. Repeat steps 5 and 6 twice and enter 208.67.222.222 and 208.67.222.220
   8. you should naw have all three IP addresses listed — each on its own line
   9. Click OK at the bottom of the window
2. In iOS
   1. In Settings > WiFi
   2. touch the Info symbol (a letter i with a circle around it) to the right of your WiFi network ID
   3. scroll down to DNS
   4. Touch the line where the DNS IP address is listed and backspace the current IP address out
   5. enter the following including the commas 208.67.220.220,208.67.222.222,208.67.222.220
3. FWIW most internet devices will allow you to set a fixed DNS IP but it may take digging through a lot of menus and/or if all else fails reading their network setup User's Guide to figure out where and how.

No, I am not 100% sure, only 99%. Am I ready to go through resetting everything again if I did remember? (My parrot knows how to say "Dammit!" but I can't figure out why...)

When my daughter was a teenager our parrot learned to call out her name every time the telephone rang and I never figured out how that happened either.

I remember I did hit the 'Apply' button because it told me the router is about the apply the changes and will not be available for a while...

Then I lost the 2.4 Ghz network ( my iPad is on)

I just read that Cisco acquired OpenDNS.

https://labs.opendns.com

looove that!

(reminds me of a Rodney Dangerfield quote, "I think my wife's cheating on me - every time I come home the parrot yells 'quick, out the window!'")

Well, I signed up for OpenDNS from their website, and it seems they are doing all the work. They monitor my IP and filter based on my settings plus what others suggest and get voted on in discussion boards. I think MacKeeper tops the list!

Thanks, guys.

What does MacKeeper and its unsavory reputation have to do with OpenDNS?