How to protect yourself from cyber attacks?

RUN SAP BETTER

Cyber Security

Cyber Security Overview

Cyber security is the practice of defending computers, servers, mobile devices, electronic systems, networks, and data from malicious attacks. The term applies in a variety of contexts, from business to mobile computing, and can be divided into a few common categories.

Network security is the practice of securing a computer network from intruders, whether targeted attackers or opportunistic malware.
Application security focuses on keeping software and devices free of threats. A compromised application could provide access to the data its designed to protect. Successful security begins in the design stage, well before a program or device is deployed.
Information security protects the integrity and privacy of data, both in storage and in transit.
Operational security includes the processes and decisions for handling and protecting data assets. The permissions users have when accessing a network and the procedures that determine how and where data may be stored or shared all fall under this umbrella.
Disaster recovery and business continuity define how an organization responds to a cyber-security incident or any other event that causes the loss of operations or data. Disaster recovery policies dictate how the organization restores its operations and information to return to the same operating capacity as before the event. Business continuity is the plan the organization falls back on while trying to operate without certain resources.
End-user education addresses the most unpredictable cyber-security factor: people. Anyone can accidentally introduce a virus to an otherwise secure system by failing to follow good security practices. Teaching users to delete suspicious email attachments, not plug in unidentified USB drives, and various other important lessons is vital for the security of any organization.

Cyber Security Solution | XDR vs SIEM

XDR (Extended detection and response)

It is a comprehensive cybersecurity solution that combines multiple security technologies and data sources to provide enhanced threat detection, response, and remediation capabilities. XDR expands beyond traditional EDR (Endpoint Detection and Response) solutions and incorporates additional security telemetry data from various sources, such as network traffic, cloud environments, and other endpoints.

Key features and benefits

Enhanced visibility: XDR collects and analyzes data from diverse sources, including endpoints, network traffic, cloud platforms, and more. This broader visibility provides a comprehensive understanding of the organization's security posture and allows for the detection of complex threats that may span multiple layers.
Advanced analytics and detection: XDR leverages advanced analytics, machine learning, and threat intelligence to detect and prioritize potential security incidents accurately. By applying behavioral analytics and anomaly detection, XDR can identify and flag suspicious activities or indicators of compromise.
Automated and streamlined response: XDR streamlines the incident response process by automating investigation and remediation actions. It can orchestrate response activities across different security tools and endpoints, reducing the time and effort required to contain and mitigate threats.
Threat hunting capabilities: XDR enables proactive threat hunting by allowing security teams to search for indicators of compromise (IoCs) and suspicious activities across the entire security ecosystem. This helps in identifying and eliminating threats before they cause significant damage.
Improved operational efficiency: By consolidating and correlating security data from multiple sources, XDR simplifies security operations and reduces alert fatigue. It provides context-rich insights and actionable intelligence, enabling security teams to focus on critical threats and respond more efficiently.

SIEM (Security information and event management)

It is a cybersecurity solution that helps organizations collect, analyze, and correlate security event data from various sources within their IT infrastructure. SIEM systems provide real-time monitoring, threat detection, incident response, and compliance management capabilities.

Key features and benefits

Data Collection: SIEM collects log data, security events, and system activity logs from a wide range of sources, including network devices, servers, applications, firewalls, intrusion detection systems (IDS), and more. These logs contain valuable information about security events, user activities, and system behavior.
Log Management: SIEM systems store and manage log data in a centralized repository or database. This allows for easy search, retrieval, and long-term retention of logs for compliance and forensic purposes.
Event Correlation: SIEM analyzes and correlates log data from different sources to identify patterns, anomalies, and potential security incidents. It applies predefined rules or algorithms to match events and generate meaningful alerts or notifications.
Real-Time Monitoring: SIEM continuously monitors security events in real time and provides dashboards and visualizations to give security teams a holistic view of the organization's security posture. It allows them to track activities, detect threats, and respond promptly to incidents.
Threat Detection: SIEM uses rule-based correlation or advanced analytics techniques to detect potential security threats and malicious activities. It can identify patterns that indicate attacks, such as brute-force login attempts, suspicious network traffic, or unauthorized access attempts.
Incident Response: SIEM provides workflows and automation capabilities to streamline incident response processes. It enables security teams to investigate and respond to security incidents efficiently, including threat containment, analysis, and remediation.
Compliance Management: SIEM assists organizations in meeting regulatory compliance requirements by collecting and analyzing security logs for auditing purposes. It generates reports and provides evidence of compliance with standards such as PCI DSS, HIPAA, GDPR, and others.
Log Retention and Forensics: SIEM systems store logs for extended periods, allowing security teams to perform forensic analysis and investigations when necessary. This helps in understanding the scope and impact of security incidents and supports post incident remediation efforts.

XDR vs SIEM (Key Differences)

1. Data Sources:

SIEM primarily focuses on log data from various sources within the network, such as firewalls, servers, applications, and network devices. It collects and analyzes logs to identify security events and generate alerts.
XDR goes beyond logs and incorporates a broader range of security telemetry data. It collects and analyzes data from diverse sources, including endpoints, network traffic, cloud environments, and sometimes additional sources like cloud applications, email gateways, or user behavior analytics.

2. Endpoint vs. Network Focus:

SIEM traditionally places more emphasis on network-focused data sources, analyzing logs from network devices and servers. While it can incorporate some endpoint data, the primary focus is on network-centric security events.
XDR expands the scope to include both endpoint and network data. It incorporates endpoint detection and response (EDR) capabilities, analyzing endpoint activities, processes, and behaviors. It also includes network detection and response (NDR) functionalities to monitor network traffic and identify threats.

3. Threat Detection Approach:

SIEM typically relies on rule-based correlation and signature-based detection to identify security incidents. It uses predefined rules and signatures to match events and generate alerts based on known patterns.
XDR leverages advanced analytics, machine learning, and threat intelligence to detect sophisticated threats. It applies behavioral analytics, anomaly detection, and machine learning algorithms to identify anomalies, unknown threats, and indicators of compromise.

4. Response and Automation:

SIEM systems provide alerting and reporting capabilities, allowing security teams to investigate and respond to incidents manually. While some level of automation is possible, the focus is primarily on generating alerts and providing analysis for human decision-making.
XDR offers more extensive automation and orchestration capabilities. It can automate response actions, such as isolating compromised endpoints, blocking malicious network traffic, or initiating remediation tasks.

5. Holistic View and Context:

SIEM provides visibility into security events and logs, allowing security teams to monitor activities and detect threats within the network.
XDR aims to provide a unified and holistic view of the organization's security posture. By collecting and correlating data from various sources, including endpoints, network, and cloud.

Wazuh (XDR + SIEM Platform)

Wazuh is a free and open-source security platform that unifies XDR and SIEM capabilities. It protects workloads across on-premises, virtualized, containerized, and cloud-based environments. Wazuh unifies historically separate functions into a single agent and platform architecture.

Active XDR protection from modern threats: Wazuh provides analysts real-time correlation and context. Active responses are granular, encompassing on-device remediation so endpoints are kept clean and operational.

A comprehensive SIEM solution: The Wazuh Security Information and Event Management (SIEM) solution provides monitoring, detection, and alerting of security events and incidents.

Endpoint Security | Configuration Assessment, Malware Detection and File Integrity Monitoring
Threat Intelligence | Threat Hunting, Log Data Analysis and Vulnerability Detection
Security Operations | Incident Response, Regulatory Compliance and IT Hygiene
Cloud Security | Container Security, Posture Management and Workload Protection

How it is Structured

Wazuh is structured around three pivotal components, each playing a distinct role:

1 | Indexer | The Indexer is the backbone of Wazuh, responsible for efficiently storing and managing vast amounts of security data. It plays a crucial role in facilitating rapid data retrieval and analysis
- Stage 1 Installation |Certificate creation
- Stage 2 Installation |Nodes installation
- Stage 3 Installation |Cluster initialization
2 | Server | Acting as the core processing unit, the Server interprets and analyzes the data collected by agents. It executes essential security operations, such as threat detection, incident response, and compliance management
- Stage 1 Installation | Wazuh server node installation
- Stage 2 Installation |Cluster configuration for multi-node deployment
3 | Dashboard | The Dashboard is the user-friendly interface that provides a visual representation of your security data. It offers pre-built dashboards for quick insights into security events, vulnerabilities, file integrity monitoring, configuration assessments, cloud infrastructure monitoring, and compliance standards

Together, these three components form the foundation of Wazuh, offering a scalable and flexible solution to enhance your organization’s cybersecurity posture.

Requirements

OS: 64-bit Linux
OS Versions: RHEL 7, 8, 9 | Amazon Linux 2 | CentOS 7, 8 | Ubuntu 16.04, 18.04, 20.04, 22.04
Hardware for 1-25 agents:
- Minimum: 2 CPU (cores) | 4 RAM (GBs)
- Recommended: 4 CPU (cores) | 8 RAM (GBs)
Disk space for 1-25 agents: 50 GBs per 90 Days data
Browser Compatibility: Chrome 95 or later | Firefox 93 or later | Safari 13.7 or later
- Browser w/Limited Support: Other Chromium-based browsers
- Browser Not Supported: Internet Explorer 11 is not supported

Before Installation | Lessons Learned | Common constraints

CPU/Memory Error | In the installation step the process can be aborted if the requirements are not met
- Even with the right CPUs/Memory RAM set, the script consider the available at the moment of installation, and the system will be consuming some of the resources. You can just increase a little more
- 1 Option: If you are using a VM, you can increase the CPU cores and Memory RAM
- 2 Option: You the "-i" in the end of the command to bypass that (you will see in the prompt command)
Disk Space Error | In the final steps of the script (dashboard installation), the processes can fail and the installation reverted, due a lack of free disk
- Even with a large VM disk, this can happens due the way the Ubuntu setted the partitions
- 1 Option: You need to increase the partition before installation (How to do it)
Virtual Hard Disk expands to Maximum Size
- If you are using a VM with a dynamically expanding disk, be aware that Wazuh may expand exponentially until it reaches the maximum disk size, despite the internal space being unused and available. Restrict the maximum size accordingly

After Installation

To deploy your first agent
- On the Wazuh Dashboard, go to Menu > Server Management > Endpoints Summary
Lost Password | If you lost your initial admin password you can run this command
- Retrieve Users and Passwords | Command: tar -O -xvf wazuh-install-files.tar wazuh-install-files/wazuh-passwords.txt

Deploying on Ubuntu

This is the quickstart method, provided by Wazuh, to deploy the version v4.9.0 using the official bash script. You can check the official page for the latest version deployments. (https://documentation.wazuh.com/current/quickstart.html)

Open the terminal
For non-root users, use the command "sudo" to perform administrative tasks
(Optional) If your system id not updated | Update Ubuntu | Command: apt update
Download the Wazuh installation assistant | Command: curl -sO https://packages.wazuh.com/4.9/wazuh-install.sh
Execute the Wazuh Scrip using the assistant | Command: bash wazuh-install.sh -a
- (Optional) If the minimum hardware requirement error appears use "-i" | Command: bash wazuh-install.sh -a -i
Login to wazuh using the Browser | Command: https://<wazuh-dashboard-ip>
- Just wait a little longer if you get a message "Wazuh dashboard server is not ready yet"
Initial user and password is informed at the end of installation

Deploying on Docker

This is the installation alternative method, provided by Wazuh, to deploy the version v4.8.2 on docker. You can check the official page for the latest version deployments. (https://documentation.wazuh.com/current/deployment-options/docker/wazuh-container.html)

Open the terminal
For non-root users, use the command "sudo" to perform administrative tasks
(Optional) If your system id not updated | Update Ubuntu | Command: apt update
Install Docker and Docker Compose | Command: apt install docker.io docker-compose -y
Clone the Wazuh | Command: git clone https://github.com/wazuh/wazuh-docker.git -b v4.8.2
Check the new wazuh-docker directory | Command: ls
Enter in the new wazuh-docker directory (single-node) | Command: cd wazuh-docker/single-node/
Generate the certificate | Command: docker-compose -f generate-indexer-certs.yml run --rm generator
Deploy Wazuh single-node using docker-compose in background | Command: docker-compose up -d
Check the Docker Stats to see if all is done and running | Command: docker stats
Login to wazuh using the Browser | Command: https://<wazuh-dashboard-ip>
- Just wait a little longer if you get a message "Wazuh dashboard server is not ready yet"
Initial user and password | User: admin / Password: SecretPassword

Upgrading Wazuh on Docker

If you have a previous version like v4.8.2, in this example you can upgrade to v4.9.0

Open terminal
For non-root users, use the command "sudo" to perform administrative tasks
Enter in the new wazuh-docker directory (single-node) | Command: cd wazuh-docker/single-node/
Stop the outdated environment | Command: docker-compose down
Checkout the tag for the current version | Command: git checkout v4.9.0
Start the new version of Wazuh | Command: docker-compose up -d
Check the Docker Stats to see if all is done and running | Command: docker stats

Restarting the Wazuh Container

If you restart your VM, or for any other reason, your Wazuh dashboard starts giving errors, you can restart the Wazuh container to continue using it until you check the logs and fix the issues.

Open terminal
For non-root users, use the command "sudo" to perform administrative tasks
Enter in the new wazuh-docker directory (single-node) | Command: cd wazuh-docker/single-node/
Stop the outdated environment | Command: docker-compose down
Wait until all processes are "done"
Start the new version of Wazuh | Command: docker-compose up -d
Check the Docker Stats to see if all is done and running | Command: sudo docker stats

Reverse Proxy

A reverse proxy is a server that sits in front of web servers and forwards client (e.g. web browser) requests to those web servers. Reverse proxies are typically implemented to help increase security, performance, and reliability. In order to better understand how a reverse proxy works and the benefits it can provide, let’s first define what a proxy server is.

Benefits of a Proxy

To avoid state or institutional browsing restrictions
To block access to certain content
To protect their identity online

Benefits of a Reverse Proxy

Load balancing
Protection from attacks
GSLB (Global server load balancing)
Caching
SSL encryption

Forward Proxy Flow

Reverse Proxy Flow

Forward Proxy Flow

1/2

Google | Gmail Optimization | DNSSEC Webserver

Gmail Advanced Optimization

Plus Addressing

Probably you receive a lot of unsolicited emails every day. That happens because many companies sell your data for data brokers. The Google "Plus Addressing" feature helps you to add additional information in your gmail address.

Gmail Address: "Email Address" + "@gmail.com" (e.g. "johndoe@gmail.com")
Gmail Plus Addressing: "Email Address" + "Plus Addressing" + "@gmail.com" (e.g. "johndoe+amazon@gmail.com")

Example:

If your email is "johndoe@gmail.com" and you want to to create a Amazon Account
You can add "+amazon" in you email. So your email will be on Amazon "johndoe+amazon@gmail.com"
You will receive the amazon emails in your gmail like the other emails, but you will be able to see the receiver as "johndoe+amazon@gmail.com"
If Amazon sells your data for data brokers you will know what they did

Warning: Nowadays, many companies already know this trick and are blocking Plus Addressing

Dotted Addressing

Unlike Plus Addressing, companies don't block dots in the Gmail address.

It's not as flexible, but it's another way to change your email address without having to create another Gmail account.

Gmail Address: "Email Address" + "@gmail.com" (e.g. "johndoe@gmail.com")
Gmail Dotted Addressing: "Email prefix" + "." "+ "Email suffix" (e.g. "john.doe@gmail.com")

Gmail Filtering

You can use some filters in Gmail to find specific emails.

On the gmail account, go to 'Show Search Option"
In the field 'Has the words'
- Filter for emails with no Label | Syntax: has:nouserlabels
- Filter by Labels with space | Label '[ Important ]' nested on '[ Personal ]'|Syntax: user label:{[-Personal-] [-Important-]}
  - Filter removing a specific Label | Syntax: -{label:[-Personal-]-[-Important-]}
- Filter by emails with no label, from yourself, before a date | Syntax: has:nouserlabels -from:me before:01/01/2013

DNSSEC on Google Domain with Cloudflare

Activating DNSSEC on Google Domains with Cloudflare

In Cloudflare go to | DNS > Settings > Activate DNSSEC

Get the:
- Tag Key
- Digest

In Google Domains go to | DNS

Paste the:
- Tag Key
- Algorithm = 13
- Digest Type = SHA256
- Digest

Wait a couple minutes and it is done.

You can go back to Cloudflare and see the message "Success! Your domain is protected with DNSSEC."

Google Domains DNSSEC

1/1

DNS | Domain Name System

DNS is often compared to a phone book, and it allows users to type domain names into their browsers without having to remember IP addresses.

Browser: www.google.com > DNS Translates > IP Address: 142.250.187.228

Example: when a user types "www.google.com" into their browser, DNS translates that domain name into an IP address that their browser can use to load the website.

DNS Record Types

IP address resolution
- CNAME | CNAME records maps a domain name to another (canonical) domain name. They can be used to resolve other record types present on the target domain name
  - Example: CNAME = 'finance' on google, like 'finance.google.com', will be mapped to 'https://www.google.com/finance/'
- A | A records map a domain name to one or multiple IPv4 address(es)
  - Example: A = 'google.com' will be mapped to '142.250.187.238'
- AAAA | AAAA records map a domain name to one or multiple IPv6 address(es)
  - Example: AAAA = 'google.com' will be mapped to '2a00:1450:4009:827::200e'
Email authentication
- MX | A mail exchange (MX) record is required to deliver email to a mail server
- DKIM | A DomainKeys Identified Mail (DKIM) record ensures email authenticity by cryptographically signing emails
- SPF | A Sender Policy Framework (SPF) record lists authorized IP addresses and domains that can send email on behalf of your domain
- DMARK | A Domain-based Message Authentication Reporting and Conformance (DMARC) record helps generate aggregate reports about your email traffic and provide clear instructions for how email receivers should treat non-conforming emails
Specialized records
- TXT | A text (TXT) record lets you enter text into the DNS system
- NS | A nameserver (NS) record indicates which server should be used for authoritative DNS
- CCA | A Certificate Authority Authorization (CAA) record specifies which Certificate Authorities (CAs) are allowed to issue certificates for a domain
- SRV | A service record (SRV) specifies a host and port for specific services like voice over IP (VOIP), instant messaging, and more
- SVCB and HTTPS | Service Binding (SVCB) and HTTPS Service (HTTPS) records allow you to provide a client with information about how it should connect to a server upfront, without the need of an initial plaintext HTTP connection
- PTR | A pointer (PTR) record specifies the allowed hosts for a given IP address
- SOA | A start of authority (SOA) record stores information about your domain such as admin email address, when the domain was last updated, and more
- DS and DNSKEY | DS and DNSKEY records help implement DNSSEC, which cryptographically signs DNS records to prevent domain spoofing

There are 4 DNS servers involved in loading a webpage

DNS Recursor | The recursor can be thought of as a librarian who is asked to go find a particular book somewhere in a library. The DNS recursor is a server designed to receive queries from client machines through applications such as web browsers. Typically the recursor is then responsible for making additional requests in order to satisfy the client’s DNS query
Root Nameserver | The root server is the first step in translating (resolving) human readable host names into IP addresses. It can be thought of like an index in a library that points to different racks of books - typically it serves as a reference to other more specific locations
TLD Nameserver | The top level domain server (TLD) can be thought of as a specific rack of books in a library. This nameserver is the next step in the search for a specific IP address, and it hosts the last portion of a hostname (In example.com, the TLD server is “com”)
Authoritative Nameserver | This final nameserver can be thought of as a dictionary on a rack of books, in which a specific name can be translated into its definition. The authoritative nameserver is the last stop in the nameserver query. If the authoritative name server has access to the requested record, it will return the IP address for the requested hostname back to the DNS Recursor (the librarian) that made the initial request

DNS Lookup

For most situations, DNS is concerned with a domain name being translated into the appropriate IP address. Often DNS lookup information will be cached either locally inside the querying computer or remotely in the DNS infrastructure. There are typically 8 steps in a DNS lookup. When DNS information is cached, steps are skipped from the DNS lookup process which makes it quicker.

The example below outlines all 8 steps when nothing is cached

1. A user types ‘example.com’ into a web browser and the query travels into the Internet and is received by a DNS recursive resolver
2. The resolver then queries a DNS root nameserver (.)
3. The root server then responds to the resolver with the address of a Top Level Domain (TLD) DNS server (such as .com or .net), which stores the information for its domains. When searching for example.com, our request is pointed toward the .com TLD
4. The resolver then makes a request to the .com TLD
5. The TLD server then responds with the IP address of the domain’s nameserver, example.com
6. Lastly, the recursive resolver sends a query to the domain’s nameserver
7. The IP address for example.com is then returned to the resolver from the nameserver
8. The DNS resolver then responds to the web browser with the IP address of the domain requested initially

DNS Lookup

DNS Lookup and Webpage Query

DNS Record

Request Sequence

DNS Lookup

DNS Lookup and Webpage Query

1/2

Once the 8 steps of the DNS lookup have returned the IP address for 'example.com', the browser is able to make the request for the web page:

9. The browser makes a HTTP request to the IP address
10. The server at that IP returns the webpage to be rendered in the browser

DNS resolver

The DNS resolver is the first stop in the DNS lookup, and it is responsible for dealing with the client that made the initial request. The resolver starts the sequence of queries that ultimately leads to a URL being translated into the necessary IP address.

A typical uncached DNS lookup will involve both recursive and iterative queries.

It's important to differentiate between a recursive DNS query and a recursive DNS resolver. The query refers to the request made to a DNS resolver requiring the resolution of the query. A DNS recursive resolver is the computer that accepts a recursive query and processes the response by making the necessary requests.

3 types of DNS queries

Recursive Query | In a recursive query, a DNS client requires that a DNS server (typically a DNS recursive resolver) will respond to the client with either the requested resource record or an error message if the resolver can't find the record
Iterative Query | In this situation the DNS client will allow a DNS server to return the best answer it can. If the queried DNS server does not have a match for the query name, it will return a referral to a DNS server authoritative for a lower level of the domain namespace. The DNS client will then make a query to the referral address. This process continues with additional DNS servers down the query chain until either an error or timeout occurs
Non-recursive Query | Typically this will occur when a DNS resolver client queries a DNS server for a record that it has access to either because it's authoritative for the record or the record exists inside of its cache. Typically, a DNS server will cache DNS records to prevent additional bandwidth consumption and load on upstream servers

DNS Caching

The purpose of caching is to temporarily stored data in a location that results in improvements in performance and reliability for data requests. DNS caching involves storing data closer to the requesting client so that the DNS query can be resolved earlier and additional queries further down the DNS lookup chain can be avoided, thereby improving load times and reducing bandwidth/CPU consumption. DNS data can be cached in a variety of locations, each of which will store DNS records for a set amount of time determined by a time-to-live (TTL)

Public DNS Servers

A free, global DNS resolution service that you can use as an alternative to your current DNS provider.

It first appeared to simplify and direct internet traffic for users globally. Public DNS servers are accessible to anyone with an internet connection and are often provided by internet service providers or third-party companies. These servers are most commonly used by individuals and organizations that do not require a private network for their DNS queries. They offer a straightforward and efficient way to navigate the web, helping users access websites quickly and reliably.

DNS Ports

DNS Standard | Port: 53 | Protocol: TCP and UDP
DoH DNS-over-HTTPS | Port: 443 | Protocol: HTTPS (HTTP + SSL/TLS)
DoT DNS-over-TLS | Port: 853 | Protocol: TCP
DoQ DNS-over-QUIC | Port: 853 | Protocol: UDP
DNSCrypt | Port: 443, 4443, 5443 or 8443 | Protocol: TCP or UDP

Providers	Type	Category	DNS IPv4	DNS-over-HTTPS	DNS-over-TLS	DNS-over-QUIC	DNSCrypt IPv4	DNS IPv6	DNSCrypt IPv6	Ctry	Page	Comments
Google DNS		Top	8.8.8.8 and 8.8.4.4	https://dns.google/dns-query	tls://dns.google			2001:4860:4860::8888 and 2001:4860:4860::8844			https://developers.google.com/speed/public-dns/	Google DNS is a free, global DNS resolution service that you can use as an alternative to your current DNS provider
Cloudflare DNS	Standard	Top	1.1.1.1 and 1.0.0.1	https://dns.cloudflare.com/dns-query (IPv6: https://dns.cloudflare.com/dns-query)	tls://one.one.one.one			2606:4700:4700::1111 and 2606:4700:4700::1001			https://1.1.1.1/	Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
Cloudflare DNS	Malware blocking only	Top	1.1.1.2 and 1.0.0.2	https://security.cloudflare-dns.com/dns-query	tls://security.cloudflare-dns.com			2606:4700:4700::1112 and 2606:4700:4700::1002			https://1.1.1.1/	Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
Cloudflare DNS	Malware and adult content blocking	Top	1.1.1.3 and 1.0.0.3	https://family.cloudflare-dns.com/dns-query	tls://family.cloudflare-dns.com			2606:4700:4700::1113 and 2606:4700:4700::1003			https://1.1.1.1/	Cloudflare DNS is a free and fast DNS service which functions as a recursive name server providing domain name resolution for any host on the Internet
OpenDNS (Cisco)	Standard	Top	208.67.222.222 and 208.67.220.220	https://doh.opendns.com/dns-query	tls://dns.opendns.com		2.dnscrypt-cert.opendns.com (IP: 208.67.220.220)	2620:119:35::35 and 2620:119:53::53	2.dnscrypt-cert.opendns.com (IPv6: [2620:0:ccc::2])		https://www.opendns.com/	Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
OpenDNS (Cisco)	FamilyShield	Top	208.67.222.123 and 208.67.220.123	https://doh.familyshield.opendns.com/dns-query	tls://familyshield.opendns.com		2.dnscrypt-cert.opendns.com (IP: 208.67.220.123)				https://www.opendns.com/	Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
OpenDNS (Cisco)	Sandbox	Top	208.67.222.2 and 208.67.220.2	https://doh.sandbox.opendns.com/dns-query	tls://sandbox.opendns.com			2620:0:ccc::2 IP: 2620:0:ccd::2			https://www.opendns.com/	Cisco OpenDNS is a service which extends the DNS by incorporating features such as content filtering and phishing protection with a zero downtime
Quad9 DNS	Standard	Well Known	9.9.9.9 and 149.112.112.112	https://dns.quad9.net/dns-query	tls://dns.quad9.net		2.dnscrypt-cert.quad9.net (IP: 9.9.9.9:8443)	2620:fe::fe IP: 2620:fe::fe:9	2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::fe]:8443)		https://quad9.net/	Quad9 DNS is a free, recursive, anycast DNS platform that provides high-performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. Regular DNS servers which provide protection from phishing and spyware. They include blocklists, DNSSEC validation, and other security features
Quad9 DNS	Unsecured	Well Known	9.9.9.10 and 149.112.112.10	https://dns10.quad9.net/dns-query	tls://dns10.quad9.net		2.dnscrypt-cert.quad9.net (IP: 9.9.9.10:8443)	2620:fe::10 IP: 2620:fe::fe:10	2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::fe:10]:8443)		https://quad9.net/	Quad9 DNS is a free, recursive, anycast DNS platform that provides high-performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. Unsecured DNS servers don't provide security blocklists, DNSSEC, or EDNS Client Subnet
Quad9 DNS	ECS support	Well Known	9.9.9.11 and 149.112.112.11	https://dns11.quad9.net/dns-query	tls://dns11.quad9.net		2.dnscrypt-cert.quad9.net (IP: 9.9.9.11:8443)	2620:fe::11 IP: 2620:fe::fe:11	2.dnscrypt-cert.quad9.net (IPv6: [2620:fe::11]:8443)		https://quad9.net/	Quad9 DNS is a free, recursive, anycast DNS platform that provides high-performance, privacy, and security protection from phishing and spyware. Quad9 servers don't provide a censoring component. EDNS Client Subnet is a method that includes components of end-user IP address data in requests that are sent to authoritative DNS servers. It provides security blocklist, DNSSEC, EDNS Client Subnet
AdGuard	Default	Well Known	94.140.14.14 and 94.140.15.15	https://dns.adguard-dns.com/dns-query	tls://dns.adguard-dns.com	quic://dns.adguard-dns.com	2.dnscrypt.default.ns1.adguard.com (IP: 94.140.14.14:5443)	2a10:50c0::ad1:ff and 2a10:50c0::ad2:ff	2.dnscrypt.default.ns1.adguard.com (IPv6: [2a10:50c0::ad1:ff]:5443)		https://adguard-dns.io/welcome.html	AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the necessary number of protection features against online ads, trackers, and phishing, no matter what platform and device you use
AdGuard	Family Protection	Well Known	94.140.14.15 and 94.140.15.16	https://family.adguard-dns.com/dns-query	tls://family.adguard-dns.com	quic://family.adguard-dns.com	2.dnscrypt.family.ns1.adguard.com (IP: 94.140.14.15:5443)	2a10:50c0::bad1:ff and 2a10:50c0::bad2:ff	2.dnscrypt.family.ns1.adguard.com (IPv6: [2a10:50c0::bad1:ff]:5443)		https://adguard-dns.io/welcome.html	AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the necessary number of protection features against online ads, trackers, and phishing, no matter what platform and device you use
AdGuard	Non-filtering	Well Known	94.140.14.140 and 94.140.14.141	https://unfiltered.adguard-dns.com/dns-query	tls://unfiltered.adguard-dns.com	quic://unfiltered.adguard-dns.com	2.dnscrypt.unfiltered.ns1.adguard.com (IP: 94.140.14.140:5443)	2a10:50c0::1:ff and 2a10:50c0::2:ff	2.dnscrypt.unfiltered.ns1.adguard.com (IPv6: [2a10:50c0::1:ff]:5443)		https://adguard-dns.io/welcome.html	AdGuard DNS is an alternative solution for ad blocking, privacy protection, and parental control. It provides the necessary number of protection features against online ads, trackers, and phishing, no matter what platform and device you use
0ms DNS		Relevant		https://0ms.dev/dns-query							https://0ms.dev/	DNS is a global DNS resolution service provided by 0ms Group as an alternative to your current DNS provider. It uses OISD Big as the basic filter to give everyone a more secure environment. It is designed with various optimizations, such as HTTP/3, caching, and more. It leverages machine learning to protect users from potential security threats while also optimizing itself over time
360 Secure DNS		Relevant	101.226.4.6 and 218.30.118.6	https://doh.360.cn/dns-query	tls://dot.360.cn			123.125.81.6 and 140.207.198.6		CN
Ali DNS		Relevant	223.5.5.5 and 223.6.6.6	https://dns.alidns.com/dns-query	tls://dns.alidns.com	quic://dns.alidns.com:853		2400:3200::1 and 2400:3200:baba::1			https://alidns.com/	Ali DNS is a free recursive DNS service that committed to providing fast, stable and secure DNS resolution for the majority of Internet users. It includes AliGuard facility to protect users from various attacks and threats
BebasDNS by BebasID	Security	Relevant		https://antivirus.bebasid.com/dns-query	tls://antivirus.bebasid.com:853						https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	Family	Relevant		https://internetsehat.bebasid.com/dns-query	tls://internetsehat.bebasid.com:853		2.dnscrypt-cert.internetsehat.bebasid.com (IP: 103.87.68.196:8443)				https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	Family With Ad Filtering	Relevant		https://internetsehat.bebasid.com/adblock	tls://family-adblock.bebasid.com:853						https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	OISD Filter	Relevant		https://dns.bebasid.com/dns-oisd	tls://oisd.dns.bebasid.com:853						https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	Hagezi Multi Normal Filter	Relevant		https://dns.bebasid.com/dns-hagezi	tls://hagezi.dns.bebasid.com:853						https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	Unfiltered	Relevant		https://dns.bebasid.com/unfiltered	tls://unfiltered.dns.bebasid.com:853						https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
BebasDNS by BebasID	Default	Relevant		https://dns.bebasid.com/dns-query	tls://dns.bebasid.com:853		2.dnscrypt-cert.dns.bebasid.com (IP: 103.87.68.194:8443)				https://github.com/bebasid/bebasdns	BebasDNS is a free and neutral public resolver based in Indonesia which supports OpenNIC domain. Created by Komunitas Internet Netral Indonesia (KINI) to serve Indonesian user with free and neutral internet connection
CFIEC Public DNS		Relevant		https://dns.cfiec.net/dns-query	tls://dns.cfiec.net			240C::6666 and 240C::6644				IPv6-based anycast DNS service with strong security capabilities and protection from spyware, malicious websites. It supports DNS64 to provide domain name resolution only for IPv6 users
CleanBrowsing	Adult Filter	Relevant	185.228.168.10 and 185.228.169.11	https://doh.cleanbrowsing.org/doh/adult-filter/	tls://adult-filter-dns.cleanbrowsing.org		cleanbrowsing.org (IP: 185.228.168.10:8443)	2a0d:2a00:1::1 and 2a0d:2a00:2::1	cleanbrowsing.org (IPv6: [2a0d:2a00:1::1]:8443)		https://cleanbrowsing.org/	CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
CleanBrowsing	Family Filter	Relevant	185.228.168.168 and 185.228.169.168	https://doh.cleanbrowsing.org/doh/family-filter/	tls://family-filter-dns.cleanbrowsing.org		cleanbrowsing.org (IP: 185.228.168.168:8443)	2a0d:2a00:1:: and 2a0d:2a00:2::	cleanbrowsing.org (IPv6: [2a0d:2a00:1::]:8443)		https://cleanbrowsing.org/	CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
CleanBrowsing	Security Filter	Relevant	185.228.168.9 and 185.228.169.9	https://doh.cleanbrowsing.org/doh/security-filter/	tls://security-filter-dns.cleanbrowsing.org			2a0d:2a00:1::2 and 2a0d:2a00:2::2			https://cleanbrowsing.org/	CleanBrowsing is a DNS service which provides customizable filtering. This service offers a safe way to browse the web without inappropriate content
Comodo Secure DNS		Relevant	8.26.56.26 and 8.20.247.20				2.dnscrypt-cert.shield-2.dnsbycomodo.com (IP: 8.20.247.2)				https://comodo.com/secure-dns/	Comodo Secure DNS is a domain name resolution service that resolves your DNS requests through worldwide network of DNS servers. Removes excessive ads and protects from phishing and spyware
ControlD	Block malware	Relevant	76.76.2.1	https://freedns.controld.com/p1	tls://p1.freedns.controld.com						https://controld.com/free-dns	ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD	Block malware + ads	Relevant	76.76.2.2	https://freedns.controld.com/p2	tls://p2.freedns.controld.com						https://controld.com/free-dns	ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD	Block malware + ads + social	Relevant	76.76.2.3	https://freedns.controld.com/p3	tls://p3.freedns.controld.com						https://controld.com/free-dns	ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
ControlD	Non-filtering	Relevant	76.76.2.0 and 76.76.10.0	https://freedns.controld.com/p0	p0.freedns.controld.com			2606:1a40:: and 2606:1a40:1::			https://controld.com/free-dns	ControlD is a customizable DNS service with proxy capabilities. This means it not only blocks things (ads, porn, etc.), but can also unblock websites and services
DNS Privacy	Run by the Stubby developers	Relevant			tls://getdnsapi.net (IP: 185.49.141.37 and IPv6: 2a04:b900:0:100::37)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy	Run by the Stubby developers \| Provider: Surfnet	Relevant			tls://dnsovertls.sinodun.com (IP: 145.100.185.15 and IPv6: 2001:610:1:40ba:145:100:185:15)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy	Run by the Stubby developers \| Provider: Surfnet	Relevant			tls://dnsovertls1.sinodun.com (IP: 145.100.185.16 and IPv6: 2001:610:1:40ba:145:100:185:16)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. DNS servers run by the Stubby developers
DNS Privacy	No-logging policy \| Provider: UncensoredDNS	Relevant			tls://unicast.censurfridns.dk (IP: 89.233.43.71 and IPv6: 2a01:3a0:53:53::0)					DK	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy \| Provider: UncensoredDNS	Relevant			tls://anycast.censurfridns.dk (IP: 91.239.100.100 and IPv6: 2001:67c:28a4::)					DK	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy \| Provider: dkg	Relevant			tls://dns.cmrg.net (IP: 199.58.81.218 and IPv6: 2001:470:1c:76d::53)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://dns.larsdebruin.net (IP: 51.15.70.167)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://dns-tls.bitwiseshift.net (IP: 81.187.221.24 and IPv6: 2001:8b0:24:24::24)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://ns1.dnsprivacy.at (IP: 94.130.110.185 and IPv6: 2a01:4f8:c0c:3c03::2)					AT	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://ns2.dnsprivacy.at (IP: 94.130.110.178 and IPv6: 2a01:4f8:c0c:3bfc::2)					AT	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://dns.bitgeek.in (IP: 139.59.51.46)					IN	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://dns.neutopia.org (IP: 89.234.186.112 and IPv6: 2a00:5884:8209::2)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy \| Provider: Go6Lab	Relevant			tls://privacydns.go6lab.si (IPv6: 2001:67c:27e4::35)					SI	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	No-logging policy	Relevant			tls://dot.securedns.eu (IP: 146.185.167.43 and IPv6: 2a03:b0c0:0:1010::e9a:3001)					EU	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. Other DNS servers with no-logging policy
DNS Privacy	Minimal logging/restrictions \| Provider: NIC Chile	Relevant			tls://dnsotls.lab.nic.cl (IP: 200.1.123.46 and IPv6: 2001:1398:1:0:200:1:123:46)					CL	https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. These servers use some logging, self-signed certs or no support for strict mode
DNS Privacy	Minimal logging/restrictions \| Provider: OARC	Relevant			tls://tls-dns-u.odvr.dns-oarc.net (IP: 184.105.193.78 and IPv6: 2620:ff:c000:0:1::64:25)						https://dnsprivacy.org/	A collaborative open project to promote, implement, and deploy DNS Privacy. These servers use some logging, self-signed certs or no support for strict mode
DNS.SB		Relevant	185.222.222.222 and 45.11.45.11	https://doh.dns.sb/dns-query	tls://dot.sb			2a09:: and 2a11::		SB	https://dns.sb/	DNS.SB provides free DNS service without logging and with DNSSEC enabled
DNSPod Public DNS+		Relevant	119.29.29.29 and 119.28.28.28	https://doh.pub/dns-query	tls://dot.pub						https://www.dnspod.com/	DNSPod Public DNS+ is a privacy-friendly DNS provider with years of experience in domain name resolution services development, it aims to provide users more rapid, accurate and stable recursive resolution service
DNSPod Public DNS+		Relevant		https://dns.pub/dns-query							https://www.dnspod.com/	DNSPod Public DNS+ is a privacy-friendly DNS provider with years of experience in domain name resolution services development, it aims to provide users more rapid, accurate and stable recursive resolution service
DNSWatchGO		Relevant	54.174.40.213 and 52.3.100.184								https://www.watchguard.com/wgrd-products/dnswatchgo	DNSWatchGO is a DNS service by WatchGuard that prevents people from interacting with malicious content
DeCloudUs DNS		Relevant		https://dns.decloudus.com/dns-query	tls://dns.decloudus.com		2.dnscrypt-cert.DeCloudUs-test (IP: 78.47.212.211:9443)		2.dnscrypt-cert.DeCloudUs-test (IPv6: [2a01:4f8:13a:250b::30]:9443)		https://decloudus.com/	DeCloudUs DNS is a DNS service that lets you block anything you wish while by default protecting you and your family from ads, trackers, malware, phishing, malicious sites, and much more
Dyn DNS		Relevant	216.146.35.35 and 216.146.36.36								https://help.dyn.com/internet-guide-setup/	Dyn DNS is a free alternative DNS service by Dyn
Freenom World		Relevant	80.80.80.80 and 80.80.81.81								https://freenom.world/en/index.html	Freenom World is a free anonymous DNS resolver by Freenom World
Hurricane Electric Public Recursor		Relevant	74.82.42.42	https://ordns.he.net/dns-query	tls://ordns.he.net			2001:470:20::2			https://dns.he.net/	Hurricane Electric Public Recursor is a free alternative DNS service by Hurricane Electric with anycast
Mullvad	Ad blocking	Relevant		https://adblock.dns.mullvad.net/dns-query	tls://adblock.dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Mullvad	Non-filtering	Relevant		https://dns.mullvad.net/dns-query	tls://dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Mullvad	Ad + malware blocking	Relevant		https://base.dns.mullvad.net/dns-query	tls://base.dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Mullvad	Ad + malware + social media blocking	Relevant		https://extended.dns.mullvad.net/dns-query	tls://extended.dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Mullvad	Ad + malware + adult + gambling blocking	Relevant		https://family.dns.mullvad.net/dns-query	tls://family.dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Mullvad	Ad + malware + adult + gambling + social media blocking	Relevant		https://all.dns.mullvad.net/dns-query	tls://all.dns.mullvad.net						https://mullvad.net/en/help/dns-over-https-and-dns-over-tls/	Mullvad provides publicly accessible DNS with QNAME minimization, endpoints located in Germany, Singapore, Sweden, United Kingdom and United States (Dallas & New York)
Nawala Childprotection DNS		Relevant	180.131.144.144 and 180.131.145.145				2.dnscrypt-cert.nawala.id (IP: 180.131.144.144)				http://nawala.id/	Nawala Childprotection DNS is an anycast Internet filtering system that protects children from inappropriate websites and abusive contents
Neustar Recursive DNS	Reliability & Performance 2	Relevant	156.154.70.5 and 156.154.71.5					2610:a1:1018::5 and 2610:a1:1019::5			https://www.security.neustar/digital-performance/dns-services/recursive-dns	Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide reliable and fast DNS lookups without blocking any specific categories and also prevent redirecting NXDomain (non-existent domain) responses to landing pages
Neustar Recursive DNS	Threat Protection	Relevant	156.154.70.2 and 156.154.71.2					2610:a1:1018::2 and 2610:a1:1019::2			https://www.security.neustar/digital-performance/dns-services/recursive-dns	Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide protection against malicious domains and also include "Reliability & Performance" features
Neustar Recursive DNS	Family Secure	Relevant	156.154.70.3 and 156.154.71.3					2610:a1:1018::3 and 2610:a1:1019::3			https://www.security.neustar/digital-performance/dns-services/recursive-dns	Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide adult content blocking and also include "Reliability & Performance" + "Threat Protection" features
Neustar Recursive DNS	Business Secure	Relevant	156.154.70.4 and 156.154.71.4					2610:a1:1018::4 and 2610:a1:1019::4			https://www.security.neustar/digital-performance/dns-services/recursive-dns	Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide blocking unwanted and time-wasting content and also include "Reliability & Performance" + "Threat Protection" + "Family Secure" features
Neustar Recursive DNS	Reliability & Performance 1	Relevant	156.154.70.1 and 156.154.71.1					2610:a1:1018::1 and 2610:a1:1019::1			https://www.security.neustar/digital-performance/dns-services/recursive-dns	Neustar Recursive DNS is a free cloud-based recursive DNS service that delivers fast and reliable access to sites and online applications with built-in security and threat intelligence. These servers provide reliable and fast DNS lookups without blocking any specific categories
NextDNS	Anycast	Relevant		https://anycast.dns.nextdns.io	tls://anycast.dns.nextdns.io						https://nextdns.io/	NextDNS provides publicly accessible non-filtering resolvers without logging in addition to its freemium configurable filtering resolvers with optional logging
NextDNS	Ultra-low latency	Relevant		https://dns.nextdns.io	tls://dns.nextdns.io						https://nextdns.io/	NextDNS provides publicly accessible non-filtering resolvers without logging in addition to its freemium configurable filtering resolvers with optional logging
OpenBLD.net DNS	Strict Filtering (RIC)	Relevant		https://ric.openbld.net/dns-query	tls://ric.openbld.net						https://openbld.net/	OpenBLD.net DNS — Anycast/GeoDNS DNS-over-HTTPS, DNS-over-TLS resolvers with blocking: advertising, tracking, adware, malware, malicious activities and phishing companies, blocks ~1M domains. Has 24h/48h logs for DDoS/Flood attack mitigation. More strictly filtering policies with blocking — ads, marketing, tracking, clickbait, coinhive, malicious, and phishing domains
OpenBLD.net DNS	Adaptive Filtering (ADA)	Relevant		https://ada.openbld.net/dns-query	tls://ada.openbld.net						https://openbld.net/	OpenBLD.net DNS — Anycast/GeoDNS DNS-over-HTTPS, DNS-over-TLS resolvers with blocking: advertising, tracking, adware, malware, malicious activities and phishing companies, blocks ~1M domains. Has 24h/48h logs for DDoS/Flood attack mitigation. Recommended for most users, very flexible filtering with blocking most ads networks, ad-tracking, malware and phishing domains
RethinkDNS	Non-filtering	Relevant		https://basic.rethinkdns.com/	tls://max.rethinkdns.com						https://www.rethinkdns.com/configure
Safe DNS		Relevant	195.46.39.39 and 195.46.39.40								https://www.safedns.com/
Safe Surfer		Relevant	104.155.237.225 and 104.197.28.121				2.dnscrypt-cert.safesurfer.co.nz (IP: 104.197.28.121)			NZ	https://www.safesurfer.co.nz/
Verisign Public DNS		Relevant	64.6.64.6 and 64.6.65.6					2620:74:1b::1:1 and 2620:74:1c::2:2			https://www.verisign.com/security-services/public-dns/
Wikimedia DNS		Relevant		https://wikimedia-dns.org/dns-query	tls://wikimedia-dns.org (IP: 185.71.138.138 and IPv6: 2001:67c:930::1)						https://meta.wikimedia.org/wiki/Wikimedia_DNS
dns0.eu		Relevant	193.110.81.0 and 185.253.5.0	https://zero.dns0.eu/	tls://zero.dns0.eu	quic://zero.dns0.eu				EU	https://www.dns0.eu/	dns0.eu is a free, sovereign and GDPR-compliant recursive DNS resolver with a strong focus on security to protect the citizens and organizations of the European Union
114DNS	Family	Regional	114.114.114.110 and 114.114.115.110								https://www.114dns.com/
114DNS	Normal	Regional	114.114.114.114 and 114.114.115.115								https://www.114dns.com/
114DNS	Safe	Regional	114.114.114.119 and 114.114.115.119								https://www.114dns.com/
Applied Privacy DNS		Regional		https://doh.applied-privacy.net/query	tls://dot1.applied-privacy.net						https://applied-privacy.net/
ByteDance Public DNS		Regional	180.184.1.1 and 180.184.2.2
CIRA Canadian Shield DNS	Protected	Regional	149.112.121.20 and 149.112.122.20	https://protected.canadianshield.cira.ca/dns-query	tls://protected.canadianshield.cira.ca (IP: 149.112.121.20 and IPv6: 2620:10A:80BB::20)			2620:10A:80BB::20 and 2620:10A:80BC::20		CA	https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CIRA Canadian Shield DNS	Family	Regional	149.112.121.30 and 149.112.122.30	https://family.canadianshield.cira.ca/dns-query	tls://family.canadianshield.cira.ca (IP: 149.112.121.30 and IPv6: 2620:10A:80BB::30)			2620:10A:80BB::30 and 2620:10A:80BC::30		CA	https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CIRA Canadian Shield DNS	Private	Regional	149.112.121.10 and 149.112.122.10	https://private.canadianshield.cira.ca/dns-query	tls://private.canadianshield.cira.ca (IP: 149.112.121.10 and IPv6: 2620:10A:80BB::10)			2620:10A:80BB::10 and 2620:10A:80BC::10		CA	https://www.cira.ca/cybersecurity-services/canadianshield/how-works
CZ.NIC ODVR		Regional	193.17.47.1 and 185.43.135.1	https://odvr.nic.cz/doh	tls://odvr.nic.cz			2001:148f:ffff::1 and 2001:148f:fffe::1		CZ	https://www.nic.cz/odvr/
Comss.one DNS		Regional		https://dns.controld.com/comss	tls://comss.dns.controld.com	quic://comss.dns.controld.com				RU	https://www.comss.ru/page.php?id=7315
DNS for Family		Regional	94.130.180.225 and 78.47.64.161	https://dns-doh.dnsforfamily.com/dns-query	tls://dns-dot.dnsforfamily.com	quic://dnsforfamily.com (IP: 94.130.180.225)	dnsforfamily.com (IP: 94.130.180.225)	2a01:4f8:1c0c:40db::1 and 2a01:4f8:1c17:4df8::1	dnsforfamily.com (IPv6: [2a01:4f8:1c0c:40db::1])		https://dnsforfamily.com/
Digitale Gesellschaft DNS		Regional		https://dns.digitale-gesellschaft.ch/dns-query (IP: 185.95.218.42 and IPv6: 2a05:fc84::42)	tls://dns.digitale-gesellschaft.ch (IP: 185.95.218.43 and IPv6: 2a05:fc84::43)					CH	https://www.digitale-gesellschaft.ch/dns/
Fondation Restena DNS		Regional		https://kaitain.restena.lu/dns-query (IP: 158.64.1.29 and IPv6: 2001:a18:1::29)	tls://kaitain.restena.lu (IP: 158.64.1.29 and IPv6: 2001:a18:1::29)					LU	https://www.restena.lu/en/service/public-dns-resolver
IIJ.JP DNS		Regional		https://public.dns.iij.jp/dns-query	tls://public.dns.iij.jp					JP	https://public.dns.iij.jp/
JupitrDNS		Regional	35.215.30.118 and 35.215.48.207	https://dns.jupitrdns.com/dns-query	tls://dns.jupitrdns.com	quic://dns.jupitrdns.com					https://jupitrdns.com/
LibreDNS		Regional	88.198.92.222	https://doh.libredns.gr/dns-query	tls://dot.libredns.gr (IP: 116.202.176.26)					GR	https://libredns.gr/
LibreDNS	Ads	Regional		https://doh.libredns.gr/ads						GR	https://libredns.gr/
OneDNS	Pure Edition	Regional	117.50.10.10 and 52.80.52.52								https://www.onedns.net/
OneDNS	Block Edition	Regional	117.50.11.11 and 52.80.66.66								https://www.onedns.net/
OpenNIC DNS		Regional	217.160.70.42					2001:8d8:1801:86e7::1			https://www.opennic.org/
Quad101		Regional	101.101.101.101 and 101.102.103.104	https://dns.twnic.tw/dns-query	tls://101.101.101.101			2001:de4::101 and 2001:de4::102		TW	https://101.101.101.101/
SWITCH DNS		Regional	dns.switch.ch IP: 130.59.31.248	https://dns.switch.ch/dns-query	tls://dns.switch.ch (IP: 130.59.31.248 and IPv6: 2001:620:0:ff::2)			dns.switch.ch IPv6: 2001:620:0:ff::2		CH	https://www.switch.ch/security/info/public-dns/
SkyDNS RU		Regional	193.58.251.251							RU	https://www.skydns.ru/en/
Yandex DNS	Basic	Regional	77.88.8.8 and 77.88.8.1	https://common.dot.dns.yandex.net/dns-query	tls://common.dot.dns.yandex.net			2a02:6b8::feed:0ff and 2a02:6b8:0:1::feed:0ff		RU	https://dns.yandex.com/
Yandex DNS	Safe	Regional	77.88.8.88 and 77.88.8.2	https://safe.dot.dns.yandex.net/dns-query	tls://safe.dot.dns.yandex.net			2a02:6b8::feed:bad and 2a02:6b8:0:1::feed:bad		RU	https://dns.yandex.com/
Yandex DNS	Family	Regional	77.88.8.3 and 77.88.8.7	https://family.dot.dns.yandex.net/dns-query	tls://family.dot.dns.yandex.net			2a02:6b8::feed:a11 and 2a02:6b8:0:1::feed:a11		RU	https://dns.yandex.com/
AhaDNS		Small (Risky)	5.2.75.75	https://doh.nl.ahadns.net/dns-query	tls://dot.nl.ahadns.net			2a04:52c0:101:75::75		NL	https://ahadns.com/
AhaDNS		Small (Risky)	45.67.219.208	https://doh.la.ahadns.net/dns-query	tls://dot.la.ahadns.net			2a04:bdc7:100:70::70		US	https://ahadns.com/
Arapurayil		Small (Risky)		Host: https://dns.arapurayil.com/dns-query			2.dnscrypt-cert.dns.arapurayil.com (IP: 3.7.156.128)				https://dns.arapurayil.com/
BlackMagicc DNS		Small (Risky)	103.178.234.160	https://robin.techomespace.com/dns-query	tls://robin.techomespace.com:853			2405:19c0:2:ea2e::1			https://bento.me/blackmagicc
Captnemo DNS		Small (Risky)					2.dnscrypt-cert.captnemo.in (IP: 139.59.48.222:4434)			IN	https://captnemo.in/dnscrypt/
DNS Forge		Small (Risky)	176.9.93.198 and 176.9.1.117	https://dnsforge.de/dns-query	tls://dnsforge.de			2a01:4f8:151:34aa::198 and 2a01:4f8:141:316d::117		DE	https://dnsforge.de/
DNSWarden		Small (Risky)		https://dns.dnswarden.com/uncensored	tls://uncensored.dns.dnswarden.com						https://dnswarden.com/customfilter.html
Dandelion Sprout's Official DNS Server		Small (Risky)		https://dandelionsprout.asuscomm.com:2501/dns-query	tls://dandelionsprout.asuscomm.com:853	quic://dandelionsprout.asuscomm.com:48582					https://github.com/DandelionSprout/adfilt/tree/master/Dandelion%20Sprout's%20Official%20DNS%20Server
FFMUC DNS		Small (Risky)		https://doh.ffmuc.net/dns-query	tls://dot.ffmuc.net		2.dnscrypt-cert.ffmuc.net (IP: 5.1.66.255:8443)		2.dnscrypt-cert.ffmuc.net (IPv6: [2001:678:e68:f000::]:8443)		https://ffmuc.net/
Lelux DNS		Small (Risky)		https://resolver-eu.lelux.fi/dns-query	tls://resolver-eu.lelux.fi					FI	https://lelux.fi/resolver/
OSZX DNS	OSZX DNS	Small (Risky)	51.38.83.141	https://dns.oszx.co/dns-query	tls://dns.oszx.co		2.dnscrypt-cert.oszx.co (IP: 51.38.83.141:5353)	2001:41d0:801:2000::d64	2.dnscrypt-cert.oszx.co (IPv6: [2001:41d0:801:2000::d64]:5353)	UK	https://dns.oszx.co/
OSZX DNS	PumpleX	Small (Risky)	51.38.82.198	https://dns.pumplex.com/dns-query	tls://dns.pumplex.com		2.dnscrypt-cert.pumplex.com (IP: 51.38.82.198:5353)	2001:41d0:801:2000::1b28	2.dnscrypt-cert.pumplex.com (IPv6: [2001:41d0:801:2000::1b28]:5353)	UK	https://dns.oszx.co/
Privacy-First DNS	Japan Server	Small (Risky)	172.104.93.80	https://jp.tiar.app/dns-query	tls://jp.tiar.app		2.dnscrypt-cert.jp.tiar.app (IP: 172.104.93.80)	2400:8902::f03c:91ff:feda:c514	Provider: 2.dnscrypt-cert.jp.tiar.app IP: [2400:8902::f03c:91ff:feda:c514]	JP	https://tiarap.org/
Privacy-First DNS	Singapore Server	Small (Risky)	174.138.21.128	https://doh.tiar.app/dns-query	tls://dot.tiar.app	quic://doh.tiar.app	2.dnscrypt-cert.dns.tiar.app (IP: 174.138.21.128)	2400:6180:0:d0::5f6e:4001	2.dnscrypt-cert.dns.tiar.app (IPv6: [2400:6180:0:d0::5f6e:4001])	SG	https://tiarap.org/
Privacy-First DNS	Cached via third-party	Small (Risky)		https://jp.tiarap.org/dns-query						JP	https://tiarap.org/
Privacy-First DNS	Cached via third-party	Small (Risky)		https://doh.tiarap.org/dns-query						SG	https://tiarap.org/
Seby DNS		Small (Risky)	45.76.113.31		tls://dot.seby.io		2.dnscrypt-cert.dns.seby.io (IP: 45.76.113.31)			RS	https://dns.seby.io/
fvz DNS		Small (Risky)					2.dnscrypt-cert.dnsrec.meo.ws (IP: 185.121.177.177:5353)				http://meo.ws/
fvz DNS		Small (Risky)					2.dnscrypt-cert.dnsrec.meo.ws (IP: 169.239.202.202:5353)				http://meo.ws/
ibksturm DNS		Small (Risky)		https://ibksturm.synology.me/dns-query (IP: 213.196.191.96)	tls://ibksturm.synology.me (IP: 213.196.191.96)	quic://ibksturm.synology.me (IP: 213.196.191.96)	2.dnscrypt-cert.ibksturm (IP: 213.196.191.96:8443)				https://ibksturm.synology.me/

rDNS | Reverse DNS

What is reverse DNS?
A reverse DNS lookup is a DNS query for the domain name associated with a given IP address. This accomplishes the opposite of the more commonly used forward DNS lookup, in which the DNS system is queried to return an IP address.

Standards from the Internet Engineering Task Force (IETF) suggest that every domain should be capable of reverse DNS lookup, but as reverse lookups are not critical to the normal function of the Internet, they are not a hard requirement. As such, reverse DNS lookups are not universally adopted.

How does reverse DNS work?
Reverse DNS lookups query DNS servers for a PTR (pointer) record; if the server does not have a PTR record, it cannot resolve a reverse lookup. PTR records store IP addresses with their segments reversed, and they append ".in-addr.arpa" to that. For example if a domain has an IP address of 192.0.2.1, the PTR record will store the domain's information under 1.2.0.192.in-addr.arpa.

In IPv6, the latest version of the Internet Protocol, PTR records are stored within the ".ip6.arpa" domain instead of ".in-addr.arpa."

What are reverse DNS lookups used for?
Reverse lookups are commonly used by email servers. Email servers check and see if an email message came from a valid server before bringing it onto their network. Many email servers will reject messages from any server that does not support reverse lookups or from a server that is highly unlikely to be legitimate. Spammers often use IP addresses from hijacked machines, which means there will be no PTR record. Or, they may use dynamically assigned IP addresses that lead to server domains with highly generic names.

Logging software also employs reverse lookups in order to provide users with human-readable domains in their log data, as opposed to a bunch of numeric IP addresses.

mDNS | Multicast DNS

What is multicast DNS?

mDNS is meant to deal with having names for machines on local networks without needing to register them on DNS servers. This is especially useful when there are no DNS servers you can control – think of a home with a couple of devices who need to interact locally without going to the internet.

Examples: Chromecast and network printers are some good examples.

In the context of WebRTC, mDNS has been introduced to protect against the JavaScript application accessing the local IP addresses that are exchanged during ICE negotiation. This is achieved by the browser replacing its local IP addresses with random mDNS ones that it registers on the local network.

ICE | Interactive Connectivity Establishment

It is a standard method of NAT traversal used in WebRTC. It is defined in IETF RFC 5245. ICE deals with the process of connecting media through NATs by conducting connectivity checks.

ICE collects all available candidates (local IP addresses, reflexive addresses – STUN ones and relayed addresses – TURN ones). All the collected addresses are then sent to the remote peer via SDP. Once the WebRTC Client has all the collected ICE addresses of itself and its peer, it starts initiating connectivity checks. These checks essentially try sending media over the various addresses until success.

The downside of using ICE is the time it takes, which can be 10s of seconds. To run faster, a new mechanism was added in WebRTC called Trickle ICE.

Ping | How to Ping a Specific Port?

The Ping (Packet Internet or Inter-Network Groper) is a network tool for checking whether a remote system is up and running. In other words, the command determines if a certain IP address or a host are accessible. Ping uses a network layer protocol called Internet Control Message Protocol (ICMP) and is available on all operating systems.

On the other hand, port numbers belong to transport layer protocols, such as TCP and UDP. Port numbers help identify where an Internet or other network message is forwarded when it arrives.

Why Can't I Ping a Specific Port?

Network devices use ICMP to send error messages and information on whether communication with an IP address is successful or not. ICMP differs from transport protocols as ICMP is not used to exchange data between systems.

Ping uses ICMP packets, and ICMP does not use port numbers which means a port can’t be pinged.

How Can I Ping a Specific Port? (Workaround)

However, we can use ping with a similar intention to check if a port is open or not.

Some network tools and utilities can simulate an attempt to establish a connection to a specific port and wait to see if the target host responds. If there is a response, the target port is open. If not, the target port is closed, or the host is unable to accept a connection because there is no service configured to listen for connections on that port.

Tools to Ping a Port

Telnet (Windows / Linux)

On Windows, open the CMD Prompt (searching for "CMD") or Powershell (searching for "Powershell)
On Linux, you can use the command directly at the prompt
Command: telnet <ip> <port>
- Example: telnet 10.0.0.100 8006 (Port 8006 is used by Proxmox)
If the port is open, telnet establishes a connection. Otherwise, it states a failure

NC | Netcat (Linux)

Command: nc -vz <address> <port_number>
- Example: nc -vz 10.0.0.100 8006 (Port 8006 is used by Proxmox)
The output informs the user if the connection to the specified port is successful or not. If it is successful, the port is open

NMAP | Network Mapper (Linux)

Command: nmap -p <port_number> <address>
- Example: nmap -p 8006 10.0.0.100 (Port 8006 is used by Proxmox)
The output informs the user about the port’s state and service type, latency, and the time elapsed until the completion of the task
To ping more than one port. Command: nmap -p <number-range> <address>

Powershell (Windows)

Open Powershell (searching for "Powershell)
Command: Test-NetConnection <address> -p <port_number>
- Example: Test-NetConnection 10.0.0.100 -p 8006 (Port 8006 is used by Proxmox)
If the port is open and the connection passes, the TCP test is successful. Otherwise, a warning message appears saying the TCP connection failed

Installing the Tools

Telnet (Windows / Linux)

Ubuntu | Command: sudo apt install telnet
CentOS/Fedora | Command: yum -y install telnet
Windows | Check Here

NC | Netcat (Linux)

Debian, Ubuntu, and Mint
- Check if Netcat is installed| Command: netcat -h
Fedora, Red Hat Enterprise Linux, and CentOS
- Check if Netcat is installed| Command: ncat -h
If not installed | Command: sudo apt install netcat

NMAP | Network Mapper (Linux)

Check if NMAP is installed| Command: nmap -version
If not installed

Ubuntu or Debian | Command: sudo apt install nmap
CentOS or RHEL | Command: sudo yum install nmap

Telnet | Teletype Network

Telnet is a network protocol that allows users to connect to and communicate with remote computers using a transmission control protocol/Internet protocol (TCP/IP) network. It provides a command-line interface that acts like a virtual terminal, allowing users to access a remote system as if they were physically there.

It was developed in 1969 and has been an essential tool for connecting computers and devices remotely. Despite being an old protocol, it still plays a critical role in modern-day remote access solutions.

Security Issue: Telnet is a popular choice for remote access because it's reliable and secure, and it's also easy to use and configure. However, it does have some security concerns because it lacks encryption and transmits data in clear text. This means that anyone with access to the network could potentially intercept and read the data, including passwords and sensitive data. Alternatives like SSH offer more secure remote management options.

Common uses

Remote management: Users can access and manage network nodes, such as servers, routers, and switches, from a distance
Initial device setup: Users can set up network hardware
Testing services: Users can test services
Debugging email problems: Users can send emails directly from the server to detect errors
Configuring servers: Users can quickly and easily implement changes to the directory structure, file access rights, or passwords
Accessing legacy systems: Some legacy computer systems still rely on Telnet for remote access. It helps connect to these systems, run applications, process data, and manage resources.
Troubleshooting network connectivity: It can be used to test connectivity to a network device or server. By establishing a Telnet connection to the device or server, you can check whether it’s reachable, identify any errors or connectivity issues, and diagnose network problems.

How to use it to troubleshooting network connectivity

You can check if a specific port is open simply:

Open the PowerShell
Typing the command: telnet <ip> <port>
- Example: telnet 10.0.0.100 8006 (Port 8006 is used by Proxmox)
If the port is open, telnet establishes a connection. Otherwise, it states a failure

Installing Telnet

Ubuntu

Command: yum -y install telnet

CentOS/Fedora

Command: sudo apt install telnet

Windows

Open “Control Panel“
Open “Programs“
Select the “Turn Windows features on or off ” option
Check the “Telnet Client” box
Click “OK“. A box will appear that says “Windows features” and “Searching for required files“. When complete, the Telnet client should be installed in Windows

NMAP | Network Mapper

NMAP (Network Mapper) is a free and open source utility for network discovery and security auditing.

Nmap uses raw IP packets in novel ways to determine:

What hosts are available on the network
What services (application name and version) those hosts are offering
What operating systems (and OS versions) they are running
What type of packet filters/firewalls are in use and other characteristics

It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X.

Installing NMAP on Linux

Check if NMAP is installed| Command: nmap -version
If not installed
- Ubuntu or Debian | Command: sudo apt install nmap
- CentOS or RHEL | Command: sudo yum install nmap

Running NMAP

Run TCP Scan | Command: nmap -sT <Public IP Address>
Run Script to find Vulnerabilities | Command: nmap --script vuln <Public IP Address>

Wireshark | Open-Source Network Packet Analyzer

Wireshark, Originally named Ethereal but renamed in May 2006, is a free and open-source network packet analyzer. It is used for network troubleshooting, analysis, software and communications protocol development, and education.

A network packet analyzer presents captured packet data in as much detail as possible.

You could think of a network packet analyzer as a measuring device for examining what’s happening inside a network cable, just like an electrician uses a voltmeter for examining what’s happening inside an electric cable (but at a higher level, of course).

Intended Purposes

Network administrators use it to troubleshoot network problems
Network security engineers use it to examine security problems
QA engineers use it to verify network applications
Developers use it to debug protocol implementations
People use it to learn network protocol internals

What is not provided

Wireshark isn’t an intrusion detection system
Wireshark will not manipulate things on the network, it will only “measure” things from it

Features

Available for UNIX and Windows
Capture live packet data from a network interface
Open files containing packet data captured with tcpdump/WinDump, Wireshark, and many other packet capture programs
Import packets from text files containing hex dumps of packet data
Display packets with very detailed protocol information
Save packet data captured
Export some or all packets in a number of capture file formats
Filter packets on many criteria
Search for packets on many criteria
Colorize packet display based on filters
Create various statistics

Capabilities

Live capture from many different network media
- Wireshark can capture traffic from many different network media types, including Ethernet, Wireless LAN, Bluetooth, USB, and more
- The specific media types supported may be limited by several factors, including your hardware and operating system
Import files from many other capture programs
- Wireshark can open packet captures from a large number of capture programs
Export files for many other capture programs
- Wireshark can save captured packets in many formats, including those used by other capture programs
Many protocol dissectors
- There are protocol dissectors (or decoders, as they are known in other products) for a great many protocols

Ubuntu | Installing Wireshark

Using the APT (Advanced Package Tool) Method)

The software repository of Ubuntu includes Wireshark by default, which enables you to install the package using the APT. It is the easiest and most straightforward method. It ensures you have the latest version of Wireshark when the Ubuntu system is updated. Execute the following command in the Ubuntu terminal.

Install the Wireshark | Command: sudo apt install wireshark
You will be asked if a "non-superuser can capture packets". This means that a user other than the "root" user can run Wireshark.
- If you have another user, select "Yes"
  - Add your user to the wireshark group | Command: sudo usermod -aG wireshark <username>
    - Example: sudo usermod -aG wireshark john01
- If you use the "root" user, select "No" and you won't need to perform anything else
OPTIONAL | If you want to change your "non-superuser packet capture" option later, use the Command: sudo dpkg-reconfigure wireshark-common
Verify if the Wireshark was installed checking its version | Command: wireshark --version
Launch the Wireshark | Command: sudo wireshark

To uninstall Wireshark | Command: sudo apt-get remove --purge wireshark

Using the PPA (Personal Package Archive) Method

If the Ubuntu version of your computer is older, you can use the PPA maintained by the Wireshark developers.

Add the official Wireshark PPA to your list of repositories |Command: sudo add-apt-repository ppa:wireshark-dev/stable -y
Update the package list | Command: sudo apt update
Install the Wireshark | Command: sudo apt install wireshark

You will be asked if a "non-superuser can capture packets". This means that a user other than the "root" user can run Wireshark.
- If you have another user, select "Yes"
  - Add your user to the wireshark group | Command: sudo usermod -aG wireshark <username>
    - Example: sudo usermod -aG wireshark john01
- If you use the "root" user, select "No" and you won't need to perform anything else
OPTIONAL | If you want to change your "non-superuser packet capture" option later, use the Command: sudo dpkg-reconfigure wireshark-common
Verify if the Wireshark was installed checking its version | Command: wireshark --version
Launch the Wireshark | Command: sudo wireshark

To uninstall Wireshark | Command: sudo apt-get-repository –remove ppa:wireshark-dev/stable -y

Network Protocols

Network protocols are the sets of standards that allow two or more machines connected to the internet to communicate with each other. It works as a universal language, which can be interpreted by computers from any manufacturer, using any operating system.

They are responsible for taking data transmitted over the network and dividing it into small pieces, which are called packets. Each packet carries source and destination addressing information. Protocols are also responsible for systematizing the establishment, control, traffic and closure phases.

Key elements that define network protocols:

Syntax: Represents the format of the data and the order in which it is presented
Semantics: Refers to the meaning of each syntactic set that gives meaning to the message sent
Timing: Defines an acceptable packet transmission speed

Types of Network Protocols

For communication between computers to be carried out correctly, both computers must be configured according to the same parameters and comply with the same communication standards.

The network is divided into layers, each with a specific function. The different types of network protocols vary according to the type of service used and the corresponding layer.

The main layers and their main protocol types:

Application Layer: WWW, HTTP, SMTP, Telnet, FTP, SSH, NNTP, RDP, IRC, SNMP, POP3, IMAP, SIP, DNS, PING
Transport Layer: TCP, UDP, RTP, DCCP, SCTP
Network Layer: IPv4, IPv6, IPsec, ICMP
Physical Link Layer: Ethernet, Modem, PPP, FDDi

Transmission Control Protocol (TCP)

TCP is a popular communication protocol which is used for communicating over a network. It divides any message into series of packets that are sent from source to destination and there it gets reassembled at the destination.

Internet Protocol (IP)

IP is designed explicitly as addressing protocol. It is mostly used with TCP. The IP addresses in packets help in routing them through different nodes in a network until it reaches the destination system. TCP/IP is the most popular protocol connecting the networks.

User Datagram Protocol (UDP)

UDP is a substitute communication protocol to Transmission Control Protocol implemented primarily for creating loss-tolerating and low-latency linking between different applications.

Post office Protocol (POP)

POP3 is designed for receiving incoming E-mails.

Simple mail transport Protocol (SMTP)

SMTP is designed to send and distribute outgoing E-Mail.

File Transfer Protocol (FTP)

FTP allows users to transfer files from one machine to another. Types of files may include program files, multimedia files, text files, and documents, etc.

Hyper Text Transfer Protocol (HTTP)

HTTP is designed for transferring a hypertext among two or more systems. HTML tags are used for creating links. These links may be in any form like text or images. HTTP is designed on Client-server principles which allow a client system for establishing a connection with the server machine for making a request. The server acknowledges the request initiated by the client and responds accordingly.

Hyper Text Transfer Protocol Secure (HTTPS)

HTTPS is abbreviated as Hyper Text Transfer Protocol Secure is a standard protocol to secure the communication among two computers one using the browser and other fetching data from web server. HTTP is used for transferring data between the client browser (request) and the web server (response) in the hypertext format, same in case of HTTPS except that the transferring of data is done in an encrypted format. So it can be said that https thwart hackers from interpretation or modification of data throughout the transfer of packets.

SSL - Secure Sockets Layer

It is an encryption-based Internet security protocol. It was first developed by Netscape in 1995 for the purpose of ensuring privacy, authentication, and data integrity in Internet communications. SSL is the predecessor to the modern TLS encryption used today.

A website that implements SSL/TLS has "HTTPS" in its URL instead of "HTTP."

TLS - Transport Layer Security

It is a widely adopted security protocol designed to facilitate privacy and data security for communications over the Internet. A primary use case of TLS is encrypting the communication between web applications and servers, such as web browsers loading a website. TLS can also be used to encrypt other communications such as email, messaging, and voice over IP (VoIP). In this article we will focus on the role of TLS in web application security.

TLS was proposed by the Internet Engineering Task Force (IETF), an international standards organization, and the first version of the protocol was published in 1999. The most recent version is TLS 1.3, which was published in 2018.

Telnet

Telnet is a set of rules designed for connecting one system with another. The connecting process here is termed as remote login. The system which requests for connection is the local computer, and the system which accepts the connection is the remote computer.

Gopher

Gopher is a collection of rules implemented for searching, retrieving as well as displaying documents from isolated sites. Gopher also works on the client/server principle.

Protocols used by SAP

Common Programming Interface for Communication (CPI-C)

SAP uses Common Programming Interface for Communication (CPIC) protocol to transfer data between systems. CPIC is an SAP specific protocol.

Open Data Protocol (OData)

The Open Data Protocol (OData) is a standardized protocol for exposing and accessing information from
various sources. OData is based on core protocols, including HTTP, AtomPub (Atom Publishing Protocol), XML,
and JSON (Java Script Object Notation).

MQTT - Message Queuing Telemetry Transport

MQTT is a message protocol for machine-to-machine communication (M2M) and IoT. You can use the MQTT source system to set up a connection to an MQTT broker (MQTT server). It is most commonly run over TCP/IP stack, but there are MQTT implementations that use other protocols.

The supported communication protocol between SAP S/4HANA and SAP Cloud Platform Enterprise Messaging will be MQTT (over Websocket). With the feature of Enterprise Event Enablement of S/4HANA, you can pass the S/4HANA event to the external systems via the middleware called SAP Cloud Platform Enterprise Messaging.

HTTP vs MQTT: HTTP is typically a transient interface in which each request is a short-lived session. MQTT sessions are long-lived. Another important difference is that HTTP operates on a command-response basis. A command gets sent to the server and a response returns.

TCP vs UDP | Protocol Comparison

Whether your data is transferred quickly and in full depends on which network protocols you use, UDP or TCP. They both do the same job but in different ways. One is more reliable and the other one is faster.

TCP (transmission control protocol) is connection-based, so it establishes a connection between the receiver and sender and maintains it while transferring data. It guarantees that the data arrives completely intact.

UDP (User Datagram Protocol) is connectionless, so it doesn’t establish a prior connection between two parties. It has the potential to lose data along the way, but in return you’ll have much higher speeds.

Reliability
- TCP: High
- UDP: Lower
Speed
- TCP: Lower
- UDP: High
Transfer Method
- TCP: Packets are delivered in a sequence
- UDP: Packets are delivered in a stream
Error Detection and Correction
- TCP: Yes
- UDP: No
Congestion Control
- TCP: Yes
- UDP: No
Acknowledgement
- TCP: Yes
- UDP: Only the Checksum (Checksum is the final two bytes of the UDP header, a field that's used by the sender and receiver to check for data corruption)

Warning: UDP is not recommended for transmitting large files.

SSL vs TLS | Protocol Comparison

Protocol Evolution: SSL 1.0 > SSL 2.0 > SSL 3.0 > TLS 1.0 > TLS 1.1 > TLS 1.2 > TLS 1.3

SSL (Secure Sockets Layer)

Secure Sockets Layer (SSL) is a protocol that encrypts and secures data transmitted over the internet. SSL protects data from being intercepted by hackers and prevents them from stealing personal or financial information.

SSL works by:

Encryption: SSL encrypts data sent between a browser and a website or between two servers
Authentication: SSL authenticates web servers. SSL initiates an authentication process between two devices called a handshake
Integrity: SSL digitally signs data to verify that it hasn't been tampered with

SSL was introduced by Netscape in 1995 and was the first widely used protocol for securing online transactions. Although it has been replaced by a more updated protocol called Transport Layer Security (TLS), SSL is still commonly used today.

TLS (Transport Layer Security)

Transport Layer Security (TLS) is a security protocol that encrypts data sent between computers over the internet. It's used to protect data from hackers and ensure that all parties involved in a transaction are who they claim to be.

TLS has three main functions:

Encryption: Hides sensitive data during transfer
Authentication: Verifies the identities of the client and server
Integrity: Verifies that data hasn't been tampered with or forged

TLS is the most widely used security protocol today. It's primarily used to encrypt communication between web browsers and servers, but it can also secure email and other protocols. TLS handshakes are a multi-step process that involves the client authenticating the server and the client and server exchanging a shared secret.

TLS replaced SSL in 2015 after SSL was compromised by vulnerabilities. Most people still use the term SSL because it's more widely known.

Protocol Comparison

Stands For
- SSL: Secure Sockets Layer
- TLS: Transport Layer Security
Version History
- SSL: Replaced with TLS. SSL moved through versions 1.0, 2.0, and 3.0
- TLS: Upgraded version of SSL. TLS has moved through versions 1.0, 1.1, 1.2, and 1.3
Algorithm
- SSL: Supports older algorithms with known security vulnerabilities
- TLS: Utilizes advanced encryption algorithms (Fortezza algorithm is not supported)
Activity
- SSL: It is now considered deprecated due to significant vulnerabilities
- TLS: Currently the versions 1.2 and 1.3 are actively used due to its robust security
Alert Messages
- SSL has only two types of alert messages. Alert messages are unencrypted
- TLS alert messages are encrypted and more diverse
Message Authentication
- SSL: Uses Message Authentication Code (MAC) protocols
- TLS: Deploys Hashed Message Authentication Code (HMAC) protocols
Cipher Suites
- SSL: Supports older algorithms with known security vulnerabilities
- TLS: Uses advanced encryption algorithms
Handshake
- SSL: Handshake is complex and slow
- TLS: Handshake is simplified (it has fewer steps), faster, and more secure
Connection
- SSL: Establishes connection using a port
- TLS: Establishes connection using protocol

References: Palo Alto Networks (www.paloaltonetworks.com); Wikipedia (www.wikipedia.org); Google (www.google.com); Oracle (www.oracle.com); Raspberry PI (www.raspberrypi.org); Microsoft (www.microsoft.com); CloudFlare (www.cloudflare.com); NordVPN (nordvpn.com)