Contact Info

Welcome to Euclid Networks’ Tech-Tips Blog : Please navigate using the categories on the right sidebar.

Using a Synology NAS as a Backup DNS Server for Active Directory

As we onboard any new IT support partner, one of our security and network assessment tasks is to validate a client’s server and disaster recovery environment.

As part of this assessment, we often find a customer will have a single point of failure with their active directory environment – most small businesses don’t have the resources to afford multiple servers, and often times previous systems administrators will have not had the foresight to follow best practices regarding building server resiliency.

One example of a point of failure with a single-server environment that we see all too often is DNS. In many cases, the Primary Domain Controller (PDC) will serve as the sole internal DNS provider. Meaning, if a power outage occurs, or if a PDC goes down for any reason, the entire office will “lose” internet connectivity – often a costly outage until technical help can arrive!

Many of these clients do, however, have secondary “server”-like devices – NAS units, Linux machines, et cetera. While using these as a “backup” DNS provider is not a best practice, we aim to provide the best tech support we can while utilizing resources a client already has in place – thus saving them money!

In the following, we outline steps to convert a Synology NAS device into a backup DNS server for an Active Directory (Windows Server 2019) environment.

1. Install DNS Package on Synology NAS – straightforward, by opening Package Manager.

2. Set up a “Slave Zone” – Within Synology’s DNS manager, create a slave zone, set domain type to Forward Lookup Zone, and enter your PDC’s DNS information.

3. Set up DNS Resolution and forwarding on the NAS – In the below, we have enabled the resolution service, and also forwarders. In our lab, we actually do have a backup local DNS server (192.168.1.8 here), but also forward on DNS requests to Google (8.8.8.8/8.8.6.6) to allow for internet connectivity during PDC downtime.

4. Configure DNS Forwarding on PDC – On your server, open DNS, select your AD’s forward lookup zone, open properties.

4.1 Under Zone Transfers, ensure Allow Zone Transfers is enabled, to servers listed in the DNS Tab.
4.2 Under Notify – Ensure the same setting is enabled.
4.3 Add your Slave Name Server to the list of configured name servers. Important – ensure your server validates, with a green check once its FQDN is added.

5. Verify DNS records and Zone Transfer has completed On the Synology DNS Manager, under ‘Zones’, select ‘Edit’ and open ‘Resource Record’ you should find propagated records.

Optional but recommended – repeat steps 2-5 for the Reverse Lookup Zone (EG, 1.168.192.in-addr.arpa) and _msdcs.yourlocal.domain. You *do* have a reverse lookup zone configured, don’t you? =)

6. Add your New DNS Server to DHCP – Don’t forget to configure your DHCP leases to include your new backup DNS server!

7. Test out DNS resolution – Finally, test your new server to ensure it’s resolving external domain names correctly, and test a failure of your PDC by taking it offline. Success!

If this writeup has been helpful to you, please share your comments below. And as always, if you’re looking for proactive managed IT service in Atlanta, Euclid is here to help!


Scam Mail & E-Mails – License Scheme Targeting Corporation and LLC Owners

Many of Euclid Networks’ clients approach us, regularly asking for feedback on the validity of e-mails and mails they have received. Most typically, scammers have targeted a business owner, or senior partner – and are attempting to gain access to the company’s computer network.

In some cases, the attack is not targeted directly at the servers or network itself – but rather the employees themselves in an attempt to bypass all security measures that have been put into place. These attempts often appeal to authority – either by impersonating senior members of staff – or by appearing as credible communications from outside vendors or service providers.

The most recent attempt we’ve seen along these lines is a scam being run in states nationwide, where a sender impersonates a state’s department of revenue / licensing office – example below.

The above document shows a scam being run in Hawaii, but in Atlanta, Fulton County, and Georgia as well, similar schemes have been set up.

On the document we were asked about, an entity calling itself “C.P.F.S , 4279 Roswell Rd. NE – #208-339, Atlanta, GA 30342” requested payment on a “2020 – Annual Registration Instruction Form” for Georgia LLCs.

How to Spot Misleading Communications

The key indicator that a solicitation is not a valid request can be found in the fine print. By law, the soliciting company (the company that sends out these mailings) must include some variation of the following disclaimers:“SOLICITING COMPANY is not a government agency and does not represent a government agency.”

“SOLICITING COMPANY is not a government agency and does not have a contract with any government agency to provide this service.”

“SOLICITING COMPANY is not a government agency and is not affiliated with the Secretary of State or any other government agency.”

In this case, it’s relatively easy to spot – but in other cases, where businesses and their IT systems have been targeted by more malicious actors, the consequences can be more dire! Having a trusted technology partner on your side can help prevent targeted attacks – and when your business comes under attack, you’ll have someone in your corner to help fight back.

If you have been a victim of a mailing like the one we highlighted today, we strongly encourage you to report these misleading solicitations to the Secretary of State or Attorney General of the state where your business is registered. Many of these offices have been cracking down on those entities sending out fraudulent mailings, enforcing heavy fines and even taking legal action.

Also contact the Secretary of State or Attorney General if you have remitted payment in response to a solicitation that you suspect was fraudulent. You may be able to have your money refunded.

For more information and to contact the Georgia Secretary of State, you can visit :

https://sos.ga.gov/index.php/corporations/kemp_warns_businesses_about_scam_mail


Subdomain and Domain forwarding not working properly with GoDaddy and Sonicwall Firewall

Godaddy ​Domain and Subdomain Forwarding times out without forwarding, unexpectedly, when using a Sonicwall Firewall.

Domain Forwarding is typically used to redirect a user to a different website when they type in a URL in a browser. In this case, the forwarding will time out – with either a browser 404 error – or a CONNECTION_TIMED_OUT message. DNS resolution will work properly – subdomain.domain.com for example will return the correct A record, pointing to Godaddy’s IP addresses.

The domain redirect may work sporadically on some phones or computers where traffic is not directly passing through a Sonicwall firewall.

The reason for the failed domain forwarding is that by default the Sonicwall enables TCP Packet Sequence Randomization which causes Godaddy’s Domain Forwarding service to break. When doing packet analysis in Wireshark, we saw TCP ACK connections out of sequence and dropped connections.

To fix this issue:

  1. Login into the IP address of the Sonicwall firewall.
  2. Go to http://{firewall.ip.address}/diag.html – You will get a warning about Advanced Settings
  3. Click on Internal Settings.
  4. Untick the box: “Enable TCP sequence number randomization”
  5. Scroll up and click Accept.
  6. Click Close.
  7. Reboot the firewall.

Verify you can now access a Domain forwarded address.  Note that servers behind the firewall will be slightly more vulnerable to host identification by disabling this TCP Sequence Randomization. But in this case, it would be a fairly targetted attack, so the overall risk is low.


How to keep your children safe online?

Summer is here and your kids are home for long stretches of time. Here are our tips on keeping your home and children safe online.

Our number 1 tip is talk to your children! Communication is essential in maintaining a safe environment.
  1. Have a conversation with your kids: warn them about malware, dangerous websites, and sex offenders. Let your kids know you’re looking out for them, speak honestly with them, and listen. After all, if it’s just you talking, it’s not a conversation. It’s a lecture. And no one likes a lecture.
  2. Keep your computer in a common area of the house: it’s more difficult for sex offenders and online bullies to harass your child when you can see what your child is up to. So make sure your kids aren’t going to bed with their laptops and phones. Keep internet time in the common areas.
  3. Know which other computers your children are using: your children most likely have access to computers at school or their friends’ houses. Ask them where they go online, and talk to their friends’ parents about how they supervise their own kids’ internet use.
  4. Remind your children, “Don’t talk to strangers — or meet them”: Remind your children that people often lie about their age, and online predators often pretend to be children. Emphasize that your children should never reveal personal information like their name, address, phone number, school name, or even their friends’ names. Knowing any of this could help an online predator find your kid in real life. And under no circumstances should your child ever meet up with someone they met online without your permission. If you do agree to a meeting, go with your child and meet in a public place.
  5. Make internet time family time: You watch movies together. Why not browse the web together? Making it a family event can be fun. You’ll learn more about your kids’ interests, and can guide them to websites that are more appropriate to their age.
  6. Know your children’s passwords: If you’ve got a younger kid, create an account for them in your own name to avoid exposing your kid’s name — and so you’ll have the password. But please respect the age limitations on accounts. If a site says you should be 18 to sign up, then maybe your child should wait. Whatever your choice, though, make sure you get their passwords and warn them that you’ll be checking their accounts from time to time to make sure everything’s kosher. (Spying on your kids’ accounts without their knowledge could weaken their trust in you.)
  7. Watch for changes in your children’s behavior: Being secretive about what they do online, withdrawing from the family, and other personality changes could be signs that an online sex offender is preying on your kid. So keep an eye out for any behavioral changes.
  8. Pay attention to any gifts anyone gives your children: Sexual predators may send physical letters, photos, or gifts to children to seduce them. Stay alert, and ask your kids about any new toys they bring home.
  9. Check your children’s browsing history: Open your child’s web browser and look for “History” to see a list of websites they’ve been to. Also check the recycle bin to see if any files have been deleted. You may be surprised.
  10. Set rules — and stick to them: As a parent, it’s your job to limit your kids’ screen time, set boundaries for inappropriate content, and make sure your children stick to them. Talk to your internet service provider about filters you can use to block pornographic or violent websites, or invest in a Wi-Fi router with parental controls.
Searching and using the internet together is a great way to teach your children about navigating the multilayered online world.

Page 2 of 6123...Last