  #1  Untangler (Join Date: Jun 2018; Posts: 40)

    School IT departments *sigh*

    Hey all!

    Hope everyone is enjoying the New Year, and had a chance to rest and relax over the holidays. I've been mainly lurking/reading, as things on the home and work front have been super busy.... which brings me to today's issue.

    The wonderful IT department for the school district recently focused on improving security. Unfortunately, as part of this effort, they decided to "secure" all the kids' laptops without testing them outside of the school! Because, of course they did.

    My daughter brought me her laptop this morning, saying the Wireless wasn't working anymore (as she's using the wireless on her phone....). I checked, and everything looked fine, it pulled a correct IP from the DHCP range, had the correct subnet mask and gateway.... hold the phone, where the heck did that DNS server address come from?!? Yep - they are forcibly overwriting the DHCP provided DNS addresses. And here's what they are "forcing" instead:

    10.72.34.70 and
    10.72.34.166


    *facepalm*

    Is there a way to force anything for those addresses to the ones DHCP would normally provide? I've already tried

        route add 10.72.34.70 mask 255.255.255.255 192.168.XX.XX

    from the laptop, but it's locked down pretty tight (and no, I'm not going to bust in and grant myself admin privileges.)

    I'm assuming it'll have to be the dnsmasq equivalent of "route add" above, but I have never messed with it before and don't want to accidentally break something.
    Last edited by Synical; 01-26-2020 at 03:11 PM.

  #2  jcoffin, Untangler (Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 8,524)

    You could create a port forward (works for incoming and outgoing) and just force the laptop to use the UT as the DNS server.
    Last edited by jcoffin; 01-26-2020 at 03:47 PM.
    Attention: Support and help on the Untangle Forums is provided by
    volunteers and community members like yourself.
    If you need Untangle support please call or email support@untangle.com

  #3  Untangle Ninja (Join Date: May 2008; Posts: 1,091)

    It won't help with tethering from her phone, will it?

    You need to talk to the IT director and hope it was done by a student who can learn by his mistakes.

  #4  Untangler (Join Date: Aug 2016; Posts: 69)

    What solution did they choose/install to lock down the DNS?

  #5  jcoffin, Untangler (Join Date: Aug 2008; Location: Sunnyvale, CA; Posts: 8,524)

    Quote Originally Posted by skearton:
        What solution did they choose/install to lock down the DNS?
    Google Device Management is the easy choice.

    https://support.google.com/chrome/a/.../1289314?hl=en

  #6  Jim.Alles, Untangle Ninja (Join Date: Jul 2008; Location: Central PA; Posts: 1,714)

    And maybe a workaround would be DoH?
    But those are just words; I don't have a method.

  #7  Untangler (Join Date: Jun 2018; Posts: 40)

    Using the phone as a hotspot, no - because it goes and changes DNS to those local addresses again. Didn't try using the phone as a Bluetooth modem - she still has a desktop in her room she can use. I told her to submit a ticket tomorrow, and gave her a note to copy over.

    I'm thinking the lack of teacher emails and Schoology updates over the weekend indicates it was a system-wide push, so they'll likely get an earful tomorrow.

  #8  Untangler (Join Date: Jun 2018; Posts: 40)

    Quote Originally Posted by jcoffin:
        You could create a port forward (works for incoming and outgoing) and just force the laptop to use the UT as the DNS server.
    This is what I ended up using just in case it doesn't get fixed by the school - I'll be traveling tomorrow, and don't want to risk an extended outage. Rather than doing a blanket rule I did two, adding the specific destination addresses as conditions. That should only impact the school laptops, and leave everything that's working normally alone. :P
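
    The destination-specific forwards described in #2 and #8, written out as iptables DNAT rules for a generic Linux router. This is an added example, not configuration from the thread or from Untangle itself (Untangle's Port Forward Rules are built in its web UI, not from a shell). The two forced resolver addresses are the ones the OP posted; the home DNS address (192.168.1.1), the LAN interface name (eth1) and the HOME_DNS / LAN_IF / APPLY environment variables are assumptions for this example.

```shell
#!/bin/sh
# Added example (not from the thread or from Untangle): send DNS queries that a
# managed laptop aims at the two forced resolvers back to the home network's own
# DNS server instead, using destination-specific DNAT rules as described in #8.
#
# From the thread:  10.72.34.70 and 10.72.34.166 are the resolvers pushed to the laptop.
# Assumptions:      HOME_DNS is the address of the home resolver (the Untangle box in
#                   the thread) and LAN_IF is the interface the laptop sits behind.

FORCED_RESOLVERS="10.72.34.70 10.72.34.166"
HOME_DNS="${HOME_DNS:-192.168.1.1}"
LAN_IF="${LAN_IF:-eth1}"

# Refuse a configuration that would redirect the home resolver onto itself.
check_config() {
    for dst in $FORCED_RESOLVERS; do
        if [ "$dst" = "$HOME_DNS" ]; then
            echo "HOME_DNS must not be one of the forced resolvers" >&2
            return 1
        fi
    done
    return 0
}

# One DNAT rule per forced resolver and per transport; DNS uses UDP and TCP on port 53.
# Matching on the destination address means only traffic already aimed at the school's
# resolvers is rewritten; every other client's DNS traffic passes untouched.
gen_dns_redirect_rules() {
    for dst in $FORCED_RESOLVERS; do
        for proto in udp tcp; do
            printf 'iptables -t nat -A PREROUTING -i %s -p %s -d %s --dport 53 -j DNAT --to-destination %s:53\n' \
                "$LAN_IF" "$proto" "$dst" "$HOME_DNS"
        done
    done
}

# Number of rules the generator produces (two resolvers x two transports = 4).
count_rules() {
    gen_dns_redirect_rules | wc -l | tr -d ' '
}

# Dry run by default: print the rules. Set APPLY=1 to execute them as root.
check_config || exit 1
if [ "${APPLY:-0}" = "1" ]; then
    gen_dns_redirect_rules | while IFS= read -r cmd; do
        $cmd
    done
else
    gen_dns_redirect_rules
fi
```

    Because each rule matches on the destination address as well as port 53, clients whose DNS already works are left alone, which is the point made in #8. Once the rules are in place, `nslookup example.com 10.72.34.70` from the laptop should return an answer; connection tracking rewrites the reply so it still appears to come from 10.72.34.70. The redirect only covers plain DNS passing through the home LAN: a phone hotspot, as noted in #7, or DNS over HTTPS never reaches it.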

  #9  f1assistance, Untangle Ninja (Join Date: Apr 2009; Location: Holly Springs, NC; Posts: 1,308)

    A couple questions immediately come to mind:
    1) If you are NOT using Untangle at home, why?
    2) If you're using Untangle, why would any of 'your devices' connecting to the internet outside your domain not use OpenVPN and always stay within your control (e.g., deny a change in system configuration)?
    3) If you're using Untangle, and you have devices which regularly connect to the internet outside your domain without OpenVPN, why do you allow such a promiscuous device(s) to again connect back with your domain?
    4) Do you provide a separate subnet for the promiscuous devices?
    Security is serious, and should be taken seriously! The school district's IT clearly doesn't understand security because a solution of system change to achieve said security for promiscuous devices is wrongheaded.
    What are you not telling us and leaving out of your scenario?
    Vanguard Untangle...because nothing's worse than doing nothing!
    -------
    2, Pentium (R) Dual-Core CPU E5300 @ 2.60GHz 2599.968, 2089.96MB RAM
    And building #7 didn't kill itself!

  #10  Jim.Alles, Untangle Ninja (Join Date: Jul 2008; Location: Central PA; Posts: 1,714)

    Here are my assumptions (reading between the lines):

    1. The laptop is owned, issued and administered by the school district.
    2. The laptop is not a chrome device, but runs Windowz (or Mac).


    You bring up a good point, f1assistance - relegate this device and other BYODs to a guest Wi-Fi SSID that is segregated from the rest of the internal network for Internet access. Perhaps poke a hole for a printer?

    Other than that, this is an interesting story.

    I will leave this here: https://www.zdnet.com/article/how-to-enable-dns-over-https-doh-in-google-chrome/
    If you think I got Grumpy
