From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Sun, 15 Nov 2020 14:16:46 +0100
Message-ID: <008da5bd-4700-e382-c228-1faf3895dfb1@ipfire.org>
In-Reply-To: <20201113145533.GB218744@vesikko.tarvainen.info>

Hi,

On 13.11.2020 15:55, Tapani Tarvainen wrote:
> On Fri, Nov 13, 2020 at 02:23:10PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
> ...
>> So what I could come up with is this:
>>
>> * You have a host on your network that does not use your DNS servers.
>>
>> * You have a host on your network that does not allow you to put in custom DNS servers.
>>
>> I would simply say: Throw them away. That is not network equipment.
>> It simply is a bug, and that should not be fixed by us.
>
> Agreed.
>
> But I guess the situation some people have in mind is that you have
> *users* in your network you can't really control or trust not to mess
> up with DNS settings in their machines. As in, children.

Or you have *machines* (in this case, Apps) you can't control, because they don't even have an input field for "DNS".

> But any kid smart enough to change DNS settings in their laptop or
> whatever is also smart enough to work around such redirection.

I'm curious. How could this be done?

I have tested the REDIRECT rules with various arbitrary entries, even with non-existing addresses. So far, DNS queries were always redirected to the DNS servers specified in IPFire until now. I didn't even notice that I tested with irregular or invalid addresses.

...

Best,
Matthias
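The kind of REDIRECT rule set the message refers to, written out as an added example (not from this thread and not IPFire's own firewall scripts): it intercepts every DNS query leaving the LAN, whatever server the client configured, and hands it to the firewall's own resolver. The interface name `green0` and the use of a dry run by default are assumptions for illustration.

```shell
#!/bin/sh
# Added example: NAT rules that force LAN DNS (UDP and TCP port 53) to the
# firewall's resolver. LAN_IF is an assumed placeholder; adjust for your setup.
LAN_IF="${LAN_IF:-green0}"

# dns_redirect_rules: print one iptables command per line.
# REDIRECT rewrites the destination to the primary address of the interface
# the packet arrived on, so clients pointing at any outside resolver (valid,
# invalid or non-existent) still reach the firewall's DNS on port 53.
# Both protocols are covered because large answers and zone transfers use TCP.
dns_redirect_rules() {
    for proto in udp tcp; do
        printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 -j REDIRECT --to-ports 53\n' \
            "$LAN_IF" "$proto"
    done
}

# dns_redirect_apply: install the rules (needs root); DRY_RUN=1 only prints them.
dns_redirect_apply() {
    if [ "${DRY_RUN:-1}" = "1" ]; then
        dns_redirect_rules
    else
        dns_redirect_rules | sh
    fi
}

# count_rules: number of rule lines that would be installed.
count_rules() {
    dns_redirect_rules | wc -l | tr -d ' '
}

dns_redirect_apply
```

With `iptables -t nat -L PREROUTING -v -n` the packet counters on these two rules show whether clients that configured a foreign resolver are actually being caught.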