From: Michael Tremer <michael.tremer@ipfire.org>
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Fri, 13 Nov 2020 14:24:23 +0000
Message-ID: <03670AF5-4C3C-42C5-AFB3-B501A0ACEB7F@ipfire.org>
In-Reply-To: <20201110130726.GA4026767@vesikko.tarvainen.info>
Hi,
> On 10 Nov 2020, at 13:07, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wrote:
>
> Hi,
>
> Just two quick points:
>
> (1) In general changes like this that could break existing installations
> should be left off by default, letting just those who want it turn it on.
>
> (2) This has already become almost moot by the ever-increasing use of DoH.
> On the other hand, unbound already supports DoH, so how about enabling it
> in IPFire, too?
I do not see how that would be possible with dynamic configuration of clients with DHCP and getting some sort of valid certificate for the DNS service.
-Michael
>
> Tapani
>
> On Mon, Nov 09, 2020 at 06:47:26PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
>>
>> Hi,
>>
>> there have been several discussions with several solution attempts in
>> both IPFire forums (old/new), generally starting with (e.g.) "...I am
>> trying to redirect all of my DNS traffic to go thru the IPFire DNS
>> instead of directly to an outside DNS server...".
>>
>> Current discussion =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> But not only in the forums - the oldest Wiki article is dated "May 22,
>> 2015". Long time, but still editing scripts manually...
>>
>> Hoping that there is a chance for a (final) integrated solution which
>> doesn't include editing code, but having a checkbox to switch this
>> functionality ON/OFF on a standardized and more secure base, I would
>> like to open a discussion on the list.
>>
>> For a start and to test how this could probably be done - and to find
>> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
>>
>> Screenshots of the result can be found in the forum thread cited above:
>> =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91
>>
>> But some points are IMHO still unclear and need clarification. And I
>> think I'm not the one to decide where to go...
>>
>> My thoughts until now:
>>
>> - Do we need this?
>> [Hm. ;-) As I heard, some folks do.]
>>
>> - Is 'optionsfw.cgi' the right place for this?
>> [In my opinion: yes. It was easy to add and sits beside other
>> interface "options"]
>>
>> - Do we really want this for all installations?
>> [For someone who doesn't want or doesn't need it: it can be switched OFF]
>>
>> - Is this function usable under ALL circumstances?
>> [If not: it can be switched OFF]
>>
>> - Where (E.g: firewall init script, rules.pl, wirelessctrl.c, ...)
>> should the necessary iptables rules be processed?
>> [Some ideas how this could be done, but no "breakthrough". Current
>> option-settings are processed in several scripts. Which one to use!?]
>>
>> Before going on and investing more time in this (on the forum), I'd like
>> to know how the developers think about this and would like to collect
>> ideas and suggestions here.
>>
>> Any hints are welcome...
>>
>> Best,
>> Matthias
>
> --
> Tapani Tarvainen
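The thread leaves the actual firewall rules implied. The following POSIX shell script is an added example written for this page, not IPFire's own rules.pl, optionsfw.cgi or firewall init code; it generates (and can apply or remove) the iptables rules that redirect plain port-53 DNS from a LAN interface to the firewall's resolver. The interface name green0, the firewall address 192.168.0.1 and the dry-run default for IPTABLES are assumptions.

```shell
#!/bin/sh
# Added example, not IPFire code: generate, apply or remove the iptables
# rules that force plain-DNS queries from a LAN interface to the firewall's
# own resolver. The interface name, the firewall address and the IPTABLES
# command are placeholders/assumptions. With IPTABLES unset the commands are
# only echoed (dry run); set IPTABLES=iptables to really apply them.

IPTABLES="${IPTABLES:-echo iptables}"

# gen_dns_redirect_rules LAN_IF FW_IP
# Emit one iptables argument list per line. "! -d $fw_ip" leaves queries that
# already go to the firewall alone; every other port-53 packet is REDIRECTed,
# i.e. DNATed to the primary address of the incoming interface, where the
# resolver listens. Both UDP and TCP are covered, since TCP carries truncated
# and large (DNSSEC) answers.
gen_dns_redirect_rules() {
    lan_if="$1"
    fw_ip="$2"
    for proto in udp tcp; do
        printf '%s\n' "-t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $fw_ip -j REDIRECT --to-ports 53"
    done
    # DNS-over-TLS on port 853 would sidestep the redirect, so reject it.
    # DNS-over-HTTPS shares port 443 with ordinary web traffic and cannot be
    # caught by a port-based rule; that is the limitation raised in the thread.
    printf '%s\n' "-A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
}

# apply_dns_redirect_rules LAN_IF FW_IP: run each generated rule through $IPTABLES.
apply_dns_redirect_rules() {
    gen_dns_redirect_rules "$1" "$2" | while IFS= read -r rule; do
        # Word splitting of $rule is intended: each field is one iptables argument.
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}

# flush_dns_redirect_rules LAN_IF FW_IP: delete the same rules (-A -> -D) so the
# feature can be switched OFF again without rebuilding the whole chain.
flush_dns_redirect_rules() {
    gen_dns_redirect_rules "$1" "$2" | sed -e 's/^-A /-D /' -e 's/ -A / -D /' | while IFS= read -r rule; do
        # shellcheck disable=SC2086
        $IPTABLES $rule
    done
}
```

Run `IPTABLES='echo iptables' sh -c '. ./dnsredirect.sh; apply_dns_redirect_rules green0 192.168.0.1'` (file name assumed) to see the commands before applying them. Two practical checks belong with a rule set like this: the firewall's resolver must actually listen on the LAN interface address that REDIRECT maps to, and clients configured with a DoH resolver still bypass the firewall, exactly as Tapani notes above; only blocking the resolver's addresses, not a port rule, catches that.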
Thread overview: 20+ messages
2020-11-09 17:47 Matthias Fischer
2020-11-10 13:07 ` Tapani Tarvainen
2020-11-13 14:24 ` Michael Tremer [this message]
2020-11-13 14:35 ` Tapani Tarvainen
2020-11-11 15:02 ` Rainer Kemme
2020-11-13 14:23 ` Michael Tremer
2020-11-13 14:55 ` Tapani Tarvainen
2020-11-15 13:16 ` Matthias Fischer
2020-11-15 14:45 ` Michael Tremer
2020-11-15 15:33 ` Tapani Tarvainen
2020-11-16 10:32 ` Michael Tremer
2020-11-15 14:40 ` Michael Tremer
2020-11-13 16:57 ` Matthias Fischer
2020-11-13 17:08 ` Paul Simmons
2020-11-15 13:36 ` Matthias Fischer
2020-11-15 14:50 ` Michael Tremer
2020-11-15 15:44 ` Tapani Tarvainen
2020-11-16 10:34 ` Michael Tremer
2020-11-23 9:08 ` Matthias Fischer
2020-12-25 16:57 ` Matthias Fischer