Hi,

> On 10 Nov 2020, at 13:07, Tapani Tarvainen wrote:
>
> Hi,
>
> Just two quick points:
>
> (1) In general, changes like this that could break existing installations
> should be left off by default, letting just those who want it turn it on.
>
> (2) This has already become almost moot by the ever-increasing use of DoH.
> On the other hand, unbound already supports DoH, so how about enabling it
> in IPFire, too?

I do not see how that would be possible with dynamic configuration of clients with DHCP and getting some sort of valid certificate for the DNS service.

-Michael

>
> Tapani
>
> On Mon, Nov 09, 2020 at 06:47:26PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
>>
>> Hi,
>>
>> there have been several discussions with several solution attempts in
>> both IPFire forums (old/new), generally starting with (e.g.) "...I am
>> trying to redirect all of my DNS traffic to go thru the IPFire DNS
>> instead of directly to an outside DNS server...".
>>
>> Current discussion =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> But not only in the forums - the oldest Wiki article is dated "May 22,
>> 2015". Long time, but still editing scripts manually...
>>
>> Hoping that there is a chance for a (final) integrated solution which
>> doesn't include editing code, but having a checkbox to switch this
>> functionality ON/OFF on a standardized and more secure base, I would
>> like to open a discussion on the list.
>>
>> For a start and to test how this could probably be done - and to find
>> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
>>
>> Screenshots of the result can be found in the forum thread cited above:
>> =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91
>>
>> But some points are IMHO still unclear and need clarification. And I
>> think I'm not the one to decide where to go...
>>
>> My thoughts until now:
>>
>> - Do we need this?
>> [Hm. ;-) As I heard, some folks do.]
>>
>> - Is the 'optionsfw.cgi' the right place for this?
>> [In my opinion: yes. It was easy to add and sits beside other
>> interface "options"]
>>
>> - Do we really want this for all installations?
>> [For someone who doesn't want or doesn't need it: it can be switched OFF]
>>
>> - Is this function usable under ALL circumstances?
>> [If not: it can be switched OFF]
>>
>> - Where (e.g. firewall init script, rules.pl, wirelessctrl.c, ...)
>> should the necessary iptables rules be processed?
>> [Some ideas how this could be done, but no "breakthrough". Current
>> option settings are processed in several scripts. Which one to use!?]
>>
>> Before going on and investing more time in this (on the forum), I'd like
>> to know how the developers think about this and would like to collect
>> ideas and suggestions here.
>>
>> Any hints are welcome...
>>
>> Best,
>> Matthias
>
> --
> Tapani Tarvainen
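What the "redirect all LAN DNS to the firewall" switch discussed in this thread boils down to, as an added example that is not part of the thread and not IPFire's own scripts. It assumes a hypothetical LAN interface name and firewall address (`green0`, `192.168.1.1`), a dedicated nat chain `DNS_REDIRECT` so the feature can be turned OFF again without touching any other rule, and an `APPLY` variable that defaults to "print only" so the feature stays off unless explicitly enabled (Tapani's point 1). It only matches port 53; DoH on 443 passes through untouched, which is Tapani's point 2.

```shell
# Added example (not IPFire code): force all DNS from the LAN through the
# firewall's own resolver with DNAT rules in one dedicated nat chain.
# Hypothetical names: green0 / 192.168.1.1 / DNS_REDIRECT / APPLY.

run() {
    # Print the iptables command; execute it only when APPLY=1.
    printf '%s\n' "$*"
    if [ "${APPLY:-0}" = "1" ]; then
        "$@"
    fi
}

dns_redirect_off() {
    # $1: LAN interface, $2: chain name. Removes the jump, then the chain,
    # leaving the rest of the nat table untouched. Best-effort, so calling
    # it when the feature is already OFF is harmless.
    dev="$1"; chain="${2:-DNS_REDIRECT}"
    run iptables -t nat -D PREROUTING -i "$dev" -j "$chain" || true
    run iptables -t nat -F "$chain" || true
    run iptables -t nat -X "$chain" || true
}

dns_redirect_on() {
    # $1: LAN interface, $2: firewall address on it, $3: chain name.
    dev="$1"; addr="$2"; chain="${3:-DNS_REDIRECT}"
    if [ -z "$dev" ] || [ -z "$addr" ]; then
        echo "usage: dns_redirect_on <iface> <addr> [chain]" >&2
        return 1
    fi
    # Start from a clean chain so switching ON twice never stacks rules.
    dns_redirect_off "$dev" "$chain"
    run iptables -t nat -N "$chain"
    # PREROUTING only sees packets arriving on $dev, so the firewall's own
    # upstream queries (locally generated, OUTPUT chain) are not rewritten.
    run iptables -t nat -A PREROUTING -i "$dev" -j "$chain"
    for proto in udp tcp; do
        # Queries already addressed to the firewall need no rewrite.
        run iptables -t nat -A "$chain" -d "$addr" -p "$proto" --dport 53 -j RETURN
        # Everything else on port 53 goes to the local resolver. TCP is
        # included because truncated/large answers fall back to it.
        run iptables -t nat -A "$chain" -p "$proto" --dport 53 -j DNAT --to-destination "$addr:53"
    done
}

# Dry run (APPLY unset): prints the rule set without changing anything.
dns_redirect_on green0 192.168.1.1
```

With `APPLY=1` the same calls install the rules; `dns_redirect_off green0` is the OFF side of the checkbox. Clients that talk to an outside resolver on port 53 are answered by the firewall instead; clients using DoH are not affected by these rules at all.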