From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Fri, 13 Nov 2020 14:24:23 +0000
Message-ID: <03670AF5-4C3C-42C5-AFB3-B501A0ACEB7F@ipfire.org>
In-Reply-To: <20201110130726.GA4026767@vesikko.tarvainen.info>

Hi,

> On 10 Nov 2020, at 13:07, Tapani Tarvainen wrote:
>
> Hi,
>
> Just two quick points:
>
> (1) In general changes like this that could break existing installations
> should be left off by default, letting just those who want it turn it on.
>
> (2) This has already become almost moot by the ever-increasing use of DoH.
> On the other hand, unbound already supports DoH, so how about enabling it
> in IPFire, too?

I do not see how that would be possible with dynamic configuration of clients with DHCP and getting some sort of valid certificate for the DNS service.

-Michael

>
> Tapani
>
> On Mon, Nov 09, 2020 at 06:47:26PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
>>
>> Hi,
>>
>> there have been several discussions with several solution attempts in
>> both IPFire forums (old/new), generally starting with (e.g.) "...I am
>> trying to redirect all of my DNS traffic to go thru the IPFire DNS
>> instead of directly to an outside DNS server...".
>>
>> Current discussion =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>>
>> But not only in the forums - the oldest Wiki article is dated "May 22,
>> 2015". Long time, but still editing scripts manually...
>>
>> Hoping that there is a chance for a (final) integrated solution which
>> doesn't include editing code, but having a checkbox to switch this
>> functionality ON/OFF on a standardized and more secure base, I would
>> like to open a discussion on the list.
>>
>> For a start and to test how this could probably be done - and to find
>> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
>>
>> Screenshots of the result can be found in the forum thread cited above:
>> =>
>> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91
>>
>> But some points are IMHO still unclear and need clarification. And I
>> think I'm not the one to decide where to go...
>>
>> My thoughts until now:
>>
>> - Do we need this?
>> [Hm. ;-) As I heard, some folks do.]
>>
>> - Is 'optionsfw.cgi' the right place for this?
>> [In my opinion: yes. It was easy to add and sits beside other
>> interface "options"]
>>
>> - Do we really want this for all installations?
>> [For someone who doesn't want or doesn't need it: it can be switched OFF]
>>
>> - Is this function usable under ALL circumstances?
>> [If not: it can be switched OFF]
>>
>> - Where (e.g. firewall init script, rules.pl, wirelessctrl.c, ...)
>> should the necessary iptables rules be processed?
>> [Some ideas how this could be done, but no "breakthrough". Current
>> option settings are processed in several scripts. Which one to use!?]
>>
>> Before going on and investing more time in this (on the forum), I'd like
>> to know how the developers think about this and would like to collect
>> ideas and suggestions here.
>>
>> Any hints are welcome...
>>
>> Best,
>> Matthias
>
> --
> Tapani Tarvainen
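As an added illustration that is not part of the thread and not IPFire's own code, the rules an ON/OFF option of this kind would drive can be kept in their own nat chain so the switch is reversible; the interface name green0, the firewall address 192.168.1.1 and the chain name DNS_FORCE are assumptions:

```shell
#!/bin/sh
# Added example, not code from IPFire or from the mailing-list thread.
# Emits the nat-table rules behind a "force LAN DNS to the firewall"
# option. Interface, address and chain name are assumed for illustration.

# dns_force_rules DEV ADDR on|off
# Prints one iptables command per line; running them is left to the
# caller so the rule set can be reviewed before it is applied.
dns_force_rules() {
    dev="$1"    # LAN-facing interface, e.g. green0 (assumed name)
    addr="$2"   # firewall's own address on that interface (assumed)
    state="$3"  # on | off

    # A dedicated chain keeps the option reversible: it is flushed on
    # every run and only hooked into PREROUTING while switched on.
    echo "iptables -t nat -N DNS_FORCE 2>/dev/null"
    echo "iptables -t nat -F DNS_FORCE"
    echo "iptables -t nat -D PREROUTING -i $dev -j DNS_FORCE 2>/dev/null"
    [ "$state" = "on" ] || return 0

    echo "iptables -t nat -A PREROUTING -i $dev -j DNS_FORCE"
    for proto in udp tcp; do
        # Queries already addressed to the firewall are left untouched;
        # everything else on port 53 is rewritten to the local resolver.
        # Conntrack un-NATs the replies, so clients see a normal answer.
        echo "iptables -t nat -A DNS_FORCE -p $proto --dport 53 ! -d $addr -j DNAT --to-destination $addr"
    done
    # DoT (853) could be caught the same way; DoH rides on 443 and cannot
    # be told apart from ordinary HTTPS by port, which is why the thread
    # calls the whole approach "almost moot" for DoH-capable clients.
}

# Number of commands emitted for a given state (3 when off, 6 when on).
dns_force_rule_count() {
    dns_force_rules "$1" "$2" "$3" | wc -l | tr -d ' '
}
```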