From: Tapani Tarvainen <ipfire@tapanitarvainen.fi>
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Tue, 10 Nov 2020 15:07:26 +0200
Message-ID: <20201110130726.GA4026767@vesikko.tarvainen.info>
In-Reply-To: <893404c4-16eb-2055-5702-7a3b44377443@ipfire.org>
Hi,
Just two quick points:
(1) In general changes like this that could break existing installations
should be left off by default, letting just those who want it turn it on.
(2) This has already become almost moot by the ever-increasing use of DoH.
On the other hand, unbound already supports DoH, so how about enabling it
in IPFire, too?
Tapani
On Mon, Nov 09, 2020 at 06:47:26PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
>
> Hi,
>
> there have been several discussions with several solution attempts in
> both IPFire forums (old/new), generally starting with (e.g.) "...I am
> trying to redirect all of my DNS traffic to go thru the IPFire DNS
> instead of directly to an outside DNS server...".
>
> Current discussion =>
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>
> But not only in the forums - the oldest Wiki article is dated "May 22,
> 2015". Long time, but still editing scripts manually...
>
> Hoping that there is a chance for a (final) integrated solution which
> doesn't include editing code, but having a checkbox to switch this
> functionality ON/OFF on a standardized and more secure base, I would
> like to open a discussion on the list.
>
> For a start and to test how this could probably be done - and to find
> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
>
> Screenshots of the result can be found in the forum thread cited above:
> =>
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91
>
> But some points are IMHO still unclear and need clarification. And I
> think I'm not the one to decide where to go...
>
> My thoughts until now:
>
> - Do we need this?
> [Hm. ;-) As I heard, some folks do.]
>
> - Is the 'optionsfw.cgi' the right place for this?
> [In my opinion: yes. It was easy to add and sits beside other
> interface "options"]
>
> - Do we really want this for all installations?
> [For someone who doesn't want or doesn't need it: it can be switched OFF]
>
> - Is this function usable under ALL circumstances?
> [If not: it can be switched OFF]
>
> - Where (e.g., firewall init script, rules.pl, wirelessctrl.c, ...)
> should the necessary iptables rules be processed?
> [Some ideas of how this could be done, but no "breakthrough". Current
> option-settings are processed in several scripts. Which one to use!?]
>
> Before going on and investing more time in this (on the forum), I'd like
> to know how the developers think about this and would like to collect
> ideas and suggestions here.
>
> Any hints are welcome...
>
> Best,
> Matthias
--
Tapani Tarvainen
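The iptables side of the feature Matthias describes in the quoted message (rewrite every LAN query on port 53 to the firewall's own resolver, with an ON/OFF switch) can be sketched as a small POSIX shell helper. This is an added example, not IPFire code and not anything from optionsfw.cgi, rules.pl or the firewall init script; the chain name DNS_REDIRECT, the interface name green0, the address 192.168.1.1 and the IPTABLES variable are assumptions for illustration. It keeps the feature off by default, as Tapani's point (1) suggests, and, as his point (2) notes, only catches plain DNS: DoH on 443 and DoT on 853 pass through untouched unless they are handled separately.

```shell
#!/bin/sh
# Added example, not IPFire code: emit (or apply) the iptables NAT rules that
# send all plain-DNS traffic from the LAN to the firewall's own resolver,
# controlled by an on/off setting like the checkbox proposed in the thread.
# Chain name DNS_REDIRECT, interface green0 and address 192.168.1.1 are
# assumptions chosen for this illustration.

# Dry run by default: the commands are printed, not executed.
# On a real firewall, run with IPTABLES=iptables to apply them.
: "${IPTABLES:=echo iptables}"

# dns_redirect_init: create the chain once and hook it into nat/PREROUTING,
# so that switching the feature on or off only has to flush that one chain.
dns_redirect_init() {
    $IPTABLES -t nat -N DNS_REDIRECT
    $IPTABLES -t nat -A PREROUTING -j DNS_REDIRECT
}

# dns_redirect_rules <on|off> <lan-interface> <firewall-lan-ip>
# Prints (or applies) the rule set for the given setting; returns 1 on misuse.
dns_redirect_rules() {
    setting="$1"; iface="$2"; fwip="$3"
    case "$setting" in
        on)
            # Start from an empty chain so repeated calls are idempotent.
            $IPTABLES -t nat -F DNS_REDIRECT
            # Queries already addressed to the firewall need no rewrite.
            $IPTABLES -t nat -A DNS_REDIRECT -i "$iface" -d "$fwip" -p udp --dport 53 -j RETURN
            $IPTABLES -t nat -A DNS_REDIRECT -i "$iface" -d "$fwip" -p tcp --dport 53 -j RETURN
            # Everything else on port 53 (UDP and TCP) is rewritten to the
            # firewall. DoH (443) and DoT (853) are not matched by these rules.
            $IPTABLES -t nat -A DNS_REDIRECT -i "$iface" -p udp --dport 53 -j DNAT --to-destination "$fwip:53"
            $IPTABLES -t nat -A DNS_REDIRECT -i "$iface" -p tcp --dport 53 -j DNAT --to-destination "$fwip:53"
            ;;
        off)
            # Default state: the chain exists but is empty, so nothing is redirected.
            $IPTABLES -t nat -F DNS_REDIRECT
            ;;
        *)
            echo "usage: dns_redirect_rules on|off <lan-interface> <firewall-ip>" >&2
            return 1
            ;;
    esac
}

# Usage (dry run): show what would be applied for the green network.
dns_redirect_init
dns_redirect_rules on green0 192.168.1.1
```

Because the ON state only ever flushes and refills its own chain, a GUI toggle can call the same function from whichever script ends up processing the option, and turning the feature off leaves the PREROUTING hook in place with an empty chain.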