Re: Forcing all DNS traffic from the LAN to the firewall

[Tapani Tarvainen <ipfire@tapanitarvainen.fi>]

[-- Attachment #1: Type: text/plain, Size: 2238 bytes --]

On Fri, Nov 13, 2020 at 02:23:10PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:

> > - Do we need this?
> >  [Hm. ;-) As I heard, some folks do.]
> 
> Very good question.
> 
> I do not entirely understand the use-case for this. And I think
> nobody has shown an example at all here.

Agreed. The use case has been dubious to begin with, and as noted
DoH is making it increasingly so.

> So what I could come up with is this:
> 
> * You have a host on your network that does not use your DNS servers.
> 
> * You have a host on your network that does not allow you to put in custom DNS servers.
>
> I would simply say: Throw them away. That is not network equipment.
> It simply is a bug, and that should not be fixed by us.

Agreed.

But I guess the situation some people have in mind is that you have
*users* in your network you can't really control or trust not to mess
up with DNS settings in their machines. As in, children.

But any kid smart enough to change DNS settings in their laptop or
whatever is also smart enough to work around such redirection.

> I would say that that checkbox that you have added should block
> using any other DNS server except the ones configured by the DHCP
> server.

Yes. That'd be better, although even its usefulness is doubtful.

> As an admin you want to know what is going wrong and not silently
> redirect this.

You should. At best it would give you an excuse, a way to claim you
tried to prevent <whatever>. Might be useful in a school or a library
in some places...

But I seriously dislike such reasons and don't think IPFire should
cave in even if someone actually argues for them (not that people
are likely to, as it'd obviously undermine them!).

> If you really really want to redirect, I think the best option is to
> add that functionality to the firewall UI that users can create a
> rule that redirects this traffic. That way it is absolutely explicit
> and the admin hopefully knows what they are doing.

I could live with that, even if I doubt the need.

Actually I'd prefer a generic mechanism for setting redirections
for whatever types of packets. But not a high priority for me.

-- 
Tapani Tarvainen