From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Sun, 15 Nov 2020 14:40:21 +0000
Message-ID: <3984C5BA-5DC2-43C6-9174-6C45A31EDDE9@ipfire.org>
In-Reply-To: <20201113145533.GB218744@vesikko.tarvainen.info>

Hi,

> On 13 Nov 2020, at 14:55, Tapani Tarvainen wrote:
>
> On Fri, Nov 13, 2020 at 02:23:10PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
>
>>> - Do we need this?
>>> [Hm. ;-) As I heard, some folks do.]
>>
>> Very good question.
>>
>> I do not entirely understand the use-case for this. And I think
>> nobody has shown an example at all here.
>
> Agreed. The use case has been dubious to begin with, and as noted
> DoH is making it increasingly so.
>
>> So what I could come up with is this:
>>
>> * You have a host on your network that does not use your DNS servers.
>>
>> * You have a host on your network that does not allow you to put in custom DNS servers.
>>
>> I would simply say: Throw them away. That is not network equipment.
>> It simply is a bug, and that should not be fixed by us.
>
> Agreed.
>
> But I guess the situation some people have in mind is that you have
> *users* in your network you can't really control or trust not to mess
> up with DNS settings in their machines. As in, children.

Hmm, I get the problem with children on the network.

But I do not think that the fix is a redirection. The fix is to cut them off the network by simply dropping any packets to any alternative DNS servers. This can simply be configured using the current firewall UI.

For anybody else: If you have people on your network that you do not trust and who might tamper with the settings: do not have them on your network.

> But any kid smart enough to change DNS settings in their laptop or
> whatever is also smart enough to work around such redirection.
>
>> I would say that that checkbox that you have added should block
>> using any other DNS server except the ones configured by the DHCP
>> server.
>
> Yes. That'd be better, although even its usefulness is doubtful.
>
>> As an admin you want to know what is going wrong and not silently
>> redirect this.
>
> You should. At best it would give you an excuse, a way to claim you
> tried to prevent . Might be useful in a school or a library
> in some places...
>
> But I seriously dislike such reasons and don't think IPFire should
> cave in even if someone actually argues for them (not that people
> are likely to, as it'd obviously undermine them!).
>
>> If you really really want to redirect, I think the best option is to
>> add that functionality to the firewall UI that users can create a
>> rule that redirects this traffic. That way it is absolutely explicit
>> and the admin hopefully knows what they are doing.
>
> I could live with that, even if I doubt the need.
>
> Actually I'd prefer a generic mechanism for setting redirections
> for whatever types of packets. But not a high priority for me.

I am currently leaning towards that, too.

That way people can redirect whatever they like and we won't only limit this to DNS.

I do not see many other reasons why you would need this, but it is indeed a niche feature which some users might need sometimes.

-Michael

>
> --
> Tapani Tarvainen
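An added example, not code from IPFire or from anyone in this thread, of the two options discussed above: the "drop it and let the admin see it" policy Michael argues for (DNS to the firewall's own resolver is accepted, DNS from the LAN to anything else is logged and dropped), and, kept separate, the explicit redirect rule an admin would create on purpose. The interface name green0, the firewall address 192.168.1.1 and the LAN 192.168.1.0/24 are constructed assumptions and can be overridden through environment variables. By default the script only prints the iptables commands for review; passing `apply` as the second argument runs them (root on a Linux host with iptables is required for that).

```shell
#!/bin/sh
# Added example (not IPFire's own code): keep LAN DNS on the firewall's resolver.
# Constructed assumptions: the LAN ("green") interface is green0, the firewall's
# address on it is 192.168.1.1 and the LAN is 192.168.1.0/24. Override via env.
GREEN_IF="${GREEN_IF:-green0}"
GREEN_IP="${GREEN_IP:-192.168.1.1}"
GREEN_NET="${GREEN_NET:-192.168.1.0/24}"

# Option 1 (the approach argued for in the mail): accept DNS to the firewall's
# own resolver, and log-then-drop DNS from the LAN to any other server, so the
# admin sees which client is bypassing the resolver instead of it being hidden.
dns_block_rules() {
    proto="$1"
    printf 'iptables -A INPUT -i %s -p %s --dport 53 -d %s -j ACCEPT\n' \
        "$GREEN_IF" "$proto" "$GREEN_IP"
    printf 'iptables -A FORWARD -i %s -s %s -p %s --dport 53 -j LOG --log-prefix "DNS_BYPASS: " --log-level 4\n' \
        "$GREEN_IF" "$GREEN_NET" "$proto"
    printf 'iptables -A FORWARD -i %s -s %s -p %s --dport 53 -j DROP\n' \
        "$GREEN_IF" "$GREEN_NET" "$proto"
}

# Option 2 (the explicit redirect an admin would create deliberately): DNAT DNS
# that is not already addressed to the firewall onto the firewall's resolver.
dns_redirect_rules() {
    proto="$1"
    printf 'iptables -t nat -A PREROUTING -i %s -s %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
        "$GREEN_IF" "$GREEN_NET" "$proto" "$GREEN_IP" "$GREEN_IP"
}

# Emit the chosen rule set for both transports (DNS uses UDP and TCP port 53).
rule_set() {
    mode="$1"
    for proto in udp tcp; do
        case "$mode" in
            redirect) dns_redirect_rules "$proto" ;;
            *)        dns_block_rules "$proto" ;;
        esac
    done
}

# Usage: ./dns-policy.sh [block|redirect] [apply]
# Without "apply" the commands are only printed, so the rule set can be reviewed first.
if [ "${2:-}" = "apply" ]; then
    rule_set "${1:-block}" | sh -e
else
    rule_set "${1:-block}"
fi
```

The LOG rule sits directly before the DROP so that every dropped packet leaves a kernel log line prefixed DNS_BYPASS: with the client's source address, which is the "know what is going wrong" part of the argument; the redirect variant is deliberately not emitted together with the block rules, since the point made above is that redirection should be an explicit, separately chosen rule rather than a silent default.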