From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Sun, 15 Nov 2020 14:45:35 +0000
Message-ID: <98A8702B-307A-42B3-B10E-9B0D028E4C07@ipfire.org>
In-Reply-To: <008da5bd-4700-e382-c228-1faf3895dfb1@ipfire.org>

> On 15 Nov 2020, at 13:16, Matthias Fischer wrote:
>
> Hi,
>
> On 13.11.2020 15:55, Tapani Tarvainen wrote:
>> On Fri, Nov 13, 2020 at 02:23:10PM +0000, Michael Tremer (michael.tremer(a)ipfire.org) wrote:
>> ...
>>> So what I could come up with is this:
>>>
>>> * You have a host on your network that does not use your DNS servers.
>>>
>>> * You have a host on your network that does not allow you to put in custom DNS servers.
>>>
>>> I would simply say: Throw them away. That is not network equipment.
>>> It simply is a bug, and that should not be fixed by us.
>>
>> Agreed.
>>
>> But I guess the situation some people have in mind is that you have
>> *users* in your network you can't really control or trust not to mess
>> up with DNS settings in their machines. As in, children.
>
> Or you have *machines* (in this case, apps) you can't control, because
> they don't even have an input field for "DNS".

Do you have any examples?

I have never encountered that, because if they allow static configuration of the IP address, they won't get a DNS server at all.

For devices that only support DHCP, this might make sense. I have a Philips Hue bridge that does not support static configuration and simply gets a lease from the DHCP server. The intention is probably to be entirely zero-configuration.

>> But any kid smart enough to change DNS settings in their laptop or
>> whatever is also smart enough to work around such redirection.
>
> I'm curious. How could this be done? I have tested the REDIRECT rules
> with various arbitrary entries, even with non-existing addresses. So
> far, DNS queries have always been redirected to the DNS servers specified in
> IPFire. I didn't even notice that I had tested with irregular or
> invalid addresses.

Proxies. VPNs. Tor. Remotely logging in to another computer - like RDP, VNC, etc.

> ...
>
> Best,
> Matthias