From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Fri, 13 Nov 2020 14:23:10 +0000
In-Reply-To: <893404c4-16eb-2055-5702-7a3b44377443@ipfire.org>

Hi Matthias,

Sorry for my late reply. I am surprised this discussion is so quiet.

> On 9 Nov 2020, at 17:47, Matthias Fischer wrote:
>
> Hi,
>
> there have been several discussions with several solution attempts in
> both IPFire forums (old/new), generally starting with (e.g.) "...I am
> trying to redirect all of my DNS traffic to go thru the IPFire DNS
> instead of directly to an outside DNS server...".
>
> Current discussion =>
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
>
> But not only in the forums - the oldest Wiki article is dated "May 22,
> 2015". Long time, but still editing scripts manually...
>
> Hoping that there is a chance for a (final) integrated solution which
> doesn't include editing code, but having a checkbox to switch this
> functionality ON/OFF on a standardized and more secure base, I would
> like to open a discussion on the list.

Very good. I like a discussion.

> For a start and to test how this could probably be done - and to find
> out if I can do it - I customized '/srv/web/ipfire/cgi-bin/optionsfw.cgi'.
>
> Screenshots of the result can be found in the forum thread cited above:
> =>
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/91
>
> But some points are IMHO still unclear and need clarification. And I
> think I'm not the one to decide where to go...
>
> My thoughts until now:
>
> - Do we need this?
> [Hm. ;-) As I heard, some folks do.]

Very good question. I do not entirely understand the use-case for this. And I think nobody has shown an example at all here.

So what I could come up with is this:

* You have a host on your network that does not use your DNS servers.
* You have a host on your network that does not allow you to put in custom DNS servers.

I would simply say: Throw them away. That is not network equipment. It simply is a bug, and that should not be fixed by us.

* You might have a host or an app (YouTube is my favourite) that simply does not give a fuck about your network configuration and will try to break any filtering either by DNS or proxy just to show you advertising and to increase $BIGCORP's revenue.

I consider that malware or simply broken. Should we fix that by redirecting? I don't think so.

I would say that that checkbox that you have added should block using any other DNS server except the ones configured by the DHCP server.

As an admin you want to know what is going wrong and not silently redirect this.

If you really really want to redirect, I think the best option is to add that functionality to the firewall UI so that users can create a rule that redirects this traffic. That way it is absolutely explicit and the admin hopefully knows what they are doing.

> - Is the 'optionsfw.cgi' the right place for this?
> [In my opinion: yes. It was easy to add and sits beside other
> interface "options"]

Yes. I believe this is the right place.

> - Do we really want this for all installations?
> [For someone, who doesn't want or doesn't need it: it can be switched OFF]

Default must be OFF. We should not tamper with people's packets.

Apart from blocking packets, IPFire's most popular feature is forwarding them.

> - Is this function usable under ALL circumstances?
> [If not: it can be switched OFF]

No, I believe that this should be the exception and users can switch it on if they want to.

> - Where (E.g: firewall init script, rules.pl, wirelessctrl.c, ...)
> should the necessary iptables rules be processed?
> [Some ideas how this could be done, but no "breakthrough". Current
> option-settings are processed in several scripts. Which one to use!?]

This would probably go into /etc/init.d/firewall.

> Before going on and investing more time in this (on the forum), I'd like
> to know how the developers think about this and would like to collect
> ideas and suggestions here.

I hope I could answer the questions. I would like to hear more opinions.

Best,
-Michael

>
> Any hints are welcome...
>
> Best,
> Matthias
>
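The two options discussed in the message above, blocking LAN DNS traffic that bypasses the firewall (and logging it so the admin can see which host is misbehaving) versus an explicit redirect, written out as a small rule generator. This is an added example and not code from this thread or from IPFire: the function names `dns_rules` and `dns_apply`, the interface name `green0`, the address 192.168.1.1 and the use of the plain FORWARD and nat PREROUTING chains are assumptions made so the script runs stand-alone; an IPFire integration would be hooked into /etc/init.d/firewall as discussed above and would use that script's own chains.

```shell
#!/bin/sh
# Added example (not IPFire code): generate, and optionally apply, iptables
# rules for LAN DNS traffic that does not go to the firewall's own resolver.
# Assumptions: plain FORWARD / nat PREROUTING chains, a LAN interface such as
# green0, and a firewall address that is also the DNS server handed out by DHCP.

# dns_rules MODE IFACE FW_IP
#   MODE  : off | block | redirect
#   IFACE : LAN-facing interface (assumed: green0)
#   FW_IP : firewall address on that interface (assumed: 192.168.1.1)
# Prints one iptables command per line; prints nothing for "off";
# returns 1 for an unknown mode.
dns_rules() {
    mode="$1"; iface="$2"; fwip="$3"
    case "$mode" in
        off)
            # Default: no rules at all, the firewall does not touch the packets.
            return 0
            ;;
        block)
            # Log, then reject, forwarded DNS that is not addressed to the
            # firewall itself. The LOG line is what tells the admin which
            # host is ignoring the DHCP-supplied resolver.
            for proto in udp tcp; do
                case "$proto" in
                    tcp) rej='REJECT --reject-with tcp-reset' ;;
                    *)   rej='REJECT' ;;
                esac
                printf 'iptables -A FORWARD -i %s -p %s --dport 53 ! -d %s -j LOG --log-prefix "DNS_BYPASS "\n' \
                    "$iface" "$proto" "$fwip"
                printf 'iptables -A FORWARD -i %s -p %s --dport 53 ! -d %s -j %s\n' \
                    "$iface" "$proto" "$fwip" "$rej"
            done
            ;;
        redirect)
            # Explicit opt-in only: rewrite the destination to the firewall's
            # resolver. Conntrack un-NATs the reply, so no SNAT is needed.
            for proto in udp tcp; do
                printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport 53 ! -d %s -j DNAT --to-destination %s:53\n' \
                    "$iface" "$proto" "$fwip" "$fwip"
            done
            ;;
        *)
            echo "dns_rules: unknown mode '$mode'" >&2
            return 1
            ;;
    esac
}

# dns_apply MODE IFACE FW_IP: run the generated rules (needs root and iptables).
dns_apply() {
    dns_rules "$@" | while IFS= read -r cmd; do
        eval "$cmd" || return 1
    done
}

# Preview without root: print what each mode would load.
for m in off block redirect; do
    echo "# mode: $m"
    dns_rules "$m" green0 192.168.1.1
done
```

`dns_rules block green0 192.168.1.1` previews the rules; `dns_apply` loads them and is the only part that needs root. The `off` mode deliberately emits nothing, matching the default-OFF requirement above. Two caveats for anyone wiring this in: the redirect variant only works if the firewall's resolver already accepts queries on that interface (an INPUT rule the script assumes exists), and neither variant sees DNS-over-HTTPS on port 443, which is exactly the kind of app behaviour described in the message; port-53 rules cannot force that traffic anywhere.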