Hello,

> On 5 Nov 2019, at 12:45, Stefan Schantl wrote:
>
> Hello Michael,
>> Hi,
>>
>> Shouldn’t HOME_NET still be in DNS_SERVERS for users who are running
>> a DNS server behind their firewall?
>
> set HOME_NET here would result in DNS related intrusion rules which
> will only match if DNS requests will be sent to an internal DNS server,
> which was the default in the past.
>
> The current approach is to set this value to the used DNS servers, or
> if unbound is used in recursor mode to every external address
> (!HOME_NET).

Yes, I know what the patch does.

I was just asking because this patch means that DNS traffic coming from the Internet to a local DNS server in a local subnet will no longer be scanned. That worked before and I think it should continue to work.

HOME_NET should be in DNS_SERVERS, *as well as* the resolvers that unbound is using.

-Michael

>
> Best regards,
>
> -Stefan
>>
>>> On 5 Nov 2019, at 09:32, Stefan Schantl
>>> wrote:
>>>
>>> These settings now will be read from
>>> /var/ipfire/suricata/suricata-dns-servers.yaml, which will be
>>> generated by the generate_dns_servers_file() function, located in
>>> ids-functions.pl and called by various scripts.
>>>
>>> Fixes #12166.
>>>
>>> Signed-off-by: Stefan Schantl
>>> ---
>>> config/suricata/suricata.yaml | 4 +++-
>>> 1 file changed, 3 insertions(+), 1 deletion(-)
>>>
>>> diff --git a/config/suricata/suricata.yaml
>>> b/config/suricata/suricata.yaml
>>> index e921781cf..af9cb75a9 100644
>>> --- a/config/suricata/suricata.yaml
>>> +++ b/config/suricata/suricata.yaml
>>> @@ -11,12 +11,14 @@ vars: >>> # Include HOME_NET declaration from external file. >>> include: /var/ipfire/suricata/suricata-homenet.yaml >>> >>> + # Include DNS_SERVERS declaration from external file. >>> + include: /var/ipfire/suricata/suricata-dns-servers.yaml >>> + >>> EXTERNAL_NET: "any" >>> >>> HTTP_SERVERS: "$HOME_NET" >>> SMTP_SERVERS: "$HOME_NET" >>> SQL_SERVERS: "$HOME_NET" >>> - DNS_SERVERS: "$HOME_NET" >>> TELNET_SERVERS: "$HOME_NET" >>> AIM_SERVERS: "$EXTERNAL_NET" >>> DC_SERVERS: "$HOME_NET" >>> -- >>> 2.20.1 >>> >
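Review bot: Replacing `- DNS_SERVERS: "$HOME_NET"` with `+ include: /var/ipfire/suricata/suricata-dns-servers.yaml` leaves no definition of DNS_SERVERS in this file at all, so if the generated file is absent or empty when Suricata starts (generate_dns_servers_file() not yet run, or failed), every rule that references $DNS_SERVERS cannot be loaded; have the generator always write a value, falling back to "$HOME_NET", rather than relying on the file being present. Separately, as raised in the thread, the generated value should keep $HOME_NET alongside the upstream resolvers, for example `DNS_SERVERS: "[$HOME_NET, <resolver list>]"`, because a bare `!$HOME_NET` excludes exactly the Internet-to-internal-DNS-server traffic that the removed line used to cover.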
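The point Michael raises above, as an added example that is not from the thread or from the IPFire code: a small evaluator for the Suricata address-group syntax these vars use, run over three constructed DNS_SERVERS settings to show which of them a `$EXTERNAL_NET any -> $DNS_SERVERS 53` rule header would match. HOME_NET, resolver and client addresses are placeholder values, and the three var snapshots are assumptions modelled on the thread.

```python
import ipaddress

# Constructed Suricata `vars` snapshots (placeholder addresses, not from the page).
# BEFORE is the line the patch removes, RECURSOR is the "!HOME_NET" recursor-mode
# value described in the thread, PROPOSED is HOME_NET plus the upstream resolvers.
HOME = "[192.168.0.0/16,10.0.0.0/8]"
VARS_BEFORE = {"HOME_NET": HOME, "EXTERNAL_NET": "any", "DNS_SERVERS": "$HOME_NET"}
VARS_RECURSOR = {"HOME_NET": HOME, "EXTERNAL_NET": "any", "DNS_SERVERS": "!$HOME_NET"}
VARS_PROPOSED = {"HOME_NET": HOME, "EXTERNAL_NET": "any",
                 "DNS_SERVERS": "[$HOME_NET,198.51.100.1,198.51.100.2]"}

def _split_top(expr):
    """Split an address group on commas that are not inside nested brackets."""
    parts, depth, cur = [], 0, ""
    for ch in expr:
        depth += (ch == "[") - (ch == "]")
        if ch == "," and depth == 0:
            parts.append(cur)
            cur = ""
        else:
            cur += ch
    return parts + [cur] if cur else parts

def in_group(expr, ip, variables):
    """True if `ip` is covered by the Suricata address group `expr`.
    Handles the subset used in suricata.yaml: any, CIDR/IP, $VAR, !negation
    and [a,b,!c] lists, where negated list members act as exclusions."""
    expr = expr.strip()
    if expr == "any":
        return True
    if expr.startswith("!"):
        return not in_group(expr[1:], ip, variables)
    if expr.startswith("$"):
        return in_group(variables[expr[1:]], ip, variables)
    if expr.startswith("[") and expr.endswith("]"):
        members = [m.strip() for m in _split_top(expr[1:-1])]
        positive = [m for m in members if not m.startswith("!")]
        negative = [m[1:] for m in members if m.startswith("!")]
        included = any(in_group(p, ip, variables) for p in positive) if positive else True
        return included and not any(in_group(n, ip, variables) for n in negative)
    return ipaddress.ip_address(ip) in ipaddress.ip_network(expr, strict=False)

def dns_rule_fires(variables, src, dst):
    """Would a rule header `$EXTERNAL_NET any -> $DNS_SERVERS 53` match src -> dst?"""
    return in_group(variables["EXTERNAL_NET"], src, variables) and \
           in_group(variables["DNS_SERVERS"], dst, variables)

if __name__ == "__main__":
    for name, v in (("before", VARS_BEFORE), ("recursor", VARS_RECURSOR), ("proposed", VARS_PROPOSED)):
        print(name, "internet->internal DNS:", dns_rule_fires(v, "203.0.113.5", "192.168.1.53"),
              "| firewall->resolver:", dns_rule_fires(v, "192.168.0.1", "198.51.100.1"))
```

Only the PROPOSED setting matches both a query from the Internet to an internal DNS server and unbound's own query to an upstream resolver; the recursor-mode `!$HOME_NET` value silently drops the first case.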