Re: Forcing all DNS traffic from the LAN to the firewall

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2809 bytes --]

Hi,

> On 15 Nov 2020, at 15:33, Tapani Tarvainen <ipfire(a)tapanitarvainen.fi> wrote:
> 
> On Sun, Nov 15, 2020 at 02:16:46PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
> 
>>> But I guess the situation some people have in mind is that you have
>>> *users* in your network you can't really control or trust not to mess
>>> up with DNS settings in their machines. As in, children.
>> 
>> Or you have *machines* (in this case, Apps) you can't control, because
>> they don't even have an input field for "DNS".
> 
> ... and have their own hardcoded DNS servers instead of trusting what
> DHCP says nor any Private DNS configuration in the phone (I presume
> you've tried that). Yeah, such abominations do exist.

Again, what are those apps?

This is absolutely unacceptable behaviour.

I do not understand how these vendors always try to be “smart” and build these things so that their advertising is always loading, but actually are only causing us to create another hurdle which they will have to find another way to hop over, and so on…

It is a silly game of catch we are playing here.

> And if you really can't avoid using them and still really need to be
> able to control which addresses they see, I guess port 53 redirection
> in the firewall makes sense.
> 
> I doubt that's a common enough case to warrant a custom setting in
> IPFire, but I don't mind having one (I'm not doing the work after
> all).
> 
>>> But any kid smart enough to change DNS settings in their laptop or
>>> whatever is also smart enough to work around such redirection.
> 
>> I'm curious. How could this be done? I have tested the REDIRECT rules
>> with various arbitrary entries, even with non-existing addresses. So
>> far, DNS queries were always redirected to the DNS servers specified in
>> IPFire until now. I even didn't notice that I tested with irregular or
>> invalid addresses.
> 
> Well, today the easy way is to use DoH.
> 
> Or DoT, if you don't block port 853.

We cannot redirect DoT or DoH because the clients would validate the certificate which won’t match.

This is only possible for plain old DNS over UDP or TCP.

> Other ways exist for the more nerdy types, from just /etc/hosts to
> tunneling DNS via some other port or another app, even over Facebook.
> (I was in working Saudi Arabia some 20 years ago when they introduced
> Internet there, along with DNS-based censorship - people can be pretty
> creative.)
> 
> Wardriving isn't an entirely forgotten art either.
> 
> And today's kids... you could find a 10-year-old running a virtual
> machine in his laptop or a Raspberry Pi with a custom DNS+DHCP server
> that fetches the forbidden addresses from his friends over WhatsApp.
> 
> -- 
> Tapani Tarvainen