From: Michael Tremer
To: development@lists.ipfire.org
Subject: Re: Forcing all DNS traffic from the LAN to the firewall
Date: Mon, 16 Nov 2020 10:32:20 +0000
In-Reply-To: <20201115153318.GB727329@vesikko.tarvainen.info>

Hi,

> On 15 Nov 2020, at 15:33, Tapani Tarvainen wrote:
>
> On Sun, Nov 15, 2020 at 02:16:46PM +0100, Matthias Fischer (matthias.fischer(a)ipfire.org) wrote:
>
>>> But I guess the situation some people have in mind is that you have
>>> *users* in your network you can't really control or trust not to mess
>>> up with DNS settings in their machines. As in, children.
>>
>> Or you have *machines* (in this case, Apps) you can't control, because
>> they don't even have an input field for "DNS".
>
> ... and have their own hardcoded DNS servers instead of trusting what
> DHCP says nor any Private DNS configuration in the phone (I presume
> you've tried that). Yeah, such abominations do exist.

Again, what are those apps? This is absolutely unacceptable behaviour.

I do not understand how these vendors always try to be “smart” and build these things so that their advertising is always loading, but actually are only causing us to create another hurdle which they will have to find another way to hop over, and so on… It is a silly game of catch we are playing here.

> And if you really can't avoid using them and still really need to be
> able to control which addresses they see, I guess port 53 redirection
> in the firewall makes sense.
>
> I doubt that's a common enough case to warrant a custom setting in
> IPFire, but I don't mind having one (I'm not doing the work after
> all).
>
>>> But any kid smart enough to change DNS settings in their laptop or
>>> whatever is also smart enough to work around such redirection.
>
>> I'm curious. How could this be done? I have tested the REDIRECT rules
>> with various arbitrary entries, even with non-existing addresses. So
>> far, DNS queries were always redirected to the DNS servers specified in
>> IPFire until now. I even didn't notice that I tested with irregular or
>> invalid addresses.
>
> Well, today the easy way is to use DoH.
>
> Or DoT, if you don't block port 853.

We cannot redirect DoT or DoH because the clients would validate the certificate which won’t match. This is only possible for plain old DNS over UDP or TCP.

> Other ways exist for the more nerdy types, from just /etc/hosts to
> tunneling DNS via some other port or another app, even over Facebook.
> (I was working in Saudi Arabia some 20 years ago when they introduced
> Internet there, along with DNS-based censorship - people can be pretty
> creative.)
>
> Wardriving isn't an entirely forgotten art either.
>
> And today's kids... you could find a 10-year-old running a virtual
> machine in his laptop or a Raspberry Pi with a custom DNS+DHCP server
> that fetches the forbidden addresses from his friends over WhatsApp.
>
> --
> Tapani Tarvainen
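The thread discusses redirecting plain port 53 DNS from the LAN to the firewall's resolver and blocking port 853 (DoT), while noting that DoH and DoT cannot be transparently redirected because the client validates the server certificate. The following script is an added example and not IPFire's own code or configuration; it prints the iptables rules as a dry run for review rather than applying them, and `green0` (the LAN interface name) is an assumed placeholder. The `classify_dns_flow` helper shows what such a policy does to a given LAN flow, including the gap the thread points out: DoH on tcp/443 looks like any other HTTPS connection and passes through untouched.

```shell
#!/bin/sh
# Added example (not IPFire's code): force plain DNS from the LAN to the
# firewall's own resolver and block DNS-over-TLS, which cannot be redirected
# transparently because the client would reject the firewall's certificate.

LAN_IF="${LAN_IF:-green0}"   # assumed LAN interface name (placeholder)

# dns_rules prints the iptables commands instead of executing them, so the
# policy can be reviewed first. The REDIRECT target sends the packet to the
# address of the interface it arrived on, i.e. the firewall's own resolver.
dns_rules() {
  for proto in udp tcp; do
    # Plain DNS: rewrite any destination a client hardcoded to the firewall.
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -p $proto --dport 53 -j REDIRECT --to-ports 53"
  done
  # DoT: cannot be intercepted (certificate mismatch), so it is rejected instead.
  echo "iptables -A FORWARD -i $LAN_IF -p tcp --dport 853 -j REJECT"
}

# rule_count returns how many rules the policy emits (2 redirects + 1 reject).
rule_count() {
  dns_rules | wc -l | tr -d ' '
}

# classify_dns_flow PROTO DPORT: what the policy above does to a LAN flow
# heading for that port. tcp/443 (where DoH lives) is indistinguishable from
# ordinary HTTPS here, so it "passes": this policy only covers plain DNS.
classify_dns_flow() {
  proto="$1"
  dport="$2"
  case "$proto/$dport" in
    udp/53|tcp/53) echo redirected ;;
    tcp/853)       echo rejected ;;
    *)             echo passes ;;
  esac
}

# Review the generated policy; apply with `dns_rules | sh` as root if wanted.
dns_rules
```

Running the script only prints the three rules; piping its output into `sh` as root applies them. The point of `classify_dns_flow` is the caveat from the thread: this kind of redirection governs only plain DNS over UDP/TCP, and a client that speaks DoH on port 443 is not affected by it.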