On 15.02.2019 12:34, Michael Tremer wrote:
> On 14 Feb 2019, at 17:26, Matthias Fischer wrote:
>>
>> Hi Michael,
>>
>> On 14.02.2019 12:01, Michael Tremer wrote:
>>>>> I did *not* merge this one, yet.
>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>>> Please don't forget to share what you are doing on this list
>>
>> Of course. ;-)
>>
>> So far, I got the same results as Erik. But my test environment is not
>> as extensive as his.
>>
>> One important result for me: the iptables rules to prevent dns hijacking
>> are still working.
>
> The ones for the captive portal? Or did you have any custom rules?

I use custom rules in 'firewall.local' (inspired by
https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger):

***SNIP***
/sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
***SNAP***

I'm still testing under various conditions.

Best,
Matthias
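As an added example (not part of the thread and not IPFire project code), the same four DNAT rules expressed as a small firewall.local-style helper: the interface/resolver table is expanded to a UDP and a TCP rule per interface so neither transport is forgotten, and each rule is added only if `iptables -C` does not already find it, so re-running the script cannot duplicate rules. The interface names and resolver addresses are the ones from the post; DRY_RUN and the function names are my own assumptions.

```shell
#!/bin/sh
# Added example: idempotent DNS-redirect rules for the CUSTOMPREROUTING chain.
# Set DRY_RUN=1 to print the iptables commands instead of running them.

IPT="${IPT:-/sbin/iptables}"

# Constructed table, one "<interface> <local resolver>" pair per line
# (values taken from the post above).
DNS_REDIRECTS="green0 192.168.100.254
blue0 192.168.101.254"

# ensure_dns_redirect IFACE RESOLVER PROTO
# Redirects plain DNS (port 53) on IFACE/PROTO to RESOLVER:53. Note that only
# port 53 is covered; DoT (853) or DoH (443) traffic is not touched by these rules.
ensure_dns_redirect() {
    spec="CUSTOMPREROUTING -i $1 -p $3 --dport 53 -j DNAT --to $2:53"
    if [ -n "$DRY_RUN" ]; then
        echo "$IPT -t nat -A $spec"
        return 0
    fi
    # -C exits 0 when an identical rule is already present; only then skip -A.
    # $spec is deliberately unquoted so that it is split into arguments.
    # shellcheck disable=SC2086
    "$IPT" -t nat -C $spec 2>/dev/null || "$IPT" -t nat -A $spec
}

# Expand the table: every interface gets both a udp and a tcp rule.
apply_dns_redirects() {
    printf '%s\n' "$DNS_REDIRECTS" | while read -r iface resolver; do
        [ -n "$iface" ] || continue
        for proto in udp tcp; do
            ensure_dns_redirect "$iface" "$resolver" "$proto"
        done
    done
}
```

Run as root from firewall.local's start section; with DRY_RUN=1 it just prints the four commands for review.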