From: Matthias Fischer
To: development@lists.ipfire.org
Subject: Re: [PATCH] unbound: Update to 1.9.0
Date: Fri, 15 Feb 2019 17:48:35 +0100
In-Reply-To: <596AD0BF-1122-42AB-BE4D-667D2EC4595D@ipfire.org>

On 15.02.2019 12:34, Michael Tremer wrote:
> On 14 Feb 2019, at 17:26, Matthias Fischer wrote:
>>
>> Hi Michael,
>>
>> On 14.02.2019 12:01, Michael Tremer wrote:
>>>>> I did *not* merge this one, yet.
>>>> No problem - I'm in touch with Erik trying to help testing TFO and DoT.
>>> Please don't forget to share what you are doing on this list
>>
>> Of course. ;-)
>>
>> So far, I got the same results as Erik. But my test environment is not
>> as extensive as his.
>>
>> One important result for me: the iptables rules to prevent DNS hijacking
>> are still working.
>
> The ones for the captive portal? Or did you have any custom rules?

I use custom rules in 'firewall.local' (inspired by
https://blog.ipfire.org/post/use-ipfire-to-protect-you-from-dnschanger):

***SNIP***
/sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to 192.168.100.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to 192.168.100.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to 192.168.101.254:53
/sbin/iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to 192.168.101.254:53
***SNAP***

I'm still testing under various conditions.

Best,
Matthias
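The rules above force every DNS query leaving green0 or blue0 through the IPFire resolver, so a client whose resolver setting was changed by malware (the DNSChanger case) still gets answers from the local unbound. A practitioner who keeps such rules in firewall.local usually also wants a way to confirm they are all loaded after an update, since one missing protocol rule (tcp is easy to forget) silently leaves a bypass. The script below is an added example, not code from the original message or from IPFire: it parses the text that `iptables-save -t nat` prints, checks that both udp and tcp port 53 on each internal interface are DNATed to the expected resolver, and can emit the firewall.local lines for a given interface/resolver mapping. The sample dump, the interface names and the resolver addresses are constructed from the message; the function names are this example's own.

```python
"""Audit an iptables nat-table dump for per-interface DNS redirect rules.

Added example, not part of the original message. It assumes the rules live in
the CUSTOMPREROUTING chain (as in firewall.local) and that the dump is the
output of `iptables-save -t nat`, which renders `--to` as `--to-destination`.
"""
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample dump: green0 has both rules, blue0 is missing the tcp rule.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:CUSTOMPREROUTING - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.100.254:53
-A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j DNAT --to-destination 192.168.100.254:53
-A CUSTOMPREROUTING -i blue0 -p udp -m udp --dport 53 -j DNAT --to-destination 192.168.101.254:53
COMMIT
"""

# Expected resolver per internal interface (addresses taken from the message).
EXPECTED: Dict[str, str] = {"green0": "192.168.100.254", "blue0": "192.168.101.254"}

# One DNAT rule for port 53 as iptables-save prints it.
RULE_RE = re.compile(
    r"^-A (?P<chain>\S+) -i (?P<iface>\S+) -p (?P<proto>udp|tcp) .*--dport 53 "
    r"-j DNAT --to-destination (?P<target>[\d.]+):53$"
)


def parse_dns_dnat_rules(dump: str) -> List[Tuple[str, str, str, str]]:
    """Return (chain, interface, protocol, target) for each port-53 DNAT rule."""
    rules = []
    for line in dump.splitlines():
        m = RULE_RE.match(line.strip())
        if m:
            rules.append((m["chain"], m["iface"], m["proto"], m["target"]))
    return rules


def audit(dump: str, expected: Dict[str, str]) -> List[Tuple[str, str, Optional[str]]]:
    """List (interface, protocol, actual_target) for every missing or wrong rule.

    An empty list means each interface redirects both udp and tcp DNS to the
    resolver it is supposed to use; a None target means no rule at all.
    """
    present = {(iface, proto): target for _, iface, proto, target in parse_dns_dnat_rules(dump)}
    problems = []
    for iface, resolver in expected.items():
        for proto in ("udp", "tcp"):
            target = present.get((iface, proto))
            if target != resolver:
                problems.append((iface, proto, target))
    return problems


def firewall_local_rules(expected: Dict[str, str], chain: str = "CUSTOMPREROUTING") -> List[str]:
    """Emit the firewall.local lines (same shape as in the message) for each interface."""
    lines = []
    for iface, resolver in expected.items():
        for proto in ("udp", "tcp"):
            lines.append(
                f"/sbin/iptables -t nat -A {chain} -i {iface} -p {proto} "
                f"--dport 53 -j DNAT --to {resolver}:53"
            )
    return lines


if __name__ == "__main__":
    for iface, proto, target in audit(SAMPLE_NAT_DUMP, EXPECTED):
        print(f"{iface}/{proto}: expected DNAT to {EXPECTED[iface]}, found {target}")
    print("\n".join(firewall_local_rules(EXPECTED)))
```

On a live system the dump would come from `iptables-save -t nat` instead of the constructed string; the audit reports the blue0 tcp gap in the sample, which is exactly the kind of hole a resolver-hijacking client could use while everything else looks fine.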