Hi,
On 13 Nov 2020, at 14:55, Tapani Tarvainen ipfire@tapanitarvainen.fi wrote:
On Fri, Nov 13, 2020 at 02:23:10PM +0000, Michael Tremer (michael.tremer@ipfire.org) wrote:
- Do we need this?
[Hm. ;-) As I heard, some folks do.]
Very good question.
I do not entirely understand the use-case for this. And I think nobody has shown an example at all here.
Agreed. The use case has been dubious to begin with, and as noted DoH is making it increasingly so.
So what I could come up with is this:
You have a host on your network that does not use your DNS servers.
You have a host on your network that does not allow you to put in custom DNS servers.
I would simply say: Throw them away. That is not network equipment. It simply is a bug, and that should not be fixed by us.
Agreed.
But I guess the situation some people have in mind is that you have *users* in your network you can't really control or trust not to mess up with DNS settings in their machines. As in, children.
Hmm, I get the problem with children on the network.
But I do not think that the fix is a redirection. The fix is to cut them off the network by simply dropping any packets to any alternative DNS servers. This can simply be configured using the current firewall UI.
For anybody else: If you have people on your network that you do not trust and who might temper with the settings: do not have them on your network.
But any kid smart enough to change DNS settings in their laptop or whatever is also smart enough to work around such redirection.
I would say that that checkbox that you have added should block using any other DNS server except the ones configured by the DHCP server.
Yes. That'd be better, although even its usefulness is doubtful.
As an admin you want to know what is going wrong and not silently redirect this.
You should. At best it would give you an excuse, a way to claim you tried to prevent <whatever>. Might be useful in a school or a library in some places...
But I seriously dislike such reasons and don't think IPFire should cave in even if someone actually argues for them (not that people are likely to, as it'd obviously undermine them!).
If you really really want to redirect, I think the best option is to add that functionality to the firewall UI that users can create a rule that redirects this traffic. That way it is absolutely explicit and the admin hopefully knows what they are doing.
I could live with that, even if I doubt the need.
Actually I'd prefer a generic mechanism for setting redirections for whatever types of packets. But not a high priority for me.
I am currently leaning towards that, too.
That way people can redirect whatever they like and we won’t only limit this to DNS.
I do not see many other reasons why you would need this, but it is indeed a niche feature which some users might need sometimes.
-Michael
-- Tapani Tarvainen