On 4 Mar 2020, at 06:00, Tapani Tarvainen ipfire@tapanitarvainen.fi wrote:
On Tue, Mar 03, 2020 at 06:32:00PM +0000, Peter Müller (peter.mueller@ipfire.org) wrote:
I like your suggestion, and see something like "reject any client connecting to any other DNS server on the internet" similar to blocking outbound connections to port 25 in order to prevent spamming.
In both cases and for most SOHO networks, there is little legitimate reason to do so. Regarding external DNS servers, IoT and similar things come to my mind, which have their resolvers hard-coded in the firmware.
Thinking about those, how about an option to *redirect* connections to port 53 of external servers to IPFire rather than rejecting them?
Yes, we could do that for 53 UDP and TCP, but not for 853 obviously.
-- Tapani Tarvainen
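As an added illustration of the rule set the redirect option would amount to (example code written for this thread, not from the IPFire project): plain DNS from the LAN bound for any external resolver is DNATed to the firewall's own resolver, while DNS-over-TLS on 853/tcp is rejected, since a transparent redirect there would only produce certificate failures on the client. The interface name `green0` and address `192.168.1.1` are assumptions.

```shell
#!/bin/sh
# Constructed example: generate the iptables commands for redirecting LAN
# clients' plain DNS (53/udp and 53/tcp) to the IPFire resolver and rejecting
# DNS-over-TLS (853/tcp), which cannot be transparently redirected.
# Interface and address below are assumptions for a typical green network.

# Emit one iptables command per line; pipe the output to sh on the firewall
# to apply it (the commands are not executed here).
dns_redirect_rules() {
    lan_if="$1"   # LAN-side interface, e.g. green0
    lan_ip="$2"   # IPFire's address on that interface (its resolver listens here)

    for proto in udp tcp; do
        # Queries already addressed to IPFire itself are left untouched;
        # everything else on port 53 is rewritten to IPFire's resolver.
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto ! -d $lan_ip --dport 53 -j DNAT --to-destination $lan_ip:53"
    done

    # DoT cannot be redirected (clients validate the server certificate),
    # so forwarded 853/tcp is rejected with a reset to fail fast.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
}

# Number of rules produced, handy for a quick sanity check before applying.
count_rules() {
    dns_redirect_rules "$1" "$2" | wc -l | tr -d ' '
}
```

Devices with hard-coded resolvers then keep working because their queries are answered by IPFire, and the only thing they lose is the ability to bypass its DNS policy.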