wiki.ipfire.org

The community-maintained documentation platform of IPFire


Force clients to use IPFire's DNS proxy

To protect your network against DNS hijacking (clients or malware talking to a DNS server other than the one you control), there are two ways to configure the firewall so that DNS traffic from your internal networks only reaches the DNS proxy built into IPFire.

Use only one of these two methods. The first is the recommended one, because it transparently redirects DNS queries to IPFire: you do not need to reconfigure systems that use hard-coded DNS servers (such as smartphone apps which ignore the DNS servers supplied by DHCP). The second simply blocks such queries, so a client with a hard-coded external DNS server loses name resolution until it is reconfigured.

IPFire's DNS proxy in turn forwards queries to the DNS servers provided by your ISP (if RED is configured via DHCP) or to the servers you entered manually in the Setup program.

1. Redirect all DNS traffic to IPFire's DNS proxy

Important! Currently only method 2 (Block all DNS traffic except through IPFire's DNS proxy) works.

This is because the original destination of the DNS requests to be redirected is not the firewall itself but an arbitrary external server, and an "any" destination is currently not accepted for DNAT rules in the IPFire WUI. It is hoped that this will be possible in a future release; the steps below are kept for reference.

Force all DNS traffic through IPFire's built-in DNS proxy by using the following firewall rules:

First, create an IPFire 'Service Group' for DNS

  1. In the IPFire WUI, open “Firewall” > “Firewall Groups”
  2. Click the “Service Groups” button
  3. In the “Group Name:” field, enter 'DNS'
  4. Click the 'Add' button
  5. Now click the yellow pencil icon next to the DNS service group to edit it
  6. In the “Add” field select “DNS (TCP)” and click Add
  7. Then, in the “Add” field select “DNS (UDP)” and click Add

Second, configure new firewall rules

  1. Open the “Firewall” > “Firewall Rules” page
  2. Click the "Apply changes" button at the top, so that the DNS service group you created in the previous step becomes available to the rules
  3. Now click the "New rule" button and configure the following fields:
    • Source: Standard networks GREEN
    • Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
    • Destination: Firewall GREEN (the NAT target is the firewall's own GREEN address)
    • Protocol: "- Preset -"
    • Service Groups: "DNS"
    • Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - GREEN"
    • Click the "Add" button
  4. Back in the main “Firewall Rules” page, click the “Apply changes” button at the top
  5. Create another rule identical to the one above for each additional internal network you have, for example for BLUE:
    1. Click the "New rule" button and configure the following fields:
      • Source: Standard networks BLUE
      • Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
      • Destination: Firewall BLUE (the NAT target is the firewall's own BLUE address)
      • Protocol: "- Preset -"
      • Service Groups: "DNS"
      • Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - BLUE"
      • Click the "Add" button
  6. Back in the main “Firewall Rules” page, click the “Apply changes” button at the top

2. Block all DNS traffic except through IPFire's DNS proxy

Do not do this if you have followed the previous method; only one of the two should be used.

To prevent the use of other DNS servers, block all DNS queries from your internal networks to the internet. Queries addressed to IPFire itself are not affected by these rules, because their destination is the firewall's own interface address, not the RED network. Note that this only covers plain DNS on port 53: clients that use DNS over TLS (TCP port 853) or DNS over HTTPS (TCP port 443) are not caught by a port 53 block.

Create a forwarding rule for each internal network as follows:

  • Source: Standard networks (GREEN or BLUE)
  • Destination: Standard networks RED
  • Protocol: Service: DNS [1]
  • Action: either REJECT or DROP (REJECT makes misconfigured clients fail immediately with an ICMP error; DROP makes them wait for a timeout)

[1] For "Service" one can either choose the predefined services DNS (UDP) and DNS (TCP), which requires one rule per service, or a self-defined service group DNS containing both DNS (UDP) and DNS (TCP), as created in the first step of method 1 above.

You should also:

  • Configure IPFire as the DNS server in the DHCP configuration (for clients with dynamic and fixed leases)
  • Manually configure IPFire as the DNS server on clients with static IPs which do not use DHCP
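To confirm that either method actually takes effect, run a check from a client on GREEN or BLUE: a query to IPFire's proxy must be answered, while the same query sent directly to an external resolver over UDP and TCP port 53 must fail (time out under DROP, or come back with an ICMP error under REJECT). The script below is an added example written for this page, not IPFire code; it uses only the Python standard library, and the IPFire address (192.168.1.1) and external resolver (8.8.8.8) are assumptions for a lab network that you should replace with your own.

```python
#!/usr/bin/env python3
"""Client-side check that plain DNS (port 53) only works via IPFire's proxy.

Added example for the IPFire wiki page; it is not IPFire's own code. Run it
on a host in GREEN or BLUE after applying the firewall rules. The two
addresses below are assumptions for a lab network.
"""
import random
import socket
import struct

IPFIRE_DNS = "192.168.1.1"   # assumed GREEN address of IPFire (should answer)
EXTERNAL_DNS = "8.8.8.8"     # assumed public resolver (should be blocked)
QNAME = "ipfire.org"
TIMEOUT = 3.0                # seconds to wait before calling a server blocked


def build_query(name, qtype=1, txid=None):
    """Return a minimal DNS query (recursion desired) for NAME, type A by default."""
    if txid is None:
        txid = random.randint(0, 0xFFFF)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)


def parse_response(query, data):
    """Validate DATA as a reply to QUERY; return (rcode, answer_count).

    Raises ValueError for a truncated packet, a transaction-ID mismatch
    (a stray or spoofed packet) or a packet that is not a response.
    """
    if len(data) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != struct.unpack("!H", query[:2])[0]:
        raise ValueError("transaction ID mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit not set: not a response")
    return flags & 0x000F, ancount


def probe_udp(server, query, timeout=TIMEOUT):
    """Send QUERY over UDP/53 and classify what happens on the wire."""
    s = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    s.settimeout(timeout)
    try:
        s.connect((server, 53))      # connected socket so ICMP errors surface
        s.send(query)
        rcode, ancount = parse_response(query, s.recv(512))
        return "answered (rcode=%d, answers=%d)" % (rcode, ancount)
    except socket.timeout:
        return "no reply: DROP rule, or server unreachable"
    except ConnectionRefusedError:
        return "ICMP unreachable: REJECT rule (or no listener)"
    except ValueError as e:
        return "bad reply: %s" % e
    finally:
        s.close()


def probe_tcp(server, query, timeout=TIMEOUT):
    """Same check over TCP/53 (the rules must cover DNS (TCP) as well)."""
    try:
        with socket.create_connection((server, 53), timeout=timeout) as s:
            s.sendall(struct.pack("!H", len(query)) + query)
            hdr = s.recv(2)
            if len(hdr) < 2:
                return "connection closed without a reply"
            (length,) = struct.unpack("!H", hdr)
            data = b""
            while len(data) < length:
                chunk = s.recv(length - len(data))
                if not chunk:
                    break
                data += chunk
            rcode, ancount = parse_response(query, data)
            return "answered (rcode=%d, answers=%d)" % (rcode, ancount)
    except socket.timeout:
        return "no reply: DROP rule, or server unreachable"
    except ConnectionRefusedError:
        return "connection refused: REJECT rule (or no listener)"
    except ValueError as e:
        return "bad reply: %s" % e


def main():
    query = build_query(QNAME)
    for label, server in (("IPFire proxy", IPFIRE_DNS), ("external", EXTERNAL_DNS)):
        print("%-13s %-15s UDP: %s" % (label, server, probe_udp(server, query)))
        print("%-13s %-15s TCP: %s" % (label, server, probe_tcp(server, query)))


if __name__ == "__main__":
    main()
```

With method 2 in place the external lines should read "no reply" (DROP) or "ICMP unreachable"/"connection refused" (REJECT) for both UDP and TCP, and the IPFire lines "answered". If the external TCP probe is answered while UDP is blocked, the rule only covers DNS (UDP) and the service group is missing DNS (TCP).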
configuration/firewall/dns.txt · Last modified: 2018/11/24 20:03 by Jon