To protect your network against DNS hijacking attacks, there is a new way to configure the firewall so DNS traffic only uses the DNS server built-in to IPFire.
This will seamlessly redirect DNS queries to IPFire. This means that you do not need to reconfigure all systems which use hard-coded DNS (such as Smartphone apps which may not use DHCP-supplied DNS servers).
IPFire will use the DNS servers provided by your ISP (if using DHCP) or what you manually configure with the Setup program.
Example - redirect DNS
Do you have a device on the network that doesn't behave and looks to Microsoft, Google AND Amazon, (or some far away DNS system) for DNS services? The Firewall Rule below will grab the DNS request and redirect it to the IPFire box.
Create a new Firewall Group
- go to menu Firewall -> Firewall Groups
- Click Service Groups
- Enter a Group name of DNS (both)
- Add DNS (TCP) to the group
- Add DNS (UDP) to the group
Create a new Firewall Rule
Source
- Select Standard Networks and choose GREEN (or blue).
NAT
- Check Use Network Address Translation (NAT)
- Select Destination NAT (Port forwarding)
- Select Firewall Interface: Automatic
Destination
- Select Firewall and Select All from the drop down
Protocol
- Choose Preset from the drop down.
- Select Services Groups
- Choose DNS (both) from the drop down.
Final Notes
- Click the Add button when done.
- On the Firewall Rules page, press Apply Changes to make the new rule active.
Additional Configuration
- In the IPFire WebGUI go to DHCP configuration and set the Primary DNS to the IP address of the IPFire device.
- On client devices that are setup with a static IP, make sure the client network DNS server is set to the IP address of the IPFire device.
