To protect your network against DNS hijacking attacks, there are two ways to configure the firewall so that DNS traffic only uses the DNS proxy built into IPFire.
Use only one of these two methods. The first is recommended as it would seamlessly redirect DNS queries to IPFire. This means that you would not need to reconfigure all systems which use hard-coded DNS servers (such as smartphone apps which may not use the DNS servers supplied by DHCP).
IPFire will use the DNS servers provided by your ISP (if using DHCP) or what you manually configure with the Setup program.
1. Redirect all DNS traffic to IPFire's DNS proxy
Warning - Only option 2 (Block all DNS traffic except through IPFire's DNS proxy, below) currently works. The target of a redirected DNS request is not the firewall itself, and an "any" destination is currently not accepted for DNAT rules in the IPFire WUI. Hopefully this will be possible in the future.
Force all DNS traffic through IPFire's built-in DNS proxy by using specific firewall rules:
First create an IPFire 'Service Group' for DNS:
In the IPFire WUI, open "Firewall" > "Firewall Groups"
Click the "Service Groups" button
In the "Group Name:" field, enter 'DNS'
Click the 'Add' button
Now click the yellow pencil icon next to the DNS service group to edit it
In the "Add" field select "DNS (TCP)" and click Add
Then, in the "Add" field select "DNS (UDP)" and click Add
Then configure new firewall rules:
Open the "Firewall" > "Firewall Rules" page
Click the "Apply changes" button at the top, as this will create the new DNS "Service Group" you previously configured
Now click the "New rule" button and configure the following fields:
Source: Standard networks GREEN
Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
Destination: Firewall GREEN
Protocol: "- Preset -"
Service Groups "DNS"
Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - GREEN"
Click the "Add" button
Back in the main "Firewall Rules" page, click the "Apply changes" button at the top
Create another rule identical to the one above for each additional network you have, for example for BLUE:
Click the "New rule" button and configure the following fields:
Source: Standard networks BLUE
Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
Destination: Firewall BLUE
Protocol: "- Preset -"
Service Groups "DNS"
Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - BLUE"
Click the "Add" button
Back in the main "Firewall Rules" page, click the "Apply changes" button at the top
2. Block all DNS traffic except through IPFire's DNS proxy
Note - Do not do this if you have followed the previous example. Only one of these methods should be used.
To prevent the use of other DNS servers, add firewall rules to allow access to IPFire's DNS server. Then add rules to reject all other DNS queries so that they are not forwarded through the firewall to the internet. Rule order matters here: the "permit" rules must come before the "deny" rules (see the Rule Processing page).
1. Create an IPFire 'Service Group' for DNS
In the IPFire WUI, open "Firewall" > "Firewall Groups"
Click the "Services" button
Enter a new custom service with:
Service name: DNS over TLS
Protocol: TCP
Port(s): 853
Click the "Service Groups" button
In the "Group Name:" field, enter 'DNS'
Click the 'Add' button
Now click the yellow pencil icon next to the DNS service group to edit it
In the "Add" field select "DNS (TCP)" and click Add
Then select "DNS (UDP)" and click Add
Finally select "DNS over TLS" and click Add
2. Create "permit" incoming firewall rules for IPFire's DNS server
Source: Standard networks ( GREEN or BLUE )
Destination: Firewall ( GREEN or BLUE )
Protocol: "- Preset -", Service Group: DNS
Action: ACCEPT
3. Create "deny" forwarding rules for all other DNS servers
Source: Standard networks ( GREEN or BLUE )
Destination: Standard networks RED
Protocol: "- Preset -", Service Group: DNS
Action: REJECT
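As an added example that is not part of this wiki page, the following bash script checks from a client on GREEN or BLUE that method 2 is in effect: a query to IPFire's DNS proxy is answered, while UDP/53 queries and TCP/853 (DNS over TLS) connections to public resolvers are blocked. The IPFire address 192.168.1.1, the public resolver addresses, the test name and the script file name are assumed values; change them to match your setup. Run it with `bash check-dns-enforcement.sh run` (it needs `dig` and `timeout` on the client).

```bash
#!/usr/bin/env bash
# check-dns-enforcement.sh (assumed name): verify from a client that only the
# IPFire DNS proxy is reachable after method 2 ("deny" forwarding rules) is applied.
IPFIRE_DNS="${IPFIRE_DNS:-192.168.1.1}"          # assumed GREEN address of IPFire
EXTERNAL_DNS="${EXTERNAL_DNS:-8.8.8.8 1.1.1.1}"  # public resolvers that must be unreachable
TEST_NAME="${TEST_NAME:-ipfire.org}"             # any name the proxy can resolve

# Classify captured `dig` output as "answered", "blocked" or "unknown".
# A reply with any status (even NXDOMAIN) means the resolver was reachable;
# a timeout or an ICMP unreachable (reported by dig as a communications error)
# means the firewall's REJECT rule did its job.
classify_dig_output() {
    local out="$1"
    case "$out" in
        *"status: NOERROR"*|*"status: NXDOMAIN"*|*"status: SERVFAIL"*|*"status: REFUSED"*)
            echo answered ;;
        *"timed out"*|*"no servers could be reached"*|*"communications error"*)
            echo blocked ;;
        *)  echo unknown ;;
    esac
}

# Send one A query over UDP/53 to the given resolver and classify the result.
probe_udp53() {
    local server="$1" out
    out=$(dig +time=2 +tries=1 @"$server" "$TEST_NAME" A 2>&1)
    classify_dig_output "$out"
}

# Attempt a TCP connection to port 853 (DNS over TLS); prints "open" or "blocked".
probe_tcp853() {
    local server="$1"
    if timeout 2 bash -c "exec 3<>/dev/tcp/$server/853" 2>/dev/null; then
        echo open
    else
        echo blocked
    fi
}

# Compare an observed result with the expected one; returns 0 on pass, 1 on fail.
check_result() {
    local what="$1" got="$2" want="$3"
    if [ "$got" = "$want" ]; then
        printf 'PASS %-40s %s\n' "$what" "$got"
        return 0
    fi
    printf 'FAIL %-40s got %s, expected %s\n' "$what" "$got" "$want"
    return 1
}

# Run all probes; exit status is non-zero if any expectation fails.
run_checks() {
    local rc=0 s
    check_result "UDP/53 to IPFire $IPFIRE_DNS" "$(probe_udp53 "$IPFIRE_DNS")" answered || rc=1
    for s in $EXTERNAL_DNS; do
        check_result "UDP/53 to external $s" "$(probe_udp53 "$s")" blocked || rc=1
        check_result "TCP/853 to external $s" "$(probe_tcp853 "$s")" blocked || rc=1
    done
    return $rc
}

# Network probes only run when invoked with "run"; sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    run_checks
fi
```

A "FAIL" line for an external resolver means a client on that network can still bypass the proxy, usually because the REJECT rule is missing for that network, sits after a broader ACCEPT rule, or has not been applied yet. Note that this check only validates method 2: with method 1, if it worked, queries to external resolvers would be silently answered by IPFire rather than blocked.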
Additional Configuration
Configure IPFire as the DNS server in the DHCP configuration (for clients with dynamic and fixed leases)
Manually configure IPFire as DNS server (for clients with static IPs which are not using DHCP)