WARNING: Changes in IPFire 2 Core Update 132 may cause these steps to block DNS entirely - see the forums.
To protect your network against DNS hijacking attacks, there are two ways to configure the firewall so that DNS traffic from your network only ever uses the DNS proxy built into IPFire.
Use only one of these two methods. The first is recommended because it transparently redirects DNS queries to IPFire, so you do not need to reconfigure systems that use hard-coded DNS servers (such as smartphone apps which may ignore the DNS servers supplied by DHCP).
IPFire itself will use the DNS servers provided by your ISP (if using DHCP) or the servers you configured manually with the Setup program.
Currently only option 2, "Block all DNS traffic except through IPFire's DNS proxy" (below), works.
This is because a redirect rule has to match DNS requests addressed to any destination, not just to the firewall itself, and the IPFire WUI currently does not accept "any" as the destination of a DNAT rule. Hopefully this will be possible in the future.
Option 1: Redirect all DNS traffic to IPFire's built-in DNS proxy using specific firewall rules:
First create an IPFire 'Service Group' for DNS (port 53, both UDP and TCP).
Then configure new firewall rules that redirect (DNAT) traffic matching that service group to IPFire.
Option 2: Block all DNS traffic except through IPFire's DNS proxy. Do not do this if you have followed the previous example; only one of these methods should be used.
To prevent the use of other DNS servers, first add firewall rules that allow access from your network to IPFire's own DNS server. Then add rules that reject all other DNS queries instead of forwarding them through the firewall to the internet. Because the permit rules must be processed before the reject rules, check their order (see the Rule Processing page).
1. Create an IPFire 'Service Group' for DNS
2. Create “permit” incoming firewall rules for IPFire's DNS server
3. Create “deny” forwarding rules for all other DNS servers
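The two methods above are described in terms of the WUI; the following is an added example (not from the IPFire wiki or the IPFire project) showing the equivalent iptables rules, the kind of thing you would place in a custom firewall hook such as /etc/sysconfig/firewall.local. The interface name green0, the firewall address 192.168.1.1 and the CUSTOMPREROUTING/CUSTOMINPUT/CUSTOMFORWARD chain names are assumptions; adjust them to your installation. With DRY_RUN=1 (the default) the script only prints the rules, so you can review them before applying.

```shell
#!/bin/sh
# Added example, not part of the IPFire documentation: iptables equivalents of
# "Option 1" (redirect DNS to IPFire) and "Option 2" (permit DNS to IPFire,
# reject all other DNS). Chain names, interface and address are assumed.

GREEN_IF="${GREEN_IF:-green0}"      # assumed name of the internal (green) interface
FW_IP="${FW_IP:-192.168.1.1}"       # assumed address of IPFire on the green network
DRY_RUN="${DRY_RUN:-1}"             # 1 = print the commands, 0 = execute them

# run: print the iptables command, or execute it when DRY_RUN=0
run() {
    if [ "$DRY_RUN" = 1 ]; then
        echo "$*"
    else
        "$@"
    fi
}

# Option 1: transparently redirect every DNS query leaving the green network
# (UDP and TCP port 53) to the proxy listening on the firewall itself.
# Queries already addressed to the firewall are excluded with "! -d" so that
# they keep their normal path; everything else is rewritten with REDIRECT,
# which is the "any destination -> firewall" DNAT the WUI cannot express.
dns_redirect_rules() {
    for proto in udp tcp; do
        run iptables -t nat -A CUSTOMPREROUTING -i "$GREEN_IF" -p "$proto" \
            --dport 53 ! -d "$FW_IP" -j REDIRECT --to-ports 53
    done
}

# Option 2: allow DNS to the firewall's own resolver (INPUT path) and reject
# any DNS that would otherwise be forwarded towards the internet (FORWARD
# path). The ACCEPT is listed first because the reject must come after it.
dns_block_rules() {
    for proto in udp tcp; do
        run iptables -A CUSTOMINPUT -i "$GREEN_IF" -p "$proto" -d "$FW_IP" \
            --dport 53 -j ACCEPT
        run iptables -A CUSTOMFORWARD -i "$GREEN_IF" -p "$proto" \
            --dport 53 -j REJECT
    done
}

# Use only one of the two methods, as the page says; pick it with DNS_METHOD.
# Nothing is applied unless the script is invoked with DNS_METHOD set.
case "${DNS_METHOD:-}" in
    redirect) dns_redirect_rules ;;
    block)    dns_block_rules ;;
    *)        : ;;   # no method selected: define the functions only
esac
```

Run `DNS_METHOD=block sh dns-rules.sh` to see the rules for option 2, and `DRY_RUN=0` to apply them. Afterwards, from a client on the green network, a query sent directly to an external resolver (for example `dig @8.8.8.8 example.org`) should be answered by IPFire under option 1 and fail with a port-unreachable or timeout under option 2. Note that rules on port 53 do not catch DNS over TLS (port 853) or DNS over HTTPS (port 443); clients using those bypass both methods unless you block or proxy them separately.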