To protect your network against DNS hijacking attacks, there are two ways to configure the firewall so that DNS traffic only uses the DNS proxy built into IPFire.
Use only one of these two methods. The first is recommended as it will seamlessly redirect DNS queries to IPFire. This means that you do not need to reconfigure all systems which use hard-coded DNS servers (such as smartphone apps which may not use the DHCP-supplied DNS servers).
IPFire will use the DNS servers provided by your ISP (if using DHCP) or those you manually configure with the Setup program.
Currently only option 2, "Block all DNS traffic except through IPFire's DNS proxy" (below), works.
This is because the target for redirected DNS requests is not the firewall itself, and an "any" destination is currently not accepted for DNAT rules in the IPFire WUI. Hopefully this will be possible in the future.
Force all DNS traffic through IPFire's built-in DNS proxy by using specific firewall rules:
First, create an IPFire 'Service Group' for DNS.
Second, configure the new firewall rules.
Do not do this if you have followed the previous example; only one of these methods should be used.
To prevent the use of other DNS servers, block all DNS queries to the internet.
Forwarding rules should be defined as follows:
For 'Service' one can either choose the predefined services DNS(UDP) and DNS(TCP) or a self-defined service group DNS containing DNS(UDP) and DNS(TCP) (as in the example below).
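The same two methods expressed as generic Linux iptables rules, as an added example to show the rule logic (this is not IPFire's own firewall chain layout, which is managed from the WUI as described above). The interface name green0 and the firewall address 192.168.1.1 used below are constructed placeholders, and the function prints the rules rather than applying them, so they can be reviewed first.

```shell
#!/bin/sh
# dns_rules MODE LAN_IF FW_IP
#   MODE   "redirect" (method 1: DNAT every DNS query to the local proxy)
#          or "block" (method 2: only DNS to the firewall's proxy is allowed)
#   LAN_IF LAN-side interface (placeholder: green0)
#   FW_IP  firewall address on the LAN where the DNS proxy listens (placeholder: 192.168.1.1)
# The rules are echoed, not executed, so the output can be inspected before use.
dns_rules() {
    mode="$1"
    lan_if="$2"
    fw_ip="$3"
    case "$mode" in
    redirect)
        # Method 1: rewrite the destination of any DNS query (UDP and TCP) that
        # is not already addressed to the firewall so it reaches the local proxy.
        # Clients keep their hard-coded resolver settings and still get answers
        # from the IPFire proxy.
        for proto in udp tcp; do
            echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53 ! -d $fw_ip -j DNAT --to-destination $fw_ip:53"
        done
        ;;
    block)
        # Method 2: accept DNS addressed to the firewall's own proxy (INPUT chain)
        # and drop DNS that would be forwarded anywhere else (FORWARD chain).
        # Order matters: the ACCEPT for the proxy must come before the catch-all
        # DROP, and both UDP and TCP port 53 must be covered.
        for proto in udp tcp; do
            echo "iptables -A INPUT -i $lan_if -p $proto --dport 53 -d $fw_ip -j ACCEPT"
            echo "iptables -A FORWARD -i $lan_if -p $proto --dport 53 -j DROP"
        done
        ;;
    *)
        echo "usage: dns_rules redirect|block LAN_IF FW_IP" >&2
        return 1
        ;;
    esac
}

# Example invocation with the placeholder values:
dns_rules block green0 192.168.1.1
```

With method 2 in place, a client that still points at an external resolver simply gets no answer, which makes such hosts easy to spot in the firewall log.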
You should also: