1. The Web Interface
  2. Firewall Documentation
  3. Force clients to use IPFire's DNS proxy

Force clients to use IPFire's DNS proxy

Warning!
Changes in IPFire 2 Core Update 132 may cause these steps to block DNS entirely. See IPFire forum - Update 132 breaks DNS blocking.

To protect your network against DNS hijacking attacks, there are two ways to configure the firewall so that DNS traffic only uses the DNS proxy built-in to IPFire.

Use only one of these two methods. The first is recommended as it will seamlessly redirect DNS queries to IPFire. This means that you do not need to reconfigure all systems which use hard-coded DNS (such as Smartphone apps which may not use DHCP-supplied DNS servers).

IPFire will use the DNS servers provided by your ISP (if using DHCP) or what you manually configure with the Setup program.

1. Redirect all DNS traffic to IPFire's DNS proxy

Note!
Only option 2. Block all DNS traffic except through IPFire's DNS proxy (below) works. This is because the target for redirected DNS requests is not the firewall itself and an "any" rule is currently not accepted for DNAT rules in the IPFire WUI. Hopefully this will be possible in future.

Force all DNS traffic through IPFire's built in DNS proxy by using specific firewall rules;

First create an IPFire 'Service Group' for DNS:

  • In the IPFire WUI, open "Firewall" > "Firewall Groups"
  • Click the "Service Groups" button
  • In the "Group Name:" field, enter 'DNS'
  • Click the 'Add' button
  • Now click the yellow pencil icon next to the DNS service group to edit it
  • In the "Add" field select "DNS (TCP)" and click Add
  • Then, in the "Add" field select "DNS (UDP)" and click Add

Then configure new firewall rules:

  • Open the "Firewall" > "Firewall Rules" page
  • Click the "Apply changes" button at the top, as this will create the new DNS "Service Group" you previously configured
  • Now click the "New rule" button and configure the following fields:
    • Source: Standard networks GREEN
    • Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
    • Destination: Firewall GREEN
    • Protocol: "- Preset -"
    • Service Groups "DNS"
    • Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - GREEN"
    • Click the "Add" button
  • Back in the main "Firewall Rules" page, click the "Apply changes" button at the top
  • Create another rule identical to the one above, but for each separate network you have, for example for blue:
  • Click the "New rule" button and configure the following fields:
    • Source: Standard networks BLUE
    • Check "Use Network Address Translation (NAT)" and leave "Firewall Interface" as "- Automatic -"
    • Destination: Firewall BLUE
    • Protocol: "- Preset -"
    • Service Groups "DNS"
    • Add a remark (or comment) to the "Remark:" field, like "Prevent DNS hijacking attack - BLUE"
    • Click the "Add" button
  • Back in the main "Firewall Rules" page, click the "Apply changes" button at the top

2. Block all DNS traffic except through IPFire's DNS proxy

Note!
Do not do this if you have followed the previous example. Only one of these methods should be used.

To prevent the use of other DNS servers, add firewall rules to allow access in to IPFire's DNS server. Then add rules to reject all other DNS queries from being forwarded through the firewall to the internet. (See the Rule Processing page.)

1. Create an IPFire 'Service Group' for DNS

  • In the IPFire WUI, open "Firewall" > "Firewall Groups"
  • Click the "Services" button
  • Enter:
    • Service name: DNS over TLS
    • Protocol: TCP
    • Port(s): 853
  • Click the "Service Groups" button
  • In the "Group Name:" field, enter 'DNS'
  • Click the 'Add' button
  • Now click the yellow pencil icon next to the DNS service group to edit it
  • In the "Add" field select "DNS (TCP)" and click Add
  • then select "DNS (UDP)" and click Add
  • finally select "DNS over TLS" and click Add

2. Create "permit" incoming firewall rules for IPFire's DNS server

  • Source: Standard networks ( GREEN or BLUE )
  • Destination: Firewall ( GREEN or BLUE )
  • Protocol: "- Preset" Service Group: DNS
  • Action: ACCEPT

3. Create "deny" forwarding rules for all other DNS servers

  • Source: Standard networks ( GREEN or BLUE )
  • Destination: Standard networks RED
  • Protocol: "- Preset" Service Group: DNS
  • Action: REJECT

Additional Configuration

  • Configure IPFire as the DNS server in the DHCP configuration (for clients with dynamic and fixed leases)
  • Manually configure IPFire as DNS server (for clients with static IPs which are not using DHCP)
Edit Page ‐ Yes, you can edit!

Older Revisions • September 8, 2019 at 6:09 am • Aurien