If using something like Pihole.
I think the easiest way would be
1 firewall rule to allow Pihole to DNS ports 53 and 853.
And a 2nd rule to block all others.
This would force them to use Pihole DNS.
Pihole's DNS could be / should be IPFire.
But the idea was to also hijack DNS in case users had other DNS servers configured, and not just to block them…
That’s why firewall rule 2.
Block everyone else on the whole network.
Rather than block, we wanted to redirect it to PiHole with a Port Forward. This then requires an SNAT rule as well, but the UI blocks you from doing it.
This defeats IPFire's DNS DNSSEC protection.
You are counting on Pihole for All DNS.
In my example Pihole gets DNS from IPFire.
Users get DNS from Pihole.
No DNS bypass.
Except DoH is more difficult.
Here PiHole should be getting DNS from IPF if they manage to work out the exception rule mentioned much higher up.
I do not see the problem here.
iptables rules are applied in the defined sequence, so
- allow DNS for PiHole
- redirect DNS to PiHole
should do the job. Rule 2 isn’t applied to DNS requests from PiHole, because of rule 1.
EDIT: to avoid loops this can be extended to
- allow PiHole:<some port> → IPFire:<DNS ports>
- deny PiHole:<some port> → :<DNS ports>
- redirect DNS to PiHole
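The rule sequence described in the post above, written out as an added example (my own, not code from the thread or from IPFire): a dry-run shell function that emits the iptables rules for "allow Pi-hole, deny Pi-hole to any other resolver, redirect everyone else to Pi-hole" together with the SNAT the redirect needs. It assumes IPFire's firewall.local custom chains (CUSTOMPREROUTING, CUSTOMFORWARD, CUSTOMPOSTROUTING), the green interface name green0, and constructed sample addresses.

```shell
#!/bin/sh
# Added example, not from the thread: emit the iptables rules for the
# allow / deny / redirect sequence plus the SNAT that the redirect needs.
# Assumptions: IPFire's firewall.local custom chains, interface green0, and
# the constructed addresses in the usage call. IPT defaults to a dry run that
# prints each rule; set IPT=iptables to apply them on the firewall.
IPT="${IPT:-echo iptables}"

dns_redirect_rules() {
    pihole="$1"    # Pi-hole address on green
    green_if="$2"  # IPFire green interface
    green_ip="$3"  # IPFire green address, the only upstream Pi-hole should use
    for proto in udp tcp; do
        # 1. Pi-hole -> IPFire:53 is INPUT traffic on IPFire and is not touched
        #    here; any other DNS/DoT destination from Pi-hole is refused, which
        #    is the "deny PiHole -> :<DNS ports>" rule that prevents loops.
        $IPT -A CUSTOMFORWARD -s "$pihole" -p "$proto" -m multiport --dports 53,853 -j REJECT
        # 2. Pi-hole does not answer on 853, so DoT from other clients is
        #    refused rather than redirected.
        $IPT -A CUSTOMFORWARD -i "$green_if" -p "$proto" --dport 853 -j REJECT
        # 3. Every other client's port-53 packet entering green is rewritten to
        #    Pi-hole, whatever resolver the client had configured. Pi-hole's own
        #    packets are excluded so the redirect never applies to rule 1 traffic.
        $IPT -t nat -A CUSTOMPREROUTING -i "$green_if" ! -s "$pihole" \
            -p "$proto" --dport 53 -j DNAT --to-destination "$pihole"
        # 4. The SNAT rule: the rewritten packet leaves on the same interface it
        #    came in on, so without SNAT Pi-hole would answer the client directly
        #    and the client would drop a reply from an address it never queried.
        $IPT -t nat -A CUSTOMPOSTROUTING -o "$green_if" -d "$pihole" \
            -p "$proto" --dport 53 -j SNAT --to-source "$green_ip"
    done
}

# Constructed sample addresses; replace with your own.
dns_redirect_rules 192.168.1.10 green0 192.168.1.1
```

With the default dry run the script only prints the eight rules (four per protocol), so the output can be reviewed before copying it into firewall.local.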
That is the easy bit. Applying the required SNAT rule is a bit trickier.
What SNAT rule?