Devices bypassing

Anyone has this issue?
More and more devices are forcefully sending traffic to their own DNS servers.

So far I have identified:
Windows 10, Android, a multimedia player and a security camera DVR tend to use 8.8.8.8 or 8.8.4.4.

Avast AV uses 8.8 and 4.4 too, and sometimes the IPS logs show some other traffic to port 53, e.g. 5.62.42.20, and many other questionable IPs.

ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port Opcode 8 through 15 set
Priority: 1
Type: Potential Corporate Privacy Violation

I will post some screenshots below

Here are some screenshots.
They just constantly force their own DNS.

I created a DNS forward rule and service groups, but I am not sure if they are working.

I am blocking the obvious Google DNS servers, but I don’t know how many there are.

Hi,

yes, this is another sad trend in the industry. To some extent, I can understand vendors here, since DNS resolution can be broken pretty badly in some networks (we experienced that ourselves when we brought DNSSEC to our users), but in most cases, corporations are probably more interested in the data they can get from DNS requests.

Please have a look at this wiki page for information on how to force clients in your network to use the DNS resolver provided by your IPFire machine.

In addition, consider dropping any outgoing DNS traffic not emitted by your IPFire itself. Having the aforementioned enforcement in place, there is no legitimate reason anymore why any client should speak DNS directly to the internet.

By blocking destination port 853 (TCP), you can get rid of DNS over TLS (DoT) as well, since it typically uses this port. For privacy reasons, you might want to configure your IPFire to use DoT, so your ISP cannot snoop on your DNS traffic. In this case, only block port 853 for any forwarding traffic, not for outgoing one, which is generated by IPFire itself.

This leaves you with clients being able to use DNS over HTTPS (DoH) to query different DNS resolvers. An understandable effort in terms of privacy, it is quite a nightmare if you need to enforce a security/privacy policy on your infrastructure. By using the web proxy, you can at least block common FQDNs used by DoH service providers such as dns.google. There is no catch-all guarantee on that, but it’s better than nothing.

Hope to have helped. 🙂

Thanks, and best regards,
Peter Müller


Thank you Peter,

I think I have already been using almost all the recommendations you mentioned in the Wiki.
These devices and Avast still somehow manage to bypass it.

I think the one recommendation I still have to work on is dropping 853.

Hi,

hm, that’s odd. Actually, I don’t think so:

The FORWARDFW log hits you see do not come from actually dropped packets, but from logged packets. This is because you have the “log” checkbox ticked on the “redirect DNS” firewall rule, so every packet redirected by this gets logged as well.

For the record, the log prefix of actually dropped packets is DROP_FORWARD.

To ensure your redirecting firewall rule works correctly, you can create another one, dropping any DNS-related traffic (destination ports 53 UDP & TCP, port 853 TCP) to the internet, and enable logging for it. If you see any hits then in your logs, something indeed managed to bypass the redirection rule - otherwise, it would not get to the dropping rule in the first place.

By the way, in this screenshot of yours, the firewall rules 8 and 9 are unnecessary, since Google’s DNS resolver will never establish a connection on its own - it only responds to incoming connections. That way, you don’t need to create firewall rules for 8.8.8.8 and 8.8.4.4 as a source.

Thanks, and best regards,
Peter Müller

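To make the distinction Peter draws above concrete, here is an added example (not code from the thread or from the IPFire project) that reads firewall log lines and separates packets the logged redirect rule merely recorded from packets the verification drop rule actually dropped, reporting the latter per client. The line layout is constructed to mimic iptables LOG output; the “FORWARDFW” prefix for the logged redirect rule is an assumption taken from the wording of the thread, while “DROP_FORWARD” is the prefix Peter names.

```python
import re
from collections import defaultdict

# Constructed sample log lines (iptables LOG style, as IPFire writes to syslog).
# Assumption: "FORWARDFW" marks a packet logged by the redirect rule,
# "DROP_FORWARD" marks a packet dropped by the verification drop rule.
SAMPLE_LOG = """\
Mar  1 10:00:01 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.20 DST=8.8.8.8 PROTO=UDP SPT=51234 DPT=53
Mar  1 10:00:02 ipfire kernel: FORWARDFW IN=green0 OUT=red0 SRC=192.168.1.21 DST=8.8.4.4 PROTO=UDP SPT=40001 DPT=53
Mar  1 10:00:03 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.30 DST=5.62.42.20 PROTO=UDP SPT=33333 DPT=53
Mar  1 10:00:04 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.30 DST=198.51.100.7 PROTO=TCP SPT=44444 DPT=853
Mar  1 10:00:05 ipfire kernel: DROP_FORWARD IN=green0 OUT=red0 SRC=192.168.1.40 DST=203.0.113.5 PROTO=TCP SPT=45555 DPT=443
"""

LINE_RE = re.compile(
    r"kernel: (?P<prefix>\S+) .*?SRC=(?P<src>\S+) DST=(?P<dst>\S+) "
    r"PROTO=(?P<proto>\S+) .*?DPT=(?P<dpt>\d+)"
)

# Ports the thread is about: plain DNS (53 UDP/TCP) and DNS over TLS (853 TCP).
DNS_PORTS = {("UDP", 53), ("TCP", 53), ("TCP", 853)}


def classify(log_text):
    """Split DNS-port log hits into (redirected, dropped).

    redirected: {client: count} of packets only logged by the redirect rule;
    dropped:    {client: [(dst, proto, port), ...]} of packets that reached
                the drop rule, i.e. real bypasses of the redirection.
    """
    redirected = defaultdict(int)
    dropped = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        key = (m["proto"], int(m["dpt"]))
        if key not in DNS_PORTS:
            continue  # not DNS or DoT; out of scope for this check
        if m["prefix"] == "DROP_FORWARD":
            dropped[m["src"]].append((m["dst"], key[0], key[1]))
        else:
            redirected[m["src"]] += 1
    return dict(redirected), dict(dropped)


if __name__ == "__main__":
    redirected, dropped = classify(SAMPLE_LOG)
    print("redirected (harmless, logged by redirect rule):", redirected)
    print("dropped (real bypass attempts):", dropped)
```

Only clients listed under “dropped” got past the redirect rule; a log full of FORWARDFW entries with an empty “dropped” set means the enforcement is working.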

I think since I set up some of these rules things changed.

I will have to redo them to make sure.

Interestingly, I think this rule works the best, because since then I have seen a lot of Windows 10 devices showing “No Internet”, and maybe this could be why Avast can’t get updates sometimes.
Or it could be a coincidence; it could be one of the IPS rules, “ET DNS Non-DNS or Non-Compliant DNS traffic on DNS port”.

Just found out that Avast AV has merged with NortonLifeLock.
So this could explain why Avast started constantly contacting unknown DNS servers.