DNS Configuration for Specific Device on IPFire

Hello,

I have a quick question. As a new user, I’ve set up IPFire with green and red interfaces, and everything is working great—except for one small issue.

My home alarm system primarily transmits over Wi-Fi or Ethernet (with cellular as a backup). The problem is that it only works if I use my ISP’s DNS over UDP. If I switch to any other DNS provider—especially over TLS—the alarm drops off the network. It seems to be the only device affected.

Ideally, I’d like to use a custom DNS with TLS for the rest of my network, but keep the alarm system on the ISP’s DNS over UDP.

Is there a way to assign a custom DNS (ISP over UDP) to a single MAC address, while the rest of the network uses DNS over TLS?

Thanks in advance for your help!

Never heard of it and don’t think so. You may run a seperate DHCP on a seperate network with only the alarm system in it, but this is not implemented in IPFire nor the WUI and will need to modify IPFire via CLI. Just config your alarm system with static information instead of DHCP. Problem solved.

Unfortunately giving it a static ip is not possible. The alarm assumes DHCP :frowning:

Sorry, but what a crap alarm system is this? In that case you’ve bad luck and need to put a seperate router in between, sacrifice the blue network for the alarm system or use the orange network without firewall and setup a seperate DHCP in there (but this is nothing for laymen).

Have you tried this.

1 Question.
Is this alarm system affiliated with your ISP?

Can you configure custom DNS servers on the alarm system? If so, then set it to your ISP’s DNS, let IPFire control DNS for the rest of your network, but do not configure any firewall rule to force clients to use IPFire’s DNS.

edit: another option (and I’m not sure it will work) is to have the ISP modem plug into a network switch, then plug IPFire and a different router into the switch. Configure them both the same, but leave the regular router using the default ISP stuff. Then plug the alarm system into the regular router.

1 Like

No - it is not associated with the ISP but it seems to have Cloudflare DNS hard coded in as a fallback. As soon as TLS is turned on, they fail and the device goes offline.

I have a similar issue with a (not so) smart TV. It will only connect with DHCP and I have no way of changing the DNS settings on the TV.

I have IPFire pointing to my paid AdGuard DNS subscription server. A certain streaming service calls directly to one of three domains (picked randomly each time) that are “holed” by AdGuard and the content will not stream until the ad plays. The only way to watch the content is to disable the blocklists in Adguard temporarily until the ad starts playing, then re-enable them.

I forget exactly what the three domains are (and I can’t dig through three days of logs while trying to appear gainfully employed at work), but we’re talking “googleanalytics.com”, and not even “ads.googleanalytics.com”, so permanently whitelisting those domains in AdGuard is not an option I’m willing to accept for my entire network.

So there’s really no way to make a local exception for a particular MAC address to point to a different DNS? No .conf file I can manually edit?

TLS where?
Your network can all use standard DNS.
Ipfire can use TLS / DoT DNS over TLS.
It will respond to your network devices
Over DNS.

I would block green from DoT
And force users to use ipfire DNS.
If this doesn’t work for this device.
You can add a rule befor your DNS block rule to allow it threw.

1 Like

Just to clarify—if I configure IPFire to use DNS over TLS for queries, my alarm system drops offline. I’d prefer to use TLS, but I’m not entirely sure why this happens. My best guess is that since the alarm has Cloudflare’s DNS hardcoded it attempts to use TLS to communicate with its fallback DNS.

The main point is: I would absolutely prefer to run DNS over TLS, but unless there’s a simple workaround, it doesn’t seem feasible. The only option I see would be setting up a separate network and running a dedicated Cat 5 cable from the router—which just isn’t practical.

It shouldn’t matter which protocol unbound ( IPFire’s DNS server ) uses to gather it’s information.
Local devices just use ‘normal’ DNS protocol to query name information.
If a device uses direct DNS requests to an outside server, there must be no FW rules for DNS redirection, or an allow rule for this device before the redirection rule.

Have you any block rules for Cloudflare ( FW, IP Block list, IPS )?

1 Like

The concept of forcing uses to use ipfire’s
DNS. Is devices like this are in essence MITM attacked by ipfire.
Your devices should not know any difference. It will think the answer was from cloudfair, google,etc.
Just because ipfire uses DoT doesn’t mean your net work needs to.

1 Like

Try adding a firewall rule to allow your alarm system to use its DNS.
Source Address: Your Alarm System MAC address
Destination Address: Static DNS used by the alarm
Protocol: DNS Service (UDP)

2 Likes

This got me thinking…

I think the solution may be to NOT force the alarm system to use IPFire’s DNS (but force it on all other devices).

I hadn’t considered that my TV (mentioned elsewhere in this thread) may have a hard-coded DNS setting - which appears to be the case. Disabling the FW rule mentioned in “www.ipfire.org - Force clients to use IPFire DNS Server” worked for my TV I just need to come up with a rule for the TV and put it ahead of the other rule that hyjacks the DNS requests and forces them to IPFire’s DNS.

2 Likes

Cloudflare 1.1.1.1 & 1.0.0.1 both work with TCP, UDP & DoT (DNS over TLS). How do you know that it is hard coded to Cloudflare?

So if your system is set up with Cloudflare as the DNS system with UDP, TCP or TLS it should just work.

However, I am not sure that will work in your situation as there seems to be something more going on.

You say that the alarm system has it’s DNS server hard coded to something. In that case when it gets an IP from your IPFire dhcp server, it will just ignore the dns server allocation that you have defined in the dhcp WUI page.
Also when it needs to connect to the internet it would just ignore the IPFire DNS server settings and just access the hard coded dns server directly. That should happen irrespective of the protocol setting for the IPFire unbound dns server and it should just bypass the IPFire DNS server.

As it fails to access the internet when the IPFire DNS system is not using the ISP DNS servers then it indicates that the alarm system is using the IPFire DNS system for its requests.

I would look through the IPFire DNS Server logs and, knowing the IP allocated to the alarm system, search for entries with that IP and see what messages are shown in the lines around those entries.
That might give some indication of what it is trying to access, which must be the full url of its website, for which it needs a DNS server to convert into an IP address.

3 Likes

An interesting detail I didn’t mention earlier — I wasn’t even using Cloudflare as my DNS, which is how I realized it was still being used. The alarm shows three DNS entries when connected, and only one of them is mine: the gateway IP.

Also worth noting, the alarm won’t connect via Wi-Fi or Ethernet at all when TLS is enabled. In fact, Wi-Fi connections fail with an error saying either the password is incorrect (it’s not) or there’s no internet connection.

I will check the logs now.

Looking at the logs I personally do not see any errors in Messages. But it would seem the alarm drops when the DHCP lease gets renewed.

I do see this right after the DHCP lease renews:
Jul 24 16:26:26 ipfire kernel: IPv4: martian source 255.255.255.255 from 10.1.1.1, on dev green0
Jul 24 16:26:26 ipfire kernel: ll header: 00000000: ff ff ff ff ff ff 00 1f 54 55 99 cf 08 00

You can give it a fixed / reserved ip in the DHCP page.
and reboot your alarm to pickup the new ip.
Out side of your DHCP range.

Tried this rule and it did not resolve the issue. Thank you though.

This means your alarm system is keeping its old address.
It doesn’t accept the one assigned by IPFire, and probably neither does DNS.
You should reset it.