I have a quick question. As a new user, I’ve set up IPFire with green and red interfaces, and everything is working great—except for one small issue.
My home alarm system primarily transmits over Wi-Fi or Ethernet (with cellular as a backup). The problem is that it only works if I use my ISP’s DNS over UDP. If I switch to any other DNS provider—especially over TLS—the alarm drops off the network. It seems to be the only device affected.
Ideally, I’d like to use a custom DNS with TLS for the rest of my network, but keep the alarm system on the ISP’s DNS over UDP.
Is there a way to assign a custom DNS (ISP over UDP) to a single MAC address, while the rest of the network uses DNS over TLS?
Never heard of it and don’t think so. You may run a seperate DHCP on a seperate network with only the alarm system in it, but this is not implemented in IPFire nor the WUI and will need to modify IPFire via CLI. Just config your alarm system with static information instead of DHCP. Problem solved.
Sorry, but what a crap alarm system is this? In that case you’ve bad luck and need to put a seperate router in between, sacrifice the blue network for the alarm system or use the orange network without firewall and setup a seperate DHCP in there (but this is nothing for laymen).
Can you configure custom DNS servers on the alarm system? If so, then set it to your ISP’s DNS, let IPFire control DNS for the rest of your network, but do not configure any firewall rule to force clients to use IPFire’s DNS.
edit: another option (and I’m not sure it will work) is to have the ISP modem plug into a network switch, then plug IPFire and a different router into the switch. Configure them both the same, but leave the regular router using the default ISP stuff. Then plug the alarm system into the regular router.
No - it is not associated with the ISP but it seems to have Cloudflare DNS hard coded in as a fallback. As soon as TLS is turned on, they fail and the device goes offline.
I have a similar issue with a (not so) smart TV. It will only connect with DHCP and I have no way of changing the DNS settings on the TV.
I have IPFire pointing to my paid AdGuard DNS subscription server. A certain streaming service calls directly to one of three domains (picked randomly each time) that are “holed” by AdGuard and the content will not stream until the ad plays. The only way to watch the content is to disable the blocklists in Adguard temporarily until the ad starts playing, then re-enable them.
I forget exactly what the three domains are (and I can’t dig through three days of logs while trying to appear gainfully employed at work), but we’re talking “googleanalytics.com”, and not even “ads.googleanalytics.com”, so permanently whitelisting those domains in AdGuard is not an option I’m willing to accept for my entire network.
So there’s really no way to make a local exception for a particular MAC address to point to a different DNS? No .conf file I can manually edit?
TLS where?
Your network can all use standard DNS.
Ipfire can use TLS / DoT DNS over TLS.
It will respond to your network devices
Over DNS.
I would block green from DoT
And force users to use ipfire DNS.
If this doesn’t work for this device.
You can add a rule befor your DNS block rule to allow it threw.
Just to clarify—if I configure IPFire to use DNS over TLS for queries, my alarm system drops offline. I’d prefer to use TLS, but I’m not entirely sure why this happens. My best guess is that since the alarm has Cloudflare’s DNS hardcoded it attempts to use TLS to communicate with its fallback DNS.
The main point is: I would absolutely prefer to run DNS over TLS, but unless there’s a simple workaround, it doesn’t seem feasible. The only option I see would be setting up a separate network and running a dedicated Cat 5 cable from the router—which just isn’t practical.
It shouldn’t matter which protocol unbound ( IPFire’s DNS server ) uses to gather it’s information.
Local devices just use ‘normal’ DNS protocol to query name information.
If a device uses direct DNS requests to an outside server, there must be no FW rules for DNS redirection, or an allow rule for this device before the redirection rule.
Have you any block rules for Cloudflare ( FW, IP Block list, IPS )?
The concept of forcing uses to use ipfire’s
DNS. Is devices like this are in essence MITM attacked by ipfire.
Your devices should not know any difference. It will think the answer was from cloudfair, google,etc.
Just because ipfire uses DoT doesn’t mean your net work needs to.
Try adding a firewall rule to allow your alarm system to use its DNS.
Source Address: Your Alarm System MAC address
Destination Address: Static DNS used by the alarm
Protocol: DNS Service (UDP)
I think the solution may be to NOT force the alarm system to use IPFire’s DNS (but force it on all other devices).
I hadn’t considered that my TV (mentioned elsewhere in this thread) may have a hard-coded DNS setting - which appears to be the case. Disabling the FW rule mentioned in “www.ipfire.org - Force clients to use IPFire DNS Server” worked for my TV I just need to come up with a rule for the TV and put it ahead of the other rule that hyjacks the DNS requests and forces them to IPFire’s DNS.
Cloudflare 1.1.1.1 & 1.0.0.1 both work with TCP, UDP & DoT (DNS over TLS). How do you know that it is hard coded to Cloudflare?
So if your system is set up with Cloudflare as the DNS system with UDP, TCP or TLS it should just work.
However, I am not sure that will work in your situation as there seems to be something more going on.
You say that the alarm system has it’s DNS server hard coded to something. In that case when it gets an IP from your IPFire dhcp server, it will just ignore the dns server allocation that you have defined in the dhcp WUI page.
Also when it needs to connect to the internet it would just ignore the IPFire DNS server settings and just access the hard coded dns server directly. That should happen irrespective of the protocol setting for the IPFire unbound dns server and it should just bypass the IPFire DNS server.
As it fails to access the internet when the IPFire DNS system is not using the ISP DNS servers then it indicates that the alarm system is using the IPFire DNS system for its requests.
I would look through the IPFire DNS Server logs and, knowing the IP allocated to the alarm system, search for entries with that IP and see what messages are shown in the lines around those entries.
That might give some indication of what it is trying to access, which must be the full url of its website, for which it needs a DNS server to convert into an IP address.
An interesting detail I didn’t mention earlier — I wasn’t even using Cloudflare as my DNS, which is how I realized it was still being used. The alarm shows three DNS entries when connected, and only one of them is mine: the gateway IP.
Also worth noting, the alarm won’t connect via Wi-Fi or Ethernet at all when TLS is enabled. In fact, Wi-Fi connections fail with an error saying either the password is incorrect (it’s not) or there’s no internet connection.
Looking at the logs I personally do not see any errors in Messages. But it would seem the alarm drops when the DHCP lease gets renewed.
I do see this right after the DHCP lease renews:
Jul 24 16:26:26 ipfire kernel: IPv4: martian source 255.255.255.255 from 10.1.1.1, on dev green0
Jul 24 16:26:26 ipfire kernel: ll header: 00000000: ff ff ff ff ff ff 00 1f 54 55 99 cf 08 00
This means your alarm system is keeping its old address.
It doesn’t accept the one assigned by IPFire, and probably neither does DNS.
You should reset it.
