DNS for DMZ servers

Dear Ipfire users/authors. Can someone tell me exactly how/where to allow the ipfire DMZ zone access to a DNS server located on the Internet (eg 8.8.8.8). The default firewall rules seems do not allow this. And in the forum, this question has not been answered precisely anywhere, or it has been vaguely explained. DMZ servers cannot get updates without DNS.

There are two options.

1)The first is to define all machines on the DMZ (Orange zone) with a static IP. How that is done depends on the machines that you have on the DMZ.

I can’t help with windows machines but if you have a Linux machine then the way I have done it is installed the dhcpcd package and added the following lines to the dhcpcd.conf file

interface enu1u1
static ip_address=192.168.128.20/24
static routers=192.168.128.254
static domain_name_servers=81.3.27.54 5.9.164.112

The first line defines the interface on the Linux Machine
The second is the static IP that you have decided to assign to that machine.
The third line is the IP Address of the Orange nic on your IPFire.
The fourth line is where you define the DNS servers that you want that machine to use. In this case I defined two DNS servers but you can assign as many or few as you want. They just need to be space separated IP octets.

These lines are additional to the default entries that are in the dhcpcd.conf file as installed. You can do an internet search for dhcpcd static ip to get more info.

Then you do the above on every other machine that you have in the DMZ.
If any of those are windows machines then someone familiar with windows machines will need to help with where to place the static Ip and the DNS server info.

2)The second option is to do the same as option 1) on a first machine and then install a dhcp server on that machine that will provide the fixed or dynamic IP’s to all other machines in the DMZ. This dhcp server can also then supply the dns server info to the machines as well as their IP’s.

This is what I have done on my orange DMZ network. My raspberry pi running Arch Linux acts as my dhcp server to my DMZ machines and also supplies the DNS info that I specified.

The simplest approach for yourself is probably to define a static IP on each machine in the DMZ and include in that the DNS servers that you want to use.

2 Likes

Hi, Adolf!
Thanks for your answer… All my DMZ machines are virtual Linux (debian and Ubuntu) machines on Proxmox server. All DMZ machines have static IPs and gateways and DNS servers defined as you wrote in option 1, but I am not sure that they are defined through the DHCPd service. Does it matter?

Are you referring to the IPFire DHCP service at menu Network > DHCP Server ??

The IPFire DHCP service has nothing to do with DHCP.

See: https://wiki.ipfire.org/configuration/firewall/rules/dmz-setup#notes

I’m referring to Debian or ubuntu DHCPd service. Static IP addresses to servers can assigned in different ways, hence the question. My DMZ is configured well and works well, all servers/services is accessible both from the outside and from the internal (green) network. Only one problem - despite the fact that The DNS for each DMZ client is set to an external DNS server. 8.8.8.8 and 1.1.1.1, DNS queries from DMZ to internet is somewhere blocked by ipfire configured with default firewall policies and rules. Green network and ipfire itself access such servers without problems.

ceturtd., 2023. g. 28. dec., plkst. 23:07 — lietotājs Jon via IPFire Community (<no-reply@community.ipfire.org>) rakstīja:

Do you see anything related to the device and/or google DNS in the firewall logs (menu Logs > Firewall Logs)? That should show you blocked items.

How about anything related to the device and/or google DNS in the Firewall Rules? (I am guessing maybe not)

For DMZ I am running it all in default and I can access DNS servers A-OK.

1 Like

For my DMZ the DNS access just worked. No rules were needed to make it work. The default rules for Orange to Red is that it is Open so any server or machine in the orange zone can automatically access the outside world but the outside world is blocked from accessing Orange unless a Port Forward has been created.

So I am puzzled why your system should be preventing the DNS queries going out.

What command are you using for the DNS queries to the internet and what response/error message are you getting back?

1 Like

One way to set DNS for debian (and many other distros) when using static IP is at /etc/resolv.conf. → debian wiki

If you want to use TLS it can be done with systemd-resolved service, it’s not installed by default. You can install it with apt install systemd-resolved

DNS.SB wiki have example how to setup. → How to set DNS over TLS on Linux - DNS.SB

2 Likes