DNS over TLS with UDP fall back

I just installed IPFire for the first time and absolutely love it. I wanted a security upgrade from my store-bought router and everything has worked so easily (except for some small issues where I thought I was on DHCP on WAN, not PPPoE).

Today I tried to harden my network a bit more and swap to DNS over TLS, which worked well until I discovered it stopped my Eufy cameras sending alerts or being accessible outside of my LAN. I initially thought it was unbound, but the problem resolved when I turned DNS back to UDP. Is there a way to set up my DNS so TLS is the default but some devices use UDP, or there is a UDP fallback?

My next step will be an OpenVPN or WireGuard set-up.

When did you do this?

Are you forcing clients to use IPfire DNS? As you should.

I would force clients to use IPfire DNS first, then enable DNS TLS (“DoT”).

I am not and have not set that up. I will give it a go tomorrow and see what happens. Thanks for the tip. The only change I made was changing the protocol in the DNS screen from UDP to TLS and adding a new DNS server including the TLS hostname.

Though if making a change to the DNS settings had this impact, it means the device is using IPfire for DNS, no?

Not if you do not block it from using external sources.

Example: an IoT device has hard-coded DNS, 8.8.8.8.

IPfire will direct it to DNS at 8.8.8.8

Even though IPfire is offering DNS at its own IP.

So I would set up the DNS to force clients to use IPfire DNS.

I realised I never responded, but I did take this advice and set it up. Everything is working great now.

This will work only for plain DNS and DoT.

In case some clients use DoH, the solution will be to use the unofficial RPZ addon and use it to block DoH servers.

On top of that, in case some IoT devices have hard-coded DoH servers and try to use them directly, then IPS rulesets from Peter Russel can block those (see this post: Question about DNS over HTTPS - Networking / DNS - IPFire Community).
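Before forcing clients onto the firewall's resolver, it helps to know which devices are bypassing it and how (plain port 53, DoT on 853, or DoH on 443). The following is an added example, not code from this thread or from the IPFire project: it scans iptables-style log lines (constructed here, with the firewall assumed at 192.168.1.1) and reports, per client, every resolver it contacted other than the firewall; the DoH address set is a constructed placeholder that would in practice come from an RPZ or IPS list.

```python
"""Spot LAN clients that bypass the firewall's resolver (added, constructed example).
Port 53 = plain DNS, 853 = DoT, 443 to an address in ASSUMED_DOH_RESOLVERS
(a constructed placeholder, not a real feed) = probable DoH."""
import re
from collections import defaultdict

ASSUMED_DOH_RESOLVERS = {"192.0.2.10"}  # constructed; feed from an RPZ/IPS list in practice
FIELD_RE = re.compile(r"(\w+)=(\S+)")  # iptables LOG fields: SRC=, DST=, PROTO=, DPT=

def parse_line(line):
    fields = dict(FIELD_RE.findall(line))
    try:
        return {"src": fields["SRC"], "dst": fields["DST"], "dpt": int(fields["DPT"])}
    except (KeyError, ValueError):
        return None  # not a packet log line

def classify(rec):
    if rec["dpt"] == 53:
        return "plain-dns"
    if rec["dpt"] == 853:
        return "dot"
    if rec["dpt"] == 443 and rec["dst"] in ASSUMED_DOH_RESOLVERS:
        return "doh"
    return None  # ordinary traffic

def find_dns_bypass(lines, firewall_ip):
    """Return {client: {(resolver, kind), ...}} for resolver traffic not sent to firewall_ip."""
    report = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None or rec["dst"] == firewall_ip:
            continue
        kind = classify(rec)
        if kind:
            report[rec["src"]].add((rec["dst"], kind))
    return dict(report)

SAMPLE_LOG = [  # constructed lines in iptables LOG format
    "kernel: INPUT IN=green0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=40001 DPT=53",
    "kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=UDP SPT=40002 DPT=53",
    "kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.50 DST=8.8.8.8 PROTO=TCP SPT=40003 DPT=853",
    "kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.60 DST=192.0.2.10 PROTO=TCP SPT=40004 DPT=443",
    "kernel: FORWARD IN=green0 OUT=red0 SRC=192.168.1.60 DST=198.51.100.7 PROTO=TCP SPT=40005 DPT=443",
]

if __name__ == "__main__":
    for client, targets in sorted(find_dns_bypass(SAMPLE_LOG, "192.168.1.1").items()):
        print(client, sorted(targets))
```

Clients listed under plain-dns or dot are the ones a forced-DNS firewall rule will catch; a doh entry is the case the RPZ addon or IPS rules above are needed for.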

I am aware.

And sadly both options above are not features built into IPfire.

So why is it so hard for the IPfire team to offer us one of these options built in?