Forcing all DNS traffic from the LAN to the firewall

See Arne’s post above.

Correct. Add a normal reject rule for port 853 in the CUSTOMFORWARD chain (without the -t nat?) or create a usual Firewall rule that blocks the port from green/blue to any in the gui. (don’t block in the output chain for red)

2 Likes

Done. :wink: ( see my edited post )

Just to make sure I am tracking…

  • Is the DoT (port 853) rule only needed for localdomain devices that send DoT requests (port 853)? I don’t have any of those but maybe other do.

  • And a new rule (not PREROUTING/CUSTOMPREROUTING) is needed for DoT?

The above mentioned rules in firewall.local do

  • allow DNS/NTP requests to the local DNS/NTP server on IPFire system
  • DNS/NTP requests to external servers are redirected to the servers in IPFire system.

This is done as soon as possible ( in iptables chain PREROUTING ).
Thus all (normal) DNS and NTP requests are forced to use the local server.

For DNS over TLS ( DoT ) this isn’t possible, because of non-matching certificates.
To deny those requests to external servers one must define a firewall rule which rejects those packets. You can do this from the WUI.

3 Likes

So this is the reason why you commented out those lines with port 853, right?

Yes.
But I left them in the file. Maybe there is some solution for the redirected DoT, nobody knows :sunglasses:

…and in the end, at least as I understand, if clients like Firefox use DoT, I cannot redirect it, but block the requests, correct?

Does this work if you block port 853 on green? FW rule
And ipfire DNS is set to use DoT?
Clients using port 54
Can’t Test DoT at my location

You may want to try Option 2 but substitute port 853 for port 53. And use protocol tcp only (udp isn’t used for DoT).

https://wiki.ipfire.org/configuration/firewall/dns#2-block-all-dns-traffic-except-through-ipfires-dns-proxy

I don’t have anything on my LAN that uses DoT so I’m not sure how to test without doing a little research.

1 Like

I do not have any device here either; however, if one redirects port 53 it should be done for port 853, too, just in case.

To my knowledge, Firefox provides a setting for using DoT although it’s disabled by default. As far as I know enabled only in the US: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Maybe it’s worth a try?

DNS over TLS (DoT) DNS over HTTPS (DoH)

DNS over HTTPS uses port tcp/443, so unless you want to break all HTTPS traffic I would suggest leaving it alone.

4 Likes

Ah yes, you are correct of course - misread this article and confused DoT and DoH!

Thanks!

To try and clarify what I’m thinking.
If ipfire DNS system page is set to DoT.
Ipfire is DNS server to Green on port 53.
With prerouting as above on port 53.
Does PC on green requests DNS on green To FW
FW request DNS on red using DoT.
Can’t test DoT. Does not work for me, blocked at ISP router.

1 Like

OK - here is the final version for me. I’ve been using this for the last week and all works A-OK.

This includes DNS and NTP redirects. I removed the port 853 redirects. All of the LOG statements are commented out. Uncomment them if you want to view.

Everything below is for GREEN only. Copy the line and change green0 to blue0 if needed.

Thank you to everyone above for your comments and guidance. I could not have done any of this without your posts! Y’all get 5 gold stars! :star: :star: :star: :star: :star:

Here is my current firewall.local. Make sure you look it over before using. Use this at your OWN RISK.

#!/bin/sh
# Used for private firewall rules
#
# Use this at your OWN RISK.  It is not fully supported!
#	https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
#
# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        #
        #ACCEPT from the following machine
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        # Force DNS for green to query the firewall, and not an outside DNS server
        # REDIRECT DNS port 53 to FW (and not an outside DNS server)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        # REDIRECT NTP port 123 to FW (and not an outside NTP server)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
  stop)
        ## add your 'stop' rules here
        #
        #ACCEPT from the following machine
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  flush)
        iptables -t nat -F CUSTOMPREROUTING
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|flush}"
        ;;
esac

EDIT: in the stop section added deletes for missing rules. D’oh!

EDIT2: I deleted the reload when doing the above edit. Ugh! Sorry! Added reload section.

Ok.
That’s it. You should delete the ACCEPT rules on stop also. Otherwise you double them with each restart.
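A small check for the point raised just above, added here as an example and not part of the thread or of IPFire: it parses a firewall.local-style case block and reports every rule that start adds but stop never deletes (those pile up on each reload). The embedded script is constructed for the example; it uses the green0 port 53 redirects from the post above plus a tcp/853 reject in CUSTOMFORWARD in the shape suggested at the top of the thread (the exact `-i green0` form of that reject is my assumption).

```python
import re
import shlex

# Constructed sample in the shape of IPFire's firewall.local (not the poster's file):
# udp/tcp 53 redirects for green plus a DoT (tcp/853) reject in CUSTOMFORWARD,
# with the tcp/53 delete deliberately left out of stop so the check has something to find.
SAMPLE_SCRIPT = """\
case "$1" in
  start)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        iptables -A CUSTOMFORWARD -i green0 -p tcp --dport 853 -j REJECT
        ;;
  stop)
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        iptables -D CUSTOMFORWARD -i green0 -p tcp --dport 853 -j REJECT
        ;;
esac
"""
SECTION_RE = re.compile(r"^\s*(\w+)\)\s*$")  # "  start)" / "  stop)" labels of the case block

def parse_rules(script):
    """Map each case section to [(action, (table, chain, args))] for its live iptables lines."""
    sections, current = {}, None
    for line in script.splitlines():
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if line.strip() == ";;":
            current = None
            continue
        toks = shlex.split(line, comments=True)  # commented-out LOG lines yield no tokens
        if current is None or not toks or toks[0] != "iptables":
            continue
        table, action, chain, rest, i = "filter", None, None, [], 1
        while i < len(toks):
            if toks[i] == "-t":
                table, i = toks[i + 1], i + 2
            elif toks[i] in ("-A", "-I", "-D"):  # -A/-D forms of one rule share a key
                action, chain, i = toks[i], toks[i + 1], i + 2
            else:
                rest.append(toks[i])
                i += 1
        sections.setdefault(current, []).append((action, (table, chain, tuple(rest))))
    return sections

def unmatched_rules(script):
    """(added in start but never deleted in stop, deleted in stop but never added)."""
    sec = parse_rules(script)
    added = {k for a, k in sec.get("start", []) if a in ("-A", "-I")}
    deleted = {k for a, k in sec.get("stop", []) if a == "-D"}
    return sorted(added - deleted), sorted(deleted - added)
```

The first list is exactly what gets duplicated on every `reload`; an empty pair means start and stop mirror each other.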

D’oh! You are right! Good find! (back to testing for me!)

Fixed in above post #65.

1 Like

Yes! :+1: :+1: :slight_smile:

does “reload” do something (missing from the case block)?

1 Like

Nothing special. Jon has just forgotten to publish this part. :wink: