Forcing all DNS traffic from the LAN to the firewall

I do not have any device here either; however, if one redirects port 53 it should be done for port 853, too, just in case.

To my knowledge, Firefox provides a setting for using DoT, although it’s disabled by default. As far as I know it is enabled only in the US: https://support.mozilla.org/en-US/kb/firefox-dns-over-https

Maybe it’s worth a try?

DNS over TLS (DoT) DNS over HTTPS (DoH)

DNS over HTTPS uses port tcp/443, so unless you want to break all HTTPS traffic I would suggest leaving it alone.


Ah yes, you are correct of course - misread this article and confused DoT and DoH!

Thanks!

To try and clarify what I’m thinking:
If the IPFire DNS system page is set to DoT, IPFire is the DNS server for Green on port 53, with the PREROUTING rule as above on port 53.
Does the PC on Green then request DNS on Green to the FW, and the FW request DNS on Red using DoT?
I can’t test DoT; it does not work for me, blocked at the ISP router.


OK - here is the final version for me. I’ve been using this for the last week and all works A-OK.

This includes DNS and NTP redirects. I removed the port 853 redirects. All of the LOG statements are commented out. Uncomment them if you want to view.

Everything below is for GREEN only. Copy the line and change green0 to blue0 if needed.

Thank you to everyone above for your comments and guidance. I could not have done any of this without your posts! Y’all get 5 gold stars! :star: :star: :star: :star: :star:

Here is my current firewall.local. Make sure you look it over before using. Use this at your OWN RISK.

#!/bin/sh
# Used for private firewall rules
#
# Use this at your OWN RISK.  It is not fully supported!
#	https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512
#
# See how we were called.
case "$1" in
  start)
        ## add your 'start' rules here
        #
        #ACCEPT from the following machine
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -A CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        # Force DNS for green to query the firewall, and not an outside DNS server
        # REDIRECT DNS port 53 to FW (and not an outside DNS server)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        # REDIRECT NTP port 123 to FW (and not an outside NTP server)
        #iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
  stop)
        ## add your 'stop' rules here
        #
        #ACCEPT from the following machine
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p udp --dport 53 -j ACCEPT
        #iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "ACCEPTdr "
        iptables -t nat -D CUSTOMPREROUTING -s 192.168.60.123/32 -p tcp --dport 53 -j ACCEPT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 53 -j REDIRECT
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "DNSREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp -m tcp --dport 53 -j REDIRECT
        #
        #iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "NTPREDIRECT "
        iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp -m udp --dport 123 -j REDIRECT
        ;;
  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  flush)
        iptables -t nat -F CUSTOMPREROUTING
        ;;
  *)
        echo "Usage: $0 {start|stop|reload|flush}"
        ;;
esac

EDIT: in the stop section added deletes for missing rules. D’oh!

EDIT2: I deleted the reload when doing the above edit. Ugh! Sorry!. Added reload section.

Ok.
That’s it. You should delete the ACCEPT rules on stop also. Otherwise you double them with each restart.

D’oh! You are right! Good find! (back to testing for me!)

Fixed in above post #65.


Yes! :+1: :+1: :slight_smile:

Does “reload” do something (missing from the case block)?


Nothing special. Jon has just forgotten to publish this part. :wink:

Paul - Thank you!

I must have dain bramage! :stuck_out_tongue_winking_eye:

reload) added in above post #65.

I hope you all appreciate how much I worked on the above two tests! Just to make sure everyone was paying attention! Yes, it really was a test. I swear!

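The firewall.local above carries two hand-maintained copies of every rule (one with -A, one with -D), which is exactly how the stop and reload sections went missing in the first revisions. The following is an added example, not the firewall.local from any post in this thread: the same rules are kept in one list and applied with -A on start and -D on stop, so the two sections cannot drift apart. It assumes IPFire’s CUSTOMPREROUTING chain, the exempt host 192.168.60.123 and the zone names green0/blue0 from the post above; setting DRY_RUN=1 prints the iptables commands instead of running them, so it can be checked without root.

```shell
#!/bin/sh
# Added example (not the thread's firewall.local): every CUSTOMPREROUTING rule
# lives in one list and is applied with -A on start and removed with -D on
# stop, so start and stop can never disagree. Assumes IPFire's
# CUSTOMPREROUTING chain and the host/zone values from the post above.
# DRY_RUN=1 prints the iptables commands instead of executing them.

DNS_EXEMPT_HOSTS="192.168.60.123"   # hosts still allowed to use outside resolvers
DNS_ZONES="green0 blue0"            # zones whose port 53/123 traffic is captured

# run ARGS...  executes iptables, or prints the command line in dry-run mode
run() {
    if [ -n "$DRY_RUN" ]; then
        printf '%s\n' "iptables $*"
    else
        iptables "$@"
    fi
}

# rules ACTION   (ACTION is -A or -D)
# Order matters: a nat-table ACCEPT for an exempt host must come before the
# REDIRECTs, because the first matching nat rule decides for the whole connection.
rules() {
    action="$1"
    for host in $DNS_EXEMPT_HOSTS; do
        for proto in udp tcp; do
            run -t nat "$action" CUSTOMPREROUTING -s "$host/32" -p "$proto" --dport 53 -j ACCEPT
        done
    done
    for zone in $DNS_ZONES; do
        for proto in udp tcp; do
            # Force every LAN DNS query to the firewall's own resolver
            run -t nat "$action" CUSTOMPREROUTING -i "$zone" -p "$proto" --dport 53 -j REDIRECT
        done
        # NTP is hard-coded on clients just as often, so capture it too
        run -t nat "$action" CUSTOMPREROUTING -i "$zone" -p udp --dport 123 -j REDIRECT
    done
}

case "$1" in
  start)  rules -A ;;
  stop)   rules -D ;;
  reload) rules -D; rules -A ;;
  flush)  run -t nat -F CUSTOMPREROUTING ;;
  *)      echo "Usage: $0 {start|stop|reload|flush}" ;;
esac
```

Queries that clients send to the firewall’s own address are matched as well, which is harmless because REDIRECT delivers them to the same place. As noted earlier in the thread, this only covers plain DNS on port 53; DoH shares tcp/443 and cannot be captured this way.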

Thank you Jon! It is a great job.

Regards, Pierre


Hi - back from vacation. (*sigh*)

@Jon: Well done! Great job. :+1: I’ll have to test this…

After you have discussed and worked this out so extensively, I’m almost a little bit insecure about my settings. But nevertheless - here we go.

@Jon, @troll-op:
This is my current firewall.local since the cited Comment #6. Simple. No magic. I did some modifications since then. It still seems to work, though (hints and corrections are welcome :wink:):

#!/bin/sh
# Used for private firewall rules

# Read variables
eval $(/usr/local/bin/readhash /var/ipfire/ethernet/settings)

# See how we were called.
case "$1" in

  start)
        ## add your 'start' rules here

# Prevent DNS hijacking - BEGIN
iptables -t nat -A CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to ${GREEN_ADDRESS}:53
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to ${GREEN_ADDRESS}:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to ${BLUE_ADDRESS}:53
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to ${BLUE_ADDRESS}:53
# Prevent DNS hijacking - END

# NTP Redirect - BEGIN
# -o cannot be used in PREROUTING (the outgoing interface is not known yet),
# so match the incoming zone interfaces instead of excluding orange0.
iptables -t nat -A CUSTOMPREROUTING -i green0 -p udp --destination-port 123 -j REDIRECT --to-ports 123
iptables -t nat -A CUSTOMPREROUTING -i blue0 -p udp --destination-port 123 -j REDIRECT --to-ports 123
# NTP Redirect - END
        ;;

  stop)
        ## add your 'stop' rules here

# Delete: NTP Redirect - BEGIN
iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp --destination-port 123 -j REDIRECT --to-ports 123
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp --destination-port 123 -j REDIRECT --to-ports 123
# Delete: NTP Redirect - END

# Delete: Prevent DNS hijacking - BEGIN
iptables -t nat -D CUSTOMPREROUTING -i green0 -p tcp --dport 53 -j DNAT --to ${GREEN_ADDRESS}:53
iptables -t nat -D CUSTOMPREROUTING -i green0 -p udp --dport 53 -j DNAT --to ${GREEN_ADDRESS}:53
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p tcp --dport 53 -j DNAT --to ${BLUE_ADDRESS}:53
iptables -t nat -D CUSTOMPREROUTING -i blue0 -p udp --dport 53 -j DNAT --to ${BLUE_ADDRESS}:53
# Delete: Prevent DNS hijacking - END
        ;;

  reload)
        $0 stop
        $0 start
        ## add your 'reload' rules here
        ;;
  *)
        echo "Usage: $0 {start|stop|reload}"
        ;;
esac

Furthermore, I added some REJECT rules via GUI, allowing DNS access only to IPFire, not external:

[screenshot: NAT table]

[screenshot: DNS GUI showed no problems]

For testing, I set DNS server to 1.2.3.4 on one of my PCs and did some nslookups.

[screenshot: the connection table looked as expected and the PC was working without any seen problems]

[screenshots of nslookup results: DOS_nslookup_8_8_8_8, DOS_nslookup_google]

That’s all - I did no more. I can put any DNS or NTP IP on my machines: all DNS queries are sent through IPFire. The main thing was that these rules seemed to work properly. I can’t remember why I chose DNAT rules, probably it was the first thought I had. And the advantages or disadvantages of my and your version are unfortunately not quite clear to me either.

Therefore - as always! - hints and suggestions are welcome. :slightly_smiling_face:

Best,
Matthias

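The test above (pointing a PC at 1.2.3.4 and running nslookup) has one subtlety: because conntrack reverses the NAT, the reply always appears to come from 1.2.3.4 whether or not it was redirected. What actually proves the redirect is that a name only the firewall’s resolver can answer resolves at all. The following is an added example, not from any post in this thread: a client-side check script that queries a local-only name through a bogus resolver over udp and tcp, classifies the result, and also probes tcp/853 to show whether a DoT client could bypass the rules. It assumes dig and nc on the client, and the names ipfire.localdomain (a local-only name) and 1.1.1.1 (a public DoT server) are placeholders to adjust.

```shell
#!/bin/sh
# Added example (not from the thread): run on a client in GREEN to check that
# plain DNS sent to an outside resolver is captured by the firewall and that
# DNS over TLS (tcp/853) cannot bypass it. Needs dig and nc on the client.

BOGUS_RESOLVER="${BOGUS_RESOLVER:-1.2.3.4}"      # not a resolver: only a REDIRECT/DNAT can answer
LOCAL_NAME="${LOCAL_NAME:-ipfire.localdomain}"   # assumption: a name only the firewall's resolver knows
DOT_RESOLVER="${DOT_RESOLVER:-1.1.1.1}"          # assumption: a public DoT server, used to probe port 853

# parse_dig OUTPUT -> "STATUS ANSWERS" taken from dig's header lines
# ("TIMEOUT 0" when no server answered at all).
parse_dig() {
    if printf '%s\n' "$1" | grep -q 'no servers could be reached'; then
        echo "TIMEOUT 0"
        return
    fi
    status=$(printf '%s\n' "$1" | sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1)
    answers=$(printf '%s\n' "$1" | sed -n 's/.*ANSWER: \([0-9]*\),.*/\1/p' | head -n 1)
    echo "${status:-UNKNOWN} ${answers:-0}"
}

# classify_answer STATUS ANSWERS -> captured | unanswered | leaked
classify_answer() {
    status="$1"; answers="${2:-0}"
    if [ "$status" = "NOERROR" ] && [ "$answers" -gt 0 ]; then
        echo captured      # a local-only name resolved: the firewall answered
    elif [ "$status" = "TIMEOUT" ]; then
        echo unanswered    # the query left the LAN and nobody replied: rule missing
    else
        echo leaked        # e.g. NXDOMAIN/REFUSED from a real outside resolver
    fi
}

# dot_bypass -> "open" if the client can reach an outside DoT server on 853
dot_bypass() {
    if nc -z -w 2 "$DOT_RESOLVER" 853 2>/dev/null; then
        echo open
    else
        echo closed
    fi
}

# Live run only where dig is available; the functions above are pure and
# can be exercised on captured dig output without any network access.
if command -v dig >/dev/null 2>&1; then
    result=$(parse_dig "$(dig +time=2 +tries=1 "@$BOGUS_RESOLVER" "$LOCAL_NAME" 2>&1)")
    echo "udp/53 via $BOGUS_RESOLVER: $(classify_answer $result)"
    result=$(parse_dig "$(dig +tcp +time=2 +tries=1 "@$BOGUS_RESOLVER" "$LOCAL_NAME" 2>&1)")
    echo "tcp/53 via $BOGUS_RESOLVER: $(classify_answer $result)"
    echo "tcp/853 to $DOT_RESOLVER: $(dot_bypass)"
fi
```

A “captured” result for both udp and tcp with “closed” on 853 is what the rules in this thread are meant to produce; “open” on 853 means a client configured for DoT would still get around them.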

Sorry about the vacation ending! There will always be another!

I am way more insecure about my settings than your settings!

I can’t comment on the REDIRECT vs DNAT since I barely understand the REDIRECT.

One of my goals was to try and keep the rule in one place (all in the firewall.local or all in the WebGUI). I was worried if it was split it would be more confusing to enable or disable in two places.

I think it was decided that -o did not work with PREROUTING / CUSTOMPREROUTING.

Here are the references:

EDIT: For your Incoming Firewall Access rules. For the GREEN sources, can you do a screenshot of the whole rule? I think I have the first rule wrong… And maybe the second…

EDIT2:
Here is my guess of your two GREEN source rules pulled out of the iptables. I did not add anything for port 853 (and did not add anything for blue).

# GREEN => 53 (did not add 853)
-A INPUTFW -s 192.168.60.0/24 -d 192.168.60.1/32 -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "INPUTFW "
-A INPUTFW -s 192.168.60.0/24 -d 192.168.60.1/32 -i green0 -p tcp -m tcp --dport 53 -j ACCEPT
-A INPUTFW -s 192.168.60.0/24 -d 192.168.60.1/32 -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "INPUTFW "
-A INPUTFW -s 192.168.60.0/24 -d 192.168.60.1/32 -i green0 -p udp -m udp --dport 53 -j ACCEPT

# GREEN !=> 53 (did not add 853)
-A INPUTFW -s 192.168.60.0/24 -d 24.x.x.x/32 -i green0 -p tcp -m tcp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "INPUTFW "
-A INPUTFW -s 192.168.60.0/24 -d 24.x.x.x/32 -i green0 -p tcp -m tcp --dport 53 -j DROP
-A INPUTFW -s 192.168.60.0/24 -d 24.x.x.x/32 -i green0 -p udp -m udp --dport 53 -m limit --limit 10/sec --limit-burst 20 -j LOG --log-prefix "INPUTFW "
-A INPUTFW -s 192.168.60.0/24 -d 24.x.x.x/32 -i green0 -p udp -m udp --dport 53 -j DROP

Hi,

Really!? Ok. We’ll see. I’m not so sure about DNAT v.s REDIRECT too. We still can test and compare…

Yep. +1

I also wanted to make sure that no external DNS could be used. So I added the GUI rules.

And yes - while reading this thread I became aware of the -o-Problem in my NTP rules. Just changed them - thanks for reminding me. :wink:

FYI, the GUI rules look like this (please note - I changed the respective colors of DROP and ACCEPT!):

[screenshots: DNS service group; 53, 853 UDP/TCP accepted on BLUE; 53, 853 UDP/TCP accepted on GREEN; 53, 853 UDP/TCP rejected on BLUE; 53, 853 UDP/TCP rejected on GREEN; IPTables - INPUTFW]

I hope there are no serious errors in this.

Best,
Matthias

EDIT 1: Just thought it over - I think the NTP rule for BLUE isn’t necessary!?
EDIT 2: Correction - the NTP rule IS necessary, I just tested it:

I hope that all of your postings here will finally result in one or two wiki pages?

Right now I’m lost in your conversation, although some of your suggestions have been set up in my IPFire configuration for a long time, but now I have started to doubt that all runs well here on my side. OTOH, I do not have any DNS issues here at the moment…


Same here, I’m following along and appreciate the effort put in by everyone else, but hope that in the end there will be a “final” version added to the Wiki.


Hi,

M2c: that’s the goal.

EDIT: Considerations:

By the way, I’m not sure anyway, if these adjustments can be used for ALL thinkable/possible configurations. And if they can/should stay in firewall.local. We’ll see.

But at first we should find something suitable that works. I hope, we’re close to this. In the end, I’d like to keep it as simple as possible.

As always, we (would) need (more) testers and feedback… :wink:

Best,
Matthias


I’m going to stick to just GREEN for now just to keep things simpler for me!

Thank you for the firewall details pics, that helps me big time! So for the “53, 853 UDP/TCP accepted on GREEN” and “53, 853 UDP/TCP rejected on GREEN” rules: do you see packets/bytes in the IPTables - INPUTFW?

It is all zeros in the pic above but I thought maybe something was reset/rebooted…

My main question is: why are the reject / allow rules in the GUI needed if the DNAT (redirect) is in the firewall.local? Belt and suspenders?


I’ve done a little reading on DNAT and REDIRECT. To me REDIRECT looks like a shortened (local-only?) version of DNAT.

So to me (and I am probably wrong!) these are the same:

... -j DNAT --to ${GREEN_ADDRESS}:53
-equals-
... -j REDIRECT --to-ports 53

And these are the same:
--destination-port 53 -j REDIRECT --to-ports 53
-and-
--destination-port 53 -j REDIRECT

Disclaimer: I am just learning iptables. Don’t hurt me!
