Fully recursive DNS resolver for IPfire?

IPfire can only connect to a public or ISP DNS resolver. It uses unbound, but that unbound cannot be switched to “standalone mode”; it is configured as a DNS forwarder.

I see you have some recommendations/policy for public DNS servers, and even well-known public DNS services like OpenDNS or Quad9 are on the “banned” list.

Maybe the best recommendation could be to run Unbound on IPfire in standalone mode as a recursive resolver. Why is this option not supported in IPfire?

Petr !!!
Finally someone else understands what I was trying to ask a while ago :smile:

@pslpsl Hi, if you run a DMZ directly from the Internet provider's modem/router, you should be able to bypass ISP DNS restrictions. This is if the ISP modem/router doesn’t allow the change! For me it worked that way once, in a very difficult DNS bypass by the ISP.
Regards G70P

IPfire can run unbound in standalone mode! When all DNS forwarders are disabled, unbound operates as a recursive DNS resolver.

All DNS forwarders are disabled (dns.cgi):

[root@ipfire ~]# cat /etc/unbound/forward.conf 
# This file is automatically generated and any changes
# will be overwritten. DO NOT EDIT!

Then you can verify with tcpdump that unbound works as a recursive DNS resolver, i.e. that it contacts the DNS root servers:

[root@ipfire ~]# tcpdump -i ppp0 port 53 | grep " > [a-z].root-servers.net.domain: "

or reverse lookup servers:

[root@ipfire ~]# tcpdump -i ppp0 port 53 | grep " > [a-z].in-addr-servers.arpa.domain: "

I believe that it is just a good idea to connect over TLS to some public DNS resolver. Standalone mode is good when something is broken or if someone wants to do DNS resolving the old way…

I assume that recursive DNS mode will not work in the case that the ISP uses DNS hijacking, either to protect inexperienced users from malware attacks or to enforce government censorship rules…
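The two checks from the post above (an empty forward.conf and root-server traffic in tcpdump) turned into a small script, as an added example that is not part of this thread or of IPfire. It assumes forward.conf uses unbound's forward-addr syntax and that the capture is tcpdump text output with name resolution on; all sample inputs are constructed.

```sh
#!/bin/sh
# Added example, not IPfire's own code: decide from unbound's forward.conf
# and from a tcpdump text capture whether unbound is acting as a forwarder
# or as a standalone recursive resolver, using the same checks as the post.

# 0 if forward.conf (minus comments) names any upstream with forward-addr,
# otherwise 1. An IPfire forward.conf with all forwarders disabled contains
# only the "automatically generated" comment, so this returns 1.
has_forwarders() {
    grep -v '^[[:space:]]*#' "$1" | grep -q 'forward-addr:'
}

# Number of captured packets sent to a root server or a reverse-lookup
# (in-addr-servers.arpa) server; same patterns the post feeds to grep.
count_root_queries() {
    grep -cE ' > [a-z]\.root-servers\.net\.domain: | > [a-z]\.in-addr-servers\.arpa\.domain: ' "$1" || true
}

# Prints "forwarding", "recursive" or "unknown" for a forward.conf and a capture.
resolver_mode() {
    if has_forwarders "$1"; then
        echo forwarding
    elif [ "$(count_root_queries "$2")" -gt 0 ]; then
        echo recursive
    else
        echo unknown   # no forwarders configured, but no root traffic seen either
    fi
}

# Constructed sample inputs (documentation addresses, not real captures).
FWD_EMPTY=$(mktemp); FWD_TLS=$(mktemp); CAP_RECURSIVE=$(mktemp); CAP_FORWARD=$(mktemp)
trap 'rm -f "$FWD_EMPTY" "$FWD_TLS" "$CAP_RECURSIVE" "$CAP_FORWARD"' EXIT
printf '%s\n' '# This file is automatically generated and any changes' \
    '# will be overwritten. DO NOT EDIT!' > "$FWD_EMPTY"
printf '%s\n' 'forward-zone:' '    name: "."' \
    '    forward-addr: 198.51.100.1@853#dns.example.net' \
    '    forward-tls-upstream: yes' > "$FWD_TLS"
printf '%s\n' \
    '10:01:02.000001 IP ipfire.51234 > a.root-servers.net.domain: 41234% [1au] NS? . (28)' \
    '10:01:02.000900 IP a.root-servers.net.domain > ipfire.51234: 41234*- 13/0/27 NS a.root-servers.net. (811)' \
    '10:01:03.000002 IP ipfire.51235 > b.in-addr-servers.arpa.domain: 5120% [1au] PTR? 1.100.51.198.in-addr.arpa. (54)' > "$CAP_RECURSIVE"
printf '%s\n' \
    '10:02:00.000001 IP ipfire.51236 > 198.51.100.1.853: Flags [S], seq 1, win 64240, length 0' > "$CAP_FORWARD"

resolver_mode "$FWD_EMPTY" "$CAP_RECURSIVE"   # recursive
resolver_mode "$FWD_TLS" "$CAP_FORWARD"       # forwarding
```

Only outbound lines (" > x.root-servers.net.domain:") are counted, so replies from the root servers do not inflate the count.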

Lynis warns about standalone features that must be taken into account and fixed for safe use. If it works well, then it is just missing the TLS control pepe was talking about in another post. But I’m not a programmer, and better safe than sorry, so no touching standalone as I do not know what that will break. Yep, the Snowden problem is everywhere :smiley: