I’ve been having occasional issues (for a long time) when resolving websites – sometimes a website won’t resolve (Server not found), and the next day or a few hours later it would resolve.
Being in a country where censorship from regulatory bodies is the norm, I always ignored the issues, and just opened the site in VPN (like Opera’s built-in one) and get on with my day.
Today, I decided to look into it. And after some reading, switched the DNS on my Arch Linux laptop to use Cloudflare’s DNS (using cloudflared).
And with that change, the website that was not resolving a few minutes ago started opening instantly. In fact, all websites feel like they are resolving faster.
Question: configuring all devices in the home like that is not feasible / sane. If there is a way to set up a 3rd-party DNS in IPFire, how can it be done? If there’s a wiki for it already, then my apologies and please point me to it. I’d like to switch to one of these [ wiki.ipfire.org - List of Public DNS Servers ] public DNS servers and ditch my ISP’s auto-provided DNS.
My set-up is like this:
ISP provided DSL modem => IPFire => Wifi Access point
IPFire comes with a built-in caching DNS resolver called Unbound. Unbound is a DNS resolver that provides various options for speed, security, and privacy. You have the flexibility to configure Unbound to use a third-party DNS server instead of your ISP’s default DNS. You can even choose a more secure protocol, such as DNS over TLS, for enhanced privacy.
Once you have configured Unbound, to apply this change to all devices on your network you can set up a firewall rule in IPFire to automatically redirect all DNS traffic from LAN hosts to the Unbound resolver. This way, every device that connects to your network will benefit from the DNS settings you’ve configured in Unbound without needing to change the individual settings.
I think I understand why. Indeed, including TLS 853 in the same DNAT rule for DNS traffic may not be appropriate. Port 853 is used for DNS over TLS, which is a secured version of DNS. If I redirect this traffic to a standard DNS resolver that doesn’t support TLS, the connection will fail. It’s better to handle DNS over TLS separately and ensure that the target of the DNAT rule for port 853 is capable of handling DNS over TLS.
I disagree, it does exactly what it is designed to do. No scheme can create a trust-less DNS with the current design. By encrypting the message, at least you remove one party from knowing what we are doing. The provider.
Believe me, the depth of my ignorance is REALLY big. So, don’t worry, say whatever you feel is important or relevant.
This is how I frame the issue, we learn by error correction, as neural networks do. If I do not acknowledge my ignorance, I cannot correct the error, and a stupid AI model will be more intelligent than I am. I can’t let this happen. So I expose myself to showing my ignorance to the community, and because of this I can learn, see my error and be slightly better than an AI.
This thread is the perfect representation of this dynamic. I gave a wrong suggestion, Jon pointed that out (thanks @jon) and now I know more than before.
The FW rule is to force users to use the FW DNS server.
So a user requests Google DNS.
IPfire intercepts the DNS.
IPfire makes a DNS53 or DNST request (depending on your Domain Name System settings).
IPfire returns DNS53 to the user, pretending to be Google DNS.
User is transparently redirected to IPfire DNS.
No user bypass.
Without the FW redirect, a user can directly bypass your filtered DNS and request anything.
I do not know what DNS53 or DNST is, I have only read the general reasons stated in many places, like in IPFire’s Wiki, on why not to use just any DNS but some other provider.
So, if I understand it correctly, regardless of whether I tell IPFire to use a specified DNS for all Internet connections - which I thought was enough by doing it in the Domain Name System settings - you still need a FW rule to tell the computers that are connected in my network to do just that?
</gre_replace>
<gr_replace lines="30-34" cat="clarify" orig="PC network asks">
The PC asks for network setup info.
IPfire answers back.
It gives you an IP to use (192.168.1.55).
It also gives you the gateway info (192.168.1.1).
(IPfire is the gateway.)
DNS53 = DNS on port 53
DNST = DNS over TLS
DNSH = DNS over HTTPS
I’m a PC on your network
Turn on PC.
PC network asks for network setup info
IPfire answers back.
Gives you a ip to use (192.168.1.55)
It also gives you the gatway info.(192.168.1.1 )
(IPfire is the gatway)
It also tells me to use 192.168.1.1 as my DNS
Now I’m on the network, ready to reach the world.
What if you’re a school and I’m a smart kid?
I change my PC DNS to 22.214.171.124.
Well, IPfire lets you bypass its DNS.
And I can reach the Web without IPfire’s DNS protection and filtering.
So the FW rule is to silently grab the port 53 DNS request, run it through IPfire and send the response back as if it was 126.96.36.199.
The only problem is this is only part of the solution.
Blocking DNSH is very hard.
Blocking users from DNST is easy.
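As an added illustration (not code from this thread or from IPFire itself), here are the netfilter rules behind the two points made above: plain port 53 is DNAT’ed to the firewall’s own resolver, while port 853 (DNST) is rejected rather than redirected, since a resolver that only speaks plain DNS could not complete the TLS handshake. Assumed values: the LAN interface is green0 (IPFire’s name for the green network), the LAN is 192.168.1.0/24 and the firewall/resolver address is 192.168.1.1 as in the example above.

```shell
#!/bin/sh
# Added example, not IPFire's own code. Assumptions: LAN interface green0,
# LAN network 192.168.1.0/24, firewall/resolver 192.168.1.1 (override via env).
# Pass "print" to only show the iptables commands, "apply" to install them.

LAN_IF="${LAN_IF:-green0}"
LAN_NET="${LAN_NET:-192.168.1.0/24}"
RESOLVER="${RESOLVER:-192.168.1.1}"

# ipt: print or run an iptables command, depending on MODE.
ipt() {
    if [ "$MODE" = "print" ]; then
        echo "iptables $*"
    else
        iptables "$@"
    fi
}

# Redirect plain DNS (port 53, UDP and TCP) from the LAN to the local resolver.
# Queries already addressed to the firewall are left untouched; everything
# else is rewritten, and the reply goes back to the client with the address
# it originally asked, which is the "pretending to be Google DNS" effect.
dns_redirect_rules() {
    MODE="$1"
    for proto in udp tcp; do
        ipt -t nat -A PREROUTING -i "$LAN_IF" -s "$LAN_NET" ! -d "$RESOLVER" \
            -p "$proto" --dport 53 -j DNAT --to-destination "$RESOLVER:53"
    done
}

# DNS over TLS (port 853) must NOT be DNAT'ed into a plain-DNS resolver;
# reject it with a TCP reset so clients fall back quickly to the DHCP-assigned
# resolver instead of hanging on a failed handshake.
dot_block_rules() {
    MODE="$1"
    ipt -A FORWARD -i "$LAN_IF" -s "$LAN_NET" ! -d "$RESOLVER" \
        -p tcp --dport 853 -j REJECT --reject-with tcp-reset
}

# DNS over HTTPS shares port 443 with ordinary web traffic, so no port-based
# rule can single it out; that is why blocking DNSH is called hard above.

# Stand-alone use: `sh dnsredir.sh print` shows the rules, `sh dnsredir.sh apply` installs them.
case "${1:-}" in
    print|apply) dns_redirect_rules "$1"; dot_block_rules "$1" ;;
esac
```

The `! -d "$RESOLVER"` exclusion matters: without it, queries that clients already send to the firewall would be re-NAT’ed to itself, and the DoT reject would also cut off a DoT listener you might later run on the firewall.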