I’ve been having occasional issues (for a long time) when resolving websites – sometimes a website won’t resolve (Server not found); and the next day or few hours later it would resolve.
Being in a country where censorship from regulatory bodies is the norm, I always ignored the issues, and just opened the site in VPN (like Opera’s built-in one) and get on with my day.
Today, I decided to look into it. And after some reading, switched the DNS on my Arch Linux laptop to use Cloudflare’s DNS (using cloudflared).
And with that change, the website that was not resolving a few minutes ago started opening instantly. In fact, all websites feel like they are resolving faster.
Question: configuring all devices in the home like that is not feasible / sane. If there is a way to set up a third-party DNS in IPFire, how can it be done? If there’s a wiki for it already, then my apologies, and please point me to it. I’d like to switch to one of these [ wiki.ipfire.org - List of Public DNS Servers ] public DNS servers and ditch my ISP’s auto-provided DNS.
My set-up is like this:
ISP provided DSL modem => IPFire => Wifi Access point
IPFire comes with a built-in caching DNS resolver called Unbound. Unbound is a DNS resolver that provides various options for speed, security, and privacy. You have the flexibility to configure Unbound to use a third-party DNS server instead of your ISP’s default DNS. You can even choose a more secure protocol, such as DNS over TLS, for enhanced privacy.
When you have configured Unbound, to make this change for all devices on your network, you can set up a firewall rule in IPFire to automatically redirect all DNS traffic from LAN hosts to the Unbound resolver. This way, every device that connects to your network will benefit from the DNS settings you’ve configured in Unbound without needing to change the individual settings.
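Added example for the Unbound half of the answer above (editor's example, not code from the thread or from IPFire). It generates the forwarding stanza that sends every query to a public resolver over DNS over TLS, next to the plain port-53 forward it replaces. The resolver addresses, the CA bundle path and the target file path are assumptions; on IPFire the same settings are made on the Domain Name System page of the web interface rather than by editing files.

```shell
#!/bin/sh
# Added example: build an Unbound forward-zone that uses DNS over TLS (port 853)
# instead of the ISP's plain port-53 servers. Upstream list, CA bundle path and
# target path are assumptions, not IPFire defaults.

# Upstreams as ip@port#authname. The "#name" suffix makes Unbound verify the
# upstream's TLS certificate against that hostname, so an on-path box that
# answers on 853 with some other certificate is rejected instead of used.
UPSTREAMS="1.1.1.1@853#cloudflare-dns.com 1.0.0.1@853#cloudflare-dns.com"
CA_BUNDLE="/etc/ssl/certs/ca-certificates.crt"   # assumed location of the CA store

# The weak form: forward in the clear on port 53. Anyone between the router and
# the resolver can read and rewrite the answers; this is what an ISP-provided
# resolver gives you by default.
unbound_plain_forward_conf() {
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    for u in $UPSTREAMS; do
        # strip the port and auth name, leaving the bare address
        printf '    forward-addr: %s\n' "${u%%@*}"
    done
}

# The corrected form: TLS to the upstream, with certificate validation.
# Without tls-cert-bundle Unbound would encrypt but not authenticate the peer.
unbound_dot_forward_conf() {
    printf 'server:\n'
    printf '    tls-cert-bundle: "%s"\n' "$CA_BUNDLE"
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    printf '    forward-tls-upstream: yes\n'
    for u in $UPSTREAMS; do
        printf '    forward-addr: %s\n' "$u"
    done
}

# Write the DoT config to an include file and validate it if unbound-checkconf
# is installed. The default path is an assumption.
install_forward_conf() {
    target="${1:-/etc/unbound/forward-dot.conf}"
    unbound_dot_forward_conf > "$target"
    if command -v unbound-checkconf >/dev/null 2>&1; then
        unbound-checkconf "$target"
    fi
}
```

Review the output of `unbound_dot_forward_conf` before installing it: the two lines that matter for security are `forward-tls-upstream: yes` and the `#hostname` suffix on each `forward-addr`, since together with `tls-cert-bundle` they are what turns "encrypted" into "encrypted and authenticated".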
I’ve done as you instructed, and it appears to have done the trick. The website that was not working before is resolving now. And DNS resolving is fast now!
FYI - I am not sure about adding DNS over TLS / port 853 to the DNS group for protocol. I seem to remember that being bad to add to the DNS group above. I’ll see if I can find my notes!
EDIT: It is somewhere in this post! (lots to read!)
I think I understand why. Indeed, including TLS 853 in the same DNAT rule for DNS traffic may not be appropriate. Port 853 is used for DNS over TLS, which is a secured version of DNS. If I redirect this traffic to a standard DNS resolver that doesn’t support TLS, the connection will fail. It’s better to handle DNS over TLS separately and ensure that the target of the DNAT rule for port 853 is capable of handling DNS over TLS.
I disagree, it does exactly what it is designed to do. No scheme can create a trust-less DNS with the current design. By encrypting the message, at least you remove one party from knowing what we are doing. The provider.
That blog post is not saying that DNS over TLS is not great and should not, by implication, be used.
It is saying that you need to realise that the end point, ie the DNS provider, can still access your data.
So you need to choose carefully who your DNS provider is going to be and figure out for yourself who you will trust and who not.
I don’t use google or cloudflare as they aim to monetise what they provide so if you are not paying money directly for it, you are paying in some other way.
Later in that blog post it says
For any alternative it again makes sense to use DNS over TLS.
So it is not saying don’t use it, but it is saying that you should understand what it is protecting you from and what it is not protecting you from.
Believe me, the depth of my ignorance is REALLY big. So, don’t worry, say whatever you feel is important or relevant.
This is how I frame the issue, we learn by error correction, as neural networks do. If I do not acknowledge my ignorance, I cannot correct the error, and a stupid AI model will be more intelligent than I am. I can’t let this happen. So I expose myself to showing my ignorance to the community, and because of this I can learn, see my error and be slightly better than an AI.
This thread is the perfect representation of this dynamic. I gave a wrong suggestion, Jon pointed that out (thanks @jon) and now I know more than before.
The FW rule is to force users to use the FW DNS server.
So the user requests Google DNS.
IPFire intercepts the DNS.
IPFire makes a DNS53 or DNST request (depending on your Domain Name System settings).
IPFire returns DNS53 to the user, pretending to be Google DNS.
The user is transparently redirected to IPFire DNS.
No user bypass.
Without the FW redirect, the user can directly bypass your filtered DNS and request anything.
I do not know what DNS53 or DNST is; I have only read the general reasons stated in many places, like in IPFire’s wiki, on why not to use just any DNS but some other provider.
So, if I understand it correctly, regardless of whether I tell IPFire to use a specified DNS for all Internet connections - which I thought was enough by doing it in the Domain Name System settings - you still need a FW rule to tell the computers that are connected in my network to do just that?
DNS53 = DNS on port 53
DNST = DNS over TLS
DNSH = DNS over HTTPS
Example.
I’m a PC on your network
Turn on PC.
PC network asks for network setup info
IPFire answers back.
Gives you an IP to use (192.168.1.55)
It also gives you the gateway info (192.168.1.1).
(IPFire is the gateway)
It also tells me to use 192.168.1.1 as my DNS
Now I’m on the network ready to reach the world
But
What if you’re a school and I’m a smart kid.
I change my PC DNS to 1.1.1.1
Well, IPFire lets you bypass its DNS
And I can reach the web without IPFire’s DNS protection and filtering.
So the FW rule is to silently grab the port 53 DNS request, run it through IPFire and send the response back as if it was 1.1.1.1
The only problem is this is only part of the solution.
Blocking DNSH is very hard
Blocking users from DNST easy.
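Added example for the firewall half of this walkthrough and of the earlier answer that suggested the DNAT rule (editor's example, written as plain iptables rules for a Linux router; it is not IPFire's own configuration and not code from the thread). It redirects port 53 to the firewall's resolver, refuses port 853 rather than redirecting it, and leaves DNS over HTTPS alone because it cannot be told apart from other port-443 traffic. The interface name and LAN range are assumptions; 192.168.1.1 is the gateway address used in the walkthrough. On IPFire the equivalent rule is built in the web interface.

```shell
#!/bin/sh
# Added example: enforce use of the router's resolver with iptables.
# Interface name and LAN range are assumptions; 192.168.1.1 is the gateway
# and Unbound address from the walkthrough above.

LAN_IF="green0"              # assumed LAN interface name
LAN_NET="192.168.1.0/24"     # assumed LAN range
FW_IP="192.168.1.1"          # gateway / Unbound listen address

# Print the rules rather than applying them, so they can be reviewed first.
dns_enforcement_rules() {
    for proto in udp tcp; do
        # DNS53: any LAN host asking some other server (1.1.1.1, 8.8.8.8, ...)
        # on port 53 is rewritten to the firewall's own resolver. Conntrack
        # undoes the translation on the reply, so the client still sees an
        # answer that appears to come from the address it asked.
        printf 'iptables -t nat -A PREROUTING -i %s -s %s ! -d %s -p %s --dport 53 -j DNAT --to-destination %s\n' \
            "$LAN_IF" "$LAN_NET" "$FW_IP" "$proto" "$FW_IP"
    done
    # DNST: do NOT DNAT port 853 to Unbound, which is not serving TLS there;
    # the client would just hang on a failed handshake. Reject with a TCP reset
    # instead so the stub fails fast and falls back to port 53, where the
    # redirect above catches it.
    printf 'iptables -A FORWARD -i %s -s %s ! -d %s -p tcp --dport 853 -j REJECT --reject-with tcp-reset\n' \
        "$LAN_IF" "$LAN_NET" "$FW_IP"
    # DNSH: DNS over HTTPS rides on port 443 alongside ordinary web traffic, so
    # there is no port-based rule for it. This is why the redirect is "only
    # part of the solution".
}

# Apply the rules for real only when explicitly asked; otherwise just print.
apply_dns_enforcement() {
    if [ "${1:-}" = "--apply" ]; then
        dns_enforcement_rules | sh -e
    else
        dns_enforcement_rules
    fi
}
```

Run it without arguments to see the three rules, and with `--apply` as root to load them. The `! -d "$FW_IP"` exclusion keeps queries that already go to the firewall out of the NAT table; the order (DNAT for 53 in PREROUTING, REJECT for 853 in FORWARD) matters because redirected port-53 traffic never reaches the FORWARD chain.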
So it is in order to prevent users from changing their DNS on their local computers in a network that by default gets the DNS servers set by IPFire, but it does not prevent that change of local DNS.