However, this only works when using DNS servers that are not on the Green network. I think I would need to exclude the IPFire Green IP from the rule. I could manually create hosts for all IPs of my subnet and create a group with these, but this seems quite cumbersome. Is there an easier way to do this?
I tried your suggestion, but it doesn't seem to work at all.
When using a third-party DNS, resolution still works, but no packets reach my DNS server.
I also tried to use Green as source, but it wouldn't let me because of "Source and destination IP addresses are from the same subnet.std_net_srcGREENcust_host_tgtPihole", which doesn't make sense to me. It should work just fine when using source NAT, in my understanding.
This redirect is to redirect traffic to IPFire.
I would make 2 firewall rules:
1. Source any, NAT ?, block DNS
2. Source "PIHOLE", NAT, allow DNS
Block all DNS except from PIHOLE.
The block rule should probably be:
Source Green, block DNS.
The second rule, not sure if it would work to redirect.
Have you tried source Green in the rule posted at 3?
Have you tried to set destination to your internal DNS server ( PIHole )?
The redirect rule should send all DNS traffic to the specified DNS server, from devices with hard coded DNS server also.
But your internal DNS server, not IPFire, needs unredirected access to global DNS servers. Therefore you need a second rule to allow this device's DNS requests. This rule must have a rule number less than the redirect rule number.
Yes I have, but I get the following error: "Source and destination IP addresses are from the same subnet.std_net_srcGREENcust_host_tgtPihole" and can't create the rule.
Yeah, sure, but I was replying to Shaun's suggestion.
My DNS server on Green uses DNSCrypt, which uses port 443. A second rule is not necessary in my case when redirecting directly to my DNS server. A second rule is needed when redirecting to the IPFire DNS that uses my internal DNS, but that does not work either, because it seems like Incoming Firewall Access rules are processed before Outgoing Firewall Access rules.
I think it would work if I create a group that contains all of my subnet except IPFire and use that as source. But creating such a group would require creating hosts for all IPs of my subnet first, which seems cumbersome.
This is an issue in IPF. Generally that is quite a good validation check, but sometimes the rule can be correct. The only way round it is to apply a custom rule manually.
I just created a group for my subnet without the Green IPFire IP and used that as source instead of the whole Green network. It works now.
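As an added example (not from any post in this thread, nor IPFire's own code), here is what the "custom rule applied manually" from the previous post, with the exclusions from the post above, looks like as plain iptables. It generates the nat-table rules for redirecting all GREEN DNS traffic to Pi-hole while letting Pi-hole itself and the firewall's own GREEN address bypass the redirect, and adds the source NAT the same-subnet hairpin needs (otherwise Pi-hole would answer the client directly from an address the client never queried, and the client would drop the reply). The addresses, the chain names CUSTOMPREROUTING/CUSTOMPOSTROUTING and the `--apply` switch are assumptions for illustration; check the chain names against your own IPFire ruleset before applying anything.

```shell
#!/bin/sh
# Added example: iptables equivalent of "redirect GREEN DNS to Pi-hole,
# except for Pi-hole and IPFire itself". All addresses are assumed values.
GREEN_NET="${GREEN_NET:-192.168.1.0/24}"
GREEN_IP="${GREEN_IP:-192.168.1.1}"     # IPFire's own GREEN address
PIHOLE_IP="${PIHOLE_IP:-192.168.1.2}"   # the internal DNS server

# Print the rules instead of running them, so they can be reviewed first.
# Args: <green net> <firewall ip> <dns server ip> [prerouting chain] [postrouting chain]
dns_redirect_rules() {
    net="$1"; fw="$2"; dns="$3"
    pre="${4:-CUSTOMPREROUTING}"    # assumption: user hook chain for nat PREROUTING
    post="${5:-CUSTOMPOSTROUTING}"  # assumption: user hook chain for nat POSTROUTING

    # 1. Exceptions first (rule order matters): the DNS server's own upstream
    #    lookups and the firewall itself must not be redirected.
    for ex in "$dns" "$fw"; do
        for proto in udp tcp; do
            echo "iptables -t nat -A $pre -s $ex -p $proto --dport 53 -j RETURN"
        done
    done

    # 2. Everything else from GREEN that is not already asking Pi-hole gets
    #    DNATed to Pi-hole, hard-coded resolvers included.
    for proto in udp tcp; do
        echo "iptables -t nat -A $pre -s $net ! -d $dns -p $proto --dport 53 -j DNAT --to-destination $dns:53"
    done

    # 3. Hairpin fix: client and Pi-hole share a subnet, so Pi-hole would reply
    #    directly to the client from its own address. Masquerade only the
    #    connections that were actually DNATed (ctstate DNAT), so direct queries
    #    keep their real client IP in Pi-hole's statistics.
    for proto in udp tcp; do
        echo "iptables -t nat -A $post -s $net -d $dns -p $proto --dport 53 -m conntrack --ctstate DNAT -j MASQUERADE"
    done
}

# Number of rules generated (used as a sanity check before applying).
rule_count() {
    dns_redirect_rules "$@" | wc -l | tr -d ' '
}

if [ "${1:-}" = "--apply" ]; then
    dns_redirect_rules "$GREEN_NET" "$GREEN_IP" "$PIHOLE_IP" | sh
else
    dns_redirect_rules "$GREEN_NET" "$GREEN_IP" "$PIHOLE_IP"
fi
```

Run it without arguments to review the eight rules it would add; run with `--apply` as root to install them. Note the RETURN exceptions are emitted before the DNAT rule for the same reason given earlier in the thread: the allow rule for the DNS server must sort before the redirect rule, or the server's own upstream queries are redirected back to itself.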
Would be nice if it were possible to create groups for IP ranges or subnets through the web interface in the future.