I use ipfire's unbound as DNS for the green network. How can I redirect green clients' DNS requests to 1.1.1.1:443 (DoH) to ipfire's unbound on port 53?
Hi,
you can try the following
You would just have to add DOH and DoT to this group accordingly; then DNS queries should be redirected to the ipfire.
I hope it helps you
Hi!
I think it is not possible so simply, because DOH/DOT use destination port 443 and not 53. In such a case, the traffic analyzer must distinguish when it should be forwarded (web request to 443) to the destination or rerouted (DNS DOH/DOT request to 443) to the local DNS server. Also, if for example queries to 1.1.1.1:443 were redirected in the way you mentioned to 192.168.0.254:53 (my ipfire DNS), will ipfire understand that this is a DNS request (because it is encoded with SSL) and know how to respond to it?
On Sunday, 10 Nov 2024 at 16:24, user Mum Pitz via IPFire Community (<no-reply@community.ipfire.org>) wrote:
This would be your best option.
next might be the IPS as a second option
Hi!
I already have some RPZ blocking of DOH organized on my ipfire and that works, but, as I said, I need not blocking but redirecting to the local ipfire DNS (inbound). This is not because it is necessary to limit local clients to external DNS servers, but because there are several domains and subdomains in the internal network DMZ zone which are defined only in the internal (ipfire) DNS, are not known by the world's DNS servers, and are not open to access from the internet. I must find some method to feed local domain names to chromium based browsers using secure DNS.
On Monday, 11 Nov 2024 at 02:27, user Shaun HVAC via IPFire Community (<no-reply@community.ipfire.org>) wrote:
If you only need local DNS, why do you need encrypted DNS?
You can set host names and local domains in Ipfire, point the clients' DNS at ipfire, and configure the DNS servers for Ipfire over TLS or TCP, encrypted, towards the internet.
I do not need encrypted DNS. I have local DNS on port 53. I have a hosts file. But hundreds of Windows PCs in my school LAN (green) have chromium browsers (edge, chrome, firefox) with secure DNS enabled (as per default), and they ignore my Windows system DNS settings (forced by DHCP) and bypass local DNS, and therefore cannot get IP addresses for internal domains served by the DMZ (orange), say database.localdomain.
But in external DNS I cannot store records pointing to my internal addresses. Many computers are portable and must also be allowed from teachers' homes, so I cannot force them to disable secure DNS.
It is possible to store all domains on an outside DNS pointing to the school's public IP, where haproxy routes to subdomains in orange, and not use local DNS, but in that case ipfire is unnecessarily routing all traffic from green to orange through the red interface instead of sending it directly from green to orange.
On Monday, 11 Nov 2024 at 17:11, user Mum Pitz via IPFire Community (<no-reply@community.ipfire.org>) wrote:
I don’t really have a clue, but that doesn’t really make sense to me.
The Orange network as DMZ in Ipfire is intended for servers/services that are accessible from the Internet, but can also be accessed directly from the Green (LAN) network.
So far so good, but the forced encrypted DNS that bypasses ipfire, and that access from the road must force this encrypted DNS, confuses me a little, too.
I'll ask you two questions about whether this is conceivable for you, because otherwise I'm really not qualified to help you.
Why don't you enforce the Squid web proxy for Green (LAN), possibly with user login, and let IPfire take over the DNS internally for orange and towards the Internet?
Secondly, for portable clients, set up a VPN server on the IPfire through which you can also access the Orange/Green/Red networks via the squid web proxy.
You would then have an encrypted connection for portable clients and would not have to fix them to DOH in the browser and DHCP.
With the user login, only authorized users can access the network and Ipfire can unfold all its security options and possibilities if the routing and DNS are managed via ipfire.
If that doesn't make sense to you, then your question exceeds my competencies; I'm sorry, but there are certainly people here who are up to it. Maybe information is still missing that the experts would need for an approach.
It's not possible because DOH is encrypted (HTTPS) and signed. So even if you redirect such traffic, the signature of the server will not match and the connection will be rejected by the client.
I know that, and I consider it a security threat to the local network that anyone can connect wherever they want. Also, illegal content can no longer be blocked normally because HTTPS is used.
DOH uses an HTTPS access to a DOH server, let's name it doh.server.com.
To establish this connection a name resolution request is sent to the DNS server.
This server can block the DOH request. Search for @jon’s RPZ project.
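The mechanism the last post describes is the one thing the local resolver can actually act on: before any TLS session is opened, the browser has to look up the DoH server's hostname through the system DNS, and a Response Policy Zone (RPZ) on that resolver can answer NXDOMAIN for it. As an added example that is not from this thread, from @jon's RPZ project or from IPFire, the Python below parses a small RPZ zone fragment and evaluates query names against its QNAME triggers the way a policy-aware resolver would (exact trigger before wildcard, longest wildcard suffix wins, `CNAME .` = NXDOMAIN, `CNAME *.` = NODATA, `CNAME rpz-passthru.` = resolve normally). The zone text and the `allowed.` passthru entry are constructed for illustration; `cloudflare-dns.com` and `dns.google` are used only as examples of public DoH endpoint names, and `use-application-dns.net` is the canary name Firefox looks up before enabling DoH by default.

```python
"""RPZ QNAME-trigger evaluation for blocking DoH bootstrap lookups.

Added example, not code from the thread or from IPFire. The zone fragment
below is CONSTRUCTED for illustration; the hostnames are only examples.
"""
from dataclasses import dataclass

# Constructed RPZ fragment. Policy records are <trigger> CNAME <target>:
#   CNAME .              -> NXDOMAIN  (client sees "name does not exist")
#   CNAME *.             -> NODATA    (name exists, but no records)
#   CNAME rpz-passthru.  -> PASSTHRU  (explicit allow, resolve normally)
# A leading "*." on the trigger also matches every subdomain of the name.
SAMPLE_RPZ = """
$ORIGIN doh-block.rpz.
@                        SOA  localhost. root.localhost. 1 3600 900 604800 86400
@                        NS   localhost.
; example public DoH endpoint names: NXDOMAIN forces fallback to plain DNS
cloudflare-dns.com       CNAME .
*.cloudflare-dns.com     CNAME .
dns.google               CNAME .
; Firefox canary: NXDOMAIN tells Firefox not to enable DoH by default
use-application-dns.net  CNAME .
; constructed allow-list entry inside an otherwise blocked zone
allowed.cloudflare-dns.com CNAME rpz-passthru.
"""


@dataclass(frozen=True)
class Rule:
    trigger: str    # normalized name, "*." prefix already stripped
    wildcard: bool  # True when the trigger was written as *.name
    action: str     # NXDOMAIN | NODATA | PASSTHRU | CNAME
    target: str = ""  # CNAME target for the local-data case


def _norm(name: str) -> str:
    """DNS names are case-insensitive; drop the trailing dot as well."""
    return name.lower().rstrip(".")


def _action_for(target: str) -> tuple:
    """Map an RPZ CNAME target onto the policy action it encodes."""
    if target == ".":
        return "NXDOMAIN", ""
    if target == "*.":
        return "NODATA", ""
    if target.lower() == "rpz-passthru.":
        return "PASSTHRU", ""
    return "CNAME", _norm(target)


def parse_rpz(zone_text: str) -> list:
    """Extract QNAME-trigger CNAME policy records from RPZ zone text."""
    rules = []
    for raw in zone_text.splitlines():
        line = raw.split(";", 1)[0].strip()          # strip comments
        if not line or line.startswith(("$", "@")):
            continue                                   # directives, apex SOA/NS
        tokens = line.split()
        if "CNAME" not in tokens:
            continue                                   # not a policy record
        trigger, target = tokens[0], tokens[tokens.index("CNAME") + 1]
        wildcard = trigger.startswith("*.")
        name = _norm(trigger[2:] if wildcard else trigger)
        action, tgt = _action_for(target)
        rules.append(Rule(name, wildcard, action, tgt))
    return rules


def evaluate(qname: str, rules: list) -> str:
    """Return the RPZ action for qname, or "RESOLVE" when nothing matches.

    Exact triggers beat wildcards; among wildcards the longest (most specific)
    suffix wins, which is the precedence RPZ-capable resolvers apply.
    """
    q = _norm(qname)
    exact = [r for r in rules if not r.wildcard and r.trigger == q]
    if exact:
        return exact[0].action
    wild = [r for r in rules if r.wildcard and q.endswith("." + r.trigger)]
    if wild:
        return max(wild, key=lambda r: r.trigger.count(".")).action
    return "RESOLVE"


RULES = parse_rpz(SAMPLE_RPZ)


def decide(qname: str) -> str:
    """Policy decision for one query name against the constructed zone."""
    return evaluate(qname, RULES)


if __name__ == "__main__":
    for name in ("cloudflare-dns.com", "mozilla.cloudflare-dns.com",
                 "allowed.cloudflare-dns.com", "DNS.GOOGLE.",
                 "use-application-dns.net", "database.localdomain"):
        print(f"{name:32s} -> {decide(name)}")
```

Note what this does and does not achieve: it only makes the bootstrap lookup of the DoH server's name fail, so a browser that then falls back to the system resolver gets the internal names. It does nothing against a client configured with the DoH server's IP address directly, and, as the post above says, the HTTPS session itself cannot be redirected into the local resolver, because the certificate for the redirected destination will not validate.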