Did I read it correctly? You set the DNS on Green to the Fritzbox and not IPFire. What is the Fritzbox’s upstream resolver? It sounds like you are bypassing the IPF DNS.
Yes, you did, and I have installed IPFire anew.
The IP range for Green is now 192.168.220.2-192.168.220.50.
DNS 192.168.220.1 for Green.
At the installation I set the static IP for Red to 192.168.250.98 and the gateway to 192.168.250.1.
Is that right?
The DNS should now come from IPFire, or not?
The DNS settings are right.
The settings to publish (and force) this config are done also?
The config of the Red interface depends on the settings of the device supplying you with internet access, in your case the Fritzbox.
“The settings to publish (and force) this config are done also?”
Hmm, where or how do I have to do this?
In the DHCP configuration? Then yes.
For Blue it is
192.168.240.2 to 192.168.240.20
DNS 192.168.240.1
The gateway for the Fritzbox is 192.168.250.1.
Does Green also have its DHCP server set up? If so, it should be set with 192.168.220.1 as the DNS server handed out by DHCP.
Red is whatever. However, how have you set the upstream DNS (GUI > Network > Domain Name System) for IPFire itself? Typically this will be your Fritzbox, ISP’s DNS servers or something like Google (8.8.8.8/8.8.4.4) or Cloudflare (1.1.1.1/1.0.0.1), but it can be left unconfigured, in which case it will work in recursive mode. It should not point to anything on IPFire.
“Does Green also have its DHCP server set up? If so, it should be set with 192.168.220.1 as the DNS server handed out by DHCP.”
It is.
“Red is whatever. However, how have you set the upstream DNS (GUI > Network > Domain Name System) for IPFire itself? Typically this will be your Fritzbox, ISP’s DNS servers or something like Google (8.8.8.8/8.8.4.4) or Cloudflare (1.1.1.1/1.0.0.1), but it can be left unconfigured, in which case it will work in recursive mode. It should not point to anything on IPFire.”
I set nothing there… default.
In recursor mode.
So, with the hosts file set, is it working now?
For ‘misbehaving’ devices this may be of interest.
The DNS server address is published by DHCP, but a client may decide not to use this local policy.
That link only helps for regular DNS on port 53. Other escape routes are DoH and DoT. You can block DoT by blocking tcp:853. DoH is almost impossible to block, but there is a canary domain you can use to block Firefox’s DoH. I don’t know how you block anyone else’s.
… and then there is DoQ in udp:8553 and DoH3 on udp:443.
DoH can be blocked by means of RPZ in unbound.
No, whether I configure the host or not, if I open xxxx.com on the phone with the browser or the Nextcloud app, the traffic goes from the phone to the SBC to the Red zone and from Red to the SBC to Nextcloud.
If I open 192.168.240.2 on the phone (iPhone), then the traffic goes from the phone 192.168.220.4 to 192.168.240.2 Nextcloud directly.
This means your phone doesn’t use IPFire’s DNS resolver. See my post about ‘misbehaving’ devices.
If both the browser and the Nextcloud app behave the same, I suppose they rely on the OS of the phone.
So have a look at the phone’s WiFi connection and see what DNS it is configured to use.
Yes, it seems so…
The phone is an iPhone and I believe they have configured it this way.
I will try your link and if I believe that this is important then I will go. Now I ask myself where the problem is…
The DNS in the phone (WiFi settings) shows the IPFire Green DNS 192.168.220.1.
I have tried it and the same.
Both iOS and Android OS give you the ability to define a DNS server in the settings but they have unfortunately also allowed any app developer to be able to ignore that setting and use the one that the app has decided that you should use. If you are lucky you might have the ability to change the dns server defined in the app. However sometimes app developers put the dns server IP into the app code itself so it cannot be changed by the user.
Similar thing with dns servers has been found on many IoT items.
You can try some packet sniffing and see if you can work out what is going on. Also, earlier in the thread, there were firewall rules to hijack external DNS lookups and force them to IPF, if it is using conventional DNS on port 53.
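As an added example (not code from this thread or from the IPFire project), here is a small Python script for the packet-sniffing step: it reads conntrack-style flow lines and reports DNS traffic that does not go to the resolver DHCP hands out on Green (192.168.220.1) or Blue (192.168.240.1), plus the DoT (tcp/853), DoQ (udp/8553) and DoH3 (udp/443) ports mentioned earlier in the thread. The line format is modelled on `conntrack -L` output; the sample lines are constructed, using the addresses from the thread and TEST-NET-3 placeholders for the public resolvers. udp/443 is only reported as "possible", since it cannot be told apart from ordinary HTTP/3 by port alone, and DoH inside tcp/443 is not identifiable this way at all, which is the thread's point about DoH being hard to block.

```python
"""Spot clients that bypass the local resolver.

Added example, not code from the IPFire forum thread or the IPFire project.
It parses conntrack-style flow lines (constructed here, format modelled on
`conntrack -L` output) and flags DNS traffic that does not go to the resolver
DHCP hands out, plus the DoT/DoQ/DoH3 ports the thread mentions.
"""
import re
from collections import Counter

# Resolver addresses handed out by DHCP on Green and Blue in the thread.
LOCAL_RESOLVERS = {"192.168.220.1", "192.168.240.1"}

# (protocol, destination port) -> what it usually carries.
# udp/443 cannot be told apart from ordinary HTTP/3 without looking into
# the QUIC stream, so it is only reported as "possible"; tcp/443 is plain
# HTTPS and DoH inside it is not identifiable by port at all.
PORT_LABELS = {
    ("udp", 53): "plain-dns",
    ("tcp", 53): "plain-dns",
    ("tcp", 853): "dot",
    ("udp", 8553): "doq",
    ("udp", 443): "possible-doh3",
}

# Matches the start of a conntrack line: proto, proto number, timeout,
# optional TCP state, then the original-direction tuple.
FLOW_RE = re.compile(
    r"^(?P<proto>udp|tcp)\s+\d+\s+\d+\s+(?:[A-Z_]+\s+)?"
    r"src=(?P<src>[\d.]+)\s+dst=(?P<dst>[\d.]+)\s+sport=\d+\s+dport=(?P<dport>\d+)"
)


def parse_flow(line):
    """Return {proto, src, dst, dport} for a conntrack line, or None if unparseable."""
    m = FLOW_RE.match(line.strip())
    if not m:
        return None
    return {"proto": m["proto"], "src": m["src"], "dst": m["dst"], "dport": int(m["dport"])}


def classify(flow):
    """Label one flow: local-dns, bypass-<kind>, possible-doh3 or not-dns."""
    label = PORT_LABELS.get((flow["proto"], flow["dport"]))
    if label is None:
        return "not-dns"
    if label == "plain-dns":
        return "local-dns" if flow["dst"] in LOCAL_RESOLVERS else "bypass-plain-dns"
    if label == "possible-doh3":
        return label
    return "bypass-" + label


def audit(lines):
    """Return (src, dst, proto, dport, verdict) for every flow worth a look."""
    findings = []
    for line in lines:
        flow = parse_flow(line)
        if flow is None:
            continue
        verdict = classify(flow)
        if verdict in ("not-dns", "local-dns"):
            continue
        findings.append((flow["src"], flow["dst"], flow["proto"], flow["dport"], verdict))
    return findings


def summarize(findings):
    """Count findings per (client, verdict) so noisy devices stand out."""
    return Counter((src, verdict) for src, _, _, _, verdict in findings)


# Constructed sample: 192.168.220.4 is the phone from the thread,
# 192.168.240.2 the Nextcloud box on Blue, 192.168.250.98 the Red address;
# 8.8.8.8 and 1.1.1.1 are from the thread, 203.0.113.x are TEST-NET-3 placeholders.
SAMPLE_FLOWS = [
    "udp      17 29 src=192.168.220.4 dst=192.168.220.1 sport=51001 dport=53 src=192.168.220.1 dst=192.168.220.4 sport=53 dport=51001 mark=0 use=1",
    "udp      17 28 src=192.168.220.4 dst=8.8.8.8 sport=51002 dport=53 src=8.8.8.8 dst=192.168.250.98 sport=53 dport=51002 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.168.220.4 dst=1.1.1.1 sport=50123 dport=853 src=1.1.1.1 dst=192.168.250.98 sport=853 dport=50123 [ASSURED] mark=0 use=1",
    "udp      17 25 src=192.168.220.7 dst=203.0.113.53 sport=40001 dport=8553 src=203.0.113.53 dst=192.168.250.98 sport=8553 dport=40001 mark=0 use=1",
    "udp      17 60 src=192.168.220.7 dst=203.0.113.80 sport=40002 dport=443 src=203.0.113.80 dst=192.168.250.98 sport=443 dport=40002 mark=0 use=1",
    "tcp      6 431999 ESTABLISHED src=192.168.220.4 dst=192.168.240.2 sport=50200 dport=443 src=192.168.240.2 dst=192.168.220.4 sport=443 dport=50200 [ASSURED] mark=0 use=1",
    "this line is not a flow and is skipped",
]

if __name__ == "__main__":
    for finding in audit(SAMPLE_FLOWS):
        print(finding)
    print(summarize(audit(SAMPLE_FLOWS)))
```

On a real box you would feed it the output of `conntrack -L` (or a capture summarised to the same fields) instead of `SAMPLE_FLOWS`; a client that shows up with `bypass-plain-dns` is the case the port-53 redirect rules from earlier in the thread catch, while `bypass-dot` and `bypass-doq` are the ones a port block handles.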
I have also tried it with a Pixel 6a phone with the same result.