As far as I understand, DOT or DOH is optional. Some users prefer to route all traffic via, for example, 1.1.1.1 without encrypting the connection via DOT or DOH.
In my case, I encrypt my traffic via TLS. The real question is, is the correct configuration page under Services>Domain Name System in the GUI? I’ve unchecked the box for “Use ISP-assigned DNS servers.” Does this mean that both DNS traffic is encrypted and all traffic is forwarded via these servers, or do I need to visit a different configuration page to route unencrypted traffic that should also be routed to, for example, 1.1.1.1?
In the most basic sense.
When a PC connects to your network, it asks for network details: “Hello, I’m here.”
IPFire answers with: “PC, your IP will be 192.168.1.45, subnet 255.255.255.0, your gateway is 192.168.1.1, and your DNS is 192.168.1.1.”
Now things get fun.
PC says thanks, but “I’m going to use DNS 8.8.8.8.”
IPFire will allow the PC to use that DNS, skipping any IPFire protection.
So forcing them to use IPFire DNS is an important step.
Next, block them from port 853, and the really hard one is DoH.
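The two steps from the post above (force plain DNS onto the firewall's resolver, then block port 853) as generic iptables rules. This is an added example, not IPFire's own GUI configuration; it assumes a LAN interface named green0, the firewall LAN address 192.168.1.1 from the thread, and a local resolver on port 53. The DoH case the post calls hard is not covered here, since DoH shares port 443 with ordinary HTTPS.

```shell
#!/bin/sh
# Added example (not IPFire's own configuration). Assumptions: LAN interface
# "green0", firewall LAN address 192.168.1.1, local resolver listening on 53.

# Print the rules. Usage: dns_force_rules <lan_if> <fw_ip>
dns_force_rules() {
    lan_if="$1"
    fw_ip="$2"
    # Plain DNS (UDP/TCP 53) sent to any other server, e.g. 8.8.8.8, is
    # redirected to the firewall's own resolver, so clients cannot bypass it.
    for proto in udp tcp; do
        echo "iptables -t nat -A PREROUTING -i $lan_if -p $proto --dport 53" \
             "! -d $fw_ip -j DNAT --to-destination $fw_ip:53"
    done
    # DNS-over-TLS (853) cannot be transparently redirected (the client would
    # see a certificate mismatch), so it is rejected outright.
    echo "iptables -A FORWARD -i $lan_if -p tcp --dport 853 -j REJECT --reject-with tcp-reset"
    echo "iptables -A FORWARD -i $lan_if -p udp --dport 853 -j REJECT"
}

# Count the redirect (DNAT) rules; a quick sanity check before applying.
dns_force_dnat_count() {
    dns_force_rules "$1" "$2" | grep -c 'DNAT'
}

# Dry run by default; "apply" executes each printed rule (must run as root).
case "${1:-print}" in
    apply) dns_force_rules green0 192.168.1.1 | sh -e ;;
    *)     dns_force_rules green0 192.168.1.1 ;;
esac
```

Rules added by hand like this are not persisted by the IPFire GUI, so treat them as a way to see what the GUI needs to express rather than as a permanent setup.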
I just used the example because I am new to this, but for now I am satisfied with IPFire. Since I have had quite a bit of experience with Linux in the past, I find that IPFire suits me the best so far.
Ideally, you would want IPFire’s DNS to be the resolver and not an external DNS, so no DNS queries should go outside the local network and no DNS leakage is possible.