Stop DNS Tunneling

Hi,

Just got informed that IPFire can be misused to allow DNS tunneling. This may already be known (https://forum.ipfire.org/viewtopic.php?f=17&t=971&p=5797), but can this be prevented somehow?

A known person just showed this to me in my home LAN with IPFire. I already locked down the LAN against DNS spoofing by redirecting each DNS request to IPFire, but obviously this does not prevent DNS tunneling.

Ok, by using this tunnel the performance is somewhat limited, but you can still send and receive information to and from the WAN. This technique is used by the messenger Signal, for example, to bypass blocking by local authorities.

So is there anything that can prevent tunneling? FWIW, the person who did it in my private LAN just used his Android smartphone.

Michael

Hey,

No, this cannot really be prevented, but you can limit the number of connections/packets to limit it and make it at least somewhat unusable.

It will still be enough for Signal, I would assume, but not enough for file sharing, etc.

We use it in the captive portal where DNS has to be open but we limit it:

https://git.ipfire.org/?p=ipfire-2.x.git;a=blob;f=src/misc-progs/captivectrl.c;h=56dd78db0542e48c2df7b880904485430b51a7a7;hb=HEAD#l145
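As an added, defender-side illustration of the reply above (this is example code, not IPFire's own and not taken from the captivectrl.c file linked here): a small Python heuristic that scores DNS query log lines for tunneling-like behaviour, so that the packet/connection limiting described in the reply can be aimed at the clients that trigger it. The log format, the sample lines and the thresholds are all assumptions constructed for this example.

```python
import math
from collections import defaultdict

# Constructed sample log in a simple "client qname" format (not a real IPFire log).
# Client .10 does ordinary lookups; client .23 sends many unique, high-entropy
# labels under one base domain, which is the shape of a DNS tunnel.
SAMPLE_LOG = """\
192.168.0.10 www.example.com
192.168.0.10 mail.example.com
192.168.0.23 2f9a8c1e4b7d6f3a0c5e9b2d8a4f7c1e.tun.example.net
192.168.0.23 9d3b7f2a6c1e8b4d0f5a3c7e9b2d6f8a.tun.example.net
192.168.0.23 4c8e2a6f1b9d3c7e5a0f8b2d6c4e9a1f.tun.example.net
192.168.0.23 7a1f5c9e3b8d2f6a4c0e8b3d7f1a5c9e.tun.example.net
192.168.0.23 1e6b0d4f8a2c7e3b9f5d1a6c0e4b8d2f.tun.example.net
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty or uniform string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse(log: str):
    """Yield (client, qname) pairs from the constructed log text."""
    for line in log.splitlines():
        parts = line.split()
        if len(parts) == 2:
            yield parts[0], parts[1].lower().rstrip(".")

def score_clients(log: str, min_queries=5, min_unique_ratio=0.8, min_entropy=3.0):
    """Return {client: {base_domain, ...}} for clients whose queries look like a tunnel.

    A (client, base domain) pair is flagged when it has at least min_queries
    queries, nearly all subdomains are unique (no caching benefit, as with
    encoded data) and the average subdomain entropy is high (encoded payload).
    The base domain is approximated as the last two labels; a real deployment
    would use a public-suffix list instead."""
    per = defaultdict(lambda: defaultdict(list))  # client -> base -> [subdomain]
    for client, qname in parse(log):
        labels = qname.split(".")
        per[client][".".join(labels[-2:])].append(".".join(labels[:-2]))
    flagged = defaultdict(set)
    for client, bases in per.items():
        for base, subs in bases.items():
            if len(subs) < min_queries:
                continue
            unique_ratio = len(set(subs)) / len(subs)
            avg_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
            if unique_ratio >= min_unique_ratio and avg_entropy >= min_entropy:
                flagged[client].add(base)
    return dict(flagged)
```

The output is a list of (client, base domain) pairs worth throttling or alerting on; on a real resolver log the thresholds need tuning, since CDNs and some anti-virus products also issue many unique subdomains.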
