When you are on the DNS server page and have the error message for the servers, just place your mouse pointer over the error message and wait a few seconds; you will get a pop-up window with a message about what triggered the error. Let us know what that message says and whether it is the same for all the DNS servers.
You can also go to the System Logs in the WUI and select DNS: Unbound.
Hi @peppetech! I'm only scratching the surface of the subject for the moment and still in a preliminary phase, but I'm wondering why you'd want to block DoH. Any concerns/considerations here?
For the moment I'm willing to make all my DNS go through DoH, so first of all what I'm trying here is, besides forwarding DNS to the desired URL, also in the unbound directory (I have to go and have a look, but later I'll give you the right one) the nameserver and 127.0.0.1 should be deleted and the DoH URL added to the DNS. Also the DHCP DNS (in the web GUI tab) should be blank. But this is the reverse of what you are asking in the post; should any warnings or considerations arise from your point of view!? I suppose VPNs and proxies are meant to bypass firewall rules and encrypt traffic, thus allowing a "secure" (out of the firewall's eyes) connection.
Edit: are you saying that if we encrypt DNS (DoH) the firewall won't see DNS requests?
Edit 2: Blowing my mind here: should a home-made VPN server switch between IPFire and the gateway be more effective?! Or is the outgoing firewall to the firewall itself already filtering non-VPN connections, thus allowing only outgoing VPN connections through the firewall?
Many thanks @bonnietwin. Just to make sure, I checked the issue and this is the most important thing to consider at the moment. It also gives a deeper understanding to members and users:
Choosing between a DNS resolver server and using DNS over HTTPS (DoH) depends on your specific requirements and the security considerations you prioritize. Let’s explore both options:
DNS Resolver Server:
Pros: When using a DNS resolver server, you have control over the DNS resolution process within your network. You can implement security measures like DNS filtering, DNSSEC validation, and local caching to enhance security and performance.
Cons: DNS traffic may not be encrypted, potentially allowing eavesdropping or tampering by malicious actors. DNS resolver servers are subject to potential vulnerabilities and require proper maintenance and security configurations.
DNS over HTTPS (DoH):
Pros: DoH provides encryption for DNS traffic, making it more resistant to eavesdropping and tampering. It can help bypass certain types of network-based filtering or monitoring, enhancing privacy and security. DoH can be used regardless of the DNS resolver you choose, allowing you to leverage the benefits of external DNS services.
Cons: DoH relies on third-party DNS resolvers, which means you may lose some control over DNS resolution and rely on the security practices of the chosen resolver. It may introduce additional complexity to network configurations and require careful implementation and monitoring.
In terms of security, both options have their own considerations. A DNS resolver server gives you more control and customization options, but it requires proper security configurations and maintenance. DoH enhances privacy and encrypts DNS traffic, but it introduces reliance on third-party resolvers and potentially bypasses certain network-level security measures.
Ultimately, the choice between a DNS resolver server and using DoH depends on your specific security requirements, infrastructure, and the trade-offs you are willing to make. It’s recommended to carefully assess your needs, evaluate the security implications, and consider factors like privacy, control, and the ability to maintain and monitor the chosen solution.
Port 53 has been the most used for years, so it might be a consideration to change it to 443 with DoH, also remembering that DNSSEC and TLS are implemented in the unbound config file.
We have to play along with one of these so …
A DNS resolver server allows encryption (by TLS). In IPFire, DNSSEC is mandatory.
The security configuration and maintenance are necessary in both solutions. With DoH you leave this to third-party DNS resolvers, without any possibility of checking the configuration there.
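As an added illustration of that point (this is not IPFire's generated configuration; the certificate bundle and trust-anchor paths and the upstream resolver are assumptions to replace with your own), here is what the unencrypted forwarding and the TLS-encrypted (DoT) forwarding look like side by side in a stock unbound.conf. Use one forward-zone for "." or the other, not both:

```conf
# Weak: plain DNS to the upstream on port 53, readable and alterable by
# anyone on the path between the resolver and the upstream.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9

# Encrypted: the same upstream over TLS on port 853 (DoT). The "#name"
# suffix makes Unbound verify the upstream's certificate against that name,
# using the CA bundle given in tls-cert-bundle (path is distro-specific).
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
    # DNSSEC validation stays local: the resolver validates the answers the
    # upstream forwards, so the upstream cannot silently tamper with them.
    auto-trust-anchor-file: "/var/lib/unbound/root.key"
    val-permissive-mode: no
    harden-dnssec-stripped: yes
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

The upstream shown is only an example of the `IP@port#authname` syntax; the point is that the encryption (TLS to port 853) and the validation (DNSSEC, failing closed) are configured on your own resolver, where you can read and audit them, which is the control you give up when every client talks DoH to a third party directly.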
At one point I was using DNSCrypt, which, from my limited understanding, runs a random DoH server, so to speak.
And every device is now sharing its DNS information, which is not great.
DoH is a mess for administrators to filter so it will never be the corporate solution.
DoT is on a designated port and is more easily managed. Easy DNS redirect, and only the router is requesting DNS, not every device.
Other options like DoH do not make you more secure or anonymous.
There is a lack of options to control and fine-tune DNS requests by devices in the DoH I chose. This situation hampers the ability to optimize and de-stress the IPFire system as well. Additionally, the focus should be on enhancing privacy while maintaining security measures, rather than pursuing anonymity. It is essential to improve overall policies to ensure secure browsing experiences. In the past, this device may have been viewed as merely a gaming machine or a tool for occasional use, but we failed to recognize the importance of establishing black boxes and super-secure infrastructures to protect our sensitive information. It's worth mentioning that I am currently not using any web proxies or DNS resolver servers. However, I might consider implementing them for time requests and essential functions like NTP or port 53 DDNS requests.
PS Please disregard any kind of advertisement, as that is not the intention.
I have the instinct to thank you for the help. I still haven't got to the hardening wiki part! But yes, a consistent, valid and valuable argument. Better late than never. Perfect. Rowing towards the same goal. OK, a reason to enable web proxies and caching DNS.
@peppetech, I would like to ask if ToH or QoH is also encrypted, allowing it to bypass the Intrusion Prevention System too?
I think you are asking if DoT and DoH are able to bypass the IPS.
DoT and DoH definitely bypass the IPS, but with DoT you have an idea of what type of traffic you are observing: DNS queries only.
You know for sure that the DoT traffic is DNS queries; you could block these with your own malware blocker, or even something like dnsmasq or Pi-hole (DNS blocker), and then forward the legitimate DNS queries to Unbound/IPFire and the Intrusion Prevention System.
With DoH, you have no idea what the traffic is, not even whether it is DoH or just legitimate web traffic. So right now all you can do is block all traffic to DoH servers. Obviously not an easy task.
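The asymmetry in that reply (DoT is recognisable by its port, DoH only by its destination) is easy to see on log data. The following is an added example, not code from IPFire or Unbound: it takes a constructed resolver log and a constructed firewall connection log (both line formats are assumptions, not the real IPFire or Unbound layouts), labels every outbound flow, and emits the Unbound `local-zone ... always_nxdomain` lines that refuse to resolve the DoH hostnames. The hostname list is illustrative, not exhaustive. It also reproduces the blind spot the post names: a client with a hard-coded DoH address never asks your resolver, so its 443/tcp flow looks like any other HTTPS.

```python
"""Sort outbound connections into DoT, likely-DoH and ordinary HTTPS.

Added example for this thread, not IPFire or Unbound code. Every log line
is constructed; the two formats (resolver log: "client qname answer_ip",
firewall log: "src dst dport proto") are assumptions, not real log layouts.
"""
from __future__ import annotations

from collections import defaultdict
from typing import Dict, List, Set, Tuple

# Illustrative DoH endpoint hostnames (assumption: a starting point only;
# extend it for your own environment).
DOH_HOSTNAMES: Set[str] = {"dns.google", "cloudflare-dns.com", "dns.quad9.net"}

# Constructed resolver log using TEST-NET addresses (assumed format).
RESOLVER_LOG = """\
192.168.1.20 dns.google 203.0.113.8
192.168.1.20 example.com 198.51.100.34
192.168.1.30 cloudflare-dns.com 203.0.113.16
192.168.1.31 www.example.org 198.51.100.34
"""

# Constructed firewall connection log (assumed format).
FIREWALL_LOG = """\
192.168.1.20 203.0.113.8 443 tcp
192.168.1.20 198.51.100.34 443 tcp
192.168.1.30 203.0.113.16 443 tcp
192.168.1.31 198.51.100.9 853 tcp
192.168.1.31 198.51.100.34 443 tcp
192.168.1.40 203.0.113.1 443 tcp
192.168.1.40 198.51.100.1 53 udp
"""


def parse_resolver_log(text: str) -> Dict[str, Set[str]]:
    """Map each queried name to the set of addresses it resolved to."""
    resolved: Dict[str, Set[str]] = defaultdict(set)
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines instead of crashing on them
        _client, qname, answer = parts
        resolved[qname.rstrip(".").lower()].add(answer)
    return dict(resolved)


def doh_endpoint_ips(resolved: Dict[str, Set[str]], doh_names: Set[str]) -> Set[str]:
    """Addresses that our own resolver handed out for known DoH hostnames."""
    ips: Set[str] = set()
    for name in doh_names:
        ips |= resolved.get(name.lower(), set())
    return ips


def classify_connection(dst: str, dport: int, proto: str, doh_ips: Set[str]) -> str:
    """Label one outbound flow.

    DoT has a dedicated port (853/tcp), so the port alone identifies it.
    DoH rides 443/tcp like any other HTTPS and can only be inferred from
    the destination address.
    """
    if proto == "tcp" and dport == 853:
        return "dot"
    if dport == 53:
        return "plain-dns"
    if proto == "tcp" and dport == 443:
        return "doh-likely" if dst in doh_ips else "https"
    return "other"


def classify_log(text: str, doh_ips: Set[str]) -> List[Tuple[str, str, str]]:
    """(src, dst, label) for every well-formed firewall log line."""
    out: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        src, dst, dport, proto = parts
        out.append((src, dst, classify_connection(dst, int(dport), proto, doh_ips)))
    return out


def unbound_block_zones(doh_names: Set[str]) -> str:
    """Unbound local-zone lines answering NXDOMAIN for DoH hostnames, so a
    client that still asks our resolver cannot locate the DoH endpoint."""
    return "".join(
        f'local-zone: "{name.rstrip(".")}." always_nxdomain\n'
        for name in sorted(doh_names)
    )


if __name__ == "__main__":
    known = doh_endpoint_ips(parse_resolver_log(RESOLVER_LOG), DOH_HOSTNAMES)
    for src, dst, label in classify_log(FIREWALL_LOG, known):
        print(f"{src:<14} -> {dst:<16} {label}")
    # 192.168.1.40 -> 203.0.113.1:443 comes out as "https": that client never
    # asked our resolver for the DoH hostname, which is the blind spot above.
    print(unbound_block_zones(DOH_HOSTNAMES), end="")
```

The hostname-derived address set only covers clients that still use your resolver for their first lookup; a device shipping with the DoH endpoint's address built in needs a static IP blocklist on top, which is why the post above calls blocking DoH servers a hard task.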