Unbound in IPFire

I think I am a little confused how Unbound works in IPFire 2.27 (x86_64) - Core-Update 171

I think I incorrectly assumed that it only queries authoritative ROOT nameservers and recursively caches domains

The reason I am asking is because I want to block DoH servers.
Unfortunately, pretty much every DoH server has the same IP as the respective DNS DoT server.

I started blocking DoH servers with the new IPBlocklist

When I checked the Network WUI “Domain Name System” page and “Check DNS servers”, I got 8 errors. I have 8 different DNS servers configured.

I’m wondering why Unbound in IPFire needs to query other DNS servers like Cloudflare, Google etc.?

On the other hand, that means @timf's IPBlocklist works just the way it is supposed to: :+1:

Please post a screenshot.

When you are in the dns server page and have the error message for the servers just place your mouse pointer over the error message and wait for a few seconds and you will get a pop up window with a message about what has triggered the error. Let us know what that message says and if it is the same for all the dns servers.

You can also go to the System Logs in the WUI and select DNS: Unbound.

2 Likes

Lol, no way I’m going to go back to block public DNS just to take a screenshot. :slight_smile:

If you really want to see, it looked something like this:
image

Mouse over the error says "Timeout:".
System logs don’t say anything, besides something obviously desperately trying to connect:

SERVFAIL exceeded the maximum number of sends

Sounds like DNS is blocked before your IPFire or your IPFire has no internet connectivity at all.

2 Likes

Yes DNS is blocked. That was my original question. I thought Unbound is able to query authoritative ROOT nameservers and recursively cache domains.

I guess I was wrong. Only listed DNS servers are available to query.

Is anyone blocking DoH servers successfully?

I originally wanted to block these using the IPfire IP blocklist. Unfortunately that didn’t work well.

I discovered another possible way using Unbound:

This is a list of DoH servers, also VPN, Proxy etc…

Title: HaGeZi’s Enyrypted DNS/VPN/TOR/Proxy Bypass DNS Blocklist
Description: Prevent methods to bypass your DNS, blocks encrypted DNS, VPN, TOR, Proxies.
Note: To ensure the bootstrap is your DNS server: Redirect standard DNS outbound (UDP 53) to an internal server. Block all DoT (TCP 853) outbound.
Homepage: GitHub - hagezi/dns-blocklists: DNS-Blocklists: For a better internet - keep the internet clean!
Issues: Issues · hagezi/dns-blocklists · GitHub
Expires: 7 days

Unfortunately, I see there are some DNS servers on the list that are on the IPFire recommended list in the wiki, so it might require a whitelist.

Just wanted to know anyone’s thoughts.

1 Like
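The approach raised in the post above (a domain blocklist loaded into Unbound, with a whitelist for resolvers you still forward to) can be sketched as follows. This is an added example, not part of the original thread and not IPFire or HaGeZi code; the accepted line formats, the sample list and all domain names are constructed assumptions.

```python
import re

# Assumption: entries are plain names, hosts-style ("0.0.0.0 name")
# or adblock-style ("||name^"); "#" and "!" start comments.
_NAME = re.compile(r"^(?:[a-z0-9_-]{1,63}\.)+[a-z]{2,63}$")

def parse_entry(line):
    """Return the domain on one blocklist line, or None for comments/junk."""
    line = line.split("#", 1)[0].strip().lower()
    if not line or line.startswith("!"):
        return None
    if line.startswith("||"):
        line = line[2:].split("^", 1)[0]
    else:
        line = line.split()[-1]
    line = line.rstrip(".")
    return line if _NAME.match(line) else None

def covers(zone, name):
    """True if a local-zone for `zone` would also answer for `name`."""
    return name == zone or name.endswith("." + zone)

def build_local_zones(blocklist_text, allowlist):
    """Return (unbound config text, entries skipped to protect the allowlist)."""
    allow = {a.lower().rstrip(".") for a in allowlist}
    zones, skipped = set(), set()
    for raw in blocklist_text.splitlines():
        domain = parse_entry(raw)
        if domain is None:
            continue
        # A local-zone also covers subdomains, so an entry that equals or is
        # a parent of an allowlisted resolver name must not be emitted.
        if any(covers(domain, a) for a in allow):
            skipped.add(domain)
        else:
            zones.add(domain)
    body = [f'    local-zone: "{z}." always_nxdomain' for z in sorted(zones)]
    return "\n".join(["server:"] + body) + "\n", sorted(skipped)

# Constructed sample input, not the real list.
SAMPLE = """\
# Title: constructed sample
doh.example.net
0.0.0.0 dns.resolver-a.example
||doh.vpn-b.example^
resolver-c.example
not a domain line!!
"""
ALLOW = ["dot.resolver-c.example"]  # hypothetical upstream DoT resolver

if __name__ == "__main__":
    conf, skipped = build_local_zones(SAMPLE, ALLOW)
    print(conf, "skipped:", skipped)
```

The generated text is meant to be included from Unbound's configuration and checked with `unbound-checkconf` before reloading; review the skipped list, since those entries stay resolvable.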

Hi @peppetech ! I’m scratching the subject for the moment, and still in a preliminary phase but wondering why you’d want to block DoH? Any concerns/considerations here?
As for the moment I’m willing to make all my DNS’s go through DoH so first of all what I’m trying here is besides DNS forward to the desired url as well in unbound directory (have to go have a look but later I’ll give you the right one) nameserver and 127.0.01 should be deleted and add the DoH url to the DNS. Also DHCP DNS (in the webgui tab) should be blank. But this is the reverse way of what you are asking in the post, should any warning considerations arise from your point of view!? Suppose VPNs and proxies are meant to bypass firewall rules and encrypt traffic thus allowing a “secure” (out of the firewall eyes) connection.
Regards
G70P

Edit: are you saying if we encrypt DNS (DoH) the firewall won't see DNS requests? :worried:
Edit2: Blowing my mind here - should a home made VPN server switch between ipfire and gateway be more effective?! Or outgoing firewall to firewall itself is already filtering non VPN connections thus allowing outgoing firewall VPN connections only?

Correct. DNS over HTTPS cannot be differentiated from any other HTTPS traffic. It is all encrypted and the contents cannot be seen without decrypting it.

6 Likes

Many thanks @bonnietwin, just to make sure I checked the issue and this is the most important at the moment to consider. As well as to give a deep understanding to members and users:
Choosing between a DNS resolver server and using DNS over HTTPS (DoH) depends on your specific requirements and the security considerations you prioritize. Let’s explore both options:

  1. DNS Resolver Server:
  • Pros: When using a DNS resolver server, you have control over the DNS resolution process within your network. You can implement security measures like DNS filtering, DNSSEC validation, and local caching to enhance security and performance.
  • Cons: DNS traffic may not be encrypted, potentially allowing eavesdropping or tampering by malicious actors. DNS resolver servers are subject to potential vulnerabilities and require proper maintenance and security configurations.
  2. DNS over HTTPS (DoH):
  • Pros: DoH provides encryption for DNS traffic, making it more resistant to eavesdropping and tampering. It can help bypass certain types of network-based filtering or monitoring, enhancing privacy and security. DoH can be used regardless of the DNS resolver you choose, allowing you to leverage the benefits of external DNS services.
  • Cons: DoH relies on third-party DNS resolvers, which means you may lose some control over DNS resolution and rely on the security practices of the chosen resolver. It may introduce additional complexity to network configurations and require careful implementation and monitoring.

In terms of security, both options have their own considerations. A DNS resolver server gives you more control and customization options, but it requires proper security configurations and maintenance. DoH enhances privacy and encrypts DNS traffic, but it introduces reliance on third-party resolvers and potentially bypasses certain network-level security measures.

Ultimately, the choice between a DNS resolver server and using DoH depends on your specific security requirements, infrastructure, and the trade-offs you are willing to make. It’s recommended to carefully assess your needs, evaluate the security implications, and consider factors like privacy, control, and the ability to maintain and monitor the chosen solution.

Port 53 has been the most used for years so it might be a consideration to change it to 443 with DoH, also remembering DNSSEC and TLS are implemented in unboundconfig.file.
We have to play along with one of these so …
Regards
G70P

A DNS resolver server allows encryption (by TLS). In IPFire DNSSEC is mandatory.
The security configuration and maintenance is necessary in both solutions. With DoH you leave this to third-party DNS resolvers, without the possibility to check the configuration there.

3 Likes

At one point I was using DNS crypt.
Which from my limited understanding runs a random DoH server so to speak.
And every device is now sharing its DNS information, not great.
DoH is a mess for administrators to filter so it will never be the corporate solution.
DoT is on a designated port and is more easily managed. Easy DNS redirect and only the router is requesting DNS, not every device.
Other options like DoH do not make you more secure or anonymous.

2 Likes


There is a lack of options to control and fine-tune DNS requests by devices in the DoH I chose. This situation hampers the ability to optimize and distress the ipfire system as well. Additionally, the focus should be on enhancing privacy while maintaining security measures, rather than pursuing anonymity. It is essential to improve overall policies to ensure secure browsing experiences. In the past, this device may have been viewed as merely a gaming machine or a tool for occasional use, but we failed to recognize the importance of establishing blackboxes and super-secure infrastructures to protect our sensitive information. It’s worth mentioning that I am currently not using any web proxies or DNS resolver servers. However, I might consider implementing them for time requests and essential functions like NTP or 53 DDNS requests.
G70P

PS Please disregard any kind of advertisement, as that is not the intention.

Hello G7.

I am probably too late to answer your question but in case you are still interested to know: I want to block DoH to protect the network against DNS hijacking.

DoH could be easily used to circumvent your DNS security and block known and listed malware command and control servers.

@bonnietwin is right, DoH is impossible to distinguish from other traffic when most of it goes over HTTPS.

So my idea was to at least block the most popular DoH servers, because they are the ones being documented in almost all reports.

Chinese hackers use DNS-over-HTTPS for Linux malware communication

Originally I thought the IP blocklist would be the way to do it.

Another idea is to block them using an internal DNS server.

2 Likes

I have the instinct to thank you for the help. Still haven’t got to the hardening wiki part! But yes a consistent, valid and valuable argue. Better latte then never. Perfect. Rowing to the same goal. Ok a reason to enable web proxies and caching DNS’s. @peppetech
Would like to ask if ToH or QoH is also encrypted, allowing bypass of the Intrusion prevention system too?

I think you are asking if DoT and DoH are able to bypass IPS.

DoT and DoH definitely bypass IPS, but with DoT you have an idea what type of traffic you are observing - DNS queries only.

You know for sure that the DoT traffic is DNS queries, you could block these with your own malware blocker, or even something like DNSmasq or pi-hole (DNS blocker) and then forward the legitimate DNS queries to Unbound/IPFire and Intrusion prevention.

With DoH, you have no idea what traffic it is, not even if it is DoH or just legitimate web traffic. So right now all you can do is block all traffic to DoH servers. Obviously not an easy task.

3 Likes