'Force Clients To Use Router DNS Servers' breaks when using a local DNS server #794
Comments
Just for my understanding, you’re saying that in the case where a local DNS server is used (not on the router, and not somewhere on the WAN side):
Is that the gist?
Exactly.
Should the rule still be This would make the rule much simpler.
Yes, well spotted.
To be clear, you mean the rules should read:
Yes, however in the case of multiple servers, we can comma-separate them under the source field. If we don’t do this, we need to do packet marking. I think this rule can be applied at all times, as the source should never be outside the LAN subnet in that table/chain. So this probably simplifies the shell logic also. If you’re in a position to test this, that would be good.
I’m running the REDIRECT version with just my lone internal DNS right now and it’s working. I’ll test adding external DNS servers with an internal DNS server, and just external DNS servers, tonight. Thanks for the help.
Thanks, please let me know the outcomes of the additional tests.
So I ran into a problem in my other tests:
I tried adding a new chain just to test:
This worked in all configurations, but I haven't tested extensively. Is this reasonable?
No, not quite.
Ah, of course. I didn’t realize how dependent I am on my boolean ANDs and ORs.

On Thu, Feb 28, 2019 at 10:20 PM Michael ***@***.***> wrote:
> No, not quite.
> Packets from the second DNS server will fail the first set of rules.
I need to ACCEPT all my port 53 traffic from my DNS servers, and then add a rule to REDIRECT the rest of the port 53 traffic. How’s that?
I probably need to flip that order or change to append, but that’s the gist.
Potentially bad, as this causes the packets to finish the chain early.
Ok, I’ll look at that tomorrow. Thanks for the continued feedback.
IPSets are a potential solution to this problem, however the ipset kmod is not currently required on all targets (it is a dependency of Tor, which is not installed by default on all targets).
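A rule generator for the scheme worked out in the comments above (LAN-side DNS servers collected into one comma-separated -s match and exempted with RETURN inside a dedicated chain, REDIRECT for every other port 53 packet), as an added example that is not Gargoyle's firewall script or code posted by anyone in this thread. The LAN subnet 192.168.1.0/24, the interface br-lan, the chain name force_dns and the sample server addresses are assumptions; the script prints the iptables commands rather than executing them, so it can be checked unprivileged and then piped into a root shell.

```sh
#!/bin/sh
# Added example for the #794 discussion; not Gargoyle's own firewall script.
# Prints (does not apply) the iptables rules that force LAN clients to the
# router's resolver while exempting DNS servers that live on the LAN, so
# their own upstream queries are not redirected back to the router (the loop
# the issue describes). Usage: sh force_dns.sh 192.168.1.5 8.8.8.8 | sh
#
# Assumptions (hypothetical, adjust to the target): LAN subnet, LAN interface
# and chain name below. Shell arithmetic is assumed to be 64-bit, as it is in
# bash, dash and busybox ash.
LAN_SUBNET="${LAN_SUBNET:-192.168.1.0/24}"
LAN_IF="${LAN_IF:-br-lan}"
CHAIN="${CHAIN:-force_dns}"

# ip2int A.B.C.D: print the IPv4 address as an unsigned 32-bit integer.
ip2int() {
    oldifs=$IFS
    IFS=.
    set -- $1
    IFS=$oldifs
    echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

# in_subnet IP NET/BITS: succeed when IP is an IPv4 address inside the block.
# Anything that is not dotted-quad (hostname, IPv6) is treated as outside.
in_subnet() {
    case $1 in *[!0-9.]*|'') return 1 ;; esac
    ip=$(ip2int "$1")
    net=$(ip2int "${2%/*}")
    bits=${2#*/}
    mask=$(( (4294967295 << (32 - bits)) & 4294967295 ))
    [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# dns_rules SERVER...: print the rule set for the configured DNS servers.
# Servers inside LAN_SUBNET go into one comma-separated -s match, which
# iptables expands into one rule per address. Those packets hit RETURN, which
# only leaves this user chain and lets the rest of nat PREROUTING run; ACCEPT
# would end nat processing for the packet and skip any later rules there.
dns_rules() {
    local_servers=""
    for s in "$@"; do
        if in_subnet "$s" "$LAN_SUBNET"; then
            local_servers="${local_servers:+$local_servers,}$s"
        fi
    done
    echo "iptables -t nat -N $CHAIN"
    echo "iptables -t nat -A PREROUTING -i $LAN_IF -j $CHAIN"
    for proto in udp tcp; do
        if [ -n "$local_servers" ]; then
            echo "iptables -t nat -A $CHAIN -s $local_servers -p $proto --dport 53 -j RETURN"
        fi
        # Everything else on port 53 from the LAN goes to the router's resolver.
        echo "iptables -t nat -A $CHAIN -p $proto --dport 53 -j REDIRECT --to-ports 53"
    done
}

if [ $# -gt 0 ]; then
    dns_rules "$@"
fi
```

With only WAN-side servers configured no RETURN rule is emitted, so the output collapses to the plain REDIRECT pair. With several LAN-side servers the -s list grows to a,b,c; on targets where the ipset module is present, a hash:ip set matched with -m set --match-set would replace that list without regenerating rules when a server is added.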
When using 'Force Clients To Use Router DNS Servers' configured with a local DNS server, DNS requests get trapped in a loop per these firewall rules. Is there any appetite to change these rules to something more akin to:
Or would adding logic to the shell script to only apply the above rules for local DNS servers and use the REDIRECT rules by default be more appropriate?