  1. #1
    Untanglit
    Join Date
    Aug 2016
    Posts
    28

    Force / Redirect all DNS queries to Untangle

    Good Evening,

    I am working through the final configuration of my home FW and want to enable, or rather force/redirect, ALL DNS queries to the Untangle FW. The reason is that I have several IoT devices, along with middle and high school supplied devices, on which I cannot change the DNS entries, and I want to ensure they aren't going to any rogue servers per se. I have already blocked their ability to hit any other country but the US. DNS is the last piece of the puzzle.

    Here is what I have so far. I believe it "should" work, but I am looking for your expert say so on what else needs to be configured, etc.

    Port Forward:
    [Attachment: port-forward_DNS.JPG]

    I would also like to be able to see that it is in fact working. In looking at the reports for port forwarded traffic, I don't see the laptop I am on currently that has DNS manually configured for 1.1.1.1 being redirected to 192.168.2.1.

    If I may ask, please upload screenshots, as it makes life much easier. I am still trying to grasp the rule functions. It is so different from the PaloAlto and Checkpoint firewalls that I had previously.

    Thanks again,

    -MW
    Last edited by mfwade; 08-30-2020 at 07:49 PM.

  2. #2
    Untangle Ninja jcoehoorn
    Join Date
    Mar 2010
    Location
    York, NE
    Posts
    1,828


    The DNS service in Untangle supports static entries. You can run a test to prove for yourself whether it's working by overriding the DNS A record normally returned for one domain with a static entry using the IP of another. For example, my system currently reports untangle.com as having IP 104.20.3.248, and watchguard.com as having IP 54.212.248.139. You can create a static entry for watchguard.com to instead return untangle's 104.20.3.248 number.

    Now clear your laptop's DNS cache and try to visit watchguard.com from your laptop (even just a ping would be enough). Make sure you're not using a browser with DNS over HTTPS turned on (Firefox does this by default now). What happens? After the test, remove the wrong A record.

    So what about DNS over HTTPS? Well, at the moment there's not much you can do about it. Cloudflare's DoH service runs on the same IP as their regular DNS service. I guess you could block port 443 traffic to all known DoH providers, but you can't automatically forward that traffic elsewhere in a way that will work (anyone who is set up to use DoH will just be broken, and again, it's the default now in some situations), and eventually some of them will also have important meaningful services running alongside the DoH, making outright blocks untenable.
    Last edited by jcoehoorn; 08-30-2020 at 08:45 PM.
    Five time Microsoft ASP.Net MVP managing a Lenovo RD330 / E5-2420 / 16GB with Untangle 16.2 to protect 500Mbits for ~450 residential college students and associated staff and faculty
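    The static-entry test described in the reply above can be scripted so the result does not depend on a browser or OS resolver cache. The following is an added example written for this thread, not code from the forum or from Untangle: a minimal RFC 1035 UDP client that sends an A-record query straight to an outside resolver (1.1.1.1, as in the original question) and reports whether the answer contains the IP from the static entry. If the port forward is intercepting port 53, the reply comes from Untangle and carries the overridden address; if it is not, the real record comes back. The function names (`build_query`, `parse_a_records`, `check_redirect`, `build_response`) are this example's own, and `build_response` only constructs an offline reply for testing the parser. The IPs are the ones quoted in the reply.

```python
import socket
import struct

# Hypothetical helper names for this example (build_query, parse_a_records,
# check_redirect, build_response); a minimal RFC 1035 client, not Untangle code.


def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Build a standard recursive A-record query for `name`."""
    # Header: ID, flags (only RD set), QDCOUNT=1, ANCOUNT/NSCOUNT/ARCOUNT=0
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) domain name; return (name, offset after it)."""
    labels = []
    end = None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, but record where we stop
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if end is None:
                end = offset + 2
            offset = pointer
            continue
        if length == 0:
            if end is None:
                end = offset + 1
            break
        labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
        offset += 1 + length
    return ".".join(labels), end


def parse_a_records(msg: bytes) -> list:
    """Return the IPv4 addresses found in the answer section of a DNS response."""
    _txid, _flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    offset = 12
    for _ in range(qdcount):
        _, offset = _read_name(msg, offset)
        offset += 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(ancount):
        _, offset = _read_name(msg, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
        offset += 10
        rdata = msg[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            addrs.append(socket.inet_ntoa(rdata))
    return addrs


def build_response(query: bytes, ip: str, ttl: int = 60) -> bytes:
    """Construct a reply to `query` with one A record (offline test fixture, not real DNS)."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, 1, 0, 0)  # QR, RD, RA set; 1 answer
    question = query[12:]
    # 0xC00C is a pointer back to the name at offset 12 (the question section)
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, ttl, 4) + socket.inet_aton(ip)
    return header + question + answer


def check_redirect(name: str, expected_ip: str, resolver: str = "1.1.1.1",
                   timeout: float = 2.0) -> bool:
    """Query `resolver` for `name`; True if the answer carries the static-entry IP."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (resolver, 53))
        reply, _ = sock.recvfrom(512)
    return expected_ip in parse_a_records(reply)


if __name__ == "__main__":
    # With a static entry mapping watchguard.com to untangle.com's 104.20.3.248
    # (the values quoted in the reply), a query aimed at 1.1.1.1 should still
    # return that IP if the port forward is intercepting outbound port 53.
    print(check_redirect("watchguard.com", "104.20.3.248"))
```

Run it from the laptop that has 1.1.1.1 set manually: `True` means the query never reached Cloudflare, `False` means it did (or the static entry is missing). Because the script talks raw UDP on port 53, it bypasses any browser DoH setting, which is the caveat the reply raises; it also means a `True` here says nothing about DoH traffic on port 443.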

  3. #3
    Untangle Ninja Jim.Alles
    Join Date
    Jul 2008
    Location
    Central PA
    Posts
    2,606


    So many threads, so little time.
    https://forums.untangle.com/tunnel-vpn/39194-dns-leaking.html
    https://forums.untangle.com/off-topic/43131-dns-hijacking.html
    https://forums.untangle.com/networking/43034-using-port-forwarding-capture-rogue-dns-lookups-2.html

    There is an advanced option to log bypassed sessions, but I have also heard that this port forwarding may not be supported. YMMV.
    [Attachment: log blocked.png]
