Two observations:
1) there are some PC viruses that change the DNS server addresses on the PC
so that they can intercept a lookup and return their own reply. So, when you
go to www.my-bank.com you actually are pointed to a malicious server.
In my rules, I redirect all DNS queries to my own server that is running on the firewall:
?SECTION NEW
# =============================================================================
# ========================== Local Restrictions ===============================
# =============================================================================
?COMMENT domain
REDIRECT lan domain tcp,udp domain # use this server for DNS
REDIRECT dmz domain tcp,udp domain # use this server for DNS
This way I can ensure no query is hijacked. I implemented these rules when we found a PC that was getting its lease info (address, gateway, DNS servers, etc.) from our own DHCP, but was using two unknown DNS servers.
2) With multiple ISPs, it is best to do the DNS lookup thru the same provider that the actual traffic will go through. Many content delivery networks (CDN) will have multiple servers and the DNS query response will return an answer with the least hops.
I know predicting the actual ISP for traffic may be a difficult task, but your efforts here would be better than random.
HTH,
Bill
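As an added example (not from Bill's message and not Shorewall's own code), here is a small Python check for the situation described in the first observation: it parses iptables-style LOG lines for port-53 traffic and reports LAN hosts that talk to resolvers other than the one the firewall's DHCP hands out. The log lines, the DNSLOG prefix and the resolver address below are constructed, not real captures.

```python
import re
from collections import defaultdict

# Constructed: the resolver handed out by the firewall's own DHCP server.
SANCTIONED_RESOLVERS = {"192.168.1.1"}

# Constructed sample of iptables LOG output for LAN traffic (not a real capture).
SAMPLE_LOG = """\
Sep 29 16:54:01 fw kernel: DNSLOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=UDP SPT=51234 DPT=53
Sep 29 16:54:02 fw kernel: DNSLOG IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=203.0.113.5 PROTO=UDP SPT=40011 DPT=53
Sep 29 16:54:02 fw kernel: DNSLOG IN=eth1 OUT=eth0 SRC=192.168.1.37 DST=198.51.100.9 PROTO=TCP SPT=40012 DPT=53
Sep 29 16:54:03 fw kernel: DNSLOG IN=eth1 OUT=eth0 SRC=192.168.1.20 DST=192.168.1.1 PROTO=TCP SPT=51235 DPT=53
Sep 29 16:54:04 fw kernel: DNSLOG IN=eth1 OUT=eth0 SRC=192.168.1.44 DST=192.168.1.55 PROTO=TCP SPT=52000 DPT=443
"""

# Real iptables LOG lines carry LEN/TOS/TTL fields between DST and PROTO, so the
# pattern skips anything between the fields it needs.
LOG_RE = re.compile(
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+).*?PROTO=(?P<proto>\S+).*?DPT=(?P<dpt>\d+)"
)


def parse_dns_flows(log_text):
    """Yield (src, dst, proto) for every logged TCP/UDP flow to port 53."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("dpt") == "53" and m.group("proto") in ("UDP", "TCP"):
            yield m.group("src"), m.group("dst"), m.group("proto")


def find_rogue_resolvers(log_text, sanctioned=SANCTIONED_RESOLVERS):
    """Map each LAN host to the set of non-sanctioned resolvers it queried."""
    rogue = defaultdict(set)
    for src, dst, _proto in parse_dns_flows(log_text):
        if dst not in sanctioned:
            rogue[src].add(dst)
    return dict(rogue)


if __name__ == "__main__":
    for host, servers in sorted(find_rogue_resolvers(SAMPLE_LOG).items()):
        print(f"{host} queried unknown DNS servers: {', '.join(sorted(servers))}")
```

Once the REDIRECT rules above are in place, such hosts will still be served by the firewall's resolver; this check is how you notice them in the first place.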
On 9/29/2017 4:54 PM, Vieri Di Paola via Shorewall-users wrote:
________________________________
From: Tom Eastep <[email protected]>
It is the *next to the last* rule that is causing the problem.
OK, so my problem is that I wrote the following in my mangle file:
MARK(1-3):P 0.0.0.0/0 0.0.0.0/0 tcp,udp 53
and it translated to:
Chain tcpre
[...]
7784 6738K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 MARK xset 0x1/0xff
7783 6764K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 1 MARK xset 0x2/0xff
7783 6623K MARK all -- * * 0.0.0.0/0 0.0.0.0/0 statistic mode nth every 3 packet 2 MARK xset 0x3/0xff
I erroneously thought that I could "balance" DNS traffic among the first 3
providers.
It can't be done here, right?
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users