1
24.1 Production Series / Re: Configuring a failover mechanism (firewall rules) in case my Pi-hole goes down
« on: April 26, 2024, 07:58:49 am »
DNS is not a security enforcement technique. It exists because wetware cannot remember IP addresses
Firewall (policy) sits in level-3 of your network - that means that everything is by IP address. If you want to restrict higher up in the stack, you need a proxy (like Squid for web access)
As a service to make life easier for your users, it's great. A dedicated user (e.g. a teenager) can by-pass your restrictions by SOCKS, DOH, VPN, etc. Since malware isn't (yet) at that level, you can reduce its impact with a filtering DNS server (like pi-hole).
Concentrate on making DNS fast (local) and available (resilience). DNS on your firewall is for your firewall to use. Give your users the servers they need by DHCP and allow those servers to resolve.
Remember the KISS principle
Bart...
Firewall (policy) sits in level-3 of your network - that means that everything is by IP address. If you want to restrict higher up in the stack, you need a proxy (like Squid for web access)
As a service to make life easier for your users, it's great. A dedicated user (e.g. a teenager) can by-pass your restrictions by SOCKS, DOH, VPN, etc. Since malware isn't (yet) at that level, you can reduce its impact with a filtering DNS server (like pi-hole).
Concentrate on making DNS fast (local) and available (resilience). DNS on your firewall is for your firewall to use. Give your users the servers they need by DHCP and allow those servers to resolve.
Remember the KISS principle
Bart...