Well, we'll focus on DNS-related rules...
In general, the device acting as DNS server has to have access to the internet to get DNS itself.
Even a DoH server needs some unencrypted DNS access to make the initial connection to an encrypted DoH server.
So in general, one has to look at:
DNS servers in the DHCP network settings
IP DNS rules
DST-NAT rules
and even forward chain rules to ensure users are allowed to go to the DNS server, etc.
So looking at it quickly:
You use redirect so that any DST-NAT attempts by users will go through the router. Okay.
You allow access to DNS router services in the input chain... Okay.
You allow access to external servers, and 1.1.1.1 and 1.0.0.2 are okay and not the problem. Okay.
You allow access to external server 185.228.168.9, which is also okay as it looks to be another DNS service...
So quickly I see nothing untoward... What happens when a user uses Google in a browser search, or Google Mail, or something like that? Perhaps eventually a Google resolver down the line gets involved?
Statistics: Posted by anav — Tue Jan 02, 2024 11:04 pm
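The checklist in the post above (DHCP-advertised DNS, the router's own resolver, a DST-NAT redirect, and matching input/forward rules) laid out as one RouterOS configuration. This is an added example, not anav's configuration or the original poster's export; it assumes a LAN of 192.168.88.0/24 with the router at 192.168.88.1 and interface lists named LAN and WAN. The upstream resolver addresses are the ones named in the thread.

```routeros
# Added example (constructed; not from the original post). Assumes interface lists
# "LAN" and "WAN" already exist and the router's LAN address is 192.168.88.1.

# 1. DHCP hands out the router itself as the only DNS server.
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1

# 2. The router's resolver answers LAN clients and forwards to the upstreams
#    named in the thread. The router itself still needs plain port-53 egress
#    to reach them (the "DNS server needs DNS" point from the post).
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,1.0.0.2,185.228.168.9

# 3. DST-NAT: any client that points at an external resolver directly is
#    redirected to the router's own resolver, TCP and UDP alike.
/ip firewall nat
add chain=dstnat in-interface-list=LAN protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force client UDP DNS through router"
add chain=dstnat in-interface-list=LAN protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force client TCP DNS through router"

# 4. Input chain: LAN may reach the router's resolver; WAN may not
#    (allow-remote-requests=yes would otherwise expose an open resolver).
/ip firewall filter
add chain=input in-interface-list=LAN protocol=udp dst-port=53 action=accept \
    comment="LAN clients -> router DNS"
add chain=input in-interface-list=LAN protocol=tcp dst-port=53 action=accept
add chain=input in-interface-list=WAN protocol=udp dst-port=53 action=drop \
    comment="no open resolver on WAN"
add chain=input in-interface-list=WAN protocol=tcp dst-port=53 action=drop

# 5. Forward chain: after the redirect, client DNS should never be forwarded.
#    Anything that does match here means a bypass (e.g. the NAT rule was
#    disabled), so log it with a recognisable prefix before dropping.
add chain=forward in-interface-list=LAN protocol=udp dst-port=53 action=drop \
    log=yes log-prefix="dns-bypass" comment="tripwire: client DNS not via router"
add chain=forward in-interface-list=LAN protocol=tcp dst-port=53 action=drop \
    log=yes log-prefix="dns-bypass"

# Verification: the redirect and input counters should climb as clients
# resolve names; the forward tripwire should stay at zero.
/ip firewall nat print stats where chain=dstnat
/ip firewall filter print stats where log-prefix="dns-bypass"
```

From a client, a lookup aimed at any external address on port 53 (for example `nslookup example.com <external-resolver-ip>`) is still answered, but by the router, and only the redirect counters move. Note that the redirect catches plain port-53 traffic only; DNS carried inside HTTPS (DoH on port 443) from a browser or application is not intercepted by these rules, which is the gap the closing question in the post is circling.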