DHCP DNS for a router with 2 ethernet interfaces and 1 wifi interface

Hi all,

I’m using a headless computer as a router with Manjaro, because the IPFire kernel looks too weak against some attacks.

I’m trying to use dhcpd on Manjaro to assign IP addresses to my client subnet.

Currently I can reach sites by IP through the router, but DNS resolution doesn’t work.

I need help configuring DNS access. Right now I don’t know where to start…

I’m a developer and I understand iptables rules and the background, but system configuration for DHCP & DNS is not my favourite work and I don’t understand it well.

I can use the shell too and I know how to use man pages, but sometimes it’s hard to understand without an example…

Currently I’m using the dhcpd & dhcpcd services for the network configuration. It seems to be working reasonably well…

My network is a classic red (eth1), green (eth2), blue (wifi) configuration, as found in IPFire…

Could someone please help me step by step with the DNS configuration?

Best regards

And you disabled NetworkManager, right? Because otherwise they conflict. NetworkManager is the default on Manjaro.

Usually the IP of the DNS server is retrieved by a DHCP request (usually made by NetworkManager) and written into /etc/resolv.conf. So in your case it is the task of IPFire and not of Manjaro, since in general the request just works.

Yes, of course I did:

systemctl disable NetworkManager
systemctl stop --now NetworkManager

My /etc/resolv.conf:

# Generated by NetworkManager   <- yes, I know... I think it hasn't changed since I stopped the service...
search home
nameserver 192.168.1.254

The problem is that the kernel got broken a couple of times…
Currently I can only stabilize the kernel with Manjaro. I tried IPFire and other firewall/IDS systems, but none of them resist my attackers.

I used Manjaro and it worked long enough for me to finalize the firewall configuration (iptables rules).

I don’t know why I can reach external IPs but DNS doesn’t propagate to the PPPoE router… I can access the PPPoE router by IP (outside the Manjaro router), but DNS requests don’t get to Google…

internet ==== fiber==== [ Orange PPPOE Router 192.168.1.254] ==redzone== eth0[(dhcp) manjaro router 191.168.1.254]eth1 ==greenzone==[(dhcp)greencomputers]

Best regards

It sounds really obscure and esoteric when you read it.

Just note: there can only be one DHCP server in a local network, or at least the two must be separated. Your router most likely has such a server, and IPFire does too… so: probably a conflict?

At the moment you are using the DNS server of the router,

but to be behind the firewall, you need to disable the DHCP server of the router and use the DHCP server of IPFire. IPFire should connect statically to the router.

computer → dhcp → ipfire → static → router

Now it looks like (just my guessing):
ipfire → dhcp → router
computer → dhcp → router

Effectively you are not behind the firewall.

There is so much nonsense in this single sentence.

I’m under external hacker attack. How do I know I’m under attack? Because I saw my Windows desktop graphics card glitching only during certain time slots: something like 8 hours continuously, then nothing for hours until it starts again. Later, when I sniffed my network traffic, I saw ARP flood packets from my connected TV… surely a MITM attack attempt.
So I bought a NUC i7 PC on which I tried to install IPFire. The IPFire kernel doesn’t resist the attacker’s smurf attack.
So I installed Manjaro over it on the NUC i7 PC and wrote the netfilter rules manually. Now I only have the Orange PPPoE router (used as master DHCP & DNS) and my NUC i7 PC, which protects the green zone where my (client) computers are connected.
I just want the NUC i7 to recurse (not forward; NAT protection, please) DNS requests from the green zone to the red zone Orange PPPoE router’s main DNS (192.168.1.254).

I saw that bind was not installed on the NUC i7 PC, so I installed it. I took a look at the config file but didn’t understand any of it (I’m French, sorry, English is not my native language).

Could someone help me by showing me how to create a zone in named.conf (keep it simple), please, so that I can recurse green zone DNS requests to the red zone PPPoE server through the NUC i7 PC?

Thank you, I know, and as I said I reinstalled the NUC i7 PC (Manjaro router), so there is no IPFire any more.

My current configuration is:
[ green computers (dhcp)]==greenzone==eth1[191.168.1.254 nuc i7 pc / manjaro 192.168.1.17(dhcp)]eth0==redzone==ethlan[192.168.1.254 Orange PPPOE ROUTER main DNS&DHCP]ethwan====internet

Currently I can access the website of the Orange router by IP (192.168.1.254) from green zone computers, so I think it’s only DNS that doesn’t resolve names such as “google”…

How do I configure the named service (named.conf) on Manjaro to get DNS resolution on green zone computers?

Like what?

headless PC ==> a PC without screen or keyboard in production (blade, IoT-type box, industrial PC, etc…)

to use it as a router… what’s the problem?

with Manjaro… what’s the problem?

because the IPFire kernel looks too weak against some attacks… what’s the problem? I tried IPFire but the kernel goes down because the smurf attack was apparently too hard for the IPFire firewall…

Ah, for the IPFire producers, a standard netfilter ruleset in military systems is:

iptables -F
iptables -X
iptables -P INPUT DROP
iptables -P FORWARD DROP
iptables -P OUTPUT DROP       #<  this achieves the black hole firewall configuration.
# Here come the accept rules for specific usages, such as:
#   iptables -A INPUT -i $rediface -p tcp -s 192.168.1.0/24 -d $redip --sport 80 -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# or
#   iptables -A OUTPUT -o $rediface -p tcp -s $redip -d 192.168.1.0/24 --dport 80 -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT
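A complete default-DROP ruleset for the red/green router in this thread, as an added example that is not code from the original post. It starts from the same three DROP policies, then opens only what the router itself needs (DNS and DHCP on the green side, DNS and DHCP client on the red side) and forwards green clients out through NAT; green clients cannot talk to any DNS server except the router, and the red side can never open a new connection into green. Names and addresses are assumptions, not from the thread: red interface eth0, green interface eth1 with 192.168.2.254/24, upstream resolver 192.168.1.254, and a hypothetical helper `gen_ruleset` that emits iptables-restore format so the ruleset can be reviewed before it is loaded.

```shell
#!/bin/sh
# Added example (not from the original thread): emit an iptables-restore
# ruleset for a two-interface router with DROP policies everywhere.
# Assumed layout (not stated in the post): red=eth0 (DHCP client towards
# the ISP box), green=eth1 192.168.2.254/24, upstream DNS 192.168.1.254.

gen_ruleset() {
    red="${1:-eth0}"; green="${2:-eth1}"
    green_net="${3:-192.168.2.0/24}"; green_ip="${4:-192.168.2.254}"
    upstream_dns="${5:-192.168.1.254}"
    cat <<EOF
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
# loopback: named, dhcpd and local tools talk to themselves
-A INPUT -i lo -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
# drop broken state early, then allow replies to anything already allowed
-A INPUT -m conntrack --ctstate INVALID -j DROP
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
# green clients -> router: DNS (udp and tcp) and DHCP
-A INPUT -i $green -s $green_net -d $green_ip -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $green -s $green_net -d $green_ip -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -i $green -p udp --sport 68 --dport 67 -j ACCEPT
-A OUTPUT -o $green -p udp --sport 67 --dport 68 -j ACCEPT
# router -> red: only the resolver queries upstream, plus the DHCP client
-A OUTPUT -o $red -d $upstream_dns -p udp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $red -d $upstream_dns -p tcp --dport 53 -m conntrack --ctstate NEW -j ACCEPT
-A OUTPUT -o $red -p udp --sport 68 --dport 67 -j ACCEPT
-A INPUT -i $red -p udp --sport 67 --dport 68 -j ACCEPT
# green -> internet: web, mail, ssh, ping; nothing NEW is ever forwarded red -> green
-A FORWARD -i $green -o $red -s $green_net -p tcp -m multiport --dports 80,443,22,993,587 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $green -o $red -s $green_net -p udp --dport 443 -m conntrack --ctstate NEW -j ACCEPT
-A FORWARD -i $green -o $red -s $green_net -p icmp --icmp-type echo-request -j ACCEPT
# everything else: log a rate-limited sample, then the chain policy drops it
-A INPUT -m limit --limit 5/min -j LOG --log-prefix "FW-IN-DROP: "
-A FORWARD -m limit --limit 5/min -j LOG --log-prefix "FW-FWD-DROP: "
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
# hide the green subnet behind whatever address DHCP gave the red side
-A POSTROUTING -o $red -s $green_net -j MASQUERADE
COMMIT
EOF
}

# "show" prints the ruleset for review; "apply" loads it atomically (as root)
case "${1:-show}" in
    show)  gen_ruleset ;;
    apply) gen_ruleset | iptables-restore ;;
esac
```

Note what the OUTPUT DROP policy costs: the router itself can no longer fetch package updates or NTP until matching OUTPUT rules are added, and the green side's DNS only works once a resolver is actually listening on 192.168.2.254. Check with `iptables -L -v -n` which counters increase while a green client runs `dig @192.168.2.254 example.com`; packets hitting the LOG rules instead mean the filter, not named, is the problem.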

So there is a television, a smart TV, that is connected to the Internet with WLAN or Ethernet. This device is said to have been hacked or infected and is now carrying out an ARP flood attack on the local network? :face_with_raised_eyebrow:

Just try to understand the problem.

Does it stop, when you disconnect the TV?

Bad idea. Use a Linux distro which is made for such scenarios.
https://opnsense.org/
https://www.pfsense.org/
https://www.ipfire.org/
Anyhow, a router commonly has built-in NAT. There is no real reason to use PPPoE instead; only if you want a separate firewall/NAT, which is pretty common in big companies.

The TV is connected to the red zone network.

And yes, since I implemented the firewall on the NUC i7 PC my computer (in the green zone) is safe…

And I continue to see ICMP packets incoming from the TV’s IP, but now they land in the firewall drop logs.

  • OPNsense: I can’t understand it (I tried); there are no common commands on this system such as iptables or ifconfig.
  • pfSense: as far as I know (as I can see) you must pay… thank you, but no thank you…
  • IPFire: as I said, too weak; last version 179, I think. There is something in the Manjaro kernel that locks something that the old IPFire kernel version doesn’t lock.

As I see it, the router doesn’t NAT its LAN network correctly… since my TV is compromised and my priority is my computers…

Manjaro is a friendly system to me. Since I handle iptables easily and it has some friendly tools such as the iptables service and the iptables-save & iptables-restore commands, and this distro is compiled, it’s really a good choice from my point of view…

So how do I configure the bind (named) service on Manjaro to recurse DNS requests from the green zone to the red zone?

Sorry, but don’t you see the elephant in the room? Fix the TV.

It has a Web-Interface :man_facepalming:

It has a community edition.

It is made for Desktops, not meant to be used as NAT.

Of course it has it. Like 100% of all distros :man_shrugging:

I clear the way for other supporters to do your homework.

Good Luck :wave:

Can’t now… Too old… Do you think I’m an electronics expert? It’s a built-in TV; I can’t open it without breaking it…

It should have a shell command line too… like IPFire or Manjaro…

I didn’t notice that on their website…

Whoever can do more can do less…

So why couldn’t I use it?

Sorry, I’m a developer, not a system administrator… I’m just asking for a little help with my home network…

I DON’T WORK FOR A COMPANY OR GOVERNMENT… if that’s what you mean…
In fact, currently I’m jobless because I’m autistic…

But as I see it, you are not friendly towards me… with helpers like you I don’t need enemies… please don’t answer me at all if it’s only to be negative…

It’s nothing personal and I’m certainly not going to make it personal. Your support request is a classic XY problem that is not intended to solve the actual problem, but rather the problem with the user’s solution approach. This simply leads to a waste of time and resources. At the end it doesn’t solve anything.

Disconnect your TV from the network and the problem is solved. No tinkering, no stress. Ask yourself: do you really need the TV connected to the network? Why does it make problems now (since it is old, it must have worked well for a long time)? Is there a feature on the TV which produces such behavior? That is what an administrator would ask and do. Solve the root cause, don’t create a second-level problem.


Isolating or removing the source of disturbance is first step.

Technically - what you want is this

  • define enp0 as WAN using DHCP
  • connect enp0 to your ISP device

Then you

  • connect enp1 to your switch
  • define enp1 with static IP most commonly the first address in the subnet
    • 192.168.100.1/24
    • raspberrypi with pi-hole as nameserver and dns
  • define wlan0 with static IP
    • 192.168.100.2/24
    • configure your wlan0 as access point
      • that is if your wlan card supports it
      • configure your wlan to forward dhcp requests to enp1

Providing a step by step guide - is out of scope for the forum.

That’s what I do with my new router/firewall. I can’t change my old TV because I like it, so I isolate it from the rest of my network.

Actually my network is wired and DHCP works correctly. As I said, I’m an IT developer; I know how to plug in an Ethernet cable and I know how to address a network. Currently I can access the configuration web page of the Orange PPPoE router (in the red zone) from green zone computers by typing 192.168.1.254 in the address bar (:white_check_mark: TCP/IP OK; :white_check_mark: DHCP OK).

I just have a problem with the “bind” (named) service, which doesn’t recurse DNS requests… I can’t access Google by its URL… (:x: DNS OK)

Here is my /etc/named.conf:

options {

	directory "/var/named";
	pid-file "/run/named/named.pid";

	// Uncomment these to enable IPv6 connections support
	// IPv4 will still work:
	listen-on-v6 { none; };
	// Add this for no IPv4:
	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	allow-query { 191.168.1.254; };
	allow-recursion { 191.168.1.254; };
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

You might be better served here:
https://lists.isc.org/mailman/listinfo/bind-users

What is the point?

I need help configuring my /etc/named.conf, not a mailing list about bind-related subjects…

I assume the address 191.168.x.y is a typo as 191 is not private address space.

essentially you are telling your nameserver it must only allow queries for itself

You already setup recursion - now you are limiting recursion to the nameserver itself

That is kicking yourself in the butt - should be something upstream

OK thanks, I didn’t see that it is a class A address. I’ll renumber the network like this:

[orange PPPOE router ]192.168.1.0/24=redzone [nuc i7 manjaro router] 192.168.2.0/24=greenzone[green conputers]

I think that’s what I want… I want DNS to answer 192.168.2.0/24 requests… or tell me what’s wrong?

OK, so how do I do it for all 192.168.2.0/24 computers?

I don’t understand. I want 192.168.1.254 to be the DNS server used for the red zone… What should I do?

I want:

[greenzone computers] => DNS REQUEST => 192.168.2.254/eth1[nuc i7 router]eth0\192.168.1.0/24 => DNS REQUEST => 192.168.1.254/lan[orange PPPOE router]

Currently my /etc/named.conf looks like:

options {

	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
	allow-query { 192.168.2.254; };
	allow-recursion { 192.168.2.254; };
	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

I know it’s wrong (as you said) but I don’t know what to do yet…

As you tell me there are “errors”, I tried this:

options {

	directory "/var/named";
	pid-file "/run/named/named.pid";

	listen-on-v6 { none; };

	listen-on port 53 { 192.168.1.254; };

	recursion yes;
#	allow-query { 192.168.2.254; };
#	allow-recursion { 192.168.2.254; };
#	forwarders { 192.168.1.254; };
	dnssec-validation auto;
	allow-transfer { none; };
	allow-update { none; };

	version none;
	hostname none;
	server-id none;
};

without any success…
:face_with_diagonal_mouth:

There are so many things which need to be in place.

You need some kind of forwarder address(es)

Most commonly your ISP nameservers are used or google ns or …

# examples (Google public DNS)
forwarders {
    8.8.8.8;
    8.8.4.4;
};

The problem with your issue is that there is no one-size-fits-all, which is why the community is (I am) reluctant to be specific…

bind is second to none, one of the best nameserver implementations, but it is hard to configure. There are so many places it can go wrong, especially if you don’t understand the concept, and you have repeatedly told us you don’t…
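What the replies above are pointing at, put together as an added example that is not code from the original thread: a named.conf that listens on the green address (not the red one), allows the green subnet rather than a single host, and forwards everything to the Orange box, plus the dhcpd stanza that tells green clients to use the router as their resolver, which the thread never shows. All addresses and paths are assumptions taken from the renumbered diagram and Manjaro's packaging (green 192.168.2.254/24, upstream 192.168.1.254, /etc/named.conf, /etc/dhcpd.conf); the helpers `named_conf`, `dhcpd_conf`, `write_conf` and `check_dns` are hypothetical names for this script, not anything bind or Manjaro provide.

```shell
#!/bin/sh
# Added example, not code from the original thread: generate a forwarding-only
# named.conf and the matching dhcpd.conf for the green zone, then verify them.
# Assumptions (not stated in the thread): green interface 192.168.2.254/24,
# Orange box at 192.168.1.254 on the red side, Manjaro's default file paths.

named_conf() {
    green_ip="${1:-192.168.2.254}"
    green_net="${2:-192.168.2.0/24}"
    upstream="${3:-192.168.1.254}"
    cat <<EOF
options {
    directory "/var/named";
    pid-file "/run/named/named.pid";

    // listen on the green side and loopback only; nothing on the red interface
    listen-on port 53 { 127.0.0.1; $green_ip; };
    listen-on-v6 { none; };

    // the whole green subnet may ask and may read the cache; nobody else
    recursion yes;
    allow-query { 127.0.0.1; $green_net; };
    allow-recursion { 127.0.0.1; $green_net; };
    allow-query-cache { 127.0.0.1; $green_net; };

    // hand every query to the Orange box; never walk the root servers ourselves
    forwarders { $upstream; };
    forward only;

    // ISP boxes often drop DNSSEC records, which makes "auto" answer SERVFAIL;
    // start with validation off, confirm names resolve, then try "auto" again
    dnssec-validation no;

    allow-transfer { none; };
    allow-update { none; };
    version none;
    hostname none;
    server-id none;
};
EOF
}

dhcpd_conf() {
    green_ip="${1:-192.168.2.254}"
    cat <<EOF
# green zone: clients must be told to use the router's resolver, not the Orange box
authoritative;
subnet 192.168.2.0 netmask 255.255.255.0 {
    range 192.168.2.100 192.168.2.200;
    option routers $green_ip;
    option domain-name-servers $green_ip;
    option domain-name "home";
    default-lease-time 86400;
    max-lease-time 172800;
}
# red side: declared without a range so dhcpd starts with eth0 up but never answers there
subnet 192.168.1.0 netmask 255.255.255.0 { }
EOF
}

# write_conf KIND PATH [args...]: KIND is "named" or "dhcpd"; prints PATH on success
write_conf() {
    kind="$1"; path="$2"; shift 2
    "${kind}_conf" "$@" > "$path" && printf '%s\n' "$path"
}

# check_dns CONF GREEN_IP: syntax-check the file, then query the resolver the way
# a green client would; a step is skipped when its tool is not installed
check_dns() {
    conf="$1"; green_ip="${2:-192.168.2.254}"
    if command -v named-checkconf >/dev/null 2>&1; then
        named-checkconf "$conf" || return 1
    fi
    if command -v dig >/dev/null 2>&1; then
        dig +short +time=3 @"$green_ip" www.google.com A | grep -q '^[0-9]' || return 1
    fi
    return 0
}

case "${1:-show}" in
    show)    named_conf; echo; dhcpd_conf ;;
    install) write_conf named /etc/named.conf >/dev/null \
             && named-checkconf /etc/named.conf \
             && systemctl restart named \
             && check_dns /etc/named.conf ;;
esac
```

Two checks worth running after `install`: `ss -lunp | grep :53` must show named bound to 192.168.2.254 and 127.0.0.1 only, and `dig @192.168.2.254 www.google.com` from a green client must return an address while `dig @192.168.1.254 www.google.com` from the same client should time out, because the filter only lets the router itself reach the upstream resolver. If the first `dig` returns SERVFAIL with `dnssec-validation auto`, the Orange box is stripping DNSSEC data and the configuration above is the fallback.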