Michael Tremer

Use IPFire to protect you from DNSChanger
by Michael Tremer, July 10, 2012

Because this has been asked very often recently:

Systems that are infected with DNSChanger you a different DNS server to lookup names from the DNS system. An attacker could use this to redirect people to phishing sites, do man-in-the-middle attacks and many things more.

IPFire can force every DNS query to go through the internal DNS proxy. This can be done with a single command that adds a new iptables rule:

iptables -t nat -A CUSTOMPREROUTING ! -o orange0 -p udp —destination-port 53 -j REDIRECT —to-ports 53

This will take every single DNS query and will send it to the internet DNS proxy (dnsmasq) which will then process the request. It does not matter to what DNS server the query was originally sent to.

To make this change permanent, you can add it to the start section of /etc/sysconfig/firewall.local.

Posted: July 10, 2012 • 1341 views