Use IPFire to protect you from DNSChanger

by Michael Tremer, July 10, 2012, Updated February 18, 2019


Because this has been asked very often recently:

Systems infected with DNSChanger are configured to use a different DNS server to look up names in the DNS system. An attacker can use this to redirect people to phishing sites, perform man-in-the-middle attacks, and much more.

IPFire can force every DNS query to go through the internal DNS proxy. This can be done with a single command that adds a new iptables rule:

iptables -t nat -A CUSTOMPREROUTING ! -o orange0 -p udp --destination-port 53 -j REDIRECT --to-ports 53

This will take every single DNS query and send it to the internal DNS proxy (dnsmasq), which then processes the request. It does not matter which DNS server the query was originally sent to.

To make this change permanent, you can add it to the start section of /etc/sysconfig/firewall.local.
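To check on a running firewall that the redirect is actually in place, the following Python script (an added example, not code from IPFire or the post) parses `iptables-save -t nat` output and reports which DNS transports are still not forced through the proxy. The dump it parses is constructed for illustration; the chain name and rule follow the post, while the function names are assumptions.

```python
import shlex

# Constructed sample of `iptables-save -t nat` output where only the UDP rule from the post was added.
SAMPLE_NAT_DUMP = """\
*nat
:PREROUTING ACCEPT [0:0]
:CUSTOMPREROUTING - [0:0]
-A PREROUTING -j CUSTOMPREROUTING
-A CUSTOMPREROUTING ! -o orange0 -p udp -m udp --dport 53 -j REDIRECT --to-ports 53
COMMIT
"""

def parse_nat_rules(dump):
    """Yield (chain, option tokens) for every -A rule inside the *nat table."""
    in_nat = False
    for line in dump.splitlines():
        if line.startswith("*"):
            in_nat = line.strip() == "*nat"
        elif in_nat and line.startswith("-A "):
            tokens = shlex.split(line)
            yield tokens[1], tokens[2:]

def option_value(tokens, names):
    """Value of the first option in `names` that is not negated by a preceding '!'."""
    for i in range(len(tokens) - 1):
        if tokens[i] in names and (i == 0 or tokens[i - 1] != "!"):
            return tokens[i + 1]
    return None

def dns_redirected_protocols(dump, chain="CUSTOMPREROUTING"):
    """Set of transports ('udp'/'tcp') whose port-53 traffic `chain` REDIRECTs to the local resolver."""
    found = set()
    for rule_chain, tokens in parse_nat_rules(dump):
        if rule_chain != chain:
            continue
        proto = option_value(tokens, {"-p", "--protocol"})
        dport = option_value(tokens, {"--dport", "--destination-port"})
        target = option_value(tokens, {"-j", "--jump"})
        to_ports = option_value(tokens, {"--to-ports"})
        if proto in ("udp", "tcp") and dport == "53" and target == "REDIRECT" and to_ports == "53":
            found.add(proto)
    return found

def missing_dns_redirects(dump):
    """Transports that can still bypass the proxy. DNS also runs over TCP (large answers,
    zone transfers), so a UDP-only rule like the one above leaves TCP/53 unforced."""
    return sorted({"udp", "tcp"} - dns_redirected_protocols(dump))

if __name__ == "__main__":
    print("not forced through dnsmasq:", missing_dns_redirects(SAMPLE_NAT_DUMP))  # ['tcp']
```

Feed it `iptables-save -t nat` from the firewall itself; an empty result means both UDP and TCP DNS are forced through dnsmasq.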