Ok so my other question is getting little response, so I thought I would start asking little specific questions instead.
This question is about DNS and how I would write the configuration.
I have 2 computers. One running VyOS, the other running Windows and AD with DNS [obviously].
Say my DNS has an IP of 10.40.0.1.
Say my VyOS has an interface connecting VyOS to Windows: VyOS end IP 10.30.0.254, Windows end IP 10.30.0.8.
How would I configure VyOS such that all DNS is performed by my DNS?
i.e. no VyOS DNS caching etc.
Obviously my DNS is pointing to other DNS servers [on the web] for any requests it does not know how to resolve itself.
I am NOT using zone-based firewalls.
I am naming my firewall rules using WAN, LAN, IN, OUT and LOCAL.
The default firewall rule is to drop everything.
That would mean I would need to allow DNS traffic from my DNS, from 10.30.0.8 through 10.30.0.254 and out to the web, plus allow the results of the DNS query from the web back into my DNS.
Do I set DNS firewall rules in these chains: WAN->IN, WAN->LOCAL, LAN->LOCAL, LAN->IN?
Or in LAN->IN rather than WAN->IN, if I am performing the firewalling on LAN incoming rather than WAN incoming?
Do I need firewall rules for LAN->OUT and WAN->OUT for DNS if I am performing egress filtering?
I know that DNS can sometimes use both TCP and UDP.
In the examples I see only port 53 for DNS, but does DNS not also sometimes use another port as well?
By other port I mean for the reply.
What about the configuration of LOCAL?
Do I need to set system name-server '10.40.0.1'?
Also, what would I NOT want to set in my VyOS configuration?
i.e. not set VyOS to cache etc.
I hope this question is specific enough for some guidance/advice.
This is what I currently have for the DNS stuff:
set firewall group port-group PG-DNS port '53'
set interfaces ethernet eth0 address 'dhcp'
set interfaces ethernet eth0 description 'WAN Cable 1'
set interfaces ethernet eth1 address '10.30.0.254/24'
set interfaces ethernet eth1 description 'LAN'
set firewall name LAN-LOCAL rule 1040 action 'accept'
set firewall name LAN-LOCAL rule 1040 description 'Allow DNS traffic'
set firewall name LAN-LOCAL rule 1040 destination group port-group 'PG-DNS'
set firewall name LAN-LOCAL rule 1040 protocol 'tcp_udp'
set firewall name LAN-LOCAL rule 1040 state new 'enable'
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'
set interfaces ethernet eth0 firewall out name 'WAN-OUT'
set interfaces ethernet eth1 firewall in name 'LAN-IN'
set interfaces ethernet eth1 firewall local name 'LAN-LOCAL'
set interfaces ethernet eth1 firewall out name 'LAN-OUT'
set system name-server '10.40.0.1'
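As an added worked example (editor-supplied VyOS configuration, not the poster's own config or an official VyOS sample), here is how the DNS flow described in the question maps onto the named chains. It assumes VyOS 1.2/1.3 legacy firewall syntax, reuses the poster's chain names, port group and addresses, treats 10.30.0.8 as the DNS server's source address on the LAN link, and adds an `in` chain on eth0 named WAN-IN, which the posted config does not bind. Rule numbers are arbitrary.

```text
# Added example, not the poster's configuration. Assumes VyOS 1.2/1.3 legacy
# firewall syntax; chain names, port group and addresses come from the question.

# Global state policy: accept reply and follow-on packets of connections that
# were already accepted, in every chain, and drop packets conntrack rejects.
# Without this, a default-drop chain would stop the UDP reply and every TCP
# packet after the first SYN (SYN-ACK in WAN-IN, ACK in LAN-IN, and so on).
set firewall state-policy established action 'accept'
set firewall state-policy related action 'accept'
set firewall state-policy invalid action 'drop'

set firewall group port-group PG-DNS port '53'

# Outbound query from the AD DNS server, forwarded LAN -> WAN.
# First chain it meets: eth1 'in' (LAN-IN).
set firewall name LAN-IN default-action 'drop'
set firewall name LAN-IN rule 1040 action 'accept'
set firewall name LAN-IN rule 1040 description 'New DNS queries from the AD DNS server'
set firewall name LAN-IN rule 1040 source address '10.30.0.8'
set firewall name LAN-IN rule 1040 destination group port-group 'PG-DNS'
set firewall name LAN-IN rule 1040 protocol 'tcp_udp'
set firewall name LAN-IN rule 1040 state new 'enable'

# Second chain for the same packet: eth0 'out' (WAN-OUT). Only needed because
# the poster is doing egress filtering with a default drop on this chain.
# Filtering happens before source NAT, so the source is still 10.30.0.8.
set firewall name WAN-OUT default-action 'drop'
set firewall name WAN-OUT rule 1040 action 'accept'
set firewall name WAN-OUT rule 1040 description 'Egress DNS from the AD DNS server'
set firewall name WAN-OUT rule 1040 source address '10.30.0.8'
set firewall name WAN-OUT rule 1040 destination group port-group 'PG-DNS'
set firewall name WAN-OUT rule 1040 protocol 'tcp_udp'
set firewall name WAN-OUT rule 1040 state new 'enable'

# Return path WAN -> LAN: eth0 'in' (WAN-IN) then eth1 'out' (LAN-OUT).
# No DNS-specific rule is needed: the reply is 'established' and is accepted
# by the state policy above. These chains only need their default drop.
set firewall name WAN-IN default-action 'drop'
set firewall name LAN-OUT default-action 'drop'

# Bind the chains. WAN-IN is the binding missing from the posted config.
set interfaces ethernet eth0 firewall in name 'WAN-IN'
set interfaces ethernet eth0 firewall out name 'WAN-OUT'
set interfaces ethernet eth0 firewall local name 'WAN-LOCAL'
set interfaces ethernet eth1 firewall in name 'LAN-IN'
set interfaces ethernet eth1 firewall out name 'LAN-OUT'
set interfaces ethernet eth1 firewall local name 'LAN-LOCAL'

# The router's own resolver only. This does not forward or cache client
# queries, so clients keep talking to 10.40.0.1 directly.
set system name-server '10.40.0.1'
```

Two points the question raises that the example settles. First, the "other port" for the reply is the client's ephemeral source port, not a second well-known port: the server answers back to whatever port the query came from, and the established/related state policy accepts that reply without opening anything else. Second, the LOCAL chains carry only traffic addressed to the router itself, so the posted LAN-LOCAL rule 1040 matters only if a host sends queries to 10.30.0.254; as long as `service dns forwarding` is left unconfigured the router listens on no DNS port and does no caching, which is the behaviour the poster wants. The state policy also covers the router's own lookups (sent to 10.40.0.1 out eth1, answered back through LAN-LOCAL).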