Feature #10166

Add DNS-over-TLS as option to source/destination port range when creating a firewall rule

Added by Logan Marchione about 2 months ago. Updated about 2 months ago.

Status: Resolved
Priority: Low
Assignee:
Category: Rules / NAT
Target version:
Start date: 01/06/2020
Due date:
% Done: 100%
Estimated time:

Description

With the recent attention around DNS-over-TLS and DNS-over-HTTPS, would it be possible to add these two entries as pre-populated items in the firewall source/destination ranges?

For example, right now, it only shows DNS (53).

DNS-over-TLS (DoT) uses 853/tcp.
https://tools.ietf.org/html/rfc7858

DNS-over-HTTPS (DoH) uses 443/tcp.
https://tools.ietf.org/html/rfc8484

Associated revisions

Revision d2c6e89c (diff)
Added by Jim Pingle about 2 months ago

Add a few more common ports to list. Fixes #10166

Revision 4861bddb (diff)
Added by Jim Pingle about 2 months ago

Add a few more common ports to list. Fixes #10166

(cherry picked from commit d2c6e89c40b1bff2deb1f0a8847a5199b317ba0f)

History

#1 Updated by Jim Pingle about 2 months ago

DNS over TLS may be OK, but adding DoH would give the false impression that it would match only DoH traffic. Plus there is already a choice for 443 (HTTPS). When the page loads with a port value of 443 it would jump to whichever entry was first in the list, not what the user selected.
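
The selection problem raised in the comment above, as an added example that is not part of the original ticket and is not pfSense's code: a rule stores only the port number, so a list with two labels for 443 cannot restore the label the user picked. The port list, the "DNS over HTTPS" entry and all function names are constructed for illustration.

```javascript
// Constructed sample list, modeled on the "DNS (53)" style entries in the ticket.
// This is not pfSense's actual port list.
const WELL_KNOWN_PORTS = [
  { port: "53", label: "DNS" },
  { port: "443", label: "HTTPS" },
  { port: "853", label: "DNS over TLS" },
];

// A saved rule keeps only the port number, so when the edit page loads it has
// to pick the dropdown entry by value. The first matching entry wins.
function labelForSavedPort(list, port) {
  const hit = list.find((e) => e.port === String(port));
  return hit ? hit.label : "(other)";
}

// Simulate: user picks a label, the rule is saved as a port, the page reloads.
function roundTrip(list, chosenLabel) {
  const chosen = list.find((e) => e.label === chosenLabel);
  if (!chosen) throw new Error(`no such entry: ${chosenLabel}`);
  const savedPort = chosen.port; // only the number is persisted
  return labelForSavedPort(list, savedPort);
}

// Guard for anyone extending such a list: report port values that appear
// under more than one label.
function duplicatePorts(list) {
  const byPort = new Map();
  for (const { port, label } of list) {
    byPort.set(port, [...(byPort.get(port) || []), label]);
  }
  return [...byPort]
    .filter(([, labels]) => labels.length > 1)
    .map(([port, labels]) => ({ port, labels }));
}

// Hypothetical list with the requested DoH entry added on 443.
const WITH_DOH = [...WELL_KNOWN_PORTS, { port: "443", label: "DNS over HTTPS" }];

console.log(roundTrip(WELL_KNOWN_PORTS, "DNS over TLS")); // DNS over TLS
console.log(roundTrip(WITH_DOH, "DNS over HTTPS"));       // HTTPS
console.log(JSON.stringify(duplicatePorts(WITH_DOH)));
```

The 853 entry survives the round trip because no other label shares its port; the 443 pair does not, and either label would match every TCP flow to port 443 regardless of what protocol it carries.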

#2 Updated by Logan Marchione about 2 months ago

Jim Pingle wrote:

DNS over TLS may be OK, but adding DoH would give the false impression that it would match only DoH traffic. Plus there is already a choice for 443 (HTTPS). When the page loads with a port value of 443 it would jump to whichever entry was first in the list, not what the user selected.

Ah, derp, good point with 443. That makes sense.

#3 Updated by Jim Pingle about 2 months ago

  • Category changed from Web Interface to Rules / NAT
  • Status changed from New to In Progress
  • Assignee set to Jim Pingle

#4 Updated by Jim Pingle about 2 months ago

  • Target version set to 2.4.5

#5 Updated by Jim Pingle about 2 months ago

  • Status changed from In Progress to Feedback
  • % Done changed from 0 to 100

#6 Updated by Viktor Gurov about 2 months ago

  • Status changed from Feedback to Resolved

Jim Pingle wrote:

Applied in changeset d2c6e89c40b1bff2deb1f0a8847a5199b317ba0f.

Tested on 2.4.5.a.20200107.1903
