IPFire: New DNS firewall to replace URL filter and Pi-hole
The firewall distribution IPFire brings with Core Update 201 a DNS firewall that blocks unwanted domains during name resolution.
With Core Update 201, IPFire 2.29 receives a DNS firewall and updates central system components. The new function compares DNS requests against a proprietary blocklist and, according to the developers, blocks domains for malware, phishing, and advertising, among others, before a connection is even established. The project itself calls it the biggest expansion in years.
IPFire is a firewall distribution that sits as a central protection instance in front of the network and routes DNS traffic through its proxy. This is precisely where the DNS firewall comes in: it is intended to work network-wide without administrators having to configure individual clients or operate additional systems.
DNS Requests Against Blocklist
Technically, IPFire checks every DNS request against its in-house blocklist, IPFire DBL. If a request matches a blocked entry, the system responds with NXDOMAIN – to the client, the domain then appears not to exist. It never receives an IP address, so no connection attempt takes place. For example, if a web browser tries to reach a known phishing domain, the request already fails at the name resolution stage.
IPFire distributes updates for the blocklists via IXFR (Incremental Zone Transfer) directly into the DNS proxy. The server transmits only changes to a DNS zone instead of the entire list every time. According to the project, new entries are thus automatically added to the system within an hour, with low bandwidth load.
With the DNS firewall, IPFire also aims to replace older approaches, such as the previous URL filter and separately operated DNS blockers in the network. The project sees advantages primarily in the fact that neither client configuration nor additional hardware is required.
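As an added illustration, not code from IPFire or its DNS proxy, the following Python sketch models the two mechanisms described above: applying an incremental blocklist delta (the kind of change set IXFR delivers) and answering a listed name with a minimal NXDOMAIN reply instead of forwarding it. The blocklist entries and the query builder are constructed samples, not IPFire DBL data.

```python
import struct

# Constructed sample blocklist (not IPFire DBL data). A query is blocked when
# the name itself or any parent domain is listed, so sub.phish.example matches.
BLOCKLIST = {"phish.example", "ads.example.net"}

def normalise(name: str) -> str:
    return name.rstrip(".").lower()

def apply_delta(blocklist: set, removed=(), added=()) -> set:
    """Apply an incremental update: only the changed entries, as with IXFR."""
    bl = set(blocklist)
    bl.difference_update(normalise(n) for n in removed)
    bl.update(normalise(n) for n in added)
    return bl

def is_blocked(qname: str, blocklist: set) -> bool:
    """True if qname or one of its parent domains is on the blocklist."""
    labels = normalise(qname).split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))

def parse_qname(msg: bytes) -> str:
    """Read the first question name from a raw DNS query (no label compression)."""
    pos, labels = 12, []
    while msg[pos] != 0:
        ln = msg[pos]
        labels.append(msg[pos + 1:pos + 1 + ln].decode("ascii"))
        pos += 1 + ln
    return ".".join(labels)

def nxdomain_reply(query: bytes) -> bytes:
    """Echo ID and question, set RCODE=3 (NXDOMAIN), return no answer records."""
    flags = 0x8183  # QR=1, RD=1, RA=1, RCODE=3
    end = 12
    while query[end] != 0:          # skip over the question name
        end += 1 + query[end]
    question = query[12:end + 5]    # name + terminating 0 + QTYPE + QCLASS
    return query[:2] + struct.pack(">HHHHH", flags, 1, 0, 0, 0) + question

def handle(query: bytes, blocklist: set):
    """NXDOMAIN reply for listed names; None means 'forward upstream as usual'."""
    return nxdomain_reply(query) if is_blocked(parse_qname(query), blocklist) else None

def build_query(name: str, txid: int = 0x1234) -> bytes:
    """Constructed sample A-record query used to exercise the functions above."""
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + struct.pack(">HH", 1, 1)
```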
Detailed System Changes
In addition, there are several smaller changes: for the Intrusion Prevention System, daily, weekly, and monthly reports can be sent to different recipients – practical if different people need to evaluate the respective reports. The network installer reserves more space for the ISO image, which has grown in size, when booting from the network. IPFire now creates firewall rules for the web proxy with the --wait switch to avoid race conditions during insertion. Unnecessary Rust packages have been removed from the distribution, which is intended to reduce build effort and the attack surface. For the experimental RISC-V builds, the developers have revised the kernel configuration.
In the add-ons, the maintainers have corrected the description of the Neighbourhood Scan in the Wireless Access Point package and added a Dutch translation. Several additional packages have also been updated, including ddrescue, Git, Postfix, Samba, and tshark. The 7-Zip package, on the other hand, has been dropped from the add-on collection: the upstream project is no longer maintained and therefore no longer fits IPFire's security orientation, the developers explain.
The update can be installed as usual via Pakfire. Afterward, the project recommends a reboot so that all components run in the new versions. Further details can be found in the Release Notes on the IPFire website.
(fo)