Although it is one of the oldest protocols still in use on the Internet, DNS is far from "old". It has been changed and updated many times, and many applications now rely on it that did not originally. Without DNS we would not find the servers that serve us the websites we want, emails would not reach the right server, and we now even use it to distribute key material with DANE.

None of those applications were foreseen by the designers of the Internet, but additions like DNSSEC allow us to use DNS in a more flexible way. What was not foreseen in those days was that the whole Internet would be using HTTPS.

Safe Search

How does it work?

Safe Search used to work as follows: when an HTTP request was sent to the search engine, the IPFire proxy added a flag that tells the search engine to filter adult and violent content. Since everyone is using HTTPS now, we can no longer intercept that HTTP request and change it without breaking the encryption.

That is why DNS now has a new responsibility: diverting those DNS requests to servers that only serve the filtered content. For Google that would be forcesafesearch.google.com instead of google.com. So when a request is sent to google.com, it is instead sent to a different server that already knows it is responsible for Safe Search. That way, the request itself no longer has to be modified.

Currently this is supported for:

  • Google
  • Bing
  • DuckDuckGo
  • Yandex
  • YouTube

At the time of writing, those websites are the only ones that I am aware of that support it.
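The diversion described above, as an added example that is not IPFire's code: a lookup that maps a queried search-engine name to its Safe Search host before the upstream resolver is asked. Only the Google host comes from the post; the Bing, DuckDuckGo and YouTube hosts are taken from the vendors' documentation and are assumptions here, and the addresses are constructed.

```python
# Added example (not IPFire's code): the DNS diversion behind Safe Search.
# Only the Google target comes from the post; the other hosts are taken from
# the vendors' own documentation and are assumptions here, verify before use.
# Matching is done label by label so that an unrelated name that merely ends
# in the text "google.com" (e.g. google.com.example.net) is not diverted.
SAFE_SEARCH_TARGETS = {
    ("google", "com"):     "forcesafesearch.google.com",   # from the post
    ("bing", "com"):       "strict.bing.com",              # assumption
    ("duckduckgo", "com"): "safe.duckduckgo.com",          # assumption
    ("youtube", "com"):    "restrict.youtube.com",         # assumption
}

# Constructed answers standing in for the upstream resolver (192.0.2.0/24 is
# the documentation range, so none of these are real addresses).
UPSTREAM_A_RECORDS = {
    "www.google.com":             "192.0.2.1",
    "forcesafesearch.google.com": "192.0.2.10",
    "example.org":                "192.0.2.99",
}

def safe_search_target(qname):
    """Return the Safe Search host to answer with, or None if the name is
    not a diverted search engine (or already is the Safe Search host)."""
    labels = tuple(qname.rstrip(".").lower().split("."))
    for suffix, target in SAFE_SEARCH_TARGETS.items():
        if labels[-len(suffix):] == suffix and labels != tuple(target.split(".")):
            return target
    return None

def resolve(qname):
    """What the firewall-side resolver hands back to a client: the name it
    really resolved and that name's address (None for unknown names)."""
    target = safe_search_target(qname) or qname.rstrip(".").lower()
    return target, UPSTREAM_A_RECORDS.get(target)
```

A client asking for www.google.com thus receives the address of forcesafesearch.google.com, while a name that only ends in the same text is left alone.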

Who is it for?

If you are running IPFire in a school, you can now filter adult, violent, criminal and other websites that are not suitable for children or teenagers from the search results. Videos just won't play either. Because it is implemented using DNS, no additional settings are needed on the devices. That means that even if you are running BYOD in your school, your network won't allow such content to be viewed.

Downsides

A large downside is that you cannot control what is being blocked. That is all up to the operators of those websites. If you are teaching a sex education class, some results that you might want may be filtered. However, you can still browse those websites directly, because Safe Search only changes the search results.

For better protection, you will still have to deploy the URL filter and force your devices to use the proxy in order to filter direct access to unsuitable websites.

Credits

This feature has been developed and tested in close partnership with Brecht-Schule Hamburg, Germany, for whom it is very important to protect their students, but who are also very interested in trying new things and improving IPFire for their own use.


Stefan and I spent last week adding DNS over TLS to IPFire - another step to make DNS more private. Here is what we have done.

Cleaning up some mess

IPFire has multiple places where DNS servers could be configured. If you were using PPP for your Internet connection, you would have set this up with your dialup settings. If you were using a static IP address, then you would have set up the DNS servers with it in the setup. If you were using DHCP, you had a page on the web user interface to go to. This was not only confusing for the user, but there were also multiple places in the code where those settings were applied.

Now, we have created an entirely new page which combines all of this! You will have a list where you can set all DNS servers and configure the new settings.

With that, there are a couple more features coming:

For those of you who are running IPFire in a school or at home with children, you can now enable Safe Search for multiple search engines and YouTube. If Safe Search is enabled, all adult and violent content will be filtered in the search results.

This used to be a feature of the web proxy, but since everyone is now using HTTPS everywhere, we can no longer edit the search query being sent to the search engine. Safe Search is now realised by sending the client to a different server which only returns the filtered results and can therefore not be disabled on the client any more.

QNAME Minimisation

To protect your privacy, the DNS proxy inside IPFire strips away any part of the domain name that is not required to resolve the query. That way, the resolver has less of a chance to know what website you are looking for. This will always be enabled, and has been in IPFire for a long time, but a new option has been introduced: an even stricter mode which works according to RFC 7816, but might make some records unresolvable if the upstream name server does not respond according to the standard.
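A toy model of the minimisation just described, added here as an example and not unbound's code: the resolver reveals one label at a time, and the strict and relaxed modes differ only in what happens when an upstream server wrongly answers NXDOMAIN for an intermediate name. All zone data is constructed.

```python
# Added example (not unbound's code): a toy of RFC 7816 QNAME minimisation.
# The resolver reveals one label at a time, so the root only ever sees "com"
# and the com servers only see "example.com". Strict and relaxed mode differ in
# what happens when a server wrongly answers NXDOMAIN for an intermediate name.
# All zone data below is constructed; 192.0.2.0/24 is the documentation range.
ROOT = {"com": ("NS", "com")}
COM = {"example.com": ("NS", "example.com")}
EXAMPLE_OK = {"www.example.com": ("A", "192.0.2.1"),
              "b.example.com": ("NOERROR", None),   # empty non-terminal
              "a.b.example.com": ("A", "192.0.2.2")}
# A broken server: NXDOMAIN for the empty non-terminal b.example.com
EXAMPLE_BROKEN = {k: v for k, v in EXAMPLE_OK.items() if k != "b.example.com"}
GOOD = {".": ROOT, "com": COM, "example.com": EXAMPLE_OK}
BROKEN = {".": ROOT, "com": COM, "example.com": EXAMPLE_BROKEN}

def lookup(zone, records, qname):
    """Reply of the authoritative server for `zone` to a question for `qname`."""
    if qname == zone:
        return ("NOERROR", None)                 # apex exists, no A record
    if qname in records:
        return records[qname]
    for name, rr in records.items():             # referral below a zone cut
        if rr[0] == "NS" and qname.endswith("." + name):
            return rr
    return ("NXDOMAIN", None)

def resolve(full_name, servers, strict):
    """Resolve an A record with minimised queries. Returns (address or None,
    list of (server zone, name sent)) so the reader can see what each saw."""
    labels = full_name.split(".")
    zone, i, minimise, sent = ".", len(labels) - 1, True, []
    while True:
        qname = ".".join(labels[i:]) if minimise else full_name
        sent.append((zone, qname))
        kind, data = lookup(zone, servers[zone], qname)
        if kind == "A":
            return data, sent
        if kind == "NS":                         # referral: move closer
            zone = data
            if minimise and i > 0:
                i -= 1
            continue
        if kind == "NXDOMAIN" and minimise and not strict and qname != full_name:
            minimise = False                     # relaxed: retry with full name
            continue
        if kind == "NXDOMAIN" or i == 0 or not minimise:
            return None, sent                    # strict mode trusts NXDOMAIN
        i -= 1                                   # NOERROR: reveal one more label
```

Against the broken server, strict mode returns no answer for a.b.example.com, while relaxed mode falls back to sending the full name, which is exactly the trade-off between privacy and resolvability the option controls.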

DNS over TLS

Last but not least, you can now choose the protocol used to talk to your DNS servers. UDP is the standard protocol and the most compatible with all DNS servers, but some users are in an environment where it cannot be used. Some ISPs have been filtering DNS, and TCP simply works around this.

Even better is TLS. All queries to the DNS servers will be encrypted which makes it impossible for your ISP to eavesdrop on them. DNSSEC already makes sure that nobody can change them. All DNS servers need to have their "TLS hostname" configured to be used with TLS.

Currently DNS over TLS has a slight performance impact, because unbound, the DNS resolver used in IPFire, cannot reuse existing TLS connections but opens a new one for each query, which has a large overhead. Hopefully the unbound team will solve this soon, so that in time this impact disappears entirely.

IPFire already supports TLS 1.3 and TCP Fast Open - some further technology to make this secure and fast.
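The building blocks of a DNS over TLS client as described in this section, added here as an example and not IPFire's or unbound's code: the length framing shared by TCP and TLS transports, a TLS context that verifies the server's certificate against the configured "TLS hostname", and several queries carried over one reused connection (the reuse unbound does not yet do). The server address is a placeholder you supply.

```python
# Added example (not IPFire's or unbound's code): pieces of a DNS over TLS
# client (RFC 7858): 2-byte length framing, certificate and hostname checks
# against the configured "TLS hostname", and query reuse of one TLS session.
# server_ip in query_over_tls is a placeholder; nothing here contacts a server.
import socket, ssl, struct

DOT_PORT = 853

def build_query(name, qtype=1, txid=0x1234):
    """Wire-format DNS query (type A by default) with the length prefix."""
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # RD=1, 1 question
    msg = header + qname + b"\x00" + struct.pack("!HH", qtype, 1)  # class IN
    return struct.pack("!H", len(msg)) + msg

def split_message(buf):
    """Take one length-prefixed DNS message off a stream buffer, if complete."""
    if len(buf) < 2 or len(buf) < 2 + struct.unpack("!H", buf[:2])[0]:
        return None, buf
    n = struct.unpack("!H", buf[:2])[0]
    return buf[2:2 + n], buf[2 + n:]

def dot_context():
    """Chain verified against the system CA store, hostname checked, TLS >= 1.2."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx

def query_over_tls(server_ip, tls_hostname, names):
    """Send all `names` over ONE TLS session; replies are keyed by txid."""
    ctx = dot_context()
    with socket.create_connection((server_ip, DOT_PORT)) as raw, \
         ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
        for txid, name in enumerate(names):
            tls.sendall(build_query(name, txid=txid))
        buf, replies = b"", {}
        while len(replies) < len(names):
            chunk = tls.recv(4096)
            if not chunk:
                break                                # server closed early
            buf += chunk
            msg, buf = split_message(buf)
            while msg is not None:                   # replies may arrive in any order
                replies[struct.unpack("!H", msg[:2])[0]] = msg
                msg, buf = split_message(buf)
        return replies
```

Without `server_hostname` and `check_hostname`, a connection would still be encrypted but could be terminated by anyone holding any valid certificate, which is why every server in the new settings page needs its TLS hostname.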

Get ready

This will be released with Core Update 140. Amongst the many new features, we have removed a lot of code that has caused us a lot of trouble in the past and rewritten many things entirely from scratch.

Help us test and please do not forget to donate, so that we can keep things like these coming and make IPFire the best firewall in the world.


Maxmind, a US-based company that is quite well-known for providing the GeoIP database which powers a lot of services that need GeoIP data, has changed the usage policy for this database with effect from the beginning of this year. Unfortunately this makes it unusable for IPFire and we have decided to replace it. Here is how we are going to do it.

IPFire is using geo information for two things: We are showing flags next to DNS servers, firewall hits, etc. and we are using it to block connections from or to certain countries in the firewall.

We, the IPFire developers, started a side-project to replace the Maxmind GeoIP databases in IPFire over two years ago. We felt that this was necessary because the quality of the database was getting worse and worse. Strict licences, as well as changes like the one this December, are very incompatible with the freedom that we want to provide for all IPFire users.

Introducing libloc

The code name is libloc and it is a library written in C which reads from our own location database.

The code is written in a portable way and runs on multiple operating systems so that it can be used by other projects, too. The library is tiny and the code can quickly be audited. Our focus was on easy usability and performance. Because of smart packing of the data into the database and intelligent search algorithms, we are approximately 10 times faster than Maxmind's code. Pages will load faster and libloc can be used in software where location information needs to be present as quickly as possible - for example in the Intrusion Prevention System or in a DNS server that performs load-balancing based on the geographical location of the user. With provided bindings for Python and Perl, it is easy to use in scripting languages, too.

To make sure that you are only using genuine data, the database is cryptographically signed and being automatically updated whenever needed.

It is a really awesome project and many hours of engineering work have been put into it. It is software design at its finest and I had a lot of fun working on the project.

The Changes For Now

Sadly, this project is not yet ready for production and so this is a slightly hurried announcement. Of course you can support us with your donation. Keep watching this blog for any further updates. But so far, here are the most important things:

If you install a new IPFire system with a release version before 2.23 - Core Update 140, you won't be able to use geo blocking. The reason is that Maxmind's database is not being shipped with IPFire because it was unclear if we could do that legally or not. A script regularly updated the database, but this service has now been deactivated by Maxmind.

With Core Update 140 we ship the last version of the database that is available under the old Creative Commons licence. Now, Maxmind requires users to sign a new licence, which we cannot do for various reasons, and therefore we are looking to retire this database altogether and use libloc.

Those changes will come with one of the following updates. The code is already done and in a very good beta stage. What is not yet fully finished is the actual database. We are writing and optimising scripts that gather the information we need and compile it. This is what we are working on right now, and hopefully it won't be long.