Stefan and I have spent the last week adding DNS over TLS to IPFire - another step to make DNS more private. Here is what we have done.

Cleaning up some mess

IPFire had multiple places where DNS servers could be configured. If you were using PPP for your Internet connection, you would have set them up together with your dialup settings. If you were using a static IP address, you would have set up the DNS servers in the setup program. If you were using DHCP, there was a page on the web user interface to go to. This was not only confusing for the user, but there were also multiple places in the code where those settings were applied.

Now, we have created an entirely new page which combines all of it! It has a list where you can set all DNS servers and configure the new settings.

With that, there are a couple more features coming:

For those of you who are running IPFire in a school or at home with children, you can now enable Safe Search for multiple search engines and YouTube. If Safe Search is enabled, all adult and violent content will be filtered in the search results.

This used to be a feature of the web proxy, but since everyone is now using HTTPS everywhere, we can no longer edit the search query being sent to the search engine. Safe Search is now realised by sending the client to a different server which only returns the filtered results and can therefore not be disabled on the client any more.

QNAME Minimisation

To protect your privacy, the DNS proxy inside IPFire strips away any part of the domain name that is not required to resolve the query. That way, the resolver has less of a chance to know what website you are looking for. This will always be enabled, and has been in IPFire for a long time, but a new option has been introduced: An even stricter mode which works according to RFC 7816, but might make some records unresolvable if the upstream name server does not respond according to the standard.
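To make the RFC 7816 behaviour and the strict-mode caveat concrete, here is an added toy simulation (it is not unbound's or IPFire's code); the zone data and the "broken" server behaviour are constructed for illustration.

```python
# Added example: toy simulation of QNAME minimisation (RFC 7816) in relaxed
# and strict mode. Zone data is constructed; no real DNS traffic is sent.
NOERROR, NXDOMAIN, REFERRAL = "NOERROR", "NXDOMAIN", "REFERRAL"

# Constructed zones: root delegates com., com. delegates example.com., and
# example.com. holds a.b.example.com. Its parent b.example.com. is an
# "empty non-terminal": it exists only because a child name exists.
ZONES = {
    ".": {"cuts": ["com."], "names": set()},
    "com.": {"cuts": ["example.com."], "names": set()},
    "example.com.": {"cuts": [], "names": {"a.b.example.com."}},
}

def ancestors(name):
    """'a.b.example.com.' -> ['com.', 'example.com.', 'b.example.com.', 'a.b.example.com.']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def authoritative(zone, qname, broken):
    """Toy authoritative answer of `zone` for `qname`: (rcode, child zone).
    A standards-conforming server answers NOERROR for an empty non-terminal;
    a broken one answers NXDOMAIN, which is the case the page warns about."""
    z = ZONES[zone]
    for cut in z["cuts"]:
        if qname == cut or qname.endswith("." + cut):
            return REFERRAL, cut
    if qname in z["names"]:
        return NOERROR, None
    if any(n.endswith("." + qname) for n in z["names"]):
        return (NXDOMAIN if broken else NOERROR), None
    return NXDOMAIN, None

def resolve(name, strict, broken=False):
    """Resolve `name` one label at a time, so each server only sees the part
    it needs. Returns (result, queries sent as (zone asked, qname))."""
    queries, zone = [], "."
    for cand in ancestors(name):
        queries.append((zone, cand))
        rcode, child = authoritative(zone, cand, broken)
        if rcode == REFERRAL:
            zone = child
        elif rcode == NXDOMAIN:
            if strict or cand == name:
                return "FAIL", queries       # strict mode gives up here
            # relaxed mode: retry with the full name at the same server
            queries.append((zone, name))
            rcode, _ = authoritative(zone, name, broken)
            return ("OK" if rcode == NOERROR else "FAIL"), queries
    return "OK", queries
```

With `broken=True`, strict mode fails at the `b.example.com.` probe while relaxed mode falls back to the full name and still succeeds.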

DNS over TLS

Last but not least, we have added the ability to choose the protocol used to talk to your DNS servers. UDP is the standard protocol and the most compatible with all DNS servers, but some users are in an environment where it cannot be used. Some ISPs have been filtering DNS and TCP will simply work around this.

Even better is TLS. All queries to the DNS servers will be encrypted which makes it impossible for your ISP to eavesdrop on them. DNSSEC already makes sure that nobody can change them. All DNS servers need to have their "TLS hostname" configured to be used with TLS.

Currently DNS over TLS has a slight performance impact, because unbound, the DNS resolver used in IPFire, cannot reuse existing TLS connections, but opens a new one for each query, which has a large overhead. This will hopefully be solved by the unbound team soon, so that in some time this impact will go away entirely.

IPFire already supports TLS 1.3 and TCP Fast Open - two further technologies that make this secure and fast.
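As an added illustration of the protocol described above (this is not unbound's or IPFire's code), the following shows how a DNS query is framed for DNS over TLS and how the configured "TLS hostname" is used to authenticate the server; the server address, hostname and the sample response are assumptions.

```python
# Added example (not unbound's or IPFire's code): how a DNS query is framed
# for DNS over TLS and how the configured "TLS hostname" authenticates the
# server. Only dot_query() touches the network; everything else runs offline.
import socket
import ssl
import struct

def build_query(name, qtype=1, txid=0x1234):
    """Minimal DNS query (RFC 1035): header with RD set, one question. qtype 1 = A."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in labels)
    return header + qname + b"\x00" + struct.pack("!HH", qtype, 1)

def frame(msg):
    """DoT runs over TCP, so each message carries a 2-octet length prefix (RFC 7858)."""
    return struct.pack("!H", len(msg)) + msg

def unframe(stream):
    """Split a TCP/TLS byte stream into complete DNS messages; a trailing partial message is left unread."""
    msgs, pos = [], 0
    while pos + 2 <= len(stream):
        (n,) = struct.unpack("!H", stream[pos:pos + 2])
        if pos + 2 + n > len(stream):
            break
        msgs.append(stream[pos + 2:pos + 2 + n])
        pos += 2 + n
    return msgs

def parse_header(msg):
    """Return id, RCODE, AD flag (DNSSEC-validated data) and answer count."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020), "ancount": an}

def dot_query(server_ip, tls_hostname, name, port=853):
    """Send one query over TLS. `tls_hostname` is the name the certificate is
    verified against; without it the channel is encrypted but not authenticated."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname check
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    with socket.create_connection((server_ip, port), timeout=5) as raw:
        with ctx.wrap_socket(raw, server_hostname=tls_hostname) as tls:
            tls.sendall(frame(build_query(name)))
            data = b""
            while not unframe(data):            # read until one full message
                chunk = tls.recv(4096)
                if not chunk:
                    raise ConnectionError("server closed the connection")
                data += chunk
    return parse_header(unframe(data)[0])
```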

Get ready

This will be released with Core Update 140. Amongst the many new features, we have removed a lot of code that has caused us a lot of trouble in the past and rewritten many things entirely from scratch.

Help us test and please do not forget to donate, so that we can keep things like these coming and make IPFire the best firewall in the world.


Maxmind, a US-based company that is quite well-known for providing the GeoIP database which powers a lot of services that need GeoIP data, has changed the usage policy of this database with effect from the beginning of this year. Unfortunately this makes it unusable for IPFire and we have decided to replace it. Here is how we are going to do it.

IPFire is using geo information for two things: We are showing flags next to DNS servers, firewall hits, etc. and we are using it to block connections from or to certain countries in the firewall.

We, the IPFire developers, started a side project over two years ago to replace the Maxmind GeoIP databases in IPFire. We felt that this was necessary because the quality of the database was getting worse and worse. Strict licences as well as changes like the one this December are very incompatible with the freedom that we want to provide for all IPFire users.

Introducing libloc

The code name is libloc and it is a library written in C which reads from our own location database.

The code is written in a portable way and runs on multiple operating systems so that it can be used by other projects, too. The library is tiny and the code can quickly be audited. Our focus was on easy usability and performance. Because of smart packing of the data into the database and intelligent search algorithms, we are approximately 10 times faster than Maxmind's code. Pages will load faster and libloc can be used in software where location information needs to be present as quickly as possible - for example in the Intrusion Prevention System or in a DNS server that performs load-balancing based on the geographical location of the user. With provided bindings for Python and Perl, it is easy to use in scripting languages, too.

To make sure that you are only using genuine data, the database is cryptographically signed and is automatically updated whenever needed.

It is a really awesome project and many hours of engineering work have been put into it. It is software design at its finest and I had a lot of fun working on the project.

The Changes For Now

Sadly, this project is not yet ready for production and so this is a slightly hurried announcement. Of course you can support us with your donation. Keep watching this blog for any further updates. But so far, here are the most important things:

If you install a new IPFire system with a release version before 2.23 - Core Update 140, you won't be able to use geo blocking. The reason is that Maxmind's database is not being shipped with IPFire because it was unclear if we could do that legally or not. A script regularly updated the database, but this service has now been deactivated by Maxmind.

With Core Update 140 we ship the last version of the database that is available under the old Creative Commons licence. Now, Maxmind requires users to sign a new licence which we cannot do for various reasons, and therefore we are looking to retire this database altogether and use libloc.

Those changes will come with one of the following updates. The code is already done and in a very good beta stage. What is not yet fully finished is the actual database. We are writing and optimising scripts that gather the information we need and compile it. This is what we are working on right now and hopefully it won't be long.


It is time for the first release of the year, IPFire 2.23 - Core Update 139. It is packed with improvements, software updates, and many, many bug fixes.

Improved Booting & Reconnecting

Dialup scripts have been cleaned up to avoid any unnecessary delays after the system has been handed a DHCP lease from the Internet Service Provider. This allows the system to reconnect quicker after loss of the Internet connection and booting up and connecting to the Internet is quicker, too.

Improvements to the Intrusion Prevention System

Various smaller bug fixes have been applied in this Core Update which make our IPS a little bit better with every release. To take advantage of deeper analysis of DNS packets, the IPS is now informed about which DNS servers are being used by the system.

TLS

IPFire is configured as securely as possible. At the same time, we focus on performance, too. For connections to the web user interface, we do not allow using CBC any more. This cipher mode is beginning to crack and the more robust GCM is available.

Whenever an SSL/TLS connection is being established to the firewall, we used to prefer ChaCha20/Poly1305 as a cipher. Since AES-NI is becoming more and more popular even on smaller hardware, it makes sense to prefer AES. The vast majority of client systems support this as well, which will allow them to communicate faster with IPFire systems and save battery power.
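A way to check a TLS cipher configuration against the two points above (no CBC suites, AES-GCM preferred over ChaCha20), as an added example that is not IPFire's own configuration; the two cipher strings are constructed for illustration.

```python
# Added example (not IPFire's configuration): expanding OpenSSL cipher
# strings to verify that CBC suites are gone and AES-GCM is preferred over
# ChaCha20. OLD and NEW are constructed strings, not copied from IPFire.
import ssl

def tls12_suites(cipher_string):
    """Expand an OpenSSL cipher string as a server would and return its
    TLS 1.2 suites in preference order as (name, aead) pairs. TLS 1.3
    suites (names starting with TLS_) are all AEAD and are left out."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.set_ciphers(cipher_string)
    return [(c["name"], c["aead"]) for c in ctx.get_ciphers()
            if not c["name"].startswith("TLS_")]

def cbc_suites(cipher_string):
    """Non-AEAD suites. For AES-only selections these are exactly the CBC
    modes (OpenSSL names them without the word CBC, e.g.
    ECDHE-RSA-AES256-SHA384)."""
    return [name for name, aead in tls12_suites(cipher_string) if not aead]

def preferred_family(cipher_string):
    """Cipher family a server offering this string prefers."""
    name = tls12_suites(cipher_string)[0][0]
    if "GCM" in name:
        return "AES-GCM"
    return "CHACHA20" if "CHACHA20" in name else "other"

OLD = "ECDHE+CHACHA20:ECDHE+AES"     # constructed: ChaCha20 first, CBC allowed
NEW = "ECDHE+AESGCM:ECDHE+CHACHA20"  # constructed: AES-GCM first, AEAD only

if __name__ == "__main__":
    for label, s in (("old", OLD), ("new", NEW)):
        print(label, preferred_family(s), "CBC suites:", cbc_suites(s))
```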

Misc.

  • The microcode for Intel processors has been updated again to mitigate vulnerabilities from the last Core Update
  • PC Engines APU LEDs are now controlled using the ACPI subsystem which is made possible using the latest BIOS version 4.10.0.3
  • Captive Portal: Expired clients are now automatically removed
  • Dynamic DNS: Support for NoIP.com has been fixed in ddns 12
  • Updated packages: Python 2.7.17, bash 5.0, bind 9.11.13, cpio 2.13, libarchive 3.4.0, logwatch 7.5.2, lz4 1.9.2, openvpn 2.4.8, openssh 8.1p1, readline 8.0 (and compat version 6.3), squid 4.9, unbound 1.9.5

Add-Ons

  • clamav has been updated to 0.102.1 which includes various security fixes
  • libvirt has been updated to version 5.6.0 for various bug fixes and feature enhancements, and support for LVM has been enabled.
  • qemu has been updated to 4.1.0
  • Various others: nano 4.6, postfix 3.4.8, spectre-meltdown-checker 0.42