Open-source IPFire DNS Firewall blocks malware and phishing at the resolver

The IPFire project shipped Core Update 201 for its 2.29 release line, bringing DNS-layer domain blocking into the open-source firewall distribution. The update is positioned as a replacement for two tools that many IPFire operators had paired with the system for years, the built-in URL Filter and an external Pi-hole, by enforcing blocklists directly inside the firewall’s DNS proxy.


How the DNS Firewall handles queries

Every DNS query that a client on an IPFire-protected network sends to the firewall’s resolver is, with Core Update 201, checked against the IPFire Domain Block List, known as IPFire DBL, before it is forwarded upstream. A name on the list is answered with NXDOMAIN, telling the client the name does not exist. No connection to the blocked host follows, and no lookup for it leaves the network. The check only covers clients that actually use the firewall’s resolver: a device configured with a hard-coded public DNS server or DNS over HTTPS bypasses it unless its DNS traffic is forced through the firewall.

The project maintains IPFire DBL itself, with categories covering malware, phishing, advertising, and unwanted content.
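To make the resolver-side behaviour concrete, here is a small model of the decision the paragraph describes: parse a DNS query off the wire, match the queried name (and every parent domain, so a subdomain of a listed domain is caught too) against a block list, and build an NXDOMAIN reply that echoes the question back instead of forwarding it. This is an added example written for this page, not IPFire code or the IPFire DBL format; the block list entries and the transaction ID are constructed.

```python
"""Toy model of a resolver-side domain block: parse a DNS query, check the QNAME and its
parent domains against a block list, and answer NXDOMAIN instead of forwarding.
Added example, not IPFire code; the block list below is constructed sample data."""
import struct

BLOCKLIST = {"malware.example", "phish.example"}   # constructed sample entries


def encode_name(name: str) -> bytes:
    """Wire-format QNAME: length-prefixed labels terminated by a zero byte."""
    return b"".join(bytes([len(label)]) + label.encode("ascii")
                    for label in name.rstrip(".").split(".")) + b"\x00"


def build_query(name: str, qtype: int = 1, txid: int = 0x1234) -> bytes:
    """Standard recursive query (RD=1) for <name>, class IN, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, 1)


def parse_qname(msg: bytes, offset: int = 12):
    """Read the QNAME starting at <offset>; return (dotted lowercase name, offset after it)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question section")
        labels.append(msg[offset:offset + length].decode("ascii").lower())
        offset += length
    return ".".join(labels), offset


def is_blocked(name: str, blocklist=BLOCKLIST) -> bool:
    """True if the name or any parent domain is listed, so cdn.malware.example matches."""
    labels = name.rstrip(".").lower().split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


def handle_query(msg: bytes, blocklist=BLOCKLIST):
    """Return ("FORWARD", None) for a clean name, or ("NXDOMAIN", response) for a listed one."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    txid, flags, qdcount, *_ = struct.unpack("!HHHHHH", msg[:12])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    qname, end = parse_qname(msg)
    question = msg[12:end + 4]          # QNAME + QTYPE + QCLASS, echoed back unchanged
    if not is_blocked(qname, blocklist):
        return "FORWARD", None          # a real resolver would now go upstream
    # QR=1, keep opcode and RD from the query, set RA, RCODE=3 (NXDOMAIN); no answer RRs
    resp_flags = 0x8000 | (flags & 0x7900) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return "NXDOMAIN", header + question


def rcode(msg: bytes) -> int:
    """Low four bits of the flags word: 0 = NOERROR, 3 = NXDOMAIN."""
    return struct.unpack("!H", msg[2:4])[0] & 0x000F


if __name__ == "__main__":
    for n in ("cdn.malware.example", "www.example.org", "phish.example"):
        decision, resp = handle_query(build_query(n))
        print(n, decision, None if resp is None else f"rcode={rcode(resp)} len={len(resp)}")
```

The suffix walk in is_blocked is the part worth copying: a list entry for malware.example should also cover cdn.malware.example, and a plain set lookup on the full QNAME would miss it. The reply reuses the query's transaction ID and question section, which is what makes a stub resolver accept it as the answer to its own question.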

Incremental zone transfers for list delivery

Blocklist updates reach deployed firewalls through IXFR, the incremental DNS zone transfer mechanism defined in RFC 1995. Only the changes between list versions move across the wire, and the refresh cycle runs automatically within the hour.

Michael Tremer, IPFire’s lead developer, told Help Net Security that bandwidth was the deciding factor. “Some lists are rather large (for example malware and pornography which are also quite popular lists at the same time) and repeated downloads just because a handful of domains have been added or removed is completely unwarranted,” he said. “It will cost a lot of bandwidth for us and also the user. Some IPFire users are behind cellular connections or are living in places where they simply cannot afford to download gigabytes of data on a regular basis.”

Tremer said a full download of the malware and phishing lists would run to roughly 100 MiB per update, making daily or weekly HTTP-based refreshes impractical for the phishing category in particular.

He described the collaboration behind the phishing feed. “For the phishing list we are working together with a couple of organisations that have a whole team that is analysing honeypot data and reports that are being sent to them by their customers. They identify any phishing domains and report them to us. Adding them to the list immediately and updating all clients around the world within less than an hour is crucial because a lot of phishing sites are only online for a few days, sometimes even a few hours.”

Changes are batched and pushed every five minutes across all categories, according to Tremer.
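The following is an added example, not IPFire code, that models what the RFC 1995 exchange above buys: a server holds successive list versions by serial, a client that reports its serial receives only the deleted and added records for each step (each step bracketed by the old and new SOA), and applying that sequence reproduces the newest version exactly. The block list is encoded here as a response-policy-zone-style zone with one CNAME per blocked domain, which is an assumption made for illustration; the page does not describe the real IPFire DBL zone layout, and the domains and zone name are constructed.

```python
"""Toy model of RFC 1995 incremental zone transfer (IXFR) for a domain block list.
Added example, not IPFire code. Encoding the list as an RPZ-style zone (one CNAME per
blocked domain) is an assumption for illustration; the real DBL layout is not on the page."""
from dataclasses import dataclass

ZONE = "dbl.example."          # hypothetical list zone name


@dataclass(frozen=True, order=True)
class RR:
    name: str
    rtype: str
    rdata: str


def soa(serial: int) -> RR:
    # A real SOA carries more fields; only the serial matters for IXFR bookkeeping.
    return RR(ZONE, "SOA", f"serial={serial}")


def serial_of(rr: RR) -> int:
    return int(rr.rdata.split("=")[1])


def list_records(domains) -> frozenset:
    """One record per blocked domain under the list zone."""
    return frozenset(RR(f"{d}.{ZONE}", "CNAME", ".") for d in domains)


def make_ixfr(history, client_serial):
    """history: list of (serial, records), oldest first. Returns the RR sequence a server sends."""
    latest_serial, latest_records = history[-1]
    if client_serial == latest_serial:
        return [soa(latest_serial)]           # a lone SOA means: you are current
    if client_serial not in {s for s, _ in history}:
        # No diff chain from that serial: fall back to a full (AXFR-style) transfer
        return [soa(latest_serial), *sorted(latest_records), soa(latest_serial)]
    out = [soa(latest_serial)]
    start = next(i for i, (s, _) in enumerate(history) if s == client_serial)
    for (old_s, old_r), (new_s, new_r) in zip(history[start:], history[start + 1:]):
        # old SOA, deletions, new SOA, additions: one step of the diff chain
        out += [soa(old_s), *sorted(old_r - new_r), soa(new_s), *sorted(new_r - old_r)]
    out.append(soa(latest_serial))
    return out


def apply_ixfr(serial, records, response):
    """Apply a make_ixfr() response to (serial, records); return the new (serial, records)."""
    records = set(records)
    target = serial_of(response[0])
    if len(response) == 1:
        return serial, frozenset(records)
    if response[1].rtype != "SOA":            # full transfer: SOA, all records, SOA
        return target, frozenset(response[1:-1])
    i = 1
    while i < len(response) - 1:
        if serial_of(response[i]) != serial:
            raise ValueError(f"diff starts at serial {serial_of(response[i])}, have {serial}")
        i += 1
        while response[i].rtype != "SOA":      # deletions until the new SOA
            records.discard(response[i]); i += 1
        serial = serial_of(response[i]); i += 1
        while response[i].rtype != "SOA":      # additions until the next SOA
            records.add(response[i]); i += 1
    assert serial == target, "diff chain did not end at the advertised serial"
    return serial, frozenset(records)


def demo():
    """Three list versions: 200 entries, then 3 removed and 5 added, then 2 more added."""
    base = [f"bad{i}.example" for i in range(200)]   # constructed, not real domains
    dropped = {"bad3.example", "bad17.example", "bad99.example"}
    v1 = list_records(base)
    v2 = list_records([d for d in base if d not in dropped] + [f"new{i}.example" for i in range(5)])
    v3 = v2 | list_records(["late1.example", "late2.example"])
    history = [(1, v1), (2, v2), (3, v3)]
    incremental = make_ixfr(history, client_serial=1)
    serial, recs = apply_ixfr(1, v1, incremental)
    full = make_ixfr(history, client_serial=0)      # unknown serial forces a full transfer
    return serial, recs == v3, len(incremental), len(full)


if __name__ == "__main__":
    print(demo())
```

Running demo() moves a client from serial 1 to serial 3 with 16 records on the wire against 206 for a full transfer of the same list, which is the saving Tremer describes scaled down to a toy list. The ValueError in apply_ixfr is the check a client needs: a diff chain that does not start at the serial it actually holds must not be applied.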

Migration for URL Filter and Pi-hole users

Operators running the URL Filter or a separate Pi-hole device will need to move their configurations by hand. Custom block and allow lists do not transfer automatically between the URL Filter and the new DNS Firewall interface.

“We don’t migrate any custom block/allow lists from URL Filter automatically, but the user can simply copy and paste them from one page on the web UI into the other,” Tremer said. “The format and managing the lists is super simple, a text box that takes all domains.”

The DNS Firewall requires no client configuration, no additional hardware, and no HTTPS inspection, removing the proxy setup and certificate handling that the URL Filter depended on.

Other changes in Core Update 201

The Intrusion Prevention System now supports different recipient configurations for daily, weekly, and monthly IDS reports, allowing teams to route each cadence to the people responsible for that review interval.

An experimental build for RISC-V devices ships with this update, with kernel configuration work contributed by developer Arne F. The network installer allocates more disk space when booting from the network, accommodating the larger ISO.

Stefan Schantl removed Rust packages no longer required by the distribution, cutting build overhead and attack surface. Web Proxy Firewall Rules are now created with the iptables --wait flag, so rule insertion waits for the xtables lock instead of failing when another process holds it, which removes a race during rule insertion.

The toolchain has been rebased on glibc 2.43 and GNU binutils 2.46.0. Updated packages in the release include BIND 9.20.20, OpenSSL 3.6.1, OpenVPN 2.6.19, Ruby 4.0.1, Samba 4.23.5, suricata-reporter 0.7, vim 9.1.2147, and wireless-regdb 2026.02.04, among others.

On the add-on side, the Neighbourhood Scan description in the Wireless Access Point add-on has been corrected after it was found to be inverted. Adolf Belka contributed a Dutch translation for the package. Updated add-ons include ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, and tshark 4.6.4.

The 7zip add-on has been removed from the collection. The upstream project is no longer maintained, and the IPFire developers cited security posture as the reason for dropping it.

Existing IPFire installations can apply the update through Pakfire. The project recommends a reboot after installation to ensure every component runs the new versions.
