Generic question of DNS requests and FW handling/routing

Hello everybody,
I have a simple question regarding “How DNS works” on IPFire.

My config is only red and green interfaces, on the red interface I have a static IP and a gateway IP configured.
But why do I not have to configure a DNS IP? How does IPFire know how to handle a DNS request?

My default FW behaviour is to block forwarding and accept outgoing traffic. For the very small number of ports I will use, I have rules configured in the FW, also for DNS. Furthermore I have a check at “use applied DNS from ISP”!? But why? I have a static address and DHCP configured … hm … ?

However, I have no idea how my DNS is working on my FW, which scares me!
But I see the DNS requests from green going into the FW (black), and the FW (black) is talking with many servers on the www (red) regarding the DNS request - that’s what I assume due to the dozens of port 53 requests listed on the connections page.

As info: I swapped from IPCop to IPFire a week ago - on the ‘Cop’ I didn’t have this behaviour. DNS was forwarded to my DSL router - that’s it, simple and understandable … for me :wink:

Maybe one of the experts can bring me on track and explain briefly how it works, or where my flaw in understanding DNS on IPFire is?
Once I have a brief intro I will self-study this topic to avoid stressing about basics here :wink:

Many thanks in advance!

BR x11rabbit

Welcome to the IPFire community, x11rabbit!

IPFire has its own DNS proxy (unbound). This is configured with the DNS page.
But if you do not reject DNS requests to the wide world, this doesn’t matter for the clients. But it does matter for IPFire itself.
unbound queries DNSSEC-aware domain servers outside. Many ISP DNS servers are not DNSSEC compatible, thus the config option to use/not to use ISP servers.

Regarding your question I assume that you have not RTFM. The corresponding information you can find at

Recursive Resolver

I can’t see any question from you that’s not perfectly explained in our wiki.

No, you have to study first and then you can come back for questions! Also if you get stuck at any step in the wiki, just come back and ask. :wink:

Many thanks for that info!
“unbound” I’ve seen in passing ;-), but I skipped further analysis of this topic for the reason “looking for simple old-fashioned style DNS”.
So, this means I have to stick my nose into “unbound” to become aware of how this proxy interacts with IPFire :wink:.
I haven’t used it on my old FW, but it looks like it is time to adjust to more modern and safer DNS :wink:

Many thanks again and have a nice one.

BR x11rabbit


I checked out “”: when I deactivate “use applied DNS from ISP” and hack in the DNS server IPs which are (at this time) stored in my router, all DNS requests are forwarded to these DNS addresses - so far so good.
But what if these ISP DNS are down? OK, to avoid this I can add 20 or more public DNS IPs manually.

I checked “” also before I sent my question here.
“DNS protocol” and “Qname” fully understood, “safe search” not … based on what rules, where are the rules? Some defaults? Somewhere in the URL filter? Doesn’t matter anyway because “safe search” isn’t in use on my IPF.
What I miss in that description is where IPF learns the DNS address from my ISP. Reason for this question: I’ve only configured a static IP for red and a gateway address, no DNS address! On my previous FW I had to apply an IP for DNS requests too. This confuses me!
OK, now I know about “unbound”, but to me it’s like studying FW components and architecture before reading the manual … just an opinion, forget about it …

I read and fully understood “”, I even used/applied it - it seems to be necessary to configure the iptables default behaviour.

No, you have to study first and then you can come back for questions!
Also if you get stuck at any step in the wiki, just come back and ask.

Let’s see! I have run IPF for about one week and my f… poor Jetway J7F4, driven by an even poorer VIA C3 CPU, has already crashed 2 times!!! Completely frozen, no GUI access, no network traffic and no reaction on the console (a hard-wired one with a physical keyboard and monitor hooked up)!
One crash happened during GUI access, the other one today via SSH console using mc.
THIS is the most critical point for me to stay here as a long-term member :stuck_out_tongue:
I am a ‘COP’-spoiled one (rev. 1.4 and 2.x) and over all these years I had only one (maybe two?) of these crashes. I will not give up that fast and will give it a try with another “high power consumption” 64-bit board before continuing to use IPF and buying a “ZBOX”.

Nevertheless, thanks for your reply!

BR x11rabbit

Your question made no sense to me. Search. I suggest giving a search engine a try.

You already told us this, and I already provided you the answer in my very first link (including my comment).

No, never, I don’t agree.

I am in no way convinced that you have started to RTFM. Please impress me soon :wink:

In the case of a static IP on RED, you have to configure the DNS server(s) in the WUI, as stated in the wiki.

He told us 2 times now that he has no DNS configured and wonders why it works anyway. He also told us he has ISP DNS deactivated.

Your answer is not correct, because without any settings in DNS/without ISP DNS, IPFire works in recursor mode. So my posting is correct.

Yes, you’re right! :wink:
But without really RTFM, my statement is also correct.
unbound goes into recursor mode if no DNS servers are specified. But this is not the behaviour really wanted.
Thus it is true: “DNS server must be configured in WUI for static config on RED”.
This is stated in the installation topics of the wiki also. And this is a difference from IPCop, which used the ‘old’ static config <IP, gateway, DNS server>.

I was not the one who did not mention RTFM :wink:

That was not the question.

How you configure it anyway, I have also mentioned in my first post.

I am accustomed to concentrating on the questions; in your answers I have missed that a little :stuck_out_tongue:

Because we do not really know the config of the thread opener, all answers are somewhat incorrect or incomplete. :wink:

BTW: the noise reminds me of Shakespeare’s “Much Ado About Nothing” :slight_smile:

Yes, I will impress you!
You have won!
Make a printout of this thread and hang it on your wall with the comment “I needed way less than 24 hours to kick this f…g stupid guy off the board - awesome, yeah”.

If you had described your system a bit more precisely in your opening post, the answers would also have been more specific. :wink:

To make it short:

  • DNS is done in IPFire by unbound, a DNS proxy.

  • unbound gets its DNS info from the servers configured by DHCP and in the WUI.

  • If there are no DNS servers specified, unbound enters ‘recursor mode’ (getting the info from the top-level domains and recursing over lower domains). Thus it is possible to do a DNS resolution without explicit specification of an upstream DNS server.

Being a user of IPCop for many years (and because IPCop hasn’t been supported or developed for years), you should be able to find the differences between IPCop and IPFire by studying the wiki.
A good starting point are the links cited by tulpenknicker.
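To make the two modes in the list above concrete, here is an illustrative unbound.conf added to this thread as an example. It is not IPFire’s generated configuration (IPFire writes its own unbound files from the WUI settings), and the file paths, the green network 192.168.1.0/24 with the firewall at 192.168.1.1, and the upstream addresses 192.0.2.53/192.0.2.54 (documentation addresses) are assumptions. The first form has no forward-zone, so unbound resolves from the root hints itself (recursor mode); the commented-out second form forwards everything to the servers you would otherwise enter in the WUI. DNSSEC validation stays on in both cases.

```conf
# Illustrative unbound.conf (added example, not IPFire's generated config).
# Assumed: green network 192.168.1.0/24, firewall at 192.168.1.1,
# upstream resolvers 192.0.2.53/192.0.2.54, files under /etc/unbound/.

server:
    interface: 192.168.1.1              # listen on green only, never on red
    port: 53
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse    # anything else (i.e. from red) is refused

    # DNSSEC validation, independent of which upstream mode is used below
    auto-trust-anchor-file: "/etc/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no             # fail closed on bogus answers
    qname-minimisation: yes

    # --- Recursor mode ---
    # With no forward-zone clause in this file, unbound walks down from the
    # root servers by itself. This is the behaviour you get when no upstream
    # DNS server is configured.
    root-hints: "/etc/unbound/root.hints"

# --- Forward mode ---
# Uncomment to send every query to the upstreams you would enter in the WUI
# (the ISP resolvers from the thread, or public ones). unbound still
# validates DNSSEC on the answers it gets back, so an upstream that strips
# RRSIGs makes every signed name fail with SERVFAIL instead of resolving.
#
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53
#     forward-addr: 192.0.2.54
```

Check the syntax with `unbound-checkconf /etc/unbound/unbound.conf` before restarting. To see which mode is active from a green client, run `dig @192.168.1.1 +dnssec example.com`: a validated answer carries the AD flag, and in recursor mode the firewall’s connection table fills with port 53 sessions to root, TLD and authoritative servers, which is exactly the “dozens of port 53 requests” from the firewall itself that the opening post describes. In forward mode those sessions collapse to the configured forward-addr entries.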


Ah, account still works :wink:
Hi Bernhard.
I really appreciate your replies!
I know that my threads are quite unspecific, but this is not a surprise because I started days ago with IPF.
I am also able to take criticism, but I am not looking for a fight - this is not targeting you!

BR x11rabbit

For the record:
The ‘fight’ was mainly between tulpenknicker and me.
Why do you fear being kicked off? You posed a question, formulated in the manner many old IPCop users do. We recommended reading the manuals (with IPFire this is the wiki) to get into the different philosophies of the systems.
IPCop was a system designed for quick installation of internet access and easy to configure.
IPFire was a side development of IPCop. But the project has changed into a hardened, secure firewall appliance, which demands some insight into its functions and knowledge about configuring them.
Maybe your special config isn’t described in the wiki thoroughly (I think most systems use a kind of connection-based WAN config, DHCP for example), but the facts can be found in the wiki.

To answer your main question, look at my last answer.
The definition of the DNS server for static IPs has moved from setup to the WUI because of complexity. Thus there is one place for DNS config for all types of WAN connection.

If you have many crashes, this is not normal. Do you have some logs from the moment when this occurred?


It’s not the fear of being kicked off; I asked for a forum sign-off.

Regarding “The ‘fight’ was mainly between tulpenknicker and me.”: I know, but if you enter a pub and feel wrong location, wrong time, you may leave.

BR x11rabbit

P.S. Many thanks for your support!
I get it more and more, it’s the same old: study, study, study, and for the rest look into the code, or in this case the system configs.
