IPFire on APU2 - DNS broken

I tried IPFire on my APU2 and I can’t get around a broken DNS problem.

The setup:
ISP <- FritzBox <- APU2 <- managed switch

IPFire is installed on APU2. IPFire is connected on LAN interface 1 of FritzBox. That’s the red interface. The red interface automatically gets an IP from FritzBox (DHCP).
Next is the green interface. It’s connected to a managed switch so that my devices connected to the switch will hopefully get internet access. IPFire manages a DHCP for the green interface. That should be alright.

I installed IPFire the proper way like this instruction: IPFire installation and configuration for APU2 - asciinema but without the blue interface. My APU2 runs with latest Coreboot firmware.

I just don’t know how to get DNS running. I tried disabling ISP DNS and added some DNS from https://www.opennicproject.org but it also did not work. Also tried UDP, TLS and TCP on each DNS. Everything was the out of the box install so I did no firewall changes at all.
Red and green are both “Normal”. No bridge at all.


If you change the DNS server to (google DNS), does the DNS start working?

I am guessing the IP name server address in your image above (192.168.xxx.xxx) is the issue.

EDIT: Here is a list of usable DNS servers:

1 Like

192.168.xxx.xxx is the IP adress of the FritzBox, thus provider DNS. Thanks I’ll try some more DNS servers. But why does pfSense run out of the box with ISP DNS and IPFire can’t?

For IPFire, maybe the ISP DNS doesn’t support DNSSEC.

I know little to nothing about pfSense (I tried it for ~6 months). Maybe pfSense was not configured for DNSSEC?!?


It’s working with alternative DNS servers! Thanks.

“I would once again strongly consider to avoid sending your whole browser history to the big ones that are guaranteed to use it again you. Stay away from Google, Cloudflare, etc.” (from blog.ipfire.org - What you can do with the new DNS features in IPFire)

Well, I can only use Digitalcourage and others in UDP-mode. If I try TLS, then the status says “broken”. I filled the hostnames so I don’t know how to make TLS work.

Let’s go back to google dns for a moment. It is not the best pick and not one I would recommend, but it is good for testing.

If you change the DNS server to (google DNS), does the DNS start working with TLS?

If you change the DNS server to (Quad9 DNS), does the DNS start working with TLS?

No never, this can not work…

Btw. my deepest opinion is that you should stopping motivate people again and again to use/try such bulls*t companies.

Sorry, I do not like google DNS either, but the is an IP which should work.
I have brought up my DNS system after some misconfiguration with it, too.
If DNS works, one should disable google, that’s right. But why shouldn’t one use such a tool for the minimal time necessary.

1 Like

Thats true but the recommendation is to use it together with TLS… Seems you both dont use TLS :wink: (hint for the blinds: there is some important part missing…) :stuck_out_tongue:

This depends on what your opinion is about this. It makes no difference to me personally how long I use something. I use it or I don’t use it. If I think it’s bullsh**t, I definitely don’t use it, no matter if just a short time or longer… And use only short time doesn’t make this company better :wink:

As i said its my deepest opinion it must not yours or anyone else :wink:

Can you name a basic TLS DNS server, which should surely work?
If yes, we all can use that for proof of functioning. :wink:

BTW, I use TLS. So your argument is also the b* word. :wink:

Let us start from start a little bit structured now :wink:

Few things what catch my eyes from the very beginning

Well you choose a video (outdated) and wonder why you was not able to proper run DNS

At this stage it seems you still dont have RTFM anything :frowning:

Maybe some light :wink:

So i have a few questions now:

  • Do you have now full RTFM how you proper configure DNS in our wiki?
  • Can you please so kind provide a screenshot how your DNS settings looks like at the moment?
  • Can you provide a screenshot from the Zones?
  • Do you have DoT configured in your Fritzbox? If yes do it works?
  • Do you have anything denied in your Fritzbox?


If you change the DNS server to (Quad9 DNS), does the DNS start working with TLS?

Bro, chill. I have.

It does work there. Tested both Digitalcourage and *Schweiz

Nothing is restricted by the Fritzbox.

Please don’t bite me because of google. :joy:


I don’t bite i only bark when i think it helps for security/privacy :wink:

I don’t see anything suspicious in your provided screenshots that would indicate why it’s not working. With a default installation this should work. What kind of error message do you get when hovering over errors(Fehler) after pressing check servers?

1 Like

Hi Dude,
I did read your issue and it did remember on my previous configuration with my former FritzBox (7490) and the IPFire (APU4).

Three further comments from my experience:

  • Did you configure the LAN interface as “Exposed Port” within the FritzBox? The Exposed Port is de-facto a DMZ port within the FritzBox. I assume that your IPFire act as own router for the green network.
  • To avoid any issues with the DHCP from the FritzBox, configure your Red Interface with an static IP (from your FritzBox’s IP range) and don’t forget to add the gateway IP from the FritzBox within the setup of the IPFire.
  • Start the DNS server without DoT from the FritzBox. The DoT service from the FritzBox has currently some issues and AVM is aware to fix.
    Good luck
1 Like

  • I don’t think it’s set as “exposed port” Just unchanged standard mode meant for a LAN device.
  • Maybe I’ll try to do a static IP approach.
  • I only tested DoT on the Fritzbox and after successful testing I configured into DNSSEC. I am aware of the DoT bugs of the Fritzbox.

DNSSEC runs on my IPFire without problems. Only TLS doesn’t want to yet.

Hi @whypenguinsquint,

To get more information on the “can’t connect” error message you are seeing try the following dig command from the console. The example is for the dns2.digitalcourage.de server. There is a part for the ip address at the start and part for the hostname at the end of the command. You need to change both if you want to use it to test another server.

kdig @ +dnssec +bufsize=1232 +tls-ca=/etc/ssl/certs/ca-bundle.crt +tls-hostname=dns2.digitalcourage.de -d

Here is the result I got back from that command, in this case with no problems. If you are having problems then there will be error messages indicating in which part of the process the failure is occurring.

;; DEBUG: Querying for owner(.), class(1), type(2), server(, port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG:  #1, CN=dns2.digitalcourage.de
;; DEBUG:      SHA-256 PIN: v7rm6OtQQD3x/wbsdHDZjiDg+utMZvnoX3jq3Vi8tGU=
;; DEBUG:  #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG:      SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted. 
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27048
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 14; AUTHORITY: 0; ADDITIONAL: 1

;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR

;; .                   		IN	NS

.                   	84994	IN	NS	h.root-servers.net.
.                   	84994	IN	NS	i.root-servers.net.
.                   	84994	IN	NS	j.root-servers.net.
.                   	84994	IN	NS	k.root-servers.net.
.                   	84994	IN	NS	l.root-servers.net.
.                   	84994	IN	NS	m.root-servers.net.
.                   	84994	IN	NS	a.root-servers.net.
.                   	84994	IN	NS	b.root-servers.net.
.                   	84994	IN	NS	c.root-servers.net.
.                   	84994	IN	NS	d.root-servers.net.
.                   	84994	IN	NS	e.root-servers.net.
.                   	84994	IN	NS	f.root-servers.net.
.                   	84994	IN	NS	g.root-servers.net.
.                   	84994	IN	RRSIG	NS 8 0 518400 20210126050000 20210113040000 42351 .     M25AUq1YZn/gZfvMnhwR1JVgAYPjePhz+Dhae2N6T6Banz/JcSDGJurCWtikMO6hzo6QmTAqb49cCA6+XLtDglY7GfOizJsHSGqWdmYLTayrVm7dhdVu2Pox4jhCYNqxt8tqK4iSTBAIB4F3HHHAPwbQkLLH5ymruvhQ1pfjCtbrlDptGOXd00lnui6OhxzzkkIykmfFFiX2IvwfzghEIQX5w+XSoQ7VQs/fmb0m+zW5YWQT/R0LPpuyYfr9LaLejoWv8ibpElyv9l4jFxm7TJHmc2MpXrYYJMczM47bHkPbwfXyfcF3nfBWdlAIO4N7RPqjB7r/CStyScHZdmTskA==

;; Received 525 B
;; Time 2021-01-13 15:09:51 CET
;; From in 177.8 ms
1 Like