The setup:
ISP <- FritzBox <- APU2 <- managed switch
IPFire is installed on APU2. IPFire is connected on LAN interface 1 of FritzBox. That’s the red interface. The red interface automatically gets an IP from FritzBox (DHCP).
Next is the green interface. It’s connected to a managed switch so that my devices connected to the switch will hopefully get internet access. IPFire manages a DHCP for the green interface. That should be alright.
I just don’t know how to get DNS running. I tried disabling ISP DNS and added some DNS from https://www.opennicproject.org but it also did not work. Also tried UDP, TLS and TCP on each DNS. Everything was the out-of-the-box install so I did no firewall changes at all.
Red and green are both “Normal”. No bridge at all.
192.168.xxx.xxx is the IP address of the FritzBox, thus provider DNS. Thanks, I’ll try some more DNS servers. But why does pfSense run out of the box with ISP DNS and IPFire can’t?
Well, I can only use Digitalcourage and others in UDP-mode. If I try TLS, then the status says “broken”. I filled the hostnames so I don’t know how to make TLS work.
Sorry, I do not like google DNS either, but the 8.8.8.8 is an IP which should work.
I have brought up my DNS system after some misconfiguration with it, too.
If DNS works, one should disable google, that’s right. But why shouldn’t one use such a tool for the minimal time necessary?
That’s true but the recommendation is to use it together with TLS… Seems you both don’t use TLS (hint for the blinds: there is some important part missing…)
This depends on what your opinion is about this. It makes no difference to me personally how long I use something. I use it or I don’t use it. If I think it’s bullsh**t, I definitely don’t use it, no matter if just a short time or longer… And using it only for a short time doesn’t make this company better.
As I said, it’s my deepest opinion, it must not be yours or anyone else’s.
I don’t bite, I only bark when I think it helps security/privacy.
I don’t see anything suspicious in your provided screenshots that would indicate why it’s not working. With a default installation this should work. What kind of error message do you get when hovering over errors (Fehler) after pressing check servers?
Hi Dude,
I read your issue and it reminded me of my previous configuration with my former FritzBox (7490) and the IPFire (APU4).
Three further comments from my experience:
Did you configure the LAN interface as “Exposed Port” within the FritzBox? The Exposed Port is de facto a DMZ port within the FritzBox. I assume that your IPFire acts as its own router for the green network.
To avoid any issues with the DHCP from the FritzBox, configure your Red Interface with a static IP (from your FritzBox’s IP range) and don’t forget to add the gateway IP from the FritzBox within the setup of the IPFire.
Start the DNS server without DoT from the FritzBox. The DoT service from the FritzBox currently has some issues and AVM is aware of them and will fix them.
Good luck
To get more information on the “can’t connect” error message you are seeing, try the following dig command from the console. The example is for the dns2.digitalcourage.de server. There is a part for the IP address at the start and a part for the hostname at the end of the command. You need to change both if you want to use it to test another server.
Here is the result I got back from that command, in this case with no problems. If you are having problems then there will be error messages indicating in which part of the process the failure is occurring.
;; DEBUG: Querying for owner(.), class(1), type(2), server(46.182.19.48), port(853), protocol(TCP)
;; DEBUG: TLS, imported 138 certificates from '/etc/ssl/certs/ca-bundle.crt'
;; DEBUG: TLS, received certificate hierarchy:
;; DEBUG: #1, CN=dns2.digitalcourage.de
;; DEBUG: SHA-256 PIN: v7rm6OtQQD3x/wbsdHDZjiDg+utMZvnoX3jq3Vi8tGU=
;; DEBUG: #2, C=US,O=Let's Encrypt,CN=R3
;; DEBUG: SHA-256 PIN: jQJTbIh0grw0/1TkHSumWb+Fs0Ggogr621gT3PvPKG0=
;; DEBUG: TLS, skipping certificate PIN check
;; DEBUG: TLS, The certificate is trusted.
;; TLS session (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
;; ->>HEADER<<- opcode: QUERY; status: NOERROR; id: 27048
;; Flags: qr rd ra ad; QUERY: 1; ANSWER: 14; AUTHORITY: 0; ADDITIONAL: 1
;; EDNS PSEUDOSECTION:
;; Version: 0; flags: do; UDP size: 1232 B; ext-rcode: NOERROR
;; QUESTION SECTION:
;; . IN NS
;; ANSWER SECTION:
. 84994 IN NS h.root-servers.net.
. 84994 IN NS i.root-servers.net.
. 84994 IN NS j.root-servers.net.
. 84994 IN NS k.root-servers.net.
. 84994 IN NS l.root-servers.net.
. 84994 IN NS m.root-servers.net.
. 84994 IN NS a.root-servers.net.
. 84994 IN NS b.root-servers.net.
. 84994 IN NS c.root-servers.net.
. 84994 IN NS d.root-servers.net.
. 84994 IN NS e.root-servers.net.
. 84994 IN NS f.root-servers.net.
. 84994 IN NS g.root-servers.net.
. 84994 IN RRSIG NS 8 0 518400 20210126050000 20210113040000 42351 . M25AUq1YZn/gZfvMnhwR1JVgAYPjePhz+Dhae2N6T6Banz/JcSDGJurCWtikMO6hzo6QmTAqb49cCA6+XLtDglY7GfOizJsHSGqWdmYLTayrVm7dhdVu2Pox4jhCYNqxt8tqK4iSTBAIB4F3HHHAPwbQkLLH5ymruvhQ1pfjCtbrlDptGOXd00lnui6OhxzzkkIykmfFFiX2IvwfzghEIQX5w+XSoQ7VQs/fmb0m+zW5YWQT/R0LPpuyYfr9LaLejoWv8ibpElyv9l4jFxm7TJHmc2MpXrYYJMczM47bHkPbwfXyfcF3nfBWdlAIO4N7RPqjB7r/CStyScHZdmTskA==
;; Received 525 B
;; Time 2021-01-13 15:09:51 CET
;; From 46.182.19.48@853(TCP) in 177.8 ms
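The same check the kdig output above walks through (TCP to port 853, certificate chain and hostname verification, then a DNS query framed per RFC 7858), as an added Python script that is not part of the thread or of IPFire. The resolver address and hostname are taken from the post; the query id, the EDNS settings and the "broken" interpretation of a raised exception are assumptions of this example.

```python
import socket
import ssl
import struct

# Resolver address and name are taken from the post's kdig output; all else is constructed.
RESOLVER_IP = "46.182.19.48"
RESOLVER_NAME = "dns2.digitalcourage.de"
DOT_PORT = 853

def build_query(qname=".", qtype=2, qid=0x1234):
    """Wire-format DNS query (RD set) with an EDNS0 OPT record carrying the DO bit."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 1)
    labels = [lab.encode() for lab in qname.strip(".").split(".") if lab]
    question = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    question += struct.pack(">HH", qtype, 1)  # QTYPE (2 = NS), QCLASS IN
    # OPT RR: root name, TYPE 41, UDP size 1232, ext-rcode 0, version 0, DO bit, RDLEN 0
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt

def frame(msg):
    """RFC 7858: each DNS message on the TLS stream is prefixed by its 2-byte length."""
    return struct.pack(">H", len(msg)) + msg

def parse_header(msg):
    """Decode the 12-byte DNS header into the fields kdig shows (id, flags, answer count)."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    return {"id": qid, "qr": bool(flags & 0x8000), "ad": bool(flags & 0x0020),
            "rcode": flags & 0x000F, "answers": an}

def recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("resolver closed the TLS stream early")
        buf += chunk
    return buf

def check_dot_resolver(ip=RESOLVER_IP, hostname=RESOLVER_NAME, timeout=5.0):
    """TLS to ip:853, chain verified against the system CA bundle and the certificate
    against `hostname` (also sent as SNI), then a '. NS' query; an exception = 'broken'."""
    ctx = ssl.create_default_context()  # verify_mode=CERT_REQUIRED, check_hostname=True
    with socket.create_connection((ip, DOT_PORT), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            tls.sendall(frame(build_query(qid=27048)))
            (length,) = struct.unpack(">H", recv_exact(tls, 2))
            reply, version = recv_exact(tls, length), tls.version()
    return {"tls": version, **parse_header(reply)}
```

Run `check_dot_resolver()` from a host with internet access; a certificate or hostname mismatch surfaces as an `ssl.SSLCertVerificationError` naming the failing check, which is the detail the web UI's "broken" status hides.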