Hi,
Btw, I disabled all clients and I still got entries. I believe this is IPFire itself.
This may be due to DNS prefetching in order to reduce query delays after cached records have expired. In order to determine the exact query, you can enable logging DNS queries within the unbound configuration. Make sure you disable it afterwards, as it is a huge information leak if those DNS logs fall into the wrong hands.
If you remove all entries in the “Domain Name System” section, IPFire panics and tries to constantly contact root dns servers.
This works as designed. If none of the configured DNS servers can be used, IPFire falls back into the so-called “recursor mode”. Anyway, it won’t solve your problem - and since the IPS rule triggers for generic DNS queries to .biz, I am not sure if there is even a problem.
I strongly recommend reading the IPS documentation in general and the IPS rule selection documentation in particular, and reviewing your current IPS rule selection afterwards.
As they say, a false sense of security is worse than no security at all. In my humble opinion, this applies to IPS rule selection as well - if it does not match your needs, it might create more problems than it aims to solve.
Thanks, and best regards,
Peter Müller
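As an added example (not part of the original thread and not IPFire code), the following Python script aggregates unbound query-log lines so you can see which client is asking for a given TLD, and whether the queries come from the firewall itself (loopback source) or from LAN hosts. It assumes the `log-queries: yes` line format `info: <client> <qname> <qtype> <qclass>`; the sample log lines are constructed.

```python
import re
from collections import Counter

# Assumed unbound "log-queries: yes" line format:
#   "... unbound[pid:tid] info: <client-ip> <qname> <qtype> <qclass>"
QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)

LOOPBACK = {"127.0.0.1", "::1"}

# Constructed sample log lines (not real IPFire output).
SAMPLE_LOG = """\
Mar 10 08:00:01 fw unbound[1234:0] info: 192.168.1.20 www.example.biz. A IN
Mar 10 08:00:02 fw unbound[1234:0] info: 127.0.0.1 pakfire.ipfire.org. A IN
Mar 10 08:00:03 fw unbound[1234:0] info: 192.168.1.20 cdn.example.biz. AAAA IN
Mar 10 08:00:04 fw unbound[1234:0] info: 192.168.1.31 mail.example.org. MX IN
Mar 10 08:00:05 fw unbound[1234:0] info: 127.0.0.1 mirror.example.biz. A IN
Mar 10 08:00:06 fw unbound[1234:0] info: 192.168.1.20 www.example.biz. A IN
"""


def parse_queries(text):
    """Extract (client, qname, qtype, qclass) dicts; non-query lines are skipped."""
    queries = []
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if not m:
            continue
        q = m.groupdict()
        if not q["qname"].endswith("."):  # normalise to a fully-qualified name
            q["qname"] += "."
        queries.append(q)
    return queries


def queries_for_tld(queries, tld):
    """Queries whose name falls under the given TLD, e.g. 'biz'."""
    suffix = "." + tld.strip(".").lower() + "."
    return [q for q in queries if q["qname"].lower().endswith(suffix)]


def clients_by_count(queries):
    """How many of the given queries each source address issued."""
    return Counter(q["client"] for q in queries)


def local_only(queries):
    """Queries whose source is the resolver host itself rather than a LAN client."""
    return [q for q in queries if q["client"] in LOOPBACK]


if __name__ == "__main__":
    biz = queries_for_tld(parse_queries(SAMPLE_LOG), "biz")
    for client, n in clients_by_count(biz).most_common():
        origin = "firewall itself" if client in LOOPBACK else "LAN client"
        print(f"{client:15} {n:3} .biz queries ({origin})")
```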