(my first) error: DNS

Here, I don’t get the ISP-supplied DNS servers into working with ipfire. Very strange. It works with any other system, but the two DNSes here just pop up as Error on the ‘Domain Name System’ pull-down. I have retried, rebooted, no chance. When adding Google’s DNS, everything works, and the status shows ‘Status: Working’.
I have tried a dig @, and of course they work.

(hoping the image upload works)

If you hover over the word ‘Error’, you’ll see the error message.
Just my two cents, that it reads ‘DNS server doesn’t support DNSSEC’.


You can hover over the “Error” and see what actually goes wrong.

I ought to have added: I ‘Check DNS Servers’-ed the page as well.

and the hoovering didn’t actually help me. Then I added Google’s little helper manually.

Why would it time out?

$ dig @ www.ipfire.org

; <<>> DiG 9.16.1-Ubuntu <<>> @ www.ipfire.org
; (1 server found)
;www.ipfire.org. IN A
www.ipfire.org. 16948 IN CNAME fw01.ipfire.org.
fw01.ipfire.org. 8296 IN A
;; Query time: 19 msec
;; WHEN: Mo Aug 09 14:48:38 CEST 2021
;; MSG SIZE rcvd: 106

from a client behind that box. Strange.

Your client can question other servers besides IPFire, I suppose. :wink:
Did you check this?

Sure. I tried others before, and just made this attempt with a :wink: to you guys.

They are the same ISP-provided NSes that I get with any other client; be it firewall or PC. Vodafone.

This is a request without DNSSEC. IPFire validates DNSSEC.

This looks like this:

ms@rice-oxley ~ % dig @ www.ipfire.org +dnssec
;; Truncated, retrying in TCP mode.
;; Connection to for www.ipfire.org failed: timed out.
;; Connection to for www.ipfire.org failed: timed out.

This DNS servers tells the client to come back using TCP but it does not seem to have TCP configured. It is simply broken and I would recommend using a DNS server from the list on the wiki:


All well and understandable. But I see no reason for a network appliance that doesn’t do what all other clients do. Gold-plating? Vodafone isn’t just any ISP on the next corner. And when connecting to a less secure DNS, it would be great to point out the vulnerability. Not just not resolve, sorry.
Or adding an option ‘Query less secure DNS servers’ would be most appreciated.

IPFire uses unbound with DNSSEC. Period.
This was decided by the core devs. Period.

If you want to know about the background, read the various blog articles and forum threads about this theme.

1 Like

It is called security. IPFire is a firewall. It does other things than a desktop operating system. That should be very obvious.

And they cannot have any bugs? You can report this to your ISP.

This doesn’t have anything to do with DNSSEC even. It is just that your ISP cannot respond to DNS queries with large responses. This applies to many record types.

There is a very big “Error” sign which shows you that it cannot reach the DNS server. It could not be more obvious than that.

No, there is no need for this. There is also no button to “disable the firewall”. You do not have a button to disable seatbelts in your car either.


I agree. It was some misconception on my side. I just have to switch my perspective to another philosophy. And of course, the core devs decide on the way to implement security.
My years have simply made me see Linux as ‘open’, and hardened later. While e.g. OpenBSD doesn’t do anything out of the box. Therefore I had in mind to just explore the system from home, step by step. And hardening later, according to needs.

I’ll probably start again from scratch, with a picture of Theo de Raadt in mind … .

May I ask, what the target of your exploration is?
You want to compare IPFire to other Linux systems or to other dedicated “internet access systems with firewall” ?
This a two different cases. In comparison to other Linux systems IPfire lacks a GUI totally ( the part many users identify with the OS ).
BTW: the basics are described in

Yep. I’m evaluating some alternatives for my new standard firewall application for my uses. That’s all.