First off, thanks much for ipfire. I’ve been using ipfire for a couple of years now and it’s been helpful – but I still feel basically like a newbie. I’ve spent some time on the wiki and been patient with the UI but a couple of things still aren’t working right. I’m running IPFire 2.25 (x86_64) - Core Update 152.
The DNS proxy does not seem to work with my verizon DNS servers. Google’s 8.8.8.8 and 8.8.4.4 sort of work (see next bullet), but if I check off the “Use ISP-assigned DNS servers” then no names resolve. I can do a dig @71.243.0.12 google.com when I’ve logged into my ipfire router via ssh but the forwards don’t work. I’ve tried UDP and TCP and I don’t have any firewall rules that should stop it.
When I click on check DNS servers it says “broken” which I guess is the issue. If there is some sanity check issue with the servers, is there some way that the UI can show that they are somehow not worthy? Maybe a checkbox that says “yeah use them anyway”?
Even with Google’s 8.8.8.8 and 8.8.4.4 configured into the name server list, I can’t resolve (for example) community.ipfire.org. Other domains seem to work fine but some smallish subset doesn’t. Again, a dig @8.8.8.8 of those domains from the server works fine.
When I load the /cgi-bin/dns.cgi URL on my server, it takes a good ~7 seconds to render. My network and the router are not loaded. Is it trying to mine some bitcoin or something?
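The post above tests a forwarder by hand with dig over UDP and TCP and gets only “broken” from the UI. The script below is an added example (not IPFire’s own “check DNS servers” code) that runs the same dig probes against one resolver and names the failure mode instead: unreachable, refused, SERVFAIL, or answered with or without DNSSEC validation (the AD flag). It assumes dig from BIND utilities is installed, as it is on the router in the thread; the resolver address and host name in the usage line are the ones quoted in the post.

```shell
#!/bin/sh
# Added example: classify dig results per upstream resolver.
# Not IPFire code; assumes the BIND "dig" utility is on PATH.

# Read one dig run on stdin and print a single word describing the outcome.
classify_dig_output() {
    out=$(cat)
    case "$out" in
        *"connection timed out"*) echo unreachable ;;
        *"status: REFUSED"*)      echo refused ;;
        *"status: SERVFAIL"*)     echo servfail ;;
        *"status: NXDOMAIN"*)     echo nxdomain ;;
        *"status: NOERROR"*)
            # Pull the flag list out of the ";; flags: qr rd ra ad; ..." line.
            flags=$(printf '%s\n' "$out" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
            case " $flags " in
                *" ad "*) echo ok-validated ;;  # resolver validated DNSSEC
                *)        echo ok ;;            # answered, no validation
            esac ;;
        *)                        echo unknown ;;
    esac
}

# Run one query mode against a resolver and print "mode=result".
# $1 resolver IP, $2 name to look up, $3 dig option: "" (UDP), +tcp or +dnssec.
probe_resolver() {
    server=$1; name=$2; mode=$3
    result=$(dig +time=3 +tries=1 $mode "$name" "@$server" 2>&1 | classify_dig_output)
    echo "${mode:-udp}=$result"
}

# Probe a resolver the way a "check DNS servers" button might, one mode per line.
check_resolver() {
    for mode in "" +tcp +dnssec; do
        probe_resolver "$1" "$2" "$mode"
    done
}

# Usage: sh dnscheck.sh 71.243.0.12 ipfire.org  (values taken from the thread)
if [ -n "${1:-}" ]; then
    check_resolver "$1" "${2:-ipfire.org}"
fi
```

A forwarder that reports unreachable over UDP but ok over TCP points at something on the path dropping UDP/53; ok without validation for every name while IPFire expects validating upstreams is the kind of mismatch a plain “broken” hides.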
Not sure I can help.
Could you post your Domain name system setup.
I see post similar to this now and then.
Have you tried DNS over TCP?
I have Verizon and their router DMZ blocks DOT!
For the short term, please go to the Intrusion Prevention System (menu Firewall > Intrusion Prevention System) and make sure it is set to STOPPED. It can be enabled/started when we get things working.
Please include a screenshot of the Domain Name System webpage (menu Network > Domain Name System).
I tried the 71.243.0.12 DNS server and I get an error. Maybe it doesn’t like me since I am not on the Verizon network (I can ping the address). So for now, let’s stick with the Google DNS.
[root@ipfire ~]# dig +dnssec ipfire.org @71.243.0.12
; <<>> DiG 9.11.21 <<>> +dnssec ipfire.org @71.243.0.12
;; global options: +cmd
;; connection timed out; no servers could be reached
[root@ipfire ~]# dig ipfire.org @71.243.0.12
; <<>> DiG 9.11.21 <<>> ipfire.org @71.243.0.12
;; global options: +cmd
;; connection timed out; no servers could be reached
My DNS page takes about the same (8-9 seconds). It may be dependent on how many servers added. I have twelve added.
No bitcoin mining. I’d be pretty pissed unhappy if that was true!
; <<>> DiG 9.10.6 <<>> @10.0.1.1 community.ipfire.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
Ok. This is interesting. As you recommended, I disabled intrusion detection and it did resolve the DNS issues. On that page I noticed that the ruleset had not been updated since 2018. I did not see a button for “Update ruleset now” but pressing save so that it should still update weekly (I was already set to that) seems to have updated it to now. When I turn intrusion detection back on, it now seems to be working. Hrmmmmm.
Ok. More interesting stuff. When I disable intrusion detection, the Domain Name System page loads tons faster and now I see the rDNS responses. So ipfire is getting in the way of itself there.
When I then test the verizon nameservers they are still coming back as “broken” and the Google 2 are the only ones that seem to work.
I ran into the exact same things. My old rules did not work with the new IPS (Suricata). And my DNS stopped working. I went thru the high level rules, one by one, to find the main category that did not work. I am guessing (and the key word is guess) that the rule I turned off was emerging-policy.rules.
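The two posts above found that the IPS was blocking DNS and guessed at the rule category by switching categories off one at a time. An added example (not IPFire’s or Suricata’s code) that reads Suricata’s fast.log and lists which rule SIDs dropped traffic to port 53, so the category can be read off the rule message rather than guessed. It assumes IPFire keeps the standard Suricata fast.log format, in which dropped packets are marked with `[Drop]` after the timestamp, and that the file lives at /var/log/suricata/fast.log (path assumed, not confirmed by the thread). The log lines in the usage comment and test are constructed.

```shell
#!/bin/sh
# Added example: find Suricata rules that dropped DNS traffic.
# Assumes standard fast.log lines of the form
#   <ts>  [Drop] [**] [gid:sid:rev] <msg> [**] [Classification: ...] [Priority: n] {UDP} src:port -> dst:53
# Alert-only lines have no "[Drop]" marker and are ignored here.

# Read fast.log on stdin; print "count sid<TAB>message" for dropped DNS packets,
# most frequent first.
dns_drop_rules() {
    awk '
        /\[Drop\]/ && / -> [0-9.]+:53$/ {
            # Locate the [gid:sid:rev] token, take the sid, then the message
            # that follows it up to the next [**] separator.
            if (match($0, /\[[0-9]+:[0-9]+:[0-9]+\]/)) {
                id = substr($0, RSTART + 1, RLENGTH - 2)
                split(id, parts, ":")
                rest = substr($0, RSTART + RLENGTH + 1)
                sub(/ \[\*\*\].*/, "", rest)
                print parts[2] "\t" rest
            }
        }' | sort | uniq -c | sort -rn
}

# Usage on the router (path assumed):
#   dns_drop_rules < /var/log/suricata/fast.log
# Example constructed input line:
#   10/20/2020-10:00:00.000001  [Drop] [**] [1:2001234:7] ET POLICY Constructed DNS rule [**] [Classification: Potential Corporate Privacy Violation] [Priority: 1] {UDP} 192.168.1.10:40000 -> 8.8.8.8:53
if [ -n "${1:-}" ]; then
    dns_drop_rules < "$1"
fi
```

The rule message prefix (for example “ET POLICY”) maps directly to the ruleset file the last poster was guessing at, and the count shows whether the drops line up with the resolver failures seen in the DNS page.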