This documentation describes an experimental feature that has not been released yet.

The IPFire DNS Firewall is a DNS-based filtering subsystem that evaluates each DNS query against configurable blocklists and policy rules to prevent resolution of prohibited domains. The blocklists are provided by IPFire DBL.

Lists

The Lists section presents a set of predefined domain categories that can be enabled or disabled individually using the checkbox next to each entry. Each category targets a specific class of domain, such as malware distribution, phishing, advertising, or adult content. Enabling a category causes all domains within that list to be blocked for DNS resolution and a log message to be generated.

Using the pencil icon, a custom access control list (ACL) can be defined so that only certain network zones or hosts are filtered by that list. By default, an enabled list applies globally to all zones and hosts.

Custom Block And Allow Lists

The Custom Block And Allow Lists section allows administrators to define domain-specific exceptions independent of the predefined categories. Domains entered in the Blocked domains field are denied resolution unconditionally, while domains entered in the Allowed domains field are permitted regardless of any active category lists.

Enter one domain per line in each field, then click Save to apply the changes.

How Blocking Works

When a DNS query is made for a domain that matches an active blocklist or a custom blocked domain entry, the DNS Firewall returns an NXDOMAIN response, indicating to the client that the domain does not exist. No connection to the destination is attempted, and no content is fetched. This response is indistinguishable from a genuinely non-existent domain, ensuring consistent behaviour across all client applications.
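The following is an added example, not code from IPFire or from this page, that models the decision logic described in the Custom Block And Allow Lists and How Blocking Works sections: a query name is checked against the custom block list, then the custom allow list, then the enabled category lists (each optionally restricted by an ACL), and a blocked query is answered with an NXDOMAIN (RCODE 3) response that echoes the client's transaction ID and question. The policy data, the client addresses and the precedence of custom block over custom allow are constructed assumptions; so is the choice to treat subdomains of a listed domain as matches, which the page does not specify.

```python
import struct
from ipaddress import ip_address, ip_network

# Constructed sample policy (assumption, not IPFire's data format).
# A category with acl=None applies globally; otherwise only to listed networks.
CATEGORY_LISTS = {
    "malware": {"domains": {"malware.example", "dropper.example"}, "acl": None},
    "ads": {"domains": {"ads.example"}, "acl": ["192.168.1.0/24"]},
}
ENABLED_CATEGORIES = {"malware", "ads"}
CUSTOM_BLOCKED = {"blocked.example"}
CUSTOM_ALLOWED = {"cdn.malware.example"}


def _name_matches(qname, listed):
    """True if qname equals a listed domain or is a subdomain of one (assumed rule)."""
    qname = qname.rstrip(".").lower()
    return any(qname == d or qname.endswith("." + d) for d in listed)


def _acl_permits(acl, client_ip):
    """A list without an ACL is enforced for every client."""
    if acl is None:
        return True
    ip = ip_address(client_ip)
    return any(ip in ip_network(net) for net in acl)


def decide(qname, client_ip):
    """Return ('block', reason) or ('allow', reason) for one query name."""
    if _name_matches(qname, CUSTOM_BLOCKED):
        return ("block", "custom block list")          # unconditional
    if _name_matches(qname, CUSTOM_ALLOWED):
        return ("allow", "custom allow list")          # overrides categories
    for name in ENABLED_CATEGORIES:
        lst = CATEGORY_LISTS[name]
        if _acl_permits(lst["acl"], client_ip) and _name_matches(qname, lst["domains"]):
            return ("block", f"category list '{name}'")
    return ("allow", "no match")


def build_query(qname, qtype=1, txid=0x1234):
    """Construct a minimal DNS query (RD set, one question) for testing."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii") for l in qname.split(".")) + b"\x00"
    return header + name + struct.pack("!HH", qtype, 1)


def parse_question(query):
    """Parse the single question of a DNS query; returns (qname, qtype, end_offset)."""
    qdcount = struct.unpack("!H", query[4:6])[0]
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = query[pos]
        if length == 0:
            pos += 1
            break
        if length & 0xC0:
            raise ValueError("compression pointer not allowed in question name")
        labels.append(query[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, _qclass = struct.unpack("!HH", query[pos:pos + 4])
    return ".".join(labels), qtype, pos + 4


def nxdomain_response(query):
    """Build an NXDOMAIN answer: QR=1, RD copied, RA=1, RCODE=3, question echoed."""
    txid, flags = struct.unpack("!HH", query[:4])
    _, _, qend = parse_question(query)
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack("!HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + query[12:qend]


def rcode(response):
    """Extract the RCODE from a DNS message header."""
    return struct.unpack("!H", response[2:4])[0] & 0x000F


def handle(query, client_ip):
    """Return (verdict, reason, response); response is None when the query may proceed."""
    qname, _, _ = parse_question(query)
    verdict, reason = decide(qname, client_ip)
    if verdict == "block":
        return verdict, reason, nxdomain_response(query)
    return verdict, reason, None  # would be forwarded to the upstream resolver
```

A blocked lookup gets an answer with ANCOUNT 0 and RCODE 3 and the client's own question copied back, so the client sees the same shape of reply it would get for a name that does not exist; the allow list only short-circuits the category lists, while the custom block list is checked first.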

False Positives

If a domain is being blocked incorrectly, it can be reported to the IPFire project for review at IPFire DBL. Blocklists are updated hourly, and clients will receive the correction within an hour of it being published.

See Also

The DNS Firewall operates at the DNS query layer and does not inspect or filter traffic at the protocol or application layer. For more comprehensive coverage, the following features are recommended in conjunction with the DNS Firewall:

  • URL Filter — provides HTTP-level domain filtering, allowing policy enforcement on web traffic by category or custom rule.
  • Intrusion Prevention System (IPS) — when configured with the IPFire DBL, the IPS can block malicious domains carried over UDP, TLS, HTTP, and QUIC, covering traffic that may bypass DNS-based filtering entirely.