**Note**: The Force clients to use IPFire DNS Server page has a new home here.
The IPFire DNS Firewall is a DNS-based filtering subsystem that evaluates each DNS query against configurable blocklists and policy rules to prevent resolution of prohibited domains. The blocklists come from the IPFire DBL.
Lists
The Lists section presents a set of predefined domain categories that can be enabled or disabled individually using the checkbox next to each entry. Each category targets a specific class of domain, such as malware distribution, phishing, advertising, or adult content. Enabling a category causes all domains within that list to be blocked for DNS resolution and a log message to be generated.
Using the pencil icon, a custom access control list (ACL) can be defined so that only certain network zones or hosts will be filtered by that list. By default, activated lists are enabled globally.
Custom Block And Allow Lists
The Custom Block And Allow List section allows administrators to define domain-specific exceptions independent of the predefined categories. Domains entered in the Blocked domains field will be denied resolution unconditionally, while domains entered in the Allowed domains field will be permitted regardless of any active category lists.
Enter one domain per line in each field, then click Save to apply the changes.
Note: TLDs are not (yet) accepted in allow or block lists.
List restriction
If you click the Pencil icon for a list, you can restrict the blocking:
- To one or more network zones (click a zone to select it, Ctrl+Click to deselect it)
- To one or more subnets or addresses
If you select one or more zones (Green, Blue, Orange) for a list and you're using a proxy,
the blocking for this list doesn't work for clients that go through the proxy.
If you select none (unselect all), the blocking for that list works for all clients, including those that use the proxy.
How Blocking Works
When a DNS query is made for a domain that matches an active blocklist or a custom blocked domain entry, the DNS Firewall returns an NXDOMAIN response, indicating to the client that the domain does not exist. No connection to the destination is attempted, and no content is fetched. This response is indistinguishable from a genuinely non-existent domain, ensuring consistent behaviour across all client applications.
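To verify that a list entry is actually enforced by the resolver, an administrator can send a query straight to the IPFire box and inspect the RCODE of the answer. The following script is an added example, not part of the IPFire project; it assumes the IPFire resolver is reachable on UDP port 53 at a placeholder address and uses only the standard library.

```python
import secrets
import socket
import struct

NXDOMAIN = 3  # RCODE the DNS Firewall returns for a blocked name
NOERROR = 0   # RCODE for a name that resolved normally


def build_query(domain: str, txid: int) -> bytes:
    """Build a minimal A-record query (RD bit set) for `domain`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = [part.encode("ascii") for part in domain.strip(".").split(".")]
    qname = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_rcode(response: bytes, expected_txid: int) -> int:
    """Return the RCODE from a DNS response after checking the ID and QR bit."""
    if len(response) < 12:
        raise ValueError("truncated DNS header")
    txid, flags = struct.unpack("!HH", response[:4])
    if txid != expected_txid:
        raise ValueError("transaction ID mismatch, answer is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear, packet is a query, not a response")
    return flags & 0x000F


def query_rcode(domain: str, resolver: str, port: int = 53, timeout: float = 2.0) -> int:
    """Send one A query for `domain` to `resolver` and return the answer's RCODE."""
    txid = secrets.randbelow(0x10000)  # random ID so stray packets are rejected
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(domain, txid), (resolver, port))
        data, _ = sock.recvfrom(512)
    return parse_rcode(data, txid)


def is_blocked(domain: str, resolver: str) -> bool:
    """True when the resolver answers NXDOMAIN for `domain`."""
    return query_rcode(domain, resolver) == NXDOMAIN


if __name__ == "__main__":
    IPFIRE = "192.168.1.1"  # placeholder: your IPFire green-zone address
    for name in ("example.com", "blocked.example"):  # constructed sample names
        print(name, "NXDOMAIN" if is_blocked(name, IPFIRE) else "resolved")
```

Because a genuinely non-existent name also yields NXDOMAIN, compare the IPFire answer with an upstream resolver's answer for the same name when validating a list entry.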
False Positives
If a domain is being blocked incorrectly, it can be reported to the IPFire project for review at IPFire DBL. Blocklists are updated hourly, and clients will receive the correction within an hour of it being published.
Memory Consumption
The lists are loaded into the DNS resolver's memory and are optimised for fast lookup. Enabling all lists will consume about 4 GiB of memory. If the system runs out of memory, the entire DNS resolver might get killed and will have to be restarted manually.
See Also
The DNS Firewall operates at the DNS query layer and does not inspect or filter traffic at the protocol or application layer. For more comprehensive coverage, the following features are recommended in conjunction with the DNS Firewall:
- URL Filter — provides HTTP-level domain filtering, allowing policy enforcement on web traffic by category or custom rule.
- Intrusion Prevention System (IPS) — when configured with the IPFire DBL, the IPS can block malicious domains carried over UDP, TLS, HTTP, and QUIC, covering traffic that may bypass DNS-based filtering entirely.