What is it?
Blocking content of any kind is what a firewall should do. Why only look at the headers of IP packets? With more and more traffic being tunnelled and encrypted, the firewall sees less and less of what passes through it. When it comes to blocking access to certain websites, admins historically set up a web proxy. That approach has since fallen out of date, and new methods are required.
This project will create a DNS Firewall for IPFire. With data from IPFire DBL, we will filter advertising, block access to porn websites and much more. By extending the IPFire DNS Proxy with Response Policy Zones (RPZ), we will implement this in a modern fashion that allows us to block and unblock new threats within minutes.
Who is working on it?
Current Status
This feature is currently in the planning and early experimentation phase.
- Targeted Release: Core Update 202+
- Tracker Bug: None, yet
Description
We will create a new UI that allows users to enable categories from IPFire DBL for blocking. Filtering will generally be enabled for everyone by default, but there will be the option to set ACLs in case users would like to apply filtering only to a subnet of hosts on their networks or to specific zones.
In the background, we will efficiently fetch the list data over AXFR. That way, no complicated HTTP download is required and Unbound will be able to ingest the zone in its native format. Furthermore, we will provide incremental updates using IXFR for a window of several days, so that clients can update list data without retransferring the entire zone. A full retransfer for every update would blow up bandwidth usage and prevent us from keeping the zones on client systems up to date within the hour. This will happen entirely under the hood; we will have to host the necessary server infrastructure.
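To make the two preceding paragraphs concrete, here is an unbound.conf fragment, added as an example for this page and not IPFire's own configuration, showing how a resolver can pull RPZ zones from a transfer server and apply them per client subnet with tags. The zone names (ads.dbl.example, adult.dbl.example), the transfer server address 192.0.2.53 (a documentation-range address), the subnets and the tag names are all assumptions.

```conf
# Added example, not IPFire's configuration. Zone names, the primary address
# 192.0.2.53, subnets and tag names are assumptions.
server:
    # Tags are how Unbound scopes an RPZ zone to a subset of clients.
    # A zone with a "tags:" line only applies to clients carrying that tag;
    # a zone without "tags:" applies to every client.
    define-tag: "ads adult"

    # Subnet that should get both ads and adult filtering (assumed).
    access-control: 192.168.1.0/24 allow
    access-control-tag: 192.168.1.0/24 "ads adult"

    # Subnet that should only get ad filtering (assumed).
    access-control: 192.168.2.0/24 allow
    access-control-tag: 192.168.2.0/24 "ads"

    # Caveat: RPZ only sees queries that reach this resolver. Clients that
    # speak DNS over HTTPS/TLS to a public resolver bypass it unless that
    # traffic is blocked separately on the firewall.

# Local allowlist, maintained by the admin, no transfer. RPZ zones are
# evaluated in configuration order, so putting it first lets
# "rpz-passthru." entries override the blocklists below.
rpz:
    name: "allow.local"
    zonefile: "/var/lib/unbound/allow.local.zone"

# Blocklist pulled from the primary. Unbound tries IXFR first and falls
# back to AXFR; allow-notify lets the primary trigger a refresh so the
# client picks up new entries without waiting for the SOA refresh timer.
rpz:
    name: "ads.dbl.example"
    primary: 192.0.2.53
    allow-notify: 192.0.2.53
    zonefile: "/var/lib/unbound/ads.dbl.example.zone"
    tags: "ads"
    # Force NXDOMAIN regardless of the action encoded in the zone.
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "dbl-ads"

rpz:
    name: "adult.dbl.example"
    primary: 192.0.2.53
    allow-notify: 192.0.2.53
    zonefile: "/var/lib/unbound/adult.dbl.example.zone"
    tags: "adult"
    rpz-action-override: nxdomain
    rpz-log: yes
    rpz-log-name: "dbl-adult"
```

In an RPZ zone the owner names are relative to the zone apex, so a blocklist entry for tracker.example and its subdomains looks like `tracker.example CNAME .` and `*.tracker.example CNAME .` (NXDOMAIN), while `CNAME *.` yields NODATA instead; the allowlist zone uses `CNAME rpz-passthru.`. Because the zone is kept on disk (`zonefile:`), a restart does not require a fresh AXFR, and `unbound-control auth_zone_transfer ads.dbl.example` forces a transfer when testing. Check the result from a tagged client with `dig @<resolver> tracker.example`: the answer should be NXDOMAIN and the query should appear in the Unbound log under the `rpz-log-name` given above.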
Benefits to IPFire
Since the web proxy/URL filter has fallen out of date and is not used much any more, this will bring IPFire up to date on common blocking technologies. It should eliminate the need for external solutions like Pi-hole for a large part of our user base, making their networks neater and easier to administer.
Impact
Since there currently is no such feature and the new one is standalone, there won't be any impact on other parts of IPFire.
Feedback
There has been high demand from the community to realise this feature.
Dependencies
This feature relies on IPFire DBL, which is now at a stage where this next step becomes feasible.
Release Notes
TODO