This is the official release announcement for IPFire 2.19 – Core Update 106 which comes with a number of exciting new features, many bug fixes and a few security improvements.
dnsmasq as DNS proxy before which is now replaced by
unbound. The latter is in contrast to the former software that is specifically designed as an DNS forwarding proxy or DNS recursor and implemented DNSSEC from early on.
Because of our decision to enable DNSSEC by default and various problems in
dnsmasq we have been toying with the idea of replacing it for a very long time. Unfortunately development resources are tight and because of this being a substantial part of the system and hooked into many other things, this was a very time-consuming project.
Finally, this new solution should now bring various advantages:
unbound is multi-threaded and IPFire will start one thread per CPU core that is available. That will allow execution of multiple queries in parallel which should increase responsiveness and throughput.
The cache size is adjusted based on memory available on the system. Bigger systems will have a significantly bigger DNS cache which will speed up browsing especially in larger environments like universities with a large number of clients.
DNSSEC is enabled by default (as it was before). However,
unbound does not rely on the upstream servers being validating resolvers, too. This will bring DNSSEC to many more users. DNS servers are now tested before being passed on for use and any malfunctioning DNS servers won’t be used. Status of this can be seen on the user web interface.
Please see this list of various DNS services on the Internet for more details.
If none of the DNS servers configured or received from the provider can be used, unbound will fall back to full recursor mode.
With the next key rollover of the DNS root zone, IPFire will automatically download and validate the new key according to RFC5011.
DHCP leases will be published into the local DNS zone as before. Static leases are imported as well which is a new feature. Everything IP address will resolve to its hostname by publishing PTR records.
sambaadd-on enables SMBv2 by default
This update installs a large number of updated packages:
openssl1.0.2j which fixes some implementation errors and DoS introduced in the 1.0.2i update
strongswanhas been updated to version 5.5.0
We are currently crowdfunding a Captive Portal for IPFire and would like you to ask to check it out and support us!
Please help us to support the work on IPFire Project with your donation.
Published by Michael Tremer, November 1, 2016 at 8:30 pm