forum.ipfire.org

Dann brauche ich nun wirklich mehr Details... Einen DNS-Trace oder sowas um zu sehen wo es hängt...

Hi, this will be my last response in this thread: There is no way to make IPFire intercept HTTPS. The world is rolling out TLS 1.3. Say goodbye to SSL interception. You can (and should) use the proxy to match against blacklists if you want to filter access - for whatever reason. Apart from it becomi...

I think that I have made this very clear on a number of occasions: * DNS forwarding is for split-horizon DNS setups where you have a local DNS zone that overlays a public one. Often those zones are not signed and that is why this can now be disabled. * Disabling DNSSEC globally is a very bad idea. I...

tikok974 wrote: ↑

April 18th, 2019, 10:48 am

I don't have a procedure to apply that works since it's not documented anywhere

It is not meant to be disabled.

So... the "DNSSEC disable" option in the "DNS Forwarding" menu is useless ... because the fact of having activated it does not allow me to use the DNS of DNSfilter provider (which does not have the DNSSEC function activated) since Unbound rejects them despite the activated option ! This does someth...

Hi, OK...so in fact...if I understand correctly...it's our Ipfire that is our main DNS server... but the requests are not slower in this mode ? No, why? Could this be because we are in "transparent proxy" mode and in our Squid configuration (file /etc/squid/squid.conf), the addresses of our DNS prov...

The recursor mode will query the global authoritative DNS servers. If you want to resolve "ipfire.org" it will go to the root zone first, find out which servers are responsible for "org", the go to the "org" servers, find out who is responsible for "ipfire.org" and then ask the "ipfire.org" servers....

Hi,

you don't need a proxy for this. Just firewall rules. Did you configure "Access on BLUE"?

Hey,

I guess this script is no longer relevant, because you export this type of configuration from the Web UI for some time now.

Hat es bei Dir noch nicht mal für eine freundliche Antwort gereicht ? Für Hilfe bei meiner Testumgebung hatte ich etliche Wochen gebettelt, dass mir einer vom Forum helfen könnte, aber dabei hattest gerade DU Deinen Schnabel gehalten und gehofft, dass Andere helfen würden. ;-) Die Arbeit mit letsen...

Yeah that should be okay, but the upload functionality might be broken - because this forum software is a bit.. err.. buggy.

You can use the no paste service and link your attachment: https://nopaste.ipfire.org

My "/etc/sysconfig/unbound" is empty and in the Ipfire GUI.... on the home page, in front of DNS Server, I have the mention " Local Recursor " which appears instead of the @IP of DNSfilter ! However, in my Dashboard at DNSFilter I can still see that requests are coming in...despite the attention me...

You got any more logs and configuration?

Did you try this viewtopic.php?f=27&t=20478#p115078?

I have no idea what the point of the patch is. It does not make sense that the test on the DNS servers is performed and then the result is thrown away. This patch has never been submitted to the IPFire developers.

I am not really sure how I can make this any clearer why this is such a bad idea. When you suggest to disable DNSSEC that sounds similar to "let's disable the firewall stuff, because it is all easier when we don't have to configure rules". This is fundamentally bad. DNSSEC is a globally accepted and...