This wiki is a community-maintained resource about everything there is to know about IPFire. Join us and help us improving it!
Use the search and find answers to everything about IPFire. If you cannot find what you are looking for, join our community and talk to fellow IPFire users, developers and everybody else involved in the project.
Since IPFire 2.15 Core Update 80, IPFire comes with DNSSEC enabled by default. That means that all DNS responses are verified so that DNS spoofing is not possible any more.
Before IPFire 2.19 - Core Update 106, this required that the DNS servers the IPFire DNS proxy forwards queries to also must verify DNS responses. Because dnsmasq did not recursively resolve DNS queries, it needs to know if the domain supports DNSSEC and will then execute a verification for the requested DNS record. This limitation was removed after replacing dnsmasq with unbound.
Check out this great YouTube video that explains how DNSSEC validation works: https://www.youtube.com/watch?v=uPVezN4SBBo
In order to find out if your system properly works with DNSSEC, check out the DNSSEC resolver test from Universität Duisburg-Essen.
There is also a neat browser plugin for various web browsers that add a small icon to the address bar that shows you if a web site uses DNSSEC.