Last week we introduced IPFire DBL—our community-driven domain blocking solution. Today, we're diving into something that sets IPFire apart from DNS-only filtering solutions: the ability to block threats that bypass DNS entirely.
DNS-based blocking solutions like Pi-hole are excellent at what they do: they prevent your devices from resolving malicious domain names. But here's the problem: DNS filtering only works if the malware or threat actually uses your configured DNS resolver.
Increasingly, threats are bypassing DNS filtering altogether:
- Malware using DNS-over-TLS (DoT) or DNS-over-HTTPS (DoH) to tunnel queries outside your network
- Applications with hardcoded IP addresses that never touch your DNS resolver
- Fast-flux networks where DNS records change faster than blocklists update
Even when DNS blocking works, you only know a query was blocked - you don't know if a device on your network is already infected and actively trying to communicate with command-and-control servers.
This is where involving the Intrusion Prevention System changes everything.
How IPFire DBL + IPS Works
Suricata is an open-source intrusion detection and prevention system (IDS/IPS) that can inspect network traffic at the packet level. When combined with IPFire DBL, it becomes a powerful multi-protocol filtering engine.
Even when connections are encrypted with TLS or QUIC, there is a critical piece of information sent in plaintext during the handshake: the Server Name Indication (SNI). SNI tells the server which hostname the client wants to connect to - and crucially for us, Suricata can read this before the encryption begins. This means even if malware bypasses your DNS resolver entirely and connects directly to an IP address, if it establishes a TLS or QUIC connection, we can see exactly which domain it is trying to reach.
IPFire DBL + Suricata inspects:
- DNS queries - Traditional DNS traffic on port 53
- Host headers in (unencrypted) HTTP requests
- SNI in TLS/QUIC connections
This multi-protocol approach means there are virtually no loopholes. If a connection uses standard protocols to reach a malicious domain, we catch it.
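To make the plaintext-visibility point concrete, here is an added Python example (not code from IPFire or Suricata) that builds a constructed TLS ClientHello and a constructed DNS query, pulls out the SNI and the QNAME the way an inline inspector does before any encryption starts, and checks both against a small constructed blocklist standing in for a DBL category.

```python
import struct

BLOCKLIST = {"malware.example", "phish.example"}  # constructed stand-in for a DBL category

def build_client_hello(sni):
    """Build a minimal TLS 1.2 ClientHello record carrying a Server Name Indication."""
    name = sni.encode()
    sni_list = struct.pack("!BH", 0, len(name)) + name           # name_type 0 = host_name
    sni_list = struct.pack("!H", len(sni_list)) + sni_list       # server_name_list length
    ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list   # extension type 0 = SNI
    body = (b"\x03\x03" + b"\x00" * 32 + b"\x00"                 # version, random, no session id
            + b"\x00\x02\xc0\x2f" + b"\x01\x00"                  # one cipher suite, null compression
            + struct.pack("!H", len(ext)) + ext)
    hs = b"\x01" + len(body).to_bytes(3, "big") + body           # handshake type 1 = ClientHello
    return b"\x16\x03\x01" + struct.pack("!H", len(hs)) + hs     # record type 22 = handshake

def extract_sni(record):
    """Return the plaintext SNI of a ClientHello (readable before encryption), or None."""
    if len(record) < 6 or record[0] != 0x16 or record[5] != 0x01:
        return None
    p = 5 + 4 + 2 + 32                                           # skip headers, version, random
    p += 1 + record[p]                                           # session id
    p += 2 + struct.unpack("!H", record[p:p + 2])[0]             # cipher suites
    p += 1 + record[p]                                           # compression methods
    end = p + 2 + struct.unpack("!H", record[p:p + 2])[0]        # end of extensions block
    p += 2
    while p + 4 <= end:
        etype, elen = struct.unpack("!HH", record[p:p + 4])
        p += 4
        if etype == 0:                                           # list_len(2) type(1) name_len(2) name
            nlen = struct.unpack("!H", record[p + 3:p + 5])[0]
            return record[p + 5:p + 5 + nlen].decode()
        p += elen
    return None

def build_dns_query(qname):
    labels = b"".join(bytes([len(lab)]) + lab.encode() for lab in qname.split("."))
    return struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def extract_qname(msg):
    """Parse the QNAME of the first question (no compression pointers in a query)."""
    p, labels = 12, []
    while msg[p]:
        labels.append(msg[p + 1:p + 1 + msg[p]].decode())
        p += 1 + msg[p]
    return ".".join(labels)

def is_blocked(hostname):
    """Dataset-style exact lookup; the same set serves both DNS and SNI matches."""
    return hostname is not None and hostname.lower().rstrip(".") in BLOCKLIST
```

The same hostname is caught whether it arrives as a port 53 query or only as the SNI of a direct-to-IP TLS connection, which is the gap a DNS-only resolver cannot close.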
Suricata Datasets: Efficient at Scale
Suricata implements domain matching using datasets - highly optimised data structures designed for fast lookups against large lists. This is critical because IPFire DBL contains millions of domains across multiple categories.
When a connection is established, Suricata checks the hostname against the relevant datasets in real time. The performance impact is negligible - Suricata's dataset implementation is specifically built for this kind of high-speed matching. (For more technical details on Suricata datasets, see Suricata's dataset documentation.)
What Happens on a Match?
When Suricata detects a connection to a domain in your selected IPFire DBL categories, the connection is immediately dropped, an alert is generated with full details of the blocked connection, and the event is logged for visibility and reporting.
Here's where IPFire's firewall-based approach delivers something DNS-only solutions simply cannot: complete visibility into what's happening on your network.
This isn't just blocking - it is threat intelligence. If you see malware connection attempts from a device on your network, you now know that device may be compromised and needs investigation.
IPFire's recently added PDF reports include detailed information about blocked connections, including the actual hostnames involved. Over time, this builds a picture of threat activity on your network. Which devices are most frequently attempting malicious connections? What types of threats are you seeing? (Malware? Phishing? Tracking?) Are there patterns that suggest a compromised device or insider threat?
Why IPFire Goes Further Than Pi-hole and DNS-Only Solutions
Pi-hole and similar DNS-based blockers are fantastic tools - they are lightweight, effective, and have built vibrant communities. But they're fundamentally limited by what they can see: DNS queries only.
IPFire, as a full firewall solution, sees every packet that traverses your network. This positional advantage enables capabilities that DNS-only solutions simply cannot provide.
This isn't about Pi-hole being inadequate - it is about understanding that firewalls and DNS resolvers solve different problems. Pi-hole is excellent for network-wide ad blocking and basic malware filtering at the DNS layer. IPFire is a security-focused firewall with deep packet inspection capabilities.
If you want comprehensive threat detection, visibility into encrypted traffic, and alerts when devices on your network attempt malicious connections, you need firewall-level inspection. That's what IPFire delivers.
Enabling IPFire DBL in Suricata
If you're running IPFire Core Update 200 (currently in testing), enabling IPFire DBL filtering through Suricata is straightforward.
- Navigate to the IPS page in the Firewall section of your IPFire web interface
- Add IPFire DBL as a rule provider - You'll see IPFire DBL listed as an available rule source
- Select your categories - Choose which IPFire DBL categories you want Suricata to enforce: Malware, Phishing, Advertising, Pornography, Gambling, Games, and more
You may customise the ruleset to only enable some of the protocols, but most users will want to enable all four protocols for maximum coverage.
- Apply changes - Suricata will download the latest IPFire DBL rules and begin enforcement.
If you are not running IPFire, my first recommendation would be that you should. But you can still use IPFire DBL as described in the How To Use? section on the IPFire DBL website.
The Future of Network Security
IPFire DBL + Suricata represents a fundamental shift in how we think about domain-based filtering. This isn't just about blocking websites - it is about detecting threats, gaining visibility, and protecting your network across every protocol.
DNS filtering has its place, and it is effective for what it does. But as threats evolve and increasingly bypass DNS through encrypted channels, hardcoded IPs, and alternative protocols, we need solutions that evolve with them.
IPFire gives you that evolution: a firewall that sees everything, inspects what matters, and tells you when something is wrong.
Get Started Today
Core Update 200 is in testing now and will be released in the coming weeks. Keep an eye on the update notifications, and be ready to enable this powerful new capability.
This is network security done right. This is IPFire.