Tweet
We are pleased to announce a new testing release of IPFire! It brings you our DNS firewall - a feature that so many of you have been waiting for - together with a large toolchain rebase, a wide range of updated package and the usual bunch of various improvements across the entire system.
Hello DNS Firewall
The wait is over. One of the most requested features in IPFire's history is finally here, and it fundamentally changes what your firewall is capable of. The DNS Firewall transforms IPFire from a network gatekeeper into an active threat eliminator — blocking malware, phishing, advertising, and unwanted content before a single byte of malicious data ever touches your network.
For full details, see the DNS Firewall documentation and the DNS Firewall roadmap page.
How it works
Every device on your network resolves domain names through IPFire's DNS proxy. The DNS Firewall sits inside that pipeline and evaluates every query against IPFire DBL — our own curated, continuously updated domain blocklist — before a response ever reaches the client. Blocked domains receive an NXDOMAIN response: to the client, the domain simply does not exist. No connection is attempted, no content is fetched, and no trace of the request leaves your network.
As a first to offer this to a large user-base, blocklist updates are delivered via IXFR — incremental DNS zone transfers directly into the DNS proxy — meaning your lists are refreshed within the hour, automatically, with no manual intervention and minimal bandwidth overhead.
Goodbye URL Filter. Goodbye Pi-hole.
If you have been running the URL Filter, you already understand the frustration: clients need explicit proxy configuration, HTTPS inspection is a minefield, and the entire approach was designed for a web that no longer exists. If you have been running a Pi-hole alongside IPFire to compensate, you have been maintaining a second device, a second software stack, and a second security boundary — all to do something your firewall should have been doing all along.
The DNS Firewall replaces both. It requires no client configuration, no additional hardware, and no compromises. Your firewall is already the single point through which all DNS traffic flows — it has always been the right place for this.
Miscellaneous Improvements
- Intrusion Prevention System It is now possible to configure different recipients for daily, weekly, and monthly IDS reports — useful for teams where different people are responsible for different reporting cadences.
- RISC-V Arne.F has updated the kernel configuration on the experimental build for RISC-V devices.
- Network Installer The installer now allocates more disk space when booting from the network, accommodating the increased size of the ISO download.
- Rust Cleanup Stefan Schantl has removed Rust packages that were no longer needed in the distribution, reducing build overhead and attack surface.
- Web Proxy Firewall Rules Rules are now created with the --wait flag, preventing race conditions during rule insertion.
- Toolchain Update IPFire has been rebased on the latest versions of glibc 2.43 and GNU binutils 2.46.0. These are the fundamental libraries and binary tools that underpin all userspace components inside IPFire. Keeping them current ensures better hardware support, improved security hardening, and a solid foundation for all packages built on top of them.
- The following packages have been updated in this release: asciidoctor 2.0.26, BIND 9.20.20, binutils 2.46.0, ccache 4.12.3, conntrack-tools 1.4.9, coreutils 9.10, dejagnu 1.6.3, expat 2.7.4, fuse 3.18.1, gettext 1.0, glibc 2.43, harfbuzz 12.3.2, hwdata 0.404, intel-microcode 20260210, iptables 1.8.12, jansson 2.15.0, krb5 1.22.1, less 692, libgcrypt 1.12.0, libnetfilter_conntrack 1.1.1, libpng 1.6.55, libtalloc 2.4.4, libuv 1.52.0, libxcrypt 4.5.2, m4 1.4.21, ncurses 6.6, OpenVPN 2.6.19, OpenSSL 3.6.1, p11-kit 0.26.2, PAM 1.7.2, procps 4.0.6, Ruby 4.0.1, suricata-reporter 0.7, vim 9.1.2147, wireless-regdb 2026.02.04, xfsprogs 6.18.0, zlib-ng 2.3.3
Add-ons
- Wireless Access Point
- The description for the Neighbourhood Scan was previously inverted and has been corrected.
- Adolf Belka has contributed a Dutch translation for this package.
- Updated Add-on Packages: ddrescue 1.30, fping 5.5, Git 2.53.0, minicom 2.11, nano 8.7.1, nfs 2.8.5, Postfix 3.10.7, Samba 4.23.5, tshark 4.6.4
- The 7zip package has been removed from the add-on collection. The upstream project is no longer maintained, and continuing to ship unmaintained software is not consistent with IPFire's security posture.
This is a testing release. We encourage all users who are able to run non-production hardware to give it a try and report any issues, particularly around the new DNS Firewall feature. Your feedback at this stage directly shapes the quality of the stable release.
Please report issues on the IPFire community forum or the bug tracker.
More...
