IPFire 2.29 Core Update 203 finally kicks the old Unbound DNS resolver to the curb and replaces it with Knot Resolver, which delivers encrypted upstream forwarding, a native DNS firewall, and a persistent cache that actually survives reboots. The wireless access point gets long-awaited 6 GHz support and a proper fix for the stubborn 40 MHz channel width bug that kept breaking connections. Cloud deployments get IMDSv2 compatibility, Intel microcode patches roll out, and a Perl encoding glitch that routinely broke non-ASCII translations finally gets squashed. Admins who skip checking the DNS forwarding page before rebooting will watch their firewall drop all traffic until those fully qualified domain names get swapped to IP addresses.
IPFire 2.29 Core Update 203 Brings Knot Resolver and 6 GHz WiFi Support

IPFire 2.29 Core Update 203 has been released for testing. This new update drops a major DNS overhaul and finally brings 6 GHz WiFi to the firewall. The release swaps out the aging Unbound resolver for Knot Resolver, adds encrypted zone syncing, and fixes a stubborn channel width bug in the wireless access point. Getting hands on this test build is worth the effort since the DNS changes touch the core of how traffic gets routed.

IPFire 2.29 Core Update 203 DNS Overhaul

DNS used to be simple, but it now carries encrypted transport handshakes and certificate validation data, so the old resolver was carrying dead weight. The switch to Knot Resolver brings encrypted upstream forwarding, which sends queries to upstream servers over TLS instead of leaving them wide open on the network. A built-in DNS Firewall now blocks malware and ad domains at the resolution stage, which saves bandwidth and stops tracking before it even reaches the client. Zone updates pull over encrypted connections through a new C-based tool called zone sync, so filtering lists cannot be intercepted or tampered with in transit. The cache now survives reboots, so the firewall no longer pounds upstream servers every time it boots, and anyone who has watched a firewall grind to a halt during a DNS outage knows why that matters. Workers share a single cache state, so multiple CPU cores actually help instead of duplicating work and wasting memory.

Users should check the DNS forwarding page immediately: upstream servers entered as fully qualified domain names no longer work and must be swapped to IP addresses before the next reboot. Conditional forwarding and local overrides still function, but the DHCP module now pushes lease hostnames directly into DNS without the old bridge workaround. The old Unbound DHCP bridge was never particularly elegant, so replacing it with a direct module cut out unnecessary complexity.
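As an added example (not IPFire's own code, and not its on-disk configuration format), here is a small pre-reboot check for the forwarding hazard described above: it takes a list of upstream forwarder entries, keeps IP literals as they are, replaces each host name with the addresses it resolves to, and turns any name that fails to resolve into a visible comment instead of dropping it silently. The one-server-per-line layout, the sample entries and the injectable `resolver` hook are assumptions made for illustration.

```python
import ipaddress
import socket

# Constructed sample of upstream forwarder entries, one per line with optional '#'
# comments; this layout is an assumption, not IPFire's own DNS forwarding format.
SAMPLE_FORWARDERS = """\
# upstream resolvers (constructed sample)
9.9.9.9
dns.quad9.net
2606:4700:4700::1111
one.one.one.one
nonexistent.invalid
"""

def is_ip_literal(entry):
    """True for an IPv4/IPv6 address, False for anything that is a host name."""
    try:
        ipaddress.ip_address(entry)
        return True
    except ValueError:
        return False

def system_resolver(name):
    """Look a name up with the system resolver; an empty list means failure."""
    try:
        return sorted({info[4][0] for info in socket.getaddrinfo(name, None)})
    except OSError:
        return []

def migrate_forwarders(text, resolver=system_resolver):
    """Return (new_text, changes) with every host name replaced by IP literals.
    Listed addresses are not duplicated; unresolvable names become a comment."""
    lines = text.splitlines()
    entries = [ln.split("#", 1)[0].strip() for ln in lines]
    seen = {e for e in entries if e and is_ip_literal(e)}
    out, changes = [], []
    for raw, entry in zip(lines, entries):
        if not entry or entry in seen:          # blank, comment or IP literal
            out.append(raw)
            continue
        resolved = resolver(entry)
        changes.append((entry, resolved))
        if not resolved:
            out.append(f"# UNRESOLVED: {entry} - replace by hand before reboot")
        for addr in resolved:
            if addr not in seen:                # skip literals already present
                seen.add(addr)
                out.append(f"{addr}  # was {entry}")
    return "\n".join(out) + "\n", changes
```

Running `migrate_forwarders` a second time over its own output reports no further changes, which makes it a cheap sanity check to rerun after editing the list by hand.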

IPFire 2.29 Core Update 203 Wireless and Cloud Updates

The wireless access point finally supports the 6 GHz band, which opens up clean spectrum that legacy devices have not clogged yet. More room means wider channels can run without overlapping, so clients get faster throughput and fewer dropouts in crowded neighborhoods. The band also skips radar detection entirely, so the access point boots instantly and never gets kicked off a channel by a weather radar event. A long-standing bug that blocked the access point from starting when a 40 MHz channel width was combined with a manually chosen channel has been squashed.

AWS deployments can now talk to IMDSv2, which stops the firewall from falling back to the older metadata service that cloud providers are actively deprecating. Intel microcode updates address a newly flagged vulnerability, so server-grade hardware gets the patch before the next kernel roll. A Perl UTF-8 encoding bug that broke non-ASCII translations in the web interface is fixed, so language packs finally render correctly again. OpenVPN clients with static IP allocations now show the correct subnet name next to the connection entry, and the download icon for configuration files got a clearer design. Sysklogd returns to listening on localhost, which lets chrooted processes send logs without exposing ports unnecessarily. The package list reads like a standard security sweep, with BIND, OpenVPN, strongSwan, GRUB, and core utilities all bumped to recent stable versions. Add-on packages like Samba, Postfix, and tshark also receive updates, while the Zabbix Agent gets fixes for OpenVPN status parsing. Testing the DNS firewall rules and 6 GHz channel stability before pushing this to production is the smart move.

The update lands in the test channel for a reason, and the DNS changes alone will force a few config tweaks. Give it a spin on a spare box, watch how the new resolver handles your upstream queries, and drop any weird routing or logging quirks into the tracker. Happy testing.