November 2025 Devlog

November brought DNS over HTTPS support, a major Swift upgrade for Apple platforms, significant Linux client improvements, and enhanced Gateway connection reliability.

DNS over HTTPS Support

Clients now support DNS over HTTPS (DoH) for encrypted DNS resolution.¹ This feature enables administrators to configure secure DNS providers directly from the portal, with options for system resolvers, secure DNS providers, or custom DNS servers.² The implementation includes a dedicated HTTP/2 client with pluggable sockets³ and handles the complexities of DoH server bootstrapping, where the DoH server's domain must first be resolved using system DNS resolvers before encrypted queries can begin.

Swift 6.2 Upgrade

The Apple clients underwent a substantial upgrade from Swift 5 to Swift 6.2 with full strict concurrency checking enabled.⁴ This migration eliminates entire classes of data race bugs that were previously only caught through testing or production crashes. Swift 6.2's "Approachable Concurrency" features were enabled to further improve code safety,⁵ and the IPC client was converted from an actor to a stateless enum for better performance.⁶ Unsafe code instances were systematically removed from the codebase.⁷⁸

Linux Client Improvements

The GUI client now uses the Wayland rendering backend on Linux, enabling compatibility with newer distributions like Fedora 43 where Wayland is the only available compositor.⁹ This required implementing custom client-side decorations including a minimalistic title bar.

Device identification now derives from /etc/machine-id on systems with systemd, eliminating startup failures when the user hasn't yet joined the firezone-client group.¹⁰ The installer also automatically adds users to this group during installation.¹¹

Debian/Ubuntu Deployment

A new Debian/Ubuntu tab in the portal provides streamlined Gateway deployment instructions for APT-based systems.¹² Preview packages are automatically promoted to stable on release.¹³ This complements the native Debian packaging introduced in October.

Gateway Connection Reliability

ICE timeout values were extended to reduce false-positive disconnects where a Gateway incorrectly believes a Client has departed.¹⁴ The DNS resource NAT table now tracks last inbound/outbound packet times along with FIN and RST flags, enabling proper observation of TCP shutdowns and faster cleanup of unconfirmed entries.¹⁵ A fix prevents outbound ICMP errors from being incorrectly routed through the tunnel.¹⁶

DNS Resolution Improvements

Several fixes improve DNS reliability. The portal hostname is now re-resolved on WebSocket connection failures, handling cases where the local IP stack or DNS records change during operation.¹⁷ Tunnelled DNS queries are now indexed by source socket in addition to server address and query ID, fixing issues where macOS sends queries with identical IDs from different sockets.¹⁸ DNS server ordering from the system configuration is now preserved.¹⁹

Apple MDM Enhancements

A new hideResourceList configuration option, accessible via MDM provisioning profiles, allows administrators to hide the resource list from end users who don't need visibility into available resources.²⁰

---

Footnotes

1. feat(connlib): support DoH ↩

2. feat(portal): extend DNS settings to allow for DoH providers ↩

3. feat(connlib): add HTTP2 client with pluggable sockets ↩

4. refactor(apple): Upgrade to Swift 6.2 with concurrency checks ↩

5. chore(apple): Enable Swift 6.2 Approachable Concurrency features ↩

6. refactor(apple): Convert IPCClient from actor to stateless enum ↩

7. refactor(apple): remove unsafe code instance ↩

8. refactor(apple): remove unsafe from Token ↩

9. fix(gui-client): use Wayland rendering backend on Linux ↩

10. feat(linux): compute device ID from /etc/machine-id ↩

11. feat(linux): automatically add user to firezone-client group ↩

12. feat(portal): add Debian/Ubuntu deployment tab ↩

13. ci: promote preview .deb to stable on release ↩

14. feat(gateway): extend ICE timeout ↩

15. feat(gateway): improve state tracking of DNS resource NAT ↩

16. fix(gateway): don't route outbound ICMP errors ↩

17. fix(connlib): re-resolve portal host on WS hiccup ↩

18. fix(connlib): index tunnelled DNS queries by source socket ↩

19. fix(connlib): retain order of system/upstream DNS servers ↩

20. feat(apple): config to hide resource list ↩