Your Firewalla has a built-in DNS server. This DNS server can be used to resolve a domain name, such as firewalla.com, to its IP address. You can also use Firewalla's DNS server to resolve a local domain (that's only significant on your network) to a local IP. If you want to access any devices locally, you can use its domain name.
- Each of your devices will have two names. One is a local domain name, and the other is a search domain name. Both of these can be used together.
For example:
## Local domain

```
% nslookup iphone.lan
Server:    192.168.151.1
Address:   192.168.151.1#53

Name:      iphone.lan
Address:   192.168.151.103
```
## Search Domain

```
% nslookup iphone.firewalla
Server:    192.168.151.1
Address:   192.168.151.1#53

Name:      iphone.firewalla
Address:   192.168.151.103
```
What can a local domain name be used for?
- Easily access your LAN devices by a friendly name. For example: use mynas.lan for a NAS storage unit.
What are some valid domains to use?
Please do not use public domain names such as .com, .co, or .google.com as your local domain; doing so will cause name-resolution issues on your network.
As a reference from https://www.rfc-editor.org/rfc/rfc6762#appendix-G, the following top-level domains can be used on private internal networks:
.intranet, .internal, .private, .corp, .home, .lan
## Local Domain
Local domains are configured globally, meaning you can access them from any network segment. They may look something like iphone.lan, mypad.lan, etc. The domain here is ".lan." The domain is configurable, and you get one per Firewalla box.
- The local domain suffix cannot be changed on Firewalla Red, Blue, and Blue Plus. The default domain name is ".lan".
To see your device's local domain: Devices list -> any Device -> scroll down to find Local Domain -> Domain Name
## Search Domain
The search domain is specific to each network segment. You can give different networks different domain names, such as mydevice.iot, mypad.home, etc. For example, you could rename your subdomains to .lan1, .lan2, .lan3, etc.
- Search domain is not supported on Firewalla Red, Blue, and Blue Plus.
To see your device's search domain: Network Manager -> any Local Network -> scroll down to find Search Domain
What's the difference?
- Local domain: All devices share the same local domain name. If you change the local domain name on one device, it will change for all devices.
- Search domain: Different local networks use different search domain names, managed by a DHCP service. Changing the search domain on one local network won't affect devices in other networks, but will affect devices in the same local network.
FAQ:
Why are local domain requests forwarded to upstream DNS?

```sh
# replace "lan" below with your own local domain suffix
# 127.0.0.2 is just an IP that is not reachable; any unreachable IP is fine.
echo "local=/lan/127.0.0.2" >> /home/pi/.firewalla/config/dnsmasq_local/no_lan_forward
# use stop and start instead of restart to clean up resources correctly
sudo systemctl stop firerouter_dns
sudo systemctl start firerouter_dns
```
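To see why the line above keeps ".lan" queries off the upstream resolver, here is an added example (not Firewalla's or dnsmasq's own code) that models dnsmasq's `server=`/`local=` suffix matching: a query is sent to the address of the longest matching domain suffix, and with no match it goes upstream. The sample config, the `corp.example` rule and the query names are constructed for illustration.

```python
from typing import Dict, Optional

def parse_dnsmasq_rules(config_text: str) -> Dict[str, Optional[str]]:
    """Parse `server=/<domain>/[addr]` and `local=/<domain>/[addr]` lines.

    Returns suffix -> target address. None means no address was given
    (e.g. `local=/lan/`), i.e. answer locally and never forward.
    Comments and unrelated options are ignored.
    """
    rules: Dict[str, Optional[str]] = {}
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        if key not in ("server", "local") or not value.startswith("/"):
            continue
        _, domain, addr = value.split("/", 2)
        rules[domain.lower().strip(".")] = addr.strip() or None
    return rules

def resolve_target(name: str, rules: Dict[str, Optional[str]]) -> str:
    """Return where a query for `name` would be sent.

    dnsmasq picks the longest matching domain suffix; a name matching no
    rule is forwarded to the default upstream resolver.
    """
    labels = name.lower().rstrip(".").split(".")
    # try the whole name first, then progressively shorter suffixes
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in rules:
            addr = rules[suffix]
            return "local-only" if addr is None else addr
    return "upstream"

# Constructed sample: the FAQ's sinkhole rule plus a hypothetical forward rule.
SAMPLE_CONFIG = """
# replace lan below with your own local domain suffix
local=/lan/127.0.0.2
server=/corp.example/10.0.0.53
"""

def classify(config_text: str = SAMPLE_CONFIG) -> Dict[str, str]:
    """Map a few query names to their resolver target under the config."""
    rules = parse_dnsmasq_rules(config_text)
    names = ("iphone.lan", "eva.ecobee.com.lan", "firewalla.com", "host.corp.example")
    return {n: resolve_target(n, rules) for n in names}
```

Note that a name like `eva.ecobee.com.lan` (a search-suffix-appended query of the kind discussed in the comments) also matches the `lan` rule, so it is sinkholed rather than leaked upstream.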
Comments
Glad that you clarified this. I was always confused between the two. Also glad that it's going away in the future
This says to create a file under /home/pi/.firewalla/config/dnsmasq_local but the code says to echo to a folder.... Which is it?
Or should it be:
Does this allow multiple search domains?
@James - you can create any file in /home/pi/.firewalla/config/dnsmasq_local. You have to add one line per search domain you want to filter.
Example of /home/pi/.firewalla/config/dnsmasq_local/staylocal
@Firewalla - another related issue is that the Firewalla uses upstream DNS for reverse lookups of local addresses. Any suggestions on how to stop this as well?
I think that it is important to point out that in order for search and local domain names for devices to be resolved, DNS Booster must be enabled to allow Firewalla to intercept DNS requests and resolve those names.
An example scenario that can come up is if you decide to use Pi-hole as your DNS server and you turn off DNS Booster because you want Pi-hole to log DNS requests from individual clients on your network. This will break the resolution of <device>.lan names. With DNS Booster enabled, all DNS requests go first to Firewalla and Pi-hole only sees one client, Firewalla. You have to choose between those 2 configurations.
I just wanted to let people know that adding this Firewalla DNS configuration setting broke my ecobee4 Alexa voice service functionality.
ecobee4 seems to be making DNS queries to eva.ecobee.com.lan for some reason and they might need to go through to a real DNS server even though the DNS response is NXDOMAIN (invalid domain). Not sure if someone has an explanation about this?
@Alak,
It sounds like you have a DNS problem if your Ecobee is trying to resolve domains with .lan appended as the TLD. I'll have to test this with my Ecobee thermostat; I didn't bother creating dnsmasq entries for search domains after I upgraded to 20.04. You should probably open a ticket with support so they can review.
@Matt I do have a support ticket open on this but there doesn't seem to be an explanation.
I would ask that if Firewalla ever implements a feature to block unsupported local search domain requests that there should be a way to disable this either globally or per device to avoid breaking connections with some badly behaving devices like this.
For local domain requests being forwarded to AdGuard Home, the following Custom Rewrite Rule works:
||*.lan^$client=FirewallaIP,dnsrewrite=NXDOMAIN;;
Seems like "will be fixed in a future release" should read "we might be able to fix this somewhere down the road, and will try, but no guarantees" based on the dates of the comments on the article.
Some browsers may have their own DNS setting. Took me a while to figure out that Android Chrome's DNS setting was set to Cloudflare, when everywhere else on my phone it was set to Firewalla's. It's probably worth mentioning in the article.