DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. It uses HTTPS to encrypt the data between the DoH client and the DoH-based DNS resolver, preventing eavesdropping and manipulation of DNS data through man-in-the-middle attacks. It is more secure than the traditional DNS and helps protect user privacy.
When you type a web address or domain name into your address bar, your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third parties to see what website you’re about to access.
DNS over HTTPS (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties from seeing what websites you are trying to access.
Firewalla's implementation enables devices under Firewalla monitoring (or connected to the overlay network) to use DoH, even if the client is configured to use a different DNS server.
A few important things to note:
- DoH can be slower than traditional DNS queries, because of the encryption overhead.
- DoH encrypts your DNS queries. If you have network security devices beyond Firewalla, they will not be able to see the DNS requests.
- If your router maps a domain name to a local IP address, you won't be able to resolve that domain name while DoH is on.
- DNS over HTTPS is not perfect: although it takes more effort, the destination IP address of your connections can still reveal which server(s) you are talking to.
- Remember, DNS over HTTPS only hides your queries from your ISP, NOT from the DNS over HTTPS provider.
- We have seen that some DoH services are not as stable as normal DNS servers. If you encounter problems, try changing the DoH provider, or turn off the feature and test again.
How to enable DoH?
Tap the "More" button on the main page of the Firewalla Box, or go to "Settings" -> "Features", and you'll find the "DNS over HTTPS" feature. It is disabled by default.
To enable "DNS over HTTPS", tap the feature and switch on its toggle. You'll have to select which devices it applies to, and which server (Cloudflare, Google, Quad9, OpenDNS) should handle the DoH queries.
How to check DoH?
To test DNS over HTTPS, set the DNS over HTTPS settings to Cloudflare only (turn the others off), then visit https://1.1.1.1/help
If the test page reports problems, please check the following:
- Double-check the DoH settings and make sure only Cloudflare is selected; the test page is run by Cloudflare. You can turn the other providers back on after the test.
- Double-check that DNS Booster is on. (If you don't know what this is, ignore this step.)
- Make sure the device doing the test is being "monitored" by Firewalla.
Dependencies with other features:
- Family mode may not work if DoH is on.
- DNS Booster must be turned on for DoH to work.
Comments
Any plans to select a custom DoH server? So users could, for example, use NextDNS with their own configuration.
Unlikely we will be supporting "any" DoH server. But supporting this one is on the roadmap for sure.
How does DoH work if you have a pihole running on the firewalla? How does it work if you have a pihole on the network (not on the firewalla)?
It won't work. DoH will encrypt all DNS traffic via HTTPS, pihole is not going to see these DNS requests.
It might be worth mentioning that DoH is categorized as "Proxy/Anonymizer" by various DNS providers and enabling DoH can conflict with some DNS filtering...
-> That's what happened to us since Proxy/Anonymizer were filtered out from our OpenDNS profile... so all the requests over HTTPS to Google/Cloudflare would get flagged by OpenDNS.
Any update on NextDNS or how to configure the NextDNS CLI on the Firewalla Gold?
Ditto! PLEASE add NextDNS support. The limitations of an upstream PiHole are a real deal breaker. If you're not going to add NextDNS, please improve your built-in adblocker.
It's a pity custom DoH endpoints won't be supported. Cloudflare Teams is currently working over DNS and currently the only option is to use non-encrypted DNS with Firewalla.
Indeed, we ran into this issue as well when we realized that we can't use cloudflare team anymore with firewalla as the main gateway...
However, one can still bypass Firewalla completely and just point the WARP client to the team DoH subdomain and the org team.
When multiple providers are selected in DoH settings, are they used in a round-robin rotation or is there a priority order?
Is there a specific recommendation for using just one vs more than one at a time?
In terms of recommending one vs another...
Until Cloudflare Teams is properly supported, you might want to look into OpenDNS as they allow you to customize rules and (unlike Cloudflare, which requires individual URLs) the mapping between your network and their rules is based on your public-facing IP address, which you can update through a classic DDNS client.
The rules allow you to whitelist/blacklist themes (adult, violence, p2p...) or individual domains. They offer their service for free for non-profits and individuals.