DNS over HTTPS (DoH)

Comments

18 comments

  • Alex

    Any plans to select a custom DoH server? So users could, for example, use NextDNS with their own configuration.

    4
  • Firewalla

    Unlikely we will be supporting "any" DoH server. But supporting this one is on the roadmap for sure.

    2
  • @3rm@k

    How does DoH work if you have a Pi-hole running on the Firewalla? How does it work if you have a Pi-hole on the network (not on the Firewalla)?

    0
  • Firewalla

    It won't work. DoH will encrypt all DNS traffic via HTTPS; Pi-hole is not going to see these DNS requests.

    0
  • FF

    It might be worth mentioning that DoH is categorized as "Proxy/Anonymizer" by various DNS providers, and enabling DoH can conflict with some DNS filtering...

    -> That's what happened to us, since Proxy/Anonymizer was filtered out from our OpenDNS profile... so all the requests over HTTPS to Google/Cloudflare would get flagged by OpenDNS.

    0
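The two points above from Firewalla (a Pi-hole cannot see DoH queries) and from FF (a filter can still block DoH by classifying the resolver endpoint) can be shown concretely. The block below is an added example, not Firewalla's, Pi-hole's or OpenDNS's code: it encodes a DNS query in the RFC 8484 GET form, then runs a small model of an on-path filter over constructed flow records. The flow-record shape, the `SAMPLE_FLOWS` traffic and the `block_doh_endpoints` flag are assumptions made for the example; the resolver host names in `DOH_RESOLVERS` are the public DoH endpoints of Cloudflare, Google and Quad9. Nothing is sent over the network.

```python
"""Added example, not Firewalla's or Pi-hole's code. Shows (1) how a DoH
query is encoded on the wire per RFC 8484 and (2) why a filter inspecting
port-53 traffic never sees the names inside DoH, while a filter that
classifies the resolver endpoint can still block the whole channel.
Runs offline."""
import base64
import struct

# Public DoH endpoints (Cloudflare, Google, Quad9). A gateway can see the TLS
# SNI for these flows but not the DNS question carried inside them.
DOH_RESOLVERS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}


def build_dns_query(name: str, qtype: int = 1, txid: int = 0) -> bytes:
    """Minimal RFC 1035 wire-format query. qtype 1 = A, class IN.
    RFC 8484 recommends txid 0 so identical queries are HTTP-cacheable."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags: RD set
    qname = b""
    for label in name.rstrip(".").split("."):
        qname += struct.pack("B", len(label)) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_qname(packet: bytes) -> str:
    """Read the question name back out of a wire-format DNS packet."""
    labels, pos = [], 12  # question section starts after the 12-byte header
    while packet[pos] != 0:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    return ".".join(labels)


def doh_get_url(resolver_url: str, query: bytes) -> str:
    """RFC 8484 GET form: the query goes in ?dns= as unpadded base64url.
    Everything after the host name travels inside TLS."""
    encoded = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{resolver_url}?dns={encoded}"


def filter_view(flows, block_doh_endpoints=False):
    """Model of what an on-path filter can act on. Flow records are a
    constructed shape for this example: dict(proto, dport, sni, payload).
    Returns (names it can evaluate, DoH endpoints whose queries are opaque,
    flows it would block when DoH endpoints are put in a blocked category)."""
    visible, opaque, blocked = [], [], []
    for f in flows:
        if f["proto"] == "udp" and f["dport"] == 53:
            visible.append(parse_qname(f["payload"]))  # a Pi-hole sees this
        elif f["proto"] == "tcp" and f["dport"] == 443 and f["sni"] in DOH_RESOLVERS:
            opaque.append(f["sni"])  # the queried name is inside TLS
            if block_doh_endpoints:  # "Proxy/Anonymizer"-style category block
                blocked.append(f["sni"])
    return visible, opaque, blocked


# Constructed sample traffic: one plain query and one DoH flow.
SAMPLE_FLOWS = [
    {"proto": "udp", "dport": 53, "sni": None,
     "payload": build_dns_query("ads.example.net")},
    {"proto": "tcp", "dport": 443, "sni": "cloudflare-dns.com",
     "payload": b"<TLS application data>"},  # the DoH GET is encrypted here
]

if __name__ == "__main__":
    q = build_dns_query("www.example.com")
    print(doh_get_url("https://cloudflare-dns.com/dns-query", q))
    print(filter_view(SAMPLE_FLOWS, block_doh_endpoints=True))
```

The first print reproduces the encoding from RFC 8484 section 4.1.1 (the same `dns=` value the RFC shows for `www.example.com`). The second shows the asymmetry behind this thread: the port-53 query yields a name the filter can allow or block, while the DoH flow yields only the resolver's SNI, so the filter's choices are to pass it blind or block the resolver outright.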
  • Dave Kellermanns

    Any update on NextDNS or how to configure the NextDNS CLI on the Firewalla Gold?

    4
  • Jay Carter

    Ditto! PLEASE add NextDNS support. The limitations of an upstream Pi-hole are a real deal breaker. If you're not going to add NextDNS, please improve your built-in ad blocker.

    3
  • TiPoK

    It's a pity custom DoH endpoints won't be supported. Cloudflare Teams currently works over DNS, and currently the only option is to use unencrypted DNS with Firewalla.

    1
  • FF

    Indeed, we ran into this issue as well when we realized that we can't use Cloudflare Teams anymore with Firewalla as the main gateway...

    However, one can still bypass Firewalla completely and just point the WARP client to the Teams DoH subdomain and the org team.

    0
  • Leonid Makarov

    When multiple providers are selected in DoH settings, are they used in a round-robin rotation or is there a priority order?

    Is there a specific recommendation for using just one vs. more than one at a time?

    0
  • FF

    In terms of recommending one vs. another...

    Until Cloudflare Teams is properly supported, you might want to look into OpenDNS, as they allow you to customize rules and (unlike Cloudflare, which requires individual URLs) the mapping between your network and their rules is based on your public-facing IP address, which you can update through a classic DDNS client.

    The rules allow you to whitelist/blacklist themes (adult, violence, P2P...) or individual domains. They offer their service for free for non-profits and individuals.

    0
  • Abbas Jaffar Ali

    Is there any update for NextDNS to be added to DoH? Or has this idea been abandoned?

    0
  • Firewalla

    We are going to make DoH configurable. Likely in 1.972 or 1.973.

    1
  • Hoby Brenner

    It sure would be handy to assign individual DoH servers to networks/devices. I know I asked about it in the past, but was curious if any headway had been made?

    0
  • PotatoHead

    DoH configurable for multiple device groups would be great (instead of only one)

    1
  • Shimmy

    Is it still an issue with Family Protect not working if DoH is enabled?

    bks

    0
  • Firewalla

    It is still an issue, since DoH will divert DNS away from the one used in Family Protect. But likely in the future we will completely move Family Protect local, so it will work with DoH.

    0
  • Hoby Brenner

    Some of us are still hopeful for assigning individual DoH to networks/devices/VLANs....

    IoT gets its own set, kids have their own... work, etc. The workaround for me has been a multihomed DNS server on each VLAN to get around Firewalla's magic, but it's obviously not ideal.

    1