DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. It is more secure than traditional DNS and helps protect user privacy.
To learn more about Firewalla DNS Services, here is a detailed guide: DNS Services Introduction.
How does it work?
When you type a web address or domain name into your address bar, your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third parties to see what website you’re about to access.
DNS over HTTPS (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties from seeing what websites you are trying to access.
If DNS over HTTPS is enabled on Firewalla, your device will use the DoH server even if it has its own DNS server configured.
A few important things to note:
- DoH can be slower than traditional DNS queries due to the encryption.
- DoH encrypts your DNS queries. If you have other network security devices downstream of Firewalla, they will no longer be able to inspect your DNS requests.
- If your router maps a domain name to a local IP address, you won't be able to resolve the domain name when DoH is on.
- DoH only encrypts the DNS query. The destination IP address in packet headers can still expose which servers you are talking to.
- Remember, DoH will only hide your queries from ISPs, not DoH providers.
- We have seen some DoH services that are not as stable as normal DNS servers. If you encounter problems, try changing the DoH provider, or turn the service off and test again.
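To make the "How does it work?" explanation and the note about packet headers concrete, here is an added example (not Firewalla's code or part of the original article) of what a DoH client actually puts inside the HTTPS connection: an ordinary DNS wire-format query (RFC 1035) carried as an RFC 8484 request body or base64url GET parameter, and the matching response parsed back into IP addresses. The Cloudflare endpoint URL is an assumption taken from public documentation, not from this page, and the response bytes are constructed locally so the script runs offline; the optional `send_query` helper is the only part that touches the network. The returned IP addresses are what then appear in packet headers once the browser connects, which is why DoH hides the query but not the destination.

```python
import base64
import struct
import urllib.request

# Media type mandated by RFC 8484 for DoH request and response bodies.
DOH_CONTENT_TYPE = "application/dns-message"
# Assumed endpoint (public Cloudflare DoH resolver); not taken from the page.
DEFAULT_ENDPOINT = "https://cloudflare-dns.com/dns-query"


def build_query(name, qtype=1, txid=0):
    """Build a DNS wire-format query for `name` (qtype 1 = A record).

    RFC 8484 recommends transaction ID 0 so identical questions produce
    identical HTTP bodies that caches can reuse; the TLS session, not the
    ID, provides integrity here."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN


def doh_get_url(endpoint, query):
    """RFC 8484 GET form: the query is base64url-encoded without '=' padding."""
    return endpoint + "?dns=" + base64.urlsafe_b64encode(query).rstrip(b"=").decode()


def _read_name(msg, off):
    """Decode a possibly compressed domain name starting at `off`."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:  # compression pointer (RFC 1035 section 4.1.4)
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            name, _ = _read_name(msg, ptr)
            labels.append(name)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def parse_a_records(msg):
    """Return (rcode, [IPv4 strings]) from a DNS wire-format response body."""
    _txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):               # skip the echoed question section
        _, off = _read_name(msg, off)
        off += 4                       # QTYPE + QCLASS
    ips = []
    for _ in range(an):
        _, off = _read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:  # A record
            ips.append(".".join(str(b) for b in rdata))
    return flags & 0x000F, ips


def constructed_response(name, ip):
    """Constructed sample of what a DoH server returns in the HTTP body:
    the question echoed back plus one A record pointing at `ip`."""
    question = build_query(name)[12:]
    header = struct.pack("!HHHHHH", 0, 0x8180, 1, 1, 0, 0)  # QR=1, RD=1, RA=1
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4)
    answer += bytes(int(octet) for octet in ip.split("."))
    return header + question + answer


def send_query(query, endpoint=DEFAULT_ENDPOINT, timeout=5):
    """POST the query over HTTPS (RFC 8484 POST form). Needs network access."""
    req = urllib.request.Request(
        endpoint, data=query, method="POST",
        headers={"Content-Type": DOH_CONTENT_TYPE, "Accept": DOH_CONTENT_TYPE},
    )
    with urllib.request.urlopen(req, timeout=timeout) as resp:
        return resp.read()


if __name__ == "__main__":
    q = build_query("example.com")
    print("GET form:", doh_get_url(DEFAULT_ENDPOINT, q))
    # Offline demonstration using the constructed response (192.0.2.1 is TEST-NET-1).
    print("Parsed:", parse_a_records(constructed_response("example.com", "192.0.2.1")))
```

Everything a third party on the path sees is a TLS session to the resolver's IP; the question and the answer above travel inside it. The DoH provider itself still sees both, which is the point made in the notes above.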
How to enable DoH?
Tap on the "More" button on the main page of Firewalla Box, or go to "Settings" -> "Features". Tap on the "DNS Service" feature. This feature is disabled by default.
To enable DoH, tap on the feature and toggle it on. You can select which devices to apply DoH to, and which server (Cloudflare, Google, Quad9, OpenDNS) will handle the DoH queries.
How to check DoH?
To test DNS over HTTPS, set your DoH settings to Cloudflare only (turn others off), then visit https://220.127.116.11/help. You should see something like this:
If you see problems with the test page, please check the following:
- Double-check your DoH settings and make sure only Cloudflare is checked. The test page is provided by Cloudflare, so it only reports success for Cloudflare's resolvers. You can turn the other providers back on after the test.
- Double-check that the DNS booster is on (if you don't know what this is, please disregard it).
- Be sure the device doing the test is being monitored by Firewalla and that you have included the device in the DoH "Apply To" list.
How to use Custom DoH Servers
You can also add customized DoH endpoints. If you want to use a provider other than the defaults offered in the app, use the custom DoH server option to add any DoH service you like. For example, in addition to its plain, unfiltered DoH service, Cloudflare offers a DoH endpoint that filters malware and another that filters malware and pornography. You can add them to Firewalla like so:
The same approach will work with OpenDNS' FamilyShield:
Dependencies with other features:
- Family Protect in 3rd-Party mode may not work if DoH is on. Family Protect in 3rd-Party mode relies on an external filtering DNS service to block violent and pornographic content, and DoH bypasses that service. To use Family Protect and DoH together, switch to Family Protect Native, which enforces the blocks on the Firewalla box itself without the queries leaving your network. Turn on Family Protect Native by tapping Family on your box's main page and then tapping Family Protect. It should be in Native mode by default, but you can switch between 3rd-Party and Native by tapping Mode.
- DNS Booster must be turned on for DoH to work.