DNS over HTTPS (DoH) is a protocol for performing remote Domain Name System (DNS) resolution via the HTTPS protocol. It is more secure than traditional DNS and helps protect user privacy.
You can learn more about Firewalla DNS Services here: DNS Services Introduction.
How does DoH work?
When you type a web address or domain name into your address bar, your browser sends a request over the Internet to look up the IP address for that website. Traditionally, this request is sent to servers over a plain text connection. This connection is not encrypted, making it easy for third parties to see what website you’re about to access.
DNS over HTTPS (DoH) works differently. It sends the domain name you typed to a DoH-compatible DNS server using an encrypted HTTPS connection instead of a plain text one. This prevents third parties from seeing what websites you are trying to access.
If DNS over HTTPS is enabled on Firewalla, your device will use the DoH server even if it has its own DNS server configured.
- DoH can be slower than traditional DNS queries due to the encryption.
- DoH will encrypt your DNS entries. If you have network security devices beyond Firewalla, they will not be able to see your DNS requests.
- If your router maps a domain name to a local IP address, you won't be able to resolve the domain name when DoH is on.
- DoH only encrypts the DNS query. The destination IP address in packet headers can still expose which servers you are talking to.
- Remember, DoH will only hide your queries from ISPs, not DoH providers.
- Some DoH services are not as stable as normal DNS servers. If you encounter problems while DoH is on, please try to change your DoH provider or turn DoH off and test again.
How do I enable DoH?
Tap on the "More" button on your Firewalla's main page, or go to "Settings" and tap on "Features". Tap on the "DNS Service" feature. DoH is disabled by default.
To enable DoH, toggle it on. You can select which devices to apply DoH to, and which server (Cloudflare, Google, Quad9, OpenDNS) will handle the DoH queries.
How do I check that DoH is working?
To test DoH, set your DoH settings to Cloudflare only (turn other servers off), then visit https://22.214.171.124/help. You should see something like this:
If you see something different, please check the following:
- Double-check that only Cloudflare is enabled– the test above is made by Cloudflare and only works if you are using the Cloudflare server. You can turn on other servers after the test.
- Be sure the device you're running the test on is being monitored by Firewalla and that you have included it in the DoH "Apply To" list.
- Double-check that DNS Booster is on (if you don't know what DNS Booster is, please disregard it).
Can I use DoH with other DNS services?
Firewalla also supports Unbound, which is a validating, recursive, caching DNS resolver that is installed locally on your box. Unbound prevents a single public DNS server from having all your DNS records, which helps increase your online privacy and security.
While you can't run DoH and Unbound at the same time on one device, you can enable both DoH and Unbound at the same time on different devices. For example, you can run DoH for your laptop while running Unbound for your tablet.
How to use Custom DoH Servers
You can also add customized DoH endpoints if you want to use a provider other than the defaults provided in the app. For example, in addition to simple, unfiltered DoH service, Cloudflare offers DoH with Filters for Malware and another for Malware and Pornography. You can add them by tapping "Servers", then tapping "Add Server." Give your new server a name, enter in the endpoint URL or stamp, then tap Save.
The same approach will work with OpenDNS' FamilyShield, using the following URL:
Dependencies with other features
- Family Protect in 3rd-Party mode may not work if DoH is on. This is because 3rd-Party Family Protect uses DNS services to filter out offensive content, which is incompatible with DoH. To be able to use Family Protect and DoH concurrently, you must use Family Protect Native, which blocks content directly from your Firewalla box. You can turn on Family Protect Native by tapping "Family" on your box's main page, then tapping on Family Protect. It should be in Native by default, but you can switch between 3rd-Party and Native by tapping "Mode".
- DNS Booster must be turned on for DoH to work.
Any plans to select a custom DoH server? So Users could for example use nextdns with own configuration.
Unlikely we will be supporting "any" DoH server. But supporting this one is on the roadmap for sure.
How does DoH work if you have a pihole running on the firewalla? How does it work if you have a pihole on the network (not on the firewalla)?
It won't work. DoH will encrypt all DNS traffic via HTTPS, pihole is not going to see these DNS requests.
it might be worth mentioning that DoH is categorized as "Proxy/Anonymizer" by various DNS providers and enabling DoH can conflict with some DNS filtering...
-> that's what happened to us since proxy/Anonymizer were filtered out from our OpenDNS profile... so all the requests over https to google/cloudlfare would get flagged by opendns.
Any update on NextDNS or how to configure the NextDNS CLI on the Firewalla Gold?
Ditto! PLEASE add NextDNS support. The limitations of an upstream PiHole are a real deal breaker. If youre not going to add NextDNS, please improve your built in adblocker.
It's a pity custom DoH endpoints won't be supported. CloudFlare teams is currently working over DNS and currently the only option is to use non encrypted DNS with firewalla.
Indeed, we ran into this issue as well when we realized that we can't use cloudflare team anymore with firewalla as the main gateway...
however, one can still bypass firewalla completely and just point the warp client to the team doh subdomain and the org team.
When multiple providers are selected in DOH settings, are they used in a round-robin rotation or is there a priority order?
Is there a specific recommendation for using just one vs more than one one at a time?
In terms of recommending one vs another...
until clouddlare team is properly supported, you might want o look into opendns as they allow you to customize rules and (unlike cloudflare which require infividual urls) the mapping between your network and their rule is based on your public facing IP address which you can update through a classic ddns client.
The rules allow to whitelist/blacklist themes (adult, violence, p2p...) or individual domains. They offer their service for free for non-profits and individuals.
Is there any update for NextDNS to be added to DoH? Or has this idea been abondened?
We are going to make DoH configurable. likely in 1.972 or 1.973
It sure would be handy to assign individual DOH servers to networks/devices. I know I asked about it in the past, but was curious if any headway had been made?
DoH configurable for multiple device groups would be great (instead of only one)
Is it still an issue with Family Protect not working if DOH is enabled?
It is still an issue, since DoH will divert DNS away from the one used in Family Protect. But likely in the future, we will completely move family protect local, so it will be work with DoH
Some of us are still hopeful for assigning individual DOH to networks/devices/vlans....
IOT gets its own set, Kids have their own... Work, etc. The workaround for me has been a multihomed dns server on each vlan to get around Firewalla's magic, but its obviously not ideal.
Please sign in to leave a comment.