Firewalla's Custom DNS Rules let you locally override how certain domain names are resolved. Instead of using public DNS results, you can point a domain to a virtual IP address within your local network.
This is often needed by users with more complex networks, and can be very useful for redirecting traffic to internal services or custom endpoints.
This works for DNS record types 1 (A) and 28 (AAAA). Learn more about DNS Record Types.
Using Firewalla Custom DNS Rules
To create a Custom DNS Rule:
- On your box's main screen, tap the Services icon.
- Tap Custom DNS Rules > Add Custom DNS Rule.
- Enter a domain and the IP address you want it to resolve to.
- Tap Save.
By default, if you enter a top-level domain (TLD), subdomains will be included automatically. If needed, configure separate Custom DNS Rules for subdomains to point at different IPs.
Watch our video tutorial for more information.
Using the Command Line (For Advanced Users Only)
If you prefer to use the command line to configure your custom DNS configurations, you may use the instructions below.
NOTE:
- This is a technical doc for advanced users.
- This is not officially supported and is not guaranteed to work long term.
1. Create any file under ~/.firewalla/config/dnsmasq_local/
Example:
$ cat ~/.firewalla/config/dnsmasq_local/example
address=/example.com/1.2.3.4
Note that the configuration is applied globally. To give a per-domain upstream server precedence over the other upstream DNS servers, use server-high instead of server:
# Normal Priority
server=/dns-to-resolve.com/1.1.1.1
# High Priority
server-high=/dns-to-resolve.com/1.1.1.1
Likewise, you can alias a CNAME this way:
cname=alias1,alias2,alias3,target.example.com
where one or more aliases point to a single target domain.
2. Restart the Firewalla DNS service:
sudo systemctl stop firerouter_dns
sudo systemctl start firerouter_dns
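As an added example (not code from this article or from Firewalla), the following Python script checks address=, server=, server-high= and cname= lines in the dnsmasq_local syntax above before a file is dropped into place and the service restarted, and its resolve() function mimics dnsmasq's suffix matching, which is why a rule for example.com also answers for its subdomains unless a more specific rule exists. The sample config and its domains and IPs are constructed.

```python
import ipaddress
import re

# Constructed sample in the dnsmasq_local syntax described above, not from the article.
SAMPLE_CONFIG = """\
address=/example.com/10.0.0.5
address=/api.example.com/10.0.0.6
server=/dns-to-resolve.com/1.1.1.1
cname=alias1,alias2,target.example.com
"""
# One DNS label: 1-63 chars of a-z, 0-9 or '-', neither starting nor ending with '-'.
LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

def valid_domain(name):
    return all(LABEL.match(label) for label in name.lower().rstrip(".").split("."))

def parse_config(text):
    """Return (addresses, servers, cnames); raise ValueError on a malformed line."""
    addresses, servers, cnames = {}, {}, {}  # servers: domain -> (upstream IP, is_high)
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        key, _, value = line.partition("=")
        if key in ("address", "server", "server-high"):
            parts = value.split("/")
            if len(parts) != 3 or parts[0] or not valid_domain(parts[1]):
                raise ValueError(f"line {lineno}: expected {key}=/domain/ip")
            ip = str(ipaddress.ip_address(parts[2]))  # ValueError if not an A/AAAA address
            if key == "address":
                addresses[parts[1].lower()] = ip
            else:
                servers[parts[1].lower()] = (ip, key == "server-high")
        elif key == "cname":
            names = [n.strip().lower() for n in value.split(",")]
            if len(names) < 2 or not all(valid_domain(n) for n in names):
                raise ValueError(f"line {lineno}: expected cname=alias[,alias...],target")
            for alias in names[:-1]:
                cnames[alias] = names[-1]
        else:
            raise ValueError(f"line {lineno}: unsupported key {key!r}")
    return addresses, servers, cnames

def resolve(name, addresses):
    """Mimic dnsmasq address= matching: the longest matching domain suffix wins."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in addresses:
            return addresses[suffix]
    return None
```

Run parse_config over a file before restarting firerouter_dns to catch a typo that would otherwise only surface as a silently unanswered query.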
Reference:
https://wiki.archlinux.org/index.php/dnsmasq#Override_addresses
Comments
This is exactly what I needed to make my Nginx Proxy Manager configuration work. I need to map the external subdomains internally as aliases to existing devices (I'm not going to assign the external domain as the search/local domain).
My only comment is: be aware that you can repeat the line without having to modify the 'address' key. This is not clear, since the example has a single line. For example:
Be aware that you forward all hosts to a single host (NPM) and then it will take care of forwarding to the right host. This explains the repeated IP address above.
Right now I'm running NPM outside of my Firewalla (one change at a time). But this is an essential service and I plan to move it as a docker instance later.
Can someone help me with a suggestion?
I need DNS queries from a particular device on my LAN (known MAC and IP address) to be redirected to a specific DNS server.
How do I do this?
I know it's probably a longshot, but is there any way to make this work on all vlans/networks on my FWG without allowing it on a specific guest network/Vlan?
I mean technically Guest is segmented off on its own, but you can still do name or reverse lookups on that network and recon internal DNS if you're doing forwarding like the example.
Do you mean guest network people can do a random test for devices on the LAN side by guessing the domain name?
I guess ultimately what I am trying to achieve is to prevent guest or isolated work networks from resolving DNS of private internal clients or devices. Is there a way to achieve this without assigning those networks external DNS servers?
The "note" at the top should really have the changelog notes copy and pasted into this article and suggest HIGHLY that people attempt to use Custom DNS entries in the app BEFORE going the nuclear route of the SSH customizations.
Indeed.
However, the app still doesn't provide CNAME record editing, leaving one with SSH as the only option.