Supported on Firewalla Gold, Purple, and Blue Plus.
In addition to DNS over HTTPS, Firewalla now supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver that runs locally on the Firewalla box, which helps improve your online privacy and security.
To learn more about Firewalla DNS Services, here is a detailed guide: DNS Services Introduction.
How does it work?
Unbound uses DNSSEC to validate DNS results, which protects them from tampering by man-in-the-middle attacks. Because Unbound itself is a recursive resolver, it contacts different DNS servers for different domains. No single public DNS server sees all of your DNS queries, which protects your privacy to a certain degree.
- Please be aware that Unbound doesn't encrypt DNS traffic. To encrypt DNS traffic, you will need to use DNS over HTTPS.
- Unbound and DNS over HTTPS can't be used together on the same device.
- You can use Unbound on some devices and DoH on others.
How to enable Unbound?
Unbound is part of the DNS Service feature. To apply Unbound to your devices:
- Tap the DNS Service button at the bottom of the main page, turn on Unbound, and select the devices/groups/networks to apply it to. Please note that any specific device/group/network can only have one DNS service applied at a time.
- You can also go to the detail page of any device, tap "…" on the control button panel, tap DNS service, and select Unbound.
Starting with the 1.52 app release, you can also send DNS requests over VPN instead of through your ISP to further protect your privacy by enabling Unbound over VPN. To use this feature, you must have a VPN Client connection configured on your Firewalla and be using Unbound. Read more about this feature in our 1.52 App Release Notes.
Can I use Unbound and DoH together?
For any given device, group, or network, these services are mutually exclusive. Just like rules, when there is a conflict, the priority of the different levels is device > group > network > global.
For example, in the screens below, if you apply Unbound to all devices and DoH to the device group IoT, then:
- On the IoT devices, DoH takes precedence over Unbound.
- Newly joined devices get Unbound automatically.
How to test Unbound?
Open the browser, visit https://dnsleaktest.com/
Run a standard test. If the IP in the test result is your public IP, Unbound is enabled (DNS is queried directly from the Firewalla box to dnsleaktest.com's DNS server).
Customize DNS service
Unbound may filter private IP addresses out of DNS answers. A workaround is to add the mapping manually on Firewalla. Guide: How to customize Firewalla DNS service
For users who are using Unraid or working with private domains, on box version 1.975 and above, you can add your configuration manually as a workaround.
In the included file under ~/.firewalla/config/unbound_local/, add:
server:
    private-domain: "myunraid.net"
This allows Unbound to return private IP addresses for that domain and its subdomains. Then restart your Unbound server:
sudo systemctl restart unbound
Dependencies with other features
- DNS Booster must be turned on for Unbound to work.
- Any specific device/group/network can only have one DNS service applied at a time, including Unbound, DNS over HTTPS, and Family Protect. When there is a conflict, the priority of the different levels is device > group > network > global.
- If your device is connected to a VPN with DNS over VPN enabled, no DNS features, including Unbound, will work.
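As an added illustration of the precedence rule (device > group > network > global) and the dependency rules above, the following Python resolves the DNS service in effect for a device. It is not Firewalla's own code; the Device and DnsPolicy structures and the sample device names are assumptions.

```python
# Added example, not Firewalla's code: which DNS service applies to a device under
# device > group > network > global plus the article's dependency rules (names assumed).
from dataclasses import dataclass, field
from typing import Optional

SERVICES = {"Unbound", "DoH", "Family Protect"}  # mutually exclusive per target

@dataclass
class Device:
    name: str
    group: Optional[str] = None
    network: str = "LAN"
    vpn_dns: bool = False  # connected to a VPN with DNS over VPN enabled

@dataclass
class DnsPolicy:
    global_service: Optional[str] = None
    networks: dict = field(default_factory=dict)  # network name -> service
    groups: dict = field(default_factory=dict)    # group name -> service
    devices: dict = field(default_factory=dict)   # device name -> service
    dns_booster: bool = True

def assign(level: dict, target: str, service: str) -> None:
    """Apply one service to a target; replaces any earlier choice at that level."""
    if service not in SERVICES:
        raise ValueError(f"unknown DNS service: {service}")
    level[target] = service

def effective_service(dev: Device, policy: DnsPolicy) -> Optional[str]:
    """Return the DNS service in effect for dev, or None if no DNS feature works."""
    # Dependencies: DNS Booster must be on, and DNS over VPN disables all DNS features.
    if not policy.dns_booster or dev.vpn_dns:
        return None
    # Most specific level wins: device > group > network > global.
    if dev.name in policy.devices:
        return policy.devices[dev.name]
    if dev.group is not None and dev.group in policy.groups:
        return policy.groups[dev.group]
    if dev.network in policy.networks:
        return policy.networks[dev.network]
    return policy.global_service

def demo() -> dict:
    """Constructed scenario from the article: Unbound globally, DoH on the IoT group."""
    policy = DnsPolicy(global_service="Unbound")
    assign(policy.groups, "IoT", "DoH")
    assign(policy.devices, "camera-2", "Family Protect")  # device-level override
    fleet = [Device("camera-1", group="IoT"), Device("camera-2", group="IoT"),
             Device("new-laptop")]
    return {d.name: effective_service(d, policy) for d in fleet}
```

Running demo() shows the IoT cameras on DoH (or the device-level override), while the newly joined laptop falls through to the global Unbound setting.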