Supported on Firewalla Gold and Purple. Coming to Blue+ in 1.974.
In addition to DNS over HTTPS, Firewalla now supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver that runs locally on the Firewalla box, which helps improve your online privacy and security.
To learn more about Firewalla DNS Services, here is a detailed guide: DNS Services Introduction.
How does it work?
Unbound uses DNSSEC to validate DNS results and protect them from man-in-the-middle tampering. Because Unbound is itself a recursive DNS resolver, it connects to different authoritative DNS servers for different domains. No single public DNS server sees all of your DNS queries, which protects your privacy to a degree.
Note:
- Please be aware that Unbound doesn't encrypt DNS traffic. For DNS traffic encryption, you will need to use DNS over HTTPS.
- Unbound and DNS over HTTPS can't be used together.
How to enable Unbound?
Unbound is part of the DNS Service feature. To apply Unbound to your devices:
- Tap the DNS Service button at the bottom of the main page, turn on Unbound and select the devices/groups/networks to apply it to. Please note that any given device/group/network can only use one DNS service at a time.
- You can also go to the detail page of any device, tap "…" on the control button panel, tap DNS service, and select Unbound.
How to test Unbound?
Open the browser, visit https://dnsleaktest.com/
Run a standard test. If the IP in the test result is your public IP, Unbound is enabled. (DNS is queried directly from the Firewalla box to dnsleaktest.com's DNS server.)
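A second check that complements the leak test: a validating resolver such as Unbound sets the AD (Authenticated Data) flag on answers from DNSSEC-signed zones and returns SERVFAIL for zones whose signatures fail to validate, while a plain forwarder does neither. The script below is an added example, not Firewalla's own code: it builds a raw DNS query with the EDNS0 DO bit, classifies a reply from its header flags, and can send the query over UDP to an assumed resolver address such as the Firewalla box (the resolver IP and the test domain name are assumptions; the sample replies are constructed).

```python
import socket
import struct

# DNS header flag bits (RFC 1035 / RFC 4035) and the EDNS0 DO bit (RFC 6891).
AD_BIT = 0x0020      # Authenticated Data: the resolver DNSSEC-validated the answer
RCODE_MASK = 0x000F
SERVFAIL = 2
DO_BIT = 0x8000      # "DNSSEC OK" flag, carried in the OPT record's TTL field


def build_query(name: str, qid: int = 0x1234) -> bytes:
    """Build an A query (RD=1) with an EDNS0 OPT record whose DO bit is set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 1)  # 1 question, 1 additional (OPT)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    # OPT RR: root name, TYPE=41, CLASS=UDP payload size, TTL=ext-rcode/version/flags, RDLEN=0
    opt = b"\x00" + struct.pack("!HHIH", 41, 4096, DO_BIT, 0)
    return header + question + opt


def classify_response(resp: bytes) -> str:
    """Classify a reply by what its header says about DNSSEC validation."""
    _qid, flags, _qd, _an, _ns, _ar = struct.unpack("!HHHHHH", resp[:12])
    if flags & RCODE_MASK == SERVFAIL:
        return "servfail"      # how a validating resolver refuses a badly signed zone
    if flags & AD_BIT:
        return "validated"     # AD set: the resolver validated the chain of trust
    return "unvalidated"       # unsigned zone, or a resolver that does not validate


def query(name: str, resolver: str, timeout: float = 3.0) -> str:
    """Send the query over UDP port 53 to the resolver and classify the reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (resolver, 53))
        return classify_response(s.recv(4096))


# Constructed sample replies (only the 12-byte header matters to classify_response).
SAMPLE_VALIDATED = struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 1)    # QR RD RA AD, NOERROR
SAMPLE_SERVFAIL = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 1)     # QR RD RA, RCODE=2
SAMPLE_UNVALIDATED = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)  # QR RD RA, no AD

if __name__ == "__main__":
    # Assumed resolver address and test names; replace with your box IP and a signed domain.
    for n in ("dnssec-signed.example", "bogus-signature.example"):
        print(n, query(n, "192.168.1.1"))
```

Run it against the Firewalla box while Unbound is applied to your device: a signed domain should report "validated" and a deliberately bogus one "servfail"; with DNS over HTTPS applied instead, the same names usually come back "unvalidated".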
Dependencies on other features:
- DNS Booster must be turned on for Unbound to work.
- Any given device/group/network can only use one DNS service at a time: Unbound, DNS over HTTPS, or Family Protect. When settings conflict, the priority order is device > group > network > global.
- If your device is connected to a VPN with DNS over VPN enabled, no DNS feature, including Unbound, will work.
Comments
17 comments
Can we use Unbound together with Pi-Hole?
Or do we need to use a container that combines both and *not* use the embedded Unbound implementation?
Thanks in advance!
@Alex
It can't. The idea of unbound is not having any upstream DNS resolver between unbound and authoritative nameservers.
@Support Team: thanks for the swift response, I was rather thinking / hoping for a setup like this:
clients -> firewalla -> pi-hole -> unbound
where pi-hole uses unbound as DNS resolver (and indeed not the other way round).
I used to run this setup before, with pi-hole and unbound on separate raspberry pi devices, but would much rather have it all integrated on my FWP now, if possible at all, to ensure all FW functionality can be used.
Guess that only leaves the possibility not to use the Unbound that is now 'embedded' in Firewalla and use a container that contains both Pi-Hole and Unbound?
If so, could you please provide some support on how to do this? (another FW user started this topic: https://help.firewalla.com/hc/en-us/community/posts/1500001172701-Pihole-and-Unbound )
@Alex
Correct.
We have not tried PiHole + Unbound on Firewalla, I think it's better to leave it to the community to support it.
PiHole should already have good docs on how to work with Unbound. There may already be Docker containers out there supporting it.
Are you going to support setting custom forward-zones with DoH or DoT? It says you get DoH or Unbound, but Unbound supports DoH.
Does the Firewalla implementation of Unbound not support DoH? It seems like Unbound natively supports DoH as of 2020: https://medium.com/nlnetlabs/dns-over-https-in-unbound-c7a407e8480#:~:text=Using%20DNS%2Dover%2DHTTPS%20in%20Unbound&text=The%20port%20that%20Unbound%20will,the%20https%2Dport%20configuration%20option.&text=Queries%20to%20other%20paths%20will,the%20http%2Dendpoint%20configuration%20option.
DoH and Unbound are completely different things. DoH is the transport going to Unbound (a DNS server). Since unbound in your case is local, you don't need to use DoH to talk to it.
We're talking about forward-zones, using DoH upstream. Not client to Unbound.
@Robert,
May I know why you want this feature? Do you have a private zone?
For the same reason you offer DoH directly in Firewalla. Privacy and Security. I don't care if my internal clients use standard DNS but leaving my network I want encryption. By default Unbound uses the root servers and works its way from there, you don't need to specify a DNS server to forward requests to. Your DNS requests will hit unbound then get forwarded randomly to a DNS service on the internet. Unbound lets you specify forward-zones, including DoH and DoT. So if I wanted to combine Unbound and DoH I would just add a DoH forward-zone to Quad9 or Cloudflare. I'm really surprised this didn't occur to anyone. Especially since it was called out that you can not combine Unbound with DoH. You absolutely can, Firewalla just hasn't implemented it.
Then why not just use the DoH feature in the Firewalla app? It's the same as Unbound + DoH forwarding.
Either query DNS from different authoritative servers (Unbound with no forwarding): DNS requests are not encrypted, but no single DNS server has full access to your DNS requests.
Or query DNS from DoH servers (DoH): DNS requests are encrypted, but Quad9/Cloudflare can have the full history of your DNS requests.
Neither is perfect.
Just a couple of possible reasons:
(this is the main reason I run Unbound and Pi-Hole in Docker on my FWP)
Hope this helps :)
Just my 2 cents. Unbound will prevent DNS servers from having full access to ALL (history of) DNS requests, and DoH will encrypt DNS requests. It seems good in terms of security to me...
I currently use DoH, and love that feature. I would also love to limit the # of DNS requests to remote servers (and use a local network cache instead, such as the one used with Unbound feature) not only for security reasons, but also for the protection of the environment, limiting bandwidth use, and thus power consumption.
Hope this helps also :-)
Is there a way to see a resultant set of policy? For example, if I have rules set on a device, groups, networks and globally, how can I easily see what is being applied based on certain scenarios.
For example, it would be great to be able to specify a device, a target of some sorts (domain, for example) and see what is applied to traffic and why. I.e. if it's a rule on the device, the device group or globally.
Something similar to RSOP for Active Directory Group Policy - hence using that terminology.
@Darren
Thanks for the feedback, will forward to dev team to do some research on this.
Have Purple on Simple Mode (no DHCP server on Purple) - will turning on Unbound intercept all port 53 DNS requests, i.e., set and forget (no client setup needed)?
Currently have PiHole + Unbound on an RPi with some of the network traffic going through NextDNS and ControlD via DoH. With Unbound on FW (blocking all external DNS requests), I can turn off the one on the RPi.
@Rom, this is correct. No client setup is required.