Supported on Firewalla Gold, Purple, and Blue Plus.
In addition to DNS over HTTPS, Firewalla supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver that runs locally on the Firewalla box and improves your online privacy and security.
You can learn more about Firewalla's other DNS Services here: DNS Services Introduction.
How does Unbound work?
Unbound uses DNSSEC to validate DNS results, so forged or tampered answers (for example, from a man-in-the-middle) are rejected for zones that are DNSSEC-signed. Because Unbound is itself a recursive resolver, it does not hand your queries to a single upstream resolver: it resolves each name by walking from the root servers to the TLD servers to the zone's authoritative servers. No single public DNS provider sees your complete query history, which protects your privacy.
Please note:
- Unbound doesn't encrypt DNS traffic: the queries from the box to the root, TLD, and authoritative servers travel in plaintext, so your ISP can still observe them. For DNS traffic encryption, you will need to use DNS over HTTPS.
- Unbound and DNS over HTTPS can't be used on the same device at the same time, but you can use Unbound on some devices and DoH on others.
- If you enable Unbound over VPN, all your DNS requests will be sent over the VPN Client of your choosing, but all of your content will still go directly over your ISP connection.
How do I enable Unbound?
To apply Unbound to your devices, tap Services on your box's main page, toggle Unbound on, and then select the devices, groups, or networks to apply it to.
You can also go to the detail page of any device, tap "…" on the control button panel, tap "DNS Service", and select Unbound.
You can also send DNS requests over VPN instead of your ISP to protect your privacy further. To enable Unbound over VPN, you must have a VPN Client connection configured on your Firewalla and be using Unbound. Watch our video tutorial for more details.
How do I check that Unbound is working?
Open your browser and visit https://dnsleaktest.com/.
Run a standard test. If the DNS server IP shown in the result is your own public IP, Unbound is working: the Firewalla box is performing the recursion itself and contacting dnsleaktest's authoritative name server directly, rather than going through a third-party resolver.
How to configure a custom DNS service
By default, Unbound strips private (RFC 1918) addresses from answers for public names, as protection against DNS rebinding, so services that publish private addresses under a public domain (such as Unraid's myunraid.net or Plex's plex.direct) will not resolve. A workaround is to map the private IP manually on Firewalla: you can follow the method in this guide, or you can add a Custom DNS Entry Rule via the app. Watch our video tutorial for more details.
For users who use Unraid or work with private domains, you can add the configuration manually on box version 1.975 and above. In a file under ~/.firewalla/config/unbound_local/, add:
server:
    private-domain: "myunraid.net"
then restart your Unbound server:
sudo systemctl restart unbound
For users who use Plex, you can configure your box to allow plex.direct names to resolve to private IP addresses. For example, add the following to a file ~/.firewalla/config/unbound_local/plex.direct:
server:
    private-domain: "plex.direct"
If you're using both Unraid and Plex, you can add both mappings in the same file, under a single server: block:
server:
    private-domain: "myunraid.net"
    private-domain: "plex.direct"
Remember to restart your Unbound server after making and saving any edits. A syntax error in this file will stop Unbound from starting, so check the service with sudo systemctl status unbound after the restart.
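The two checks above (that the box is doing its own recursion, and that a private-domain entry lets a zone answer with private addresses) can be made more rigorous by asking the resolver directly. The script below is an added example, not Firewalla's or NLnet Labs' code. It assumes the Firewalla LAN address is 192.168.1.1, uses isc.org as a DNSSEC-signed canary and dnssec-failed.org as a deliberately broken one, and host.plex.direct is a hypothetical name under a private-domain entry. It builds a raw DNS query with the EDNS0 DO bit set, then reads the AD flag and RCODE from the reply: a validating Unbound sets AD for the signed zone and returns SERVFAIL for the broken one, and the address check shows whether the private-domain entry took effect.

```python
"""Added example (not Firewalla's or NLnet Labs' code): query a resolver with
the DNSSEC OK (DO) bit and inspect the reply header, to confirm that it is
validating (AD set on signed zones, SERVFAIL on a broken one) rather than
only confirming, as dnsleaktest does, which box performs the recursion.
Standard library only."""
import ipaddress
import socket
import struct

RESOLVER = "192.168.1.1"   # assumption: the Firewalla LAN/gateway address
TIMEOUT_S = 3.0
QUERY_ID = 0x1234
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN"}


def build_query(qname: str, qid: int = QUERY_ID, dnssec_ok: bool = True) -> bytes:
    """Single-question UDP query for an A record, RD=1. With dnssec_ok an
    EDNS0 OPT record carries the DO bit, so a validating resolver sets AD."""
    arcount = 1 if dnssec_ok else 0
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, arcount)
    labels = b"".join(bytes([len(part)]) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    question = labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN
    opt = b""
    if dnssec_ok:
        # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL field =
        # ext-rcode(8) | version(8) | flags(16) with DO = 0x8000, RDLEN = 0
        opt = b"\x00" + struct.pack("!HHIH", 41, 4096, 0x00008000, 0)
    return header + question + opt


def _skip_name(data: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:      # compression pointer: 2 bytes, ends the name
            return off + 2
        off += 1 + length


def parse_response(data: bytes) -> dict:
    """Decode the header flags and collect IPv4 addresses from the answer section."""
    qid, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", data[:12])
    off = 12
    for _ in range(qdcount):
        off = _skip_name(data, off) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(ancount):
        off = _skip_name(data, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:            # A record
            addrs.append(str(ipaddress.IPv4Address(data[off:off + 4])))
        off += rdlen
    return {
        "id": qid,
        "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
        "ad": bool(flags & 0x0020),              # Authenticated Data flag
        "addresses": addrs,
        "all_private": bool(addrs) and all(ipaddress.ip_address(a).is_private for a in addrs),
    }


def query(qname: str, resolver: str = RESOLVER) -> dict:
    """Send one query over UDP and parse the reply (raises socket.timeout)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(TIMEOUT_S)
        sock.sendto(build_query(qname), (resolver, 53))
        data, _ = sock.recvfrom(4096)
    result = parse_response(data)
    if result["id"] != QUERY_ID:
        raise ValueError("response ID does not match the query")
    return result


def verdict(signed: dict, broken: dict) -> str:
    """Interpret the two canary replies."""
    if signed["ad"] and broken["rcode"] == "SERVFAIL":
        return "validating"
    if signed["ad"]:
        return "AD set, but the broken zone was not rejected: something else may be answering"
    return "not validating (no AD flag): forged upstream answers would be accepted"


# Constructed sample reply (not captured from a real resolver): ID 0x1234,
# flags 0x81A0 = QR|RD|RA|AD, one question, one A answer 10.0.0.5 whose name
# is a compression pointer (0xC00C) back to the question.
SAMPLE_QUESTION = build_query("host.plex.direct", dnssec_ok=False)[12:]
SAMPLE_RESPONSE = (struct.pack("!HHHHHH", QUERY_ID, 0x81A0, 1, 1, 0, 0)
                   + SAMPLE_QUESTION
                   + b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, 300, 4)
                   + bytes([10, 0, 0, 5]))

if __name__ == "__main__":
    # Assumed canaries: isc.org is DNSSEC-signed; dnssec-failed.org is a
    # deliberately broken test zone. host.plex.direct is hypothetical.
    good = query("isc.org")
    bad = query("dnssec-failed.org")
    print("signed zone:", good)
    print("broken zone:", bad)
    print("verdict:", verdict(good, bad))
    priv = query("host.plex.direct")
    print("private zone answered with RFC 1918 addresses only:", priv["all_private"])
```

Run it from a device that has Unbound applied. dnsleaktest only shows which resolver reached its servers; the AD flag is what shows validation is actually on. If the query for the broken zone comes back NOERROR, something between the client and Unbound (a VPN DNS setting, or another service) is answering instead, and if the private-zone query returns no addresses at all, the private-domain entry has not taken effect.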
Dependencies with other features
While you can't run two different DNS services at the same time on one device, you can enable different DNS services at the same time on different devices. For example, you can run DoH for your laptop while running Unbound for your tablet.
DNS Booster must be turned on for any of Firewalla's DNS services to work.
- DNS over HTTPS (DoH) is a protocol that carries DNS queries inside encrypted HTTPS connections. It is more secure than traditional plaintext DNS and helps protect user privacy.
- Family Protect in 3rd-Party mode uses DNS services to filter out offensive content, which is incompatible with DoH. To be able to use Family Protect and DoH concurrently, you must use Family Protect Native, which blocks content directly from your Firewalla box. You can turn on Family Protect Native by tapping Family on your box's main page, and then tapping on Family Protect. It should be in Native Mode by default, but you can switch between 3rd-Party and Native by tapping Mode.
- If your device is connected to a VPN with DNS over VPN enabled, any DNS features including Unbound will not work.
When a device has multiple DNS services configured, the priority of different configurations is device-level > group-level > network-level > global.
Comments
Can we use Unbound together with Pi-Hole?
Or do we need to use a container that combines both and *not* use the embedded Unbound implementation?
Thanks in advance!
@Alex
It can't. The idea of unbound is not having any upstream DNS resolver between unbound and authoritative nameservers.
@Support Team: thanks for the swift response, I was rather thinking / hoping for a setup like this:
clients -> firewalla -> pi-hole -> unbound
where pi-hole uses unbound as DNS resolver (and indeed not the other way round).
I used to run this setup before, with pi-hole and unbound on separate raspberry pi devices, but would much rather have it all integrated on my FWP now, if possible at all, to ensure all FW functionality can be used.
Guess that only leaves the possibility not to use the Unbound that is now 'embedded' in Firewalla and use a container that contains both Pi-Hole and Unbound?
If so, could you please provide some support on how to do this? (another FW user started this topic: https://help.firewalla.com/hc/en-us/community/posts/1500001172701-Pihole-and-Unbound )
@Alex
Correct.
We have not tried PiHole + Unbound on Firewalla, I think it's better to leave it to the community to support it.
PiHole should already have good docs on how to work with unbound. There may already have docker containers out there supporting it.
Are you going to support setting custom forward-zones with DoH or DoT? Says you get DoH or Unbound but unbound supports DoH.
Does the Firewalla implementation of Unbound not support DoH? It seems like Unbound natively supports DoH as of 2020: https://medium.com/nlnetlabs/dns-over-https-in-unbound-c7a407e8480#:~:text=Using%20DNS%2Dover%2DHTTPS%20in%20Unbound&text=The%20port%20that%20Unbound%20will,the%20https%2Dport%20configuration%20option.&text=Queries%20to%20other%20paths%20will,the%20http%2Dendpoint%20configuration%20option.
DoH and Unbound are completely different things. DoH is the transport going to Unbound (a DNS server). Since unbound in your case is local, you don't need to use DoH to talk to it.
We're talking about forward-zones, using DoH upstream. Not client to Unbound.
@Robert,
May I know why you want this feature? Do you have a private zone?
For the same reason you offer DoH directly in Firewalla. Privacy and Security. I don't care if my internal clients use standard DNS but leaving my network I want encryption. By default Unbound uses the root servers and works its way from there, you don't need to specify a DNS server to forward requests to. Your DNS requests will hit unbound then get forwarded randomly to a DNS service on the internet. Unbound lets you specify forward-zones, including DoH and DoT. So if I wanted to combine Unbound and DoH I would just add a DoH forward-zone to Quad9 or Cloudflare. I'm really surprised this didn't occur to anyone. Especially since it was called out that you can not combine Unbound with DoH. You absolutely can, Firewalla just hasn't implemented it.
Then why not just use DoH feature in Firewalla app? It's the same as unbound + DoH forwarding.
Either query DNS from different authoritative servers (unbound with no forwarding): DNS requests are not encrypted, but no single DNS server has full access of DNS requests.
Or query DNS from DoH servers (DoH): DNS requests are encrypted, but quad9/cloudflare can have full history of your DNS requests.
None of them is perfect.
Just a couple of possible reasons:
(this is the main reason I run Unbound and Pi-Hole in Docker on my FWP)
Hope this helps :)
Just my 2 cents. Unbound will prevent DNS servers from having full access to ALL (history) DNS requests, and DoH will encrypt DNS requests. It seems good in terms of security to me...
I currently use DoH, and love that feature. I would also love to limit the # of DNS requests to remote servers (and use a local network cache instead, such as the one used with Unbound feature) not only for security reasons, but also for the protection of the environment, limiting bandwidth use, and thus power consumption.
Hope this helps also :-)
Is there a way to see a resultant set of policy? For example, if I have rules set on a device, groups, networks and globally, how can I easily see what is being applied based on certain scenarios.
For example, it would be great to be able to specify a device, a target of some sorts (domain, for example) and see what is applied to traffic and why. I.e. if it's a rule on the device, the device group or globally.
Something similar to RSOP for Active Directory Group Policy - hence using that terminology.
@Darren
Thanks for the feedback, will forward to dev team to do some research on this.
Have Purple on Simple Mode (no DHCP server on Purple) - will turning on Unbound intercept all port 53 DNS requests, i.e., set and forget (no client setup needed)?
Currently have PiHole + Unbound on an RPi with some of the network traffic going through NextDNS and ControlD via DoH. With Unbound on FW (blocking all external DNS requests), I can turn off the one on the RPi.
@Rom, this is correct. No client setup is required.
Uncovered some very unexpected behavior with Unbound enabled on my Gold in router mode. I am a Unix sysadmin and support our DNS infrastructure, and was in the process of moving an authoritative zone from one hosting provider to another. I built a test zone on the new hosting provider and attempted to test DNS resolution using the command "dig @204.128.x.x test.testzone.com" and lo and behold... my DNS request was intercepted by Firewalla and directed to the existing hosting provider.
Why is firewalla intercepting a dns query directed to a specific name server ip? I could see this working differently if unbound was attempting to resolve a glue record, but why intercept a request generated by IP?
Firewalla will always intercept DNS requests and forward them to the DNS server you set. This is to prevent 'things' (like kids) from bypassing control via a different DNS server/service.
If you do want to try dig without this type of forwarding, one option is to go inside the Firewalla (via SSH) and do your testing there, and the other is to temporarily disable DNS Booster (gears->advanced->configurations).
@Firewalla : would you consider enabling the following:
- running Firewalla's 'embedded' Unbound but not setting it as FW's direct DNS server (see below)
- allowing Pi-Hole in a docker to use FW's Unbound as its upstream DNS resolver (so in the FW app, we would configure the Pi-Hole IP address as DNS server), and in Pi-Hole we would define something along the lines of 172.16.0.1#5335 as Pi-Hole's upstream DNS server
And as a next possibility, if you would consider the above (which would be awesome :) ), would you then consider adding an additional, adjustable conf file for Unbound to further finetune Unbound's config? (so you would keep the standard unbound.conf file, and enable an additional file that a user can modify) See the last line in this unbound.conf on how to do it: you just refer to a location where custom additional config files can be found, the original config will always be used as the starting point.
"Supported on Firewalla Gold, Purple, and Blue Plus"
Actually I'm lucky to have a Firewalla Blue and a Firewalla Red for my parents' home. But actually I should not be lucky, because lots of great features are not supported on the baby Firewallas.
Seems I should switch to a "real" firewall of another brand, to not get "unlucky" with features I can't use. Isn't it?
Where does Unbound get its results from? The reason for asking is that things like Google DNS are unusable here (a non-US country) because they return results for US hosts for things like CDNs for which access ranges from very slow to blocked entirely, rather than local hosts. Unless they've fixed it recently, using Google's DNS rather than the ISPs one results in breakage for a number of widely-used sites. Thus my question about where does Unbound get its results from, if it's from out-of-country DNS servers then it could result in the same breakage as Google's DNS.
Unbound will get its results from the authoritative DNS server. Each time you ask Unbound, it'll check which DNS server is authoritative for the asked URL. So there's no single upstream DNS server.
I'm using Unbound running beside Pi-hole on my Pi. Actually I would be happy to use Unbound within Firewalla Blue and Red, because then I can use Unbound functionality also in places where I don't use Pi-hole but I use Firewalla.
I have Unbound enabled. No local DNS resolution is happening. Investigating using dig shows that Firewalla is forwarding local name resolution requests (e.g. computername.lan) to root servers on the internet... and, of course, local names are not getting resolved.
Is there some special configuration that needs to be done to make sure local machines can resolve each other using their hostnames?
You need to look at https://help.firewalla.com/hc/en-us/articles/1500002445242-Difference-between-Search-Domain-Local-Domain
Here you can setup different domains to be resolved locally
So if I use Unbound, I get that my DNS requests go to a local Unbound server on the Firewalla. I get that by distributing DNS queries it increases the difficulty for any one DNS provider to associate site visits with me. I get that DNS requests between devices on my local network and the Unbound server on Firewalla don't need to be encrypted (unless you don't want someone on the local network to see DNS requests).
My BIG question is are the DNS queries from the Unbound local server on Firewalla to Root/authoritative DNS servers (which uses DNSSec) out on the internet (the up/down arrows in the diagram) encrypted? If not, then aren’t all the DNS requests exposed to ISP?
I get the benefit of DNSSEC and how it helps defeat bogus DNS query results. I think what creates a lot of confusion is that the statement on Firewalla pages like this one, "Please be aware that unbound doesn't encrypt DNS traffic.", makes it sound like my DNS queries when using Unbound can be seen by the ISP... why would I want to do that?
Your ISP won’t be resolving the request, that’s the only benefit. Even with encrypted DNS you’ll still be visiting the resolved address using your ISP anyway, so DNS or not, your ISP is likely to know where you’re visiting.
I use wireguard VPN client for that. Right now I have "Force DNS over VPN" selected (configured with AdGuard Ad Blocker). While that work fairly well, it means I can't use filtering features of Firewalla.
I decided to do some more digging. Looking at the Unbound docs (https://unbound.docs.nlnetlabs.nl/en/latest/use-cases/home-resolver.html), it seems that the most basic config for Unbound is as a local dns cache. Additional features like DNSSEC and encryption need to be configured. You can do DoH and DoT between local clients and the Unbound server, but not sure of the benefit of this on your local LAN (unless you're worried someone on your LAN might be sniffing your DNS traffic). Less obvious from that site is the fact you can encrypt upstream traffic. I ended up finding some info in the docs for the unbound.conf file https://unbound.docs.nlnetlabs.nl/en/latest/manpages/unbound.conf.html which does discuss the options for TLS for upstream.
I also found a couple of what look like decent blogs
These both describe encrypting the upstream. The nurdletech link also includes some good references at the end including https://www.ctrl.blog/entry/unbound-tls-forwarding.html.
No I have not tried to set any of that up so not sure what if any technical hurdles there might be to implementing on Firewalla.
Speaking of Firewalla, I did a little digging on the Firewalla itself, and I found /home/pi/.firewalla/run/unbound/unbound.conf. As it stands I don't see anything that would indicate that upstream traffic is currently encrypted, but it does appear that DNSSEC is configured (auto-trust-anchor-file).
I was confused until I reached out to support, and they did update the article to reflect what they told me to do for Plex. However, I think it could use an additional update for clarification. The example for Unraid suggests there's already a file in ~/.firewalla/config/unbound_local/ that needs to be edited, and the example for Plex suggests creating file called plex.direct.
Per u/firewalla in the Firewalla subreddit, you can create a single file named unbound_custom.conf with all private domains you need in it (though I suspect other filenames will work as well):
Source - https://www.reddit.com/r/firewalla/comments/1610c2q/comment/jxprsoh/?utm_source=share&utm_medium=web2x&context=3
Do Firewalla filters like Family Protect work when you do Unbound over VPN?