Supported on Firewalla Gold, Purple, and Blue Plus.
In addition to DNS over HTTPS, Firewalla now supports another DNS service: Unbound. It is a validating, recursive, caching DNS resolver installed locally on the Firewalla box, which increases your online privacy and security.
You can learn more about Firewalla's other DNS Services here: DNS Services Introduction.
How does Unbound work?
Unbound uses DNSSEC to validate DNS results and prevent man-in-the-middle attacks. Because Unbound is itself a recursive resolver, it contacts different DNS servers for different domains directly, so no single public DNS server sees all of your DNS queries, which protects your privacy.
Please note:
- Unbound doesn't encrypt DNS traffic. For DNS traffic encryption, you will need to use DNS over HTTPS.
- Unbound and DNS over HTTPS can't be used on the same device at the same time, but you can use Unbound on some devices and DoH on others.
- If you enable Unbound over VPN, all your DNS requests will be sent over the VPN Client of your choosing, but all of your content will still go directly over your ISP connection.
How do I enable Unbound?
To apply Unbound to your devices, tap Services on your box's main page, toggle Unbound on, and then select the devices, groups, or networks to apply it to.
You can also go to the detail page of any device, tap "…" on the control button panel, tap "DNS Service", and select Unbound.
You can also send DNS requests over VPN instead of your ISP to protect your privacy further. To enable Unbound over VPN, you must have a VPN Client connection configured on your Firewalla and be using Unbound. Watch our video tutorial for more details.
How do I check that Unbound is working?
Open your browser and visit https://dnsleaktest.com/.
Run a standard test. If the IP in your test result is your public IP, Unbound is successfully enabled: DNS requests are being sent directly from the Firewalla box to dnsleaktest's DNS server.
Known issue
- Unbound over VPN doesn't work on NordVPN. NordVPN's DNS server responds REFUSED to Unbound's queries.
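The dnsleaktest check above shows where queries leave your network, but not whether the resolver is validating DNSSEC. The following added script (not part of this article or Firewalla's tooling) classifies a dig response from the resolver your device was handed by DHCP, which is the Firewalla box when Unbound is applied: a validated answer carries the ad flag, an unvalidated NOERROR suggests Unbound is not applied to this device, and REFUSED is what the NordVPN known issue above looks like. It assumes dig (dnsutils) is installed on the client and that the default test name, isc.org, remains a DNSSEC-signed zone.

```shell
# classify_dig DIG_OUTPUT -> prints one word describing what the resolver did:
#   validated    NOERROR with the ad (Authenticated Data) flag: DNSSEC validation happened
#   unvalidated  NOERROR without ad: a non-validating resolver answered, so Unbound
#                is probably not applied to this device
#   refused      REFUSED: the upstream declined the query (the NordVPN case)
#   servfail     SERVFAIL: validation failed or the upstream is unreachable
#   other        anything else
classify_dig() {
    status=$(printf '%s\n' "$1" | sed -n 's/^;; ->>HEADER<<-.*status: \([A-Z]*\),.*/\1/p')
    flags=$(printf '%s\n' "$1" | sed -n 's/^;; flags: \([^;]*\);.*/\1/p')
    case "$status" in
        NOERROR)
            case " $flags " in
                *" ad "*) echo validated ;;
                *)        echo unvalidated ;;
            esac ;;
        REFUSED)  echo refused ;;
        SERVFAIL) echo servfail ;;
        *)        echo other ;;
    esac
}

# check_dnssec [DOMAIN]: query the device's configured resolver with the DO bit
# set (+dnssec). DOMAIN must be a signed zone, otherwise "ad" can never appear;
# isc.org is assumed to be one. Returns 0 only when the answer was validated.
check_dnssec() {
    domain="${1:-isc.org}"
    out=$(dig "$domain" A +dnssec +time=3 +tries=1) || return 2
    verdict=$(classify_dig "$out")
    echo "$domain: $verdict"
    [ "$verdict" = validated ]
}
```

Run `check_dnssec` from a device that has Unbound applied; an "unvalidated" verdict usually means the device is still using another DNS service or DNS over VPN.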
How to configure a custom DNS service
Unbound may strip private IP addresses from DNS results. A workaround is to map the private IP manually on Firewalla. To do this, you can follow the method in this guide, or you can add a Custom DNS Entry Rule via the app. Watch our video tutorial for more details.
If you use Unraid or other private domains, you can add the configuration manually on box version 1.975 and above. In the included file under ~/.firewalla/config/unbound_local/, add:
server:
    private-domain: "myunraid.net"
then restart your Unbound server:
sudo systemctl restart unbound
If you use Plex, you can allow plex.direct to resolve to private IP addresses. For example, add the following to a file ~/.firewalla/config/unbound_local/plex.direct:
server:
    private-domain: "plex.direct"
If you're using both Unraid and Plex, you can add both mappings in the same file:
server:
    private-domain: "myunraid.net"
    private-domain: "plex.direct"
Remember to restart your Unbound server after making and saving any edits.
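As an added example (not Firewalla's own tooling), the script below writes one unbound_local fragment covering several private domains at once, the way the combined Unraid and Plex file above does by hand, rejects anything that is not a plain hostname so a typo cannot smuggle a second directive into the config, and runs unbound-checkconf before restarting. It assumes every file under ~/.firewalla/config/unbound_local/ is included by Unbound on the box, as the article's plex.direct example implies; UNBOUND_LOCAL_DIR can be overridden for testing.

```shell
# Directory the article names for local Unbound fragments (assumed to be
# included as a whole); override the variable to test elsewhere.
UNBOUND_LOCAL_DIR="${UNBOUND_LOCAL_DIR:-$HOME/.firewalla/config/unbound_local}"

# valid_domain NAME -> 0 only for dotted labels of letters, digits and hyphens.
valid_domain() {
    printf '%s' "$1" | grep -Eq '^([A-Za-z0-9]([A-Za-z0-9-]*[A-Za-z0-9])?\.)+[A-Za-z0-9-]+$'
}

# write_private_domains FILE DOMAIN... -> writes $UNBOUND_LOCAL_DIR/FILE with a
# single "server:" block and one private-domain line per domain, replacing any
# earlier content of that file. private-domain exempts the domain (and its
# subdomains) from Unbound's filtering of private addresses in answers.
write_private_domains() {
    file="$1"; shift
    for d in "$@"; do
        valid_domain "$d" || { echo "rejected domain: $d" >&2; return 1; }
    done
    mkdir -p "$UNBOUND_LOCAL_DIR"
    {
        echo 'server:'
        for d in "$@"; do
            printf '    private-domain: "%s"\n' "$d"
        done
    } > "$UNBOUND_LOCAL_DIR/$file"
}

# reload_unbound: syntax-check each fragment (when unbound-checkconf is
# installed; a fragment is assumed to parse on its own), then restart Unbound
# as the article instructs. Stops before restarting if a fragment is broken.
reload_unbound() {
    if command -v unbound-checkconf >/dev/null 2>&1; then
        for f in "$UNBOUND_LOCAL_DIR"/*; do
            unbound-checkconf "$f" || return 1
        done
    fi
    sudo systemctl restart unbound
}
```

Typical use on the box: `write_private_domains unraid-plex myunraid.net plex.direct && reload_unbound`.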
Dependencies with other features
While you can't run two different DNS services at the same time on one device, you can enable different DNS services at the same time on different devices. For example, you can run DoH for your laptop while running Unbound for your tablet.
DNS Booster must be turned on for any of Firewalla's DNS services to work.
- DNS over HTTPS (DoH) is a protocol for encrypting DNS requests via the HTTPS protocol. It is more secure than traditional DNS and helps protect user privacy.
- Family Protect in 3rd-Party mode uses DNS services to filter out offensive content, which is incompatible with DoH. To be able to use Family Protect and DoH concurrently, you must use Family Protect Native, which blocks content directly from your Firewalla box. You can turn on Family Protect Native by tapping Family on your box's main page, and then tapping on Family Protect. It should be in Native Mode by default, but you can switch between 3rd-Party and Native by tapping Mode.
- If your device is connected to a VPN with DNS over VPN enabled, any DNS features including Unbound will not work.
When a device has multiple DNS services configured, the priority of different configurations is device-level > group-level > network-level > global.
Comments
Yes, the native Family Protect will work if you do Unbound over VPN. See https://help.firewalla.com/hc/en-us/articles/360008214094-Activity-and-Parental-Control
Unless I just missed it, I think you should highly recommend using DNS over VPN when using Unbound because without it, it creates a DNS leak.
I tested it with and without while also using VPN Client. With DNS over VPN with the VPN client, no issues there as DNS is handled by the VPN DNS server, but this bypasses the Firewalla filters, which Unbound does not.
However, when not using DNS over VPN within the Unbound DNS, tests had my hometown, ISP name and Firewalla IP exposed. When DNS over VPN in Unbound is turned on, it just shows the VPN server IP address.
@geotrouvetout67, please check out this https://help.firewalla.com/hc/en-us/articles/360048962953-Privacy-Protection which has a nice chart that talks about the different layers of privacy protection.
Just want to say it's amazing these features are baked into this consumer router. Thank you for continuing to make this product better.
In response to bucweat's comments, and in general, there is some confusion in the comments about DoH and Unbound.
When you use Unbound, it is using QNAME minimization and DNSSEC to directly communicate with the root servers. The root servers themselves do not support TLS or encryption. The DoT options with Unbound only apply between the clients and the local Unbound server. When you use DoH, you are picking a 3rd party (Cloudflare, Google, OpenDNS) to talk to the root servers for you (i.e. the 3rd party acts like Unbound, to put it simply).
So you can't use Unbound and DoH, because Unbound is doing the same (similar, not exact) thing locally that the DoH 3rd-party provider is doing: talking to the root servers directly without encryption.