1. DNS Overview
What is DNS?
DNS (Domain Name System) translates domain names such as firewalla.com into one or more IP addresses, such as 184.108.40.206.
Why can DNS be a security issue?
DNS answers can be modified by DNS servers: for example, when you query firewalla.com, instead of returning 220.127.116.11, the DNS server returns a malicious address.
Why can DNS be a privacy issue?
Since the raw DNS protocol is clear text, the intermediate ISP (or VPN) can see which site you are going to and track you if they want to.
The DNS server/provider always knows where you are going and can track you if they want to.
2. Firewalla-managed DNS Services Explained
Firewalla provides several DNS services, Unbound, DNS over HTTPS (DoH), and Family Protect, in addition to traditional DNS, to meet different needs such as privacy protection, data security, and content filtering.
For any given device, group, or network, these services are mutually exclusive: they can be switched on at the same time, but cannot be applied to the same device, group, network, or the global scope at the same time.
Just like rules, when there is a conflict, the priority of the different levels is device > group > network > global.
2.1 Unbound
Unbound is a validating, recursive, caching DNS resolver. It is installed locally on the Firewalla box and helps increase your online privacy and security.
To keep your DNS lookup history private, Unbound can replace the upstream ISP's DNS servers as a more trustworthy alternative.
- Unbound is itself a DNS server, so there is no need to specify 3rd-party DNS servers
- DNSSEC validation protects against anyone modifying the query results
- It always goes to the source (root and authoritative servers), so no single DNS server fully knows where you are going
- Queries are still clear text and visible to the ISP.
2.2 DNS over HTTPS
DNS over HTTPS (DoH) is a transport protocol for performing remote Domain Name System (DNS) resolution over HTTPS. It is more secure than traditional DNS and helps protect user privacy.
- DoH is only an encrypted transport; you still need to set up a connection to, and talk to, a DNS server
- Because of the extra encryption, DoH can be slower.
- The DNS server can still alter the returned results
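The points above about clear-text queries (section 1 and the last Unbound bullet), DNSSEC validation (section 2.1) and DoH being only a transport (section 2.2) are easiest to see on the wire. The following is an added example, not Firewalla's code: it builds a DNS query in wire format, parses a constructed response, and wraps the same query in an RFC 8484 DoH GET URL. The endpoint https://dns.example/dns-query, the transaction id, and the sample response bytes are constructed for illustration. The AD ("authenticated data") flag it reads is only set by a validating resolver such as Unbound, and only for names whose zone is actually DNSSEC-signed.

```python
import base64
import struct

# Constructed sample data: nothing here touches the network.

QTYPE_A = 1
QCLASS_IN = 1


def encode_name(name: str) -> bytes:
    """Encode a domain name into DNS wire format: length-prefixed labels, 0 terminator."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"invalid label length in {name!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name: str, txid: int = 0x1234, want_dnssec_status: bool = False) -> bytes:
    """Build a standard A query. RD=1; setting AD in the query asks a validating
    resolver (e.g. Unbound) to report whether the answer passed DNSSEC validation."""
    flags = 0x0100 | (0x0020 if want_dnssec_status else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def decode_name(msg: bytes, offset: int):
    """Decode a (possibly compressed) name; return (name, offset after the name field)."""
    labels, jumped, end, hops = [], False, None, 0
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            if not jumped:
                end = offset + 2
            jumped = True
            offset = ((length & 0x3F) << 8) | msg[offset + 1]
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels), (end if jumped else offset)


def parse_message(msg: bytes) -> dict:
    """Parse header, question and A answers. Works on queries too: the question
    name is readable by anyone on the path, which is the privacy issue with plain DNS."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    off, qname, answers = 12, None, []
    for _ in range(qd):
        qname, off = decode_name(msg, off)
        off += 4  # QTYPE + QCLASS
    for _ in range(an):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((name, "A", ttl, ".".join(str(b) for b in rdata)))
        else:
            answers.append((name, rtype, ttl, rdata.hex()))
    return {"id": txid, "qname": qname, "rcode": flags & 0xF,
            "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
            "ad": bool(flags & 0x0020), "answers": answers}


def doh_get_url(query: bytes, endpoint: str = "https://dns.example/dns-query") -> str:
    """Wrap the same wire-format query in an RFC 8484 GET request (base64url, no padding).
    RFC 8484 recommends txid 0 in DoH queries so identical questions cache well."""
    b64 = base64.urlsafe_b64encode(query).rstrip(b"=").decode("ascii")
    return f"{endpoint}?dns={b64}"


def doh_query_from_url(url: str) -> bytes:
    """Recover the wire-format query from a DoH GET URL (re-adds base64 padding)."""
    b64 = url.split("?dns=", 1)[1]
    return base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))


# Constructed response: QR+RD+RA+AD flags (0x81A0), one question, one A answer
# for firewalla.com pointing at 184.108.40.206 (the address used on this page).
SAMPLE_RESPONSE = (
    struct.pack("!HHHHHH", 0x1234, 0x81A0, 1, 1, 0, 0)
    + encode_name("firewalla.com") + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    + b"\xC0\x0C" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 300, 4)
    + bytes([184, 108, 40, 206])
)

if __name__ == "__main__":
    q = build_query("firewalla.com")
    print("name readable on the wire by the ISP:", parse_message(q)["qname"])
    r = parse_message(SAMPLE_RESPONSE)
    print("answers:", r["answers"], "DNSSEC validated (AD):", r["ad"])
    print("same query as DoH:", doh_get_url(build_query("firewalla.com", txid=0)))
```

Note that the DoH URL carries exactly the same DNS message; what changes is only that HTTPS hides it from the ISP, while the DoH provider still decodes and can alter it, which is why the table and bullets treat DoH as encryption rather than tamper protection.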
2.3 Family Protect
The Family Protect feature filters out violent and adult material. Because of how internet domain names are designed, this block is not always perfect. The service works by forwarding your DNS queries to another server that provides a family-mode service.
Family Protect conflicts with Firewalla's other DNS services, since it also relies on a DNS technology of its own.
Family Protect can be used when quick and simple content filtering is needed. For more advanced content filtering, please refer to this guide on how to manage rules.
2.4 Traditional DNS
If none of Firewalla's DNS services is enabled, Firewalla uses the DNS servers configured in the Firewalla network manager, which are either the ISP-provided DNS servers or user-configured ones.
2.5 DNS and VPN
For any VPN connection initiated by the Firewalla VPN client:
- If Force DNS over VPN is ON, DNS traffic is directed through the VPN connection and no Firewalla DNS services are involved. In this case, Firewalla's DNS-based blocks won't take effect, but other blocks (e.g. IP-based and TLS-based) still work.
- If Force DNS over VPN is OFF, the DNS services work the same way as if there were no VPN connection: all your DNS traffic is intercepted and protected by Firewalla. However, DNS traffic will NOT go through the VPN.
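The precedence rule in section 2 (device > group > network > global, one service per scope) and the two VPN cases above combine into a small decision procedure. The following is an added model of those rules, not Firewalla's own code or configuration schema: the level names, the service identifiers "unbound", "doh" and "family_protect", and the setting names are assumptions used for illustration.

```python
# Added model of the DNS-service precedence and Force-DNS-over-VPN rules.
# Level, service and setting names are illustrative assumptions, not Firewalla's schema.

SERVICES = {"unbound", "doh", "family_protect"}
LEVELS = ("device", "group", "network", "global")  # highest to lowest priority


def effective_service(enabled: dict) -> str:
    """Return the DNS service that applies to one device.

    `enabled` maps each level to the set of services switched on at that level for
    the device, e.g. {"device": set(), "group": {"doh"}, "network": {"unbound"}}.
    The most specific level with a setting wins. A level listing more than one
    service is a configuration error: the services are mutually exclusive per scope.
    """
    for level in LEVELS:
        chosen = set(enabled.get(level, ()))
        unknown = chosen - SERVICES
        if unknown:
            raise ValueError(f"unknown service(s) at {level} level: {sorted(unknown)}")
        if len(chosen) > 1:
            raise ValueError(f"{sorted(chosen)} cannot both apply at the {level} level")
        if chosen:
            return next(iter(chosen))
    return "traditional"  # nothing enabled: ISP-provided or user-configured servers


def dns_path(enabled: dict, vpn_client_active: bool, force_dns_over_vpn: bool) -> dict:
    """Describe where a device's DNS traffic goes and whether DNS-based blocks apply."""
    if vpn_client_active and force_dns_over_vpn:
        # DNS rides the tunnel and Firewalla never sees the queries, so only
        # non-DNS blocks (IP-based, TLS-based) remain effective.
        return {"service": "vpn_tunnel_resolver", "dns_via_vpn": True, "dns_blocks_apply": False}
    # Force DNS over VPN off (or no VPN): DNS is handled exactly as without a VPN,
    # and the DNS traffic itself does not enter the tunnel.
    return {"service": effective_service(enabled), "dns_via_vpn": False, "dns_blocks_apply": True}


if __name__ == "__main__":
    laptop = {"device": set(), "group": {"doh"}, "network": {"unbound"}, "global": set()}
    print(effective_service(laptop))  # group setting beats network setting
    print(dns_path(laptop, vpn_client_active=True, force_dns_over_vpn=True))
    print(dns_path(laptop, vpn_client_active=True, force_dns_over_vpn=False))
```

The conflict check is the part worth keeping in any real policy store: the page's rule is that the services may all be on at once, just never for the same scope, and enforcing that at write time is simpler than resolving it at query time.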
3. A quick comparison of all DNS services
Reduce Tracking (ISP)
|Prevent DNS modifications||Data Encryption||Content Filtering|
|DNS over HTTPS (DoH)||No||Yes||No||Yes||Firewalla|
|Family Protect||No||No||No||No||Firewalla + OpenDNS|
Recommendations on which to pick
- If you do not trust any single DNS server other than the root and authoritative DNS servers, choose Unbound.
- If you trust the DNS service provider but don't trust your ISP, choose DNS over HTTPS.
- If you just need simple filtering to protect your kids from unwanted online content, choose Family Protect.
- If you have no concerns at all, just use the traditional DNS from your ISP, or configure a public DNS server for your LAN networks if you like.
- If you do not want any DNS queries changed or filtered, pick Unbound.
It is not possible to run DoH, Unbound, and Family Protect together.
Why can't Unbound and DoH be used together?
DoH and Unbound are different technologies. DoH is the transport that your applications use to talk to DNS servers, while Unbound is itself a DNS server. Since Unbound runs locally, there is no point in using DoH to talk to it.
(As an analogy: if Unbound is a supermarket, then DoH is the road you use to get to it. When you turn on Unbound, you have a supermarket right inside your house.)
How to configure specific DNS servers?
If you want to change the DNS servers used by your network, the best place to configure them is under the LAN network segment. Any device on that LAN segment (where the DNS server change was made) will then use the configured DNS servers.
When Force DNS over VPN is enabled, will Firewalla still be able to block?
When "Force DNS over VPN" is on, DNS-based blocks will not take effect, because Firewalla no longer sees the DNS requests. Other blocks (e.g. TLS- and IP-based) still work.