2. Firewalla-managed DNS Services Explained (with flowchart)
3. Comparison and Recommendations
How to Choose Your DNS Strategy
1. DNS Overview
What is DNS?
DNS, or Domain Name System, translates domain names such as firewalla.com to one or more IP addresses, such as 23.227.38.32.
Why can DNS be a security issue?
DNS responses can be modified by DNS servers. For example, when you query firewalla.com, instead of returning 23.227.38.32, the DNS server returns a malicious address.
Why can DNS be a privacy issue?
Since the raw DNS protocol is clear text, at times, the intermediate ISP (or VPN) may be able to see which site you are going to and track you if they want to.
The DNS server/provider always knows where you are going and may track you if they want to.
Why can DNS be a performance issue?
Since nearly every Internet request starts with a DNS lookup, a poorly performing DNS provider can make responses sluggish. Also, your Firewalla uses DNS lookups to test the quality of your connection, so if your DNS provider is down or having a lot of packet loss, you may see Events that reflect spotty connectivity.
2. Firewalla-managed DNS Services Explained
Firewalla provides various DNS services including Unbound, DNS over HTTPS (DoH), and Family Protect, in addition to traditional unencrypted DNS to meet various needs like privacy protection, data security, and content filtering.
For any given device/group or network(s), these services are mutually exclusive, which means they can be switched on at the same time, but cannot be applied to the same device/group or network(s) at the same time.
Just like rules, when there is a conflict, the priority of different levels is device/group > Network > All Devices. Remember, once a device is added to a Group, most things fall under the Group, not the device.
2.1 DNS Booster
DNS Booster should be left active on most devices. There are some exceptions to this rule, but disabling DNS Booster will also deactivate other Firewalla features, so it is not recommended.
2.2 Rules
Rules can block or allow access to a range of things, including domains, IP addresses, or the Internet in general. Rules are near the front of the line in Firewalla's decision tree when a device makes a DNS request. If you have a rule that blocks a domain and a device asks for that domain, Firewalla may block it immediately. If you block an IP address then Firewalla may do a DNS lookup to learn how to find the server for that domain, and then the block may happen. Either way, this happens nearly instantly. For simplicity, the flow chart shows things as linear, but in reality, it is more complex.
See Manage Rules to understand how Rules are prioritized.
2.3 Ad Block
Ad Block limits portions of a web page or app rather than blocking things entirely. Nevertheless, the process is the same for every URL your device requests—from a webpage to an image or video.
See Ad Block for a full understanding of what it does.
2.4 Safe Search
Safe Search is a bit different because, rather than blocking things outright, it conveys to search engines that results should be limited, usually for children.
See Safe Search for complete information on this feature.
2.5 Custom DNS Rules
You can add Custom DNS Entry Rules via the app.
On the box's main screen, tap DNS Service -> Custom DNS Rules, tap Add Custom DNS Rule, enter the domain and an IP address you want it to be resolved to, save the rule, and it's done.
Custom DNS rules are basically local rules that no DNS provider could answer because they refer to devices on your own network or, in some cases, different ways of calling devices external to your network. They can be used for many things, such as having multiple names for the same NAS server or a way to point to virtual IP addresses. This feature is often used by customers with more complex networks. Think of this as a local address book.
Watch a video tutorial or see Custom DNS Entry Rules for more information.
2.6 VPN Client & DNS Over VPN
VPN Client allows you to send traffic you select over a third-party VPN. For example, you could send traffic to work over a VPN or all traffic to a streaming service over a VPN. In addition, you can choose to force DNS over the VPN as well.
- If Force DNS over VPN is ON, DNS requests will be forwarded to the VPN server. Unbound, DNS over HTTPS, and Family Protect (3rd-party Mode) will not work on devices connected to VPN Client. While these DNS protocols won't take effect, other functions still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules.
- If Force DNS over VPN is OFF, DNS requests will work as if there were no VPN connection, but traffic to the requested destinations will go over VPN. This means all your DNS traffic will be intercepted and protected by Firewalla. DNS traffic will NOT go through VPN.
More detail can be found in VPN Client and DNS over HTTPS below.
2.7 DNS Protocols
You can use the following DNS protocols simultaneously on Firewalla. However, for any given device/Group or Network, they are mutually exclusive. For example, if you had a network set to use DoH, but a device on that network was set to use Unbound, the device would use Unbound but any other devices on the same network would use DoH. All devices in a Group must follow the same DNS settings.
2.7.1 Unbound
Unbound is a validating, recursive, caching DNS resolver. It is installed locally on the Firewalla box, which helps increase your online privacy and security.
To keep the privacy of DNS lookup history, Unbound can be used to replace the DNS servers from upstream ISP as a more trustworthy alternative.
Pros
- Unbound is a DNS server, no need to specify 3rd party DNS servers
- DNSSEC to prevent anyone from modifying the query results
- Always goes directly to the source, no one DNS server fully knows where you are going
Cons
- DNS query is still clear text, so it is visible to your ISP
If the last bullet concerns you, as of the 1.52 app release, you can send DNS requests over a third-party VPN instead of through your ISP to protect your privacy using Unbound over VPN. To use this feature, you must have a VPN Client connection configured on your Firewalla and go to DNS Service > Unbound > DNS over VPN. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.
Note, this is different than DNS Over VPN described previously. In this case, all of your content (YouTube, Facebook, etc.) will go directly over your ISP connection—no VPN involved, but your DNS will be sent over VPN Client of your choosing for an additional layer of privacy.
2.7.2 DNS over HTTPS
DNS over HTTPS (DoH) is a transport protocol for performing remote DNS resolution via the HTTPS protocol. It is more secure than the traditional DNS and helps protect user privacy.
- DoH is an encrypted transport; you still need to choose and configure a DNS server
- Due to extra encryption, DoH can be a little slower than unencrypted DNS
- The DNS server still can alter the returned results
2.7.3 Family Protect
The Family Protect feature filters out violent and adult material.
Our original Family Protect 3rd-Party Mode forwards requests to a trusted DNS provider that provides family mode service. When using this mode, there may be some conflict with other DNS services in Firewalla since it works with another DNS technology as well.
Native Mode, on the other hand, leverages Firewalla blocking features to give you full control over what to block right on the Firewalla box without going out of the network.
Family Protect can be used for quick and simple content filtering. For more advanced content filtering, see 2.2 Rules above or refer to this guide on how to manage rules.
Please be aware that due to how internet domain names are designed, this type of blocking can never be perfect.
2.7.4 Traditional DNS
If none of Firewalla's DNS services described above are enabled, Firewalla will use the DNS servers configured in the LAN DNS setting first. This defaults to the IPs of the LAN itself, though it can be customized to point to an external DNS provider. For example, you could have one DNS provider serve one LAN and a different provider used for a different LAN or VLAN.
If the LAN DNS points to the LAN IP, and none of the other protocols were active on the device asking to look something up, the DNS specified in the Network Manager will be used for DNS.
The default for WAN DNS comes from your ISP. For WAN DNS, we recommend using a highly reliable DNS provider that does not do any kind of filtering.
3. A Comparison of all DNS Services
With so many choices, customers often ask for help in choosing the best option for them.
DNS services | Reduce Tracking (DNS Provider) | Reduce Tracking (ISP) | Prevent DNS modifications | Data Encryption | Content Filtering |
Traditional DNS | No | No | No | No | Firewalla |
Unbound | Yes | No | Yes | No¹ | Firewalla |
DNS over HTTPS (DoH) | No | Yes | No | Yes | Firewalla |
Family Protect (3rd-Party Mode) | No | No | No | No | Firewalla + OpenDNS |
¹ DNS queries can be sent over a VPN provider of your choosing.
How to Choose Your DNS Strategy
- If you have NO concerns at all, just use traditional DNS from ISP or configure some public DNS for your LAN networks if you like.
- If you just need simple filtering to protect your kids from unwanted online content, choose Family Protect. Native Family Protect won't conflict with other DNS services.
- If you do not trust any single DNS server other than the root and authoritative DNS servers, choose Unbound.
- If you trust your DNS service provider, but don't trust your ISP, choose DNS over HTTPS.
- If you do not want any DNS queries getting changed or filtered, use Unbound.
- If you do not want any DNS queries getting changed or filtered and want to add a layer of encryption so that your ISP can't see your DNS requests, use Unbound over VPN.
Remember, DoH, Unbound, and Family Protect are mutually exclusive for a network or Group/device. So if a network is configured to use DoH, it can't also use Unbound at the same time.
Like Rules, there is a precedence. Devices/Groups take priority over the network DNS. So you can say a network uses DoH but a device on that network should use Unbound instead.
FAQ:
Why can't Unbound and DoH be used together?
DoH and Unbound are different technologies. DoH is the transport that your applications use to talk to DNS servers. Unbound itself is a local DNS server, so there is no point in using DoH to talk to Unbound.
If that's confusing, an analogy might help. If Unbound is a supermarket, then DoH is the road you use to get to it. When you turn on Unbound, you have a supermarket right inside your house.
How to configure specific DNS servers?
If you want to change the DNS servers used by your network, the best place to configure is under the LAN network segment. Any devices accessing the network on the LAN segment (with the DNS server change) will use the configured DNS servers.
When Force DNS over VPN is enabled, will Firewalla still be able to block?
When "Force DNS over VPN" is on, DNS blocks will not take effect (Firewalla no longer sees the DNS request). Other blocks still work, e.g. TLS, IP.
Does Firewalla intercept DNS requests?
Firewalla with DNS Booster on (it is on by default) will intercept all DNS requests. For example, if a device sets the DNS as 1.1.1.1, and your LAN segment is 8.8.8.8, that request will go to 8.8.8.8. This can help ensure that your DNS settings are enforced and helps prevent circumventing certain rules and policies you put in place.
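One way to confirm from a LAN client that interception is in effect (an added example, not Firewalla's code): send a query to an address that hosts no DNS server and see whether anything answers. The probe address 192.0.2.53 is an assumption picked from the RFC 5737 documentation range, and the function names are illustrative.

```python
import random
import socket
import struct


def build_query(name, qid, qtype=1):
    """Encode a minimal DNS query (RFC 1035): header plus one question."""
    # Flags 0x0100 = recursion desired; QDCOUNT = 1, other counts 0.
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # QCLASS 1 = IN


def is_reply_to(packet, qid):
    """True if packet is a DNS response (QR bit set) carrying our query ID."""
    if len(packet) < 12:
        return False
    rid, flags = struct.unpack("!HH", packet[:4])
    return bool(flags & 0x8000) and rid == qid


def dns_intercepted(probe_ip="192.0.2.53", name="firewalla.com", timeout=3.0):
    """Query an address with no DNS server behind it.

    192.0.2.0/24 is reserved for documentation, so a matching reply can
    only come from something on the path that answered on its behalf.
    """
    qid = random.randrange(0x10000)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, qid), (probe_ip, 53))
            reply, _addr = sock.recvfrom(4096)
        except OSError:  # timeout or unreachable: nothing answered
            return False
    return is_reply_to(reply, qid)


if __name__ == "__main__":
    print("DNS interception active:", dns_intercepted())
```

Run it from a device behind the box, not on the box itself. A True result shows that something on the path answered the query, which can also be an upstream ISP or VPN resolver rather than Firewalla.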
Comments
2 comments
Nice guide. Where do I make these setting elections?
Great guide. On the "3. A quick comparison of DNS services" I have a suggestion.
For "Unbound" I believe it makes sense to add the same footnote "1" next to the word "No" in column "Reduce Tracking (ISP)" as you did in the "Data Encryption" column. I believe 'DNS over VPN' will reduce ISP tracking.
Or better yet, it might make sense to add another row called "Unbound w/DNS over VPN" then change the second and fourth columns to 'yes'.