1. DNS Overview
What is DNS?
DNS, or Domain Name System, translates domain names such as firewalla.com to one or more IP addresses such as 220.127.116.11.
Why can DNS be a security issue?
DNS can be modified by DNS servers. For example, when you query firewalla.com, a DNS server might return a malicious address instead of 18.104.22.168. This could allow someone to redirect requests to a spoofed website in order to collect information such as login credentials, credit cards, or other Personally Identifiable Information.
Why can DNS be a privacy issue?
Since raw DNS protocols are plain text, your intermediate ISP (or VPN) may be able to see which sites you're going to and even track you if they want to.
DNS Servers/Providers always know where you're going and may also track you if they want to.
Why can DNS be a performance issue?
Since nearly every Internet request starts with a DNS lookup, a poorly performing DNS provider can make responses sluggish. Also, your Firewalla uses DNS lookups to test the quality of your connection. If your DNS provider is down or has a lot of packet loss, you may see network events that reflect spotty connectivity.
2. Firewalla-Managed DNS Services Explained
Firewalla provides various DNS services, including Unbound, DNS over HTTPS (DoH), and Family Protect, in addition to traditional unencrypted DNS. These services help you protect your privacy, secure your data, and filter content.
Two-Stage DNS Services
All of your DNS queries will go through two stages. The first stage is local DNS filtering. In this stage, your DNS queries are entirely local to your Firewalla and have not left your network. The features included in local DNS filtering are:
- Basic Rules (domain-based blocks)
- Ad Block
- Family Protect (Native Mode)
- Safe Search
- Custom DNS Rules
- Firewalla's IP layer blocks, done via Active Protect
After this stage, your box will check to see if you have an active VPN Client session, and if so, whether you have DNS over VPN enabled. These features allow you to send traffic and your DNS requests over a VPN connection. If neither of these features is active, you can then configure your DNS queries to be handled by a range of DNS Services, including:
For any given device, device groups, or networks, DNS Services are mutually exclusive, which means they can be switched on for different entities at the same time but cannot be applied to the same entities at the same time. You can read more about DNS Services restrictions below.
2.1 Rules
Rules can block or allow access to domains, IP addresses, or the Internet. Rules are close to the front of the line in Firewalla's decision tree when a device makes a DNS request. If you have a rule that blocks a domain and a device asks for that domain, Firewalla will block it immediately. If you block an IP address, Firewalla may do a DNS lookup for the requested domain to learn which server it resolves to; if the resolved address matches the blocked IP address, Firewalla will block it. Either way, this happens nearly instantly. For simplicity, the flow chart shows things as a linear path, but in reality, it is more complex.
See Manage Rules to understand how Rules are prioritized.
2.2 Ad Block
Ad Block limits portions of a web page or app rather than blocking things entirely. Nevertheless, the process is the same for every URL your device requests—from a webpage to an image or video.
See Ad Block for a full understanding of what it does.
2.3 Family Protect (Native Mode)
Family Protect (Native Mode) helps you filter unwanted content from the Internet. Unlike Family Protect 3rd Party Mode, Native Mode blocks content locally, meaning it doesn't rely on an external service. Native Mode can block porn, gambling, VPN sites, and more by leveraging Firewalla blocking features right on your box. It won't conflict with other DNS services.
2.4 Safe Search
Safe Search is a bit different from other DNS services because rather than blocking things outright, it conveys to search engines that results should be limited—usually for children.
See Safe Search for complete information on this feature.
2.5 Custom DNS Rules
You can add Custom DNS Entry Rules via the app.
On the box's main screen, tap DNS Service -> Custom DNS Rules, tap Add Custom DNS Rule, enter the domain and an IP address you want it to be resolved to, then save the rule to confirm.
Custom DNS rules are basically local rules that no DNS provider could answer because they refer to devices on your own network or, in some cases, different ways of calling devices external to your network. They can be used for many things, such as having multiple names for the same NAS server or a way to point to virtual IP addresses. This feature is often used by customers with more complex networks. Think of this as a local address book.
2.6 VPN Client & DNS Over VPN
Firewalla's VPN Client allows you to send traffic over a third-party VPN. For example, you could send traffic to your office over a VPN or all traffic to a streaming service over a VPN. In addition, you can choose to force DNS over your VPN as well.
- If Force DNS over VPN is ON, DNS requests will be forwarded to the VPN server. Unbound, DNS over HTTPS, and Family Protect (3rd-party Mode) will not work on devices connected to VPN Client. While these DNS protocols won't take effect, other functions will still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules.
- If Force DNS over VPN is OFF, DNS requests will work as if there were no VPN connection, but traffic to the requested destinations will go over VPN. This means all your DNS traffic will be intercepted and protected by Firewalla. DNS traffic will NOT go through VPN.
2.7 DNS Services
You can use the following DNS protocols simultaneously on Firewalla; however, for any given device, Group, or network, they are mutually exclusive. The same hierarchy as Rules applies to DNS: device/Group settings take precedence over Networks, and Networks take precedence over DNS settings for All Devices.
Remember, just as with rules, once a device is added to a group, it will follow the group's configurations.
For example, if you had a network set to use DoH, but a device on that network is set to use Unbound, the device would use Unbound but any other devices on the same network would use DoH.
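The two-stage flow and the precedence rules above can be written down as a small decision function. The following is an added example, not Firewalla's code: it models local filtering (block rules, custom DNS rules), the VPN Client check, service selection by precedence (device/group before network before All Devices) with one mutually exclusive service per entity, and the fall-through to LAN DNS or WAN DNS. The service labels, the example entities, the blocked domain "ads.example", the NAS name "nas.home" and the upstream 192.0.2.53 are all constructed; the VLAN IP 192.168.22.1 is the one used later on this page. The ordering follows the description in this section, where block rules are applied before the Force DNS over VPN check.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

# Assumed labels for the three mutually exclusive services.
SERVICES = ("Unbound", "DoH", "FamilyProtect3rdParty")


@dataclass
class Entity:
    """One device, device group, network, or the All Devices default (constructed model)."""
    name: str
    dns_service: Optional[str] = None   # at most one service per entity

    def set_service(self, service: Optional[str]) -> None:
        """The services are mutually exclusive: enabling one replaces any other."""
        if service is not None and service not in SERVICES:
            raise ValueError("unknown DNS service: %s" % service)
        self.dns_service = service


@dataclass
class Policy:
    device: Entity
    group: Optional[Entity]
    network: Entity
    all_devices: Entity
    blocked_domains: frozenset = frozenset()
    custom_dns: Optional[dict] = None       # domain -> IP, the "local address book"
    vpn_client_active: bool = False
    force_dns_over_vpn: bool = False
    lan_ip: str = "192.168.22.1"            # VLAN IP used on this page
    lan_dns: str = "192.168.22.1"           # default: the LAN itself
    wan_dns: str = "192.0.2.53"             # constructed upstream (documentation range)


def effective_service(p: Policy) -> Tuple[Optional[str], Optional[str]]:
    """Device/Group settings beat the Network; the Network beats All Devices."""
    for ent in (p.device, p.group, p.network, p.all_devices):
        if ent is not None and ent.dns_service:
            return ent.dns_service, ent.name
    return None, None


def _matches(qname: str, domain: str) -> bool:
    return qname == domain or qname.endswith("." + domain)


def resolve_path(p: Policy, qname: str) -> Tuple[str, str]:
    """Walk the two stages and return (outcome, handler) for one query."""
    qname = qname.lower().rstrip(".")
    custom = p.custom_dns or {}
    # Stage 1: local filtering. Nothing has left the box yet.
    if any(_matches(qname, d) for d in p.blocked_domains):
        return "blocked", "local rule"
    if qname in custom:
        return "answered", "custom DNS rule -> %s" % custom[qname]
    # VPN Client check: with Force DNS over VPN the query goes to the VPN server
    # and Unbound / DoH / Family Protect (3rd-Party) do not apply.
    if p.vpn_client_active and p.force_dns_over_vpn:
        return "forwarded", "VPN server"
    # Stage 2: a configured DNS service, chosen by precedence.
    svc, src = effective_service(p)
    if svc:
        return "forwarded", "%s (set on %s)" % (svc, src)
    # Traditional DNS (router mode): LAN DNS unless it points at the LAN itself, then WAN DNS.
    if p.lan_dns != p.lan_ip:
        return "forwarded", "LAN DNS %s" % p.lan_dns
    return "forwarded", "WAN DNS %s" % p.wan_dns


def example_network() -> Tuple[Policy, Policy]:
    """Constructed scenario from the text: the network uses DoH, one device overrides with Unbound."""
    network = Entity("Home LAN")
    network.set_service("DoH")
    everyone = Entity("All Devices")
    laptop = Entity("laptop")
    laptop.set_service("Unbound")
    tv = Entity("tv")
    shared = dict(network=network, all_devices=everyone, group=None,
                  blocked_domains=frozenset({"ads.example"}),
                  custom_dns={"nas.home": "192.168.22.50"})
    return Policy(device=laptop, **shared), Policy(device=tv, **shared)


if __name__ == "__main__":
    laptop, tv = example_network()
    for p in (laptop, tv):
        for name in ("firewalla.com", "tracker.ads.example", "nas.home"):
            print(p.device.name, name, resolve_path(p, name))
```

Running the block shows the laptop's lookups going to Unbound while the TV on the same network uses DoH, and shows that the block rule and the custom DNS rule answer before either service is consulted.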
2.7.1 Unbound
Unbound is a validating, recursive, caching DNS resolver installed locally on the Firewalla box. It can help increase your online privacy and security. To keep your DNS lookup history private, Unbound can be used to replace the DNS servers from upstream ISPs as a more trustworthy alternative.
- Unbound is a DNS server, so there's no need to specify 3rd party DNS servers
- Unbound uses DNSSEC to prevent anyone from modifying the query results
- It always goes directly to the source, so no single DNS server fully knows where you are going
- DNS queries are still clear text, so they are visible to your ISP.
If the last bullet point concerns you, as of the 1.52 app release, you can now send DNS requests over VPN instead of through your ISP to protect your privacy using Unbound over VPN. To use this feature, you must have a third-party VPN Client connection configured on your Firewalla. Watch a video tutorial or read more about this feature in our 1.52 App Release Notes.
Note that this is different from DNS Over VPN, which is part of Firewalla VPN Client. For Unbound over VPN, all your DNS requests will be sent over the VPN Client of your choosing, but all of your content will still go directly over your ISP connection. With Firewalla VPN Client you are sending content over your VPN and optionally DNS as well.
2.7.2 DNS over HTTPS
DNS over HTTPS (DoH) is a transport protocol for performing remote DNS resolution via the HTTPS protocol. It is more secure than traditional DNS and helps protect user privacy.
- DoH is an encrypted transport, so you still need to choose and configure a DNS server
- Due to the extra encryption, DoH can be a little slower than unencrypted DNS
- Your DNS server may alter your returned results (e.g. filtering for ads or adult content)
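To make concrete what "DoH is a transport" means, here is an added example (not Firewalla's code, and not from any DoH provider) that builds a standard DNS wire-format query for firewalla.com, wraps it the way an RFC 8484 GET request does, and parses a constructed answer message. The same bytes are what traditional DNS sends in a clear-text UDP packet; with DoH they travel inside HTTPS, so only the resolver named in the URL sees them, which is why a resolver still has to be chosen. The resolver URL https://resolver.example/dns-query and the answer 192.0.2.10 are placeholders.

```python
import base64
import struct
from typing import List, Tuple


def build_query(qname: str, qtype: int = 1, txid: int = 0) -> bytes:
    """DNS query in wire format (RFC 1035). qtype 1 = A. RFC 8484 suggests ID 0 for DoH
    so that identical queries produce identical, cacheable HTTP requests."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD set; one question
    labels = b"".join(struct.pack("B", len(part)) + part.encode("ascii")
                      for part in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", qtype, 1)   # class IN


def doh_get_url(resolver_url: str, wire: bytes) -> str:
    """RFC 8484 GET form: the message goes base64url-encoded, without padding, in ?dns=."""
    encoded = base64.urlsafe_b64encode(wire).rstrip(b"=").decode("ascii")
    return "%s?dns=%s" % (resolver_url, encoded)


def parse_name(msg: bytes, off: int) -> Tuple[str, int]:
    """Decode a (possibly compressed) name; return (name, offset after the name)."""
    labels: List[str] = []
    end = None
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                       # compression pointer
            ptr = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (end if end is not None else off)


def parse_response(msg: bytes) -> Tuple[int, list]:
    """Return (rcode, answers); answers are (name, type, ttl, rdata) with A records decoded."""
    _, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        _, off = parse_name(msg, off)
        off += 4                                        # skip qtype + qclass
    answers = []
    for _ in range(an):
        name, off = parse_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == 1 and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return flags & 0xF, answers


def constructed_response(query: bytes, ip: str) -> bytes:
    """Constructed sample reply to `query` (not a real server response): echoes the question
    and adds one A record pointing at the question name via a compression pointer."""
    qend = 12
    while query[qend] != 0:                             # walk the labels of the question name
        qend += query[qend] + 1
    question = query[12:qend + 5]                       # name + qtype + qclass
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)   # QR, RD, RA; one answer
    answer = b"\xc0\x0c" + struct.pack("!HHIH", 1, 1, 300, 4) + bytes(int(x) for x in ip.split("."))
    return header + question + answer


if __name__ == "__main__":
    q = build_query("firewalla.com")
    print(doh_get_url("https://resolver.example/dns-query", q))   # placeholder resolver
    print(parse_response(constructed_response(q, "192.0.2.10")))
```

A POST form also exists: the same bytes are sent as the request body with Content-Type application/dns-message, and the reply body is parsed exactly as above. Nothing in either form identifies the client beyond the TLS connection, which is the privacy gain over clear-text UDP.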
2.7.3 Family Protect (3rd-Party Mode)
The Family Protect feature filters out violent and adult material. Our original Family Protect 3rd-Party Mode forwards requests to a trusted DNS provider that provides the Family Mode service. When using 3rd-Party Mode, there may be some conflict with other DNS services.
Please be aware that due to how Internet domain names are designed, this type of content blocking can never be perfect.
2.7.4 Traditional DNS: Router Mode
LAN DNS & WAN DNS:
If none of Firewalla's DNS services are enabled, Firewalla will first use the DNS servers configured in the LAN DNS setting.
This defaults to the IPs of the LAN itself, though it can be customized to point to an external DNS provider. For example, you could have one DNS provider serve one LAN and a different provider for another LAN or VLAN. Please note that if a device has another DNS protocol (DoH/Family Protect/Unbound) enabled in the Firewalla app, Firewalla will no longer send that device's DNS requests to the configured DNS server; the other protocols take precedence.
If the LAN DNS points to the LAN IP, and none of the other protocols are active on the device asking to look something up, your WAN DNS will handle DNS requests. The default for WAN DNS comes from your ISP. For WAN DNS, we recommend using a highly reliable DNS provider that does not do any filtering.
Using a Local Device as the DNS server
If you're using a local device as the DNS server, we generally recommend turning DNS Booster off on that device to prevent unexpected DNS loops. In case you forget to turn it off, there is a piece of loop detection code running in the background that should automatically disable DNS Booster for that device within 5 minutes. However, if the device you're using as the DNS server has another upstream DNS service enabled in the Firewalla app, the loop detection code will not turn DNS Booster off because DNS loops should not happen.
2.7.5 Traditional DNS: Bridge Mode
Traditional DNS in Bridge Mode is similar to what happens in Router Mode, but with a DNS setting on the bridge. If none of Firewalla's DNS services are enabled, Firewalla will use the DNS servers configured in the bridge DNS setting first. For the initial bridge, this defaults to your router IP, though it can be customized to point to an external DNS provider.
If the bridge DNS points to the router, and none of the other protocols are active on the device asking to look something up, the DNS specified by the router will be used for DNS.
The default DNS server for most routers comes from your ISP. It is recommended that Firewalla's Bridge DNS be set to a reliable, non-filtering DNS provider. If you point at the router, make sure that the router is configured that way.
3. A Comparison of all DNS Services
With so many choices, customers often ask for help choosing the best option.
Comparison table (cell values not recoverable from this page): the criteria compared were Reduce Tracking (ISP) and Prevent DNS modifications; the services compared included DNS over HTTPS (DoH) and Firewalla + OpenDNS.
1 DNS queries can be sent over to the VPN provider of your choosing.
How to Choose Your DNS Strategy
- If you have NO concerns at all, just use traditional DNS from your ISP or configure some public DNS for your LAN networks if you like.
- If you just need simple filtering to protect your network from unwanted online content, choose Native Family Protect. Native Family Protect won't conflict with other DNS services.
- If you do not trust any single DNS server other than the root and authoritative DNS server, choose Unbound.
- If you trust your DNS service provider but don't trust your ISP, choose DNS over HTTPS.
- If you do not want any DNS queries getting changed or filtered, use Unbound.
- If you do not want any DNS queries getting changed or filtered and want to add a layer of encryption so that your ISP can't see your DNS requests, use Unbound over VPN.
Remember, DoH, Unbound, and Family Protect are mutually exclusive for a network or device/device group. So if a network is configured to use DoH, it can't also use Unbound at the same time.
Like Rules, there is a hierarchy. Device/Group DNS services take priority over the network DNS services. So you can configure a network to use DoH, but specify that a certain device on that network should use Unbound instead.
What is the difference between DoH and Unbound? Why can't Unbound and DoH be used together?
In essence, DoH is a protocol for encrypting DNS traffic between the client (like a web browser) and the DNS resolver, whereas Unbound is a type of DNS resolver that can make use of different protocols, including DoH and DoT, for secure DNS resolution. Unbound is more about the server-side operation of processing DNS queries, while DoH is a method of securely transmitting those queries from the client to the server.
If Unbound is a supermarket, then DoH is the road you use to get to it.
How do I configure specific DNS servers?
If you want to change the DNS servers used by your network, the best place to configure them is under the LAN network segment. Any devices accessing the network on the LAN segment will use the configured DNS server(s).
If your DNS server is external to your network, simply set the DNS on the LAN to the IP of the DNS server. Each LAN can be pointed at a different server as required.
If you want to run your own DNS server, we recommend putting the DNS server on a different LAN or VLAN from other devices. For each network that you want to direct to your own DNS server, use the IP of the device.
Then set the DNS of the DNS LAN/VLAN to be either an external DNS provider or the VLAN IP itself. So if the VLAN is 192.168.22.1, use that for the DNS of the VLAN as well.
Please note that if a device has another DNS protocol (DoH/Family Protect/Unbound) enabled in the Firewalla app, Firewalla will no longer send that device's DNS requests to the configured DNS server; the other protocols take precedence.
Additionally, if you're using a local device as a DNS server, we generally recommend turning DNS Booster off on that device to prevent unexpected DNS loops. In case you forget to turn it off, there is a piece of loop detection code running in the background that should automatically disable DNS Booster for that device within 5 minutes. However, if the device you're using as the DNS server has another upstream DNS protocol enabled in the Firewalla app, the loop detection code will not turn DNS Booster off because DNS loops should not happen.
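The DNS loop described here and in section 2.7.4 is easy to see once the forwarding chain is written out. The following is an added example, not Firewalla's loop detection code: it models a VLAN whose LAN DNS points at a local DNS server, follows one query hop by hop (DNS Booster intercepting each device's plain port-53 traffic back to the box), reports the repeating segment, and applies the rule stated above: turn DNS Booster off for the LAN DNS device unless that device has its own DNS service, in which case its queries are handed to that service and no loop forms. The VLAN IP 192.168.22.1 is from this page; the DNS server 192.168.22.10, the client 192.168.22.20, the external resolver 192.0.2.53 and the "DoH" label are constructed.

```python
from typing import Optional, Tuple, List

FIREWALLA = "192.168.22.1"      # LAN/VLAN IP used on this page
DNS_BOX = "192.168.22.10"       # constructed: a local DNS server on that VLAN
CLIENT = "192.168.22.20"        # constructed: an ordinary client
EXTERNAL = "192.0.2.53"         # constructed external resolver (documentation range)


def make_config(booster_on_dns_box: bool = True, dns_box_service: Optional[str] = None) -> dict:
    """Constructed network: LAN DNS points at DNS_BOX, whose own configured upstream is EXTERNAL."""
    return {
        "lan_dns": DNS_BOX,
        "wan_dns": EXTERNAL,
        "devices": {
            CLIENT: {"dns_booster": True, "dns_service": None, "upstream": FIREWALLA},
            DNS_BOX: {"dns_booster": booster_on_dns_box, "dns_service": dns_box_service,
                      "upstream": EXTERNAL},
        },
    }


def next_hop(hop: str, sender: Optional[str], cfg: dict) -> Optional[str]:
    """Where a query now at `hop` (received from `sender`) is sent next; None means it resolves."""
    if hop == FIREWALLA:
        dev = cfg["devices"].get(sender, {})
        if dev.get("dns_service"):
            return dev["dns_service"]          # the sender's own service handles it, never LAN DNS
        return cfg["lan_dns"] if cfg["lan_dns"] != FIREWALLA else cfg["wan_dns"]
    dev = cfg["devices"].get(hop)
    if dev is None:
        return None                            # external resolver or a DNS service: chain ends
    # DNS Booster intercepts the device's plain port-53 traffic, whatever upstream it configured.
    return FIREWALLA if dev["dns_booster"] else dev["upstream"]


def trace(origin: str, cfg: dict, limit: int = 8) -> Tuple[List[str], Optional[List[str]]]:
    """Follow a query from `origin`. Returns (path, loop); loop is the repeating segment or None.
    A loop is detected when the same (sender, hop) state recurs, since next_hop depends on both."""
    path, seen = [origin], {}
    sender, hop = None, origin
    while len(path) <= limit:
        state = (sender, hop)
        if state in seen:
            return path, path[seen[state]:]
        seen[state] = len(path) - 1
        nxt = next_hop(hop, sender, cfg)
        if nxt is None:
            return path, None
        path.append(nxt)
        sender, hop = hop, nxt
    return path, path                          # gave up: treat as looping


def loop_guard(cfg: dict) -> bool:
    """Model of the background check: if a loop is found and the LAN DNS device has no DNS
    service of its own, switch DNS Booster off for it. Returns True if it changed anything."""
    _, loop = trace(CLIENT, cfg)
    box = cfg["devices"].get(cfg["lan_dns"])
    if loop and box and not box["dns_service"] and box["dns_booster"]:
        box["dns_booster"] = False
        return True
    return False


if __name__ == "__main__":
    cfg = make_config()
    print("before:", trace(CLIENT, cfg))       # loop between the box and the DNS server
    loop_guard(cfg)
    print("after: ", trace(CLIENT, cfg))       # chain now ends at the external resolver
    print("with DoH on the DNS server:", trace(CLIENT, make_config(dns_box_service="DoH")))
```

The third run shows why the guard leaves DNS Booster alone when the DNS server has its own upstream service: its intercepted queries are handed to that service rather than back to the LAN DNS, so the chain terminates.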
When Force DNS over VPN is enabled, will Firewalla still be able to block DNS requests?
When Force DNS over VPN is on, DNS blocks will not take effect as Firewalla will no longer be able to see your DNS requests. However, other blocks will still work (e.g. TLS, IP).
Does Firewalla intercept DNS requests?
With DNS Booster on (it is on by default), Firewalla will intercept DNS requests. For example, if someone sets a device's DNS to 22.214.171.124, and the LAN DNS is 126.96.36.199, all DNS requests will go to 188.8.131.52. This generally ensures that your DNS settings are enforced and prevents devices from circumventing the rules and policies you put in place.
However, there are some additional steps you can take to ensure that users don't circumvent the Rules that you put in place on your network. See the following for additional articles on securing your network:
- Dealing with DNS over HTTPS and DNS over TLS on your network
While optional, parents and other Firewalla administrators who want to make sure their rules are followed as intended should review these recommendations.
What is DNS Booster?
DNS Booster is Firewalla's DNS cache and should be left active on most devices. There are some exceptions to this rule, but disabling DNS Booster will deactivate other Firewalla features and is strongly discouraged.