Firewalla DNS Services

1. DNS Overview
2. Firewalla-Managed DNS Services Explained (with flowchart)
   1. Rules
   2. Ad Block
   3. Family Protect (Native Mode)
   4. Safe Search
   5. Custom DNS Rules
   6. VPN Client & DNS Over VPN
   7. DNS Services
      1. Unbound
      2. DNS over HTTPS
      3. Family Protect (3rd-Party Mode)
      4. Traditional DNS
3. Comparison and Recommendations
4. How to Choose Your DNS Strategy
5. FAQs

 

1. DNS Overview

What is DNS?

DNS, or Domain Name Systems, translate domain names such as firewalla.com to one or more IP addresses such as 23.227.38.32.

 

Why can DNS be a security issue?

DNS can be modified by DNS servers. For example, when you query firewalla.com, a DNS server might return a malicious address instead of 23.227.38.32. This could allow someone to redirect requests to a spoofed website in order to collect information such as login credentials, credit cards, or other Personally Identifiable Information. 

 

Why can DNS be a privacy issue?

Since raw DNS protocols are plain text, your intermediate ISP (or VPN) may be able to see which sites you're going to and even track you if they want to.

DNS Servers/Providers always know where you're going and may also track you if they want to.

 

Why can DNS be a performance issue?

Since nearly every Internet request starts with a DNS lookup, a poorly performing DNS provider can make responses sluggish. Also, your Firewalla uses DNS lookups to test the quality of your connection. If your DNS provider is down or has a lot of packet loss, you may see network events that reflect spotty connectivity. 

 

2. Firewalla-Managed DNS Services Explained

Firewalla provides various DNS services, including Unbound, DNS over HTTPS (DoH), and Family Protect, in addition to traditional unencrypted DNS. These services help you protect your privacy, secure your data, and filter content.

 

Two-Stage DNS Services

All of your DNS queries will go through two stages. The first stage is local DNS filtering. In this stage, your DNS queries are entirely local to your Firewalla and have not left your network. The features included in local DNS filtering are:

• Basic Rules (domain-based blocks)
• Ad Block
• Family Protect (Native Mode)
• Safe Search
• Custom DNS Rules
• Firewalla's IP layer blocks, done via Active Protect

After this stage, your box will check to see if you have an active VPN Client session, and if so, whether you have DNS over VPN enabled. These features allow you to send traffic and your DNS requests over a VPN connection. If neither of these features is active, you can then configure your DNS queries to be handled by a range of DNS Services, including:

• Unbound
• DoH
• Family Protect (3rd Party Mode)
• Traditional DNS

For any given device, device groups, or networks, DNS Services are mutually exclusive, which means they can be switched on for different entities at the same time but cannot be applied to the same entities at the same time. You can read more about DNS Services restrictions below.

 

 

2.1 Rules 

Rules can block or allow access to domains, IP addresses, or the Internet. Rules are close to the front of the line in Firewalla's decision tree when a device makes a DNS request. If you have a rule that blocks a domain and a device asks for that domain, Firewalla will block it immediately. If you block an IP address, then Firewalla may do a DNS lookup to learn how to find the server for that domain. Then, if the domain matches the IP address, Firewalla will block it. Either way, this happens nearly instantly. For simplicity, the flow chart shows things as a linear path, but in reality, it is more complex. 

See Manage Rules to understand how Rules are prioritized.

 

2.2 Ad Block

Ad Block limits portions of a web page or app rather than blocking things entirely. Nevertheless, the process is the same for every URL your device requests—from a webpage to an image or video.

See Ad Block for a full understanding of what it does.

 

2.3 Family Protect (Native Mode)

Family Protect (Native Mode) helps you filter unwanted content from the Internet. Unlike Family Protect 3rd Party Mode, Native Mode blocks content locally, meaning it doesn't rely on an external service. Native Mode can block porn, gambling, VPN sites, and more by leveraging Firewalla blocking features right on your box. It won't conflict with other DNS services. 

 

2.4 Safe Search

Safe Search is a bit different from other DNS services because rather than blocking things outright, it conveys to search engines that results should be limited—usually for children. 

See Safe Search for complete information on this feature.

 

2.5 Custom DNS Rules

You can add Custom DNS Entry Rules via the app.

On the box's main screen, tap Services -> Custom DNS Rules, tap Add Custom DNS Rule, enter the domain and an IP address you want it to be resolved to, then save the rule to confirm.

 

Custom DNS rules are basically local rules that no DNS provider could answer because they refer to devices on your own network or, in some cases, different ways of calling devices external to your network. They can be used for many things, such as having multiple names for the same NAS server or a way to point to virtual IP addresses. This feature is often used by customers with more complex networks. Think of this as a local address book.

• This works on DNS record types 1(A) and 28 (AAAA). Learn more about DNS Record Type

Watch our video tutorial for more information.

 

2.6 VPN Client & DNS Over VPN

Firewalla's VPN Client allows you to send traffic over a third-party VPN. For example, you could send traffic to your office over a VPN or all traffic to a streaming service over a VPN. In addition, you can choose to force DNS over your VPN as well.

• If Force DNS over VPN is ON, DNS requests will be forwarded to the VPN server. Unbound, DNS over HTTPS, and Family Protect (3rd-party Mode) will not work on devices connected to the VPN Client. While these DNS protocols won't take effect, other functions will still work, e.g., Blocking Rules, Ad Block, Safe Search, and Custom DNS Rules.
• If Force DNS over VPN is OFF, DNS requests will work as if there were no VPN connection, but traffic to the requested destinations will go over VPN. This means all your DNS traffic will be intercepted and protected by Firewalla. DNS traffic will NOT go through VPN.

More detail can be found in the VPN Client and DNS over HTTPS sections below.

 

2.7 DNS Services 

You can use the following DNS protocols simultaneously on Firewalla, however, for any given device, Group, or network, they are mutually exclusive. The same hierarchies as Rules applies to DNS: devices/Group settings take precedence over Networks;  Networks take precidence over DNS settings for All Devices.

Remember, just as with rules, once a device is added to a group, it will follow the group's configurations.

For example, if you had a network set to use DoH, but a device on that network is set to use Unbound, the device would use Unbound but any other devices on the same network would use DoH.

 

2.7.1 Unbound

Unbound is a validating, recursive, caching DNS resolver installed locally on the Firewalla box. It can help increase your online privacy and security. To keep your DNS lookup history private, Unbound can be used to replace the DNS servers from upstream ISPs as a more trustworthy alternative.

Pros

• Unbound is a DNS server, so there's no need to specify 3rd party DNS servers
• Unbound uses DNSSec to protect anyone from modifying the query results
• It always goes directly to the source, so no one DNS server fully knows where you are going

Cons

• DNS queries are still clear text, so they are visible to your ISP. 

If the last bullet point concerns you, you can send DNS requests over VPN instead of through your ISP to protect your privacy using DNS over VPN under Unbound. To use this feature, you must have a third-party VPN Client connection configured on your Firewalla. Watch our video tutorial for more details.

Note that this is different from the Force DNS over VPN feature of the Firewalla VPN Client. For the Unbound feature, if you enabled DNS over VPN, all your DNS requests will be sent over the VPN Client of your choosing, but all of your content will still go directly over your ISP connection. With Force DNS over VPN in VPN Client,  you are sending content over your VPN and optionally DNS as well. 

 

2.7.2 DNS over HTTPS

DNS over HTTPS (DoH) is a transport protocol for performing remote DNS resolution via the HTTPS protocol. It is more secure than traditional DNS and helps protect user privacy.

• DoH is an encrypted transport, so you still need to choose and configure a DNS server
• Due to the extra encryption, DoH can be a little slower than unencrypted DNS
• Your DNS server may alter your returned results (e.g. filtering for ads or adult content)

 

2.7.3 Family Protect (3rd-Party Mode)

The Family Protect feature filters out violent and adult material. Our original Family Protect 3rd-Party Mode forwards requests to a trusted DNS provider that provides the Family Mode service. When using 3rd-Party Mode, there may be some conflict with other DNS services.

Family Protect can be used for quick and simple content filtering. For more advanced content filtering, see the section on Rules above or refer to this guide on managing rules.

Please be aware that due to how Internet domain names are designed, this type of content blocking can never be perfect.

 

2.7.4 Traditional DNS: Router Mode

LAN DNS & WAN DNS:

If none of Firewalla's DNS services are enabled, Firewalla will first use the DNS servers configured in the LAN DNS setting.

This defaults to the IP of the LAN itself, though it can be customized to point to an external DNS provider. For example, you could have one DNS provider serve one LAN and a different provider for another LAN or VLAN. Please note that if a device has another DNS protocol (DoH/Family Protect/Unbound) enabled in the Firewalla app, Firewalla will no longer send that device's DNS requests to the configured DNS server– the other protocols take precedence.

If the LAN DNS points to the LAN IP, and none of the other protocols are active on the device, when asked to look something up, your WAN DNS will handle the DNS requests. The default WAN DNS comes from your ISP. For WAN DNS, we recommend using a highly reliable DNS provider that does not do any filtering. 

 

Using a Local Device as the DNS Server

If you're using a local device as the DNS server, we generally recommend turning DNS Booster off on that device to prevent unexpected DNS loops. In case you forget to turn it off, there is a piece of loop detection code running in the background that should automatically disable DNS Booster for that device within 5 minutes. However, if the device you're using as the DNS server has another upstream DNS service enabled in the Firewalla app, the loop detection code will not turn DNS Booster off because DNS loops should not happen.

 

2.7.5 Traditional DNS: Bridge Mode

Traditional DNS in Bridge Mode is similar to what happens in Router Mode, but with a DNS setting on the bridge. If none of Firewalla's DNS services are enabled, Firewalla will use the DNS servers configured in the bridge DNS setting first. For the initial bridge, this defaults to your router IP, though it can be customized to point to an external DNS provider. 

If the bridge DNS points to the router, and none of the other protocols are active on the device, the DNS specified by the router will be used for DNS.

The default DNS server for most routers comes from your ISP. It is recommended that Firewalla's Bridge DNS be set to a reliable, non-filtering DNS provider. If you point at the router, make sure that the router is configured properly. 

 

3. A Comparison of all DNS Services

With so many choices, customers often ask for help choosing the best option.

DNS services	Reduce Tracking (DNS Provider)	Reduce Tracking (ISP)	Prevent DNS modifications	Data Encryption	Content Filtering
Traditional DNS	No	No	No	No	Firewalla
Unbound	Yes	No	Yes	No1	Firewalla
DNS over HTTPS (DoH)	No	Yes	No	Yes	Firewalla
Family Protect (3rd-Party Mode)	No	No	No	No	Firewalla + OpenDNS

¹With DNS over VPN enabled under Unbound, DNS queries can be sent over to the VPN provider of your choosing and be encrypted. 

 

4. How to Choose Your DNS Strategy

• If you have NO concerns at all, just use traditional DNS from your ISP or configure some public DNS for your LAN networks if you like.
• If you need simple filtering to protect your network from unwanted online content, choose Family Protect -> Native mode. It won't conflict with other DNS services. 
• If you trust your DNS service provider but don't trust your ISP, choose DNS over HTTPS.
• If you do not trust any single DNS server other than the root and authoritative DNS server, choose Unbound.
• If you do not want any DNS queries getting changed or filtered, use Unbound.
• If you do not want any DNS queries getting changed or filtered and want to add a layer of encryption so that your ISP can't see your DNS requests, use Unbound and turn on DNS over VPN under it.

Remember, DoH, Unbound, or Family Protect are mutually exclusive for a network or device/device group. So if a network is configured to use DoH, it can't also use Unbound at the same time. 

Like Rules, there is a hierarchy. Device/Group DNS services take priority over the network DNS services. So you can configure a network to use DoH, but specify that a certain device on that network should use Unbound instead. 

 

5. FAQs

What is the difference between DoH and Unbond? Why can't Unbound and DoH be used together?

In essence, DoH is a protocol for encrypting DNS traffic between the client (like a web browser) and the DNS resolver, whereas Unbound is a type of DNS resolver that can make use of different protocols, including DoH and DoT, for secure DNS resolution. Unbound is more about the server-side operation of processing DNS queries, while DoH is a method of securely transmitting those queries from the client to the server.

If Unbound is a supermarket, then DoH is the road you use to get to it. 

 

How do I configure specific DNS servers?

If you want to change the DNS servers used by your network, the best place to configure them is under the LAN network segment. Any devices accessing the network on the LAN segment will use the configured DNS server(s).

If your DNS server is external to your network, simply set the DNS on the LAN to the IP of the DNS server. Each LAN can be pointed at a different server as required. 

If you want to run your own DNS server, we recommend putting the DNS server on a different LAN or VLAN from other devcies. For each network that you want to direct to your own DNS server, use the IP of the device.

Then set the DNS of the DNS LAN/VLAN to be either an external DNS provider or the VLAN IP itself. So if the VLAN is 192.168.22.1, use that for the DNS of the VLAN as well. 

Please note that if a device has another DNS protocol (DoH/Family Protect/Unbound) enabled in the Firewalla app, Firewalla will no longer send that device's DNS requests to the configured DNS server– the other protocols take precedence.

Additionally, If you're using a local device as a DNS server, we generally recommend turning DNS Booster off on that device to prevent unexpected DNS loops. In case you forget to turn it off, there is a piece of loop detection code running in the background that should automatically disable DNS Booster for that device within 5 minutes. However, if the device you're using as the DNS server has another upstream DNS protocol enabled in the Firewalla app, the loop detection code will not turn DNS Booster off because DNS loops should not happen.

 

When Force DNS over VPN is enabled for VPN Client, will Firewalla still be able to block DNS requests?

When Force DNS over VPN is on, Local DNS Filtering still works, which includes blocking rules, Ad block, Native Family mode, Safe Search and etc. If a DNS request is not blocked by any of them, it will be forwarded to the DNS server you connected to.

 

Does Firewalla intercept DNS requests?

With DNS Booster on (it is on by default), Firewalla will intercept DNS requests. For example, if someone sets a device's DNS to 1.1.1.1, and the LAN DNS is 8.8.8.8, all DNS requests will go to 8.8.8.8. This generally ensures that your DNS settings are enforced and prevents devices from circumventing the rules and policies you put in place. 

However, there are some additional steps you can take to ensure that users don't circumvent the Rules that you put in place on your network. See the following for additional articles on securing your network:

• Dealing DNS over HTTPS and DNS over TLS on your network

• Enforcing Your Policies: Cloud Private Relay, DoH, and VPN

While optional, parents and other Firewalla administrators who want to make sure their rules are followed as intended should review these recommendations.

 

What is DNS Booster?

DNS Booster is Firewalla's DNS cache and should be left active on most devices. There are some exceptions to this rule, but disabling DNS Booster will deactivate other Firewalla features and is strongly not recommended.