Encrypt your DNS with TLS aka DoT
You'll need to SSH into the firewalla and create a new file.
- If you don't want the ipv6 stuff don't include it.
- I've provided the configuration of common DNS providers as an example.
- You should use one of the DNS providers, not a mix.
- For your initial configuration, try cloudflare, test and with success, then modify with the DNS provider of your choice.
sudo vi ~/.firewalla/config/unbound_local/unbound_custom.conf
Once you have created your file, open your firewalla app and go to your DNS services.
Disable DNS over HTTPS, and enable Unbound.
Apply to All Devices or whatever suits your needs.
Test DoT with - https://184.108.40.206/help
You should see: Using DNS over TLS (DoT) Yes
DNSSEC is performed by the upstream DNS provider you choose.
Test with http://www.dnssec-failed.org/ , site should not open, success!
If you make a change to your configuration file, just toggle the Unbound switch in the firewalla app.
Don't like it?
ssh back in and ...
sudo rm ~/.firewalla/config/unbound_local/unbound_custom.conf
Kind of defeats the purpose to use googles DNS and let them collect all the sites you’re going to. That’s why I do nothing but use unbound now.
I also suggest using dnsleaktest.com to see who can observe your DNS queries. The best results, like the example below, are when only you ( your IP address) knows about your DNS queries.
Please sign in to leave a comment.