Encrypt your DNS with TLS aka DoT
You'll need to SSH into the Firewalla and create a new file.
- If you don't want the IPv6 entries, leave them out.
- I've provided the configuration of common DNS providers as examples.
- You should use one of the DNS providers, not a mix.
- For your initial configuration, try Cloudflare; once that tests successfully, modify the file to use the DNS provider of your choice.
sudo vi ~/.firewalla/config/unbound_local/unbound_custom.conf
server:
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 2001:4860:4860::8888@853#dns.google
    forward-addr: 2001:4860:4860::8844@853#dns.google
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
Once you have created the file, open the Firewalla app and go to your DNS services.
Disable DNS over HTTPS and enable Unbound.
Apply to All Devices, or whatever suits your needs.
Test DoT at https://1.1.1.1/help
You should see: Using DNS over TLS (DoT): Yes
DNSSEC validation is performed by the upstream DNS provider you choose.
Test with http://www.dnssec-failed.org/ ; the site should not open. Success!
If you make a change to your configuration file, just toggle the Unbound switch in the Firewalla app.
Don't like it?
ssh back in and ...
sudo rm ~/.firewalla/config/unbound_local/unbound_custom.conf
Enjoy!
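As an added example (not part of the original post or of Firewalla's own tooling), the shell functions below generate the unbound_custom.conf fragment for exactly one of the three providers listed above, with or without the IPv6 entries, and then check a file for the properties this setup depends on: every forward-addr uses port 853 and carries a #authname so the upstream TLS certificate is verified against it, tls-cert-bundle is set, forward-tls-upstream is yes, and only one provider is named. The provider addresses and names are the ones from the post; the function names, the generated layout and the output path are assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Generates a single-provider
# DoT forward configuration for Unbound and sanity-checks it offline.

# gen_dot_conf PROVIDER [ipv6|noipv6]
# Prints an unbound_custom.conf fragment for one provider only.
gen_dot_conf() {
    provider="$1"
    want_ipv6="${2:-ipv6}"
    case "$provider" in
        cloudflare)
            auth="cloudflare-dns.com"
            v4="1.1.1.1 1.0.0.1"
            v6="2606:4700:4700::1111 2606:4700:4700::1001"
            ;;
        google)
            auth="dns.google"
            v4="8.8.8.8 8.8.4.4"
            v6="2001:4860:4860::8888 2001:4860:4860::8844"
            ;;
        quad9)
            auth="dns.quad9.net"
            v4="9.9.9.9 149.112.112.112"
            v6="2620:fe::fe 2620:fe::9"
            ;;
        *)
            echo "unknown provider: $provider (use cloudflare, google or quad9)" >&2
            return 1
            ;;
    esac
    addrs="$v4"
    if [ "$want_ipv6" = "ipv6" ]; then
        addrs="$addrs $v6"
    fi

    printf 'server:\n'
    # The CA bundle is what lets Unbound verify the upstream certificate
    # against the name after '#'; without it the TLS session is unauthenticated.
    printf '    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"\n'
    printf 'forward-zone:\n'
    printf '    name: "."\n'
    printf '    forward-tls-upstream: yes\n'
    for a in $addrs; do
        printf '    forward-addr: %s@853#%s\n' "$a" "$auth"
    done
}

# check_dot_conf FILE
# Returns 0 if FILE has the properties the DoT setup relies on, 1 otherwise.
check_dot_conf() {
    file="$1"
    total=$(grep -c '^ *forward-addr:' "$file" || true)
    [ "$total" -gt 0 ] || { echo "no forward-addr lines" >&2; return 1; }
    # Every forward-addr must be ADDRESS@853#AUTHNAME (port 853 + cert name).
    good=$(grep -c '^ *forward-addr: *[^ @]*@853#[^ ]*$' "$file" || true)
    [ "$good" -eq "$total" ] || { echo "forward-addr without @853#authname" >&2; return 1; }
    # All auth names must be the same provider (the post's "not a mix" advice).
    n=$(sed -n 's/^ *forward-addr: *[^@]*@853#\(.*\)$/\1/p' "$file" | sort -u | wc -l | tr -d ' ')
    [ "$n" -eq 1 ] || { echo "mixed providers ($n auth names)" >&2; return 1; }
    grep -q '^ *forward-tls-upstream: *yes' "$file" || { echo "forward-tls-upstream not yes" >&2; return 1; }
    grep -q '^ *tls-cert-bundle:' "$file" || { echo "tls-cert-bundle missing" >&2; return 1; }
    return 0
}

# Example use on the box (path assumed from the post):
#   gen_dot_conf quad9 noipv6 | sudo tee ~/.firewalla/config/unbound_local/unbound_custom.conf
#   check_dot_conf ~/.firewalla/config/unbound_local/unbound_custom.conf && echo OK
```

Running check_dot_conf against the all-in-one sample file above fails with "mixed providers (3 auth names)", which is the point: that file is a menu of examples, and the checker enforces picking one before you toggle Unbound. If the unbound package's unbound-checkconf tool is present it can additionally parse the finished file for syntax errors.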
-
Kind of defeats the purpose to use Google's DNS and let them collect all the sites you're going to. That's why I do nothing but use Unbound now.
I also suggest using dnsleaktest.com to see who can observe your DNS queries. The best results, like the example below, are when only you (your IP address) know about your DNS queries.

-
JD Brookins, you do need sudo there. Make sure you are in the right directory. Without sudo, vi will throw those errors.
Also, just FYI theDude, you can use 3 or even more DNS resolvers in the conf file. Unbound will do some combination of randomly picking one plus some load balancing/favoring faster-responding resolvers. So having at least 2 will get rid of any chance that the one DNS you are relying on is totally down (which, admittedly, is a very, very tiny chance).
-
Glad you guys are finding this useful... Initially I was coming from a pfSense setup, and I wanted to replicate my DNS config on the Firewalla. I was also hoping that Firewalla would eventually just make DNS over TLS a toggle switch option within the app.
There are definitely numerous use case scenarios; hopefully this guide either provided exactly what you needed, or at least gave you a very good start.