Encrypt your DNS with TLS aka DoT

Comments

  • Chris Hewitt

    Kind of defeats the purpose to use Google's DNS and let them collect all the sites you’re going to. That’s why I do nothing but use Unbound now.

    I also suggest using dnsleaktest.com to see who can observe your DNS queries. The best results, like the example below, are when only you (your IP address) know about your DNS queries.

  • JD Brookins

    Very interesting. Kind of getting the best of both worlds here, being that Quad9 uses Unbound. How will this affect Firewalla's other features?

  • Chris Hewitt

    Three years, not a single negative effect. I also monitor my Gold Plus with bpytop.

  • JD Brookins

    That's good to know. Thanks!

  • JD Brookins

    Now that I'm at my box, I can't seem to write the file. I get an "E212: Can’t open file for writing" error. I put sudo before the command. Am I missing something?

  • AZ

    JD Brookins, you do need sudo there. Make sure you are in the right directory. Without sudo, vi will throw those errors.

    Also, just FYI theDude, you can use 3 or even more DNS resolvers in the conf file. Unbound will do some combination of randomly picking one plus some load balancing/favoring faster-responding resolvers. So having at least 2 will get rid of any chance that the one DNS you are relying on is totally down (which, admittedly, is a very, very tiny chance).

  • theDude

    Glad you guys are finding this useful... Initially I was coming from a pfSense setup, and I wanted to replicate my DNS config to the Firewalla. I was also hoping that Firewalla would eventually just make DNS over TLS a toggle-switch option within the app.
    There are definitely numerous use-case scenarios; hopefully this guide either provided exactly what you needed, or at least gave you a very good start.

  • Geo

    The Guy AZ

    First of all thank you for posting this!
    I assume this DoT w/ Unbound is preferred over just DoH and/or just Unbound, as I read you cannot do both (but it does allow me to turn both on)? The more I read, the more I'm undecided. lol

    Also, in Firewalla "DNS over VPN" looks to be connected to the Unbound section in the app. And it allows VPN to be turned on.
    I assume this all works together with Unbound (and DoT w/ Unbound) WITH VPN and would make it even more secure/better/hidden?

    Though I'm a little confused about what takes priority and/or what the difference is if I use Proton as a 3rd-party VPN in Firewalla for some devices (there is also an option under the VPN to also use DNS over VPN).

    I pay for Proton and therefore have a good VPN, so this might be an option to use on things I don't do full VPN?

    PS - AZ, how do we add a 2nd or even 3rd DNS entry like you mentioned? E.g. Quad9 and maybe Cloudflare.
    Just another set of the whole 7 lines of the "forward-zone", or?

    Thanks!!!

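An added configuration example (not from this thread, and not Firewalla's or Unbound's own documentation) of what AZ describes and Geo asks about: several upstream resolvers go into one forward-zone as additional forward-addr lines, not a second copy of the whole block. The Quad9 and Cloudflare addresses and authentication names are their published DoT endpoints; the tls-cert-bundle path is an assumption for a Debian-style system and should be checked on the box.

```conf
# Added example: Unbound forwarding every query over TLS (port 853) to
# two providers, each via IPv4 and IPv6. The name after '#' is the
# hostname Unbound checks against the server's TLS certificate.
server:
    # Assumed path; point this at the CA bundle that exists on the system.
    # Without a bundle (or tls-system-cert), the '#name' is not verified:
    # the connection is encrypted but the upstream is not authenticated.
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

forward-zone:
    name: "."
    # Weak setting for comparison: 'forward-tls-upstream: no' (the default)
    # would send these same queries in cleartext on port 53.
    forward-tls-upstream: yes
    # Quad9
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
    # Cloudflare
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1111@853#cloudflare-dns.com
    forward-addr: 2606:4700:4700::1001@853#cloudflare-dns.com
```

Run `unbound-checkconf` on the file before restarting Unbound; a typo in a forward-addr or a missing bundle path is reported there rather than at query time. Unbound picks among all listed addresses, favouring the ones that answer fastest, so one provider being down is absorbed by the others. If IPv6 is disabled on the WAN, the IPv6 entries are simply never reachable and the IPv4 ones carry the load; leaving them in does no harm.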
  • Geo

    Chris Hewitt

    I have been trying everything and can't seem to get my DNS to resolve to just my ISP IP (Xfinity/Comcast in US).

    Are you using local Pi-Hole or similar?

    Thanks!

  • Chris Hewitt

    Can you describe what you are doing and share screenshots, please? Also, are you using IPv6? I’ve not tried that on Pi-hole.

  • Geo

    Chris Hewitt, thanks for the reply!

    I just went down a rabbit hole and have been experimenting with trying the various Firewalla options and testing the results in:

    https://dnscheck.tools/
    https://ipleak.net/
    https://dnsleaktest.com/

    DNS over HTTPS only
    Unbound only
    Unbound with DNS over VPN
    Unbound with DoT (as discussed in this thread)
    Unbound with DoT and DNS over VPN

    But I was curious how you have it. From what very little I learned, it only sounds possible with some type of internal DNS like a Pi-hole or AdGuard setup.

    Thanks!

    PS - I have IPv6 turned off on my FWGpro, but I did keep the IPv6 Quad9 entries from this DoT post's instructions, JIC?

  • Geo

    Thanks TEM!

  • Geo

    Chris Hewitt

    I found out why I wasn't getting my local IP.
    That was because I was using the above conf with Quad9 and/or Cloudflare, not the default recursive Unbound. I deleted the conf, tested it, and got my own IP.

    TEM theDude

    Does this new .conf need to be recreated every time the Firewalla updates?
    I assume not, but wanted to double-check.

    Thanks again!
