Use DoH for Firewalla's local dns resolution

Comments

8 comments

  • Firewalla

    The reason the Firewalla system (it only resolves a handful of domains or fewer, specific to Firewalla services) uses the default WAN DNS is that we want Firewalla to always be up, regardless of what you have configured/filtered.

    Your network DNS is always sent to what's configured via DoH/unbound, or over LAN.

    1
  • robcork

    That makes sense but for someone comfortable enough to manage unbound or dnsmasq from terminal, is there a way to force dnsmasq to listen on localhost? I'd prefer my snoopy ISP (Cox) doesn't even see DNS queries for domains that Firewalla is contacting directly.

    0
  • 1980cyber

    No point running DoH if you set up DNS on your LAN or are using DoH/Unbound. Your ISP knowing Firewalla is running Firewalla services ... likely has no value, and they can easily get that from IP headers.

    0
  • robcork

    After digging around in the terminal trying to figure out how to do this, I figured out I can just go into the Firewalla app and set the WAN DNS server to the local IP address of my FWG (i.e. 192.168.10.1). Now local Firewalla DNS requests are directed to dnsmasq, which then uses unbound in forwarding mode with DNS over TLS. No more leaking DNS that my ISP can see (which, by the way, is much more than I would have thought after using tcpdump to watch the outbound DNS traffic from the WAN).

    0
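    A small added helper (not part of this thread or of Firewalla) for the tcpdump check robcork describes: it reads tcpdump's one-line output and prints only packets that leave the WAN address for a remote port 53, i.e. plaintext DNS, while ignoring port 853 (DNS-over-TLS) and inbound replies. The WAN address (203.0.113.5), the interface name and the capture lines are constructed for the example.

```shell
#!/bin/sh
# Added example: flag plaintext DNS leaving the WAN. Constructed data, not a real capture.

# Constructed lines in the format of `tcpdump -n -l -i <wan-if> 'port 53 or port 853'`.
# 203.0.113.5 stands in for the box's WAN address (documentation range).
SAMPLE='12:00:01.000001 IP 203.0.113.5.41234 > 8.8.8.8.53: 4321+ A? github.com. (28)
12:00:01.000002 IP 8.8.8.8.53 > 203.0.113.5.41234: 4321 1/0/0 A 140.82.112.3 (44)
12:00:02.000003 IP 203.0.113.5.41235 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
12:00:03.000004 IP 203.0.113.5.41236 > 8.8.8.8.53: 9999+ PTR? 1.10.168.192.in-addr.arpa. (45)'

# plaintext_dns_leaks WAN_IP
# Reads tcpdump lines on stdin; prints those sent from WAN_IP to a remote port 53.
# Field layout: $1 time, $2 "IP", $3 src.port, $4 ">", $5 dst.port:, rest payload.
# Port 853 (DoT) does not match /\.53:$/, so encrypted traffic is left out.
plaintext_dns_leaks() {
    awk -v wan="$1" '
        $2 == "IP" && index($3, wan ".") == 1 && $5 ~ /\.53:$/ { print }
    '
}

# leak_count WAN_IP: number of leaked plaintext queries in the constructed sample
leak_count() {
    printf '%s\n' "$SAMPLE" | plaintext_dns_leaks "$1" | wc -l | tr -d ' '
}

# Live use (needs root; eth0 is an assumed WAN interface name):
#   tcpdump -n -l -i eth0 'port 53 or port 853' | plaintext_dns_leaks 203.0.113.5
# An empty output while the box and LAN clients are busy is the "no leak" result.
```

    Note that the A lookup for github.com and the reverse (PTR) lookup in the sample are the two kinds of plaintext traffic the later comments mention seeing on the WAN; the filter shows both and hides the DoT session on port 853.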
  • BaZzA_FW

    Hi, wanted to chime in as I have recently been trying to hide my DNS lookups myself. I am using NextDNS as my main resolver, not unbound, but I have followed Brian & Michael's install script, which is great:

    https://github.com/mbierman/Firewalla-NextDNS-CLI-install

    So I can disable DoH on a LAN and force it from the OS level. The reason I took this method was so I could break out the clients for logging on NextDNS; otherwise all you see is the router looking up with no context. I noticed the Firewalla box was looking up github.com as a raw lookup, as my WAN settings had ping tests for link quality checks (FW feature). I also noticed some PTR records flying over in raw format.

    I followed your approach and applied my local FW IP in the primary WAN settings, and now everything is secure... very happy with that. Slightly concerned that if the NextDNS CLI dies on my box I am in a world of pain. Have you tried to update the secondary WAN IP with another DNS entry? I was interested in whether it would be a round-robin approach or try on failure... I will give it a try.

    With unbound, are you now performing secure lookups to DNS root servers?

    :)

    0
  • robcork

    It appears to be round-robin based on what I see when I use tcpdump to watch the packets on WAN.

    For unbound, I've created a custom unbound configuration that uses forwarding mode with DNS-over-TLS instead of recursive resolving, as well as adding a rebinding fix for my Plex media server running locally.

    0
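    An added example (not robcork's file, and not anything shipped by Firewalla) of what a forwarding-only unbound configuration of the kind described above looks like: every query is forwarded to an upstream over TLS on port 853 with no plaintext fallback, and the Plex hostnames are exempted from unbound's DNS-rebinding protection so that answers pointing at the LAN address are not stripped. The file path, the upstream (Cloudflare here), the CA bundle path and the plex.direct domain are assumptions for the example; adapt them to your resolver and to wherever unbound actually reads its config on the box.

```conf
# Constructed example fragment for a hypothetical /path/to/unbound.conf
server:
    # CA bundle used to verify the upstream's TLS certificate (path varies by distro)
    tls-cert-bundle: "/etc/ssl/certs/ca-certificates.crt"

    # DNS-rebinding protection: drop answers from outside that point at private ranges
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    private-address: fd00::/8
    # ...except for Plex, whose *.plex.direct names legitimately resolve to the
    # media server's LAN address (assumed domain; confirm against your own logs)
    private-domain: "plex.direct"

forward-zone:
    name: "."
    # Send every query to the upstream over TLS (port 853); forward-first: no means
    # unbound does not fall back to plaintext recursion if the TLS upstream is down
    forward-tls-upstream: yes
    forward-first: no
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

    With the WAN DNS pointed at the LAN IP as described earlier in the thread, the box's own lookups now also depend on this unbound instance staying up, which is the trade-off Firewalla's reply below is about; `unbound-checkconf` on the file before restarting is the cheap way to avoid a self-inflicted outage.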
  • Firewalla

    We recommend 'NOT' modifying the WAN DNS configuration and leaving it unfiltered. The reason is to ensure the box is up and running (in case your custom DNS rules block Firewalla), and also, while Firewalla is running, it will query DNS for IP mapping and block bad sites; if your DNS servers block the query, you will lose IP-layer blocking for 'bad sites'.

    0
  • robcork

    Well, if it's that critical that it always points to an external DNS server, it sounds like Firewalla should enforce that in the settings page (or at least pop up a warning message if you set it to an RFC 1918 address).

    0