Use DoH for Firewalla's local DNS resolution
It appears that the Firewalla device itself uses my ISP's DNS servers for DNS resolution instead of DoH or Unbound. I confirmed that dnsmasq is not listening on 127.0.0.1, and when I try to resolve some local hostnames that I've created with custom DNS rules from an SSH session, the hostnames are not resolved. Using nslookup from the Firewalla device itself also confirms that the DNS server responding to the query is my ISP's DNS.
I've enabled Unbound and also modified unbound.conf to use DNS over TLS, and I'd prefer to have all DNS queries, including any resolution the Firewalla device is doing itself, be encrypted and not use my ISP's DNS servers.
It looks like I can edit /etc/dnsmasq.conf to add "listen-address=127.0.0.1", but that file does not exist on FWG in /etc. Is there another dnsmasq.conf that I can edit to do the same thing?
-
The reason the Firewalla system (it only resolves a handful or fewer domains, which are specific to Firewalla services) uses the default WAN DNS is that we want Firewalla to always be up, regardless of what you have configured/filtered.
Your network DNS is always sent to what's configured via DoH/Unbound, or over LAN.
-
After digging around in the terminal trying to figure out how to do this, I figured out I can just go into the Firewalla app and set the WAN DNS server to the local IP address of my FWG (i.e. 192.168.10.1). Now local Firewalla DNS requests are directed to dnsmasq, which is then using Unbound in forwarding mode with DNS over TLS. No more leaking DNS that my ISP can see (which, by the way, is much more than I would have thought, after using tcpdump to watch the outbound DNS traffic from the WAN).
-
Hi, wanted to chime in as I have recently been trying to hide my DNS lookups myself. I am using NextDNS as my main resolver, not Unbound, but I have followed Brian & Micheal's install script, which is great:
https://github.com/mbierman/Firewalla-NextDNS-CLI-install
So I can disable DoH on a LAN and force it from the OS level. The reason I took this method was so I could break out the clients for logging on NextDNS; otherwise all you see is the router looking things up with no context. I noticed the Firewalla box was looking up github.com as a raw lookup, as my WAN settings had ping tests for link quality checks (an FW feature). I also noticed some PTR records flying over in raw format.
I followed your approach and applied my local FW IP in the primary WAN settings, and now everything is secure... very happy with that. Slightly concerned that if the NextDNS CLI dies on my box I am in a world of pain. Have you tried updating the secondary WAN IP with another DNS entry? I was interested in whether it would be a round-robin approach or try-on-failure... I will give it a try.
With Unbound, are you now performing secure lookups to the DNS root servers?
:)
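The two posts above both arrived at the same check: watch the WAN interface with tcpdump and see whether any DNS still goes out in the clear (raw A lookups for github.com, PTR lookups, and so on) versus to a port-853 DoT upstream. The script below is an added example, not code from either poster or from Firewalla; it parses `tcpdump -n` text output and flags plaintext port-53 queries leaving the WAN address. The capture lines, the WAN address 203.0.113.10, the ISP resolver 198.51.100.1 and the DoT upstream 1.1.1.1 are all constructed for the example.

```python
import re
from collections import Counter

# Constructed sample of `tcpdump -n -i <wan-if> port 53 or port 853` output.
# 203.0.113.10 is the assumed WAN address; 198.51.100.1 stands in for the ISP resolver.
SAMPLE_CAPTURE = """\
13:01:02.100000 IP 203.0.113.10.51234 > 198.51.100.1.53: 4132+ A? github.com. (28)
13:01:02.104000 IP 198.51.100.1.53 > 203.0.113.10.51234: 4132 1/0/0 A 140.82.121.3 (44)
13:01:03.200000 IP 203.0.113.10.51235 > 198.51.100.1.53: 4133+ PTR? 1.10.168.192.in-addr.arpa. (43)
13:01:04.300000 IP 203.0.113.10.40000 > 1.1.1.1.853: Flags [S], seq 1, win 64240, length 0
13:01:04.310000 IP 203.0.113.10.40000 > 1.1.1.1.853: Flags [P.], seq 1:200, ack 1, length 199
13:01:05.400000 IP 203.0.113.10.51236 > 8.8.8.8.53: 4134+ A? firewalla.com. (31)
"""

# A plaintext DNS query as tcpdump prints it: "... > dst.port: <id>+ <TYPE>? <name>. (len)".
# Responses ("1/0/0 A ...") and TCP segments have no "TYPE? name", so they do not match.
QUERY_RE = re.compile(
    r"IP (?P<src>\d+\.\d+\.\d+\.\d+)\.(?P<sport>\d+) > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)\.(?P<dport>\d+): .*?(?P<qtype>[A-Z]+)\? (?P<qname>\S+)"
)
# Any packet from us to port 853: DNS over TLS, contents not readable to the ISP.
DOT_RE = re.compile(r"IP (?P<src>[\d.]+)\.\d+ > (?P<dst>[\d.]+)\.853: ")


def audit_dns(capture, wan_ip, trusted_plain=frozenset()):
    """Scan tcpdump text for DNS leaving wan_ip.

    Returns (leaked, dot_packets): leaked is a list of (resolver, qtype, qname)
    for plaintext port-53 queries sent to any resolver not in trusted_plain;
    dot_packets counts outbound packets to port 853 (DoT), which are fine.
    """
    leaked = []
    dot_packets = 0
    for line in capture.splitlines():
        m = QUERY_RE.search(line)
        if m and m["src"] == wan_ip and m["dport"] == "53" and m["dst"] not in trusted_plain:
            leaked.append((m["dst"], m["qtype"], m["qname"].rstrip(".")))
            continue
        d = DOT_RE.search(line)
        if d and d["src"] == wan_ip:
            dot_packets += 1
    return leaked, dot_packets


def leaks_by_resolver(leaked):
    """Count leaked queries per upstream resolver, to see who is answering in the clear."""
    return Counter(dst for dst, _, _ in leaked)


if __name__ == "__main__":
    leaked, dot = audit_dns(SAMPLE_CAPTURE, "203.0.113.10")
    print(f"{dot} DoT packets, {len(leaked)} plaintext queries leaked:")
    for dst, qtype, qname in leaked:
        print(f"  {qtype:<4} {qname:<30} -> {dst}")
    print(dict(leaks_by_resolver(leaked)))
```

Run it against a real capture with `sudo tcpdump -n -l -i <wan-if> port 53 or port 853 | python3 audit.py` (reading stdin instead of the constructed sample). After the WAN DNS is pointed at the box's own LAN address as described above, the expected result is zero leaked queries and only port-853 traffic to the configured upstream.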
-
It appears to be round robin, based on what I see when I use tcpdump to watch the packets on WAN.
For Unbound, I've created a custom Unbound configuration that uses forwarding mode with DNS-over-TLS instead of recursive resolving, as well as adding a rebinding fix for my Plex media server running locally.
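The configuration the reply above describes (forwarding mode over DNS-over-TLS plus a rebinding exception for Plex) looks roughly like the fragment below. This is an added example, not the poster's actual file or anything shipped by Firewalla. Assumptions: Unbound listens on 127.0.0.1 port 5353 and dnsmasq forwards to it, the LAN is 192.168.10.0/24, the upstream is Cloudflare's DoT service, and the CA bundle path is the Debian/Ubuntu one; adjust all of these to the box you are on.

```conf
# Example unbound.conf fragment (added illustration, not the original poster's config).
server:
    # Assumed listener; dnsmasq is assumed to forward to 127.0.0.1#5353.
    interface: 127.0.0.1@5353
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.10.0/24 allow
    # CA bundle used to validate the upstream's TLS certificate (Debian/Ubuntu path).
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt
    # Rebinding protection: refuse RFC1918 answers from the public upstream...
    private-address: 10.0.0.0/8
    private-address: 172.16.0.0/12
    private-address: 192.168.0.0/16
    # ...except for plex.direct, whose records legitimately point at the local Plex server.
    private-domain: "plex.direct"
    qname-minimisation: yes

forward-zone:
    # Forward everything over DoT instead of recursing to the root servers.
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
```

The `#hostname` suffix on `forward-addr` is what makes Unbound verify the upstream certificate against that name; without it and `tls-cert-bundle`, the TLS session is encrypted but not authenticated. Check the file with `unbound-checkconf` before restarting, and confirm with `dig @127.0.0.1 -p 5353 plex.direct` style queries that the private-domain exception returns the LAN address while other domains still refuse private answers.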
-
We recommend NOT modifying the WAN DNS configuration, and leaving it unfiltered. The reason is to ensure the box stays up and running (in case your custom DNS rules block Firewalla), and also, while Firewalla is running, it will query DNS for IP mapping and block bad sites; if your DNS servers block the query, you will lose IP-layer blocking for 'bad sites'.