Comments

13 comments

  • Firewalla

    This will definitely be an issue for network-layer control, especially a problem for classification. Blocking this should not be too hard, and we are also likely to add an additional service to divert DNS to DNS over HTTPS (after classification is done).

    1
  • Wacey

    Any updates on what currently happens with DoH traffic? What features do we lose?

    I found a couple of articles about DNS over HTTPS through Pi-hole, and I see it's possible to install Pi-hole on the Firewalla, but I haven't looked at the downsides of this.

    https://docs.pi-hole.net/guides/dns-over-https/

    https://visibilityspots.org/dockerized-cloudflared-pi-hole.html

    0
  • Firewalla

    We should be able to make DNS over HTTPS available for sure, so you should have it natively. Will do a Facebook poll and see if people care about it.

    1
  • Firewalla

    BTW, we did a poll on Facebook, so very likely we will be integrating DNS over HTTPS on Firewalla very soon. Thank you for bringing up the feature.

    0
  • audiofreak39

    Can you also consider integrating DNS over TLS on Firewalla as well? I would prefer that protocol instead. Thank you!

    0
  • Firewalla

    There are three of them: DNSCrypt, DNS over TLS, DNS over HTTPS. And which one we pick ... not sure yet :)

    0
  • Braedach

    Would DNS over DoT or DoH protect against DNS poisoning attacks? Microsoft Windows currently doesn't have either natively (in planning, apparently); Android 9 and above does. Pretty sure Linux doesn't either without reconfiguration; not sure on iOS.

    Since this product is aimed at home users and small business, with the Gold product aimed at medium-sized business, wouldn't this be a good idea?

    All I know is that using Google DNS or Cloudflare doesn't guarantee you are protected from such an attack (I found this out Friday, two days after installing my Blue).

    0
  • Firewalla

    DoH is out ... https://help.firewalla.com/hc/en-us/articles/360038449734-DNS-over-HTTPS-beta-

    DoH should protect you from a man in the middle (such as Firewalla) changing DNS.

    0
  • Michael Bierman

    Does Firewalla's DoH work for upstream DNS if you run Pi-hole on Firewalla?

    0
  • Firewalla

    If the flow is

    Firewalla --> Pi-hole --> [upstream]

    then it doesn't matter where Pi-hole is; when DoH is on, it will be like

    Firewalla --> [DoH upstream]

    Pi-hole is a DNS server; when DoH is active, it just won't see the traffic.

    0
  • Michael Bierman

    That makes sense. Is it possible to do

    Pi-hole --> Firewalla --> [upstream]

    so that Pi-hole can see what it needs to and request un-blacklisted lookups from Firewalla, which can do DoH and DNS caching?

    Or am I still confused?

    0
  • Firewalla

    For most people we know who run Pi-hole on a Raspberry Pi, it will work this way. We are not sure when Pi-hole is installed on Firewalla; that depends on how the DNS port is exposed.

    1
  • Firewalla

    The problem is that until the community gets big, these "rules" are unlikely to be accurate. According to the company talking to us, they have people who do this for a living ... hence charging $.

    0