Redirect

Comments

21 comments

  • Firewalla

    It is for sure possible; we will log this request down. For now, the best option is to use the country/region block under Rules to do this. The NTP protocol will try the next entry if the previous one was blocked.

    https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering

    1
  • Michael Bierman

    Great, thanks. I thought you could apply a geo rule to multiple devices, but it doesn't seem to allow that. It is either 1 device or all devices, is that right?

    0
  • Michael Bierman

    I could think of two scenarios where this might be common. NTP and DNS queries.

    I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.

    0
  • Melvin Tu

    Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even if some devices in the network have a hard-coded DNS server, they will be redirected by Firewalla too.

    For NTP queries, we don't have the same type of redirection. It's good to have one. Added to our to-do list.

    0
  • Michael Bierman

    Very cool, thank you.

    So how do I enable the DNS override in firewalla? Settings > Advanced > Network Settings? Primary, Secondary? Or both? Does this work in Simple Mode?

    0
  • Firewalla

    Yes, this works in Simple Mode. You can configure just a primary, or both.

    0
  • Michael Bierman

    Excellent. So what is the order of precedence?

    1. Firewalla
    2. Router
    3. Manual local device configuration
    4. ISP

    I tried setting the router DNS to Firewalla's local IP so that I'd have just one place to set DNS, but the router didn't like that.

    0
  • Michael Bierman

    On a related note, what is the best practice?

    1. Set clients' DNS servers to point at public DNS servers like 1.1.1.1 and set Firewalla DNS to the same?
    2. Set clients' DNS servers to point at Firewalla's LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1?
    3. Makes no difference?

    0
  • Firewalla

    Most of the time you do not need to do anything; just set the default DNS and Firewalla should just use it. The Firewalla DNS settings can be used to override what's already there.

    0
  • Michael Bierman

    Sorry, I don't follow. My router and clients have to have DNS servers set, except for clients that hard-code their own DNS.

    So my question is, what should I set the router, firewalla, and clients to?

    0
  • Michael Bierman

    Just wanted to follow up to see if I could get clarification on the precedence of DNS settings?

    0
  • Firewalla

    Hi

    On your router, you should either leave it blank, and then it will be set by your service provider; if not, then you can pick any of the bigger ones, like 1.1.1.1 or 8.8.8.8 ...

    Firewalla will pick up this setting and use it.

    0
  • Michael Bierman

    But my question is, what takes precedence? Yes, if I leave it blank on the router, my ISP's will be used. But if I set them on Firewalla, does that override that? What if I set them manually on a client? I'd like to know which "wins" :)

    0
  • Michael Bierman

    Ping... can someone clarify DNS precedence?

    0
  • Melvin Tu

    Since legacy DNS is clear text:

    Device -> Firewalla -> Router -> ISP -> Internet

    Firewalla will intercept DNS requests from the device (even if the device specifies its own DNS) and forward them to upstream DNS servers. It is possible that the router/ISP may intercept/poison the DNS requests.

    If DoH is used, the router/ISP will not be able to intercept or poison the request.

    0
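The redirect Melvin describes works only because plaintext DNS on port 53 is readable and rewritable in transit. The following Python is an added example, not Firewalla's code: it parses a DNS query the way a gateway would, models the port-53 redirect decision (anything addressed to a resolver other than the gateway gets rewritten; anything on 443 is left alone because a DoH query is inside TLS), and audits a few constructed flow-log lines to list the devices that hard-code their own resolver. The LAN address, the upstream resolver, the flow-log format and the `Flow` class are all assumptions made up for this example.

```python
import struct
from dataclasses import dataclass
from typing import Dict, List

# Constructed addresses for the example (hypothetical LAN; not from the thread).
FIREWALLA_LAN_IP = "192.168.1.2"   # the box that intercepts port-53 traffic
UPSTREAM_RESOLVER = "1.1.1.1"      # what the gateway's own DNS setting points at


@dataclass
class Flow:
    src_ip: str
    dst_ip: str
    dst_port: int
    proto: str


def build_dns_query(qname: str, txid: int = 0x1234) -> bytes:
    """Constructed sample: a minimal RFC 1035 A query as it appears on the wire."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    labels = b"".join(bytes([len(p)]) + p.encode("ascii")
                      for p in qname.rstrip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_qname(packet: bytes) -> str:
    """Return the question name from a plaintext DNS packet.

    This is what a gateway can read (and so log, filter or redirect) on port 53.
    Queries carry no compression pointers, so a pointer here is treated as malformed.
    """
    if len(packet) < 12:
        raise ValueError("short DNS header")
    (qdcount,) = struct.unpack("!H", packet[4:6])
    if qdcount < 1:
        raise ValueError("no question section")
    pos, parts = 12, []
    while True:
        if pos >= len(packet):
            raise ValueError("truncated qname")
        length = packet[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:
            raise ValueError("compression pointer in question")
        parts.append(packet[pos:pos + length].decode("ascii"))
        pos += length
    return ".".join(parts)


def redirect_decision(flow: Flow) -> str:
    """Model of the port-53 redirect described in the thread.

    'redirect'   : DNS sent to some other resolver; a DNAT-style rule rewrites
                   the destination to the gateway, which answers via UPSTREAM_RESOLVER.
    'local'      : DNS already addressed to the gateway.
    'passthrough': not plaintext DNS. DoH rides inside TLS on 443, so there is
                   no DNS message on the wire for the gateway to rewrite.
    """
    if flow.dst_port == 53 and flow.proto in ("udp", "tcp"):
        return "local" if flow.dst_ip == FIREWALLA_LAN_IP else "redirect"
    return "passthrough"


# Constructed flow-log lines (not Firewalla output); one flow per line.
SAMPLE_FLOW_LOG = """\
src=192.168.1.50 dst=8.8.8.8 dport=53 proto=udp
src=192.168.1.50 dst=192.168.1.2 dport=53 proto=udp
src=192.168.1.77 dst=1.1.1.1 dport=443 proto=tcp
src=192.168.1.90 dst=8.8.4.4 dport=53 proto=tcp
"""


def parse_flow(line: str) -> Flow:
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["src"], fields["dst"], int(fields["dport"]), fields["proto"])


def audit_hardcoded_dns(log_text: str) -> Dict[str, List[str]]:
    """Map each device that sends DNS somewhere other than the gateway to the
    resolvers it tried. These are the hard-coded clients the redirect catches."""
    offenders: Dict[str, List[str]] = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        flow = parse_flow(line)
        if redirect_decision(flow) == "redirect":
            offenders.setdefault(flow.src_ip, []).append(flow.dst_ip)
    return offenders


if __name__ == "__main__":
    pkt = build_dns_query("example.com")
    print("gateway sees query for:", parse_qname(pkt))
    for device, resolvers in audit_hardcoded_dns(SAMPLE_FLOW_LOG).items():
        print(f"{device} hard-codes DNS to {resolvers}; port-53 redirect applies")
```

The audit is the check worth running on real flow logs: a device that keeps sending to 8.8.8.8 after the redirect is in place is either being caught by it (fine) or has moved to DoH on 443, which the port-53 rule cannot see.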
  • Michael Bierman

    Super helpful, thank you. Would pointing DNS at Firewalla's LAN IP directly be the recommended practice regardless of DoH? Seems like a simple way to configure rather than explaining all that.

    0
  • Melvin Tu

    We don't have to recommend this as it will be automatically redirected. We believe the best experience is zero setup.

    Melvin

    1
  • Joel Zimmerle

    Is Firewalla able to intercept DNS and redirect it on a client that is using DoH?

    0
  • Firewalla

    Firewalla will intercept DNS and redirect it to DoH if you have DoH enabled. This means you can have all (or selected) devices in your home/office use DoH automatically without reconfiguring anything.

    1
  • Joel Zimmerle

    Yes, I love that DoH is able to be run on Firewalla now, and I have it enabled for all my devices. My question was if a device on my network was using DoH itself, say through the 1.1.1.1 app, would Firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!

    1
  • Joel Zimmerle

    From my own testing, it appears Firewalla can still see the hostname I'm connecting to but cannot intercept and reroute the DNS.

    1
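Joel's observation matches how TLS exposes metadata: the hostname travels in the clear in the ClientHello's server_name (SNI) extension, while the DNS message inside a DoH exchange is in encrypted application-data records. The Python below is an added example, not Firewalla's code or the 1.1.1.1 app's: it constructs a sample ClientHello (zeroed random, two cipher suites, SNI and supported_versions extensions) and an application-data record, then shows what a gateway without the session keys can read from each. The resolver hostname `doh.example.net` is a placeholder.

```python
import struct
from typing import Any, Dict, Optional


def build_client_hello(server_name: str) -> bytes:
    """Constructed sample: a TLS ClientHello record with SNI (ext 0) and
    supported_versions (ext 43). Random is zeroed; no real key material."""
    name = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(name)) + name        # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0x0000, len(sni_list)) + sni_list
    versions = b"\x02\x03\x04"                                        # list len 2, TLS 1.3
    ver_ext = struct.pack("!HH", 0x002B, len(versions)) + versions
    exts = sni_ext + ver_ext
    hello = (b"\x03\x03" + bytes(32)                                  # legacy_version, random
             + b"\x00"                                                # empty session_id
             + struct.pack("!H", 4) + b"\x13\x01\x13\x02"             # two cipher suites
             + b"\x01\x00"                                            # null compression only
             + struct.pack("!H", len(exts)) + exts)
    handshake = b"\x01" + len(hello).to_bytes(3, "big") + hello       # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def build_app_data_record(ciphertext: bytes) -> bytes:
    """Constructed sample: an application_data record. In a DoH session the DNS
    query and answer are inside records like this, opaque without the keys."""
    return b"\x17\x03\x03" + struct.pack("!H", len(ciphertext)) + ciphertext


def parse_sni(record: bytes) -> Optional[str]:
    """Return the server_name from a ClientHello record, or None if there is none
    (or the record is not a ClientHello). Malformed input also yields None."""
    try:
        if len(record) < 5 or record[0] != 0x16:
            return None
        body = record[5:5 + struct.unpack("!H", record[3:5])[0]]
        if len(body) < 4 or body[0] != 0x01:
            return None
        hello = body[4:4 + int.from_bytes(body[1:4], "big")]
        pos = 2 + 32                                             # legacy_version + random
        pos += 1 + hello[pos]                                    # session_id
        pos += 2 + struct.unpack("!H", hello[pos:pos + 2])[0]    # cipher_suites
        pos += 1 + hello[pos]                                    # compression_methods
        if pos + 2 > len(hello):
            return None                                          # no extensions block
        end = pos + 2 + struct.unpack("!H", hello[pos:pos + 2])[0]
        pos += 2
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", hello[pos:pos + 4])
            pos += 4
            edata = hello[pos:pos + elen]
            pos += elen
            if etype != 0:
                continue
            lpos = 2                                             # skip server_name_list length
            while lpos + 3 <= len(edata):
                ntype = edata[lpos]
                nlen = struct.unpack("!H", edata[lpos + 1:lpos + 3])[0]
                lpos += 3
                if ntype == 0:
                    return edata[lpos:lpos + nlen].decode("ascii")
                lpos += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


def tls_visible_metadata(record: bytes) -> Dict[str, Any]:
    """What an on-path gateway can read from one TLS record without the keys:
    the record type, its length, and the SNI if this is a ClientHello."""
    if len(record) < 5:
        raise ValueError("short TLS record")
    ctype = record[0]
    length = struct.unpack("!H", record[3:5])[0]
    if ctype == 0x16:
        return {"record_type": "handshake", "sni": parse_sni(record), "payload_len": length}
    if ctype == 0x17:
        return {"record_type": "application_data", "sni": None, "payload_len": length}
    return {"record_type": f"other(0x{ctype:02x})", "sni": None, "payload_len": length}


if __name__ == "__main__":
    # Placeholder resolver hostname; the "query" bytes stand in for ciphertext.
    print(tls_visible_metadata(build_client_hello("doh.example.net")))
    print(tls_visible_metadata(build_app_data_record(bytes(64))))
```

The handshake record yields the resolver's hostname, which is why a gateway can still show which DoH server a device talks to and block or allow it by name or address; the application-data record yields only a length, so the query inside it cannot be read or rewritten. With Encrypted Client Hello, even the SNI disappears, so name-based visibility of the DoH server should not be relied on as a long-term control.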
