Redirect NTP Servers
I have a device that is going to an NTP server in Russia. Is it possible to use Firewalla to redirect all NTP queries to a server of my choosing? OR at least this NTP server specifically?
-
It is for sure possible; we will log this request. For now, the best option is to use the country/region block under Rules to do this. The NTP protocol will try the next entry if the previous one was blocked.
https://help.firewalla.com/hc/en-us/articles/360035080933-Geo-IP-Filtering
-
I could think of two scenarios where this might be common. NTP and DNS queries.
I read another post in this forum where someone pointed out that some devices hardcode their DNS queries, often to Google. It would be great to be able to force all NTP and DNS queries to servers of your choice.
-
Firewalla will redirect any DNS requests to the DNS servers configured in Firewalla. So even if some devices in the network have a hard-coded DNS server, they will be redirected by Firewalla too.
For NTP queries, we don't have the same type of redirection. It's good to have one. Added to our to-do list.
-
On a related note, what is the best practice?
- set clients' DNS servers to point at public DNS servers like 1.1.1.1 and set Firewalla DNS to the same?
- set clients' DNS servers to point at Firewalla's LAN IP and set Firewalla DNS to public DNS servers like 1.1.1.1?
- makes no difference?
-
Since legacy DNS is clear text:
Device -> Firewalla -> Router -> ISP -> Internet
Firewalla will intercept DNS requests from the device (even if the device specifies its own DNS server) and forward them to the upstream DNS servers. It is possible that the router/ISP may intercept/poison the DNS requests.
If DoH is used, the router/ISP will not be able to intercept or poison the request.
-
Yes, I love that DoH is able to be run on Firewalla now and I have it enabled for all my devices. My question was if a device on my network was using DoH itself, say through the 1.1.1.1 app, would Firewalla still be able to intercept and redirect that DNS request? Because it would not be in clear text over port 53 in this situation. Thanks!
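A small audit script, added here as an illustration and not Firewalla's code or anything posted in this thread, that classifies flow records the way the answers above describe: NTP on udp/123 to an unapproved server (including the retry to the next pool entry once one is blocked), port-53 DNS that Firewalla will redirect regardless of what the device hard-codes, and DoH/DoT to a resolver, which cannot be intercepted. The sample flows, the approved NTP address and the set of DoH resolver addresses are constructed assumptions.

```python
from collections import defaultdict

# Constructed sample flow records (src, dst, proto, dst_port); not from the thread.
SAMPLE_FLOWS = [
    ("192.168.1.20", "203.0.113.7", "udp", 123),   # NTP to an unapproved server
    ("192.168.1.20", "203.0.113.8", "udp", 123),   # NTP retry to the next pool entry
    ("192.168.1.21", "192.168.1.1", "udp", 123),   # NTP to the approved local server
    ("192.168.1.22", "8.8.8.8", "udp", 53),        # hard-coded DNS: Firewalla redirects this
    ("192.168.1.23", "1.1.1.1", "tcp", 443),       # DoH to the 1.1.1.1 resolver: not interceptable
    ("192.168.1.23", "1.1.1.1", "tcp", 853),       # DoT: not interceptable either
    ("192.168.1.24", "198.51.100.9", "tcp", 443),  # ordinary HTTPS, ignored
]

# Assumed policy: the NTP server devices should use, and resolver addresses
# known to serve DoH over 443 (1.1.1.1 is the one mentioned in the thread).
APPROVED_NTP = {"192.168.1.1"}
DOH_RESOLVERS = {"1.1.1.1"}


def classify_flow(dst, proto, port):
    """Return the category of one flow, or None if it is not of interest."""
    if proto == "udp" and port == 123:
        return "ntp-ok" if dst in APPROVED_NTP else "ntp-unapproved"
    if port == 53:
        return "dns-redirected"      # clear-text DNS: Firewalla rewrites it upstream
    if proto == "tcp" and port == 853:
        return "dot-bypass"          # DNS over TLS: opaque to the port-53 redirect
    if proto == "tcp" and port == 443 and dst in DOH_RESOLVERS:
        return "doh-bypass"          # DNS over HTTPS: same, cannot be redirected
    return None


def audit_flows(flows):
    """Group flows by category; each value is a sorted list of (src, dst) pairs."""
    report = defaultdict(set)
    for src, dst, proto, port in flows:
        category = classify_flow(dst, proto, port)
        if category:
            report[category].add((src, dst))
    return {k: sorted(v) for k, v in report.items()}


def unapproved_ntp_by_device(flows):
    """Per device, the unapproved NTP servers it tried, in the order observed."""
    seen = defaultdict(list)
    for src, dst, proto, port in flows:
        if classify_flow(dst, proto, port) == "ntp-unapproved" and dst not in seen[src]:
            seen[src].append(dst)
    return dict(seen)
```

Feed it the flow or connection records you export from the box; a device that keeps appearing under ntp-unapproved with a growing list of servers is walking through its pool as each entry gets blocked.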