Demystifying Firewalla’s DNS Configurations

5 comments

  • Jao van de Lagemaat

    This can indeed use a good explainer. I think there are a few subtleties we should add. Note this is all for router mode on FWG but is probably also valid for DHCP mode.

    1. In the WAN DNS field, if you leave it blank it uses whatever the ISP gives as their choice of DNS. This is usually not a very good choice, as almost all ISPs nowadays do DNS poisoning. This is where you get a messy-looking search result if you mistype a URL instead of just a not-found error. I abhor this practice, but many ISPs don't even allow you to turn this off, so better to enter here the addresses for Cloudflare DNS, Google's DNS, etc., or better, enable DoH, which uses whatever server responds fastest.

    2. I think that for your local networks you should almost always, including if you use DoH, specify the router's internal address (i.e. if you have a subnet with addresses in 192.168.32.x, for example, then you specify 192.168.32.1 as the DNS for that subnet, always, even if you enable DoH). This is why this is the default when you create a new LAN or VLAN, and it simplifies things. This allows you to use the DNS cache on the Firewalla to speed up DNS requests. The actual DNS request, if not in the Firewalla's cache, will go to whatever you specify in the WAN DNS fields or to the servers specified in the DoH setup.

    3. Indeed.

    4. I don't think this is true. I think the Firewalla still sees all your DNS requests when you enable DoH, but that could be something for the Firewalla folks to comment on. This is why it works even for clients that do not natively support DoH (most don't). Basically all DNS requests get intercepted by the Firewalla and forwarded over DoH to DoH servers (if not available in the local cache).

  • Michael Bierman

    Thanks, @Jao.

    1. I think you are right, unless one of the other settings is in place. But yes, if you basically make all of your settings no-ops, then the ISP DNS would prevail.

    2. Good point on DNS caching.

    4. Exactly. Devices always use standard DNS to Firewalla, and Firewalla uses DoH, if configured.

  • IHaveABigNetwork

    I'm not sure I agree with needing to set anything other than your DoH provider. If you set your DoH provider, no requests go to your ISP. I've done a lot of testing and have never seen a single request from my 130+ devices NOT go to the DoH provider (which isn't my ISP or anything common).

  • Michael Bierman

    It isn't possible to create a LAN/VLAN (local network) without a DNS setting. The default Primary DNS is the IP of that segment and the Secondary is empty, so it will always be set to something. I'm just going through all the use cases so that one can understand where the default values come from and what happens if you override them.

  • Support Team

    @Michael,

    Regarding priority, it's the same as rules: Device > Group > Network.

    So if you have DoH enabled for a group, then the group will use the DoH servers, no matter what DNS servers are configured for the network. If you don't see behaviors like this, it could be a bug.


    For the default DNS settings for LAN networks, eventually it should always be set to something, otherwise your devices will not be able to surf the internet. In the Firewalla app, by default it's set to Firewalla's LAN IP. It's actually a placeholder: Firewalla will automatically use the DNS configuration from the related WAN interface.

    And no matter what DNS servers you configured in the app, the Firewalla DNS filtering always takes effect, EXCEPT when VPN/DoH is enabled on your devices.


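The precedence the Support Team describes (Device > Group > Network), the LAN-IP placeholder that defers to the WAN DNS setting, the blank-WAN-DNS fallback to the ISP from Jao's first point, and the "filtering applies unless the device runs its own VPN/DoH" rule, written out as a small Python model so the cases can be checked side by side. This is an added example, not Firewalla's code: the DoH resolver names and the IP addresses are constructed, and the assumption that an explicit device- or group-level server list beats a network-level DoH setting is mine, not something the thread states.

```python
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed DoH resolver list standing in for whatever the app's DoH setup points at.
DOH_SERVERS = ["doh-resolver-a.example", "doh-resolver-b.example"]


@dataclass
class Scope:
    """DNS-related settings at one policy scope (device, group or network)."""
    doh: bool = False                              # DoH turned on at this scope
    dns: List[str] = field(default_factory=list)   # explicitly entered DNS servers


@dataclass
class Resolution:
    transport: str      # "doh", "udp53", or "client" (left the device without Firewalla)
    servers: List[str]  # where the query leaves the Firewalla
    decided_by: str     # which layer supplied the answer
    filtered: bool      # whether Firewalla's DNS filtering sees the query


def resolve(network: Scope, wan_dns: List[str], lan_ip: str, isp_dns: List[str],
            group: Optional[Scope] = None, device: Optional[Scope] = None,
            client_bypass: bool = False) -> Resolution:
    """Model (assumption, not Firewalla's implementation) of the thread's precedence:
    device-side VPN/DoH bypasses everything; then Device > Group > Network;
    a network primary DNS equal to the LAN IP is a placeholder for the WAN DNS;
    a blank WAN DNS falls back to the ISP-assigned servers."""
    if client_bypass:
        # The device runs its own VPN or DoH client: Firewalla never sees the query.
        return Resolution("client", [], "device (own VPN/DoH)", filtered=False)
    # Higher scopes win outright, whether they chose DoH or plain servers.
    for name, scope in (("device", device), ("group", group)):
        if scope is None:
            continue
        if scope.doh:
            return Resolution("doh", list(DOH_SERVERS), name, filtered=True)
        if scope.dns:
            return Resolution("udp53", list(scope.dns), name, filtered=True)
    if network.doh:
        return Resolution("doh", list(DOH_SERVERS), "network", filtered=True)
    # Drop the LAN-IP placeholder; anything left is a real override for this network.
    explicit = [s for s in network.dns if s != lan_ip]
    if explicit:
        return Resolution("udp53", explicit, "network", filtered=True)
    if wan_dns:
        return Resolution("udp53", list(wan_dns), "wan", filtered=True)
    return Resolution("udp53", list(isp_dns), "isp (WAN DNS blank)", filtered=True)


if __name__ == "__main__":
    # Constructed scenario: a 192.168.32.0/24 segment with the default placeholder DNS.
    lan = Scope(dns=["192.168.32.1"])
    isp = ["10.0.0.53"]          # constructed ISP-assigned resolver
    print(resolve(lan, [], "192.168.32.1", isp))                       # falls to ISP
    print(resolve(lan, ["1.1.1.1"], "192.168.32.1", isp))              # WAN DNS wins
    print(resolve(lan, ["1.1.1.1"], "192.168.32.1", isp,
                  group=Scope(doh=True)))                               # group DoH wins
    print(resolve(lan, [], "192.168.32.1", isp, client_bypass=True))   # unfiltered
```

Walking through the cases in order shows why "blank WAN DNS" and "default network DNS" together mean the ISP ends up answering, and why a group-level DoH setting still routes through Firewalla (and stays filtered) while a device running its own VPN or DoH client does not.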