Demystifying Firewalla’s DNS Configurations
I really like understanding exactly how things work and I could not find a detailed write up of Firewalla DNS anywhere. Firewalla has sophisticated capabilities. I knew others have questions too, so I thought I’d try to map out how it all works.
Thanks to @firewalla and several other community members for clarifications and patience with me.
Updated
DNS Settings in Firewalla
DNS priority works like Rules: Device > Group > Network > WAN (set on the Firewalla side).
So a Group assigned to DoH on a LAN in Firewalla takes precedence over the LAN setting (e.g. Unbound).
Firewalla generally takes precedence over DNS on your devices if you have DNS Booster turned on for that device. The exception is if a user uses DoH on their own device. To get around that, you can use a Target List rule to block DoH on clients which will force them to use Firewalla.
With DNS Booster on, Firewalla will intercept and filter/redirect to the DNS server you configured per the rules below, providing network control. For example, children cannot bypass Family Protect by changing the DNS under their phone settings (not without using a VPN anyway). Note some applications (e.g. nslookup) may show DNS settings applied on the device itself, but that is an artifact of how they check DNS settings and is not applicable on a Firewalla controlled network.
- Network Manager > WAN connection. These DNS settings are optional. If left blank, they will default to your ISP's DNS servers but they will be superseded by the local network DNS or DoH.
- Network Manager > LAN/VLAN DNS is required here. By default a Firewalla local network has the primary DNS set to the local network IP and secondary DNS is blank. This allows Firewalla’s DNS cache to be maximized and avoid DNS leaks.
- DNS over HTTPS: can be applied to individual local networks, or groups. If DoH is active, it overrides other DNS settings that would otherwise apply.
- DoH takes place between Firewalla and your chosen DoH server(s), not between your device(s) and Firewalla. Devices use unencrypted DNS over your LAN/VLANs to Firewalla and Firewalla uses DoH over the WAN to the DNS provider, if configured to do so. With DoH active, Firewalla will detect all DNS requests so any blocking rules you have created still work with DoH.
- Currently you can configure multiple DoH servers with Firewalla. Firewalla will pick which to use based on a performance evaluation. It is not currently possible to have different DoH providers for different local networks though there has been talk that may be added in a future Firewalla release.
- If DoH is active on a LAN/VLAN (local network), use the default local network DNS settings.
- If DoH is inactive for a local network, the local network DNS should be set to your preferred DNS server and a second DNS server is fine. Each local network can have different DNS servers if you like. For example, you could choose additional filters for a local network for children by using 1.1.1.2 instead of 1.1.1.1 which is unfiltered.
- If DoH is inactive for a local network, you could alternatively leave the local network’s DNS set to the default and set the WAN DNS, which will override the ISP's DNS. This will apply the WAN DNS to all local networks that aren't using DoH.
- To use your ISP’s default DNS server, turn DoH off for that local network, set the local network’s DNS to the local network’s IP with no secondary DNS and set the WAN DNS blank.
- When making DNS changes it may take some time for the changes to take effect. You may need to make sure your device cache is cleared, and you may want to clear Settings > Advanced > Cache > DNS Booster Settings.
Defaults
Here is a good typical setup:
- Network Manager > [WAN name] -> Primary DNS Server & Secondary DNS Server: set these to whatever you want the default to be. 1.1.1.1 is fine.
- Network Manager > [LAN name] -> Primary DNS Server: set to that LAN. So if the LAN is 192.168.0.1/24, set it to 192.168.0.1; if the LAN is 192.168.1.1/24, set it to 192.168.1.1. Do not set a secondary.
What this does is tell Firewalla, "anything on this LAN should look to Firewalla for DNS," and then all LANs will go to the WAN default.
If you use DoH or Unbound, that overrides the WAN DNS.
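The precedence rules above (Device > Group > Network > WAN, DoH overriding plain DNS, the LAN-IP placeholder falling through to the WAN setting, and a blank WAN falling through to the ISP) as a small executable model. This is an added illustration, not Firewalla's code; only DoH on/off is modelled at the device and group levels, and the ISP and DoH server values are constructed placeholders.

```python
"""Toy model of Firewalla's effective DNS path, as described in the post above.
Not Firewalla code: an illustration of the precedence rules only."""
from dataclasses import dataclass, field
from typing import Optional, Tuple


@dataclass
class Scope:
    """One level of the chain. At the device and group levels only DoH on/off
    is modelled (assumption); the network level also carries its DNS list."""
    doh: bool = False
    dns: Tuple[str, ...] = ()


@dataclass
class Config:
    lan_ip: str = "192.168.0.1"           # Firewalla's own IP on this LAN/VLAN
    wan_dns: Tuple[str, ...] = ()         # () = WAN DNS fields left blank
    # Default LAN setting: primary = LAN IP, no secondary (the placeholder).
    network: Scope = field(default_factory=lambda: Scope(dns=("192.168.0.1",)))
    group: Optional[Scope] = None
    device: Optional[Scope] = None


def effective_upstream(cfg, doh_servers, isp_dns, booster=True, client_doh=False):
    """Return (transport, servers) that a client's queries end up using."""
    # Without DNS Booster, or with DoH configured on the client itself,
    # Firewalla cannot redirect the query: the client talks to its own choice.
    if not booster or client_doh:
        return ("client-direct", ())
    # Device beats group beats network; DoH at any matching level wins.
    for scope in (cfg.device, cfg.group):
        if scope is not None and scope.doh:
            return ("doh", doh_servers)
    if cfg.network.doh:
        return ("doh", doh_servers)
    # Primary == LAN IP is the placeholder meaning "use the WAN's DNS config".
    lan = cfg.network.dns
    if lan and lan[0] != cfg.lan_ip:
        return ("plain", lan)
    # Blank WAN DNS means whatever the ISP handed out.
    return ("plain", cfg.wan_dns or isp_dns)


if __name__ == "__main__":
    ISP = ("203.0.113.53",)              # constructed ISP resolver (placeholder)
    DOH = ("doh.example.net",)           # constructed DoH endpoint (placeholder)
    print(effective_upstream(Config(), DOH, ISP))                      # ISP
    print(effective_upstream(Config(wan_dns=("1.1.1.1",)), DOH, ISP))  # WAN
    kids = Config(network=Scope(dns=("1.1.1.2",)), group=Scope(doh=True))
    print(effective_upstream(kids, DOH, ISP))                          # DoH
```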
-
This can indeed use a good explainer. I think there are a few subtleties we should add. Note this is all for router mode on FWG but is probably also valid for DHCP mode.
1. In the WAN DNS field, if you leave it blank it uses whatever the ISP gives as their choice of DNS. This is usually not a very good choice as almost all ISPs nowadays do DNS poisoning. This is where you get a messy looking search result if you mistype a URL instead of just a not found error. I abhor this practice but many ISPs don't even allow you to turn this off, so better to enter here the addresses for Cloudflare DNS, Google's DNS, etc., or better enable DoH which uses whatever server responds fastest.
2. I think that for your local networks, you should almost always, including if you use DoH, specify the router's internal address (i.e. if you have a subnet with addresses in 192.168.32.x, for example, then you specify 192.168.32.1 as the DNS for that subnet), always, even if you enable DoH. This is why this is the default when you create a new LAN or VLAN, and it simplifies things. This allows you to use the DNS cache on the Firewalla to speed up DNS requests. The actual DNS request, if not in the Firewalla's cache, will go to whatever you specify in the WAN DNS fields or to the servers specified in the DoH setup.
3. Indeed
4. I don't think this is true. I think the Firewalla still sees all your DNS requests when you enable DoH, but that could be something for the Firewalla folks to comment on. This is why it works even for clients that do not natively support DoH (most don't). Basically all DNS requests get intercepted by the Firewalla and forwarded over DoH to DoH servers (if not available in local cache).
-
Thanks, @Jao.
1. I think you are right unless one of the other settings is in place. But yes, if you basically make all of your settings no-ops then the ISP DNS would prevail.
2. Good point on DNS caching.
4. Exactly. Devices always use standard DNS to Firewalla and Firewalla uses DoH, if configured.
-
I'm not sure I agree with needing to set anything other than your DOH provider. If you set your DOH provider, no requests go to your ISP, I've done a lot of testing and have never seen a single request from my 130+ devices NOT go to the DOH provider (which isn't my ISP or anything common).
-
It isn’t possible to create a LAN/VLAN (local network) without a DNS setting. The default Primary DNS is the IP of that segment and the secondary is empty. So it will always be set to something. I'm just going through all the use cases so that one can understand where the default values come from and what happens if you override them.
-
@Michael,
Regarding priority, it's the same as rules. Device > Group > Network.
So if you have DoH enabled for a group, then the group will use the DoH servers, no matter what DNS servers are configured for the network. If you don't see behaviors like this, it could be a bug.
For default DNS settings for LAN networks, eventually it should always be set to something, otherwise your devices will not be able to surf the internet. In the Firewalla app, by default it's set to Firewalla's LAN IP. It's actually a placeholder: Firewalla will automatically use the DNS configuration from the related WAN interface.
And no matter what DNS servers you configured in the app, the Firewalla DNS filtering always takes effect, EXCEPT when VPN/DoH is enabled on your devices.
-
@Michael,
Have you found the DNS Loop Prevention mechanism?
I am forwarding home.lan to a pair of internal name servers; my internal name servers were using OpenDNS as their forwarders. Out of the blue, NS1 stops resolving requests. Apparently they have implemented a Loop Prevention mechanism that is turning off DNS Booster and blocking queries from my internal name server to the Firewalla itself. Thus, I can't resolve any of the hostname records held by Firewalla, only home.lan and external records, but only on the first server defined; my second name server works just fine.
-
@Andy, that's how I currently have it set and figured was best practice. I am running into an issue with AnyConnect VPN in that my devices are unable to resolve DNS being routed through it. If I set my device to use FWG as DNS then I am able to resolve names going through AnyConnect.
-
Hello Michael Bierman,
I hope that you can help me, I'm a new FWG user.
I want to use 1.1.1.1 as my DNS,
and I just discovered that Firewalla is using my ISP's DNS, if I'm not mistaken?
I saw that under: Network -> ISP1 -> Primary DNS Server & Secondary DNS Server.
Do I put 1.1.1.1 at this path? Or do I put it under my LAN 1 segment?
Is it here that I put in 1.1.1.1? Or is it under my LAN?
Another question is, I discovered under my LAN 1 that it is set to 192.168.1.1. Should I change this one too?
Or do I only change it on the WAN?
-
Hi @AhmadCh
Here is a good typical setup:
- Network Manager > [WAN name] -> Primary DNS Server & Secondary DNS Server: set these to whatever you want the default to be. 1.1.1.1 is fine.
- Network Manager > [LAN name] -> Primary DNS Server: set to that LAN. So if the LAN is 192.168.0.1/24, set it to 192.168.0.1; if the LAN is 192.168.1.1/24, set it to 192.168.1.1. Do not set a secondary.
What this does is tell Firewalla, "anything on this LAN should look to Firewalla for DNS," and then all LANs will go to the WAN default.
If you use DoH or Unbound, that overrides the WAN DNS.