Demystifying Firewalla’s DNS Configurations

Comments

14 comments

  • Jao van de Lagemaat

    This can indeed use a good explainer. I think there are a few subtleties we should add. Note this is all for router mode on FWG but is probably also valid for DHCP mode.

    1. In the WAN DNS field, if you leave it blank it uses whatever the ISP gives as their choice of DNS. This is usually not a very good choice as almost all ISPs nowadays do DNS poisoning. This is where you get a messy looking search result if you mistype a URL instead of just a not found error. I abhor this practice but many ISPs don't even allow you to turn this off, so better to enter here the addresses for Cloudflare DNS, Google's DNS, etc., or better, enable DoH, which uses whatever server responds fastest.

    2. I think that for your local networks you should almost always, including if you use DoH, specify the router's internal address (i.e. if you have a subnet with addresses in 192.168.32.x, for example, then you specify 192.168.32.1 as the DNS for that subnet), always, even if you enable DoH. This is why this is the default when you create a new LAN or VLAN, and it simplifies things. This allows you to use the DNS cache on the Firewalla to speed up DNS requests. The actual DNS request, if not in the Firewalla's cache, will go to whatever you specify in the WAN DNS fields or to the servers specified in the DoH setup.

    3. Indeed

    4. I don't think this is true. I think the Firewalla still sees all your DNS requests when you enable DoH, but that could be something for the Firewalla folks to comment on. This is why it works even for clients that do not natively support DoH (most don't). Basically all DNS requests get intercepted by the Firewalla and forwarded over DoH to DoH servers (if not available in the local cache).

    3
  • Michael Bierman

    Thanks, @Jao.

    1. I think you are right unless one of the other settings is in place. But yes, if you basically make all of your settings no-ops then the ISP DNS would prevail.

    2. Good point on DNS caching. 
    4. Exactly. Devices always use standard DNS to firewalla and Firewalla uses DoH, if configured. 

    1
  • IHaveABigNetwork

    I'm not sure I agree with needing to set anything other than your DOH provider.  If you set your DOH provider, no requests go to your ISP, I've done a lot of testing and have never seen a single request from my 130+ devices NOT go to the DOH provider (which isn't my ISP or anything common).

    0
  • Michael Bierman

    It isn’t possible to create a LAN/VLAN (local network) without a DNS setting. The default Primary DNS is the IP of that segment and the secondary is empty. So it will always be set to something. I'm just going through all the use cases so that one can understand where the default values come from and what happens if you override them. 

    0
  • Support Team

    @Michael,

    Regarding priority, it's the same as rules: Device > Group > Network.

    So if you have DoH enabled for a group, then the group will use the DoH servers, no matter what DNS servers are configured for the network. If you don't see behaviors like this, it could be a bug.


    For default DNS settings for LAN networks, eventually it should always be set to something, otherwise your devices will not be able to surf the internet. In the Firewalla app, by default it's set to Firewalla's LAN IP. It's actually a placeholder: Firewalla will automatically use the DNS configuration from the related WAN interface.

    And no matter what DNS servers you configured in the app, the Firewalla DNS filtering always takes effect, EXCEPT when VPN/DoH is enabled on your devices.


    0
  • Chris Thomas

    @Michael,

    Have you found the DNS Loop Prevention mechanism?

    I am forwarding home.lan to a pair of internal name servers; my internal name servers were using OpenDNS as their forwarders. Out of the blue, NS1 stops resolving requests. Apparently they have implemented a Loop Prevention mechanism that is turning off DNS Booster and blocking queries from my internal name server to the Firewalla itself. Thus, I can't resolve any of the hostname records held by Firewalla, only home.lan and external records, but only on the first server defined; my second name server works just fine.

    ...ct

    0
  • Rbishop

    @Michael, if using Pi-hole, where would you set DNS? For example, would you set the WAN to point at the internal Pi-hole, or would it be under LAN DNS?

    0
  • Andy brown

    Your LANs/VLANs point to your Pi-hole address, then your Pi-hole has an upstream connection to the DNS provider you choose from the list, or one you choose. I have mine pointing to DoH on cloudflared on another Docker image. I have just left the WAN from the ISP as it's now not used.

    0
  • Rbishop

    @Andy, that's how I currently have it set and figured it was best practice. I am running into an issue with AnyConnect VPN, in that my devices are unable to resolve DNS being routed through it. If I set my device to use FWG as DNS then I am able to resolve names going through AnyConnect.

    0
  • Andy brown

    On mine I force my DNS over the VPN and let the provider resolve any DNS queries; however, I only use OpenVPN and WireGuard. So if yours is not working it's probably something in the 3rd party configuration. Not very helpful, I know…

    0
  • Im Ghost

    Hello Michael Bierman,

    I hope that you can help me, I'm a new FWG user.

    I want to use 1.1.1.1 as my DNS

    and I just discovered that Firewalla is using my ISP's DNS, if I'm not mistaken?

    I saw that under Network -> ISP1 -> Primary DNS Server & Secondary DNS Server.

    Do I put 1.1.1.1 at this path? Or do I put it under my LAN 1 segment?

    Is it here that I put in 1.1.1.1? Or is it under my LAN?

    Another question is, I discovered under my LAN 1 that it is set to 192.168.1.1? Should I change this one too?

    Or do I only change it on the WAN?


    0
  • Im Ghost

    @Michael Bierman 

    @ Michael Bierman

    0
  • Michael Bierman

    Hi @AhmadCh

    Here is a good typical setup:

    • Network Manager > [WAN name] -> Primary DNS Server & Secondary DNS Server: set these to whatever you want the default to be. 1.1.1.1 is fine. 
    • Network Manager > [LAN name] -> Primary DNS Server: set to that LAN. So if the LAN is 192.168.0.1/24 set it to 192.168.0.1. if the LAN is 192.168.1.1/24, set it to 192.168.1.1 Do not set a secondary.

    What this does is tell Firewalla, "anything on this LAN should look to Firewalla for DNS", and then all LANs will go to the WAN default.

    If you use DoH or Unbound, that overrides the WAN DNS. 

    1
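A small model of the DNS-server selection that the Support Team's post (Device > Group > Network priority, LAN IP as a placeholder for the WAN DNS) and Michael's typical setup above describe, added here as a worked example; it is not Firewalla's code, and the IP addresses, DoH URLs and field names are assumed for illustration:

```python
# Added example (not Firewalla code): a model of the upstream-resolver
# selection described in the thread, for reasoning about a configuration.
# Rules taken from the posts above:
#   - priority for DNS/DoH settings is Device > Group > Network
#   - a LAN whose primary DNS is its own gateway IP is a placeholder that
#     means "use the WAN's DNS configuration" (Firewalla caches/forwards)
#   - WAN DNS left blank means the ISP-assigned resolvers are used
#   - DoH (or Unbound) configured on Firewalla overrides the WAN DNS
# All addresses, URLs and field names below are assumed, not from the page.
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class Wan:
    isp_dns: List[str]                              # resolvers the ISP handed out (constructed)
    dns: List[str] = field(default_factory=list)    # the app's WAN DNS fields; empty = left blank
    doh: List[str] = field(default_factory=list)    # DoH upstreams, if DoH is enabled


@dataclass
class Lan:
    gateway: str                    # Firewalla's own IP on this segment
    primary_dns: str                # defaults to gateway, i.e. the placeholder
    secondary_dns: Optional[str] = None


def effective_upstream(wan: Wan, lan: Lan,
                       group_doh: Optional[List[str]] = None,
                       device_doh: Optional[List[str]] = None) -> List[str]:
    """Return the resolvers a client on `lan` ends up using."""
    # Device > Group: a DoH setting at either level wins over the network.
    for override in (device_doh, group_doh):
        if override:
            return override
    # Network level: anything other than the gateway placeholder is used as
    # given (e.g. a Pi-hole on the LAN, as in Andy's setup).
    if lan.primary_dns != lan.gateway:
        extra = [lan.secondary_dns] if lan.secondary_dns else []
        return [lan.primary_dns] + extra
    # Placeholder: Firewalla answers from cache and forwards to the WAN's
    # configuration, where DoH overrides the WAN DNS fields and a blank
    # WAN DNS falls back to the ISP's resolvers.
    if wan.doh:
        return wan.doh
    return wan.dns if wan.dns else wan.isp_dns
```

Changing a single field in one of the dataclasses and re-running `effective_upstream` shows which of the settings discussed in the thread is actually in effect for a given client.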
  • Im Ghost

    @Michael Bierman

    Thank you very much, I have now set it up!

    1