I really like understanding exactly how things work and I could not find a detailed write up of Firewalla DNS anywhere. Firewalla has sophisticated capabilities. I knew others have questions too, so I thought I’d try to map out how it all works.
Thanks to @firewalla and several other community members for clarifications and patience with me.
DNS Settings in Firewalla
DNS priority works like Rules: Device > Group > Network > WAN (set on the Firewalla side).
So a Group assigned to DoH on a LAN in Firewalla takes precedence over the LAN setting (e.g. Unbound).
Firewalla generally takes precedence over DNS on your devices if you have DNS Booster turned on for that device. The exception is if a user uses DoH on their own device. To get around that, you can use a Target List rule to block DoH on clients which will force them to use Firewalla.
With DNS Booster on, Firewalla will intercept and filter/redirect to the DNS server you configured per the rules below providing network control. For example, children cannot bypass Family Protect by changing the DNS under their phone settings (not without using a VPN anyway). Note some applications (e.g. nslookup) may show DNS settings applied on the device itself but that is an artifact of how they check DNS settings and is not applicable on a Firewalla controlled network.
- Network Manager > WAN connection. These DNS settings are optional. If left blank, they will default to your ISP's DNS servers but they will be superseded by the local network DNS or DoH.
- Network Manager > LAN/VLAN DNS is required here. By default a Firewalla local network has the primary DNS set to the local network IP and secondary DNS is blank. This allows Firewalla’s DNS cache to be maximized and avoid DNS leaks.
- DNS over HTTPS: can be applied to individual local networks, or groups. If DoH is active, it overrides other DNS settings that would otherwise apply.
- DoH takes place between Firewalla and your chosen DoH server(s), not between your device(s) and Firewalla. Devices use unencrypted DNS over you LAN/VLANs to Firewalla and Firewalla uses DoH over the WAN to the DNS provider, if configured to do so. With DoH active, Firewalla will detect all DNS requests so any blocking rules you have created still work with DoH.
- Currently you can configure multiple DoH servers with Firewalla. Firewalla will pick which to use based on a performance evaluation. It is not currently possible to have different DoH providers for different local networks though there has been talk that may be added in a future Firewalla release.
- If DoH is active on a LAN/VLAN (local network), use the default local network DNS settings.
- If DoH is inactive for a local network, the local network DNS should be set to your preferred DNS server and a second DNS server is fine. Each local network can have different DNS servers if you like. For example, you could choose additional filters for a local network for children by using 22.214.171.124 instead of 126.96.36.199 which is unfiltered.
- If DoH is inactive for a local network, you could alternatively leave the local network’s DNS set to the default and set the WAN DNS which will override the the ISP's DNS. This will apply the WAN DNS to all local networks that aren't using DoH.
- To use your ISP’s default DNS server, turn DoH off for that local network, set the local network’s DNS to the local network’s IP with no secondary DNS and set the WAN DNS blank.
- When making DNS changes it may take some time for the changes to take effect and you may need to make sure your device cache is cleared and you may want to clear the Settings > Advaced > Cache > DNS Booster Settings.
Here is a good typical setup:
- Network Manager > [WAN name] -> Primary DNS Server & Secondary DNS Server: set these to whatever you want the default to be. 188.8.131.52 is fine.
- Network Manager > [LAN name] -> Primary DNS Server: set to that LAN. So if the LAN is 192.168.0.1/24 set it to 192.168.0.1. if the LAN is 192.168.1.1/24, set it to 192.168.1.1 Do not set a secondary.
What this does, is tell Firewalla, "anything on this LAN should look to Firewalla for DNS and then all LANs will go to the WAN default.
If you use DoH or Unbound, that overrides the WAN DNS.
Please sign in to leave a comment.