Firewalls: DNS Services - "Unbound" : Howto 09.28.2022

HostCheetah · September 28, 2022, 9:55pm

Welcome to Firewalla DNS Services: Unbound

Unbound is a validating, recursive, caching DNS resolver, it is installed locally on the Firewalla box, which helps increase your online privacy and security. It will have two advantages:

Prevent any single DNS upstream server from knowing where you are going. Whereas in traditional DNS queries, the DNS server knows everything.
Since Unbound always asks the root DNS servers for requests, it is nearly impossible to alter DNS.

How does it work?

Unbound uses DNSSec to validate DNS result and prevent it from man-in-the-middle attacks. Because Unbound itself is a DNS resolver, it will connect to different DNS servers for different domains. No single public DNS server will have all your DNS records, thus it protects your privacy at a certain level.

Note:

Please be aware that unbound doesn’t encrypt DNS traffic. For DNS traffic encryption, you will need to use DNS over HTTPS.
Unbound and DNS over HTTPS can’t be used together. (DoH is a transport, the Unbound is a resolver)
You can configure devices to use either DoH (DNS over HTTPS) or Unbound DNS services.

How to enable Unbound?

Unbound is part of the DNS Service feature. To apply Unbound to your devices:

Tap the DNS Service button at the bottom of the main page, turn on Unbound and select the devices/groups/networks to apply to.
You can also go to the detail page of any device, tap “…” on the control button panel, tap DNS service, and select Unbound.

Can I use Unbound and DoH together?

Firewalla provides various DNS services including Unbound, DNS over HTTPS (DoH), and Family Protect.

For any given devices/groups/networks**, these services are mutually exclusive.** Just like rules, when there is conflict, the priority of different levels is device > group > network > global.

For example, in the screens below, if you applied Unbound to all devices, and applied DoH to the device group - IoT. It means: