Firewalla: Focusing on DNS Services

In our post "Privacy Tool Spotlight: Firewalla Purple and AP7" we introduced you to the Firewalla Purple and Access Point 7 (AP7). Firewalla is a professional-grade cybersecurity and networking appliance designed for homes, small offices, and small businesses. It aims to make advanced networking accessible to everyday users by simplifying complex setups. Founded by ex-Cisco engineers, it works as a next-generation smart firewall. You can plug it into your existing router or use it to replace your router entirely. It delivers deep visibility into your network, strong intrusion detection and prevention (IDS/IPS), and reliable content filtering.
In our follow-up post, "Firewalla: Focusing on Groups and Users", we showed how easy it is to organize devices into groups, such as smart-home devices, or link them to specific users. Now we move to the next important topic. We are going to explore the real power of Firewalla: DNS Blocklists, DNS Services like Unbound, and VPN Clients.
Right out of the box, Firewalla makes networking much simpler for regular users while giving you strong protection. It helps shield every device on your network from ads, trackers, and malware. It also lets you limit access to certain types of content. Network-level protection matters because your devices do far more than just web browsing. As we explained in our post "Privacy Tool Spotlight: DNS", every device, operating system, app, and service constantly connects to the internet. Beyond showing you what devices are on your network, Firewalla can stop unwanted behavior like constant tracking, ad injections, or even pathways for bad actors. Let's dive in and explore the two most important features.
DNS Booster and DoH Blocking
These two foundational tools make everything else work smoothly when we get into DNS Blocklists. Quick reminder: The Domain Name System (DNS) turns easy-to-remember names like "example.com" into the numerical addresses computers use, such as "1.0.0.1". Controlling DNS for your entire network is the key to making blocklists effective. Here are the core services:
DNS Booster is Firewalla’s secret weapon. When enabled (it is on by default for each device), it intercepts all DNS queries on your network, even if a device is manually set to use 1.1.1.1, 8.8.8.8, or any other server. It caches results for faster performance and applies your Firewalla rules before any query leaves your home network. Without DNS Booster active, most DNS-based blocking simply does not work.
DoH Services block list (blocks DNS-over-HTTPS resolvers). This prevents apps and services from bypassing your controls using encrypted DNS. You have two easy ways to turn on this blocking.
Option 1: Family Protect Native Mode
This mode automatically applies the DoH Services block along with many other protections.
- Open the Firewalla app.
- Go to the main page → + More → Tap Family.
- Toggle Family Protect on.
- Tap Mode and select Native (recommended for local blocking and best compatibility).
- Find the DoH Services option in the list of categories and toggle it on.
- Choose which devices, groups, or networks to apply it to.
- Tap Apply or save the changes.
This option usually turns on related protections such as blocks for Apple Private Relay and VPN Sites.
Option 2: Manual Rule Using Target List (Recommended for More Control)
- Open the Firewalla app.
- Go to the main page → + More → Tap Rules.
- Tap the + to create a new rule.
- Set Action to Block.
- For Target, choose Target List → select DoH Services (Firewalla’s built-in curated list).
- Choose the scope: specific devices, groups, networks, or All.
- Save and apply the rule.
Both methods achieve the same goal: they stop apps and services from bypassing the blocklists you want to use. Family Protect Native Mode offers a quick way to enable many of the blocks we will cover next. The manual rules approach gives you greater flexibility as you grow more comfortable with Firewalla.
With these basics in place, the stage is set for the next steps!
Target Lists
Target Lists are ready-made blocklists for your entire network. They let you block a wide variety of unwanted content, such as advertising networks, tracking companies, adult sites, gambling sites, or known malicious domains. Many of these lists can be turned on quickly using Family Protect Native Mode by simply selecting the categories you want.
We have borrowed the table below directly from Firewalla’s documentation to show you the built-in Target Lists that ship with the device:
| List Name | Description |
|---|---|
| Apple Private Relay | Blocks iCloud Private Relay to restore full visibility and policy enforcement. |
| Crypto List | Blocks known cryptocurrency mining sites. |
| DoH Services | Prevents encrypted DNS bypasses. |
| DShield Block List | Collaborative cyber threat list — recommended. |
| HaGeZi’s Pro Blocklist | (Early Access) Comprehensive ad/tracker/malware list. |
| Log4j Attackers | Known Log4j exploitation sources. |
| Newly Registered Domains | Beta — blocks fresh domains that may be malicious. |
| NSFW AI List | Curated adult AI chatbots. |
| OISD | Risky and unwanted content. |
| Tor Exit Nodes | Blocks Tor exit nodes only. |
| Tor Full Nodes | Blocks all Tor nodes. |
These lists, combined with DNS Booster and DoH Blocking, will remove an amazing amount of unwanted traffic from your network. But what if you wanted to add some specific DNS blocklists from a resource like HaGeZi? We absolutely needed that, especially since there are some great "Native Tracker - Broadband tracker of devices, services and operating systems" lists at https://github.com/hagezi/dns-blocklists#native. Firewalla made this easy by adding custom list support in their web portal.
Side Quest: Firewalla MSP
Up to this point, everything we've talked about has been through the Firewalla app. Target list management happens in their web portal called Firewalla Managed Security Portal (MSP), which you can find at https://firewalla.net/. They offer a free version for basic management and a subscription version with more capabilities.
To create your own lists, a free account is all you need. The web portal makes it much easier to copy and paste domains into new target lists.
To create a custom target list, log into Firewalla MSP and navigate to Target Lists under the Control section in the left-hand menu. Click the Create Target List button in the upper right.
For this example, we will create a list to block Roku ads and trackers using a HaGeZi list. Click Create Target List, name it "Roku", select "Ads" as the category (optional), then copy the domains from https://cdn.jsdelivr.net/gh/hagezi/dns-blocklists@latest/domains/native.roku.txt and paste them into the Targets box. You can add notes to remember where the list came from. Click Create, and your new list will be ready to use in rules.
You can learn more about the feature at https://help.firewalla.com/hc/en-us/articles/1500005941962-Firewalla-Feature-Target-Lists.
Note on limits: On the free tier of Firewalla MSP, each list is limited to 200 items. For very large blocklists, you may need to split them into several smaller target lists and create a separate rule for each. The paid subscription tier increases this limit to 2000 items per list and also unlocks additional 3rd-party managed lists.
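The Roku example above and the 200-item limit just mentioned are the two practical snags when pasting a third-party list into a custom Target List: the downloaded file often carries comments, hosts-file prefixes or AdGuard syntax, and it is usually longer than one list allows. The following Python script is an added example, not Firewalla's or HaGeZi's code. It normalizes the three formats used by the lists named in this post (plain domain lists, hosts files, AdGuard-style filters) into bare domains, drops duplicates and non-domain rules, and splits the result into pieces that fit the per-list limit, one piece per Target List and rule. The sample input, the script name and the "Roku 1", "Roku 2" naming scheme are assumptions.

```python
"""Prepare a third-party DNS blocklist for pasting into Firewalla MSP custom Target Lists.

Added example, not Firewalla's or HaGeZi's code. Normalizes plain domain lists,
hosts files and AdGuard-style filters into bare domains, dedupes them, and splits
the result into chunks that fit the per-list limit quoted in the post.
"""
import re
from typing import Iterable, List, Optional

FREE_TIER_LIMIT = 200    # per-list entry limits as stated in the post
PAID_TIER_LIMIT = 2000

# Hostname syntax: 1-63 char labels of letters, digits and inner hyphens, alphabetic TLD.
_DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?!-)([a-z0-9-]{1,63}(?<!-)\.)+[a-z]{2,63}$")

# hosts-file sink addresses that precede the domain on each line
_SINK_ADDRS = {"0.0.0.0", "127.0.0.1", "::1", "::"}
# hosts-file entries that are never blocklist targets
_HOSTS_NOISE = {"localhost", "localhost.localdomain", "broadcasthost", "local",
                "ip6-localhost", "ip6-loopback"}


def extract_domain(line: str) -> Optional[str]:
    """Return the domain a blocklist line targets, or None for comments, hosts-file
    noise and rules that are not a plain domain (wildcards, URL paths, IP literals)."""
    line = line.split("#", 1)[0].strip()          # drop trailing '#' comments
    if not line or line.startswith("!"):          # blank line or AdGuard '!' comment
        return None
    if line.startswith("||"):                     # AdGuard/uBlock: ||domain^ or ||domain^$modifiers
        line = line[2:].split("^", 1)[0].split("$", 1)[0]
    else:
        parts = line.split()
        if len(parts) >= 2 and parts[0] in _SINK_ADDRS:   # hosts file: "0.0.0.0 domain"
            line = parts[1]
        elif len(parts) != 1:                     # anything else with spaces is not a domain line
            return None
    domain = line.lower().rstrip(".")
    if domain in _HOSTS_NOISE or "*" in domain or "/" in domain:
        return None
    return domain if _DOMAIN_RE.match(domain) else None


def normalize(lines: Iterable[str]) -> List[str]:
    """Unique, sorted domains from raw blocklist lines."""
    return sorted({d for d in (extract_domain(raw_line) for raw_line in lines) if d})


def chunk(domains: List[str], limit: int = FREE_TIER_LIMIT) -> List[List[str]]:
    """Split the domain list into pieces no larger than the MSP per-list limit;
    each piece becomes its own custom Target List with its own rule."""
    if limit < 1:
        raise ValueError("limit must be positive")
    return [domains[i:i + limit] for i in range(0, len(domains), limit)]


def plan_lists(lines: Iterable[str], base_name: str, limit: int = FREE_TIER_LIMIT) -> List[dict]:
    """Return one record per Target List to create: its name and the domains to paste."""
    pieces = chunk(normalize(lines), limit)
    return [{"name": base_name if len(pieces) == 1 else f"{base_name} {i + 1}",
             "targets": piece} for i, piece in enumerate(pieces)]


# Constructed sample mixing the three formats; these are not real HaGeZi entries.
SAMPLE_LIST = """\
# constructed sample, not a real blocklist
ads.example-roku.test
logs.example-roku.test
0.0.0.0 scribe.example-roku.test
0.0.0.0 0.0.0.0
127.0.0.1 localhost
! AdGuard-style comment
||metrics.example-roku.test^
||ads.example-roku.test^$third-party
*.wild.example-roku.test
ADS.EXAMPLE-ROKU.TEST
""".splitlines()

if __name__ == "__main__":
    import sys
    # Usage: python prep_target_list.py native.roku.txt Roku [limit]
    if len(sys.argv) >= 3:
        with open(sys.argv[1], encoding="utf-8") as f:
            raw = f.read().splitlines()
        name = sys.argv[2]
        limit = int(sys.argv[3]) if len(sys.argv) > 3 else FREE_TIER_LIMIT
    else:
        raw, name, limit = SAMPLE_LIST, "Roku", FREE_TIER_LIMIT
    for rec in plan_lists(raw, name, limit):
        print(f"== Target List: {rec['name']} ({len(rec['targets'])} entries) ==")
        print("\n".join(rec["targets"]))
```

Run it against the downloaded native.roku.txt with the list name and, on the paid tier, `2000` as the limit; each printed section is one Target List to create and paste into the Targets box. Wildcard and path rules are dropped on purpose, since a Target List entry is a plain domain, and the hosts-file "0.0.0.0 0.0.0.0" line that many lists carry is rejected by the hostname check rather than ending up as a bogus entry.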
3rd-Party Managed Lists
In addition to higher list item limits, the subscription version of Firewalla MSP offers convenient 3rd-Party Managed Lists that are automatically kept up to date. As of this writing, the available lists include:
- AdGuard Base Filter: Removes ads from English-language websites. https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_2_Base/filter.txt
- AdGuard DNS Filter: A comprehensive DNS-level ad blocking list. https://adguardteam.github.io/AdGuardSDNSFilter/Filters/filter.txt
- AdGuard Mobile Ads Filter: Blocks ads on mobile devices and known mobile ad networks. https://raw.githubusercontent.com/AdguardTeam/FiltersRegistry/master/filters/filter_11_Mobile/filter.txt
- AI Provider List: Blocks known generative AI providers. https://learn.microsoft.com/en-us/purview/ai-microsoft-purview-supported-sites
- Anudeep’s Blacklist for Ads and trackers: Well-maintained list for ads, tracking, cryptomining, and more. https://raw.githubusercontent.com/anudeepND/blacklist/master/adservers.txt
- Block List Project's Everything Blocklist: A broad collection offering more control over what gets blocked. https://blocklistproject.github.io/Lists/everything.txt
- Firewalla’s NSFW AI Blocklist: Keeps children safer by blocking adult-focused AI chatbots. https://github.com/firewalla/fw-public-lists
- GoodbyeAds: Expanded list of hosts used for advertisements, malware, and tracking. https://raw.githubusercontent.com/jerryn70/GoodbyeAds/master/Hosts/GoodbyeAds.txt
- Hagezi's Multi Light: A lighter privacy and ad blocking list. https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#light
- Hagezi's Multi Normal: Balanced cleaning of ads and trackers. https://github.com/hagezi/dns-blocklists?tab=readme-ov-file#normal
- Hagezi's Multi Pro: Strong protection against ads and privacy threats. https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/pro.txt
- Hagezi's Multi Pro++: More aggressive version of the Pro list. https://raw.githubusercontent.com/hagezi/dns-blocklists/main/domains/pro.plus.txt
- Hagezi’s Multi ULTIMATE: Very strict protection for maximum cleaning. https://github.com/hagezi/dns-blocklists#ultimate
- Hagezi's Threat Intelligence Feeds: Blocks malware, cryptojacking, scams, spam, and phishing. https://github.com/hagezi/dns-blocklists#tif
- oisd BIG: A reliable, non-breaking blocklist. https://oisd.nl
- Steven Black: Consolidated hosts file with optional categories for porn, social media, and more. https://raw.githubusercontent.com/StevenBlack/hosts/master/data/StevenBlack/hosts
- uBlockOrigin’s Huge AI Blocklist: Curated list of AI-generated content sites. https://github.com/laylavish/uBlockOrigin-HUGE-AI-Blocklist
You can import these lists with a single click using the Import Target List button. They stay updated automatically whenever the original source changes. We've subscribed to the Pro level of Firewalla MSP for the additional features and the extra lists have been a great addition. To be clear, we had been using the free tier for over a year and that worked well for us as well.
Check Point
At this point you have everything you need to dramatically improve your home network security without becoming a networking expert.
With DNS Booster turned on, DoH blocking active, and a few well-chosen Target Lists, Firewalla quietly works in the background to block ads, trackers, malware, and unwanted content across every device in your house. No extra software to install. No per-device configuration. Just set it once and enjoy cleaner, safer internet for the whole family.
This level of protection is already stronger than what most people get from typical routers or even many paid security suites. Many users are happy to stop right here, and that is perfectly fine. Your network is already much more private and secure than it was before.
Taking It Further: Unbound and VPN Clients
If you want to strengthen your security and privacy even more, Firewalla makes two powerful next steps surprisingly easy: running your own local DNS resolver with Unbound, and setting up VPN Clients.
We will walk through both in a way that even non-technical users can follow. As always, these are completely optional. Only turn on what you actually need.
Adding a VPN Client: Protecting Your Whole House
One of the most powerful things you can do with Firewalla is set up a VPN Client. This lets you send all (or some) of your home internet traffic through a commercial VPN service, one that is preferably optimized for streaming and with no-logs like Proton or Mullvad.
Why would you want your entire home network on a VPN?
Here are the main reasons many families choose to do this:
- Your ISP can no longer see the websites you visit or the apps you use. They only see encrypted traffic going to the VPN server.
- Every device in your house is protected automatically. Phones, smart TVs, game consoles, and even devices that cannot run their own VPN apps get full protection. This also covers devices whose own VPN app leaves some of their traffic outside the tunnel even when the VPN is enabled on the device.
- Combined with your DNS blocklists, it gives you strong ad blocking and tracking protection for the whole household while obscuring your location via your IP address.
Firewalla makes this simple. You only set it up once, and it works for everyone at home.
Of course there are trade-offs. A VPN can slow down your speeds a bit, and some services like streaming, banking apps, or certain games may detect the VPN and act up. That is why we recommend a quality, high speed, no-logs VPN provider.
Since we are going to walk through setting up Unbound DNS services in a minute, we will prepare for that by setting up two VPN Clients. Firewalla can force DNS queries through the VPN, which you want when you would rather just use the VPN provider's DNS servers. It can also leave that setting off, which you want when you would rather run your own DNS services.
We have learned from running Unbound that we need at least one of each. The process for setting up the two clients is the same. Additionally, Firewalla has outlined the entire setup process in their guide at https://help.firewalla.com/hc/en-us/articles/360023379953-Firewalla-VPN-Client.
How to Set Up a VPN Client on Firewalla (Using ProtonVPN as an Example)
- Log into your ProtonVPN account at account.protonvpn.com.
- Go to the WireGuard section and generate a new WireGuard configuration for a server you want to use.
- Proton will display a QR code for that configuration.
- Open the Firewalla app and go to the main page for your box.
- Tap VPN Client.
- Tap + Create VPN Connection.
- Select 3rd-Party VPN.
- Choose WireGuard as the protocol.
- Tap the option to Scan QR Code and use your phone's camera to scan the QR code from the ProtonVPN website.
- Give the connection a clear name (example: "Proton No DNS" or "Proton With DNS").
- Important setting: Force DNS over VPN
  - Turn this OFF for your first client (the one you will use with Unbound).
  - Turn this ON for your second client (this forces the VPN provider's DNS for apps that have problems with Unbound).
- Enable the "Internet Kill Switch" option to prevent internet traffic if the VPN is down.
- Choose which devices, groups, or networks will use this VPN. Since we still have to set up the Unbound server, we are not going to apply it to any devices yet.
- Tap Save or Apply.
Repeat the steps above to create your second VPN client with the opposite Force DNS over VPN setting.
When you are done, you will have two VPN clients waiting to be put to use. For that we need to set up Unbound DNS services.
Adding Unbound DNS Services
Unbound is a local DNS resolver that runs directly on your Firewalla. Instead of sending every DNS request out to your ISP or a third-party server, Unbound looks up the answers itself from the root DNS servers. This gives you better privacy because no single company sees all your DNS queries. It also adds another layer of security by validating the responses. You can learn more about this feature in their guide at https://help.firewalla.com/hc/en-us/articles/4556423309587-Unbound
Why Use Unbound with Your VPN Clients?
- It works great with the VPN client that has Force DNS OFF (the "Proton No DNS" VPN client).
- You get the speed and privacy benefits of a local resolver while still routing your traffic through the VPN.
- It pairs perfectly with your existing blocklists.
How to Enable Unbound on Firewalla
- Open the Firewalla app and go to the main page.
- Tap + More → Services.
- Toggle Unbound on.
- In the Unbound settings, select your VPN client that has Force DNS over VPN turned OFF (for example, "Proton No DNS") under the DNS over VPN option.
- Choose which devices, groups, or networks will use Unbound. We recommend applying it to All now that your VPN clients are ready.
- Tap Apply or save the changes.
Now go back to your "Proton No DNS" VPN client and enable it for all devices.
Test Unbound by visiting a site like dnsleaktest.com on a few devices. You should see a single DNS server listed, and it should match your current VPN IP address. This confirms Unbound is working and your DNS queries are protected.
Firewalla makes both Unbound and the VPN clients work together smoothly.
Wait, Why the Second VPN Client?
Great question. Not every app or service plays nicely with Unbound. Netflix is a common example. It often hangs or refuses to load when Unbound is active.
For these few problem apps, we use the second VPN client (the one with Force DNS over VPN turned ON). We send just that specific traffic through the "strict" VPN client while everything else continues using Unbound and the general VPN.
How to Create Smart Routes (Using Netflix as an Example)
- Open the Firewalla app and go to the main page.
- Tap + More → Routes.
- Tap Add Route.
- Tap Set a target → choose App → select Netflix.
- Tap Set a device → choose All Devices.
- Tap Select an interface → pick your VPN client that has Force DNS over VPN turned ON (for example, "Proton With DNS").
- Tap Save.
You can create additional routes for any other apps that have issues with Unbound (such as certain banking apps or games). This gives you the best of both worlds: strong privacy and DNS control for most traffic, with normal performance for the picky services. The easiest way we found is by creating our own target list, as outlined above, and adding the domains to them as necessary. Routes will accept target lists, so we only have two entries on our Routes page: Netflix and "VPN with DNS" target list.
Wrap Up
You have now built a very strong, layered privacy and security system for your entire home network. From simple DNS blocklists to advanced Unbound + dual VPN client setups with smart routing, Firewalla gives you professional-grade protection without requiring expert-level skills.
The best part? You can start small and add features as you get comfortable. Many people stop after the Target Lists and DoH blocking and are already thrilled with the results. Others go all the way with Unbound and VPN routing. There is no wrong answer. Whatever path you choose, your network is now far more private and secure than it was before.
We hope this series has shown how approachable and powerful Firewalla really is for everyday families, and why it deserves consideration for your next network upgrade. Your devices stay protected in the background while you enjoy cleaner internet with fewer ads and trackers.
Remember: We may not have anything to hide, but everything to protect.
