Your Internet Service Provider (ISP) at home, work, and on your mobile are probably selling your DNS queries to data brokers. Take back your privacy by encrypting it using DNS over HTTPS (DoH), block advertisements and trackers, protect against malware, improve network performance, & view insights and control with CloudFlare Zero Trust.
Blocks advertisements and trackers: DNS filtering can block ads, trackers, and other unwanted content at the network level, improving browsing experience and reducing data usage.
Protects against malware: Many DNS filtering solutions maintain blacklists of known malicious domains, helping to prevent devices on your network from connecting to malware, phishing sites, or other threats.
Improves network performance: By blocking data-heavy ads and trackers, DNS filtering can reduce network bandwidth usage and improve overall network performance.
Provides insights and control: DNS filtering tools offer visibility into the domains being accessed on your network, allowing you to identify issues and customize filtering rules.
Enhances privacy: DNS over HTTPS (DoH) enhances user privacy by encrypting DNS queries and responses. Unlike traditional DNS, which sends requests in plain text, DoH wraps DNS queries in HTTPS, making them indistinguishable from other encrypted web traffic. This prevents internet service providers, network administrators, and potential eavesdroppers from easily seeing which websites a user is attempting to access. By obscuring DNS lookups, DoH helps protect users from tracking, profiling, and censorship based on their browsing habits.
Turnkey DoH with customizable DNS filtering
In the past, I ran Unbound inside my home Kubernetes cluster, which is similar to dnsmasq, AdGuard, and Pi-hole in that it’s not easy for one to set up and configure. I was happy to find that the latest UniFi Network Application 8.2.93 enhanced DNS Shield to support custom DNS over HTTPS (DoH) via a DNS Stamp. We now have a cloud-hosted turnkey solution to provide these benefits.
Requirements
- Ubiquiti UniFi DNS Shield: a UniFi Next-Gen Gateway or UniFi Gateway Console with version 3.2 or newer
  - UniFi Dream Machine (UDM)
  - UniFi Dream Machine Pro (UDM-Pro)
  - UniFi Dream Machine Special Edition (UDM-SE)
  - UniFi Security Gateway (USG)
  - UniFi Security Gateway Pro (USG-Pro)
  - UniFi Security Gateway XG (USG-XG)
  - UniFi Next-Generation Gateway (UXG-Pro)
- DNS Stamp: A DNS stamp is required for configuring a custom DNS Shield DoH configuration. It’s a compact, encoded representation of DNS server configuration information.
  - An Online DNS Stamp calculator is used to calculate this value
- CloudFlare Zero Trust: cloud-hosted customizable DNS filtering
  - DNS-based content filtering: Ability to block domains associated with malware, phishing, and other security threats.
  - Custom block lists: Option to create and implement user-defined lists of domains to block.
  - Allow lists: Capability to allow specific domains, overriding general blocking rules.
  - Category-based filtering: Blocking of entire categories of websites (e.g., adult content, gambling, social media).
  - DNS query logging: Recording of DNS requests for analysis and troubleshooting.
  - Analytics and reporting: Dashboards and reports showing blocked queries, top allowed/blocked domains, etc.
  - API access: Programmatic access to configure and manage DNS filtering rules.
  - DNSSEC support: Validation of DNS responses to protect against DNS spoofing attacks.
  - Block page customization: Ability to customize the page users see when accessing a blocked domain.
  - Regex and wildcard support: Advanced pattern matching for more flexible domain blocking rules.
  - Time-based rules: Capability to apply different filtering rules based on time of day or day of the week.
  - Threat intelligence integration: Regular updates to block lists based on global threat data.
Configuration
- CloudFlare Zero Trust
  - Create a new account using the free plan.
  - Open the Zero Trust Dashboard
  - Under Gateway, DNS Locations, select Add a DNS location
    - Enable DNS over HTTPS (DoH) and leave the other DNS endpoints disabled
    - After creating the DNS location, copy the URL of DNS over HTTPS (DoH), which will look something like https://example7l3.cloudflare-gateway.com/dns-query
    - Paste that value in a text editor, removing /dns-query, which will look something like https://example7l3.cloudflare-gateway.com
    - This URL is unique for your CloudFlare Zero Trust account and for this DNS Location
- Online DNS Stamp calculator
  - Select DNS over HTTPS (DoH) under Protocol
  - Paste the value from above under Host name (vhost+SNI) and optional port number
  - Ensure Path is /dns-query
  - Copy the calculated DNS Stamp available under the Stamp field
- Ubiquiti UniFi Site Manager
  - Select your Network
  - Open Settings
  - Select Security
  - Select Custom under DNS Shield
  - Enter CloudFlare under Server Name
  - Enter the value of Stamp from above, which will look something like sdns://AgcAAAAexampleAAAAA9kbnMtcXVlcnk, under DNS Stamp
  - Select Apply Changes
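As an added example (not from the original post, and not code from Ubiquiti, CloudFlare or the online calculator), this is what the DNS Stamp calculator step above computes: a DoH stamp is the protocol byte 0x02, eight little-endian property flag bytes (DNSSEC, no logs, no filter), then length-prefixed address, certificate-hash vector, host and path, all URL-safe base64 without padding, behind an sdns:// prefix. The host example7l3.cloudflare-gateway.com is the placeholder from the steps above; the decoder lets you confirm what a pasted stamp actually points at before entering it under DNS Shield.

```python
import base64
from urllib.parse import urlparse

DOH_PROTOCOL = 0x02  # stamp protocol byte for DNS-over-HTTPS

def _lp(data: bytes) -> bytes:
    """Length-prefixed field: one length byte (so at most 255 bytes) followed by the bytes."""
    return bytes([len(data)]) + data

def encode_doh_stamp(host, path="/dns-query", addr="", dnssec=True, no_logs=True, no_filter=True):
    """Build an sdns:// DoH stamp: 0x02, 8-byte little-endian props, LP(addr),
    VLP(cert hashes), LP(host), LP(path), then unpadded URL-safe base64."""
    props = int(dnssec) | (int(no_logs) << 1) | (int(no_filter) << 2)
    body = (bytes([DOH_PROTOCOL]) + props.to_bytes(8, "little") + _lp(addr.encode())
            + b"\x00"  # empty hash vector: the certificate is validated by the normal WebPKI chain
            + _lp(host.encode()) + _lp(path.encode()))
    return "sdns://" + base64.urlsafe_b64encode(body).decode().rstrip("=")

def stamp_from_doh_url(url):
    """Zero Trust hands out a full DoH URL; split it into host and path as the steps do by hand."""
    u = urlparse(url)
    return encode_doh_stamp(u.hostname, u.path or "/dns-query")

def decode_doh_stamp(stamp):
    """Parse a DoH stamp back into its fields so a pasted value can be checked before use."""
    if not stamp.startswith("sdns://"):
        raise ValueError("not a DNS stamp")
    b64 = stamp[len("sdns://"):]
    body = base64.urlsafe_b64decode(b64 + "=" * (-len(b64) % 4))
    if body[0] != DOH_PROTOCOL:
        raise ValueError(f"not a DoH stamp (protocol byte {body[0]:#x})")
    props, pos = int.from_bytes(body[1:9], "little"), 9

    def take():  # one length-prefixed field
        nonlocal pos
        n, pos = body[pos], pos + 1
        field, pos = body[pos:pos + n], pos + n
        return field

    addr, hashes, more = take(), [], True
    while more:  # vector: bit 0x80 on a length byte means another item follows
        n, pos = body[pos], pos + 1
        more, n = bool(n & 0x80), n & 0x7F
        if n:
            hashes.append(body[pos:pos + n])
        pos += n
    host, path = take(), take()
    return {"host": host.decode(), "path": path.decode(), "addr": addr.decode(),
            "dnssec": bool(props & 1), "no_logs": bool(props & 2),
            "no_filter": bool(props & 4), "hashes": hashes}
```

Decoding the stamp you are about to paste and checking that host ends in cloudflare-gateway.com and path is /dns-query is a cheap guard against a mistyped or stale calculator result sending every query on the network elsewhere.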
CloudFlare Zero Trust
After a few minutes, the CloudFlare Zero Trust Dashboard gives you secure visibility of your DNS queries and of any blocks.
Begin customizing by creating DNS policies and reviewing DNS logs.
Setting up DNS over HTTPS (DoH) using Ubiquiti’s UniFi and CloudFlare Zero Trust offers a powerful way to enhance your network’s privacy, security, and performance. By encrypting DNS queries, you protect your online activities from prying eyes, while optionally blocking ads, trackers, and malicious domains keeps your browsing experience smooth and secure. Although the configuration may seem daunting at first, the steps outlined above provide a straightforward guide to getting started. With these tools, you can take control of your network and ensure a safer, more private internet experience for everyone connected. As always, stay informed and keep exploring the latest advancements to continually improve your digital security.