How to switch away from ISP's DNS server?


I’ve been having occasional issues (for a long time) when resolving websites – sometimes a website won’t resolve (Server not found); and the next day or few hours later it would resolve.

Being in a country where censorship from regulatory bodies is the norm, I always ignored the issues, and just opened the site in VPN (like Opera’s built-in one) and get on with my day.

Today, I decided to look into it. And after some reading, switched the DNS on my Arch Linux laptop to use Cloudflare’s DNS (using cloudflared).

And with that change, the website that was not resolving few minutes ago, started opening instantly. In fact, all websites feel like they are resolving faster.

Question: configuring all devices in the home like that is not feasible / sane. If there is a way to set-up a 3rd party DNS in IPFire, how can it be done? If there’s a wiki for it already, then my apologies and please point me to it. I’d like to switch to one of these [ - List of Public DNS Servers ] public DNS servers and ditch my ISP’s auto provided DNS.

My set-up is like this:

ISP provided DSL modem => IPFire => Wifi Access point

Thank you,

IPFire comes with a built-in caching DNS resolver called Unbound. Unbound is a DNS resolver that provides various options for speed, security, and privacy. You have the flexibility to configure Unbound to use a third-party DNS server instead of your ISP’s default DNS. You can even choose a more secure protocol, such as DNS over TLS, for enhanced privacy.

When you have configured unbound, to make this change for all devices on your network, you can set up a firewall rule in IPFire to automatically redirect all DNS traffic from LAN hosts to the Unbound resolver. This way, every device that connects to your network will benefit from the DNS settings you’ve configured in Unbound without needing to change the individual settings.

You can find instructions on how to configure Unbound and set up firewall rules for DNS redirection in the IPFire documentation.


Thank you cfusco! Diving in.

Step 1: create a protocol group called DNS:

Next, create a port forward rule to redirect the internal traffic. Choose the source, here Green. You can create a group as well.

You can do the same for the NTP protocol.


@cfusco you are awesome and a gentleman!

I’ve done as you instructed, and it appears to have done the trick. Website that was not working before is resolving now. And DNS resolving is fast now!

If I do dig, the SERVER section near the end is now pointing to the IPFire box.

Thank you so much! :smile:

Also see:

FYI - I am not sure about adding DNS over TLS / port 853 to the DNS group for protocol. I seem to remember that being bad to add to the DNS group above. I’ll see if I can find my notes!

EDIT: It is somewhere in this post! (lots to read!)


Thank you Jon,

Perhaps this article is also slightly relevant on the topic.

[edit] I removed this part I had written in my lack of knowledge:

on how DNS over TLS is not that great.

Thank you @cfusco and @bonnietwin, you are of course right in your posts below. Link here to what cfusco said, and link to what Adolf saidfor future readers.


1 Like

I think I understand why. Indeed, including TLS 853 in the same DNAT rule for DNS traffic may not be appropriate. Port 853 is used for DNS over TLS, which is a secured version of DNS. If I redirect this traffic to a standard DNS resolver that doesn’t support TLS, the connection will fail. It’s better to handle DNS over TLS separately and ensure that the target of the DNAT rule for port 853 is capable of handling DNS over TLS.

1 Like

I disagree, it does exactly what it is designed to do. No scheme can create a trust-less DNS with the current design. By encrypting the message, at least you remove one party from knowing what we are doing. The provider.


You are right.

My excuse is I know very little :slight_smile:

Thank you.

That blog post is not saying that DNS over TLS is not great and should not, by implication, be used.

It is saying that you need to realise that the end point, ie the DNS provider, can still access your data.

So you need to choose carefully who your DNS provider is going to be and figure out for yourself who you will trust and who not.

I don’t use google or cloudflare as they aim to monetise what they provide so if you are not paying money directly for it, you are paying in some other way.

Later in that blog post it says

For any alternative it again makes sense to use DNS over TLS.

So it is not saying don’t use it, but it is saying that you should understand what it is protecting you from and what it is not protecting you from.


Thank you Adolf and @cfusco for the guidance and advise. This is great knowledge and I am thankful to you guys :pray:

Believe me, the depth of my ignorance I REALLY big. So, don’t worry, say whatever you feel important or relevant.

This is how I frame the issue, we learn by error correction, as neural networks do. If I do not acknowledge my ignorance, I cannot correct the error, and a stupid AI model will be more intelligent than I am. I can’t let this happen. So I expose myself to showing my ignorance to the community, and because of this I can learn, see my error and be slightly better than an AI.

This thread is the perfect representation of this dynamic. I gave a wrong suggestion, Jon pointed that out (thanks @jon) and now I know more than before.


How is using FW rules different from setting other DNS servers in the Network / Domain Name System / dialogue?

FW rule is to force users to use FW DNS server.
So user request google DNS.
IPfire intercept DNS
IPfire makes DNS53 or DNST request ( depending on your Domain name system settings)
IPfire returns DNS53 to user pretending to be Google DNS.
User is transparently redirected to IPfire DNS.
No user bypass
Without FW redirected user can directly bypass your Filtered DNS. And request anything.


This is why @jon is working on a system to
Block DNSH. Which I hope makes it into IPfire.

But I do not use Googles DNS.

I do not know what DNS53 or DNST is, I have only read the general reasons stated in many places, like in IPFires Wiki, on why not to use just any DNS but some other provider.

So, if I understand it correctly, regardless of if I tell IPFire to use a specified DNS for all Internet Connections - which I thought was enough by doing in the Domain Name System settings - you still need a FW rule to tell the computers that are connected in my network to do just that?

DNS53 = DNS on port 53

I’m a PC on your network
Turn on PC.
PC network asks for network setup info
IPfire answers back.
Gives you a ip to use (
It also gives you the gatway info.( )
(IPfire is the gatway)
It also tells me to use as my DNS
Now I’m on the network ready to reach the world
What if your a school and I’m a smart kid.
I Change My PC DNS to
Well IPfire let’s you bypass its DNS
And I Can reach the Web without IPfire’s DNS protection and filtering.
So th FW rule is to silently grab the port 53 DNS request and run it through IPfire and send response back as if it was
The only problem is this is only part of the solution.
Blocking DNSH is very hard
Blocking users from DNST easy.


Ah, ok Thanks.

So it is in order to prevent users changing their DNS on their local computers in a network that by default gets the DNS servers set by IPFire, but do not prevent that change of local DNS.

Damn nasty users.

1 Like

@jon Jon I wrote to you on priv, you probably don’t remember :wink:

I read the topic provided and did a simple test using the YogaDNS program.

Below are the results

After adding port 853 to the group


1 Like