How to get rid of the DNSResolver public DNS connection attempts?
-
In my Lab, Pfsense VMs do not have internet access.
When I start the pfSense VMs, they hang for a minute at the DNS Resolver trying to reach public DNS servers. I see this in my upstream firewall...
Deny <pfSensePublicIp> 192.112.36.4 dns/udp
Deny <pfSensePublicIp> 192.58.128.30 dns/udp
Deny <pfSensePublicIp> 199.7.91.13 dns/udp
Deny <pfSensePublicIp> 192.33.4.12 dns/udp
Deny <pfSensePublicIp> 199.7.83.42 dns/udp
Deny <pfSensePublicIp> 192.5.5.241 dns/udp
Deny <pfSensePublicIp> 199.9.14.201 dns/udp
Deny <pfSensePublicIp> 202.12.27.33 dns/udp
Deny <pfSensePublicIp> 198.97.190.53 dns/udp
Deny <pfSensePublicIp> 193.0.14.129 dns/udp
Deny <pfSensePublicIp> 192.36.148.17 dns/udp
Deny <pfSensePublicIp> 198.41.0.4 dns/udp
...I have tried to turn on 'Forwarding Mode'...
Services > DNS Resolver > DNS Query Forwarding
Enable Forwarding Mode
...but this does not solve the startup issue. So where can I disable the DNS Resolver connection attempts at startup?
-
@g-c-s This would most likely be unbound updating the anchor...
You could probably edit the inc file... it looks like @Gertjan goes over a method of stopping that.
https://forum.netgate.com/topic/162435/unbound-service-very-slow-to-start-in-offline-setup
I have seen other threads on other boards on keeping unbound from talking to the roots on startup by disabling the anchor service, etc.
If you're in forwarding mode, and since you wouldn't be doing any DNSSEC in this mode... it might be possible to put an option in the GUI for unbound to not bother updating, or trying to update, when in forwarding mode... But yeah, on startup unbound would try talking to the roots. That is what Gertjan's edits of the inc file are doing, stopping the anchor from running... But those would revert on any sort of update of pfSense, etc.
Might be a good feature request for users just wanting to use unbound in forwarding mode.
What you could maybe do is a simple hack: just delete the /usr/local/sbin/unbound-anchor file, as this is what is called... If that file is not there, I don't see how it would talk to the roots on startup. But I'm not sure what sort of delays or log entries that might cause... But that might be a dirty, simple "hack" to stop it from talking to the roots. Caveat emptor would be in order here, whether doing the edits in that thread or just deleting that file...
-
@johnpoz said in How to get rid of the DNSResolver public DNS connection attempts?:
just delete the /usr/local/sbin/unbound-anchor file
Euh... rename it for easy retrieval?!
Also: it wouldn't surprise me that unbound primes all the root servers (192.112.36.4 ...; 198.41.0.4 are the root servers) to find out upfront which is the fastest.
If a forwarder is needed: switch to the forwarder. That is not unbound running as a forwarder, but dnsmasq. This one: Services > DNS Forwarder
Unbound is a resolver; it needs upstream root servers to work. If not, just don't run/use it. Also: don't forget that using the GUI kicks off some requests that go outside, the OS and package update checking software for example. This also has to be stopped, if possible, as these kick off DNS requests.
So :
@g-c-s said in How to get rid of the DNSResolver public DNS connection attempts?:
So where can I disable the DNSResolver connection attempts at startup?
a) handle the DNSSEC anchor file - see also the other thread.
b) enable DNS detailed query logging, and look at what domain is being asked to resolve: this will reveal the source of the request => "disable it".
-
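As an added example for the two steps above (not code from the thread, from pfSense or from the posters): a small POSIX sh script that (1) classifies upstream-firewall deny lines in the four-field form shown in the first post by whether the destination is one of the 13 IANA root servers, so root-priming and unbound-anchor traffic can be told apart from other DNS leaving the box, and (2) renames unbound-anchor instead of deleting it so it can be restored later. Assumptions: the root-server IPv4 list is the public a..m.root-servers.net list (the first post shows 12 of the 13; e-root, 192.203.230.10, is added from that list), the sample log lines are constructed here, the `.disabled` suffix and the optional path argument are this example's own convention, and the default path /usr/local/sbin/unbound-anchor is the one named in the thread.

```shell
#!/bin/sh
# Added example for this thread, not pfSense's or the posters' code.
# Helpers to (1) sort firewall deny lines into root-server vs other DNS traffic
# and (2) rename/restore unbound-anchor instead of deleting it.

# IPv4 addresses of a..m.root-servers.net (public IANA list; assumption: the
# list is current, compare with /var/unbound/root.hints on the box if in doubt).
ROOT_SERVERS="198.41.0.4 199.9.14.201 192.33.4.12 199.7.91.13 192.203.230.10 \
192.5.5.241 192.112.36.4 198.97.190.53 192.36.148.17 192.58.128.30 \
193.0.14.129 199.7.83.42 202.12.27.33"

# is_root_server ADDR: exit 0 if ADDR is a root server, 1 otherwise.
is_root_server() {
    for r in $ROOT_SERVERS; do
        [ "$r" = "$1" ] && return 0
    done
    return 1
}

# classify_dns_denies: read "Deny <src> <dst> <proto>" lines on stdin and emit,
# for each dns/udp deny, one of:
#   ROOT <dst>   destination is a root server (priming / trust-anchor fetch)
#   OTHER <dst>  destination is anything else (forwarder, update check, ...)
# Lines that are not DNS denies are skipped.
classify_dns_denies() {
    while read -r action src dst proto; do
        [ "$action" = "Deny" ] || continue
        [ "$proto" = "dns/udp" ] || continue
        if is_root_server "$dst"; then
            echo "ROOT $dst"
        else
            echo "OTHER $dst"
        fi
    done
}

# count_root_hits: number of ROOT lines for the deny log on stdin.
count_root_hits() {
    classify_dns_denies | awk '$1 == "ROOT" { n++ } END { print n + 0 }'
}

# disable_unbound_anchor [PATH]: rename PATH to PATH.disabled (default is the
# pfSense location named in the thread). Refuses to clobber an existing copy.
disable_unbound_anchor() {
    f="${1:-/usr/local/sbin/unbound-anchor}"
    [ -f "$f" ] || { echo "not found: $f" >&2; return 1; }
    [ -e "$f.disabled" ] && { echo "refusing to overwrite $f.disabled" >&2; return 1; }
    mv "$f" "$f.disabled"
}

# restore_unbound_anchor [PATH]: undo disable_unbound_anchor.
restore_unbound_anchor() {
    f="${1:-/usr/local/sbin/unbound-anchor}"
    [ -f "$f.disabled" ] || { echo "nothing to restore for $f" >&2; return 1; }
    mv "$f.disabled" "$f"
}

# Constructed sample log (assumption): three lines in the form of the first
# post, one deny to a non-root resolver (8.8.8.8, made up here), and one
# unrelated non-DNS deny that must be ignored.
SAMPLE_LOG='Deny 203.0.113.10 192.112.36.4 dns/udp
Deny 203.0.113.10 198.41.0.4 dns/udp
Deny 203.0.113.10 8.8.8.8 dns/udp
Deny 203.0.113.10 192.5.5.241 dns/udp
Deny 203.0.113.10 203.0.113.99 https/tcp'

# Usage: printf '%s\n' "$SAMPLE_LOG" | classify_dns_denies
#        printf '%s\n' "$SAMPLE_LOG" | count_root_hits
```

Feed the real upstream-firewall log through `classify_dns_denies`: a burst of ROOT lines right after boot is unbound priming or unbound-anchor; OTHER lines point at something else (the update checks Gertjan mentions, or a forwarder that is not reachable) and are what detailed query logging should be used to track down. The rename helpers keep the file next to its original so a pfSense update or a later change of mind does not leave you hunting for it.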
@gertjan said in How to get rid of the DNSResolver public DNS connection attempts?:
Euh ... rename it for easy retrieval ?!
Yeah, much better suggestion ;) hehehe - it's early here and being only on my first cup of coffee at the time is my only excuse - hehehe
As these kick off DNS requests.
I don't think he is too worried about any requests; I take it he's only concerned with the queries to the roots... If set up in forwarding mode only, then pfSense requests should only go to the configured forwarding server(s)...