Improve documentation DNS Forwarder
-
Hi,
I've looked at:
https://docs.netgate.com/pfsense/en/latest/services/dns/forwarder.html
I know it should be obvious to a guru but not for a newbie like me: what's the meaning of this feature?
I mean: is this feature used to allow:
- LAN clients to query pfSense as their DNS server?
- replacing a requested hostname with a custom one?
Please add some network flow diagrams too.
Thanks, BR
-
I won't be surprised if dnsmasq isn't part of pfSense in the near future.
Btw : no need to be a guru. I'm running a hotel.
But you better have your 'DNS act' together, something obvious, IMHO, as soon as you fall for the "let's install pfSense because it's easy to download etc" trap. You'll still be needing an astronomical quantity of your neurons (also free, but you have to fill them with info and nobody can help you here).
Btw : DNS Forwarder : read the first blue note, the first line. That's solid info.
Those who need it will know why.
-
@Gertjan I agree, but my mind is following the Python zen:
There should be one-- and preferably only one --obvious way to do it.
These days it isn't too hard to jump from one topic to another, and knowledge of the layers of each topic cannot be the same for all.
@Gertjan said in Improve documentation DNS Forwarder:
Btw : DNS Forwarder : read the first blue note, th
You're right, that should be disabled by default.
If I need the ability to tell my LAN clients "when you need host giacomino.doesnotexist, look for LAN.LAN.LAN.X", I suppose DNS Forwarder will still be the only choice.
-
@Summer said in Improve documentation DNS Forwarder:
You're right that should be disabled by default.
It is.
-
I'm reading:
https://docs.netgate.com/pfsense/en/latest/services/dns/resolution-process.html
Resolver: A DNS server acting as a resolver will accept recursive queries from clients and/or forwarders and perform DNS resolution by making iterative queries to root and authoritative DNS servers in search of an answer. Like a forwarder it will typically cache results for increased performance. A resolver maintains a list of root servers in its "root hints" list. Resolvers will typically ship with a stock list but update it periodically from a trusted source.
Forwarder: A forwarder is a type of DNS server which accepts recursive queries from clients and makes its own queries to an upstream DNS server, which could be another forwarder or a resolver. A forwarder will typically cache results so clients get faster responses for frequently resolved queries.
Note: A forwarder does not perform DNS resolution itself, it passes a query along to another forwarder or resolver unless it has the answer in its cache.
Now:
- pfBlocker-NG and DNS Resolver are both unbound: Resolver
- I've disabled DNS Forwarder and enabled DNS Resolver; my LAN clients can still use pfsenseLAN as DNS
-
@Summer said in Improve documentation DNS Forwarder:
pfBlocker-NG and DNS Resolver are both unbound: Resolver
No.
Unbound is a resolver. See, for example : NLnet Labs - Unbound - About or Unbound (DNS server).
pfBlockerng uses the local 'resolver' (unbound, in this case), and acts like a 'plugin': it intercepts all DNS requests received by unbound, typically from the LAN-connected devices, and before unbound executes a 'resolve' for every request, pfBlockerng (the plugin) gets its hands on the request first.
This permits pfBlockerng to compare the request with a big list (the DNSBL feeds) to see if it concerns a 'blocked' domain. If it finds one, it instructs unbound to 'stop the actual resolving' and say to the client: the IP requested is "0.0.0.0" (so the client can't connect to this IP => the requested domain is blocked).
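As an added illustration, not part of any post in this thread and not pfSense's or pfBlockerNG's own generated configuration, the following hand-written unbound.conf fragment shows the three behaviours the thread touches on: a LAN host override (the "giacomino.doesnotexist -> LAN.LAN.LAN.X" case from Summer's question), a DNSBL-style block that answers 0.0.0.0 the way Gertjan describes pfBlockerNG doing, and the difference between resolver mode (root hints, no forward-zone) and forwarder mode (a forward-zone for "."). All addresses are constructed: 192.168.1.0/24 as the LAN, 192.168.1.50 as the override target, and 192.0.2.53 (a documentation-range address) as a placeholder for an upstream DNS server.

```conf
server:
    # Listen on the LAN-facing address only and accept queries from the LAN.
    # 192.168.1.1 and 192.168.1.0/24 are constructed example values.
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # Resolver mode: with no forward-zone below, unbound walks from the root
    # servers listed here (path is an assumption) to authoritative servers itself.
    root-hints: "/var/unbound/root.hints"

    # Host override: answer giacomino.doesnotexist locally instead of asking
    # anyone upstream. 192.168.1.50 stands in for LAN.LAN.LAN.X.
    local-zone: "doesnotexist." static
    local-data: "giacomino.doesnotexist. A 192.168.1.50"
    local-data-ptr: "192.168.1.50 giacomino.doesnotexist."

    # DNSBL-style block: every name in and below blocked.example gets
    # 0.0.0.0, so the client cannot connect and resolution stops here.
    # blocked.example is a constructed sample domain, not a real feed entry.
    local-zone: "blocked.example." redirect
    local-data: "blocked.example. A 0.0.0.0"

# Forwarder mode (uncomment to switch): everything not answered locally is
# handed to the upstream server at 192.0.2.53 (placeholder), which then does
# the actual resolution and caching on unbound's behalf.
# forward-zone:
#     name: "."
#     forward-addr: 192.0.2.53
```

With the fragment loaded, a LAN client can confirm the override with `dig @192.168.1.1 giacomino.doesnotexist A` (expect 192.168.1.50) and the block with `dig @192.168.1.1 ads.blocked.example A` (expect 0.0.0.0); any other name is resolved either from the root hints or, if the forward-zone is enabled, by the upstream server. The access-control lines are the part a defender should not skip: an unbound that answers recursive queries for anyone is an open resolver.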