How best to set DNS servers/unbound/VPN
-
@hspindel
If you didn't enable DNS query forwarding in the Resolver settings, the DNS servers in the general setup are used only by pfSense itself, but not for the internal devices.
The Resolver requests DNS root servers by default, which you cannot configure manually. The requests are sent out to the default gateway.
-
@viragomann If what you are telling me is correct, then my system would not be operating the way it does.
All local devices eventually refer DNS requests to pfSense. When my VPN tunnel is up, sometimes DNS requests are sent out through the tunnel and sometimes over the WAN.
-
@hspindel Are you using a public DNS server as a gateway monitoring IP? IIRC that creates a static route for it. But if forwarding is unchecked in Resolver then client queries shouldn’t use those servers.
-
@SteveITS I have two gateways - one for the VPN and one for the WAN. The VPN uses a private DNS server while the WAN uses a public server.
Forwarding is unchecked.
Here is the network topology:
All clients are configured to use bind running on a local Linux server for DNS.
Bind is configured to forward to any one of three piholes.
Every pihole is configured the same to forward to pfSense. So pfSense has to be making the DNS requests specified in General Settings. The clients have no other path to non-local DNS.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
So pfSense has to be making the DNS requests specified in General Settings.
Again, without query forwarding, these servers are only used for pfSense itself!
If you want to use them for your local devices go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.
-
@viragomann said in How best to set DNS servers/unbound/VPN:
@hspindel said in How best to set DNS servers/unbound/VPN:
So pfSense has to be making the DNS requests specified in General Settings.
Again, without query forwarding, these servers are only used for pfSense itself!
If you want to use them for your local devices go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.
I don't understand this. View my topology above. If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.
-
@hspindel said in How best to set DNS servers/unbound/VPN:
View my topology above.
Your topology seems strange to me, however, this doesn't change the behavior of the DNS Resolver on pfSense at all.
I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes or at least by them and a second DNS.
-
@SteveITS said in How best to set DNS servers/unbound/VPN:
@hspindel said in How best to set DNS servers/unbound/VPN:
If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.
You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.
Then please explain how my system could be working at all.
-
Your topology seems strange to me, however, this doesn't change the behavior of the DNS Resolver on pfSense at all.
I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes or at least by them and a second DNS.
Why strange? bind is for local name resolution. piholes are for adblocking. Multiple piholes for redundancy.
Yes, I could convert the functions bind is performing to run on the piholes, but it is very convenient for me the way it is. Also, bind has been running for decades and it works well for me. piholes are new.
-
@hspindel
It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
It's just for the root servers, you cannot state a gateway for going out.
-
@viragomann said in How best to set DNS servers/unbound/VPN:
@hspindel
It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
It's just for the root servers, you cannot state a gateway for going out.
It does make a difference to me. When the VPN is active, I want DNS requests to go to the VPN's DNS server.
The root servers are not currently being contacted. I can see this with a DNS leak test.
-
@hspindel I reviewed my configuration, and discovered that I actually do have DNS forwarding enabled but not in the way I was looking.
DNS forwarding service is NOT enabled.
But DNS Resolver service is enabled, and the checkbox for "Enable Forwarding Mode" is checked. Description says if this is checked, then DNS queries are forwarded to the servers set in System/General Setup.
So that explains why my current setup is working.
I still do not have a solution that chooses one or the other of the DNS services in System/General Setup dependent on whether the Wireguard VPN is enabled or not.
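As an added example (not posted by anyone in this thread), a small POSIX shell check that reads an Unbound configuration and reports whether the Resolver is in forwarding mode (a forward-zone for "." carrying the System > General Setup servers) or resolving against the root servers itself, so the mode can be confirmed from the generated config rather than the GUI. It assumes pfSense's generated file at /var/unbound/unbound.conf has that shape; the sample config below is constructed.

```shell
#!/bin/sh
# Added example, not from the thread. Reads an Unbound config (pfSense writes its
# generated one to /var/unbound/unbound.conf) and reports whether the Resolver is in
# forwarding mode ("." forward-zone with forward-addr entries, i.e. the servers from
# System > General Setup) or resolving against the root servers on its own.

# Print the forward-addr targets of the forward-zone for "." (one per line, port stripped).
unbound_forwarders() {
    awk '
        /^[ \t]*forward-zone:/ { inzone = 1; dot = 0; next }
        inzone && /^[ \t]*name:/ { dot = ($2 == "\".\""); next }
        inzone && dot && /^[ \t]*forward-addr:/ { sub(/@.*/, "", $2); print $2; next }
        inzone && /^[^ \t#]/ { inzone = 0 }   # next top-level clause ends the zone
    ' "$1"
}

# Report "forwarding" when a "." forward-zone has at least one target, otherwise "resolving".
unbound_mode() {
    if [ -n "$(unbound_forwarders "$1")" ]; then
        echo forwarding
    else
        echo resolving
    fi
}

# Constructed sample in the shape generated with "Enable Forwarding Mode" checked:
# two General Setup servers, one private VPN-side resolver and one public (DoT port 853).
SAMPLE_CONF="${TMPDIR:-/tmp}/unbound-sample.$$.conf"
cat > "$SAMPLE_CONF" <<'EOF'
server:
    interface: 127.0.0.1
    do-not-query-localhost: no
forward-zone:
    name: "."
    forward-addr: 10.8.0.1
    forward-addr: 9.9.9.9@853
remote-control:
    control-enable: yes
EOF

echo "mode: $(unbound_mode "$SAMPLE_CONF")"   # forwarding
unbound_forwarders "$SAMPLE_CONF"              # 10.8.0.1 and 9.9.9.9
rm -f "$SAMPLE_CONF"
```

In forwarding mode every listed target should be reachable over the gateway you chose for it in General Setup; a target whose route goes out the wrong gateway is exactly the tunnel-versus-WAN leak the thread describes.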