Netgate Discussion Forum

    How best to set DNS servers/unbound/VPN

    Category: DHCP and DNS
    16 Posts 3 Posters 1.8k Views
    • hspindel @SteveITS

      @SteveITS I have two gateways - one for the VPN and one for the WAN. The VPN uses a private DNS server while the WAN uses a public server.

      Forwarding is unchecked.

      Here is the network topology:

      All clients are configured to use bind running on a local Linux server for DNS.
      Bind is configured to forward to any one of three piholes.
      Every pihole is configured the same to forward to pfSense.

      So pfSense has to be making the DNS requests specified in General Settings. The clients have no other path to non-local DNS.

      • viragomann @hspindel

        @hspindel said in How best to set DNS servers/unbound/VPN:

        So pfSense has to be making the DNS requests specified in General Settings.

        Again, without query forwarding, these servers are only used for pfSense itself!
        If you want to use them for your local devices, go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.

        • hspindel @viragomann

          @viragomann said in How best to set DNS servers/unbound/VPN:

          @hspindel said in How best to set DNS servers/unbound/VPN:

          So pfSense has to be making the DNS requests specified in General Settings.

          Again, without query forwarding, these servers are only used for pfSense itself!
          If you want to use them for your local devices, go into the Resolver settings and enable query forwarding and state the proper gateways for the servers in General Settings, as mentioned above.

          I don't understand this. View my topology above. If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.

          • SteveITS Galactic Empire @hspindel

            @hspindel said in How best to set DNS servers/unbound/VPN:

            If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.

            You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
            Upvote 👍 helpful posts!

            • viragomann @hspindel

              @hspindel said in How best to set DNS servers/unbound/VPN:

              View my topology above.

              Your topology seems strange to me; however, this doesn't change the behavior of the DNS Resolver on pfSense at all.

              I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes, or at least by them and a second DNS.

              • hspindel @SteveITS

                @SteveITS said in How best to set DNS servers/unbound/VPN:

                @hspindel said in How best to set DNS servers/unbound/VPN:

                If pfSense were not forwarding to the servers listed in General Settings, none of my local devices could have DNS.

                You wrote above, "DNS is not operating in forwarding mode." Ergo, it's not forwarding. It either forwards, or resolves against the DNS root servers. The servers listed in General Settings are only relevant for clients if the option for forwarding is checked.

                Then please explain how my system could be working at all.

                • hspindel @viragomann

                  @viragomann said in How best to set DNS servers/unbound/VPN:

                  Your topology seems strange to me; however, this doesn't change the behavior of the DNS Resolver on pfSense at all.

                  I'm wondering why you need three local DNS servers. I think all you need could also be done with only the Piholes, or at least by them and a second DNS.

                  Why strange? Bind is for local name resolution. Piholes are for ad blocking. Multiple Piholes for redundancy.

                  Yes, I could convert the functions Bind is performing to run on the Piholes, but it is very convenient for me the way it is. Also, Bind has been running for decades and it works well for me. Piholes are new.

                  • viragomann @hspindel

                    @hspindel
                    It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
                    It's just that for the root servers, you cannot state a gateway for going out.

                    • hspindel @viragomann

                      @viragomann said in How best to set DNS servers/unbound/VPN:

                      @hspindel
                      It doesn't make any difference for your local devices if the DNS Resolver uses the DNS servers stated in System > General or if it uses the root name servers to resolve host names.
                      It's just that for the root servers, you cannot state a gateway for going out.

                      It does make a difference to me. When the VPN is active, I want DNS requests to go to the VPN's DNS server.

                      The root servers are not currently being contacted. I can see this with a DNS leak test.

                      • hspindel @hspindel

                        @hspindel I reviewed my configuration, and discovered that I actually do have DNS forwarding enabled but not in the way I was looking.

                        DNS forwarding service is NOT enabled.

                        But DNS Resolver service is enabled, and the checkbox for "Enable Forwarding Mode" is checked. Description says if this is checked, then DNS queries are forwarded to the servers set in System/General Setup.

                        So that explains why my current setup is working.

                        I still do not have a solution that chooses one or the other of the DNS services in System/General Setup dependent on whether the Wireguard VPN is enabled or not.

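A quick way to confirm which of the two modes SteveITS describes the Resolver is actually in (the check hspindel ended up doing by hand in the post above) is to look at the config unbound was started with. This is an added example, not code from the thread or from pfSense: it parses config text in the shape pfSense generates (a `forward-zone:` for `"."` with `forward-addr:` lines when "Enable Forwarding Mode" is checked, none when it resolves from the roots); the `/var/unbound/unbound.conf` path and the sample addresses are assumptions.

```shell
#!/bin/sh
# Added example: classify an unbound config as "forwarding" (forward-zone for ".")
# or "resolving" (no such zone, so the root servers are used), and list the
# upstream addresses. Input is the config text; run against the live file with
#   resolver_mode "$(cat /var/unbound/unbound.conf)"   # path assumed

# Constructed sample in the style pfSense emits when forwarding mode is on.
SAMPLE_FORWARDING='server:
    interface: 0.0.0.0
    do-ip4: yes
forward-zone:
    name: "."
    forward-addr: 10.8.0.1@53
    forward-addr: 1.1.1.1@53
'

# Constructed sample with forwarding mode unchecked: no forward-zone at all.
SAMPLE_RESOLVING='server:
    interface: 0.0.0.0
    do-ip4: yes
'

# Print the forward-addr values of the "." zone, one per line (nothing if none).
# Other forward-zones (e.g. per-domain overrides) are deliberately ignored.
forward_addrs() {
    printf '%s' "$1" | awk '
        /^forward-zone:/ { inzone = 1; zone = ""; next }
        /^[^ \t]/        { inzone = 0 }
        inzone && $1 == "name:" { zone = $2; gsub(/"/, "", zone) }
        inzone && zone == "." && $1 == "forward-addr:" { print $2 }
    '
}

# Echo "forwarding" if the "." zone has at least one upstream, else "resolving".
resolver_mode() {
    if [ -n "$(forward_addrs "$1")" ]; then
        echo forwarding
    else
        echo resolving
    fi
}

resolver_mode "$SAMPLE_FORWARDING"   # forwarding
forward_addrs "$SAMPLE_FORWARDING"   # 10.8.0.1@53 and 1.1.1.1@53
resolver_mode "$SAMPLE_RESOLVING"    # resolving
```

With forwarding on, the addresses printed are exactly the System > General Setup servers, which is why a gateway can be pinned per server there; in resolving mode there is no such list to pin.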
                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.