DNS Resolver Infrastructure Cache Stats
-
@Antibiotic to be honest when you forward, there is little reason to forward to more than 1 ip.. I mean these dns providers are anycast networks.. So it's not like 8.8.8.8 is 1 server or cluster of servers in one DC... They are most likely thousands of "servers" on the anycast network all over the globe..
The likelihood that 8.8.8.8 is down while 8.8.4.4 is up is highly unlikely.. I mean these major players have spent lots of money to set up robust dns services.. Could it happen? Sure I guess.. but it would be so rare.. When was the last time you heard of a major player's dns service going down? I mean they do happen now and then.. But not like it happens every month or for that matter every year. And even if it did or does, switching over to forward to a different provider is a simple click.
And forwarding to 1 service and also a different service runs into the problem that maybe 1 service filters X and another filters Y.. so which one will you talk to? You have a problem talking to X now, but a couple of minutes later you don't - is it because there was an issue with the site, or dns, or did you just happen to query the dns service where that was filtered, but not filtered on the other service?
If you really have some ocd reason to put in more than 1, then they should be the same service so you're assured that responses from them will be consistent.
One of the advantages of resolving vs forwarding is, if the root servers are down - the internet is down for everyone on the planet, not just some dns service provider.. If some NS for domain XYZ is down, again it's down for everyone on the planet, be it you're trying to resolve or you're forwarding and asking them to resolve it for you.
-
More is always better.
Just keep in mind that if you forward to a.a.a.a, b.b.b.b and c.c.c.c (etc) and they have different operating policies (also known as "they decide what you can access") then you can get randomly failing DNS requests. Like : it works one moment, and not the next moment, etc.
And guess who gets blamed ? => unbound of course ....
( because the admin decided to ditch the mode Netgate has chosen : Resolving, and went for the DNS rabbit hole called forwarding )
So my real answer would be : none ! Don't forward, resolve. Get your DNS answers from the source, not from "some other intermediate".
Ok, ok, I admit, I'm biased. We all forwarded in the past, as we had no choice. It was the ISP DNS, and that's it.
These days, we have a resolver in our own router.
edit : and just saw the johnpoz reply.
True, big players have the anycast, many points of presence and so on. So using just one doesn't really introduce a single point of failure.
They don't break often, very true, because, as said :
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
these major players have spent lots of money to set up robust dns services
.... and doesn't this make you wonder why ? What's in it for them ?
I mean, I saw (own eyes, I was privileged) "8.8.8.8" in Europe, it's 'hidden' right in here: https://maps.app.goo.gl/FyPLtJBN2R6GkGLK7
And look just to the right of their building, a couple of 100 m or so : everything is windmill driven : green power !
There is a big sign at the entrance : "No households are using any green energy here, as we (Google) bought it all to serve your mail, DNS and storage ^^". I've a photo somewhere ...
And whatever happens in the future, the original Internet DNS system will always exist, as the big players are actually ... resolvers.
So, yeah, I'm pushing hard, hard, I know, but why would you need an external resolver if you have a resolver ?
-
@Gertjan exactly - the days of isp provided dns, and I even recall where they wouldn't even let you query another NS that wasn't theirs.. The vpn services are trying to put that in place now.. Look at all the shenanigans going on with nord where they are hijacking your dns queries.
Now that you can resolve yourself - I just don't get why everyone doesn't just resolve, you couldn't get me to go back to forwarding ever..
-
@Gertjan said in DNS Resolver Infrastructure Cache Stats:
So, my real answer would be: none! Don't forward, resolve
I agree, better to resolve. The reason I am forwarding is that my ISP is filtering DNS requests, and in resolve mode I cannot get some sites even with VPN!
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
Now that you can resolve yourself - I just don't get why everyone doesn't just resolve, you couldn't get me to go back to forwarding ever.
The main reason is that my ISP filters DNS, so I cannot get some sites.
-
@Antibiotic said in DNS Resolver Infrastructure Cache Stats:
The main reason is that my ISP filters DNS, so I cannot get some sites.
I get it.
I'm not all against forwarding. Reasons exist, and it's always better to have a choice.
Public resolving will never (not in the near future) happen over TLS, your port 853, as this would make every DNS request "a thousand" times more expensive (resources needed): creating a TLS connection for small, very temporary connections is a bad thing.
See my edited post above about Google in Europe.
You could still resolve, but then you need to VPN out all your traffic.
Or only VPN out your DNS requests (dunno if that can be done, I 'think' you could) ?
-
@Gertjan said in DNS Resolver Infrastructure Cache Stats:
You could still resolve, but then you need to VPN out all your traffic.
Or only VPN out your DNS requests (dunno if that can be done, I 'think' you could) ?
Yes, I tried but without success. Could you please give 2 firewall examples of how to make this? For the first option, and for me I think the second option is preferable. VPN out your DNS requests, this is my dream to make.
-
@Antibiotic how would your isp stop you from going to site xyz if you were running your dns also through the vpn? Unless of course your vpn was also filtering your dns like nord.
It is unlikely your isp is filtering dns in that they prevent looking up xyz, but what they could be doing is hijacking and redirecting your dns, which can break resolving.
I mean if an isp doesn't want their user base going to xyz site, it's a pretty lame attempt at stopping the users to just break dns, and not actually block the traffic to that site's IPs as well.
If I found out my isp was doing anything weird with my dns, the first thing I would be doing would be looking for a new isp. Which is not always possible, sure. Next best option prob find a vpn service that doesn't mess with dns either.. But would prob just spin up a vpn on a vps somewhere - you can run a vps for a couple of bucks a month. I have one that is like 20 a year I can route traffic through, be more than capable of running a dns resolver for me.
I have little desire to send my dns to these dns providers - they are not providing dns out of the goodness of their hearts, there is profit in it for them, in one form or another or they wouldn't be doing it.
A simple smoking gun test to see if your isp or vpn is hijacking dns is a simple directed dig to 1.2.3.4 for something.. If you get an answer then your dns is being redirected, either you are doing it yourself on pfsense or it's happening upstream. But 1.2.3.4 does not answer dns, so if you got an answer it's a smoking gun that you have been redirected.
dig @1.2.3.4 www.google.com
That should just time out, if you get a response your dns has been hijacked/redirected, that is a fact jack ;)
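The 1.2.3.4 check described above, as an added example that is not johnpoz's or pfSense's code: a raw UDP DNS query is sent straight to an address that runs no DNS service, so a timeout is the expected clean result and any reply shows the query was intercepted somewhere in the path (a local redirect rule, the ISP, or the VPN provider). The reply parser, the "clean"/"hijacked"/"unexpected" labels and the 3 second default timeout are my own assumptions.

```python
# Added example (not from the thread): johnpoz's "dig @1.2.3.4" check as a raw UDP
# query. 1.2.3.4 runs no DNS service: a timeout means untouched, a reply means intercepted.
import random
import socket
import struct

def build_query(name, txid=None):  # minimal A/IN query with RD set; returns (txid, packet)
    txid = random.randrange(0x10000) if txid is None else txid
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return txid, struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0) + labels + b"\x00\x00\x01\x00\x01"

def _skip_name(pkt, pos):  # step over a plain or compressed domain name
    while pkt[pos] & 0xC0 != 0xC0 and pkt[pos] != 0:
        pos += pkt[pos] + 1
    return pos + (2 if pkt[pos] & 0xC0 == 0xC0 else 1)

def a_records(reply, txid):  # IPv4 answers in a reply to our txid, None if not our reply
    rid, flags, qd, an = struct.unpack("!HHHH", reply[:8])
    if rid != txid or not flags & 0x8000:
        return None
    pos = 12
    for _ in range(qd):
        pos = _skip_name(reply, pos) + 4          # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        pos = _skip_name(reply, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", reply[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(reply[pos:pos + 4]))
        pos += rdlen
    return addrs

def classify(reply, txid):  # 'clean' on timeout, 'hijacked' when a matching reply came back
    if reply is None:
        return "clean", []
    addrs = a_records(reply, txid)
    return ("hijacked", addrs) if addrs is not None else ("unexpected", [])

def probe(server="1.2.3.4", name="www.google.com", timeout=3.0):
    txid, packet = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))         # straight to a host that never answers DNS
        try:
            reply, _ = sock.recvfrom(512)
        except OSError:                           # timeout or ICMP unreachable
            reply = None
    return classify(reply, txid)                  # ("clean", []) on an untouched path
```

Run `probe()` from the LAN and again from a host behind the VPN; a returned address tells you where the interception sits, and the same check against pfSense itself shows whether a local NAT redirect is the cause.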
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
how would your isp stop you from going to site xyz if you were running your dns also through the vpn? Unless of course your vpn was also filtering your dns like nord.
It is unlikely your isp is filtering dns in that they prevent looking up xyz, but what they could be doing is hijacking and redirecting your dns, which can break resolving.
I mean if an isp doesn't want their user base going to xyz site, it's a pretty lame attempt at stopping the users to just break dns, and not actually block the traffic to that site's IPs as well.
Sorry, I'm not an expert in this. I'll try to explain: when I set Unbound to resolver mode and use VPN, LAN rule here:
I cannot get some sites.
-
@Antibiotic where in those rules do you have pfsense dns route through your vpn? That routes your clients' traffic over a vpn via policy route. When your client asks for something.domain.tld of the pfsense resolver.. does your resolver query route out the vpn? If not then no, it would just go out your isp.
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
Does your resolver query route out the vpn?
Could you please give a firewall rule example for this? If yes, regarding my settings, where is it better to arrange this rule, I mean in the rules order on this interface?
-
@Antibiotic it wouldn't be a firewall rule, it would be a setting in your resolver on what outbound interface to use. Or it would be the default route in pfsense to send all traffic out the vpn.
-
@Antibiotic said in DNS Resolver Infrastructure Cache Stats:
could you please give 2 firewall examples of how to make this? For the first option, and for me I think the second option is preferable.
Long story short : I can't.
I use a (just one now) pfSense, and that's the one used by the company I work for.
Experimenting with that setup, and my boss knows that it is me messing around (again), and I already lost all my "who broke the Internet" credit points for this year.
If I have DNS issues with my ISP, I terminate the contract with them.
I prefer by far keeping my pfSense setup as simple (for me) as possible. And we all know it, we use pfSense, so it won't be simple, that's why we use pfSense.
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
it would be a setting in your resolver on what outbound interface
Actually, I tried to do it like you say now. But anyway, I cannot get some sites.
Could it be that a restart is needed?
-
@Gertjan said in DNS Resolver Infrastructure Cache Stats:
Long story short : I can't.
I use a (just one now) pfSense, and that's the one used by the company I work for.
Experimenting with that setup, and my boss knows that it is me messing around (again), and I already lost all my "who broke the Internet" credit points for this year
No problem, buddy, anyway thank you
-
@Antibiotic not sure how that is supposed to work at all, unless you're redirecting dns.. you have unbound only listening on localhost.. which is 127.0.0.1, how would your clients actually ask pfsense for anything for dns..
unless you have it listening on interfaces you're not showing?
-
@Gertjan said in DNS Resolver Infrastructure Cache Stats:
If I have DNS issues with my ISP, I terminate the contract with them.
Then I have to go out of Europe))) Where freedom exists on the internet))) But where does it exist?)))
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
you have unbound only listening on localhost
No, it's listening on pfSense interfaces as well:
-
@johnpoz said in DNS Resolver Infrastructure Cache Stats:
But would prob just spin up a vpn on a vps somewhere - you can run a vps for a couple of bucks a month. I have one that is like 20 a year I can route traffic through, be more than capable of running a dns resolver for me.
What VPS do you use that is so cheap?
-
@Antibiotic A vps (virtual private server) is just an instance you run on the internet somewhere.
It's just a vm, so a full OS that you can really pretty much do anything you want on, just like some vm or server you would set up locally but it's hosted somewhere on the internet.
If you're looking for a low-cost vps, check out https://lowendbox.com - they have all sorts of links to deals.
I show one on there currently at racknerd for like $10 a year.
Check out this for a few different $1 a month deals:
https://lowendbox.com/blog/1-vps-1-usd-vps-per-month/
I used to have a bunch of different ones in different locations, west coast, east coast, Chicago, EU (NL) - but I trimmed back and currently the only one I have active is with https://buyvm.net/ which is $2 a month currently.. Price has gone up over the years ;) I do have another server currently in NL.. But it's not really a lowend box, and is more like $10 a month vs a year.
The one I currently still have, I first got back in 2016, it was $15 a year then. Now it's 24.. not really bad price increases, since over the years they have increased what you got for the money.. I might have to spin up one of these 10 a year guys just to kick the tires on it. Might switch over and save myself $15 a year ;) hehehe
If I needed one in a specific location for something I was testing, the great thing about these is you can have them spun up and active normally in a few minutes.