All DNS Servers not being queried
-
Hi,
I have entered 4 DNS servers in System > General Setup - first 2 belonging to NextDNS and next 2 belonging to Umbrella.
I have configured my pfSense in DNS Resolver mode.
I don't see the pfsense querying Umbrella at all since it appears all the DNS queries are being sent to the 1st 2 servers only. Further, under Status > DNS Resolver, I see only the nextDNS servers. How do I rectify this such that pfSense replicates the DNS queries to multiple servers?
Thank you,
-
You have a basic misunderstanding of how multiple configured DNS servers in a client work.
When you give a client (pfSense in your case) the option of using more than one DNS server, that client randomly picks one from the list (or some clients may intentionally pick the first one in the list). They send queries to that server. If that server responds, the client never asks any other server in the list. It will continue to use the one that replied initially. So, unbound on pfSense is going to use the NextDNS server until it fails to reply at all. Only then would it try one of the Umbrella DNS servers. Only if that server fails and does not respond at all (as in the server is not accessible on the network) will the client try another DNS server from the list. See, the list provides the "backup servers" that can be tried if a server does not respond at all. It's not designed to represent a "round robin list" of servers that are queried sequentially. That's not how unbound operates. It is true that the older DNS Forwarder (dnsmasq) offered an optional mode where it would query the configured DNS servers simultaneously and take the answer of the first one to come back. But the default mode for dnsmasq is the same as for unbound: only one server from the list is used unless and until that server fails to respond at all. Only then is another server from the list tried.
A common misconception that new admins have is they think if the first server in the list responds that the queried host does not exist or can't be found, the client then tries the next server in the list hoping it can find the host. That's not how DNS works. If a server responds with NXDOMAIN, which means that domain or host does not exist, then that is the official "answer" and no other DNS server is asked. The client will never check another server in the configured list unless the server it was using fails to respond at all (that is, it is unreachable on the network).
The configuration you have is actually bad for another reason. When you use two totally different DNS providers, it is possible they will not return the same answer for a given host. That can lead to a situation where sometimes a DNS lookup succeeds and other times it fails -- all depending on which DNS server from the configured list gets chosen as the forwarder. You should use either two NextDNS servers or two Umbrella servers, but not both vendors at the same time. It's okay to have a pair of NextDNS servers as that way if one fails to respond hopefully the other is still online. And since both are NextDNS, they are highly likely to give the same answer. This gets really critical if you are using the filtering options provided by some DNS providers.
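As an added illustration (not code from this thread, from pfSense, or from unbound/dnsmasq), a small Python model of the two selection behaviours described above: failover-only selection, where any reply, NXDOMAIN included, is final and another server is consulted only when the chosen one does not respond at all, and the dnsmasq parallel mode, where every server is asked and the fastest responder's answer wins. Server names, answers and latencies are constructed.

```python
"""Constructed model of forwarder selection: failover-only vs. parallel.

Each upstream is a dict mapping a query name to an IP string; an unknown name
yields "NXDOMAIN". A server listed in `down` never replies (timeout -> None).
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed answers for two hypothetical upstreams (not real provider data).
UPSTREAMS: Dict[str, Dict[str, str]] = {
    "provider-a": {"example.com": "192.0.2.10"},                          # blocks "bad.test"
    "provider-b": {"example.com": "192.0.2.20", "bad.test": "192.0.2.99"},
}


def query(server: str, qname: str, down: FrozenSet[str]) -> Optional[str]:
    """Return an IP, "NXDOMAIN", or None when the server is unreachable."""
    if server in down:
        return None
    return UPSTREAMS[server].get(qname, "NXDOMAIN")


def resolve_failover(servers: List[str], qname: str,
                     down: FrozenSet[str] = frozenset()) -> Tuple[Optional[str], List[str]]:
    """unbound-style: list order stands in for whichever server the resolver
    picked; it moves to the next one only on no reply at all.
    Returns (answer, servers that were actually asked)."""
    asked: List[str] = []
    for server in servers:
        asked.append(server)
        answer = query(server, qname, down)
        if answer is not None:        # any reply, including NXDOMAIN, is final
            return answer, asked
    return None, asked                # every configured server timed out


def resolve_parallel(servers: List[str], latency_ms: Dict[str, int], qname: str,
                     down: FrozenSet[str] = frozenset()) -> Tuple[Optional[str], Optional[str]]:
    """dnsmasq "in parallel" mode: every server is asked, the quickest reply is
    returned to the client and the others are discarded. `latency_ms` is a
    constructed per-server timing table standing in for real network RTT."""
    replies = {s: query(s, qname, down) for s in servers}   # all are asked
    responders = [s for s in servers if replies[s] is not None]
    if not responders:
        return None, None
    fastest = min(responders, key=lambda s: latency_ms[s])
    return replies[fastest], fastest
```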
-
@bmeeks thank you for your highly detailed reply. I truly appreciate it. I was under the wrong assumption that the client would query all the DNS servers at the same time.
Is there a way that I can replicate DNS queries to Umbrella in this case? I am using nextDNS as my primary provider however I want to monitor for malicious DNS traffic via Umbrella.
Should I edit the custom DNS options and add the Umbrella address as forwarder address there?
-
@stealthmode said in All DNS Servers not being queried:
@bmeeks thank you for your highly detailed reply. I truly appreciate it. I was under the wrong assumption that the client would query all the DNS servers at the same time.
Is there a way that I can replicate DNS queries to Umbrella in this case? I am using nextDNS as my primary provider however I want to monitor for malicious DNS traffic via Umbrella.
Should I edit the custom DNS options and add the Umbrella address as forwarder address there?
You can't achieve both objectives -- forwarding to NextDNS and filtering for malicious traffic with Umbrella. The DNS Resolver does not "double-send" queries. It does not matter if you listed 100 alternate forwarder servers in the Custom Options, unbound is only going to ask the one in the list it chooses forever until that single server fails to respond. Only then would unbound try another from the list. And it will never ask them all at once.
The DNS Forwarder (dnsmasq) will ask all the configured servers at once, and will, as I said earlier, use whichever one replies the quickest. That still will not achieve what you want. For example, if NextDNS replied first, then that response would be sent to the requesting client. The client would never see the Umbrella reply. Conversely, if Umbrella happened to reply first, the client would be sent that reply and never see the NextDNS reply.
Plus, I'm not sure how you would expect this to work with your network clients. They are going to forward their DNS queries to your pfSense firewall, then pfSense will resolve or forward (depending on how you set it up), and then return an answer to the client. If NextDNS responds with the answer, the client will use that answer and proceed to the IP address. How would the Umbrella response be expected to fit into this scenario even if you could send responses to both NextDNS and Umbrella?
What you want is just not how DNS operates. You could use ONLY the Umbrella DNS servers and that would filter for malicious content, but ALL queries would have to go there. There is no way currently to send the queries to both NextDNS and Umbrella at the same time with unbound. You can't even really arrange for the queries to be sent separately or sequentially. DNS is just not structured/designed to work like that. Which reply would unbound be expected to return to your network client? The reply from NextDNS or the reply from Umbrella? How would unbound know what to do in each case?
If you want Umbrella screening your DNS queries for malicious domains, then you need to use only the Umbrella DNS servers and forget about NextDNS.
-
@bmeeks sorry, I should've been clear. I understand your point that traffic can't be filtered via Umbrella in this case. This is a lab, and I want to send a "SPAN" of the DNS queries to Umbrella transparently. Whether it causes blocks or not is fine, all I want is visibility.
-
@stealthmode said in All DNS Servers not being queried:
This is a lab, and I want to send a "SPAN" of the DNS queries to Umbrella transparently. Whether it causes blocks or not is fine, all I want is visibility.
I know of no way to accomplish that with the DNS Resolver in pfSense. As I mentioned previously, if you switch to the older DNS Forwarder and disable the DNS Resolver, it does send the DNS queries out to all the configured DNS forwarding servers simultaneously. The screen option refers to that as "in parallel" if I recall correctly. That would achieve your goal of sending the replies out to Umbrella and NextDNS both, but even in that case you would still have no control over which provider's reply (NextDNS or Umbrella) was returned to your network client. Remember that in that scenario it's simply whichever DNS server replies the fastest. That one's reply is returned to the client.
If you truly are that interested in using Umbrella for monitoring the traffic, why not just use them exclusively?
-
@bmeeks I did try that previously, but I found the latency from NextDNS to be better. Thank you for all your inputs; I will look into this further for some other alternatives.