
    Alternative DNS Servers - no filter/censorship (buydomains.com problem)

    General pfSense Questions
    72 Posts 11 Posters 15.4k Views
    • KOM

      I add the DNS Servers to system > general setup and point the computers to pfSense (192.168.0.1)

      That's correct, but what is your pfSense pointing to?  Probably your gateway which is your cable modem, or IP address(es) supplied by your ISP.  Don't use those.  Use external 3rd-party DNS from a list such as this:

      Free & Public DNS Servers (Updated January 2015)

      Provider             Primary DNS       Secondary DNS
      Level3               209.244.0.3       209.244.0.4
      Google               8.8.8.8           8.8.4.4
      DNS.WATCH            84.200.69.80      84.200.70.40
      Comodo Secure DNS    8.26.56.26        8.20.247.20
      OpenDNS Home         208.67.222.222    208.67.220.220
      DNS Advantage        156.154.70.1      156.154.71.1
      Norton ConnectSafe   199.85.126.10     199.85.127.10
      GreenTeamDNS         81.218.119.11     209.88.198.133
      SafeDNS              195.46.39.39      195.46.39.40
      OpenNIC              107.150.40.234    50.116.23.211
      SmartViper           208.76.50.50      208.76.51.51
      Dyn                  216.146.35.35     216.146.36.36
      FreeDNS              37.235.1.174      37.235.1.177
      censurfridns.dk      89.233.43.71      91.239.100.100
      Hurricane Electric   74.82.42.42
      puntCAT              109.69.8.51

      • doktornotor

        As a side note: DNS hijacking flaw in ZynOS-based routers.

        • MrGlasspoole

          @kejianshi:

          My god.  Then your settings are super simple.

          But that is what I already explained in the beginning.
          But I don't get how this makes sure you get the fastest DNS server.
          Tutorials say you should pick one near your location and there is:
          https://code.google.com/p/namebench/
          and
          https://www.grc.com/dns/benchmark.htm

          @KOM:

          That's correct, but what is your pfSense pointing to?  Probably your gateway which is your cable modem, or IP address(es) supplied by your ISP.

          Is that not what you normally do - point your router to the modem?
          Some years ago I used Windows Server as a router and did it the same way:
          Modem (10.0.0.1) <-> Win Server NIC1 WAN (10.0.0.2) - Win Server NIC2 LAN (192.168.0.1)

          Also it worked that way with my old Asus router with Tomato firmware.

          And that's different from what kejianshi is suggesting.

          Are you talking about system -> routing -> gateways (Gateway IP address)?
          There you add only one external 3rd-party DNS and in "system > general setup" the others?
          Is there something wrong with the https://www.wikileaks.org/wiki/Alternative_DNS list?

          @doktornotor:

          As a side note: DNS hijacking flaw in ZynOS-based routers.

          If my cable modem/router has a problem then why does the problem go away after a pfSense restart?
          Also there is nothing I can do about it if the modem has a problem.
          You have to wait for the automatic update from the provider.
          I only use this device as a modem because DECT and WLAN are bad, there is not much control, and you can't add
          your own VoIP numbers. You can use it only with the numbers from the ISP.

          • doktornotor

            @MrGlasspoole:

            Is that not what you normally do - point your router to the modem?

            No, that's what I never ever do. Definitely never ever with any of this completely unmaintained ISP-provided POS (which is ideally dumbed down to a bridge instead if you cannot get rid of it altogether.)

            • kejianshi

              "But I don't get how this makes sure you get the fastest DNS server" - It will be super fast.  Only the 1st request to a page will require a look at the root servers.  The answer to the request will be cached (saved in memory).  From then on, the answers will come directly from pfSense.  It will take 1ms.  If you go into the advanced settings and enable Prefetch Support and Prefetch DNS Key Support, sites you visit often will be kept warm in cache, rechecked and recached often, and won't expire.  You will have a fast, fast resolver.

              "Is that not what you normally do - point your router to the modem?"
              Yes - If you are my grandmother…  There is a difference between "simple" and "optimal"
              And isn't your DNS getting spoofed with that setting?  The answer should be obvious by now.

              • johnpoz (Global Moderator)

                Maybe it's just me but I wish people would stop calling devices that are doing NAT modems ;)  It's not a "modem" if it's doing NAT.. It's a gateway if it's doing modem/router functions..

                A modem is just a dumb device that converts media type..  Modems don't provide dns or dhcp services, etc..

                Why would anyone point their fancy pfsense router/firewall, running a nice dns forwarder or resolver like dnsmasq or unbound, to some BS dns forwarder service running on some isp provided "gateway" that you have no idea what it's using/doing

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                • KOM

                  Is that not what you normally do - point your router to the modem?

                  In the context of DNS, yes, this is what most home users do and it used to be perfectly ok.  Used to.  Now you're better off using an external DNS.  I've found that Google is often faster than my local ISP, and they aren't fiddling like some ISPs.  However, being Google, they're likely tracking and analyzing all the DNS requests.  If that bothers you, try another free DNS.

                  • kejianshi

                    @johnpoz:

                    Why would anyone point their fancy pfsense router/firewall running nice dns forwarder or resolver like dnsmasq or ubound to some BS you have no idea what its using/doing of the dns forwarder service running on some isp provided "gateway"

                    To give us carpal tunnel?

                    • MrGlasspoole

                      @doktornotor:

                      which is ideally dumbed down to a bridge instead if you cannot get rid of it altogether.

                      I was trying to do that with hacking but it's not working. You can do that on the DSL routers from AVM that you can buy.
                      But it does not work on the custom firmware on the provider boxes.

                      All i can do is setting port forward on the NIC to pfSense to "Exposed Host" to bypass NAT.

                      @johnpoz:

                      wish people would stop calling devices that are doing NAT modems

                      That's why I wrote modem/router.

                      So can somebody guide me through the ideal settings please?
                      There are so many settings in pfSense that it's overwhelming and tutorials are rare.
                      All stuff i was reading some time ago (not pfSense) was doing it the way with pointing the router to the modem.

                      • kejianshi

                        :'( - What I told you is default, works well and is secure.  Prevents DNS tampering.  Sounds pretty ideal.

                        • johnpoz (Global Moderator)

                          "the ideal settings please?"

                          Ideal settings for what network?  Every network is going to be different.  Different people have different priorities, needs/wants.  Your ideal setup might be completely different than mine.

                          What hardware are you working with?  Do you only have 1 segment?  Do you have wireless - this is quite often broken out on its own segment..  While other users would say that is less than ideal..

                          What connection do you have cable/dsl - are you pppoe?  I would think pretty much everyone in network would agree that doing a double nat like you have is less than ideal.. That is for sure.

                          What you run for dns is going to depend on your desires/requirements.  For many a forwarder is fine - for others it's useless; they want to do their own queries to the owning servers and have support for dnssec, etc. etc.


                          • hda

                            @MrGlasspoole:

                            …
                            So can somebody guide me through the ideal settings please?
                            ...

                            So, did you try the settings of kejianshi reply #17 ? The results are better or worse than you have/had ?

                            • MikeV7896

                              I benchmarked my DNS options using the GRC utility. There were 43 external servers that I was able to access.

                              For uncached queries, my server was only 50ms slower than the fastest alternative.
                              For cached queries, there was nothing faster than a 1ms response time, since the server is local. :)

                              For just 1/20th of a second of delay I'd rather know that my DNS results are coming straight from the source rather than potentially poisoned by a third-party DNS server. Like you, I also prefer to not be forwarded to a domain seller or search results if I mistype a web address.

                              So with these pieces of information, I happily choose Unbound as my DNS option rather than using an external server.

                              The S in IOT stands for Security
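The thread title's "buydomains.com problem" and the "forwarded to a domain seller if I mistype" complaint above are the same thing: a resolver that answers a nonexistent name with NOERROR plus an A record for a parking page instead of NXDOMAIN. The probe below is an added example, not code from the original post or from pfSense/Unbound. It builds a raw UDP A query for a random label under .com, parses the reply with plain sockets (no dnspython), and classifies the resolver as honest or redirecting. Assumptions: the random label is unregistered, the resolver answers on UDP port 53, and the addresses in the usage comment are placeholders. `build_response` exists only to construct sample replies offline; it is not captured traffic.

```python
"""Probe a recursive resolver for NXDOMAIN redirection (added example).

An honest resolver answers a query for a name that does not exist with
RCODE 3 (NXDOMAIN) and an empty answer section.  A resolver that redirects
typos to a parking page returns NOERROR plus an A record for its own web
server.  Everything here is raw wire format over a UDP socket.
"""
import os
import socket
import struct
import sys

RCODE_NOERROR = 0
RCODE_NXDOMAIN = 3
QTYPE_A = 1
QCLASS_IN = 1


def encode_name(qname: str) -> bytes:
    """Wire-format name: length-prefixed labels, terminated by a zero byte."""
    labels = qname.rstrip(".").split(".")
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(qname: str, txid: int) -> bytes:
    """Standard query: QR=0, RD=1, one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)


def build_response(qname: str, txid: int, rcode: int, addrs=()) -> bytes:
    """Constructed reply for offline testing (not captured traffic):
    QR=1, RD=1, RA=1, the given RCODE, one A record per address in addrs."""
    flags = 0x8180 | (rcode & 0xF)
    header = struct.pack("!HHHHHH", txid, flags, 1, len(addrs), 0, 0)
    msg = header + encode_name(qname) + struct.pack("!HH", QTYPE_A, QCLASS_IN)
    for addr in addrs:
        # owner name is a compression pointer to the question name at offset 12
        msg += b"\xc0\x0c" + struct.pack("!HHIH", QTYPE_A, QCLASS_IN, 60, 4)
        msg += socket.inet_aton(addr)
    return msg


def skip_name(msg: bytes, off: int) -> int:
    """Return the offset just past a (possibly compressed) name."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return off + 2
        off += 1 + length


def parse_response(msg: bytes, txid: int) -> dict:
    """Return {'rcode': int, 'answers': [A-record IPs]}; raise on bad replies."""
    if len(msg) < 12:
        raise ValueError("truncated header")
    rid, flags, qdcount, ancount, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid:
        raise ValueError("transaction ID mismatch: reply is not for our query")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    off = 12
    for _ in range(qdcount):
        off = skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    answers = []
    for _ in range(ancount):
        off = skip_name(msg, off)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rclass == QCLASS_IN and rdlen == 4:
            answers.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0xF, "answers": answers}


def classify(parsed: dict) -> str:
    """'honest' = proper NXDOMAIN; 'redirected' = synthesized A record."""
    if parsed["rcode"] == RCODE_NXDOMAIN and not parsed["answers"]:
        return "honest"
    if parsed["rcode"] == RCODE_NOERROR and parsed["answers"]:
        return "redirected"
    return "inconclusive"


def probe(resolver_ip: str, timeout: float = 2.0) -> tuple:
    """Ask the resolver for a random .com label and classify its answer."""
    qname = "nx-" + os.urandom(6).hex() + ".com"   # assumption: not registered
    txid = int.from_bytes(os.urandom(2), "big")    # random ID, checked on reply
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(qname, txid), (resolver_ip, 53))
        data, _ = sock.recvfrom(512)
    parsed = parse_response(data, txid)
    return qname, classify(parsed), parsed["answers"]


if __name__ == "__main__":
    # usage: python3 nxprobe.py 192.168.0.1 8.8.8.8   (placeholder resolver IPs)
    for ip in sys.argv[1:]:
        print(ip, *probe(ip))
```

Run it against pfSense itself and against the ISP gateway: a pfSense box running Unbound as a recursive resolver should report `honest`; an ISP forwarder that parks typos reports `redirected` with the parking page's address. The transaction-ID check is what a real resolver does against blind spoofing, so a reply that fails it is discarded rather than classified.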

                              • kejianshi

                                Yes - Totally agree ^

                                I'd still love to hear, is there a downside to hardening glue and hardening DNSSEC.

                                Seems like a great idea at first glance but not sure if it will cost me anything?
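The settings named earlier in the thread (Prefetch Support, Prefetch DNS Key Support) and the two asked about here (harden glue, harden DNSSEC) are all Unbound directives that pfSense's DNS Resolver page writes into its generated unbound.conf. The fragment below is an added example, not from the original post or from pfSense's own generated file; the GUI labels in the comments are the pfSense Advanced Settings checkboxes, and the trust-anchor path is an assumption about where pfSense keeps it.

```conf
# Added example: unbound.conf directives behind the pfSense DNS Resolver
# checkboxes discussed in this thread.  Not pfSense's generated file.
server:
    # No forward-zone at all: Unbound walks from the root servers to the
    # owning authoritative servers itself, so the ISP gateway's forwarder
    # is never consulted.  (GUI: leave "DNS Query Forwarding" unchecked)

    # Refresh a cached record shortly before its TTL expires instead of
    # letting it age out, so frequently used names stay warm.
    # (GUI: "Prefetch Support")
    prefetch: yes
    # Same for DNSKEY records, so validation of a hot zone never stalls
    # waiting for a key fetch.  (GUI: "Prefetch DNS Key Support")
    prefetch-key: yes

    # Validate signatures; a spoofed or synthesized answer for a signed
    # zone fails validation instead of entering the cache.
    # (GUI: "Enable DNSSEC Support"; path below is an assumption)
    auto-trust-anchor-file: "/var/unbound/root.key"

    # Only accept glue records that are within the delegating server's
    # bailiwick, so a referral cannot plant addresses for unrelated names
    # in the cache.  (GUI: "Harden Glue")
    harden-glue: yes
    # If a zone is known to be signed but the answer arrives without its
    # DNSSEC data, treat it as bogus rather than falling back to insecure.
    # (GUI: "Harden DNSSEC data")
    harden-dnssec-stripped: yes
```

On the cost question: harden-glue only discards out-of-bailiwick glue, which costs at most an extra lookup for the affected name server. harden-dnssec-stripped is the one with a visible downside: a signed zone whose RRSIGs are stripped by a broken middlebox or a misconfigured authoritative server resolves to SERVFAIL instead of an unvalidated answer, which is the intended behaviour but shows up as "this site does not resolve". `unbound-checkconf` on the generated file reports syntax errors before the service is restarted.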

                                • MrGlasspoole

                                  @kejianshi:

                                  What I told you is default, works well and is secure.  Prevents DNS tampering.  Sounds pretty ideal.

                                  Ok, so no adding some servers like KOM listed?
                                  But what about the pointing to modem thing (system -> routing -> gateways)?

                                  @johnpoz:

                                  Ideal settings for what network?

                                  For what I want to do: fast, non-filtering, non-censoring DNS.
                                  I have two wireless devices with DD-WRT that only act as AP and don't know what segment means.

                                  • kejianshi

                                    Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

                                    HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)

                                    • Trel

                                      @kejianshi:

                                      Don't mess with the gateways - You will shut yourself out of the internet more than likely if you play with that.

                                      HOWEVER - You really should either get a pure modem with no NAT or figure out how to get your modem into bridged mode (I'd bet this can be done without hacking)

                                      If it's Comcast, spring for the pure modem.
                                      Otherwise, it takes 20 minutes on the phone with them to get it into bridged mode and it'll revert back to a gateway anytime it has a power blip.

                                      • MrGlasspoole

                                        A pure modem is not possible because this box is the only one where you can
                                        get 3 phone numbers and the numbers only work with this box.
                                        There are only 2 cable ISPs in Germany and both use this box.

                                        bridged mode is not possible - there is a whole thread in the German forum.
                                        Only business customers get it - for private customers it's blocked.
                                        I can be happy that my connection is some years old cause new customers get IPv6 and that is only DS-Lite.

                                        So others say don't point to the modem/router and you say don't mess with it and leave it as is?

                                        @Trel:

                                        If it's Comcast, spring for the pure modem.

                                        It's one of the two German cable providers and there is no chance for a modem because only with this box
                                        can you phone with their numbers, and they don't let you bridge.

                                        • firewalluser

                                          @kejianshi:

                                          If you go into the advanced and enable Prefetch Support and Prefetch DNS Key Support sites you visit often will be kept warm in cache and rechecked and recached often and won't expire.

                                          Doesn't that still generate traffic patterns over and above the normal dns patterns, creating what some would call a needle in a haystack?

                                          Capitalism, currently The World's best Entertainment Control System and YOU cant buy it! But you can buy this, or some of this or some of these

                                          Asch Conformity, mainly the blind leading the blind.

                                          • kejianshi

                                            Not sure what you mean by "Needle in a haystack"

                                            It will simply query the root servers for sites you visit very often instead of allowing them to age off.

                                            Yes, there will be more DNS traffic, but that's not a bad thing in any way I can think of.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.