Netgate Discussion Forum

    Unbound not working

    DHCP and DNS

      kevindd992002

      @johnpoz:

      "Well, if the pfsense firewall can query outbound at 8.8.8.8 and 8.8.4.4 doesn't that mean it is allowed in my work lan?"

      No, not necessarily. What that means is that 53 is open to 8.8.8.8 and 8.8.4.4; it does not mean that 53 is open to

      .                      517311  IN      NS      a.root-servers.net.
      .                      517311  IN      NS      b.root-servers.net.
      .                      517311  IN      NS      c.root-servers.net.
      .                      517311  IN      NS      d.root-servers.net.
      .                      517311  IN      NS      e.root-servers.net.
      .                      517311  IN      NS      f.root-servers.net.
      .                      517311  IN      NS      g.root-servers.net.
      .                      517311  IN      NS      h.root-servers.net.
      .                      517311  IN      NS      i.root-servers.net.
      .                      517311  IN      NS      j.root-servers.net.
      .                      517311  IN      NS      k.root-servers.net.
      .                      517311  IN      NS      l.root-servers.net.
      .                      517311  IN      NS      m.root-servers.net.

      or

      ;; ANSWER SECTION:
      com.                    172800  IN      NS      j.gtld-servers.net.
      com.                    172800  IN      NS      b.gtld-servers.net.
      com.                    172800  IN      NS      d.gtld-servers.net.
      com.                    172800  IN      NS      c.gtld-servers.net.
      com.                    172800  IN      NS      a.gtld-servers.net.
      com.                    172800  IN      NS      h.gtld-servers.net.
      com.                    172800  IN      NS      l.gtld-servers.net.
      com.                    172800  IN      NS      m.gtld-servers.net.
      com.                    172800  IN      NS      k.gtld-servers.net.
      com.                    172800  IN      NS      i.gtld-servers.net.
      com.                    172800  IN      NS      f.gtld-servers.net.
      com.                    172800  IN      NS      e.gtld-servers.net.
      com.                    172800  IN      NS      g.gtld-servers.net.

      And then every single authoritative ns on the planet..  This is the difference between a forwarder and a resolver - a forwarder would forward to say 8.8.8.8

      What I would suggest is you use the forwarder, you have no need of the resolver function to look up shit ;)

      As to it defaulting to ALL for interfaces..  It has to default to something..  But ALL is normally not going to be the correct setting for either of those..  It's rare you would listen for dns queries on wan, and it's rare that you would talk to an authoritative ns out your lan for example..

      I would suggest you leave it disabled and just use the forwarder pointing to 8.8.8.8, until such time that you actually require a resolver vs a forwarder.

      Got it. You mean my work lan can allow outbound port 53 to known DNS servers like Google but not to root server, right?

      And if I understand correctly, dnsmasq does recursive queries to where it forwards to and unbound does an iterative lookup, right? In that case, in what situation would I best use unbound, and why is it kept enabled for fresh installations if it can produce some issues with certain ISPs?

      @kejianshi:

      Your unbound can also work just fine as a forwarder as long as what you are forwarding from allows that DNSSEC - Google dns does.  Your ISP may not.  Whatever is on your pfsense wan may not also.  In other words, when using unbound as a forwarder, you may not be able to use dnssec.  Just depends on your dns server you tell it to forward from.

      So, let's say you don't allow your ISP to override your DNS settings on the WAN AND you also use 8.8.8.8 and 8.8.4.4 AND you also use DNSSEC in unbound DNS resolver with forwarder mode enabled, there is some advantage.  Whoever is between you and google DNS will have a hell of a time spoofing your DNS replies.

      Your work guys may try?  I don't know.  Admins can be mischievous.

      I understand. If forwarding is enabled in unbound though, what would its difference from dnsmasq be?

        johnpoz LAYER 8 Global Moderator

        In forwarder mode it supports dnssec - while dnsmasq does not, etc..

        As to why they have unbound enabled out of the box?  While sure it could have issues with some connections..  Have to ask them, I didn't notice if it was in forwarder mode with dnssec enabled or not?  To be honest though you would HOPE that someone wanting to use pfsense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfsense - many of them should just stick to their off the shelf soho routers that they turn on and forget about… hehehehehe

        The layer 8 problems are becoming very common on the board...

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

          kejianshi

          Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.

            kevindd992002

            @johnpoz:

            In forwarder mode it supports dnssec - while dnsmasq does not, etc..

            As to why they have unbound enabled out of the box?  While sure it could have issues with some connections..  Have to ask them, I didn't notice if it was in forwarder mode with dnssec enabled or not?  To be honest though you would HOPE that someone wanting to use pfsense would have the basic understanding of this sort of stuff to figure it out ;)  While many users are jumping on the bandwagon of pfsense - many of them should just stick to their off the shelf soho routers that they turn on and forget about… hehehehehe

            The layer 8 problems are becoming very common on the board...

            We all start somewhere, and that's why the pfsense community is here. I'm not at all clueless when it comes to DNS but I'll admit that I'm not an expert. What's basic for you may not be basic for others.

            @kejianshi:

            Honestly, I seriously doubt that the root server IPs are being blocked while google's are being allowed UNLESS they are white-listing.

            That's what I thought. I forgot to mention though that I have two pfsense firewalls in my setup, a front end and a back end firewall. I experimented and enabled unbound on just the front end while keeping dnsmasq enabled on the back end and that fixed my problem. Does this mean that it is not recommended to enable unbound on both firewalls?

              kejianshi

              I'd think that means you have some issue with your pfsense setup on the back end.  I see no reason why it shouldn't work on the front and back end unless something is not correctly configured elsewhere. You can break it with block rules and things like that.  Doing relay from your front end should be no problem though.  That's perfectly valid and should work very well - It just shouldn't be required.

                kevindd992002

                Another clarification on my mind: is it accurate that when you enable forwarding with Unbound, it will never use the root hints?

                  kejianshi

                  Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.

                    kevindd992002

                    @kejianshi:

                    Let's say you are forwarding from 8.8.8.8 or your ISP's DNS - No, it would be using the root DNS servers.

                    Is that a "from" or a "to" 8.8.8.8 or my ISP's DNS server? In any case, if you enable forwarding, regardless of what IP address you are forwarding to, it still disables the root hints, right?

                      phil.davis

                      Forwarding mode should forward all requests to the designated upstream DNS server/s.
                      Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
                      That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)

                      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
                      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

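                      As an added example that is not from any poster in this thread, the following unbound.conf ties together johnpoz's points (forwarder mode, not listening on ALL interfaces), kejianshi's point (DNSSEC validation works through a forwarder only if the upstream passes DNSSEC records) and phil.davis's point (a catch-all forward-zone means the root servers are never consulted). The LAN address 192.168.1.1, the 192.168.1.0/24 subnet and the file paths are assumptions; pfSense generates its own version of this file from the GUI.

```conf
# Added example (not from any poster in this thread). LAN address,
# subnet and file paths are illustrative assumptions.
server:
    # Listen on the LAN side and loopback only, never "ALL" (which
    # would include WAN). 192.168.1.1 is a constructed LAN address.
    interface: 192.168.1.1
    interface: 127.0.0.1
    port: 53

    # Answer only local clients; refuse everything else.
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse

    # DNSSEC validation. The upstream forwarder must return the DNSSEC
    # records (Google Public DNS does; many ISP resolvers do not), or
    # validation will fail and answers will be SERVFAIL'd.
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes
    val-permissive-mode: no

    # Root hints are loaded but never used while the "." forward-zone
    # below is active and forward-first is off.
    root-hints: "/var/unbound/root.hints"

# Forward everything to Google Public DNS. Because the zone is ".",
# no query is resolved iteratively against the root or TLD servers,
# so outbound 53 only needs to reach 8.8.8.8 and 8.8.4.4.
forward-zone:
    name: "."
    forward-addr: 8.8.8.8
    forward-addr: 8.8.4.4
    # "no" = never fall back to full recursion (the root hints) when the
    # forwarders fail. This is the Unbound analogue of the Windows DNS
    # "use root hints if no forwarders are available" box being
    # unchecked. Only set "yes" if outbound 53 to the roots is allowed.
    forward-first: no
```

With this file, `unbound-checkconf` validates the syntax, and a query for a signed zone should come back with the AD flag set while the same query to the ISP's resolver may not.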
                        kevindd992002

                        @phil.davis:

                        Forwarding mode should forward all requests to the designated upstream DNS server/s.
                        Thus there will be no reason for Unbound to ever consult the root servers, because it never does a recursive resolve when in forwarding mode.
                        That is the theory. Of course there might be "bugs/features" in the code that result in some talking to root servers even when forwarding mode is on - you would have to audit the code and test to really know that :)

                        Got it! I was just thinking that it's like the DNS server in Windows Server wherein there's a checkbox for "use root hints if no forwarders are available" under the forwarders tab.

                        And by the way, can you guys help me out in another thread? I decided to separate it here: https://forum.pfsense.org/index.php?topic=88164.msg486107#msg486107

                        Thanks.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.