Netgate Discussion Forum

    DNS Forwarder vs DNS Resolver pfSense 2.2

    DHCP and DNS
    22 Posts 12 Posters 47.8k Views
    NOYB

      The question I've been curious about but haven't bothered to ask yet, and here now seems like maybe as good a time to bring it up as any. With DNS resolver mode set to use root servers… what is the need, use, etc. of the specified DNS list in System General Setup?

      kejianshi

        For me, none.

        kevindd992002

          Another thing is that it is stated in the pfsense FAQ that forwarding mode is necessary for multi-wan configurations. Why is that if unbound will query the list of DNS servers in the general page sequentially anyway?

          MikeV7896

            @NOYB:

            The question I've been curious about but haven't bothered to ask yet, and here now seems like maybe as good a time to bring it up as any. With DNS resolver mode set to use root servers… what is the need, use, etc. of the specified DNS list in System General Setup?

            I think that list still serves as a fallback for pfSense itself, in the event that Unbound crashes or stops responding for some reason. I keep the Google DNS servers in that list just in case… the resolv.conf shows 127.0.0.1, followed by the two Google DNS servers. Of course, the rest of my network still won't have DNS resolution if Unbound were to fail for some reason, but at least pfSense would be able to resolve outside hosts.

            The S in IOT stands for Security

            doktornotor

              Yeah I would strongly suggest leaving some known working DNS servers there, independent of the DNS forwarder/resolver in pfSense. Without any DNS available, things just slow down to a crawl when trying to do something in the web GUI.

              kejianshi

                Just in case all of the root DNS servers go down but the rest of the internet is doing fine?  haha

                doktornotor

                  No, just in case unbound crashes or fails to start… as said above.

                  kejianshi

                    I've had really unpredictable results with "hedging my bets" when it comes to DNS.  Seems like an all-or-nothing game or else super flaky.

                    I removed my reliable backup servers from that list precisely because it made things dodgy.

                    Take with a grain of salt of course since this is just one lone person's perhaps unique experience.

                    kevindd992002
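The posts above describe two different things happening when Unbound is gone: pfSense itself falls back to the next server in resolv.conf, but only after the stub resolver has given up on 127.0.0.1. The following is an added example, not pfSense or FreeBSD code, that models that failover with a virtual clock. The resolv.conf text, the server behaviours and the timings are constructed; the model distinguishes a "refused" server (nothing listening on the port, so the failure is immediate) from a "silent" one (listening but hung, so each attempt waits out the full timeout), and it simplifies the real libresolv retry logic, which also backs off timeouts between rounds.

```python
"""Model of a libc stub resolver failing over between the nameservers
listed in /etc/resolv.conf. Added example with constructed inputs; not
pfSense or FreeBSD code. Simplifications: 'attempts' outer rounds over all
servers in order, a fixed per-attempt timeout, no timeout backoff."""

# Constructed resolv.conf, mirroring the 127.0.0.1-then-Google layout
# described in the thread.
RESOLV_CONF = """
nameserver 127.0.0.1
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

RESOLV_CONF_NO_FALLBACK = "nameserver 127.0.0.1\n"


def parse_resolv_conf(text):
    """Return (servers, timeout_seconds, attempts). Defaults are the
    libresolv ones (timeout 5 s, 2 attempts) unless 'options' overrides."""
    servers, timeout, attempts = [], 5, 2
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        key, *rest = line.split()
        if key == "nameserver" and rest:
            servers.append(rest[0])
        elif key == "options":
            for opt in rest:
                name, _, val = opt.partition(":")
                if name == "timeout" and val.isdigit():
                    timeout = int(val)
                elif name == "attempts" and val.isdigit():
                    attempts = int(val)
    return servers, timeout, attempts


def stub_lookup(resolv_text, behaviour):
    """behaviour maps server -> ("answer", value) | ("refused",) | ("silent",).
    Unlisted servers are treated as silent. Returns
    (answer or None, virtual seconds spent waiting, server that answered)."""
    servers, timeout, attempts = parse_resolv_conf(resolv_text)
    elapsed = 0
    for _ in range(attempts):
        for ns in servers:
            kind = behaviour.get(ns, ("silent",))
            if kind[0] == "answer":
                return kind[1], elapsed, ns
            if kind[0] == "silent":
                elapsed += timeout       # waited out the whole attempt
            # "refused": ICMP port unreachable, move on immediately
    return None, elapsed, None


GOOGLE_ANSWERS = {"8.8.8.8": ("answer", "203.0.113.10"),
                  "8.8.4.4": ("answer", "203.0.113.10")}


def scenarios():
    """Four constructed situations for the same query. Returns
    name -> (answer, seconds waited, server used)."""
    return {
        "unbound healthy": stub_lookup(
            RESOLV_CONF, {"127.0.0.1": ("answer", "203.0.113.10"), **GOOGLE_ANSWERS}),
        "unbound crashed (port closed)": stub_lookup(
            RESOLV_CONF, {"127.0.0.1": ("refused",), **GOOGLE_ANSWERS}),
        "unbound hung (no reply)": stub_lookup(
            RESOLV_CONF, {"127.0.0.1": ("silent",), **GOOGLE_ANSWERS}),
        "unbound hung, no fallback servers": stub_lookup(
            RESOLV_CONF_NO_FALLBACK, {"127.0.0.1": ("silent",)}),
    }


if __name__ == "__main__":
    for name, (answer, waited, server) in scenarios().items():
        print(f"{name:36s} answer={answer} waited={waited}s via={server}")
```

Reading the four cases together explains both sides of the disagreement: with Unbound crashed outright the fallback answers at once, with Unbound hung every single query first pays the timeout on 127.0.0.1 (the "dodgy" experience), and with no fallback at all the query only fails after every attempt has timed out (the "slow to a crawl" GUI).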

                      Any thoughts on my question above?

                      dericd

                        A DNS forwarder is supposed to forward DNS requests to a resolver. A DNS resolver does the actual name resolution by checking root servers and following the NS chain to the target DNS server that is responsible for the requested hostname/zone.

                        So it would seem that sequence of the resolvers and such would have no impact because they are irrelevant in this case.

                        sstretchh

                          @dericd:

                          A DNS forwarder is supposed to forward DNS requests to a resolver. A DNS resolver does the actual name resolution by checking root servers and following the NS chain to the target DNS server that is responsible for the requested hostname/zone.

                          So it would seem that sequence of the resolvers and such would have no impact because they are irrelevant in this case.

                          So do you have both set up? What port did you use for each, since you can't use the same port for resolver and forwarder? Just trying to figure out how to go about using both.

                          Ecnerwal

                            It's an either/or, not both thing. The resolver should be faster for most cases as it's serving locally from limited queries to the outside world (first time a name is asked for or when the TTL expires and it rechecks), rather than constantly querying the outside world.

                            pfSense on i5 3470/DQ77MK/16GB/500GB

                            sstretchh
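dericd's and Ecnerwal's posts above describe the mechanism; the following added example (not pfSense or Unbound code) models it so the difference in outside-world traffic can be counted. The server addresses, zone contents and TTLs are constructed; the iterative resolver starts at a made-up root server and follows NS referrals using glue, while the forwarder hands each cache miss to an upstream resolver as one query. Both cache by TTL, which is the point Paul47 raises further down: caching is not what separates the two modes, the walk to the authoritative server is.

```python
"""Toy model of a DNS forwarder versus an iterative (recursive) resolver,
each with a TTL-based cache. Added example with constructed data; not
pfSense or Unbound code."""
import time

# Constructed authoritative data keyed by a made-up server address.
# Each server holds owner name -> list of (rtype, rdata, ttl).
ROOT_SERVER = "198.51.100.1"
AUTH_SERVERS = {
    ROOT_SERVER: {                        # "root": delegates example.
        "example.":          [("NS", "ns.example.", 172800)],
        "ns.example.":       [("A", "198.51.100.2", 172800)],   # glue
    },
    "198.51.100.2": {                     # example.: delegates corp.example.
        "corp.example.":     [("NS", "ns.corp.example.", 86400)],
        "ns.corp.example.":  [("A", "198.51.100.3", 86400)],    # glue
    },
    "198.51.100.3": {                     # corp.example. authoritative server
        "www.corp.example.": [("A", "203.0.113.80", 300)],
    },
}


def query_authoritative(server, qname):
    """One simulated A query. Returns ("answer", [addrs], ttl),
    ("referral", next_server) or ("nxdomain",)."""
    zone = AUTH_SERVERS[server]
    a_records = [(v, ttl) for t, v, ttl in zone.get(qname, []) if t == "A"]
    if a_records:
        return ("answer", [v for v, _ in a_records], min(ttl for _, ttl in a_records))
    labels = qname.split(".")
    for i in range(1, len(labels) - 1):   # most specific delegated parent first
        parent = ".".join(labels[i:])
        ns_names = [v for t, v, _ in zone.get(parent, []) if t == "NS"]
        glue = [v for t, v, _ in zone.get(ns_names[0], []) if t == "A"] if ns_names else []
        if glue:
            return ("referral", glue[0])
    return ("nxdomain",)


class IterativeResolver:
    """Resolver in the thread's sense: starts at the root, follows the NS
    chain itself and caches the final answer for its TTL."""

    def __init__(self, clock=time.monotonic):
        self.clock = clock
        self.cache = {}          # qname -> (addrs, expiry time)
        self.queries_sent = 0    # queries to the outside world

    def lookup(self, qname):
        """Returns (addrs, remaining_ttl); ([], 0) for NXDOMAIN."""
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            return hit[0], int(hit[1] - self.clock())
        server = ROOT_SERVER
        for _ in range(16):      # hop limit: a broken delegation loop must not spin
            self.queries_sent += 1
            reply = query_authoritative(server, qname)
            if reply[0] == "answer":
                addrs, ttl = reply[1], reply[2]
                self.cache[qname] = (addrs, self.clock() + ttl)
                return addrs, ttl
            if reply[0] == "referral":
                server = reply[1]
                continue
            return [], 0         # negative caching deliberately omitted
        raise RuntimeError("delegation chain too long")


class Forwarder:
    """Forwarder: also caches, but a miss is a single query to the upstream
    resolver, which does the NS-chain walk on its behalf."""

    def __init__(self, upstream, clock=time.monotonic):
        self.upstream = upstream
        self.clock = clock
        self.cache = {}
        self.queries_sent = 0    # queries to the upstream

    def lookup(self, qname):
        hit = self.cache.get(qname)
        if hit and hit[1] > self.clock():
            return hit[0], int(hit[1] - self.clock())
        self.queries_sent += 1
        addrs, ttl = self.upstream.lookup(qname)
        if addrs:
            self.cache[qname] = (addrs, self.clock() + ttl)
        return addrs, ttl


def compare_modes(clock):
    """Look the same name up twice, then again after its 300 s TTL has
    expired, in both modes; returns the outside-world query counts."""
    name = "www.corp.example."
    resolver = IterativeResolver(clock)
    forwarder = Forwarder(IterativeResolver(clock), clock)
    start = clock()
    for _ in range(2):
        resolver.lookup(name)
        forwarder.lookup(name)
    while clock() <= start + 300:         # wait for the TTL to run out
        time.sleep(0) if clock is time.monotonic else None
        if clock is not time.monotonic:
            break
    return {"resolver": resolver.queries_sent,
            "forwarder_to_upstream": forwarder.queries_sent,
            "upstream_of_forwarder": forwarder.upstream.queries_sent}
```

With the constructed data a cold lookup costs the resolver three queries (root, example., corp.example.) and the forwarder one, and a second lookup within the TTL costs both nothing; the forwarder's saving is only that someone else did the walk, which is exactly the trade sstretchh's "DNS Query Forwarding" option makes.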

                              Ahh, I didn't notice till I looked at the settings again that the resolver has a button for DNS Query Forwarding… oops, that should help speed things up.

                              Paul47

                                The resolver should be faster for most cases as it's serving locally from limited queries to the outside world (first time a name is asked for or when the TTL expires and it rechecks), rather than constantly querying the outside world.

                                Hmmm, I was under the impression that Forwarder also cached requests. The book says, "The DNS Forwarder in pfSense is a caching DNS resolver. " So, is Resolver really going to be faster than Forwarder, since they both cache requests?

                                On https://doc.pfsense.org/index.php/DNS_Forwarder, it notes, "Important Note: This service should not be exposed publicly. Ensure inbound rules on WANs do not allow connections from the Internet to reach the DNS Forwarder service on the firewall." Is that true also for Resolver? Is that done by blocking (rejecting?) access to port 53 (or whichever port is being used) on the WAN? Or is it preferred to use the "Interfaces" section for the Forwarder service setup ("Network Interfaces" in Resolver)  to take care of that?

                                The context for these questions is a simple home router without running any internet server (at the moment).

                                BTW, https://doc.pfsense.org/index.php/Unbound_DNS_Resolver implies both can be running at the same time, although I'm not sure why one would do that. They must use different ports.

                                Paul47
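Paul47's exposure question has two independent controls behind it: the WAN firewall rule the quoted pfSense doc refers to, and the service's own listening interfaces and access-control list. The following added example (not pfSense or Unbound code) checks the second layer statically from an Unbound configuration: whether any `interface:` line binds the WAN address (or the unspecified address, which covers it), and what the `access-control:` list does with a query from an arbitrary Internet source. The configurations and addresses are constructed; the Unbound semantics modelled are that the most specific matching netblock wins and that sources with no matching entry are refused, except localhost, which Unbound allows by default. It does not inspect firewall rules, so a "not exposed" result here still assumes the WAN rule is in place.

```python
"""Static exposure check for an Unbound resolver configuration.
Added example with constructed inputs; not pfSense or Unbound code."""
import ipaddress

# TEST-NET-3 address standing in for "some client on the Internet".
INTERNET_CLIENT = ipaddress.ip_address("203.0.113.5")

# Constructed configurations: the weak one is an open resolver if the WAN
# firewall rule is missing; the hardened one only serves LAN and loopback.
WEAK_CONFIG = """
server:
    interface: 0.0.0.0
    access-control: 0.0.0.0/0 allow
"""

HARDENED_CONFIG = """
server:
    interface: 127.0.0.1
    interface: 192.168.1.1
    access-control: 127.0.0.0/8 allow
    access-control: 192.168.1.0/24 allow
    access-control: 0.0.0.0/0 refuse     # explicit, though it is also the default
"""


def parse_unbound(text):
    """Return (listen_hosts, acl) from interface: and access-control: lines;
    acl is a list of (ip_network, action) in file order."""
    listen, acl = [], []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        key, sep, val = line.partition(":")
        if not sep:
            continue
        key, val = key.strip(), val.strip()
        if key == "interface":
            listen.append(val.split("@", 1)[0])        # "address@port" form
        elif key == "access-control":
            net, action = val.split()
            acl.append((ipaddress.ip_network(net, strict=False), action))
    return listen, acl


def acl_action(acl, src):
    """Unbound picks the most specific matching netblock; with no match,
    localhost is allowed and everything else refused."""
    matches = [(net, act) for net, act in acl
               if net.version == src.version and src in net]
    if not matches:
        return "allow" if src.is_loopback else "refuse"
    return max(matches, key=lambda m: m[0].prefixlen)[1]


def exposure_report(text, wan_address):
    """Does the service listen where the Internet can reach it, and would
    it answer an Internet client? Both must hold for an open resolver."""
    listen, acl = parse_unbound(text)
    wan = ipaddress.ip_address(wan_address)
    listens_on_wan = False
    for host in listen:
        try:
            addr = ipaddress.ip_address(host)
        except ValueError:
            continue        # an interface name rather than an address; not resolved here
        if (addr.is_unspecified and addr.version == wan.version) or addr == wan:
            listens_on_wan = True
    internet_action = acl_action(acl, INTERNET_CLIENT)
    return {
        "listens_on_wan": listens_on_wan,
        "internet_action": internet_action,
        # allow, allow_snoop and allow_setrd all answer the client
        "open_resolver": listens_on_wan and internet_action.startswith("allow"),
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, exposure_report(cfg, "198.51.100.7"))
```

A configuration that binds 0.0.0.0 but only allows RFC 1918 sources reports `listens_on_wan` true and `open_resolver` false: the ACL saves it, but it is still one directive away from being open, which is why the doc quoted above wants the WAN rule as well.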

                                  I found the answer to the "exposure" question here:
                                  https://forum.pfsense.org/index.php?topic=90557.msg500907#msg500907

                                  Jamerson

                                    I am using my domain controller to resolve the DNS requests, and pfSense is using my domain controller as DNS to resolve the requests.
                                    Is using the DNS forwarder and DNS resolver in pfSense going to speed things up?
                                    Thank you.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.