What is resolving DNS?
-
Hi
I have DNS Resolver installed and running, I don't have DNS Forwarder enabled.
My dashboard shows: DNS server(s)
127.0.0.1
212.159.6.10
212.159.6.9
8.8.8.8
8.8.4.4
In Diagnostics I have done a DNS lookup to google.com, I get:
127.0.0.1 0 msec
212.159.6.10 15 msec
212.159.6.9 11 msec
8.8.8.8 14 msec
8.8.4.4 13 msec
Does that suggest that DNS Resolver in pfSense isn't looking up the DNS and the external servers are used?
Is it better for pfSense to resolve or rely on the external servers?
Thanks
-
Does that suggest that DNS Resolver in pfSense isn't looking up the DNS and the external servers are used?
Yes. pfSense uses whatever you provide under System - General Setup - DNS Server Settings for its own lookups. Resolver is used to service clients' DNS requests.
-
It's basically the same for every operating system: every system autonomously queries the DNS resolvers it is configured to use for its own DNS resolution. In the case of just about every UNIX/UNIX-like system the resolvers are set in /etc/resolv.conf and no other resolvers are used. If you have a DNS resolver running on the system but it's not in /etc/resolv.conf (usually a 127.0.0.1 entry) there has to be one or more upstream resolvers in /etc/resolv.conf for DNS resolution to work locally.
-
If you're running the resolver then these are pointless
212.159.6.10
212.159.6.9
8.8.8.8
8.8.4.4
If you're running the resolver then really the only thing you should have listed in pfSense for DNS is the loopback address 127.0.0.1
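The point of this post and the one above it (the firewall's own lookups go to whatever is in /etc/resolv.conf, and with the resolver running only 127.0.0.1 belongs there) can be checked mechanically. The following is an added example, not code from the thread or from pfSense: a small Python audit of a resolv.conf-style nameserver list. The sample file is constructed to match the five servers on the original poster's dashboard, and the three-server limit is the MAXNS constant of the BSD libc and glibc stub resolvers.

```python
"""Audit a resolv.conf-style nameserver list (added example, not from the thread).

pfSense writes the servers entered under System > General Setup into
/etc/resolv.conf, and the firewall's own lookups go to those servers
directly, not through Unbound. This reports which servers the stub
resolver will actually use and flags a local resolver listed next to
external servers, the configuration johnpoz calls pointless.
"""
import ipaddress

# BSD libc and glibc stub resolvers read at most this many nameserver lines.
MAXNS = 3

# Constructed sample: the five servers shown on the first post's dashboard.
SAMPLE = """# constructed resolv.conf matching the original poster's dashboard
nameserver 127.0.0.1
nameserver 212.159.6.10
nameserver 212.159.6.9
nameserver 8.8.8.8
nameserver 8.8.4.4
"""

# What the thread recommends when the resolver is running on the firewall.
RECOMMENDED = "nameserver 127.0.0.1\n"


def parse_resolv_conf(text):
    """Return nameserver addresses in file order; comments and other keys are ignored."""
    servers = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].split(";", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if parts[0] == "nameserver" and len(parts) >= 2:
            try:
                servers.append(str(ipaddress.ip_address(parts[1])))
            except ValueError:
                pass  # malformed address: the stub resolver skips it as well
    return servers


def audit(text):
    """Describe what the stub resolver will do with this file and flag problems."""
    listed = parse_resolv_conf(text)
    used = listed[:MAXNS]
    loopback = [s for s in used if ipaddress.ip_address(s).is_loopback]
    external = [s for s in used if not ipaddress.ip_address(s).is_loopback]
    findings = []
    if not listed:
        findings.append("no nameserver lines: local resolution will fail")
    if len(listed) > MAXNS:
        findings.append(
            f"{len(listed) - MAXNS} nameserver line(s) beyond the first {MAXNS} are ignored")
    if loopback and external:
        findings.append(
            "local resolver is listed together with external servers: the firewall's "
            "own lookups can be answered by those servers directly, bypassing the resolver")
    return {"listed": listed, "used": used, "findings": findings}


if __name__ == "__main__":
    for name, text in (("dashboard", SAMPLE), ("recommended", RECOMMENDED)):
        report = audit(text)
        print(name, "uses", report["used"])
        for finding in report["findings"]:
            print("  -", finding)
```

Run it as-is and it reports that only the first three dashboard servers are consulted and that the loopback entry is mixed with external ones, while the single-line recommended file produces no findings. Point `audit()` at the contents of a real /etc/resolv.conf to check a live box.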
-
If you're running the resolver then these are pointless
212.159.6.10
212.159.6.9
8.8.8.8
8.8.4.4
If you're running the resolver then really the only thing you should have listed in pfSense for DNS is the loopback address 127.0.0.1
Ok, just when you think you have it sussed - you realise you don't… :-\
So how does the DNS resolver know where to look to resolve DNS queries then? I mean - if you don't specify an external DNS server - where's it looking to resolve external addresses? (Is this the "root" DNS servers that I see mentioned, and wouldn't this be less secure than say a VPN's DNS servers?)
If you set System - General Setup - DNS Server Settings to 127.0.0.1 you're telling pfSense to use itself for DNS aren't you?
What if you wanted to use a specific DNS server for lookups?
-
If you're running the resolver then these are pointless
212.159.6.10
212.159.6.9
8.8.8.8
8.8.4.4
If you're running the resolver then really the only thing you should have listed in pfSense for DNS is the loopback address 127.0.0.1
Ok, just when you think you have it sussed - you realise you don't… :-\
So how does the DNS resolver know where to look to resolve DNS queries then? I mean - if you don't specify an external DNS server - where's it looking to resolve external addresses? (Is this the "root" DNS servers that I see mentioned, and wouldn't this be less secure than say a VPN's DNS servers?)
If you set System - General Setup - DNS Server Settings to 127.0.0.1 you're telling pfSense to use itself for DNS aren't you?
What if you wanted to use a specific DNS server for lookups?
Local DNS resolution and a DNS resolver are two completely separate things, don't mix them up. For the local DNS resolution only the resolvers listed in /etc/resolv.conf are used, that's all there is. For a resolver you have two choices, forwarding mode and non-forwarding mode. In forwarding mode (with Unbound in pfSense set the forwarding mode option) the resolver is configured to forward all of the queries to upstream resolvers, for example 8.8.8.8 and 8.8.4.4, and the resolver does not need to contact the root servers at all. In non-forwarding mode the resolver will "walk the tree" for every query starting from the root servers and proceeding down the hierarchy until it comes down to an authoritative nameserver for the full domain part of the FQDN it is trying to resolve.
If you want to use a specific DNS server for lookups you need to use a resolver in forwarding mode. For local resolution you're already doing this regardless of what you have in /etc/resolv.conf. The local resolver can only forward to a forwarder.
What might confuse you slightly is that the forwarders set at System->General Setup are actually used for both local resolution set in /etc/resolv.conf and also for the unbound resolver (and for the other resolver dnsmasq if used) if it's used in forwarding mode. It is documented in the GUI but you might miss it:
Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients. In addition, optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway.
-
@kpa:
Local DNS resolution and a DNS resolver are two completely separate things, don't mix them up. For the local DNS resolution only the resolvers listed in /etc/resolv.conf are used, that's all there is. For a resolver you have two choices, forwarding mode and non-forwarding mode. In forwarding mode (with Unbound in pfSense set the forwarding mode option) the resolver is configured to forward all of the queries to upstream resolvers, for example 8.8.8.8 and 8.8.4.4, and the resolver does not need to contact the root servers at all. In non-forwarding mode the resolver will "walk the tree" for every query starting from the root servers and proceeding down the hierarchy until it comes down to an authoritative nameserver for the full domain part of the FQDN it is trying to resolve.
If you want to use a specific DNS server for lookups you need to use a resolver in forwarding mode. For local resolution you're already doing this regardless of what you have in /etc/resolv.conf. The local resolver can only forward to a forwarder.
What might confuse you slightly is that the forwarders set at System->General Setup are actually used for both local resolution set in /etc/resolv.conf and also for the unbound resolver (and for the other resolver dnsmasq if used) if it's used in forwarding mode. It is documented in the GUI but you might miss it:
Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS forwarder and for PPTP VPN clients. In addition, optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway.
Ok,
That's not far off my understanding then by the sound of it and thanks for the info.
In the resolver if I have the forwarding mode checked then it will use the System - General Setup - DNS Server Settings for its lookups to resolve external DNS queries like google.com etc.
If I don't have that checked (and this is the bit I didn't understand) the resolver will instead "walk the tree" for every query starting from root servers. Which I assume are the internet root servers.
Therefore, contrary to what johnpoz said above, if I WANTED to use a VPN provided DNS server then I would want to configure it under System - General Setup - DNS Server Settings and I would check the forwarding mode within DNS resolver.
I do just wonder now why it would be recommended by someone as knowledgeable as johnpoz to use root servers over a specific DNS server, like a VPN provided DNS. (From a security point of view).
-
Using the root servers is always more secure because you're getting the answers straight from the authoritative servers; with any forwarder you have an additional question to answer, and that is whether you trust the forwarder to give you trustworthy answers.
-
"if i WANTED to use a VPN provided DNS server then i would want to configure it under System"
You can have your resolver use the VPN connection to "walk the tree down from roots", which is always better as mentioned. I fail to understand this fascination with forwarding DNS queries to something specific.. It is not any more secure, and now you're just for sure handing off all your DNS queries to whoever runs that forwarder. So if your tinfoil hat is that tight.. Why would you forward all queries to your VPN provided DNS??
-
"if i WANTED to use a VPN provided DNS server then i would want to configure it under System"
You can have your resolver use the VPN connection to "walk the tree down from roots", which is always better as mentioned. I fail to understand this fascination with forwarding DNS queries to something specific.. It is not any more secure, and now you're just for sure handing off all your DNS queries to whoever runs that forwarder. So if your tinfoil hat is that tight.. Why would you forward all queries to your VPN provided DNS??
Maybe because we don't know any better and we are trying to learn by trying… :D
But the reason I went down the DNS forwarding path was that when I:
Disable DNS forwarding
Select my VPN Gateway and localhost as the Outgoing Network Interfaces in DNS Resolver
System Domain Local Zone Type - Static
DNSSEC - Checked
Register DHCP leases in the DNS Resolver - Checked
&
Register DHCP static mappings in the DNS Resolver - Checked
When I use a DNS leak test it's going to both my VPN and my ISP's DNS servers if I try a test like https://www.grc.com/dns/dns.htm
I see my WAN address appear in the results as a DNS server... Is this because my WAN address is "my router" as far as my browser sees it?
(Nothing is configured under System / General / DNS when this is configured either.)
-
I am all for learning.. First step is not to freak out with these hype words like DNS leak. Think about the big picture here.. You provide more personal information when you go to the store and use your CC than any possible DNS leak ;)
So unless you're only using CASH, and wearing a mask whenever you go outside, and also using body type alteration clothing.. And for that matter changing up how you walk even - you provide so much information about yourself all the time.. Why are you worried if your ISP knows you did a query to go to amazon.com or pfsense.com??
How many cameras a day do you think see your face? Do you have automatic tolling where you live.. The black helicopters know exactly when I drive through every toll booth. They can track you from your phone where you're at pretty much every minute of every day. But for some reason, using your ISP for DNS is some sort of security issue??? Just freaking blows my mind…
Do you have allow dhcp to override your dns?
-
I am all for learning.. First step is not to freak out with these hype words like DNS leak. Think about the big picture here.. You provide more personal information when you go to the store and use your CC than any possible DNS leak ;)
So unless you're only using CASH, and wearing a mask whenever you go outside, and also using body type alteration clothing.. And for that matter changing up how you walk even - you provide so much information about yourself all the time.. Why are you worried if your ISP knows you did a query to go to amazon.com or pfsense.com??
How many cameras a day do you think see your face? Do you have automatic tolling where you live.. The black helicopters know exactly when I drive through every toll booth. They can track you from your phone where you're at pretty much every minute of every day. But for some reason, using your ISP for DNS is some sort of security issue??? Just freaking blows my mind…
Do you have allow dhcp to override your dns?
No freak-outs occurring mate - it's more that I want to understand why what I am doing is not having the results I expected it to have - nothing more - like I said - learning is what it's all about.
Do you have allow DHCP to override your DNS? - That's a no.
Just to clarify - I made a mistake above and was changing it with an edit - when you posted.
I meant to say :-
When I use a DNS leak test it shows 2 results, both my VPN and my ISP's gateways (not DNS Server as I had earlier) if I try a test like https://www.grc.com/dns/dns.htm
Specifically, I see my WAN address appear in the results as a DNS server… Is this because my WAN address is "my router" as far as my browser sees it?
I didn't expect to see my WAN address there - only the VPN one.
-
Thanks for the replies.
"Yes. pfSense uses whatever you provide under System - General Setup - DNS Server Settings for its own lookups. Resolver is used to service clients DNS requests."
Does this mean clients using my pfSense as the DNS server will be using DNS Resolver, which is doing the lookup, or is it using the servers listed?
I don't have forwarding mode enabled.
Thanks
-
"I see my WAN address appear in the results as a DNS server.."
You see your WAN IP here because, as a resolver, this is what did the query to the authoritative DNS server for the domain they are using in the test to see where the query comes from..
If you had your resolver set up to only use your VPN connection for the outgoing queries then that is the IP you would have seen as the DNS server, because that is what their DNS would have seen the query come from when it hit their DNS server.. Also keep in mind they are asking the machine you are running the test from.. So do you have more than just pfSense listed as your DNS on this computer you ran the test from?
These so-called DNS leak tests are nothing more than telling the client to query something specific that would not be cached, and then looking at where the query came from on the authoritative server for that record. Since you are resolving and walking down the tree from roots to find that authoritative NS for what you're looking for - yes your WAN IP would be the source of that query.
If you want to have it use your VPN connection.. Then set the resolver's outbound interface to your VPN interface.. So for example here I ran the DNS test you linked to.. Notice the first test shows my actual WAN IP.. Oh noes I replied to a ping ;) Really this is such scare tactics..
I then changed the resolver to use my VPN connection I have to one of my many VPS I run.. This one happens to also be an authoritative NS for one of my domains I use for testing signing DNSSEC, etc. and other related stuff to DNS. I normally would not suggest anyone run their own public DNS.. But this is only a test domain that I use for playing with setting up DNSSEC - be amazed how few registrars actually support it. From my understanding it's a requirement to be an accredited registrar.. Real shame really - if they made it easier to set up maybe more domains would be using it.
Anyhoo - I then ran the test again and you can see it now shows my dns is my vpn IP.. And now it complains that my IP that I was coming from rejected their dns queries - well yeah it did they sure didn't do a query for something its authoritative for ;)