DNS - Removing Service Provider Defaults
-
Are you using the DNS Forwarder or the DNS Resolver?
You can prevent ISP/DHCP DNS servers from being added to the list of DNS servers used by the firewall itself and the DNS Resolver (in forwarding mode) or the DNS Forwarder by unchecking "DNS Server Override" in System > General Setup.
You have to figure out how you want your DNS to work and can either configure your chosen DNS servers for direct use by the clients (in the DHCP server configuration) or for use by the DNS Forwarder (or the Resolver in forwarding mode) (in System > General Setup).
If the clients are set to use pfSense as their DNS server and the Resolver is in Resolver mode, it will query the internet from the root down to fill its cache, but it won't use your configured list of servers.
There are a lot of different ways to configure this and one might be completely wrong for certain circumstances and perfect for others.
-
Thank you, this was of great help! And… to answer your question, I'm using the DNS Resolver.
-
That's great, but there is a lot more to it than that.
Is the resolver in resolver or forwarding mode?
If it is in resolver mode, then your selected DNS servers will not be used in any capacity other than for queries made by the firewall itself.
Client queries to your resolver will start at the roots and work down to resolve all names not already in its cache.
-
Under - System > General Setup > DNS Server Settings
DNS Server Override is checked
Disable DNS Forwarder is unchecked
Under - Services > DNS Forwarder > General DNS Forwarder Options
Enable DNS forwarder is unchecked
Under - Services > DNS Resolver > General Settings > General DNS Resolver Options
Enable DNS forwarder is checked
-
One more piece. What DNS servers are you telling your inside clients to use? This is in the DHCP servers or static client configurations.
Bottom line is, if you are using the Resolver you might as well just give up trying to use "highest-performing" DNS servers. The resolver will use what the internet tells it to use. If you are using either the DNS Resolver or the Forwarder, once something is in the cache it will be given to inside clients nearly instantaneously anyway. This probably falls into the "don't overthink it" category.
-
I didn't input any DNS servers on that list, just left them all blank.
-
1st image - System > General Setup > DNS Server Settings
2nd image - Services > DHCP Server > LAN > Server
-
Just "Uncheck" Allow DNS server list to be overridden by DHCP/PPP on WAN
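The replies above boil down to two questions: is Unbound in resolver or forwarding mode, and is the firewall itself still picking up DHCP/PPP-learned upstreams because "DNS Server Override" was left checked? This added shell script (not from the thread or from pfSense) answers both from the generated config files; the paths /etc/resolv.conf and /var/unbound/unbound.conf are assumed pfSense defaults, and both file contents are constructed samples embedded inline so it runs offline.

```shell
#!/bin/sh
# Added example, not pfSense code: classify a box's DNS setup from its
# generated config files. Assumed pfSense paths (not read here):
#   /etc/resolv.conf          - upstreams the firewall itself queries
#   /var/unbound/unbound.conf - DNS Resolver (Unbound) configuration

# Constructed sample: firewall asks itself plus one DHCP-learned ISP server,
# which is what a still-checked "DNS Server Override" produces.
RESOLV_CONF='nameserver 127.0.0.1
nameserver 203.0.113.53
search example.lan'

# Constructed sample: Unbound with a catch-all forward-zone (forwarding mode).
UNBOUND_CONF='server:
  interface: 127.0.0.1
forward-zone:
  name: "."
  forward-addr: 9.9.9.9'

# Print every upstream other than the local resolver; empty output means the
# firewall only asks its own Resolver/Forwarder.
external_upstreams() {
    printf '%s\n' "$1" | awk '$1=="nameserver" && $2!="127.0.0.1" && $2!="::1" {print $2}'
}

# "forwarding" if a forward-zone for the root (".") exists, else "resolver".
# In resolver mode the System > General list is not used for client queries;
# Unbound walks down from the root servers on its own.
unbound_mode() {
    if printf '%s\n' "$1" | awk '
        /^forward-zone:/   {inzone=1; next}
        /^[^[:space:]]/    {inzone=0}
        inzone && $1=="name:" && $2=="\".\"" {found=1}
        END {exit !found}'; then
        echo forwarding
    else
        echo resolver
    fi
}

# One-line verdict combining both checks.
report() {
    mode=$(unbound_mode "$2")
    extras=$(external_upstreams "$1")
    if [ -n "$extras" ]; then
        echo "mode=$mode firewall_upstreams=$(printf '%s' "$extras" | tr '\n' ' ')"
    else
        echo "mode=$mode firewall_upstreams=none"
    fi
}

report "$RESOLV_CONF" "$UNBOUND_CONF"
```

On a real box, replace the two sample strings with `$(cat /etc/resolv.conf)` and `$(cat /var/unbound/unbound.conf)`; any address other than 127.0.0.1 in the first result that you did not type into System > General Setup is the ISP default the thread is about.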
-
It is up to you how to design your DNS. What is it you are looking for? What are you looking to accomplish?
-
Nice, that definitely took care of them!
DNS server(s):
127.0.0.1
63.251.129.1
68.105.28.11
156.154.71.22
8.8.8.8
Mostly just trying to get as secure as possible without affecting the speed I love so much.
Thank you so much! For your time and patience!
-
I need to read up more on the different DNS setups so I can really figure that out. "Secure as possible without affecting the speed" sounds too general for what you're asking.
-