DNS - Removing Service Provider Defauits

Derelict

That's great, but there is a lot more to it than that.

Is the resolver in resolver or forwarding mode?

If it is in resolver mode, then your selected DNS servers will not be used in any capacity other than for queries made by the firewall itself.

Client queries to your resolver will start at the roots and work down to resolve all names not already in its cache.

CaladorGCS

@Derelict:

That's great, but there is a lot more to it than that.

Is the resolver in resolver or forwarding mode?

If it is in resolver mode, then your selected DNS servers will not be used in any capacity other than for queries made by the firewall itself.

Client queries to your resolver will start at the roots and work down to resolve all names not already in its cache.

Under - System > General Setup> DNS Server Settings
DNS Server Override is checked
Disable DNS Forwarder is unchecked

Under - Services > DNS Forwarder > General DNS Forwarder Options
Enable DNS forwarder is unchecked

Under - Services > DNS Resolver > General Settings > General DNS Resolver Options
Enable DNS forwarder is checked

Derelict

One more piece. What DNS servers are you telling your inside clients to use? This is in the DHCP servers or static client configurations.

Bottom line is if you are using the Resolver you might as well just give up trying to use "highest-performing" DNS servers. The resolver will use what the internet tells it to use. If you are using either DNS resolver or forwarder, once something is in the cache it will be given to inside clients nearly-instantaneously anyway. This probably falls into the "don't overthink it" category.

CaladorGCS

@Derelict:

One more piece. What DNS servers are you telling your inside clients to use? This is in the DHCP servers or static client configurations.

Bottom line is if you are using the Resolver you might as well just give up trying to use "highest-performing" DNS servers. The resolver will use what the internet tells it to use. If you are using either DNS resolver or forwarder, once something is in the cache it will be given to inside clients nearly-instantaneously anyway. This probably falls into the "don't overthink it" category.

I didn't input any DNS servers on that list, just left them all blank.

CaladorGCS

1st image -    System > General Setup > DNS Server Settings

2nd image -  Services > DHCP Server > LAN > Server

ptt

Just "Uncheck"  Allow DNS server list to be overridden by DHCP/PPP on WAN

Derelict

It is up to you how to design your DNS. What is it you are looking for? What are you looking to accomplish?

CaladorGCS

Nice, that definitely took care of them!
DNS server(s)

127.0.0.1
  63.251.129.1
  68.105.28.11
  156.154.71.22
  8.8.8.8

Mostly just trying to get as secure as possible without affecting the speed I love so much.

Thank you so much! For your time and patience!

CaladorGCS

@Derelict:

It is up to you how to design your DNS. What is it you are looking for? What are you looking to accomplish?

I need to read up more on the different DNS setups so I can really figure that out. "Secure as possible without affecting the speed" sounds too general for what your asking.

TS_b

https://calomel.org/unbound_dns.html

CaladorGCS

@TS_b:

https://calomel.org/unbound_dns.html

Thank you!