Netgate Discussion Forum

DNS and DNS Resolver questions

Category: DHCP and DNS
16 Posts 3 Posters 5.0k Views

DeltaOne, last edited Apr 19, 2017, 11:50 PM

Okay, I see. You're using the root servers, not your ISP's DNS, not anyone else's.

Are you using the root name servers by turning off "enable forwarding mode" on the DNS Resolver page? (In an earlier message you made it sound like you were using DNS Forwarder because you felt it was more robust).

Again, thanks for the info you've provided. I'm very new at this…my last router was an Apple Airport Extreme. ;-)

iced98lx, last edited Apr 28, 2017, 3:19 AM

@DeltaOne:

Okay, I see. You're using the root servers, not your ISP's DNS, not anyone else's.

Are you using the root name servers by turning off "enable forwarding mode" on the DNS Resolver page? (In an earlier message you made it sound like you were using DNS Forwarder because you felt it was more robust).

Again, thanks for the info you've provided. I'm very new at this…my last router was an Apple Airport Extreme. ;-)

Let's try from a different angle:

If you are using pfSense as a RESOLVER:

pfSense will tell your machines to ask it for all DNS lookups. If it has the address already it will hand it back; if not, it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine.

If you are using pfSense as a FORWARDER:

pfSense will tell your machine to go ask your ISP's (or Google's, or ...) DNS servers for the address. They will either have it, or go ask other servers.

It seems you may be unclear what the benefits of using pfSense as a resolver are?

DeltaOne, last edited Apr 28, 2017, 2:14 PM

@iced98lx:

Let's try from a different angle:
If you are using pfSense as a RESOLVER:
pfSense will tell your machines to ask it for all DNS lookups. If it has the address already it will hand it back; if not, it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine.
If you are using pfSense as a FORWARDER:
pfSense will tell your machine to go ask your ISP's (or Google's, or ...) DNS servers for the address. They will either have it, or go ask other servers.
It seems you may be unclear what the benefits of using pfSense as a resolver are?

Yes…the differences between Forwarder and Resolver weren't clear to me. Your explanation is perfect. Thanks!

iced98lx, last edited Apr 28, 2017, 2:26 PM

Glad it helped, though I think I made a couple of errors in terminology (I don't think the answer you get back when pfSense is a DNS resolver is authoritative, for example; sorry, johnpoz can hopefully correct me), but hopefully it helps you decide whether you want pfSense to be a DNS Resolver or a forwarder, and why johnpoz was on his line of questioning.

johnpoz LAYER 8 Global Moderator, last edited Apr 28, 2017, 2:29 PM

"if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine"

This is not actually how it works.. I already went over how a resolver works..

The resolver will ask roots, hey what is NS for .com, thanks
Hey NS for .com what is NS (name server) for domain.com
Hey NS for domain.com what is the IP of www.domain.com

The only thing that is asked of "roots" is what are the name servers for the TLD; you then walk down the tree, asking in turn each authoritative NS for their portion of the FQDN..

But if you think you understand it now, we can all rest easy ;)

So are you using the resolver or forwarder - what do you want to do now that you understand the difference?

An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.8, 24.11

iced98lx, last edited Apr 28, 2017, 3:58 PM

@johnpoz:

"if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine"

This is not actually how it works.. I already went over how a resolver works..

The resolver will ask roots, hey what is NS for .com, thanks
Hey NS for .com what is NS (name server) for domain.com
Hey NS for domain.com what is the IP of www.domain.com

The only thing that is asked of "roots" is what are the name servers for the TLD; you then walk down the tree, asking in turn each authoritative NS for their portion of the FQDN..

But if you think you understand it now, we can all rest easy ;)

So are you using the resolver or forwarder - what do you want to do now that you understand the difference?

Thank you for correcting me. I certainly poorly shortened the process of the lookup and misrepresented what happens when it's set as a resolver, in an attempt to shorten the understanding to "This block of work will either be handled by pfSense or your chosen external DNS servers (Google etc.)".

johnpoz, would you mind listing a few pros/cons to resolving vs forwarding as you see it? Perhaps caching, DNSSEC? I think many home users, or those of us not as savvy in the DNS world, would appreciate it. I use pfSense as a resolver assuming it takes away other resolvers' propensity to filter/alter requests, as well as for caching, but perhaps I could simplify and just forward. I think this may be the crux of DeltaOne's discussion - I think understanding in what scenarios one might choose to resolve vs forward could be helpful…

DeltaOne, last edited Apr 28, 2017, 7:21 PM

@johnpoz:

So are you using the resolver or forwarder - what do you want to do now that you understand the difference?

Currently using resolver. The last few posts, plus some other reading, make me think the forwarder is a better choice for me. I hope to have some time this weekend to switch from resolver to forwarder.

DeltaOne, last edited Apr 28, 2017, 7:27 PM

@iced98lx:

johnpoz, would you mind listing a few pros/cons to resolving vs forwarding as you see it? Perhaps caching, DNSSEC? I think many home users, or those of us not as savvy in the DNS world, would appreciate it. I use pfSense as a resolver assuming it takes away other resolvers' propensity to filter/alter requests, as well as for caching, but perhaps I could simplify and just forward. I think this may be the crux of DeltaOne's discussion - I think understanding in what scenarios one might choose to resolve vs forward could be helpful…

My goal was to solve a subtle delay I was seeing. I guessed the delay was DNS related. (For the record, the delay was VERY subtle…and maybe was all in my perception? I don't know...)

Some research led me to pfSense's forwarder and resolver. And that led to my initial post ten days ago.

I think, now, my goal is even simpler...the best way to configure pfSense for using either OpenDNS or Google's DNS. Pretty simple setup here...two computers, 3 iPhones, 3 iPads, a few Apple TVs, a few TiVos. That's about it.

johnpoz LAYER 8 Global Moderator, last edited Apr 28, 2017, 7:38 PM

"the best way to configure pfSense for using either OpenDNS or Google's DNS"

If you say so - I wouldn't ever do it that way… But sure, if you think the forwarder is faster/better, have fun..

Me, I would rather be using DNSSEC and know for a FACT I got the info direct from the authoritative server for what I am looking up, rather than via some cached info that could quite possibly be poisoned.. A couple of ms longer looking up a record is never going to be an issue. And that is only if the record is not already cached..

A resolver is always going to be a better choice vs forwarding from a security point of view, and once you have cached an entry and you use prepop, and let your resolver look up a record when it has 10% of the TTL left, your clients' queries for common stuff you look up should always be only 1 or 2 ms away.. vs having to go ask Google DNS again, which is prob 30+ ms away anyway, every time the TTL expires for something.

If you were on a very high-latency connection (sat, for example), or the NS for the domains you like to frequent were on the other side of the planet from you, then it might be better to ask a local forwarder.. But that would rarely be the case; this is why pfSense uses the resolver out of the box..

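The two mechanics argued over in this thread, the tree walk johnpoz lays out a few posts up (roots are asked only for the TLD's name servers, then the TLD's NS for the domain's NS, then the domain's NS for the record) and the cache-plus-prefetch behaviour he describes in this post (re-resolve a record when 10% of its TTL is left so clients keep getting near-instant cached answers), as one added Python example. This is not code from the thread, pfSense or unbound; the delegation tree, server names, addresses and TTLs are constructed for the example and nothing here sends real DNS traffic. The 10% prefetch threshold is the figure from the post.

```python
"""Toy iterative DNS resolver with a TTL cache and prefetch.

Added example for this thread, not pfSense or unbound code. The delegation
tree below is constructed: each "server" knows only its own slice of the
namespace, the way the real root, TLD and domain servers do.
"""
import time

# Constructed delegation tree. A referral is ("NS", server_name, ttl),
# an address answer is ("A", ip, ttl). Addresses are documentation ranges.
SERVERS = {
    "root": {
        "com.": ("NS", "a.gtld-servers.example.", 172800),
    },
    "a.gtld-servers.example.": {
        "domain.com.": ("NS", "ns1.domain.com.", 172800),
    },
    "ns1.domain.com.": {
        "www.domain.com.": ("A", "192.0.2.10", 300),
        "ns1.domain.com.": ("A", "192.0.2.53", 3600),
    },
}


def zone_cuts(fqdn):
    """Names asked at each step of the walk, top-down:
    'www.domain.com.' -> ['com.', 'domain.com.', 'www.domain.com.']."""
    labels = fqdn.rstrip(".").split(".")
    return [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve_iteratively(fqdn):
    """Walk the tree as a resolver does: the root is asked only for the TLD's
    name servers, then each authoritative server for its own portion of the
    name. Returns (ip, ttl, trace); trace lists (server_asked, question, reply).
    Raises LookupError when a server has no record for what it is asked."""
    server = "root"
    trace = []
    for name in zone_cuts(fqdn):
        reply = SERVERS[server].get(name)
        if reply is None:
            raise LookupError(f"{server} has no record for {name}")
        trace.append((server, name, reply))
        rtype, value, ttl = reply
        if rtype == "A":
            return value, ttl, trace
        server = value  # referral: continue at the next authoritative server
    raise LookupError(f"no address record found for {fqdn}")


class CachingResolver:
    """Serves cached records while fresh. When a cached record has 10% or
    less of its TTL left, the client still gets the cached answer and the
    resolver re-resolves it, so the next lookup finds a fresh entry."""

    PREFETCH_FRACTION = 0.10  # threshold quoted in the thread

    def __init__(self, clock=time.monotonic):
        self.clock = clock          # injectable so TTL logic can be stepped by hand
        self.cache = {}             # fqdn -> (ip, expires_at, ttl)
        self.upstream_queries = 0   # number of full tree walks performed

    def _refresh(self, fqdn, now):
        ip, ttl, _trace = resolve_iteratively(fqdn)
        self.upstream_queries += 1
        self.cache[fqdn] = (ip, now + ttl, ttl)
        return ip

    def lookup(self, fqdn):
        """Returns (ip, source) where source is 'cache' or 'resolved'."""
        now = self.clock()
        entry = self.cache.get(fqdn)
        if entry is not None and now < entry[1]:
            ip, expires_at, ttl = entry
            if expires_at - now <= self.PREFETCH_FRACTION * ttl:
                self._refresh(fqdn, now)  # prefetch; client still served from cache
            return ip, "cache"
        return self._refresh(fqdn, now), "resolved"


class FakeClock:
    """Constructed clock so the TTL and prefetch behaviour is deterministic."""

    def __init__(self):
        self.now = 0.0

    def __call__(self):
        return self.now

    def advance(self, seconds):
        self.now += seconds


if __name__ == "__main__":
    ip, ttl, trace = resolve_iteratively("www.domain.com.")
    for asked, question, reply in trace:
        print(f"ask {asked:<26} {question:<18} -> {reply}")
    print(f"answer {ip} (ttl {ttl})")
```

Running it prints three steps, and the only question ever put to `root` is `com.`, which is the point johnpoz makes about roots. A forwarder skips the walk entirely and trusts whatever the upstream hands back from its cache, which is why the thread treats the resolver as the safer default.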
DeltaOne, last edited Apr 29, 2017, 12:39 PM

@johnpoz:

A resolver is always going to be a better choice vs forwarding from a security point of view, and once you have cached an entry and you use prepop, and let your resolver look up a record when it has 10% of the TTL left, your clients' queries for common stuff you look up should always be only 1 or 2 ms away.. vs having to go ask Google DNS again, which is prob 30+ ms away anyway, every time the TTL expires for something.

You've made a convincing argument, I'll stick with the Resolver.

I do have a few more questions:

1. I'm nearly certain, 11 days ago when this became an issue for me, I found both the Resolver and Forwarder disabled (unchecked). Everything was working. Was DNS working solely from the settings on pfSense's System / General Setup page?

2. If I'm right that the Resolver was unchecked…I wonder why. I don't remember making any changes in this area.

3. Is the Forwarder going to be removed from the next major release of pfSense? Just curious, I think I read this somewhere.

Finally, thanks again for your help. Much appreciated!

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.