Netgate Discussion Forum
    Difference between DNS Resolver and DNS Forwarder

    • A Offline
      ast
      last edited by

      Hi!

Sorry for asking a newbie question, but I just want to know, in layman's terms, what is the difference between a DNS resolver and a DNS forwarder?

My pfSense box is working properly with the DNS forwarder and Squid. I just want to have additional knowledge about networking, that's why I asked ;)

      TIA!

      • johnpozJ Offline
        johnpoz LAYER 8 Global Moderator
        last edited by

        google not good enough?

It's in the name - a forwarder forwards, a resolver resolves.

A forwarder just forwards your question somewhere.. Be it just another forwarder or an actual resolver.  But at some point a resolver has to be asked..

A resolver walks down from the roots to find the authoritative nameserver for the domain in question.

        Hey root servers who is NS for .com
        Hey .com NS who is NS for domain.com
        Hey domain.com NS what is IP of www.domain.com

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        • GertjanG Offline
          Gertjan
          last edited by

          @johnpoz:

          google not good enough?

          I guess he did, but Google's first link is - oh,  :) : https://www.reddit.com/r/PFSENSE/comments/51x20p/dns_resolver_vs_dns_forwarder/

          Btw : While I was there : DNS resolver frowarder

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • johnpozJ Offline
            johnpoz LAYER 8 Global Moderator
            last edited by

            Hmmm - it does seem to be a bit difficult to google a straight answer for this basic question.

Might be a good idea to put a sticky in the DNS section or a wiki article.  This question does seem to come up quite a bit.  My last attempt at putting in a wiki article got shot down as not appropriate for the wiki ;)  I thought it was a good idea, just simple common notes for someone new to pfSense.  But the powers that be thought it was not good for the wiki, and a forum post was more appropriate.. Which I can see both sides of.  Maybe I will put together a post about it if I cannot find a good link that describes the difference for the layperson, and maybe it can be added as a sticky..

            • P Offline
              pfBasic Banned
              last edited by

              https://youtu.be/2ZUxoi7YNgs

              DNS Resolver in 2 minutes.

              Forwarder asks a server that has already cached much of the content.

              Unbound Resolver will do what that video depicts and cache results for the duration of the TTL, along with providing quite a few other features.

              • johnpozJ Offline
                johnpoz LAYER 8 Global Moderator
                last edited by

Oh my Fing Gawd that was HORRIBLE!!!  2 minutes I'll never get back, and it's summed up in this

                Hey root servers who is NS for .com
                Hey .com NS who is NS for domain.com
                Hey domain.com NS what is IP of www.domain.com

                That takes 2 seconds to read.. And doesn't touch on the difference between forwarder and resolver.

                • S Offline
                  Soyokaze
                  last edited by

                  @pfBasic:

                  Forwarder asks a server that has already cached much of the content.

No, the difference between a forwarder and a resolver has nothing to do with cache.

                  Need full pfSense in a cloud? PM for details!

                  • S Offline
                    Soyokaze
                    last edited by

                    @ast:

I just want to know, in layman's terms, what is the difference between a DNS resolver and a DNS forwarder?

A forwarder is a small program which relies on some RESOLVER to process the conversion from a DNS name to the corresponding IP address. Typically you point your forwarder to the DNS resolvers of your ISP, or use some publicly accessible resolvers, such as Google Public DNS or OpenDNS.
Pro: small, extremely easily configurable
Con: if your ISP's DNS resolvers are offline (and your forwarder is pointed to them) you have "no internet", because you can't resolve any DNS name to an IP address

A resolver is a somewhat bigger program which can handle the process of conversion from DNS name to IP address (i.e. resolve it) all by itself. A resolver doesn't need your ISP's (or public) resolvers to work; it queries the DNS infrastructure servers directly.
Pro: does not depend on public resolvers
Con: usually more complex configuration (but in pfSense it works "just out of the box").

                    • V Offline
                      voxmagna1
                      last edited by

                      I didn't think this was a stupid question to ask. If the OP is using addon package features, filtering and a VPN service requiring DNS to establish the tunnel, would the answers be any different?

I've had a similar experience using Google and Reddit, getting back conflicting answers. The OP is a newbie like me, and learning wrong things is bad for all of us. In this seemingly complex world of networking, built on layers of added complexity and some who have become experts, it is hard to get up to speed. What I have learned is that if you use an ISP router it lacks the features and speed of a pfSense box, but generally has all the security blocks already set up and works 'out of the box'. With a pfSense box you have seemingly unlimited configurations, and I've learned not to trust anything until I've run my own tests to prove it's doing what I expect.

I don't know if it's here already, but a software tool to help carry out simple tests, hosted on the pfSense site, without having to dive into pfSense logs and route configurations would be very helpful. For example, if I've configured the Squid proxy I want to know if it's caching, responding to my black/white lists, and whether AV and ad blocking/tracking are actually working for both HTTP/HTTPS, and that there are no proxy leaks, except those I choose to ignore.

                      Just my beginners perspective.

                      There's nothing worse than thinking you have security when due to a pfsense configuration error it's not actually there.

                      • T Offline
                        tobiasm
                        last edited by tobiasm

                        I find it somewhat ironic that this page is now the first hit on google for "pfsense dns resolver vs forwarder," and the main advice seems to be "just google it."

                        I agree with others who've said it's a valid question to ask -- especially because the pfSense DNS Resolver includes an option to "Enable Forwarding Mode"...

                        • GertjanG Offline
                          Gertjan
                          last edited by

For historical reasons, pfSense used dnsmasq for DNS resolving. It behaved as many SOHO routers do: it centralized DNS requests from LAN clients, and if dnsmasq couldn't resolve directly, it passed them to the upstream DNS server, often the one or two proposed by the ISP.
Some time ago, unbound became more popular. unbound behaves differently: it will question the 13 (?) main DNS Internet root servers, who will give the top level DNS server (like dot com), and these will pass on the actual name resolution servers. A name server will actually translate the domain.tld to an IP and hand the result over to unbound, who will hand it over to the client.

One of the advantages of unbound is that it is compatible with DNSSEC.

These two DNS tools, unbound and dnsmasq, are mutually exclusive; you can use only one of them.

                          • johnpozJ Offline
                            johnpoz LAYER 8 Global Moderator
                            last edited by johnpoz

                            To be honest I think the problem comes down to people not even grasping what dns is in the first place ;) If they did - simple name, forwarder or resolver would tell them the difference.

                            At some point there HAS to be a RESOLVER.. This is how dns works...

                            So do you want to open the phone book - might be old school for some searching this out.. Look up on your smart phones what a phone book is ;) And look up the number for Billy Bob.. Or do you want ask Karen for Billy's number..

                            So a resolver does the work of looking in the book and getting the number from the actual source.. In our analogy this is the phone book... The authoritative NS (nameserver) for any "domain" is the source... To get to that source you have to look up where that source is... This is root servers, which really only point to the authoritative name servers for the TLD.. ie .com, .net, .org, etc.. So as stated way up at the start of the thread a resolver comes down to

                            Hey root servers who is NS for .com
                            Hey .com NS who is NS for domain.com
                            Hey domain.com NS what is IP of www.domain.com

In a forwarder you're just asking Karen for Billy's number... So maybe she knows it (cached) or maybe she doesn't know it - if she doesn't know it, she might ask Susan.. If Susan doesn't know it then she might ask Sally... At some point if none of the NS in a line of forwarders know it they are going to have to ask a "RESOLVER" which is what unbound does by default out of the box on current versions of pfSense..

                            This Resolver is the one that will do
                            Hey root servers who is NS for .com
                            Hey .com NS who is NS for domain.com
                            Hey domain.com NS what is IP of www.domain.com

So you can resolve and always get your info from the authoritative name server for the domain you're looking for.. Or you can just ask Karen for the IP... Problem is Karen can tell you whatever she wants is the number - you have no idea, you're trusting Karen... Might be good, might be bad - you just trust Karen to give you the right number.. This bitch Karen might just be asking Sally anyway, etc. etc.. And maybe Sally is a lying bitch.. Or maybe Karen got confused and is not asking Sally but is actually asking Sabrina, etc... How do you know? You're just forwarding your request and hoping it comes back with the number you want..

Now maybe you trust Karen so much that if you ask for something BAD... She won't tell you.. Maybe... That might be one reason to use a forwarder vs a resolver.. I don't like that idea - tell you what, I will just keep my own list of bad things that shouldn't be looked up.. And run my queries through that list before I even attempt to resolve.. Most browsers do this on their own even.. Or you could use pfBlocker or Pi-hole, etc.. This sort of function has little to do with the method of finding that IP that is the address of the fqdn you're wanting to go to.. So you can do this yourself or just trust Karen to do it all for you ;)

Other nonsense is people think forwarders are faster.. Just not true unless you're talking about the initial lookup vs getting back what Karen already knew... That might be a few ms faster sure - how far away is Karen? Did she have it cached or does she have to ask Sally, etc. etc. Keep in mind if she had looked it up some time ago.. the TTL is only going to be what is left, so you might have to ask her yet again a few seconds from now..

With a resolver, it caches the NS for .tld and it caches the NS for domainX.. So even when the TTL expires for host.domainx.tld the resolver will just go ask the NS for domainx.tld for the IP of host.. Which for all you know might even be closer to you than Karen ;)

In the big picture a resolver is going to give you more control, better results and yes can use DNSSEC to validate that you're talking to the real shit and not some poser wanting to give you the wrong answer.. That is if the owner of the domain took the time to actually set up DNSSEC.. The roots and .tld NS have (most of the .tlds have). Some of the new oddball ones might not as of yet..

What most people should do is not worry about it - and just let pfSense do what it does out of the box, which is resolve and use DNSSEC.. If you have come to the point of wanting to understand this - then you really should grab a DNS book and do your own research on how this fascinating protocol works.. I highly recommend DNS and BIND, google it - the book, now in its 5th edition, will be the first hit.. That is what is meant by google it ;) hehe It will change your life - when it comes to understanding DNS.. Vs oh my idiot buddy says I should use TLS and forward to xyz... Just what you want to speed up your DNS queries <rolleyes>..

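The two posts above (Soyokaze's forwarder/resolver summary and johnpoz's "Karen" walkthrough) describe the same mechanics: a resolver walks root, TLD and authoritative server and keeps the delegations it learns, while a forwarder can only relay the question and accept whatever comes back. The toy model below is an added example, not pfSense, dnsmasq or unbound code; the zone data, server names and addresses are constructed, and it simplifies real resolution by assuming one zone cut per label. It shows the three-step walk, the cached-NS shortcut after the A record's TTL expires, a chain of forwarders ending in a resolver, a forwarder whose upstream is down, and a forwarder that cannot tell a made-up answer from a real one.

```python
# Added example (not pfSense or unbound code): a toy model of the difference
# between an iterative resolver and a forwarder. All data below is constructed.


class FakeClock:
    """Controllable clock so TTL expiry can be shown without waiting."""

    def __init__(self, now=0):
        self.now = now

    def __call__(self):
        return self.now


# Constructed authoritative data: server name -> {(qname, qtype): (rdata, ttl)}.
# Each server only knows its own zone, like real authoritative servers.
ROOT = "root.test."
AUTH = {
    ROOT: {("com.", "NS"): ("ns.com-tld.test.", 172800)},
    "ns.com-tld.test.": {("example.com.", "NS"): ("ns1.example.com.", 86400)},
    "ns1.example.com.": {("www.example.com.", "A"): ("192.0.2.10", 60)},
}


class Resolver:
    """Iterative resolver: root -> TLD -> authoritative, caching every step."""

    def __init__(self, auth, clock):
        self.auth = auth
        self.clock = clock
        self.cache = {}   # (qname, qtype) -> (rdata, expires_at)
        self.asked = []   # servers contacted, kept for inspection

    def _cached(self, key):
        hit = self.cache.get(key)
        if hit is not None and hit[1] > self.clock():
            return hit[0]
        return None

    def _query(self, server, key):
        """Ask one authoritative server and cache its answer for its TTL."""
        self.asked.append(server)
        rdata, ttl = self.auth[server][key]
        self.cache[key] = (rdata, self.clock() + ttl)
        return rdata

    def resolve(self, qname, qtype="A"):
        # Simplification: one zone cut per label (com., example.com., ...).
        labels = qname.rstrip(".").split(".")
        zones = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]
        server = ROOT
        for zone in zones:
            # A cached delegation skips the root/TLD round trip entirely.
            server = self._cached((zone, "NS")) or self._query(server, (zone, "NS"))
        return self._cached((qname, qtype)) or self._query(server, (qname, qtype))


class Forwarder:
    """Forwarder: knows nothing about roots, just relays to an upstream."""

    def __init__(self, upstream):
        self.upstream = upstream   # another Forwarder, a Resolver, or None (down)

    def resolve(self, qname, qtype="A"):
        if self.upstream is None:
            raise RuntimeError("upstream unreachable: a forwarder cannot resolve on its own")
        # The answer is whatever the upstream says; nothing here can verify it.
        return self.upstream.resolve(qname, qtype)


class UntrustworthyUpstream:
    """Constructed upstream that answers every query with the same address."""

    def resolve(self, qname, qtype="A"):
        return "203.0.113.99"


def demo():
    clock = FakeClock()
    resolver = Resolver(AUTH, clock)
    first = resolver.resolve("www.example.com.")    # root, TLD, authoritative
    walk = list(resolver.asked)
    clock.now += 61                                  # A record (TTL 60) has expired
    resolver.asked.clear()
    second = resolver.resolve("www.example.com.")   # NS cached: one query only
    shortcut = list(resolver.asked)
    chain = Forwarder(Forwarder(resolver)).resolve("www.example.com.")
    return {"first": first, "walk": walk, "second": second,
            "shortcut": shortcut, "chain": chain}


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, value)
```

Run it and compare `walk` (three servers) with `shortcut` (only `ns1.example.com.`): that is the cached-delegation behaviour johnpoz describes. `Forwarder(None)` raising is Soyokaze's "no internet when the ISP resolver is down" case, and `Forwarder(UntrustworthyUpstream())` returning `203.0.113.99` is the point that a forwarder has no way to check what "Karen" hands back; only a validating resolver asking the authoritative server (and DNSSEC, not modelled here) can.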
                            • jimpJ Offline
                              jimp Rebel Alliance Developer Netgate
                              last edited by

                              I went over this in detail in a hangout not too long ago:

                              https://www.netgate.com/resources/videos/local-dns-with-pfsense-24.html

                              Slides that go with it:

                              https://www.slideshare.net/NetgateUSA/local-dns-with-pfsense-24-pfsense-hangout-april-2018

                              Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                              Need help fast? Netgate Global Support!

                              Do not Chat/PM for help!

                              • T Offline
                                tobiasm @Gertjan
                                last edited by

                                @gertjan said in Difference between DNS Resolver and DNS Forwarder:

For historical reasons, pfSense used dnsmasq for DNS resolving. It behaved as many SOHO routers do: it centralized DNS requests from LAN clients, and if dnsmasq couldn't resolve directly, it passed them to the upstream DNS server, often the one or two proposed by the ISP.
Some time ago, unbound became more popular. unbound behaves differently: it will question the 13 (?) main DNS Internet root servers, who will give the top level DNS server (like dot com), and these will pass on the actual name resolution servers. A name server will actually translate the domain.tld to an IP and hand the result over to unbound, who will hand it over to the client.

One of the advantages of unbound is that it is compatible with DNSSEC.

These two DNS tools, unbound and dnsmasq, are mutually exclusive; you can use only one of them.

                                Thanks! This is very helpful. The slides by @jimp are great, too.

                                • C Offline
                                  caigeliu
                                  last edited by

This is a good post and asks a question that has also been in my mind for years. Now it is clearer to me that in pfSense you can use either the DNS forwarder (dnsmasq) or the DNS resolver (unbound, DNSSEC), because these two are mutually exclusive.

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.