Netgate Discussion Forum
    Resolving LAN host names - help

    General pfSense Questions
    chudak

      @johnpoz:

      single label domain - bad idea

      You're in resolver mode - so whatever DNS servers you put there are pointless and never used.

      @johnpoz
      Can you please elaborate? What would you do?

      johnpoz LAYER 8 Global Moderator

        Use a domain with a tld vs just a tld… put something on the end of that domain, say whatever.lan or whatever.something

        Don't waste your time putting in dns that would never get asked since out of the box pfsense resolves.

        How is it in this day and age people so worried about DNS leaks don't understand the difference between a forwarder and a resolver?  Google it!!!

        Are you pointing your clients to something other than pfSense for DNS?  There is no reason to put something into the DHCP server unless you're going to point to something other than the pfSense LAN IP for your clients.  Since if you leave it blank it auto hands out the pfSense IP on that interface..  It says so right there in the note.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        chudak

          OK, removed values from DNS/General and Resolver

          I am not using DNS Forwarder, but will read more about it vs Resolver

          Wondering why "single label domain - bad idea"?

          Thx !

          johnpoz LAYER 8 Global Moderator

            From a DNS point of view it's not a good idea..

            This is a Windows-based reason list

            https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configur

            There just is no point to it.. Any devices should have a fqdn, this would include the host, the second level domain and the top level domain… With just using single label like that, that is not possible for your host names.

            chudak

              @johnpoz

              I've made the changes you suggested and everything seems to be working fine

              Specifically:
              Domain as 'something.lan'
              no DNS servers set in System/General Setup and DNS Server Override
              no DNS set in Services/DHCP Server/LAN

              Where is pfSense getting DNS now? From my ISP?

              Thx

              johnpoz LAYER 8 Global Moderator

                "Where is pfSense getting DNS now? From my ISP?"

                So you didn't look up the difference between a forwarder and a resolver ;)

                A resolver walks down from the root servers to the authoritative name server for the domain whose resource you want.

                You're looking for www.domain.com, so it asks one of the root servers - google those ;)

                Hey root server, who is the nameserver for .com domains? OK, thanks.
                Hey .com nameserver, who is the nameserver for domain.com? OK, thanks.
                Hey domain.com NS, what is the A record for www.domain.com? OK, thanks.

                Your ISP has nothing to do with this other than connectivity to the internet to allow you to talk to the authoritative NS.

                edit: Since you probably won't google it: https://en.wikipedia.org/wiki/Root_name_server

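The walk johnpoz describes, as an added example that is not part of the thread: a small in-memory model of iterative resolution over constructed zone data (the server names and the 203.0.113.10 address are placeholders, no packets are sent). It also shows why a single-label name such as "printer" gets nowhere: the root has no delegation for it, so the lookup fails at the first hop.

```python
"""Simulated iterative lookup: root -> .com NS -> domain.com NS -> A record.

Added example, not from the thread. Zone data below is constructed and
held in memory; nothing talks to the network.
"""
from typing import Dict, List, Tuple

# Constructed zone data: each "server" either refers the resolver to a child
# zone's nameserver or returns the final answer. Names/IPs are placeholders.
ROOT = {"com": ("referral", "a.gtld-servers.example")}
TLD_COM = {"domain.com": ("referral", "ns1.domain.com")}
AUTH_DOMAIN = {"www.domain.com": ("answer", "203.0.113.10")}  # TEST-NET-3

SERVERS: Dict[str, Dict[str, Tuple[str, str]]] = {
    "root": ROOT,
    "a.gtld-servers.example": TLD_COM,
    "ns1.domain.com": AUTH_DOMAIN,
}


def suffixes(name: str) -> List[str]:
    """www.domain.com -> ['com', 'domain.com', 'www.domain.com']."""
    labels = name.rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels) - 1, -1, -1)]


def iterative_resolve(name: str) -> Tuple[str, List[str]]:
    """Walk from the root down to the authoritative server.

    Returns (ip, trail), where trail lists every server consulted in order.
    Raises LookupError when no server on the path has data for the name.
    """
    server = "root"
    trail = [server]
    for _ in range(10):  # hard cap so a broken referral chain cannot loop
        zone = SERVERS[server]
        # A server answers for the longest suffix it knows about.
        match = next((s for s in reversed(suffixes(name)) if s in zone), None)
        if match is None:
            raise LookupError(f"{server} has no data for {name}")
        kind, value = zone[match]
        if kind == "answer":
            return value, trail
        server = value  # referral: go ask the next server down the tree
        trail.append(server)
    raise LookupError("referral chain too long")
```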
                chudak

                  @johnpoz:

                  "Where is pfSense getting DNS now? From my ISP?"

                  So you didn't look up the difference between a forwarder and a resolver ;)

                  A resolver walks down from the root servers to the authoritative name server for the domain whose resource you want.

                  You're looking for www.domain.com, so it asks one of the root servers - google those ;)

                  Hey root server, who is the nameserver for .com domains? OK, thanks.
                  Hey .com nameserver, who is the nameserver for domain.com? OK, thanks.
                  Hey domain.com NS, what is the A record for www.domain.com? OK, thanks.

                  Your ISP has nothing to do with this other than connectivity to the internet to allow you to talk to the authoritative NS.

                  edit: Since you probably won't google it: https://en.wikipedia.org/wiki/Root_name_server

                  I won't lie to you that "oh yeah I knew all of this"  :)

                  This is something I had no clue about and why I started using pfSense last year.
                  I can't say that I get all of this but it makes sense now.

                  Thanks a million for explaining and patience!

                  chudak

                    @johnpoz

                    I think the last question here is - do you think that using DNS names in System/General Setup may/will improve performance?

                    And if yes, how do you suggest doing this?

                    I tried running a benchmark and selecting the best performing servers, but found that sometimes when a DNS server got slow or unavailable the whole system was slow (as expected) and was not sure how to solve this issue without manual intervention.

                    johnpoz LAYER 8 Global Moderator

                      There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  And unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones. Otherwise there is ZERO reason to do anything other than resolve.

                      This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you can not.

                      chudak

                        @johnpoz:

                        There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  And unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones. Otherwise there is ZERO reason to do anything other than resolve.

                        This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you can not.

                        Very clear, thx !

                        I guess people do what I was doing because when they start they look for available resources. I used YouTube, and apparently not all of them are trustworthy, which is as expected.

                        chudak

                          @johnpoz:

                          There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  And unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones. Otherwise there is ZERO reason to do anything other than resolve.

                          This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you can not.

                          @johnpoz I followed your suggestions and happy so far.

                          However I see some DNS queries to IP addresses that I can not explain  https://pastebin.com/zwa92uZe, can you help me understand this?

                          I wonder if I have something mis-configured.

                          Thx!

                          Gertjan

                            @chudak:

                            However I see some DNS queries to IP addresses that I can not explain  https://pastebin.com/zwa92uZe, can you help me understand this?

                            You're not the only one that uses Youtube as a manual. Inspect the devices on your LAN(s).
                            PC's and other devices could have 'static' DNS addresses set up, so they will contact for example "8.8.8.8", bypassing completely the local DNS authority (your pfSense).
                            That explains also why local resolution, like "Resolving LAN host names", doesn't work any more. 8.8.8.8 doesn't know anything about that network printer in your pool house.

                            Leave the network settings of any device you unpack with its original settings, and all will work just fine.

                            Handing over all your requests to 6.6.6… sorry 8.8.8.8 is ok, but first make up the full list with consequences ...
                            8.8.8.8 and Youtube are the same house  ;)

                            Note : I'm not against 8.8.8.8. But why should I learn to use that one if my pfSense already does everything I need ?

                            Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS requests, forcing the device to use pfSense, or have it shut up.

                            No "help me" PM's please. Use the forum, the community will thank you.
                            Edit : and where are the logs ??

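A defender's check for the hard-coded DNS Gertjan describes, added here and not from the thread: it scans constructed, simplified connection records (a "proto,src,dst,dport" form, not the real pfSense log format; the 192.168.1.0/24 subnet and the 192.168.1.1 firewall address are assumptions) and lists the LAN hosts that talk DNS to anything other than pfSense.

```python
"""Find LAN hosts that send DNS somewhere other than the pfSense resolver.

Added example, not from the thread. The records below are constructed in a
simplified "proto,src,dst,dport" form, NOT the real pfSense filterlog
format; adapt parse_record() to whatever export you actually have.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network
from typing import Dict, Set, Tuple

PFSENSE_LAN_IP = "192.168.1.1"           # assumed LAN address of the firewall
LAN_NET = ip_network("192.168.1.0/24")   # assumed LAN subnet
DNS_PORTS = {53, 853}                     # plain DNS and DNS-over-TLS

# Constructed sample: two hosts use pfSense, two have hard-coded resolvers,
# and one line is ordinary HTTPS traffic that must be ignored.
SAMPLE_LOG = """\
udp,192.168.1.20,192.168.1.1,53
udp,192.168.1.21,8.8.8.8,53
tcp,192.168.1.21,8.8.4.4,853
udp,192.168.1.22,192.168.1.1,53
udp,192.168.1.23,1.1.1.1,53
tcp,192.168.1.20,203.0.113.5,443
"""


def parse_record(line: str) -> Tuple[str, str, str, int]:
    """Split one constructed record into (proto, src, dst, dport)."""
    proto, src, dst, dport = line.strip().split(",")
    return proto, src, dst, int(dport)


def dns_bypass(log_text: str, resolver_ip: str = PFSENSE_LAN_IP) -> Dict[str, Set[str]]:
    """Map each LAN source to the non-pfSense DNS destinations it contacted."""
    offenders: Dict[str, Set[str]] = defaultdict(set)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _proto, src, dst, dport = parse_record(line)
        if dport not in DNS_PORTS:
            continue                      # not a DNS conversation
        if ip_address(src) not in LAN_NET:
            continue                      # only our own LAN clients matter
        if dst == resolver_ip:
            continue                      # correct behaviour: asked pfSense
        offenders[src].add(dst)
    return dict(offenders)
```

Port 853 is included because DNS-over-TLS slips past a plain port-53 block; DNS-over-HTTPS on 443 cannot be told apart from web traffic this way.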
                            chudak

                              @Gertjan:

                              PC's and other devices could have 'static' DNS addresses set up, so they will contact for example "8.8.8.8", bypassing completely the local DNS authority (your pfSense).

                              That makes sense and explains those queries, thx!

                              @Gertjan:

                              Also : some devices, some software have DNS hard coded - you can't do anything about that, except blocking all outgoing DNS requests, forcing the device to use pfSense, or have it shut up.

                              I do force all DNS requests to use pfsense only!

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.