Netgate Discussion Forum
    DNS Resolver vs DNS Forwarder vs Rule to OpenDNS or Quad9?

    Category: DHCP and DNS
    Velcro wrote:

      I am experimenting with different ways to secure DNS queries and while I suspect this is a hugely debated topic, what is the best way to secure your DNS queries?

      DNS resolver where pfsense does the resolving.

      DNS Forwarder using OpenDNS, Quad9 or other.

      Creating a rule to allow access to Quad9 or OpenDNS (using an alias as destination) only and turning off Resolver and Forwarder.

      Assumption:
      Using a reputable VPN… let's assume this is trusted. Pushing all DNS queries through the VPN.

      My thoughts are:

      DNS resolver where pfsense does the resolving.
      Pro: DNSSEC support, control
      Con: More complex, potential leaky DNS, more complexity = less security?

      DNS Forwarder using OpenDNS, Quad9 or other.
      Pro: ??
      Con: ??

      Creating a rule to allow access to Quad9 or OpenDNS only and turning off Resolver and Forwarder.
      Pro: Simplicity
      Con: Less features, rely on 3rd party to resolve, additional service to trust

      What are the pros and cons of these approaches with regards to security?

      johnpoz (LAYER 8 Global Moderator) wrote:

        You forgot the CON on your last option that you will not be able to resolve anything local.

        You're going to have to be specific on what your "secure your DNS queries" is in regard to…

        Not all of us have our tinfoil hats on so tight that we are worried about our ISP sniffing our traffic to find our dns queries out.  Nor are we worried about the authoritative NS for a domain, or the roots knowing what IP we are asking for some FQDN from, etc.

        So when you want to discuss "securing" your dns, you're going to need to spell it out so we know what you're wanting to "secure" it from..

        Out of the box pfsense resolves and uses dnssec.. This should be the optimal configuration for typical use, for the person that has not cut off the blood flow to their brain with how tight their tin foil hat is ;)

        Using something like OpenDNS or Quad9 has a feature that resolving your own does not support, and that is filtering out bad domains per some listing.  Now you could do this yourself in unbound or with pfBlocker and still resolve.  So vs. handing over everything to some 3rd party company that says hey, we have these lists of bad sites and won't resolve them for you, you could do that yourself on pfsense and never send the query out in the first place.

        If you do not want roots to know you're looking for say www.domain.tld, you can turn on a setting to only send roots .tld and second-level roots domain.tld and not send... But from my experience there are many domains that this is broken for.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11
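The two points johnpoz makes above (do the bad-domain filtering yourself in unbound so the query never leaves the box, and the "only send the roots .tld" setting that breaks some domains) can both be expressed as an unbound configuration fragment. The script below is an added example, not code from the thread or from pfSense/Netgate: it takes a constructed blocklist, collapses it into the minimal set of `local-zone ... always_nxdomain` entries (unbound applies a local-zone to everything under it, so a subdomain whose parent is already listed is redundant), and emits a `server:` fragment that also turns on DNSSEC validation and QNAME minimisation. The option names are real unbound options; the domain list and the `qname_min`/`strict` helper parameters are assumptions made for the example.

```python
"""Generate an unbound server: fragment that filters a blocklist locally.

Added example, not from the forum thread or from pfSense.  Option names
(module-config, harden-dnssec-stripped, qname-minimisation,
qname-minimisation-strict, local-zone ... always_nxdomain) are real unbound
options; the blocklist content below is constructed for the example.
"""
from typing import Iterable, List

# Constructed sample blocklist, in the loose shape such downloads tend to have:
# mixed case, trailing dots, comments, blank lines and duplicates.
SAMPLE_BLOCKLIST = """
# comment line
Tracker.Example.
ads.example
sub.ads.example
malware.test
malware.test
"""


def normalize(name: str) -> str:
    """Lower-case a name and strip surrounding whitespace and the trailing dot."""
    return name.strip().lower().rstrip(".")


def collapse_zones(names: Iterable[str]) -> List[str]:
    """Return the minimal set of zones covering every listed name.

    Comments and blank lines are skipped and duplicates removed.  Names are
    sorted by label count so a parent zone is always seen before its
    subdomains; a name already covered by a kept parent is dropped, because an
    unbound local-zone applies to the zone and everything beneath it.
    """
    cleaned = {
        normalize(n)
        for n in names
        if n.strip() and not n.lstrip().startswith("#")
    }
    kept: List[str] = []
    for name in sorted(cleaned, key=lambda n: (n.count("."), n)):
        if any(name == z or name.endswith("." + z) for z in kept):
            continue
        kept.append(name)
    return kept


def render_blocklist(names: Iterable[str], zone_type: str = "always_nxdomain") -> List[str]:
    """Render local-zone lines; queries for these names are answered locally."""
    lines = ["# generated blocklist: these names never leave the resolver"]
    for zone in collapse_zones(names):
        lines.append(f'local-zone: "{zone}." {zone_type}')
    return lines


def render_server_fragment(names: Iterable[str], qname_min: bool = True,
                           strict: bool = False) -> List[str]:
    """Build a server: fragment: DNSSEC validation, QNAME minimisation, blocklist.

    qname_min/strict are this example's own parameters.  Strict mode refuses to
    fall back to the full name for servers that mishandle minimised queries,
    which is the behaviour that makes many domains unresolvable.
    """
    yes_no = lambda flag: "yes" if flag else "no"
    lines = [
        "server:",
        "  # DNSSEC validation (what pfSense enables out of the box)",
        '  module-config: "validator iterator"',
        "  harden-dnssec-stripped: yes",
        "  # Send each upstream only the labels it needs (roots see just the TLD)",
        f"  qname-minimisation: {yes_no(qname_min)}",
        f"  qname-minimisation-strict: {yes_no(strict)}",
    ]
    lines.extend("  " + line for line in render_blocklist(names))
    return lines


if __name__ == "__main__":
    print("\n".join(render_server_fragment(SAMPLE_BLOCKLIST.splitlines())))
```

Dropping the output into a file that unbound includes (on pfSense, the Custom Options box of the DNS Resolver page accepts the same syntax) gives the "never send the query out" behaviour for the listed names while the resolver still does its own resolving with DNSSEC for everything else.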

        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.