
    Difference between DNS Resolver and DNS Forwarder

    DHCP and DNS
    16 Posts 10 Posters 77.3k Views
    • GertjanG
      Gertjan
      last edited by

      @johnpoz:

      google not good enough?

      I guess he did, but Google's first link is - oh,  :) : https://www.reddit.com/r/PFSENSE/comments/51x20p/dns_resolver_vs_dns_forwarder/

      Btw : While I was there : DNS resolver forwarder

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • johnpozJ
        johnpoz LAYER 8 Global Moderator
        last edited by

        Hmmm - it does seem to be a bit difficult to google a straight answer for this basic question.

        Might be a good idea to put a sticky in the dns section or a wiki article.  This question does seem to come up quite a bit.  My last attempt at putting in a wiki article got shot down as not appropriate for the wiki ;)  I thought it was a good idea, just simple common notes for someone new to pfsense.  But the powers that be thought it not good for the wiki, and that a forum post was more appropriate.. Which I can see both sides of.  Maybe I will put together a post about it if I can not find a good link that describes the difference for the layperson, and maybe it can be added as a sticky..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • P
          pfBasic Banned
          last edited by

          https://youtu.be/2ZUxoi7YNgs

          DNS Resolver in 2 minutes.

          Forwarder asks a server that has already cached much of the content.

          Unbound Resolver will do what that video depicts and cache results for the duration of the TTL, along with providing quite a few other features.

          • johnpozJ
            johnpoz LAYER 8 Global Moderator
            last edited by

            Oh my Fing Gawd that was HORRIBLE!!!  2 minutes I'll never get back, and it's summed up in this:

            Hey root servers who is NS for .com
            Hey .com NS who is NS for domain.com
            Hey domain.com NS what is IP of www.domain.com

            That takes 2 seconds to read.. And doesn't touch on the difference between forwarder and resolver.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            • S
              Soyokaze
              last edited by

              @pfBasic:

              Forwarder asks a server that has already cached much of the content.

              No, the difference between a forwarder and a resolver has nothing to do with cache.

              Need full pfSense in a cloud? PM for details!

              • S
                Soyokaze
                last edited by

                @ast:

                I just want to know in layman's term, what is the difference between DNS resolver and DNS forwarder?

                A forwarder is a small program which relies on some RESOLVER to process the conversion from a DNS name to the corresponding IP address. Typically you point your forwarder to the DNS resolvers of your ISP, or use some publicly accessible resolvers, such as Google Public DNS or OpenDNS.
                Pro: small, extremely easily configurable
                Cons: if your ISP's DNS resolvers are offline (and your forwarder is pointed to them) - you have "no internet", because you can't resolve any DNS name to an IP address

                A resolver is a little bigger program which can handle the process of conversion from DNS name to IP address (i.e. resolve it) all by itself. A resolver doesn't need your ISP's (or public) resolvers to work; it queries the DNS infrastructure servers directly.
                Pro: does not depend on public resolvers
                Cons: usually more complex configuration (but in pfSense it works "out of the box").

                Need full pfSense in a cloud? PM for details!

                • V
                  voxmagna1
                  last edited by

                  I didn't think this was a stupid question to ask. If the OP is using addon package features, filtering and a VPN service requiring DNS to establish the tunnel, would the answers be any different?

                  I've had similar experience using Google and Reddit, getting back conflicting answers. The OP is a newbie like me and learning wrong things is bad for all of us. In this seemingly complex world of networking, built on layers of added complexity and some who have become experts, it is hard to get up to speed. What I have learned is that if you use an ISP router it lacks the features and speed of a pfsense box but generally has all the security blocks already set up and works 'out of the box'. With a pfsense box you have seemingly unlimited configurations and I've learned not to trust anything until I've run my own tests to prove it's doing what I expect.

                  I don't know if it's here already, but a software tool to help carry out simple tests hosted on the pfsense site, without having to dive into pfsense logs and route configurations, would be very helpful. For example, if I've configured Squid proxy I want to know if it's caching, responding to my black/white lists, and that AV and ad blocking/tracking is actually working for both HTTP/HTTPS and there are no proxy leaks, except those I choose to ignore.

                  Just my beginners perspective.

                  There's nothing worse than thinking you have security when due to a pfsense configuration error it's not actually there.

                  • T
                    tobiasm
                    last edited by tobiasm

                    I find it somewhat ironic that this page is now the first hit on google for "pfsense dns resolver vs forwarder," and the main advice seems to be "just google it."

                    I agree with others who've said it's a valid question to ask -- especially because the pfSense DNS Resolver includes an option to "Enable Forwarding Mode"...

                    • GertjanG
                      Gertjan
                      last edited by

                      For historical reasons, pfSense used dnsmasq for DNS resolving. It behaved as many SOHO routers do : it centralized DNS requests from LAN clients, and if dnsmasq can't resolve directly, it passes them to the upstream DNS server, often the one or two proposed by the ISP.
                      Some time ago, unbound became more popular. unbound behaves differently : it will question the 13 (?) main DNS Internet root servers, who will give the top level DNS server (like dot com), and these will pass on the actual name resolution servers. A name server will actually translate the domaine.tld to an IP and hand the result over to unbound, who will hand it over to the client.

                      One of the advantages of unbound is that it is compatible with DNSSEC.

                      These two DNS tools, unbound and dnsmasq, are mutually exclusive; you can use only one of them.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by johnpoz

                        To be honest I think the problem comes down to people not even grasping what dns is in the first place ;) If they did - the simple names, forwarder or resolver, would tell them the difference.

                        At some point there HAS to be a RESOLVER.. This is how dns works...

                        So do you want to open the phone book - might be old school for some searching this out.. Look up on your smart phones what a phone book is ;) And look up the number for Billy Bob.. Or do you want to ask Karen for Billy's number..

                        So a resolver does the work of looking in the book and getting the number from the actual source.. In our analogy this is the phone book... The authoritative NS (nameserver) for any "domain" is the source... To get to that source you have to look up where that source is... This is the root servers, which really only point to the authoritative name servers for the TLD.. ie .com, .net, .org, etc.. So as stated way up at the start of the thread a resolver comes down to

                        Hey root servers who is NS for .com
                        Hey .com NS who is NS for domain.com
                        Hey domain.com NS what is IP of www.domain.com

                        In a forwarder you're just asking Karen for Billy's number... So maybe she knows it (cached) or maybe she doesn't know it - if she doesn't know it, she might ask Susan.. If Susan doesn't know it then she might ask Sally... At some point if none of the NS in a line of forwarders know it they are going to have to ask a "RESOLVER", which is what unbound does by default out of the box on current versions of pfsense..

                        This Resolver is the one that will do
                        Hey root servers who is NS for .com
                        Hey .com NS who is NS for domain.com
                        Hey domain.com NS what is IP of www.domain.com

                        So you can resolve and always get your info from the authoritative name server for the domain you're looking for.. Or you can just ask Karen for the IP... Problem is Karen can tell you whatever she wants is the number - you have no idea, you're trusting Karen... Might be good, might be bad - you just trust Karen to give you the right number.. This bitch Karen might just be asking Sally anyway, etc. etc.. And maybe Sally is a lying bitch.. Or maybe Karen got confused and is not asking Sally but is actually asking Sabrina, etc... How do you know? You're just forwarding your request and hoping it comes back with the number you want..

                        Now maybe you trust Karen so much that if you ask for something BAD... She won't tell you.. Maybe... That might be one reason to use a forwarder vs resolver.. I don't like that idea - tell you what, I will just keep my own list of bad things that shouldn't be looked up.. And run my queries through that list before I even attempt to resolve.. Most browsers do this on their own even.. Or you could use pfblocker or pihole, etc.. This sort of function has little to do with the method of finding the IP that is the address of the fqdn you're wanting to go to.. So you can do this yourself or just trust Karen to do it all for you ;)

                        Other nonsense is people think forwarders are faster.. Just not true unless you're talking about the initial lookup vs getting back what Karen already knew... That might be a few ms faster sure - how far away is Karen? Did she have it cached or does she have to ask Sally, etc. etc. Keep in mind if she had to look it up some time ago.. the TTL is only going to be what is left so you might have to ask her yet again a few seconds from now..

                        With a resolver, it caches the NS for .tld and it caches the NS for domainX.. So even when the TTL expires for host.domainx.tld the resolver will just go ask the NS for domainx.tld for the IP of host.. Which for all you know might even be closer to you than Karen ;)

                        In the big picture a resolver is going to give you more control, better results and yes can use dnssec to validate that you're talking to the real shit and not some poser wanting to give you the wrong answer.. That is if the owner of the domain took the time to actually setup dnssec.. The roots and .tld NS have (most of the .tlds have) Some of the new oddball ones might not as of yet..

                        What most people should do is not worry about it - and just let pfsense do what it does out of the box, which is resolve and use dnssec.. If you have come to the point of wanting to understand this - then you really should grab a dns book and do your own research on how this fascinating protocol works.. I highly recommend DNS and BIND, google it - the book now in its 5th edition will be the first hit.. That is what is meant by google it ;) hehe It will change your life - when it comes to understanding DNS.. Vs oh my idiot buddy says I should use TLS and forward to xyz... Just what you want to speed up your dns queries <rolleyes>..

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

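The walk johnpoz describes above (root servers, then the TLD's name servers, then the domain's own name server) and Soyokaze's pro/con list a few posts up are easier to see in code than in prose. The simulation below is an added example, not part of this thread and not code from pfSense, Unbound or dnsmasq. It runs entirely in memory: the server names `root.example`, `tld.example` and `ns1.domain.com`, the address `192.0.2.10`, the TTLs and the hand-advanced clock are all constructed for the illustration, and the `network` dict stands in for the Internet. It shows four things from the posts: the full root → TLD → authoritative walk on the first lookup; the resolver re-asking only the domain's NS once the A record's TTL runs out, because the NS records it learned are still cached; the forwarder getting only whatever TTL the upstream has left; and the forwarder having no answer at all once its upstream is unreachable.

```python
"""Toy model of an iterative DNS resolver versus a DNS forwarder (added example,
not pfSense, Unbound or dnsmasq code; all names, addresses and TTLs constructed)."""
from types import SimpleNamespace

class Nameserver:
    """Authoritative server over constructed (qname, qtype) -> (rdata, ttl) records."""
    def __init__(self, name, records):
        self.name, self.records = name, records

    def answer(self, qname, qtype):
        if (qname, qtype) in self.records:
            return ("ANSWER", qname) + self.records[(qname, qtype)]
        labels = qname.split(".")       # no exact data: refer to the closest delegation we hold
        for i in range(1, len(labels)):
            zone = ".".join(labels[i:])
            if (zone, "NS") in self.records:
                return ("REFERRAL", zone) + self.records[(zone, "NS")]
        raise LookupError(f"{self.name} has no data for {qname}")

class Cache:
    """TTL-aware cache; get() returns (rdata, seconds left) or None once expired."""
    def __init__(self, clock):
        self.clock, self.entries = clock, {}

    def get(self, key):
        rdata, expires = self.entries.get(key, (None, 0))
        return (rdata, expires - self.clock.now) if expires > self.clock.now else None

    def put(self, key, rdata, ttl):
        self.entries[key] = (rdata, self.clock.now + ttl)

class Resolver:
    """Iterative resolver: walks root -> TLD -> authoritative, caching every step."""
    def __init__(self, network, root_name, clock):
        self.network, self.root_name = network, root_name   # network: name -> Nameserver
        self.cache, self.trace, self.online = Cache(clock), [], True

    def resolve(self, qname, qtype="A"):
        if not self.online:
            raise TimeoutError("resolver unreachable")
        hit = self.cache.get((qname, qtype))
        if hit:
            return hit
        labels, server = qname.split("."), self.root_name
        for i in range(1, len(labels)):  # start at the deepest delegation already cached
            ns = self.cache.get((".".join(labels[i:]), "NS"))
            if ns:
                server = ns[0]
                break
        while True:
            self.trace.append(server)
            kind, name, rdata, ttl = self.network[server].answer(qname, qtype)
            self.cache.put((name, "NS" if kind == "REFERRAL" else qtype), rdata, ttl)
            if kind == "ANSWER":
                return rdata, ttl
            server = rdata                  # follow the referral down the tree

class Forwarder:
    """Forwarder: caches answers but relies on one upstream resolver for the real work."""
    def __init__(self, upstream, clock):
        self.upstream, self.cache = upstream, Cache(clock)

    def resolve(self, qname, qtype="A"):
        hit = self.cache.get((qname, qtype))
        if hit:
            return hit
        rdata, ttl = self.upstream.resolve(qname, qtype)   # upstream down => no answer at all
        self.cache.put((qname, qtype), rdata, ttl)
        return rdata, ttl

def build_network():
    """Constructed delegation chain root -> .com -> domain.com (glue omitted, names map directly)."""
    return {
        "root.example": Nameserver("root.example", {("com", "NS"): ("tld.example", 172800)}),
        "tld.example": Nameserver("tld.example", {("domain.com", "NS"): ("ns1.domain.com", 172800)}),
        "ns1.domain.com": Nameserver("ns1.domain.com", {("www.domain.com", "A"): ("192.0.2.10", 60)}),
    }, "root.example"

def demo():
    clock = SimpleNamespace(now=0)                      # seconds, advanced by hand below
    resolver = Resolver(*build_network(), clock)
    forwarder = Forwarder(resolver, clock)
    first, _ = resolver.resolve("www.domain.com")      # full walk: root, .com, domain.com
    first_trace = list(resolver.trace)
    clock.now += 61                                     # A record (TTL 60) expired, NS records not
    resolver.trace.clear()
    second, _ = resolver.resolve("www.domain.com")     # only the domain's own NS is asked again
    second_trace = list(resolver.trace)
    via_fwd, remaining = forwarder.resolve("www.domain.com")  # served from the upstream's cache
    resolver.online = False                             # the upstream goes away ...
    clock.now += 61                                     # ... and the forwarder's copy expires
    try:
        forwarder.resolve("www.domain.com")
        fwd_failed = False
    except TimeoutError:
        fwd_failed = True
    return {"first": first, "first_trace": first_trace, "second": second, "second_trace": second_trace,
            "via_forwarder": via_fwd, "remaining_ttl": remaining, "forwarder_failed": fwd_failed}
```

`demo()` returns a dict: `first_trace` lists the three servers asked on the first lookup, `second_trace` contains only `ns1.domain.com`, `remaining_ttl` is the 60 seconds the upstream had left rather than a fresh TTL, and `forwarder_failed` is `True` once the upstream is gone. DNSSEC validation, glue records and the real 13 root server set are deliberately left out; the point is only the shape of the two lookup paths.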
                        • jimpJ
                          jimp Rebel Alliance Developer Netgate
                          last edited by

                          I went over this in detail in a hangout not too long ago:

                          https://www.netgate.com/resources/videos/local-dns-with-pfsense-24.html

                          Slides that go with it:

                          https://www.slideshare.net/NetgateUSA/local-dns-with-pfsense-24-pfsense-hangout-april-2018

                          Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

                          Need help fast? Netgate Global Support!

                          Do not Chat/PM for help!

                          • T
                            tobiasm @Gertjan
                            last edited by

                            @gertjan said in Difference between DNS Resolver and DNS Forwarder:

                            For historical reasons, pfSense used dnsmasq for DNS resolving. It behaved as many SOHO routers do : it centralized DNS requests from LAN clients, and if dnsmasq can't resolve directly, it passes them to the upstream DNS server, often the one or two proposed by the ISP.
                            Some time ago, unbound became more popular. unbound behaves differently : it will question the 13 (?) main DNS Internet root servers, who will give the top level DNS server (like dot com), and these will pass on the actual name resolution servers. A name server will actually translate the domaine.tld to an IP and hand the result over to unbound, who will hand it over to the client.

                            One of the advantages of unbound is that it is compatible with DNSSEC.

                            These two DNS tools, unbound and dnsmasq, are mutually exclusive; you can use only one of them.

                            Thanks! This is very helpful. The slides by @jimp are great, too.

                            • C
                              caigeliu
                              last edited by

                              This is a good post and asked a question that has also been in my mind for years. Now I am clearer that in pfSense you can use either the DNS forwarder (dnsmasq) or the DNS resolver (unbound, DNSSEC), because these two are mutually exclusive.

                                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.