    DNS configuration

    DHCP and DNS
    17 Posts 5 Posters 689 Views
    • Gertjan @JKnott
      last edited by Gertjan

      @JKnott said in DNS configuration:

      I can't delete the last one.

      A minor interface glitch - empty the last line like this :

      [screenshot]

      and Save.

      @JKnott said in DNS configuration:

      I had 2 servers configured, both Google DNS IPv6 addresses. When I watch the DNS traffic, I see queries to the Google servers, though with a slightly different address. One query to that address was for Youtube, another for translate.googleapis.com.

      These DNS requests come from pfSense, or from one of the LAN devices ?
      Nothing forbids a device from using its own burned-in DNS server, bypassing everything upstream.

      Btw : this is the list with root servers, probably compiled into unbound :
      http://www.internic.net/domain/named.root

      These servers don't know anything, but do cache.
      If they don't have the answer - from cache, they answer back the list with (?) the corresponding tld DNS server(s).
      The tld - like dot com - knows who are the name servers (typically 2) of a domain name.
      Having that info, unbound contacts the / a name server and asks the final question :
      do you have an A record for "forum.netgate.com" ?
      The name server comes back with :
      208.123.73.199

      Try for yourself : block all DNS requests coming in on LAN (port 53 - UDP and TCP), except those with destination : the Firewall itself.
      This forces devices to use pfSense as a centralized DNS resolver.
      I bet you won't see any strange DNS servers IP's anymore.

      I think pfSense is missing something in /etc/resolv.conf
      The ::1 !

      That's why I set things up like this :

      [screenshot]

      So I wind up using a classic default 'FreeBSD' /etc/resolv.conf like :

      [2.4.4-RELEASE][root@priv.brit-hotel-fumel.net]/var/unbound: cat /etc/resolv.conf
      nameserver 127.0.0.1
      nameserver ::1
      search brit-hotel-fumel.net
      

      Btw : https://www.freebsd.org/cgi/man.cgi?resolv.conf
      You will find there :

      nameserver   Internet address (in dot notation) of a name server that the
                   resolver should query.  Up to MAXNS (currently 3) name
                   servers may be listed, one per keyword.  If there are multiple servers,
                   the resolver library queries them in the order
                   listed.  If no nameserver entries are present, the default is
                   to use the name server on the local machine.  (The algorithm
                   used is to try a name server, and if the query times out, try
                   the next, until out of name servers, then repeat trying all
                   the name servers until a maximum number of retries are made).
      

      Thus, putting in more than 2 IPs as DNS servers is useless ? (127.0.0.1 is already there IF unbound or dnsmasq is running)
      So, what about all those people charging a max (more than 3) DNS servers = nameserver??

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • JKnott
        last edited by

        @Gertjan said in DNS configuration:

        These DNS requests come from pfSense, or from one of the LAN devices ?

        What I'm seeing on the wire is from pfSense. It's the local DNS server that all my devices use. I've seen requests from Youtube, Indeed and others, that would typically originate from my desktop system. So, they'd request from pfSense, which in turn requests from elsewhere. I'll try deleting those 2 servers and see what happens.

        PfSense running on Qotom mini PC
        i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
        UniFi AC-Lite access point

        I haven't lost my mind. It's around here...somewhere...

        • JKnott
          last edited by JKnott

          I just deleted those servers and rebooted pfSense. I again see a DNS request to 2001:4860:4802:34::a, which is a Google DNS server. The query is for gmail, which is likely coming from my desktop computer, but might also be from my cell phone or tablet. Regardless, the source IP is my pfSense firewall, as would be expected, when it's the local DNS server. Why is it doing this, when configured as a resolver? I am also seeing some that are likely root servers, 2001:500:d937::30. I also see 216.239.34.10, which is Google.

          Why am I seeing Google DNS requests, when there are no servers configured for them? In fact, I have never configured that IPv4 address.


          • johnpoz LAYER 8 Global Moderator
            last edited by johnpoz

            If unbound is resolver, which is default.. it talks to roots to get the NS for the tld, then asks the tld NS for the NS for the domain in question. Then asks the NS for domain.tld for the actual record.

            You state slightly other IPs... So how and the F do you think the IPs you have setup have anything to do with it?

            Yeah in the process of resolving say google.com - going to have to talk to NS that are authoritative for google.com.. Which yeah going to be on a google owned IP ;)

            Do a simple dig +trace if you want to understand how the resolving process works.

            How is it you have been in the biz for how many years and you don't understand basic dns?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

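The delegation walk Gertjan and johnpoz describe (root, then TLD, then the domain's own name servers, which is what `dig +trace` prints) as an added simulation written for this page; it is not code from the thread, pfSense or unbound. The zone data, server names and addresses are constructed (RFC 5737 documentation ranges), and a real resolver would send each hop as a network query.

```python
"""Simulated iterative DNS resolution (what `dig +trace` shows).

Added example, not code from the thread or from pfSense/unbound.
All zone data and addresses are constructed; a real resolver would
send the queries below over the network.
"""
from typing import Dict, List, Optional, Tuple

# Constructed delegation tree.  Each zone lists the child zones it
# delegates (one name server plus its glue address) and the A records
# it is itself authoritative for.  Root and TLD servers hold no host
# records at all: they only hand out referrals, which is why the last
# hop for a Google name is always a Google-operated server.
ZONES: Dict[str, dict] = {
    ".": {"delegations": {"com.": ("a.gtld-servers.net.", "192.0.2.10")},
          "records": {}},
    "com.": {"delegations": {"google.com.": ("ns1.google.com.", "198.51.100.20")},
             "records": {}},
    "google.com.": {"delegations": {},
                    "records": {"www.google.com.": "203.0.113.5"}},
}
ROOT_HINT = ("a.root-servers.net.", "192.0.2.1")  # constructed stand-in for named.root

Hop = Tuple[str, str, str]  # (zone asked about, server name, server address)


def _best_referral(name: str, delegations: Dict[str, tuple]) -> Optional[str]:
    """Longest delegated child zone that contains `name`, if any."""
    matches = [z for z in delegations if name == z or name.endswith("." + z)]
    return max(matches, key=len) if matches else None


def resolve(name: str, cache: Dict[str, str]) -> Tuple[str, List[Hop]]:
    """Return (address, hops); hops is empty when the answer came from cache."""
    if name in cache:
        return cache[name], []
    zone, (ns_name, ns_addr) = ".", ROOT_HINT
    hops: List[Hop] = []
    while True:
        hops.append((zone, ns_name, ns_addr))   # a real query would be sent here
        data = ZONES[zone]
        if name in data["records"]:             # authoritative answer
            cache[name] = data["records"][name]
            return cache[name], hops
        child = _best_referral(name, data["delegations"])
        if child is None:
            raise LookupError(f"{name}: no delegation from zone {zone}")
        zone, (ns_name, ns_addr) = child, data["delegations"][child]


if __name__ == "__main__":
    cache: Dict[str, str] = {}
    addr, hops = resolve("www.google.com.", cache)
    for zone, ns, ip in hops:
        print(f"asked {ns} ({ip}) about {zone}")
    print("answer:", addr)
    print("second lookup hops:", resolve("www.google.com.", cache)[1])
```

The first lookup shows three outbound queries ending at the Google-operated name server even though no forwarder is configured; the repeat lookup is served from cache and produces no traffic at all.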
            • KOM
              last edited by

              Not everybody knows everything. I've been doing this for years and I still got schooled for assuming that I could port-forward traffic to a non-existent address until I stopped and thought about it.

              • johnpoz LAYER 8 Global Moderator
                last edited by johnpoz

                Agreed... But dns is how the internet works.. And he is a techy.. Never wondered how www.google.com gets you IP address?

                Pretty sure he has been around for the birth of the internet ;) Same as me - how you got an IP from a name was pretty essential in understanding how the network works, and it didn't come up until now?

                I can understand the nontechy kids of today, or grandma etc. not getting it... But he is a tech guy that works in the biz.. And if not mistaken for many many years - like before there even was an internet ;) So how is it 30 some years later just not getting to figuring it out? That is my question.

                Not asking him how he doesn't know the correct formatting for bind conf file.. Or how to register an authoritative ns, etc But understanding the basic concept of how it works.. You would of thunk would be something he looked into years and years ago just saying.


                • JKnott
                  last edited by

                  @johnpoz said in DNS configuration:

                  Agreed... But dns is how the internet works.. And he is a techy.. Never wondered how www.google.com gets you IP address?

                  Yes, I have been around for years, but never really focused on DNS. I was just going through the pfSense book and decided to see what was happening with my own system.


                  • johnpoz LAYER 8 Global Moderator
                    last edited by

                    Just nuts... Here is a fantastic book if you want to get some better understanding.
                    http://shop.oreilly.com/product/9780596100575.do

                    They have a dns and IPv6 one you prob be more interested in.
                    http://shop.oreilly.com/product/0636920020158.do


                    • KOM
                      last edited by

                      DNS and BIND, 5th Edition: 648 pages

                      DNS and BIND on IPv6: 54 pages

                      [image]

                      • kiokoman LAYER 8
                        last edited by

                        eh knowledge comes at a price

                        ̿' ̿'\̵͇̿̿\з=(◕_◕)=ε/̵͇̿̿/'̿'̿ ̿
                        Please do not use chat/PM to ask for help
                        we must focus on silencing this @guest character. we must make up lies and alter the copyrights !
                        Don't forget to Upvote with the 👍 button for any post you find to be helpful.

                        • KOM @kiokoman
                          last edited by

                          @kiokoman Yes, but how is the IP6 book a tenth of the size? I assume it's a typo, but I still thought it was funny.

                          • kiokoman LAYER 8
                            last edited by

                            nope. "this concise book provides the essentials you need to support this protocol "
                            generally speaking someone should read the first book and then the second one. dns concepts are, for the most part, the same for ipv4 and ipv6


                            • johnpoz LAYER 8 Global Moderator
                              last edited by

                              Yeah you need to read the first one first ;) But I threw in link to IPv6 one because that would get his motor running.. He is the local ipv6 Drum Major ;)


                              • Gertjan @johnpoz
                                last edited by Gertjan

                                @johnpoz said in DNS configuration:

                                he has been around for the birth of the internet ;)

                                I remember very well, in the old days when Compuserve offered something called a 'gateway' to a new network called 'Internet' (had to install a program called "SPRY Mosaic" to 'browse' that network). Yahoo had a site that let you search the available resources. Google, as a site and competitor, came some time afterwards.


                                • johnpoz LAYER 8 Global Moderator
                                  last edited by johnpoz

                                  Remember the old trumpet winsock program to get tcp/ip back in the day ;)

                                  So yeah back at the birth... So how is some 25-30 years later just now getting around to figuring out how dns works.. Just funny to me is all. Happy to help... That book is very good read.. Back when I read it 1st or 2nd edition ;) Early 1990s time frame.


                                  • JKnott @johnpoz
                                    last edited by

                                    @johnpoz said in DNS configuration:

                                    So yeah back at the birth... So how is some 25-30 years later just now getting around to figuring out how dns works.

                                    As someone else mentioned, you can't know everything and I hadn't focused on DNS. I am aware of how it works, with root servers etc., but my attention was elsewhere. All I was doing the other day is seeing how pfSense matched up with what was in the book and used Wireshark to see what was happening, as I often do.


                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.