Netgate Discussion Forum

    Having issues with pfSense box

    • KOM

      A forwarder merely forwards DNS requests to another upstream DNS server. For it to work, you need to give it the IP address of another server to forward to.

      A resolver talks directly to the root DNS servers to find out from them who is the authoritative DNS for the FQDN you're requesting, and then talks to that authoritative DNS server and gets the IP address from that server. You don't supply any upstream DNS for this to work because it talks to the root servers, which are a standard well-known list of special core DNS servers. However, the resolver can work in forwarding mode, in which case you do need to supply it with upstream DNS via General Settings - DNS Servers. If you're going to forward, you may as well just use the forwarder and disable the resolver.

      There are other reasons why you would use one over the other that we can get into later if you're curious.

      • maverickws @KOM

        @KOM

        OOHH! Excellent explanation, ok, it all makes sense. Removing the upstream DNS servers from config!
        I am always curious; if you've got the time and the will to let me know about those other reasons, let it rip! :)

        You've been great, thanks for all the help!

        EDIT: It seems that disabling the option "Enable DNS Forwarding" isn't enough, I MUST remove the upstream DNS servers from General Settings, or it will still query those. Am I wrong?
        (bc I just disabled the option then went on Diagnostics > DNS Lookup and it kept querying the upstream servers.)

        • Gertjan @maverickws

          @maverickws said in Having issues with pfSense box:

          I MUST remove the upstream DNS servers from General Settings, or it will still query those. Am I wrong?

          Yes ;)

          The GUI page "Diagnostics => DNS Lookup" gets a list of all name servers from the known system-wide resolv.conf file.
          That's where 127.0.0.1 (pfSense itself, thus the Resolver) and all the other name servers, the ones you added yourself on the "General" page, are listed.
          They are all tested by this PHP page.

          The Resolver itself, accessible at 127.0.0.1 @ port 53 - using default settings - doesn't use these servers. It will question the 13 main root servers and dig downwards.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • maverickws @Gertjan

            @Gertjan
            Hi there, thanks for your reply!

            So what you say is, just to confirm I am understanding fully, I may keep them under General Settings, they may be used by the webConfigurator when I query via Diagnostics > DNS Lookup, but as long as I have forwarding disabled on the DNS Resolver they won't be used. That's it?

            • Gertjan @maverickws

              @maverickws IMHO: Yep.

              • stephenw10 Netgate Administrator

                Yes, Diag > DNS Lookup will test all the defined DNS servers on the system.

                In the default config it will use the resolver directly though.

                That means you are running the resolver (Unbound) not the forwarder (DNSMasq). Unbound is not running in forwarding mode. You have not checked Disable DNS Forwarder in System > General Setup.

                Steve

                • KOM

                  @maverickws said in Having issues with pfSense box:

                  I am always curious if you got the time and the will to let know about those other reasons, let it rip! :)

                  Resolver is initially slower as it has to walk the DNS tree from the roots down until it gets its answer, but this is more private as you don't have a middleman seeing your DNS requests. Once resolver's cache fills up with the requests you make most frequently, it's just as fast as forwarder.

                  Forwarder is fast because it talks to upstream DNS that most likely already has cached the IP address you're requesting, but it's less secure because whoever you're forwarding to knows what you're requesting.

                  You can enable DNS over TLS to encrypt your DNS traffic from man-in-the-middle snooping by your ISP, for instance.

                  • bcruze @KOM

                    @KOM said in Having issues with pfSense box:

                    @maverickws said in Having issues with pfSense box:

                    I am always curious if you got the time and the will to let know about those other reasons, let it rip! :)

                    Resolver is initially slower as it has to walk the DNS tree from the roots down until it gets its answer, but this is more private as you don't have a middleman seeing your DNS requests. Once resolver's cache fills up with the requests you make most frequently, it's just as fast as forwarder.

                    Forwarder is fast because it talks to upstream DNS that most likely already has cached the IP address you're requesting, but it's less secure because whoever you're forwarding to knows what you're requesting.

                    You can enable DNS over TLS to encrypt your DNS traffic from man-in-the-middle snooping by your ISP, for instance.

                    So if you enable DNS over TLS with just the resolver enabled, and no other DNS servers listed in General...

                    how do you know the DNS servers are capable of handling that type of service?

                    • stephenw10 Netgate Administrator

                      You don't and generally they are not. You need to use forwarding mode for DNS over TLS to something you know does support it.

                      Steve

                      • KOM
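As an added example (not code from pfSense, Unbound or anyone in this thread), a small Python script that models the two behaviours discussed above: Diagnostics > DNS Lookup tests every nameserver in resolv.conf, while the Resolver (Unbound) only sends queries to addresses that appear in a forward-zone, and DNS over TLS (forward-tls-upstream) can only take effect on such forwarded queries, never on the root walk. The resolv.conf and unbound.conf contents, IP addresses and the TLS auth name are constructed placeholders.

```python
"""Constructed example: which servers are actually queried on a pfSense box."""
import re

# Constructed resolv.conf as pfSense writes it: loopback (Unbound) plus the
# servers entered under System > General Setup. Addresses are placeholders.
RESOLV_CONF = """\
nameserver 127.0.0.1
nameserver 203.0.113.53
nameserver 198.51.100.53
"""

# Constructed unbound.conf fragment with forwarding mode and DNS over TLS
# enabled (placeholder upstream; "#name" is the TLS authentication name).
UNBOUND_FORWARDING = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 203.0.113.53@853#dot.example.net
"""

# Same resolver with forwarding disabled: no forward-zone at all, so the
# General Setup servers in resolv.conf are never used by Unbound.
UNBOUND_RESOLVING = """\
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
"""


def diagnostics_servers(resolv_conf):
    """Servers the DNS Lookup page will test: every nameserver line."""
    return re.findall(r"^\s*nameserver\s+(\S+)", resolv_conf, re.M)


def unbound_upstreams(unbound_conf):
    """Return (mode, upstream_ips, tls_effective) for an Unbound config.

    mode is 'forwarding' when a forward-zone supplies forward-addr lines,
    otherwise 'resolving' (Unbound walks down from the root hints).
    forward-tls-upstream only matters when there is something to forward to,
    so it is reported as ineffective in resolving mode.
    """
    addrs = re.findall(r"^\s*forward-addr:\s*(\S+)", unbound_conf, re.M)
    tls = re.search(r"^\s*forward-tls-upstream:\s*yes", unbound_conf, re.M)
    if addrs:
        return "forwarding", [a.split("@")[0] for a in addrs], tls is not None
    return "resolving", [], False
```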

                        I should also clarify that when I said middlemen can't snoop on you with resolver, I meant the DNS servers doing the replying, e.g. Google, Level3 etc. Your ISP can still see what you're requesting, which is where encryption helps.

                        • maverickws

                          Thank you all.
                          I appreciate your comments on DNS Resolver and everything got sorted. Super!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.