why does DNS over TLS require forwarding mode?
-
After a lot of searching, I could not find an answer: why does pfSense not use DNS over TLS on port 853 for outbound queries without forwarding mode?
And if I am reading the DNS Resolver Status page correctly, with Forwarding Mode there is no caching? All queries are just forwarded to upstream servers? The pfSense is the main DNS resolver on the network, and everything else is redirected or blocked, so all LAN queries land on pfSense.
But without 'Forwarding Mode', all DNS queries leave pfSense over port 53. Also, there is no difference in the DNS Resolver logs whether I put DNS server hostnames in System / General or not, or even if I put something wrong in the hostnames.
Am I missing something here? Should it not give an error when it cannot verify the upstream DNS servers? Thank you for your help :).
-
You're reading it wrong. Where do you think it says that forwarding does not cache? No docs or anything ever say anything of the sort.
The status page for the resolver shows you the infrastructure cache, i.e. how fast it talks to the name servers you talk to. If you forward, the only thing listed in the infra cache would be the NS you're forwarding to, not the cache of records it has already looked up.
If you didn't forward and were resolving, then every single DNS server on the planet would have to use TLS, and since the name is in the cert and you have to trust it, you would have to know the names of every single DNS server before you could even connect to them.
If you wanted to look at the full cache:
unbound-control -c /var/unbound/unbound.conf dump_cache
If you don't forward, those servers in General would only ever be used by pfSense itself, with just normal lookups, i.e. over 53. The only way they are ever used with DoT is if you forward and have unbound set up to use TLS when forwarding.
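The point above (DoT only happens when you forward, and only when the forwarder's certificate name is known in advance) comes down to a few lines in unbound.conf. The following is an added example, not pfSense's or unbound's own code: a small checker that reads a forward-zone and reports every way the forwarders could end up being queried in the clear or unauthenticated. The config snippets are constructed; the option names (forward-zone, forward-addr, forward-tls-upstream, tls-cert-bundle) and the address@port#authname syntax are real unbound syntax, cloudflare-dns.com is the authname for 1.1.1.1, and the bundle path /etc/ssl/cert.pem is an assumption.

```python
"""Audit an unbound.conf forward-zone for DoT hygiene.

Added example, not pfSense's or unbound's own code. Configs are constructed;
option names and the ip[@port][#authname] syntax are real unbound syntax,
the /etc/ssl/cert.pem bundle path is an assumption.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# ip[@port][#authname]; #authname is the name unbound checks against the
# forwarder's certificate, which is why DoT needs a name you already know.
ADDR_RE = re.compile(r"^(?P<ip>[0-9a-fA-F.:]+)(?:@(?P<port>\d+))?(?:#(?P<auth>[\w.-]+))?$")


@dataclass
class Finding:
    severity: str
    message: str


@dataclass
class ForwardZone:
    name: str = ""
    addrs: list[str] = field(default_factory=list)
    tls_upstream: bool = False


def parse_unbound(conf: str) -> tuple[dict[str, str], list[ForwardZone]]:
    """Minimal reader: 'section:' headers followed by 'key: value' lines.
    A '#' inside a forward-addr is the authname separator, not a comment,
    so only whole-line comments are skipped."""
    server: dict[str, str] = {}
    zones: list[ForwardZone] = []
    section = None
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith(":"):  # "server:" or "forward-zone:"
            section = line[:-1]
            if section == "forward-zone":
                zones.append(ForwardZone())
            continue
        key, _, value = line.partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if section == "server":
            server[key] = value
        elif section == "forward-zone" and zones:
            zone = zones[-1]
            if key == "name":
                zone.name = value
            elif key == "forward-addr":
                zone.addrs.append(value)
            elif key == "forward-tls-upstream":
                zone.tls_upstream = value.lower() == "yes"
    return server, zones


def audit(conf: str) -> list[Finding]:
    """Empty result means every forwarder is reached over TLS on 853 with a
    certificate name to verify against a configured trust bundle."""
    server, zones = parse_unbound(conf)
    findings: list[Finding] = []
    if not zones:
        # Resolving mode: root, TLD and authoritative servers are reached
        # over plain 53; the forwarders in General are simply not used.
        findings.append(Finding("info", "no forward-zone: resolving mode, upstream traffic is plain port 53"))
        return findings
    for zone in zones:
        if not zone.tls_upstream:
            findings.append(Finding("high", f"forward-zone {zone.name!r}: forward-tls-upstream not set, forwarders queried over plain 53"))
            continue
        if not server.get("tls-cert-bundle"):
            findings.append(Finding("high", "tls-cert-bundle not set: forwarder certificates cannot be validated"))
        for addr in zone.addrs:
            m = ADDR_RE.match(addr)
            if not m:
                findings.append(Finding("high", f"unparseable forward-addr {addr!r}"))
            elif m["port"] != "853":
                findings.append(Finding("medium", f"{addr}: not using the DoT port 853"))
            elif not m["auth"]:
                findings.append(Finding("high", f"{addr}: no #authname, certificate name is never checked"))
    return findings


# Constructed configs. WEAK forwards with TLS never enabled (queries leave on
# 53); GOOD is the shape a correct DoT forwarding setup has.
WEAK = """
server:
    interface: 0.0.0.0
forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
"""

GOOD = """
server:
    tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
"""

if __name__ == "__main__":
    for label, conf in (("weak", WEAK), ("good", GOOD)):
        print(label, [(f.severity, f.message) for f in audit(conf)] or "clean")
```

Run it against `/var/unbound/unbound.conf` on the box and a clean result means DoT is actually in effect; the "info" finding on a config with no forward-zone is the resolving case from the post above, where the servers in General never see DoT regardless of any TLS option.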
-
@johnpoz said in why does DNS over TLS require forwarding mode?:
You're reading it wrong. Where do you think it says that forwarding does not cache? No docs or anything ever say anything of the sort.
Thank you for the quick reply.
Also, please confirm if this is correct: DNSSEC is not required when using DoT? I.e. we can leave that checkmark blank because it is using encryption to talk to the DNS servers, so a MITM attack does not apply here.
Is there a way to confirm that the hostnames in System / General are being used correctly?
The status page confused my colleague and me. Now it makes much more sense.
The dump_cache command helped a lot. Regarding the caching, is there a way to see how much memory the cache is using (or how many hosts are in there)? So we can tune the cache size according to the network size/usage.
-
DoT and DNSSEC are completely different things.
You don't use DNSSEC when you forward, because where you forward to is either doing DNSSEC or it isn't; asking for DNSSEC info means nothing when you forward. It only makes sense when you resolve.
DoT is an encrypted tunnel to the NS you're forwarding to. DNSSEC is validation that the info is signed by the authoritative nameservers of what you're looking up. One has nothing to do with the other.
The default cache size is like 10k records, with like 4MB default I believe. As to tuning your cache: please don't take this the wrong way, but you don't seem to understand how DNS even works, be it forwarding or resolving, or what DNSSEC even is, but you think you need to tweak the cache settings? The default should be fine. Bump it up if you think it's a bit low. The amount of memory we're talking about is minuscule. Now if you were talking 10k clients or something, or running a public-facing DNS server, OK ;) But unless you have some crazy amount of clients talking to unbound on pfSense, there would be little reason to adjust the default settings. Is your cache count at 10k? If so, bump it up to 20 or 50k even. The difference in memory usage amounts to rounding errors; you're talking a few MB vs. what, your system has GBs of memory?
You can view msg.cache.count for how many items are in your cache, and you can look at the mem.cache values for memory used by the different caches.
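The counters named above come from `unbound-control stats` (or `stats_noreset`, which reads them without zeroing them). The following is an added example, not pfSense's or unbound's own code, that turns that output into the two numbers worth looking at before touching the cache settings: how full each cache is against its byte limit, and the cache hit ratio. STATS is a constructed sample in the key=value format unbound-control prints; the counter names are real unbound statistics, and the 4m sizes are assumptions standing in for your configured msg-cache-size and rrset-cache-size.

```python
"""Report unbound cache usage from `unbound-control stats_noreset` output.

Added example, not pfSense's or unbound's own code. STATS is a constructed
sample; counter names are real unbound statistics. The 4m limits are
assumptions (replace with your configured msg-cache-size / rrset-cache-size).
"""
from __future__ import annotations

import sys

STATS = """\
total.num.queries=184233
total.num.cachehits=121980
total.num.cachemiss=62253
msg.cache.count=9874
rrset.cache.count=21552
infra.cache.count=133
mem.cache.rrset=3311275
mem.cache.message=3600000
"""

# unbound.conf size notation: k/m/g suffixes, 1024-based
SUFFIX = {"k": 1024, "m": 1024 ** 2, "g": 1024 ** 3}


def parse_size(size: str) -> int:
    """'4m' -> 4194304 bytes."""
    size = size.strip().lower()
    if size and size[-1] in SUFFIX:
        return int(float(size[:-1]) * SUFFIX[size[-1]])
    return int(size)


def parse_stats(text: str) -> dict[str, float]:
    """key=value lines -> dict; blank or malformed lines are skipped."""
    stats: dict[str, float] = {}
    for line in text.splitlines():
        key, sep, value = line.strip().partition("=")
        if sep and key:
            stats[key] = float(value)
    return stats


def summarize(stats: dict[str, float], msg_cache_size: str = "4m",
              rrset_cache_size: str = "4m", threshold: float = 0.8) -> dict:
    """Fill is measured in bytes against the configured limit, not in
    entries: unbound evicts by memory, so msg.cache.count alone does not
    tell you whether the cache is full."""
    queries = stats.get("total.num.queries", 0.0)
    hits = stats.get("total.num.cachehits", 0.0)
    msg_fill = stats.get("mem.cache.message", 0.0) / parse_size(msg_cache_size)
    rrset_fill = stats.get("mem.cache.rrset", 0.0) / parse_size(rrset_cache_size)
    report = {
        "hit_ratio": hits / queries if queries else 0.0,
        "msg_entries": int(stats.get("msg.cache.count", 0)),
        "rrset_entries": int(stats.get("rrset.cache.count", 0)),
        "msg_fill": msg_fill,
        "rrset_fill": rrset_fill,
        "recommendations": [],
    }
    if msg_fill > threshold:
        report["recommendations"].append(
            f"msg-cache-size {msg_cache_size} is {msg_fill:.0%} full: raise it "
            "(unbound's optimisation guide keeps rrset-cache-size at roughly twice msg-cache-size)")
    if rrset_fill > threshold:
        report["recommendations"].append(
            f"rrset-cache-size {rrset_cache_size} is {rrset_fill:.0%} full: raise it")
    return report


if __name__ == "__main__":
    # Live use on pfSense:
    #   unbound-control -c /var/unbound/unbound.conf stats_noreset | python3 cache_report.py
    text = STATS if sys.stdin.isatty() else sys.stdin.read()
    for key, value in summarize(parse_stats(text)).items():
        print(f"{key}: {value}")
```

A high hit ratio with a cache well under its limit is the normal small-network picture and needs no tuning; only when mem.cache.message approaches the configured msg-cache-size does raising it buy anything, and the cost is a few MB either way.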
-
@johnpoz said in why does DNS over TLS require forwarding mode?:
DoT and DNSSEC are completely different things.
I know DoT and DNSSEC are completely different things. I was just confirming the statement you made in this forum post
https://forum.netgate.com/topic/152338/unbound-failed-to-prime-trust-anchor-could-not-fetch-dnskey-rrset-dnskey-in?_=1606284558274
and asking from a different angle. I'm still learning as much as I can about pfSense and networking, and sometimes the documentation does not answer some questions.
Unfortunately, since I became a one-man IT department with a dumpster fire of a network that cannot go down, I have a lot of clients all of a sudden :D.
It was more of a curiosity question, in case it becomes a necessity.
-
@seewolf: if you're ready for a level up, see this thread https://forum.netgate.com/topic/158399/sad-dns-and-unbound-question?_=1606286231170 and read what @bwoodcock said.
The good news: DNSSEC and DoT will be possible when DANE goes 'global'.
The bad news: for all this to happen, first DNS (from 1953) has to be understood. Then everybody, the ones who set up DNS and name servers, can go haywire and implement everything up to and including DANE. What is known as forwarding today would cease to exist. Only "resolving" will remain. No more need for a third-party DNS partner. All DNS requests will get encrypted and authenticated from start to end: you, the apps you use, will know that a DNS answer exists, if it is OK and taken from the trusted source. No need to go to 1.1.1.1 or 8.8.8.8, as they wouldn't be part of any lookup path anymore, except if you really want to give your DNS request to someone else.
With DANE, a simple DNS request like "what is the AAAA record of forum.netgate.com" would take millions of CPU cycles to be burned all over the planet. Caching at multiple stages becomes even more of a must.
For us common mortals, there is good news: pfSense resolves out of the box. Priority has been given to "obtain a certified DNS answer" over "hide the DNS request", as your DNS request will go in the clear over the net after the DNS resolver you forwarded to.
Back to your initial question:
why does DNS over TLS require forwarding mode?
Short answer: because these 13 root servers don't use TLS over port 853. Neither do (most of?) the TLD (com, org, net, etc.) servers.
So you can forward using TLS to the next 'DNS hop'. After this hop you forwarded to, DNS is resolved using resolving ;)
See DNS_over_TLS, the last line.
-
Thank you all for the information here. After this we started looking more into how everything works, and now it is much clearer.
PS: regarding cache size, I needed to bump it up; it was using more than the default.