[SOLVED] Which DNS-Servers does unbound use?
-
You need to understand the difference between a forwarder and a resolver. If you're going to use the pfSense out-of-the-box config then it will be in resolver mode and ask the roots "hey, who is authoritative for .com?", then the .com NS "hey, who is authoritative for domain.com?", then the domain.com NS "hey, what is the A record for www.domain.com?"
This seems to be a big issue with users understanding the difference. If you're going to use unbound in default resolver mode then really the only DNS server you should have listed in pfSense is loopback, 127.0.0.1.
You then know for sure you're getting the info straight from the horse's mouth, and will have full DNSSEC support, etc.
-
Ah ok, so forwarding would mean that pfSense "forwards" the requests (to a public DNS or a DNS of my provider, which I specified under "DNS Servers"), but as a resolver it directly asks the root DNS servers?
-
Exactly, but the roots only know the name servers for the TLD; the TLD servers know the domains that are under their TLD. You walk the tree down using a resolver.
Whereas with a forwarder you just ask your ISP or Google, then they either have it cached, or they forward, or they resolve it. At some point in the chain there will be a resolver.
-
Alright, thanks a lot :-)
-
@johnpoz said in [SOLVED] Which DNS-Servers does unbound use?:
Exactly, but the roots only know the name servers for the TLD; the TLD servers know the domains that are under their TLD. You walk the tree down using a resolver.
Whereas with a forwarder you just ask your ISP or Google, then they either have it cached, or they forward, or they resolve it. At some point in the chain there will be a resolver.
So how do you actually decide what is better for you to use? Is using a DNS service like Cloudflare just faster? Is using the Netgate box as the DNS resolver slower but with better privacy?
-
@shjfliejfasel said in [SOLVED] Which DNS-Servers does unbound use?:
DNS resolver slower
This is a misunderstanding of how DNS works, to be honest.. Resolving does not end up slower than forwarding. And sometimes it can actually be faster ;)
When you forward, whatever you ask them that is not cached, they will have to resolve. But you might already have 30-some ms of latency to the DNS you're forwarding to.
This 30ms is every single time you request anything.. And then longer if they have to resolve something. What is the latency to where you're forwarding? Me asking my local resolver is less than 1ms ;)
Once a resolver asks the roots for the TLD .com, that is cached.. Don't have to ask that again until the TTL expires. So I can directly ask the .com servers for domain.com.. Now that is cached, so when I look up the record www.domain.com I can just directly ask the NS for that domain. Which might only be 10ms away..
While sure, a resolver might be a tad slower on resolving from a dead start than asking some forwarder that has it cached. Depending on what and how you query, resolving could be faster ;) But in the big picture, if you're not resolving because you "think" it's slower.. You need to think again about how that actually works.
As you ask Google DNS for www.domain.com every single time that TTL you're storing expires.. And you just get whatever TTL that forwarder had left from the last time they looked it up. And so you will be doing that again.. So you could have more queries than with resolving, where you will always get the full TTL that the authoritative NS set on the record.
If you are making a decision on forwarding or resolving because you think there is some speed advantage to handing all your info over to Google.. You need to rethink that.. Generally speaking, the few ms that might take, even for a cold lookup vs asking a forwarder that has it cached, makes no difference..
-
@johnpoz On my home network with dozens of devices but only 2 humans, I definitely find that many web pages feel a little slower with the standard Unbound resolver mode compared to forwarding. Why? Because resolvers like Cloudflare etc. have millions of users keeping records in their cache fresh and up to date. A lot of services these days have very short expiry times, so your resolver ends up going out constantly to refresh its cache.
The fix for this is the "hack" setting under Advanced, "Serve Expired", which means Unbound will reply with the expired record but then simultaneously go and refresh it.
As to comments about Google getting all your records in forwarder mode - sure. Except there are other sides to this coin. I can use someone like Cloudflare as a resolver and enforce TLS, which means all my requests are encrypted. The only one who knows is Cloudflare (or whoever I use). Using resolver mode, most of the DNS requests will end up being in the clear. In a country with enforced metadata retention laws, I'm equally as worried about big brother sniffing all that unencrypted DNS traffic.
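-
Added example (not from the thread, and not Unbound's or pfSense's code): a small Python simulation of the two modes discussed above. It walks a constructed zone tree the way a resolver does (root, then TLD, then the domain's NS), caches answers and delegations with TTLs, models a forwarding client behind a shared public resolver that a "crowd" of other users keeps warm, and loosely models the "Serve Expired" option (stale record handed out with TTL 0 while the refresh happens; real Unbound has its own knobs for how long stale data may be served). The zone names, the 192.0.2.10 address, the 60-second TTL and the query schedules are all made-up sample data. Nothing here touches the network.

```python
"""Simulated DNS caching: iterative resolution vs forwarding (no network).

Added example, not from the thread. The zones, addresses and TTLs below are
constructed sample data; the "crowd" stands in for other users of a public
forwarder, and serve_expired loosely models Unbound's serve-expired option.
"""

# Constructed authoritative data: zone -> {name: (rdata, ttl_seconds)}.
# In a parent zone the entry for a child zone is its NS delegation.
ZONES = {
    ".": {"com.": ("a.gtld-servers.net.", 172800)},             # root -> TLD
    "com.": {"example.com.": ("ns1.example.com.", 172800)},     # TLD -> domain
    "example.com.": {"www.example.com.": ("192.0.2.10", 60)},   # the record, short TTL
}


def zone_chain(qname):
    """'www.example.com.' -> ['.', 'com.', 'example.com.']: root down to the zone holding qname."""
    labels = qname.rstrip(".").split(".")
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, 0, -1)]


class Resolver:
    """Unbound in default mode: walks the tree itself, caching answers and delegations."""

    def __init__(self, serve_expired=False):
        self.serve_expired = serve_expired
        self.answers = {}        # qname -> (rdata, expires_at)
        self.delegations = {}    # zone -> expires_at; the root is always known (root hints)
        self.upstream_queries = 0
        self.stalls = 0          # times a client had to wait for an upstream round trip

    def resolve(self, qname, now):
        hit = self.answers.get(qname)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now            # cache hit: remaining TTL
        if hit and self.serve_expired:
            self._fetch(qname, now)                # refresh "in the background" ...
            return hit[0], 0                       # ... while handing out the stale record
        self.stalls += 1
        return self._fetch(qname, now)

    def _fetch(self, qname, now):
        chain = zone_chain(qname)
        # Resume from the deepest delegation still cached (the root if none).
        start = max(i for i, z in enumerate(chain)
                    if z == "." or self.delegations.get(z, 0) > now)
        for parent, child in zip(chain[start:], chain[start + 1:]):
            _ns, ttl = ZONES[parent][child]         # ask the parent: who serves child?
            self.upstream_queries += 1
            self.delegations[child] = now + ttl
        rdata, ttl = ZONES[chain[-1]][qname]        # ask the authoritative server
        self.upstream_queries += 1
        self.answers[qname] = (rdata, now + ttl)
        return rdata, ttl                           # full TTL as set by the zone owner


class ForwardingClient:
    """Unbound in forwarding mode: one upstream, caches whatever comes back.
    A shared public resolver only returns the TTL it has left, not the full TTL."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.answers = {}
        self.upstream_queries = 0
        self.stalls = 0

    def resolve(self, qname, now):
        hit = self.answers.get(qname)
        if hit and hit[1] > now:
            return hit[0], hit[1] - now
        self.stalls += 1
        self.upstream_queries += 1
        rdata, ttl = self.upstream.resolve(qname, now)   # ttl = forwarder's remaining TTL
        self.answers[qname] = (rdata, now + ttl)
        return rdata, ttl


def compare(client_times, crowd_times, qname="www.example.com."):
    """Replay one query schedule through both modes; the crowd hits only the public forwarder.
    Returns {mode: (stalls, upstream_queries)}."""
    local, public = Resolver(), Resolver()
    forwarding = ForwardingClient(public)
    events = [(t, "crowd") for t in crowd_times] + [(t, "client") for t in client_times]
    for t, who in sorted(events):
        if who == "crowd":
            public.resolve(qname, t)
        else:
            local.resolve(qname, t)
            forwarding.resolve(qname, t)
    return {"resolver": (local.stalls, local.upstream_queries),
            "forwarder": (forwarding.stalls, forwarding.upstream_queries)}


if __name__ == "__main__":
    # A client asking every 40 s, behind a forwarder that a crowd keeps warm every 10 s.
    print(compare(range(45, 326, 40), range(0, 351, 10)))
    # -> {'resolver': (4, 6), 'forwarder': (6, 6)}: same upstream traffic, but the forwarding
    #    client waited on a round trip 6 times because it kept receiving partial TTLs.
```

With a 60-second record and a client asking every 40 seconds, the local resolver waits on an upstream round trip 4 times in the window (and only the first of those is the full root/TLD/domain walk; the delegations stay cached for two days), while the forwarding client waits 6 times because each answer arrives with only the TTL the forwarder had left. Turning on serve_expired in the Resolver keeps the stale answer flowing during the refresh, which is the effect of the "Serve Expired" setting described above.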
-
Thanks for the answers. I was looking at DNS "stuff" specifically because I didn't want my ISP getting all my browsing history. I thought Cloudflare might be a good choice because it is what Firefox is now using.
However, I never knew you could roll your own, so this feature of the Netgate box was a nice surprise.
In that case, is there a reason that a computer really even needs an external DNS resolver/forwarder? Couldn't the desktop machine just act as its own resolver the same way that the Netgate box does?
-
@shjfliejfasel That would be horrendously inefficient (I believe something like 98% of the traffic the root servers get could be classified as "unnecessary") and would also require much more code on every client's end. It would also make central administration pretty much impossible for most networks.
-
@griffo said in [SOLVED] Which DNS-Servers does unbound use?:
have millions of users keeping records in their cache fresh and up to date
You would think that, huh - but quite often when you query you get a very short TTL, and now you have to do a second query.. And then again it might not be the full TTL.
Also with pointing to a CDN-based forwarder - are you sure you're getting the closest answer for everything you're doing queries on that uses geoIP to point you to the closest place you're wanting to go..
The only reason I would ever forward is if you have crap internet where resolving is a pain - satellite internet is not good for resolving.
The other would be if you have some concern with your ISP doing something with your DNS traffic - so you want to forward and encrypt.. Which is going to be a hit to performance, and would be a hit to "forwarding is faster".
How many different websites do you actually go to, to be honest? Now and then a new one - The millions of users increasing the cache.. Doesn't make forwarding faster to the point that it makes any sense to think it's worth not just resolving.
You do you - if you want to forward, then forward. If you want to use DoT then do that.. But resolving is the default for a reason.. Because normally 99/100 times it's going to be the best option.
If these DNS providers had their way, every single client would be doing queries to them via DoH.. So there goes your local cache of even your 2 or 3 users sharing.. And it sure isn't going to be faster for any of your local clients.
But resolving is not slower to the point that it should be a deciding factor in whether you forward or resolve. Even on a cold resolve vs asking someone else, that may or may not have it cached, you're talking a few ms..