Netgate Discussion Forum
    [SOLVED] Which DNS-Servers does unbound use?

    DHCP and DNS
    12 Posts 5 Posters 8.0k Views
    user12

      Hi!

      Might be a pretty simple question, but: which DNS-Servers does unbound actually use?
      I use it as a DNS-Resolver, so my DNS-Servers are:

      • 127.0.0.1
      • 8.8.8.8
      • 8.8.4.4

      (I configured the last two during installation).
      So are those Google DNS servers the ones unbound uses?
      I couldn't find any specific servers in unbound.conf

    ptt (Rebel Alliance)

        Unbound will query root servers directly (unless you enable "Forwarding Mode")

        https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

    johnpoz (LAYER 8 Global Moderator)

          You need to understand the difference between a forwarder and a resolver.  If you're going to use the pfSense out of the box config then it will be in resolver mode and ask the roots "hey, who is authoritative for .com?", then the .com NS "hey, who is authoritative for domain.com?", then the domain.com NS "hey, what is the A record for www.domain.com?"

          This seems to be a big issue with users understanding the difference.  If you're going to use unbound in default resolver mode then really the only DNS server you should have listed in pfSense is loopback, 127.0.0.1.

          You then know for sure you're getting the info straight from the horse's mouth, and will have full DNSSEC support, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

    user12

            Ah ok, so forwarding would mean that pfSense "forwards" the requests (to a public DNS or a DNS of my provider, which I specified under "DNS Servers"), but as a resolver it directly asks the root DNS servers?

    johnpoz (LAYER 8 Global Moderator)

              Exactly, but the roots only know the name servers for the TLD; the TLD servers know the domains that are under their TLD.  You walk the tree down using a resolver.

              Whereas with a forwarder you just ask your ISP or Google, then they either have it cached, or they forward, or they resolve it.  At some point in the chain there will be a resolver.


    user12

                Alright, thanks a lot :-)

    shjfliejfasel (replying to johnpoz)

                  @johnpoz said in [SOLVED] Which DNS-Servers does unbound use?:

                  exactly but roots only know the name servers for the tld, the tld servers know the domains that are under their tld.  You walk the tree down using a resolver.

                  Where with forwarder you just ask your isp or google, then they either have it cached or they forward, or they resolve it.  Some point in the chain there will be a resolver.

                  So how do you actually decide what is better for you to use? Is using a DNS service like Cloudflare just faster? Is using the Netgate box as the DNS resolver slower but with better privacy?

    johnpoz (LAYER 8 Global Moderator, replying to shjfliejfasel)

                    @shjfliejfasel said in [SOLVED] Which DNS-Servers does unbound use?:

                    DNS resolver slower

                    This is a misunderstanding of how DNS works, to be honest.  Resolving does not end up slower than forwarding, and sometimes can actually be faster ;)

                    When you forward, whatever you ask them that is not cached, they will have to resolve.  But you might already have a 30-some ms latency to the DNS you're forwarding to.

                    This 30 ms is every single time you request anything, and then longer if they have to resolve something.  What is the latency to where you're forwarding?  Me asking my local resolver is less than 1 ms ;)

                    Once a resolver asks the roots for the TLD of .com, that is cached.  It doesn't have to ask that again until the TTL expires.  So I can directly ask the .com servers for domain.com.  Now that is cached, so when I look up the record www.domain.com I can just directly ask the NS for that domain, which might only be 10 ms away.

                    While sure, a resolver might be a tad slower on resolving from a dead start than asking some forwarder that has it cached, depending on what and how you query, resolving could be faster ;) But in the big picture, if you're not resolving because you "think" it's slower, you need to think again about how that actually works.

                    As you ask Google DNS for www.domain.com every single time the single TTL you're storing expires, you just get whatever TTL that forwarder had left from the last time they looked it up, and so you will be doing that again.  So you could have more queries than with resolving, since when resolving you will always get the full TTL that the authoritative NS set on the record.

                    If you are making a decision on forwarding or resolving because you think there is some speed advantage to handing all your info over to Google, you need to rethink that.  Generally speaking, the few ms that might take, even for a cold lookup vs asking a cached forwarder, makes no difference.


    Griffo (replying to johnpoz)

                      @johnpoz On my home network with dozens of devices but only 2 humans, I definitely find that many web pages feel a little slower with the standard Unbound resolver mode compared to forwarding. Why? Because resolvers like Cloudflare etc. have millions of users keeping records in their cache fresh and up to date. A lot of services these days have very short expiry times, so your resolver ends up going out constantly to refresh its cache.
                      The fix for this is the "hack" setting under Advanced, "Serve Expired", which means Unbound will reply with the expired record but then simultaneously go and refresh it.

                      As to comments about Google getting all your records in forwarder mode: sure. Except there's another side to this coin. I can use someone like Cloudflare as a resolver and enforce TLS, which means all my requests are encrypted. The only one who knows is Cloudflare (or whoever I use). Using resolver mode, most of the DNS requests will end up being in the clear. In a country with enforced metadata retention laws, I'm equally worried about big brother sniffing all that unencrypted DNS traffic.

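The walk down the tree that johnpoz describes, the TTL argument in his later post, and the serve-expired behaviour Griffo mentions, as one added simulation that is not part of the original thread and is not Unbound code: the zone tree, names, TTLs and the integer clock are constructed for illustration, and serve-expired is approximated synchronously (refresh, then return the stale value) rather than in parallel as Unbound does it.

```python
# Added example, not Unbound code and not from the thread: a toy simulation of
# resolver mode (walk root -> TLD -> domain) versus forwarding, with TTL-aware
# caches and an integer clock. Zone data, names and TTLs are constructed;
# serve-expired is approximated synchronously (refresh, then return the stale value).

# Constructed authoritative data: a zone knows its own records and its delegations.
ZONES = {
    ".":            {"delegations": {"com."}, "records": {}},
    "com.":         {"delegations": {"example.com."}, "records": {}},
    "example.com.": {"delegations": set(),
                     "records": {("www.example.com.", "A"): (60, "192.0.2.10"),
                                 ("mail.example.com.", "A"): (60, "192.0.2.25")}},
}

def auth_query(zone, qname, qtype):
    """Answer as the authoritative server for `zone` would: an answer with the
    record's full TTL, a referral to the child zone, or nxdomain."""
    z = ZONES[zone]
    if (qname, qtype) in z["records"]:
        ttl, value = z["records"][(qname, qtype)]
        return "answer", ttl, value
    for child in z["delegations"]:
        if qname == child or qname.endswith("." + child):
            return "referral", child, None
    return "nxdomain", 0, None

class IterativeResolver:
    """Resolver mode: start at the deepest delegation already learned and walk
    down; answers are cached with the full authoritative TTL."""

    def __init__(self):
        self.cache = {}            # (qname, qtype) -> (expires_at, value)
        self.known_zones = {"."}   # root hints are always known
        self.upstream_queries = 0  # queries sent to authoritative servers

    def lookup(self, qname, qtype, now):
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > now:
            return hit[1], hit[0] - now            # cache hit: remaining TTL, no query
        labels = qname.rstrip(".").split(".")
        suffixes = ["."] + [".".join(labels[i:]) + "." for i in range(len(labels))]
        zone = max((s for s in suffixes if s in self.known_zones), key=len)
        while True:
            self.upstream_queries += 1
            kind, a, b = auth_query(zone, qname, qtype)
            if kind == "answer":
                self.cache[(qname, qtype)] = (now + a, b)
                return b, a
            if kind != "referral":
                return None, 0
            zone = a
            self.known_zones.add(zone)             # delegation remembered for later walks

class ForwardingClient:
    """Forwarding mode: ask an upstream resolver and cache its reply. The TTL
    received is whatever the upstream has left, not the authoritative value."""

    def __init__(self, upstream, serve_expired=False):
        self.upstream = upstream
        self.serve_expired = serve_expired
        self.cache = {}
        self.forwarded_queries = 0

    def lookup(self, qname, qtype, now):
        hit = self.cache.get((qname, qtype))
        if hit and hit[0] > now:
            return hit[1], hit[0] - now
        if hit and self.serve_expired:             # stale answer now, refreshed for next time
            self._refresh(qname, qtype, now)
            return hit[1], 0
        return self._refresh(qname, qtype, now)

    def _refresh(self, qname, qtype, now):
        self.forwarded_queries += 1
        value, ttl = self.upstream.lookup(qname, qtype, now)
        if value is not None:
            self.cache[(qname, qtype)] = (now + ttl, value)
        return value, ttl

def run_scenario():
    """Return the numbers the thread argues about, measured on the toy tree."""
    local = IterativeResolver()
    _, ttl_cold = local.lookup("www.example.com.", "A", now=0)
    cold_queries = local.upstream_queries                 # root, com., example.com.
    local.lookup("mail.example.com.", "A", now=5)
    warm_queries = local.upstream_queries - cold_queries  # delegations cached: one query
    _, ttl_at_30 = local.lookup("www.example.com.", "A", now=30)

    public = IterativeResolver()                          # a shared public resolver
    public.lookup("www.example.com.", "A", now=-50)       # warmed by another user 50s ago
    fwd = ForwardingClient(public)
    _, ttl_forwarded = fwd.lookup("www.example.com.", "A", now=0)   # only 10s of TTL left
    fwd.lookup("www.example.com.", "A", now=10)           # already expired: ask again

    stale = ForwardingClient(IterativeResolver(), serve_expired=True)
    stale.lookup("www.example.com.", "A", now=0)
    stale_value, stale_ttl = stale.lookup("www.example.com.", "A", now=90)  # past the 60s TTL
    _, ttl_after = stale.lookup("www.example.com.", "A", now=91)

    return {"ttl_cold": ttl_cold, "cold_queries": cold_queries, "warm_queries": warm_queries,
            "ttl_at_30": ttl_at_30, "local_queries_by_t30": local.upstream_queries,
            "ttl_forwarded": ttl_forwarded, "forwarded_queries_by_t10": fwd.forwarded_queries,
            "stale_value": stale_value, "stale_ttl": stale_ttl, "ttl_after_refresh": ttl_after}
```

Running `run_scenario()` shows the three points in numbers: the cold walk costs three authoritative queries and a second name in the same domain costs one, because the delegations are cached; the local resolver keeps the full 60 s TTL while the forwarding client, asking a public cache that was warmed 50 s earlier, gets only 10 s and has to ask again at t=10; and with serve-expired on, the client answers from the stale entry with TTL 0 and the next lookup is fresh again.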
    shjfliejfasel

                        Thanks for the answers. I was looking at DNS "stuff" specifically because I didn't want my ISP getting all my browsing history. I thought Cloudflare might be a good choice because it is what Firefox is now using.

                        However, I never knew you could roll your own, so this feature of the netgate box was a nice surprise.

                        In that case, is there a reason that a computer really even needs an external DNS resolver/forwarder? Couldn't the desktop machine just act as its own resolver the same way that the netgate box does?

    Griffo (replying to shjfliejfasel)

                          @shjfliejfasel That would be horrendously inefficient (I believe something like 98% of the traffic the root servers get could be classified as "unnecessary") and would also require much more code on every client's end. It would also make central administration pretty much impossible for most networks.

    johnpoz (LAYER 8 Global Moderator, replying to Griffo)

                            @griffo said in [SOLVED] Which DNS-Servers does unbound use?:

                            have millions of users keeping records in their cache fresh and up to date

                            You would think that, huh? But quite often when you query you get a very short TTL, and now you have to do a second query.  And then again it might not be the full TTL.

                            Also, with pointing to a CDN-based forwarder, are you sure you're getting the closest answer for everything you're doing queries on that uses GeoIP to point you to the closest place you want to go?

                            The only reason I would ever forward is if you have crap internet where resolving is a pain; satellite internet is not good for resolving.

                            The other would be that you have some concern with your ISP doing something with your DNS traffic, so you want to forward and encrypt.  Which is going to be a hit to performance, and would be a hit to "forwarding is faster".

                            How many different websites do you actually go to, to be honest? Now and then a new one.  The millions of users increasing the cache doesn't make forwarding faster to the point that it makes any sense to think it's worth not just resolving.

                            You do you.  If you want to forward, then forward.  If you want to use DoT then do that.  But resolving is the default for a reason: because normally, 99 times out of 100, it's going to be the best option.

                            If these DNS providers had their way, every single client would be doing queries to them via DoH.  So there goes your local cache that even your 2 or 3 users share.  And it sure isn't going to be faster for any of your local clients.

                            But resolving is not slower to the point that it should be a deciding factor in whether you forward or resolve.  Even on a cold resolve vs asking someone else that may or may not have it cached, you're talking a few ms.


                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.