DNS forwarder, resolver or both

  • Hi,

    I am trying to find out the difference between them, I just fail to understand.

    Do I use the DNS forwarder or the DNS resolver or both?

    https://doc.pfsense.org/index.php/DNS_Forwarder

    The short & dirty answer is the Resolver doesn't need any defined upstream DNS like the Forwarder does.  You only need one running, not both.  Resolver is the default.

  • LAYER 8 Global Moderator

    That resolver doc should probably be updated to explain what a resolver is vs a forwarder.  If I get a chance I will add that to the wiki articles.

    In a nutshell a forwarder doesn't do anything but "forward" on your request.  So while your client might ask pfsense for www.pfsense.org, it cannot actually resolve that, so it just asks whoever it was set to forward to, be it your ISP DNS or Google DNS or OpenDNS, etc.  Which may in turn just forward as well.  But sooner or later that has to be a resolver.

    Now forwarders and resolvers can also cache, so if they have recently either looked up or gotten the answer for something they can just return that to the client without having to forward or resolve it again until the TTL (time to live) expires on that item.

    So while a forwarder just asks someone else for the answer, a resolver actually talks to all the nameservers from the roots to get to the owning nameserver of the domain in question.

    So if you ask for www.pfsense.org, first the resolver asks (if not cached): hey roots (it knows these already), give me an NS for .org - thanks.  OK, NS of .org, give me the NS of pfsense.org - ok thanks.  Hey NS for pfsense.org, please give me the A record for www.pfsense.org.

    This can be advantageous depending on your needs.  So with a resolver you're sure you are always getting the information direct from the horse's mouth, i.e. the authoritative name server for pfsense.org.  You can be sure that, if the domain supports it, it can be validated via DNSSEC, etc.  When you just forward and are asking someone else, this info could be old, could be bad?  While they might pass on DNSSEC, they may not support it, etc.

    Where it can be an issue is if your ISP likes to intercept DNS or only allows you to query them; then sure, trying to talk to all the different name servers required to find the authoritative servers for a specific domain can fail.  Depending on your connection, it might take a few extra ms to find a specific record if you have not looked it up before, because you have to walk the tree down and talk to multiple servers vs just asking someone else "hey, what's the IP of www.pfsense.org".  Which, on a busy caching forwarder, someone probably recently looked up and it has it cached already, etc.

    Running your own resolver gives you more options, more control.  But it's not always the best answer for everyone.  If you're on a high latency connection, resolving is probably going to be an issue, while just asking a close name server like your ISP's might be faster.

    In general the default resolver mode of using Unbound should work, and now for sure DNSSEC is available and enabled.  But if you have issues then yes, you might need to forward vs resolve.
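The walk the moderator describes (roots, then .org, then pfsense.org) and the TTL cache, as an added Python model written for this page rather than code from the thread or from pfSense/Unbound: the zone data, the 192.0.2.10 address, the TTLs and the injectable clock are constructed so the walk, the cache hit and the expiry can be run offline.

```python
import time
# Constructed delegation data (not real records): each zone holds either an
# NS delegation or the final A answer, each with a TTL.
ZONES = {
    ".":            {"org.":             ("NS", "a0.org-servers.example.", 3600)},
    "org.":         {"pfsense.org.":     ("NS", "ns1.pfsense.example.", 3600)},
    "pfsense.org.": {"www.pfsense.org.": ("A", "192.0.2.10", 300)},
}

class Cache:
    """TTL cache used by both modes: an answer is reused until it expires."""
    def __init__(self, clock=time.time):
        self.clock, self.entries = clock, {}

    def get(self, name):
        hit = self.entries.get(name)
        if hit and hit[1] > self.clock():
            return hit[0], int(hit[1] - self.clock())   # (rdata, remaining ttl)
        self.entries.pop(name, None)                     # missing or expired
        return None

    def put(self, name, rdata, ttl):
        self.entries[name] = (rdata, self.clock() + ttl)

class Resolver:
    """Resolver mode: walks roots -> .org -> pfsense.org itself (like Unbound)."""
    def __init__(self, clock=time.time):
        self.cache, self.queries = Cache(clock), []      # queries logs each hop

    def resolve(self, name):
        cached = self.cache.get(name)
        if cached:
            return cached
        zone = "."
        while True:
            self.queries.append((zone, name))
            match = next((k for k in ZONES[zone]
                          if name == k or name.endswith("." + k)), None)
            if match is None:
                return None                              # no delegation: NXDOMAIN
            rtype, rdata, ttl = ZONES[zone][match]
            if rtype == "A" and match == name:
                self.cache.put(name, rdata, ttl)
                return rdata, ttl
            zone = match                                 # follow the NS referral

class Forwarder:
    """Forwarder mode: every cache miss is handed to the one upstream server."""
    def __init__(self, upstream, clock=time.time):
        self.upstream, self.cache, self.forwarded = upstream, Cache(clock), 0

    def resolve(self, name):
        cached = self.cache.get(name)
        if cached:
            return cached
        self.forwarded += 1                              # one upstream question
        answer = self.upstream.resolve(name)
        if answer:
            self.cache.put(name, *answer)
        return answer
```

`Resolver.queries` records every hop, so a first lookup shows three hops, a cached repeat shows none, and a lookup after the 300 s TTL walks the tree again.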

  • Thanks for your reply,

    The server I wanted to make is using the captive portal, Squid proxy and maybe a filter + country blocker.. CP I have working up to the point that when laptops make a Wi-Fi connection the login page does not show up automatically.. In CP they say the DNS forwarder needs to be enabled, so does that mean I need to disable the DNS resolver?

    I have been trying for a week now to get things to work, but I am out of ideas and on the internet I can't find anything.
    What is your advice?

  • I don't know anything about CP, but if they say you need the Forwarder then you should disable Resolver, enable Forwarder and then add your upstream DNS servers to System - General Setup - DNS Server Settings, and lastly uncheck the Disable DNS Forwarder checkbox if it is checked.

  • LAYER 8 Global Moderator

    Where does it say that?  Are you using some really old version of pfsense?

    It clearly states that the forwarder or resolver must be enabled, is all:

    "Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work."

    I have seen that, I just wanted to make sure I did the right thing. I am still trying everything.

    John, maybe you also know where to look so laptops get the login page when they connect or try to surf? I have seen so many topics the last few days about this issue, I just haven't seen a solution for it.

    Mobiles and tablets I got to work.. Laptops not, unless they type an http page first.

  • LAYER 8 Global Moderator

    Well yeah, did you enable https login?  Mobiles and tablets normally have a built-in login into captive portal type thing when you join the wifi network.  Laptops running a full-blown OS normally do not.  So yeah, an http site is always the first thing to do.

    Https and captive portals can be problematic..  If a user tries to go to https://www.google.com and gets redirected to https://yourpfsensednsorIP your browser should throw a bitch fit about that, saying hey, you wanted to go to https://www.google.com but this site does not have that name and the cert is not for www.google.com, etc.  Even if you're going to use https for login to the captive portal, your client will need to trust that cert or you're going to get an error, so it needs to be a trusted CA that signs it, or your client has to trust the CA that signed the cert.  Then you're going to need to make sure the FQDN matches the common name on the cert, or you have a SAN set up for how you're accessing it, etc.

    How is it that users do not know this?  Have they never been to a hotel?  Or used any sort of captive portal before ever?

    Keep in mind the https login does not fix users getting errors..  It just means your captive portal login will be via https.

    By the very nature of https wanting to make sure it's talking to who it wanted to talk to, any sort of redirection to something else when the user asked for https://something is going to give you issues.  Unless the captive portal can do a MITM on the fly for whatever FQDN the user tried to go to, etc.
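The name check behind the "cert is not for www.google.com" error the moderator describes, as an added Python example (not code from the thread or from pfSense): the portal hostname portal.hotel.example, its SAN list and the 192.0.2.1 address are constructed, and it goes a step beyond the post by also covering wildcard SANs and access by IP literal, the "how you're accessing it" case.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed SAN list for a hotel's captive-portal certificate (not a real cert):
# the portal's own FQDN, a wildcard for the hotel domain, and the portal's IP.
PORTAL_SANS = [("DNS", "portal.hotel.example"), ("DNS", "*.hotel.example"),
               ("IP", "192.0.2.1")]

def dns_name_matches(pattern, host):
    """RFC 6125-style dNSName match: case-insensitive, at most one wildcard,
    only as the entire leftmost label, and it covers exactly one label."""
    pattern, host = pattern.lower().rstrip("."), host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    plabels, hlabels = pattern.split("."), host.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False        # rejects "*", "*.com", "f*o.example" and the like
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def host_matches_cert(host, sans):
    """True if the name the client typed is covered by the SAN list.
    An IP literal only matches an iPAddress SAN, never a dNSName entry."""
    try:
        ip = ipaddress.ip_address(host.strip("[]"))
    except ValueError:
        ip = None
    for kind, value in sans:
        if ip is not None and kind == "IP" and ipaddress.ip_address(value) == ip:
            return True
        if ip is None and kind == "DNS" and dns_name_matches(value, host):
            return True
    return False

def portal_redirect_outcome(requested_url, sans=PORTAL_SANS):
    """What the browser does when the portal answers in place of the site the
    user asked for: it validates the portal's cert against the host in the URL
    it typed, so https://www.google.com fails whichever CA signed the cert."""
    parts = urlsplit(requested_url)
    if parts.scheme != "https":
        return "http: no name check, redirect to the portal works"
    if host_matches_cert(parts.hostname, sans):
        return "ok"
    return "ssl_error_bad_cert_domain"
```

A real deployment would feed `host_matches_cert` the SAN extension read from the server certificate; a public CA only removes the "untrusted issuer" error, not this name mismatch.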

    I did try to enable the https option and got a certificate error; reading through the forum and Google I have seen some sites explaining.

    I did find another one but can't find it at the moment. I read that a proper SSL cert like StartSSL would help to get rid of the error,
    and guests can log in properly if the DNS is set to go to the webpage of that SSL.

    Am I correct?

  • LAYER 8 Global Moderator

    You're correct that you need a cert your machines trust if you don't want errors, yes.

    Thanks, I will get the cert and such and play around with it, reading the topics to install it and set everything.
    If I get an error I will report again :)

    I cannot get it to work. I tried to follow the guide from the link in an earlier post, but what he is writing doesn't make sense to me and the StartSSL website does not do the things he is writing.. Is there another guide that shows how to install it? I have been searching, even with no luck.

    Choose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.

    Not possible: after selecting "Webserver SSL/TLS Certificate" you go directly to the screen to enter your domains.

    Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.

    I do not see any option to do this :/

    I added the 2 certs into the CAs part of the certificate manager.
    Then I added the cert into the Certificates leaf. On the name side it gives me
    ca: NO server: NO .. not sure if this is good.

    I use authentication via the local user manager.

    Added the IP in the DNS forwarder.

    https:// hangs when I try to enter a website..

    EDIT: when I use an http connection I get the green lock with the right certificate and login page,
    but any other site still has a cert error :/

    "this certificate is only valid for the following names"

    Any ideas maybe?

  • LAYER 8 Global Moderator

    Why do you need something from startssl.. Pfsense has a CA built right in, create a cert there and have your machine trust this CA.  Are you needing this for machines that are not under your control?  So a public CA that everyone trusts?

    I thought the built-in CA gave errors and wanted something that did not give any errors.. Users or guests do not always click yes to something they don't know..
    That's the reason I wanted guests to directly go to the login page in https without any error.. Even with the built-in one I can't get that to work with no error.
    I am building this for a hotel and wanted to have it working properly and not halfway.

    Do you know a guide or can you guide me through this?

  • LAYER 8 Global Moderator

    Guide on trusting a pfsense cert signed by pfsense.. Hmm, I just went over this not so long ago in a thread..

    Again this is for machines that you set to trust your CA that creates your cert.  If these are like guests' machines and you want them to trust your cert without them trusting your CA, then yeah, you need to get a cert from a public CA that everyone's machine will trust automatically.

    How is it you're using something you're new to for building out a system for a hotel?  So you have no SSL experience, no captive portal experience with working https, and you're building a captive portal system using something you're new to, pfsense..  And they are paying you for this??  Or is this some hotel that your uncle owns with like 3 rooms?  And you're the computer guy in the family??

    We have a pfsense system in the hotel that was made by the son of a technician that is working there.. He separated the office and wifi; the only problem is that non-guests around the hotel are using the wifi and they would like to have it guests only. From the 75Mbps I never reach higher than 10Mbps in the night.
    It's needed to block this.. And his son doesn't work on the old machine anymore, so if this machine dies nobody knows anything..

    I also haven't found another solution for this, and again an upgrade could be helpful, and also I could make a proxy later on.
    I know my knowledge is minimal, but by asking and searching I mostly get things working..
    I don't give up that easy, and I always like to learn new stuff.

    Your help is much appreciated :)

    EDIT: from my LAN I can ping domainname.com; still, when using http it redirects to the https site.. https gives me an error that I can't get past..
    DNS forward is set (it should be) as described in the link earlier.. I am just not sure what I am missing.

    Your link, I followed it, it gave me an error that I need to accept the cert first..

  • Is there a password that's only given to guests?  If the WiFi is open, you can't stop others from using it.  You might also want to change the password frequently.

    The situation now is that everyone can use the wifi, guests and non-guests.. The idea is to give the guests a username and pass when they check in that rotates every week/month so it blocks others out.. This way the internet speed is faster and more "protected" from non-guests.
    I know there are other ways, like having guests accept the error, but I like to have things work properly rather than half work. Till now I am almost there to working well; just when guests use https:// I get the error "ssl_error_bad_cert_domain", this because I visit a site other than what the domain is.. When this is solved everything works with the right SSL cert..

  • I could be wrong, but I don't see this as being a pfSense issue.

    I believe I have it working. I was working the wrong way on this, and tried most things through a wired connection while they can only connect through WIFI.
    When connecting with a laptop and opening a page it sometimes takes a few moments before the login page shows up.

    The only thing I have now is that when I connect it gives me the wrong DNS. Any idea how to solve that?
    The system gives me (example) while it should be

  • LAYER 8 Global Moderator

    "Your link, I followed it, it gave me an error that I need to accept the cert first.."

    You mean the link to a pfsense forum thread?  Then you got something messed up with your CAs on your machine, that is for sure..  As to your clients getting the wrong DNS, well then you have something else handing out DHCP or your DHCP is not correct, plain and simple.  Or you set the DNS on the client directly?

    I fixed it.. It was the router that was giving the wrong DNS.. I did not have anything else to work with than this router. Adding the right DNS IP solved the issue.

    Thank you for your help John :)

    Now I have everything working; even on Win10 it will automatically give you the login page when you connect to the WIFI, like on mobile devices, with the proper SSL cert and without asking people to import ANY cert.

    I think I will make a topic on how I did this so others can use it as well..

    Next on the list: Squid proxy :)

  • LAYER 8 Global Moderator

    "I did not have anything else to work with than this router. Adding the right DNS IP solved the issue."

    What router??

    I do not have a wireless access point to test the wireless devices like laptops and phones; for this I use a router with WIFI (WNRT-627). I know pfsense has DHCP, I just had nothing else lying around. With this the Captive Portal is working as it should.. I still need to ask a friend to share a Mac to see if this works as well; there was a topic that Mac devices could not connect.

  • LAYER 8 Global Moderator

    If you're using an old wifi router, then you should use it just as an AP.  Any wifi router can be just an access point.

    Give its LAN an IP on your network, turn off its DHCP server and connect it to your network via one of its LAN ports = AP..

    I did in the end; it seems everything is working properly now.. The proxy is working, CP.. not sure what else I need on this :)

  • LAYER 8 Global Moderator

    So you want to use the proxy and the CP at the same time?  Are you wanting to use a transparent proxy or explicit?

    Transparent proxy, to save at least some bandwidth; from what I read and heard, it sounds like it's not the best idea to do this..

  • LAYER 8 Global Moderator

    No, it's not really.  To be honest, if the reason you want to use a proxy is to save some bandwidth.. Probably not going to get much bang for your buck.. Pretty much most of the net these days is dynamic and doesn't bode well for a cached copy on your proxy.  While clients cache themselves anyway, so most of the stuff that can be cached and reused is already done on the client.

    If what you're wanting to use it for is filtering of bad stuff, ok – but if this is a guest wifi for a hotel, why would it be your place to say what porn they can or can not watch, etc..

    Captive portal, sure ok, you don't want the homeless guy outside sucking up all your bandwidth which is for your guests to use, etc.  And you can use the portal page to remind your guests of stuff going on in the hotel, how to get info, etc.  So that sort of thing I don't think anyone that is using free hotel wifi would complain about.

    But if what you want to do is just limit the non-guests from using your wifi, it's much easier to just set a PSK and change it every day or few days, and just make it easy for your guests to get without the homeless guy outside just looking at it on your bulletin board.  I have been to hotels where the PSK is on the little envelope they put your key in, etc.

    I understand you, disabling the proxy is done in seconds.. It was more because the non-guests are taking all the bandwidth away…

    If you have 75Mbps and you can't get over 10Mbps and sometimes 2Mbps it's an issue; that's why I wanted to have a proxy ready because of the slow bandwidth.. And there are 60 rooms, not the biggest hotel, but everything that can be faster is something..
    Now that users need a voucher or pass it should be much better.. This I have to try out; if the speed is fast enough I'll disable the proxy and use it only for CP..

    Thanks for the advice..

    What would be your advice to improve the pfsense even better?

  • LAYER 8 Global Moderator

    60 rooms?  How many APs, or do you only provide wifi in the lobby or something?  So let's say 120 guests.  Let's count 1 phone each; you're looking at 120 devices if you're full, could be more.  I would say this would be the min number of devices, etc.

    Are you limiting each connection?  Or you could have 1 guest using up most of the bandwidth..  So let's say a few guests are streaming movies in HD from Netflix..  Are they on the same AP?

    You need to be able to spread your connections over multiple APs, and to be honest 75mbps seems like a pretty low amount of bandwidth for 120 users to share, etc.  At even 60 sharing it's not very much..  People would be so frustrated with it they would just use their phone's data.

    I know 75Mbps (I see 100Mbps is available) isn't much, but it's not possible to get more unless you have a 2nd WAN connection to double the bandwidth; I am limited to what I have got.
    We have around 7 APs around the hotel; how it is connected I do not know, I haven't installed it.
    At this moment people rate us with a 7.2 for internet and this is with guests and non-guests together.. After the CP it should be better..

    I was also calculating how many rooms and guests can use the internet, and an option would be a 2nd WAN or limiting the bandwidth to say 10Mbps for each user (I know it isn't much), or is there a package that calculates the users and divides it among the currently connected users?

  • LAYER 8 Global Moderator

    What are these APs?  You really should understand where they are deployed and if they are deployed in the best locations for best coverage.

    If you're limited to 75 per line, then yeah, get a few lines; you can always split your users across the different connections.  You could even leverage that to provide for "premium" wifi that costs something, etc.

    From what I can see they are Linksys and HP ProCurve APs, in total 7 of them, 2 on each floor, that have overall good coverage on every floor.

    The extra line I need to have a talk about with the management to see what is possible, while after talking to them they have around 20/30 guests daily, which means 2 to 3Mbps each guest, which isn't that much.
    And a double WAN, 150Mbps, or if they have the 100Mbps that would be 200Mbps, should be good enough to have decent internet.
    Only wifi should be free; not sure who pays for internet nowadays unless you live in Australia.

    I would like to know more about stuff.. not sure if this is the right chat for it.

  • LAYER 8 Global Moderator

    Are they actual business APs or just home stuff?  Proper placement for best coverage would normally mean setting up a min RSSI for each AP so that they don't let weak connections drag everyone on it down.

    As to paying for internet, you mean wifi in a hotel?  I will agree many hotels provide basic wifi for free.  Unless you're at a higher end hotel - those guys seem to charge you..  You would think it would be the other way around.  But when I stay at say a real Hilton vs Hampton Inn, which is one of their properties, Hampton is free but Hilton or say Conrad charge you.. Along with the 5$ for the bag of M&M's in your room hehehe

    What I mean by premium would be a faster connection, maybe allow for a real IP vs being behind a NAT if you need to use a VPN connection to work that doesn't play nice behind NAT, etc.

    What are these APs - are they G, N 2.4 and 5 or just 2.4?  AC maybe?

    There is much more to providing good wifi than throwing up some APs ;)

    I have no clue if they are business or home APs. I will be there this weekend to test drive the new pfsense and can check, also if they are 2.4 or 5 or both; the technician will be there, it's easy to have him point out where they are :)

    As for paying, I meant wifi. Here in Europe, like Holland, the internet contracts can be pretty fast, over 500Mbps and more; Belgium is another story and some providers have 120Mbps max for business, which isn't much. Belgium also works with a limit on some contracts while Holland does not.

    Is setting up min RSSI a basic option in the AP?

  • LAYER 8 Global Moderator

    Would be if it's a business class sort of AP.

    I have set the DNS forwarder, but for some reason the LAN computers can only see each other by IP. Which option should I pick to be able to search by name as well?
