DNS forwarder, resolver or both

newbie_sense

Hi,

I am trying to find out the difference between them, i just fail to understand.

Do i use DNS forwarder or DNS resolver or both?

KOM

https://doc.pfsense.org/index.php/DNS_Forwarder

https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

The short & dirty answer is Resolver doesn't need any defined upstream DNS like Forwarder does.  You only need one running, not both.  Resolver is the default.

johnpoz

That resolve doc should prob be updated to explain what a resolver is vs a forwarder.  If I get a chance I will add that to the wiki articles.

In a nutshell a forward doesn't do anything but "forward" on your request.  So While your client might ask pfsense for www.pfsense.org, it can not actual resolve that so it just asks who is was set to forward to, be it your isp dns or googledns or opendns, etc.  Which may in turn just forward as well.  But sooner or later that has to be a resolver.

Now forwarders and resolvers can also cache, so if they have recently either looked up or gotten the answer for something they can just return that to the client without having to forward or resolve it again until the ttl (time to live) expires on that item.

So while a forwarder just asks someone else for the answer.  A resolver actual talks to all the nameservers from roots to get to the owning nameserver of the domain in question.

So if you ask for www.pfsense.org.  First the resolve asks (if not cached) hey roots (it knows these already) give me a ns for .org - thanks, ok ns of .org give me the ns of pfsense.org, ok thanks - hey ns for pfsense.org please give me the A record for www.pfsense.org

This can be advantageous depending on your needs.  So with a resolver your sure you are always getting the information direct from the horses mouth, ie the authoritative name server for pfsense.org.  You can be sure if domains support it can validate via dnssec, etc.  When you just forward and are asking someone else, this info could be old, could be bad?  While they might pass on dnssec they may not support it, etc.

Where it can be an issue is if your isp likes to intercept dns or only allows you to query them, then sure trying to talk to all the different name servers required to find the authoritative servers for specific domain can fail.  Depending on your connection, it might take a few extra ms to find a specific record if you have not looked it up before because you have to walk the tree down and talk to multiple servers vs just asking someone else hey whats the IP of www.pfsense.org.  Which if busy caching fowarder, someone prob recently looked that up and has it cached already, etc.

Running your own resolver gives you more options, more control.  But its not always the best answer for everyone.  If your on a high latency connection resolving prob going to be an issue while just asking a close name server like your isp might be faster.

In general the default resolver mode of using unbound should work, and now for sure dnssec is available and enabled.  But if you have issues then yes you might need to forward vs resolve.

newbie_sense

Thanks for your reply,

The server I wanted to make its using the captive portal, squid proxy and maybe a filter + country blocker.. CP I have working till the point that laptops make Wi-Fi connection the inlog page does not show up automatic.. In CP they say DNS forwarder needs to be enabled do that means I need to disable the DNS resolver.

I am try for a week now to get things to work, but I am out of ideas and internet I can't find anything.
What is your advice¿

KOM

I don't know anything about CP, but if they say you need the Forwarder then you should disable Resolver, enable Forwarder and then add your upstream DNS servers to System - General Setup - DNS Server Settings, and lastly uncheck the Disable DNS Forwarder checkbox if it is checked.

johnpoz

Where does it say that?  Are you using some really old version of pfsense?

Clearly states that forwarder or resolver be enabled is all

"Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work."

newbie_sense

I have seens that, just wanted to make sure I did the right thing. I am still trying everything.

John you maybe also know where to look so laptops get the login page when they connect or try to surf?. I have seen so many topics the last days about this issue just havent seen a solution for it.

Mobiles and tablets I got to work.. Laptops not unless they type a http pafe first

johnpoz

well yeah did you enable https login?  Mobiles and tables normally have a built in login into captive portal type thing when you join the wifi network.  Laptops running full blown OS normally do not.  So yeah http site is always first thing to do.

Https and captive portals can be problematic..  If user tries to go to https://www.google.com and gets redirect to https://yourpfensednsorIP your browser should throw a bitch fit about that.. Saying hey you wanted to go to https://www.google.com but this site does not have that name and cert is not for www.google.com, etc.  Even your going to use https for login to the captive portal your client will need to trust that cert or your going to get an error so it needs to be a trusted CA that signs it, or your client has to trust the CA that signed the cert. Then your going to need to make sure fqdn matches the common name on the cert or you have SAN setup for how your accessing, etc.

How is that that users do not know this?  Have they never been to a hotel?  Or used any sort of captive before ever?

Keep in mind the https login does not fix users getting errors.. It just means your captive portal login will be via https.

By the very nature of https wanting to make sure its talking to who it wanted to talk to, any sort of redirection to something else when user asked for https://something is going to give you issues.  Unless the captive portal can do a MITM on the fly for whatever fqdn the user tried to go to, etc.

newbie_sense

I did try to enable the https option and got a certificate error, reading through forum and google i have seen some sites explaining.

https://forum.pfsense.org/index.php?topic=63791.0

http://www.rocainet.com/2014/03/securing-captive-portal-login-page-on.html

I did found another one but can't find it at the moment. I read that a proper ssl like StartSSl would help to get the error away.
and guest can login properly if the DNS is set to go the webpage of that SSl

am I correct?

johnpoz

your correct that you need a cert your machines trusts if you don't want errors yes.

newbie_sense

Thanks, i will get the cert and such and play around with it reading the topics to install it and set everything.
If i get an error I will report again :)

newbie_sense

I do not get it to work, I tried to follow the guide from the link in a earlier post, just what he is writing doesn't make sence to me and the website Startssl does not do the things he is writing.. is there another guide that shows how to install it, been searching for even with no luck.

chose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.

not possibl after selecting "Webserver SSL/TLS Certificate" you go directly to the screen to enter your domains

Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.

I do not see any option to do this :/

I added the 2 cert into the CAs part of the certificate manager.
then i added the cert into the certificite leaf. on the name saide it gives me
ca: NO server: NO ..not sure if this is good.

i use autentication local user manager

added IP in DNS forwarder

https:// hangs when i try to enter a website..

EDIT: when i use a http connection I get the green lock with the right sertificate and inlog page
but any other site still has a cert error :/

"this certificate is only valid for the following names"

any idea's maybe?

johnpoz

Why do you need something from startssl.. Pfsense has a CA built right in, create a cert there and have your machine trust this CA.  Are you needing this for machines that are not under your control?  So a public CA that everyone trusts?

newbie_sense

I thought the build in CA gave errors and wanted soemthing that did not gave any errors.. users or guest do not always click yes to something they don't know..
thats the reason i wanted guest to directly go to the login page in https without any error.. even in the build in one i cant get that to work with no error.
I am building this for a hotel and wanted to have it working properly and not half way

Do you know a guide or can you guide me through this?

johnpoz

Guide on trusting pfsense cert signed by pfsense.. Hmm I just went over this not so long ago in a thread..

https://forum.pfsense.org/index.php?topic=114712.0

Again this is for machines that you set to trust your CA that creates your cert.  If these are like guests machines and you want them to trust your cert without them trusting your CA then yeah you need to get a cert from a public CA that everyone's machine will trust automatic.

How is it your using something your new to for building out a system for a hotel?  So you have no SSL experience, no captive portal experience with working https and your building a captive portal system using something your new to pfsense..  And they are paying you for this??  Or is this some hotel that your uncle owns with like 3 rooms?  And your computer guy in the family??

newbie_sense

We have a pfsense system in the hotel that was made by the son of a technician that is working there.. He seperated the office and wifi, the only problem is that non guest around the hotel are using the wifi and like to have it guests only, from the 75Mbps I never reach higher then 10Mbps in the night.
Its needed to block this.. And his son doesn't work on the old machine anymore, so if this machine dies nobody knows anything..

I also haven't found another solution for this and again an upgrade could be help full and also if I could make a proxy later on.
I know my knowledge is minimum, but asking and searching I mostly get things working..
I don't give up that easy, and I always like to learn new stuff.

Your help is much appreciated :)

EDIT: from my LAN i can ping to domainname.com  still when using http it redirects to https site.. https gives me an error that i cant go on..
DNS forward is set (it should) as decribed in the link earlier.. I am just not sure what i am missing.

your link i followed it, it gave me an error that i need to execpt the cert first..

JKnott

Is there a password that's only given to guests?  If the WiFi is open, you can't stop others from using it.  You might also want to change the password frequently.

newbie_sense

the situation now is that everyone can use the wifi, guests and non guests.. the idea is to give the guests a username and pass when they check in that rotates every week/month so it block others out.. this way the internet speed is faster and more "protected" from non guests.
I know there are other ways like having guest accept the error, just i like to have things work properly then half work, till now I am almost there from working good, just when guests use https:// i get the error "ssl_error_bad_cert_domain" this because i visit a site other then what the domain is.. when this is solved everything work with the right ssl cert..

JKnott

I could be wrong, but I don't see this as being a pfSense issue.

newbie_sense

I believe I have it working, I was working the wrong way on to this, and tried most things though a wired connection while they only can connect through WIFI.
When connecting with a laptop and opening a page it sometimes takes a few moments before the inlog page shows up.

The only thing I have now is that when i connect it gives me the wrong DNS any idea how to solve that?
system give me (example) 192.168.3.100 while it should be 192.168.3.254