Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    DNS forwarder, resolver or both

    Scheduled Pinned Locked Moved DHCP and DNS
    38 Posts 4 Posters 9.5k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • N
      newbie_sense
      last edited by

      Hi,

      I am trying to find out the difference between them, i just fail to understand.

      Do i use DNS forwarder or DNS resolver or both?

      1 Reply Last reply Reply Quote 0
      • KOMK
        KOM
        last edited by

        https://doc.pfsense.org/index.php/DNS_Forwarder

        https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

        The short & dirty answer is Resolver doesn't need any defined upstream DNS like Forwarder does.  You only need one running, not both.  Resolver is the default.

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by

          That resolve doc should prob be updated to explain what a resolver is vs a forwarder.  If I get a chance I will add that to the wiki articles.

          In a nutshell a forward doesn't do anything but "forward" on your request.  So While your client might ask pfsense for www.pfsense.org, it can not actual resolve that so it just asks who is was set to forward to, be it your isp dns or googledns or opendns, etc.  Which may in turn just forward as well.  But sooner or later that has to be a resolver.

          Now forwarders and resolvers can also cache, so if they have recently either looked up or gotten the answer for something they can just return that to the client without having to forward or resolve it again until the ttl (time to live) expires on that item.

          So while a forwarder just asks someone else for the answer.  A resolver actual talks to all the nameservers from roots to get to the owning nameserver of the domain in question.

          So if you ask for www.pfsense.org.  First the resolve asks (if not cached) hey roots (it knows these already) give me a ns for .org - thanks, ok ns of .org give me the ns of pfsense.org, ok thanks - hey ns for pfsense.org please give me the A record for www.pfsense.org

          This can be advantageous depending on your needs.  So with a resolver your sure you are always getting the information direct from the horses mouth, ie the authoritative name server for pfsense.org.  You can be sure if domains support it can validate via dnssec, etc.  When you just forward and are asking someone else, this info could be old, could be bad?  While they might pass on dnssec they may not support it, etc.

          Where it can be an issue is if your isp likes to intercept dns or only allows you to query them, then sure trying to talk to all the different name servers required to find the authoritative servers for specific domain can fail.  Depending on your connection, it might take a few extra ms to find a specific record if you have not looked it up before because you have to walk the tree down and talk to multiple servers vs just asking someone else hey whats the IP of www.pfsense.org.  Which if busy caching fowarder, someone prob recently looked that up and has it cached already, etc.

          Running your own resolver gives you more options, more control.  But its not always the best answer for everyone.  If your on a high latency connection resolving prob going to be an issue while just asking a close name server like your isp might be faster.

          In general the default resolver mode of using unbound should work, and now for sure dnssec is available and enabled.  But if you have issues then yes you might need to forward vs resolve.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • N
            newbie_sense
            last edited by

            Thanks for your reply,

            The server I wanted to make its using the captive portal, squid proxy and maybe a filter + country blocker.. CP I have working till the point that laptops make Wi-Fi connection the inlog page does not show up automatic.. In CP they say DNS forwarder needs to be enabled do that means I need to disable the DNS resolver.

            I am try for a week now to get things to work, but I am out of ideas and internet I can't find anything.
            What is your advice¿

            1 Reply Last reply Reply Quote 0
            • KOMK
              KOM
              last edited by

              I don't know anything about CP, but if they say you need the Forwarder then you should disable Resolver, enable Forwarder and then add your upstream DNS servers to System - General Setup - DNS Server Settings, and lastly uncheck the Disable DNS Forwarder checkbox if it is checked.

              1 Reply Last reply Reply Quote 0
              • johnpozJ
                johnpoz LAYER 8 Global Moderator
                last edited by

                Where does it say that?  Are you using some really old version of pfsense?

                Clearly states that forwarder or resolver be enabled is all

                "Also, the DNS Forwarder or Resolver must be enabled for DNS lookups by unauthenticated clients to work."

                cp.jpg
                cp.jpg_thumb

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 24.11

                1 Reply Last reply Reply Quote 0
                • N
                  newbie_sense
                  last edited by

                  I have seens that, just wanted to make sure I did the right thing. I am still trying everything.

                  John you maybe also know where to look so laptops get the login page when they connect or try to surf?. I have seen so many topics the last days about this issue just havent seen a solution for it.

                  Mobiles and tablets I got to work.. Laptops not unless they type a http pafe first

                  1 Reply Last reply Reply Quote 0
                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    well yeah did you enable https login?  Mobiles and tables normally have a built in login into captive portal type thing when you join the wifi network.  Laptops running full blown OS normally do not.  So yeah http site is always first thing to do.

                    Https and captive portals can be problematic..  If user tries to go to https://www.google.com and gets redirect to https://yourpfensednsorIP your browser should throw a bitch fit about that.. Saying hey you wanted to go to https://www.google.com but this site does not have that name and cert is not for www.google.com, etc.  Even your going to use https for login to the captive portal your client will need to trust that cert or your going to get an error so it needs to be a trusted CA that signs it, or your client has to trust the CA that signed the cert. Then your going to need to make sure fqdn matches the common name on the cert or you have SAN setup for how your accessing, etc.

                    How is that that users do not know this?  Have they never been to a hotel?  Or used any sort of captive before ever?

                    Keep in mind the https login does not fix users getting errors.. It just means your captive portal login will be via https.

                    By the very nature of https wanting to make sure its talking to who it wanted to talk to, any sort of redirection to something else when user asked for https://something is going to give you issues.  Unless the captive portal can do a MITM on the fly for whatever fqdn the user tried to go to, etc.

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.8, 24.11

                    1 Reply Last reply Reply Quote 0
                    • N
                      newbie_sense
                      last edited by

                      I did try to enable the https option and got a certificate error, reading through forum and google i have seen some sites explaining.

                      https://forum.pfsense.org/index.php?topic=63791.0

                      http://www.rocainet.com/2014/03/securing-captive-portal-login-page-on.html

                      I did found another one but can't find it at the moment. I read that a proper ssl like StartSSl would help to get the error away.
                      and guest can login properly if the DNS is set to go the webpage of that SSl

                      am I correct?

                      1 Reply Last reply Reply Quote 0
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        your correct that you need a cert your machines trusts if you don't want errors yes.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        1 Reply Last reply Reply Quote 0
                        • N
                          newbie_sense
                          last edited by

                          Thanks, i will get the cert and such and play around with it reading the topics to install it and set everything.
                          If i get an error I will report again :)

                          1 Reply Last reply Reply Quote 0
                          • N
                            newbie_sense
                            last edited by

                            I do not get it to work, I tried to follow the guide from the link in a earlier post, just what he is writing doesn't make sence to me and the website Startssl does not do the things he is writing.. is there another guide that shows how to install it, been searching for even with no luck.

                            chose certificate target “Webserver SSL/TLS Certificate”. Press continue and set a key that you remember. Press continue.

                            not possibl after selecting "Webserver SSL/TLS Certificate" you go directly to the screen to enter your domains

                            Once the wizard is done go to the Tool Box leaf and select the “Decrypt Private key” option.

                            I do not see any option to do this :/

                            I added the 2 cert into the CAs part of the certificate manager.
                            then i added the cert into the certificite leaf. on the name saide it gives me
                            ca: NO server: NO ..not sure if this is good.

                            i use autentication local user manager

                            added IP in DNS forwarder

                            https:// hangs when i try to enter a website..

                            EDIT: when i use a http connection I get the green lock with the right sertificate and inlog page
                            but any other site still has a cert error :/

                            "this certificate is only valid for the following names"

                            any idea's maybe?

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              Why do you need something from startssl.. Pfsense has a CA built right in, create a cert there and have your machine trust this CA.  Are you needing this for machines that are not under your control?  So a public CA that everyone trusts?

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • N
                                newbie_sense
                                last edited by

                                I thought the build in CA gave errors and wanted soemthing that did not gave any errors.. users or guest do not always click yes to something they don't know..
                                thats the reason i wanted guest to directly go to the login page in https without any error.. even in the build in one i cant get that to work with no error.
                                I am building this for a hotel and wanted to have it working properly and not half way

                                Do you know a guide or can you guide me through this?

                                1 Reply Last reply Reply Quote 0
                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator
                                  last edited by

                                  Guide on trusting pfsense cert signed by pfsense.. Hmm I just went over this not so long ago in a thread..

                                  https://forum.pfsense.org/index.php?topic=114712.0

                                  Again this is for machines that you set to trust your CA that creates your cert.  If these are like guests machines and you want them to trust your cert without them trusting your CA then yeah you need to get a cert from a public CA that everyone's machine will trust automatic.

                                  How is it your using something your new to for building out a system for a hotel?  So you have no SSL experience, no captive portal experience with working https and your building a captive portal system using something your new to pfsense..  And they are paying you for this??  Or is this some hotel that your uncle owns with like 3 rooms?  And your computer guy in the family??

                                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                                  If you get confused: Listen to the Music Play
                                  Please don't Chat/PM me for help, unless mod related
                                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                                  1 Reply Last reply Reply Quote 0
                                  • N
                                    newbie_sense
                                    last edited by

                                    We have a pfsense system in the hotel that was made by the son of a technician that is working there.. He seperated the office and wifi, the only problem is that non guest around the hotel are using the wifi and like to have it guests only, from the 75Mbps I never reach higher then 10Mbps in the night.
                                    Its needed to block this.. And his son doesn't work on the old machine anymore, so if this machine dies nobody knows anything..

                                    I also haven't found another solution for this and again an upgrade could be help full and also if I could make a proxy later on.
                                    I know my knowledge is minimum, but asking and searching I mostly get things working..
                                    I don't give up that easy, and I always like to learn new stuff.

                                    Your help is much appreciated :)

                                    EDIT: from my LAN i can ping to domainname.com  still when using http it redirects to https site.. https gives me an error that i cant go on..
                                    DNS forward is set (it should) as decribed in the link earlier.. I am just not sure what i am missing.

                                    your link i followed it, it gave me an error that i need to execpt the cert first..

                                    1 Reply Last reply Reply Quote 0
                                    • JKnottJ
                                      JKnott
                                      last edited by

                                      Is there a password that's only given to guests?  If the WiFi is open, you can't stop others from using it.  You might also want to change the password frequently.

                                      PfSense running on Qotom mini PC
                                      i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                      UniFi AC-Lite access point

                                      I haven't lost my mind. It's around here...somewhere...

                                      1 Reply Last reply Reply Quote 0
                                      • N
                                        newbie_sense
                                        last edited by

                                        the situation now is that everyone can use the wifi, guests and non guests.. the idea is to give the guests a username and pass when they check in that rotates every week/month so it block others out.. this way the internet speed is faster and more "protected" from non guests.
                                        I know there are other ways like having guest accept the error, just i like to have things work properly then half work, till now I am almost there from working good, just when guests use https:// i get the error "ssl_error_bad_cert_domain" this because i visit a site other then what the domain is.. when this is solved everything work with the right ssl cert..

                                        1 Reply Last reply Reply Quote 0
                                        • JKnottJ
                                          JKnott
                                          last edited by

                                          I could be wrong, but I don't see this as being a pfSense issue.

                                          PfSense running on Qotom mini PC
                                          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                                          UniFi AC-Lite access point

                                          I haven't lost my mind. It's around here...somewhere...

                                          1 Reply Last reply Reply Quote 0
                                          • N
                                            newbie_sense
                                            last edited by

                                            I believe I have it working, I was working the wrong way on to this, and tried most things though a wired connection while they only can connect through WIFI.
                                            When connecting with a laptop and opening a page it sometimes takes a few moments before the inlog page shows up.

                                            The only thing I have now is that when i connect it gives me the wrong DNS any idea how to solve that?
                                            system give me (example) 192.168.3.100 while it should be 192.168.3.254

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.