Netgate Discussion Forum

    DNS - Removing Service Provider Defaults

    DHCP and DNS
      CaladorGCS

      Under - System > General Setup > DNS Server Settings
      I set up 3 of the fastest servers for my location using the namebench tool.
      I thought pfSense would replace the Comcast Default DNS, but they are still there.
      It now lists 6 DNS Services…

      Is there a way to remove them or are they required?

      Thanks for your time!

      pfSense© running on…

      • CPU: Intel Core i5-5250U Processor (3M Cache, up to 2.70GHz, Broadwell) + Intel 4 GBit LAN

      • Configuration: RAM 8GB DDR3; SSD 128GB; AES-NI; Hyperthreaded; Model: Qotom-Q355G4

      Switch - NETGEAR ProSAFE JGS516PE 16-Port Gigabit PoE WM (Plus) & GS105Ev2 5-Port WM (Plus)
      Access Point - (2) Unifi 802.11ac Dual-Radio PRO

        beremonavabi

        Under Services / DHCP Server, for each of the interfaces listed, what do you have in those DNS Servers fields?

        SG-4860, pfSense 2.4.5-RELEASE-p1 (amd64)

          CaladorGCS

          @beremonavabi:

          Under Services / DHCP Server, for each of the interfaces listed, what do you have in those DNS Servers fields?

          DNS server(s)

          127.0.0.1
          75.75.75.75
          75.75.76.76
          63.251.129.1
          68.105.28.11
          156.154.71.22
          8.8.8.8

            Derelict LAYER 8 Netgate

            Are you using the DNS Forwarder or the DNS Resolver?

            You can prevent ISP/DHCP DNS servers from being added to the list of DNS Servers used by the firewall itself and DNS Resolver (In forwarding mode) or the DNS Forwarder by unchecking "DNS Server Override" in System > General Setup.

            You have to figure out how you want your DNS to work and can either configure your chosen DNS servers for direct use by the clients (in the DHCP server configuration) or use by the DNS Forwarder (or the Resolver in forwarding mode) (In System > General).

            If the clients are set to use pfSense as their DNS server and the Resolver is in Resolver mode, it will query the internet from the root down to fill its cache, but it won't use your configured list of servers.

            There are a lot of different ways to configure this and one might be completely wrong for certain circumstances and perfect for others.

            Chattanooga, Tennessee, USA
            A comprehensive network diagram is worth 10,000 words and 15 conference calls.
            DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
            Do Not Chat For Help! NO_WAN_EGRESS(TM)

              CaladorGCS

              @Derelict:

              Are you using the DNS Forwarder or the DNS Resolver?

              You can prevent ISP/DHCP DNS servers from being added to the list of DNS Servers used by the firewall itself and DNS Resolver (In forwarding mode) or the DNS Forwarder by unchecking "DNS Server Override" in System > General Setup.

              You have to figure out how you want your DNS to work and can either configure your chosen DNS servers for direct use by the clients (in the DHCP server configuration) or use by the DNS Forwarder (or the Resolver in forwarding mode) (In System > General).

              If the clients are set to use pfSense as their DNS server and the Resolver is in Resolver mode, it will query the internet from the root down to fill its cache, but it won't use your configured list of servers.

              There are a lot of different ways to configure this and one might be completely wrong for certain circumstances and perfect for others.

              Thank you, this was of great help! And… to answer your question, I'm using the DNS Resolver.

                Derelict LAYER 8 Netgate

                That's great, but there is a lot more to it than that.

                Is the resolver in resolver or forwarding mode?

                If it is in resolver mode, then your selected DNS servers will not be used in any capacity other than for queries made by the firewall itself.

                Client queries to your resolver will start at the roots and work down to resolve all names not already in its cache.

                  CaladorGCS

                  @Derelict:

                  That's great, but there is a lot more to it than that.

                  Is the resolver in resolver or forwarding mode?

                  If it is in resolver mode, then your selected DNS servers will not be used in any capacity other than for queries made by the firewall itself.

                  Client queries to your resolver will start at the roots and work down to resolve all names not already in its cache.

                  Under - System > General Setup> DNS Server Settings
                  DNS Server Override is checked
                  Disable DNS Forwarder is unchecked

                  Under - Services > DNS Forwarder > General DNS Forwarder Options
                  Enable DNS forwarder is unchecked

                  Under - Services > DNS Resolver > General Settings > General DNS Resolver Options
                  Enable DNS forwarder is checked

                    Derelict LAYER 8 Netgate

                    One more piece. What DNS servers are you telling your inside clients to use? This is in the DHCP servers or static client configurations.

                    Bottom line is if you are using the Resolver you might as well just give up trying to use "highest-performing" DNS servers. The resolver will use what the internet tells it to use. If you are using either DNS resolver or forwarder, once something is in the cache it will be given to inside clients nearly-instantaneously anyway. This probably falls into the "don't overthink it" category.

                      CaladorGCS

                      @Derelict:

                      One more piece. What DNS servers are you telling your inside clients to use? This is in the DHCP servers or static client configurations.

                      Bottom line is if you are using the Resolver you might as well just give up trying to use "highest-performing" DNS servers. The resolver will use what the internet tells it to use. If you are using either DNS resolver or forwarder, once something is in the cache it will be given to inside clients nearly-instantaneously anyway. This probably falls into the "don't overthink it" category.

                      I didn't input any DNS servers on that list, just left them all blank.

                        CaladorGCS

                        1st image - System > General Setup > DNS Server Settings

                        2nd image - Services > DHCP Server > LAN > Server

                          ptt Rebel Alliance

                          Just "Uncheck" Allow DNS server list to be overridden by DHCP/PPP on WAN

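                          An added example (not code from the thread or from pfSense): a Python audit of a pfSense config.xml backup that reports the three things Derelict's explanation of DNS Server Override and resolver versus forwarding mode, and ptt's fix of unchecking the override box, turn on: whether WAN DHCP/PPP servers get appended to the configured list, which mode the Resolver is in, and what DNS servers each DHCP scope hands to clients. The config keys `system/dnsserver`, `system/dnsallowoverride`, `unbound/enable`, `unbound/forwarding` and `dhcpd/<interface>/dnsserver` are assumed from pfSense config backups; the sample config is constructed from the values in this thread.

```python
import xml.etree.ElementTree as ET

# Constructed sample of the relevant parts of a pfSense config.xml backup:
# the thread's chosen servers, DNS Server Override still on, the Resolver
# enabled in resolver mode, and a LAN DHCP scope with blank DNS Servers fields.
SAMPLE_CONFIG = """<pfsense>
  <system>
    <dnsserver>63.251.129.1</dnsserver>
    <dnsserver>68.105.28.11</dnsserver>
    <dnsserver>156.154.71.22</dnsserver>
    <dnsallowoverride/>
  </system>
  <unbound><enable/></unbound>
  <dhcpd>
    <lan><enable/><range><from>192.168.1.100</from><to>192.168.1.199</to></range></lan>
  </dhcpd>
</pfsense>"""


def _texts(parent, tag):
    return [e.text.strip() for e in parent.findall(tag) if e.text and e.text.strip()]


def audit_dns(config_xml):
    """Report which DNS servers the firewall and its clients will actually use."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    unbound = root.find("unbound")          # assumed key for the DNS Resolver
    dhcpd = root.find("dhcpd")
    allow_override = system.find("dnsallowoverride") is not None  # assumed key
    resolver_on = unbound is not None and unbound.find("enable") is not None
    forwarding = resolver_on and unbound.find("forwarding") is not None
    # A scope with no dnsserver entries hands clients the firewall itself.
    dhcp_dns = {}
    for scope in (list(dhcpd) if dhcpd is not None else []):
        dhcp_dns[scope.tag] = _texts(scope, "dnsserver") or ["<firewall>"]
    findings = []
    if allow_override:
        findings.append("WAN DHCP/PPP servers are appended to the configured DNS list")
    if resolver_on and not forwarding:
        findings.append("Resolver mode: configured servers only serve the firewall's own queries")
    return {
        "configured": _texts(system, "dnsserver"),
        "allow_override": allow_override,
        "mode": ("forwarding" if forwarding else "resolver") if resolver_on else "off",
        "dhcp_dns": dhcp_dns,
        "findings": findings,
    }
```

Removing the `<dnsallowoverride/>` element is the config-level equivalent of unchecking the box ptt points at, and the second finding goes away only if the Resolver is switched to forwarding mode.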
                            Derelict LAYER 8 Netgate

                            It is up to you how to design your DNS. What is it you are looking for? What are you looking to accomplish?

                              CaladorGCS

                              Nice, that definitely took care of them!
                              DNS server(s)

                              127.0.0.1
                              63.251.129.1
                              68.105.28.11
                              156.154.71.22
                              8.8.8.8

                              Mostly just trying to get as secure as possible without affecting the speed I love so much.

                              Thank you so much! For your time and patience!

                                CaladorGCS

                                @Derelict:

                                It is up to you how to design your DNS. What is it you are looking for? What are you looking to accomplish?

                                I need to read up more on the different DNS setups so I can really figure that out. "Secure as possible without affecting the speed" sounds too general for what you're asking.

                                  TS_b

                                  https://calomel.org/unbound_dns.html

                                    CaladorGCS

                                    @TS_b:

                                    https://calomel.org/unbound_dns.html

                                    Thank you!

                                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.