DNS and DNS Resolver questions



  • I’ve been using pfSense on a Netgate SG-2220 for five months.  I’ve got a question about DNS and I think a little history may be helpful:

    1. First run at setting up pfSense went fine.  No problems.

    2. Wanted to change from our ISP’s DNS server to OpenDNS.  Went to System / General Setup and entered the IP addresses of two OpenDNS servers.  After hitting Save, nothing worked.

    3. With help from Netgate tech support, re-set the SG-2220 to factory defaults and gave it another try.  Same result…after entering values for OpenDNS … nothing worked.

    4. Netgate’s tech guy took over…got everything working again.

    5. I asked him to change to OpenDNS and was quite surprised when we saw what he did.  He entered the OpenDNS values and then ALSO changed the right side of this section from NONE to pre-populated values for our ISP.  I had somehow completely missed this.

    Fast forward to this week.  While our Internet had been working fine, we thought we sensed a slight delay (when the DNS lookup would be happening).  Some research found info on the DNS Resolver.

    Our DNS Resolver was NOT enabled.  Had the Netgate tech guy done this?  I’m not sure (he was making changes very fast).  I believe the DNS Resolver is enabled by default.

    So, I turn on the DNS Resolver.  The very slight delay we had been seeing seems to be gone.

    Next I discover that OpenDNS does not support DNSSEC.  So we changed from OpenDNS to Google DNS.  DNSSEC seems to be working…at least the DNS logs aren’t full of errors now.

    Questions:

    1. What’s with the part of DNS Server Settings where you not only have to enter your desired DNS values but ALSO select the ISP settings on the right side?  The previous routers I’ve used simply had one enter the desired values and hit save.

    2. Later my son went in and added Google’s IPv6 DNS values into the DNS Server Settings page.  Everything still works fine, but I was surprised at “what is my IP address” web sites now reporting our IPv6 address instead of our IPv4 address.  And my computer’s network settings reports two DNS values…the IP address of our Netgate router and also its IPv6 values.

    3. Do you guys that use Google DNS enter 4 DNS servers (two with IPv4 addresses and two with IPv6 addresses)?

    Thanks for any info you can provide!


  • LAYER 8 Global Moderator

    "Our DNS Resolver was NOT enabled. "

    "So, I turn on the DNS Resolver."

    What is it you want to do, resolve or forward?  I think you're confused about what resolving actually does if you turned it on and still want to use OpenDNS or any other DNS.. Unless you put the resolver in forwarder mode.. Which just has me confused as to why you would want to do that?

    If you're going to resolve, you have zero use for putting your ISP's or any other DNS server in General Settings, or for allowing your ISP to hand you DNS via DHCP, etc. If you're going to resolve, the only thing pfSense should be pointing to for DNS is itself, 127.0.0.1.



    What is it you want to do, resolve or forward?
    If you're going to resolve, you have zero use for putting your ISP's or any other DNS server in General Settings

    Yes, I'm confused.  And I'm not an expert in DNS.

    My goal is to use either OpenDNS or Google DNS instead of my ISP's DNS.  I believe OpenDNS or Google will do a better job of providing DNS.  And having DNSSEC doesn't seem like a bad thing.

    My understanding of pfSense's DNS Resolver is that one of the things it provides is a DNS cache.  Also validation (which I guess is the DNSSEC part.)  The subtle delay we were seeing did seem better after enabling DNS Resolver, so I feel that the cache was working.  Now, the delay was very subtle, impossible to measure.  But it did seem better.

    I've read (or saw in a pfSense YouTube video) that DNS Forwarder may be taken out of pfSense.  That DNS Resolver (or Unbound) is the newer, better way to go.

    You say using DNS Resolver means zero chance of using personalized DNS settings.  But I do know that when we had OpenDNS settings, and DNS Resolver on, the DNS logs were full of DNSSEC errors.  When we switched to Google DNS (who supports DNSSEC) the errors in the log stopped.

    In the DNS Server Settings (General Setup) is the reason for the pop-ups on the right side for environments that have more than one Internet provider?  And wish to use different DNS settings for the different Internet providers?

    And thanks for providing info!


  • LAYER 8 Global Moderator

    Why do you want to use different DNS for different ISPs?  If you're going to be using the resolver this seems pointless.  The only reason to use different DNS for different ISPs is if you were going to leverage their DNS.. If you're going to use Google or OpenDNS I don't see the point of using Google for one and OpenDNS for the other.

    Even if they remove dnsmasq (forwarder) from pfSense, the resolver (unbound) can be put in forwarder mode.  But to be honest dnsmasq forwarding is more robust.. in that you could query multiple NS all at the same time and use the fastest response.  I am not aware that unbound can do that.

    If you use the resolver, yes it will cache just like the forwarder.  But where it differs is that it resolves to find your answer vs just forwarding to some other nameserver asking the question.  So if you're looking up www.domain.com,

    The resolver will ask roots, hey what is NS for .com, thanks
    Hey NS for .com what is NS (name server) for domain.com
    Hey NS for domain.com what is the IP of www.domain.com

    This is resolving, walking down from the roots.  Yes it can verify responses with DNSSEC if the domains are signed, etc.  You are always sure you're getting the info from the horse's mouth this way vs something that was cached in the place you forwarded to, which might be outdated or even wrong (poisoned).  And it might not be the correct answer for you if the domain is wanting to hand you an IP based upon geo location, etc.

    Unless you're on a high latency connection or your ISP intercepts DNS there is normally no reason not to just resolve vs forwarding somewhere.  If your ISP is intercepting DNS there is little you can do other than use their DNS, or tunnel it through them via VPN or dnscrypt maybe.  If using dnscrypt your stuff is just forwarding; if you're using a VPN you could still resolve.

    If you forward you're at the mercy of where you forward to as to whether they support DNSSEC; if you resolve you know for sure you can use it or not use it depending on whether you want to or not.

    The only other reason to forward would be if you wanted to leverage some sort of filtering like is available with OpenDNS, etc., where for example p0rn sites do not resolve, etc.

    Most of the time you should just use the default out of the box settings, which is to let pfSense resolve.
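The walk johnpoz describes (roots, then the .com servers, then the domain's own servers), as an added toy example that is not code from the thread or from pfSense/Unbound. The three "servers" and their zone data are constructed in memory; real resolvers send UDP/TCP queries and also handle glue, CNAMEs and DNSSEC, which this skips.

```python
"""Constructed iterative resolver: follow referrals from the root down
to the authoritative server instead of forwarding the question elsewhere."""
from dataclasses import dataclass, field


@dataclass
class Server:
    """A constructed authoritative name server for one zone."""
    zone: str
    records: dict = field(default_factory=dict)      # name -> A record
    delegations: dict = field(default_factory=dict)  # child zone -> Server

    def query(self, name):
        """Answer from own records, or refer to the child zone covering name."""
        if name in self.records:
            return ("answer", self.records[name])
        for child, srv in self.delegations.items():
            if name == child or name.endswith("." + child):
                return ("referral", srv)
        return ("nxdomain", None)


# Constructed zone tree: root -> com -> domain.com (192.0.2.0/24 is doc space)
domain_ns = Server("domain.com", {"www.domain.com": "192.0.2.10"})
com_ns = Server("com", delegations={"domain.com": domain_ns})
root_ns = Server(".", delegations={"com": com_ns})


def resolve(name, root=root_ns, max_steps=10):
    """Return (ip, trail); trail lists each zone asked, in order.

    Every hop asks an authoritative server for its part of the name, which
    is why a resolver is not exposed to a third party's possibly stale or
    poisoned cache the way a forwarder is."""
    server, trail = root, []
    for _ in range(max_steps):
        trail.append(server.zone)
        kind, payload = server.query(name)
        if kind == "answer":
            return payload, trail
        if kind == "nxdomain":
            return None, trail
        server = payload  # follow the referral one level down the tree
    raise RuntimeError("referral loop")


if __name__ == "__main__":
    print(resolve("www.domain.com"))
```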



  • I want to use a DNS other than my ISP, Comcast, because I believe other folks will have a better run DNS server than Comcast.  OpenDNS and Google's DNS get good reviews.  Running OpenDNS or Google's DNS is a fairly popular thing to do.  It seems you feel your ISP's DNS is good enough…and that's fine.  We all get to set up and maintain our systems as we see fit.

    I think you may have misunderstood part of my question.  I don't want to run OpenDNS and Google's DNS at the same time.  I only want to use a good DNS that isn't run by Comcast.

    The cache function of pfSense's DNS Resolver did seem to speed up my web surfing.  And my research indicates it is "on" by default.  I just don't know how or when it got turned off on my system.

    Thanks for your help, you've been great.  By the way, I found a neat web site that will give one loads of information about their Internet connection.  I was able to use it to determine if pfSense was using Comcast's DNS or Google's DNS.  After my changes it is using Google's DNS.


  • LAYER 8 Global Moderator

    "It seems you feel your ISP's DNS is good enough…and that's fine."

    Dude, look up what a resolver is vs a forwarder.. Clearly you're just not getting it..  Where did I say I was using my ISP's DNS..

    I am resolving - I use the roots and the actual authoritative NS for the specific domains.  I don't ask my ISP anything, nor do I forward, I resolve - it's not asking my ISP's DNS or Google or OpenDNS..  It's resolving..



  • Okay, I see.  You're using the root servers, not your ISP's DNS, not anyone else's.

    Are you using the root name servers by turning off "enable forwarding mode" on the DNS Resolver page?  (In an earlier message you made it sound like you were using DNS Forwarder because you felt it was more robust).

    Again, thanks for the info you've provided.  I'm very new at this…my last router was an Apple Airport Extreme.  ;-)



  • @DeltaOne:

    Okay, I see.  You're using the root servers, not your ISP's DNS, not anyone else's.

    Are you using the root name servers by turning off "enable forwarding mode" on the DNS Resolver page?  (In an earlier message you made it sound like you were using DNS Forwarder because you felt it was more robust).

    Again, thanks for the info you've provided.  I'm very new at this…my last router was an Apple Airport Extreme.  ;-)

    Let's try from a different angle:

    If you are using pfSense as a RESOLVER:

    pfSense will tell your machines to ask it for all DNS lookups. If it has the address already it will hand it back; if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine.

    If you are using pfSense as a forwarder:

    pfSense will tell your machine to go ask your ISP's (or Google's or..) DNS servers for the address. They will either have it, or go ask other servers.

    It seems you may be unclear what the benefits of using pfSense as a resolver are?



  • @iced98lx:

    Let's try from a different angle:
    If you are using pfSense as a RESOLVER:
    pfSense will tell your machines to ask it for all DNS lookups. If it has the address already it will hand it back; if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine.
    If you are using pfSense as a forwarder:
    pfSense will tell your machine to go ask your ISP's (or Google's or..) DNS servers for the address. They will either have it, or go ask other servers.
    It seems you may be unclear what the benefits of using pfSense as a resolver are?

    Yes…the differences between Forwarder and Resolver weren't clear to me.  Your explanation is perfect.  Thanks!



    Glad it helped, though I think I made a couple of errors in terminology (I don't think the answer you get back when pfSense is a DNS resolver is authoritative, for example - sorry, johnpoz can hopefully correct me), but hopefully it helps you decide on whether you want pfSense to be a DNS Resolver or a forwarder, and why johnpoz was on his line of questioning.


  • LAYER 8 Global Moderator

    "if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine"

    This is not actually how it works.. I already went over how a resolver works..

    The resolver will ask roots, hey what is NS for .com, thanks
    Hey NS for .com what is NS (name server) for domain.com
    Hey NS for domain.com what is the IP of www.domain.com

    The only thing that is asked of "roots" is what are the name servers for the TLD, you then walk down the tree asking in turn each authoritative NS for their portion of the FQDN..

    But if you think you understand it now, we can all rest easy ;)

    So are you using the resolver or forwarder - what do you want to do now that you understand the difference?



  • @johnpoz:

    "if not it will go ask the root nameservers what the address is, and then return with an authoritative answer to your machine"

    This is not actually how it works.. I already went over how a resolver works..

    The resolver will ask roots, hey what is NS for .com, thanks
    Hey NS for .com what is NS (name server) for domain.com
    Hey NS for domain.com what is the IP of www.domain.com

    The only thing that is asked of "roots" is what are the name servers for the TLD, you then walk down the tree asking in turn each authoritative NS for their portion of the FQDN..

    But if you think you understand it now, we can all rest easy ;)

    So are you using the resolver or forwarder - what do you want to do now that you understand the difference?

    Thank you for correcting me I certainly poorly shortened the process of the lookup and misrepresented what happens when it's set as a resolver in an attempt to shorten the understanding to "This block of work will either be handled by pfSense or your chosen external DNS servers (google etc)".

    johnpoz, would you mind listing a few pros/cons to resolving vs forwarding as you see it? Perhaps caching, DNSSEC? I think many home users or those of us not as savvy in the DNS world would appreciate it.  I use pfSense as a resolver assuming it takes away other resolvers' propensity to filter/alter requests, as well as for caching, but perhaps I could simplify and just forward. I think this may be the crux of DeltaOne's discussion - I think understanding in what scenarios one might choose to resolve vs forward could be helpful…



  • @johnpoz:

    So are you using the resolver or forwarder - what do you want to do now that you understand the difference?

    Currently using resolver.  The last few posts, plus some other reading, make me think the forwarder is a better choice for me.  I hope to have some time this weekend to switch from resolver to forwarder.



  • @iced98lx:

    johnpoz, would you mind listing a few pros/cons to resolving vs forwarding as you see it? Perhaps caching, DNSSEC? I think many home users or those of us not as savvy in the DNS world would appreciate it.  I use pfSense as a resolver assuming it takes away other resolvers' propensity to filter/alter requests, as well as for caching, but perhaps I could simplify and just forward. I think this may be the crux of DeltaOne's discussion - I think understanding in what scenarios one might choose to resolve vs forward could be helpful…

    My goal was to solve a subtle delay I was seeing.  I guessed the delay was DNS related.  (For the record, the delay was VERY subtle…and maybe was all in my perception?  I don't know...)

    Some research led me to pfSense's forwarder and resolver.  And that led to my initial post ten days ago.

    I think, now, my goal is even simpler...the best way to configure pfSense for using either OpenDNS or Google's DNS.  Pretty simple set up here...two computers, 3 iPhones, 3 iPads, a few Apple TVs, a few TiVos.  That's about it.


  • LAYER 8 Global Moderator

    "the best way to configure pfSense for using either OpenDNS or Google's DNS"

    If you say so - I wouldn't ever do it that way… But sure if you think forwarder is faster better, have fun..

    Me, I would rather be using DNSSEC and know for a FACT I got the info direct from the authoritative server for what I am looking up, vs via some cached info that quite possibly could be poisoned..  A couple of ms longer in looking up a record is never going to be an issue.  And that is only if the record is not already cached..

    A resolver is always going to be a better choice vs forwarding from a security point of view, and once you have cached an entry and you use prepop, and let your resolver look up a record when it has 10% of the TTL left, your clients' queries for common stuff you look up should always be only 1 or 2 ms away.. vs having to go ask Google DNS again, which is prob 30+ ms away anyway, every time the TTL expires for something.

    If you were on a very high latency connection, sat for example, or the NS for the domains you like to frequent were on the other side of the planet from you, then it might be better to ask a local forwarder.. But that would rarely be the case - this is why pfSense uses the resolver out of the box..
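The "prepop" behaviour johnpoz describes (serve from cache, and refresh an entry once only 10% of its TTL is left so clients never wait on an expired record), as an added example that is not code from the thread or from Unbound. The `upstream` callable stands in for the resolver's own walk to the authoritative servers, and the refresh is done synchronously here where a real resolver would do it in the background; both are assumptions of this toy.

```python
"""Constructed TTL cache with prefetch at 10% remaining TTL."""
import time


class PrefetchCache:
    def __init__(self, upstream, prefetch_fraction=0.10, clock=time.monotonic):
        self.upstream = upstream              # callable: name -> (ip, ttl_seconds)
        self.prefetch_fraction = prefetch_fraction
        self.clock = clock                    # injectable so tests are deterministic
        self.entries = {}                     # name -> (ip, ttl, fetched_at)
        self.upstream_calls = 0               # how often we had to leave the cache

    def _fetch(self, name):
        """Ask upstream and (re)populate the cache entry for name."""
        ip, ttl = self.upstream(name)
        self.upstream_calls += 1
        self.entries[name] = (ip, ttl, self.clock())
        return ip

    def lookup(self, name):
        """Return (ip, source) where source is 'cache' or 'upstream'."""
        entry = self.entries.get(name)
        if entry is None:
            return self._fetch(name), "upstream"       # cold: client waits
        ip, ttl, fetched_at = entry
        remaining = ttl - (self.clock() - fetched_at)
        if remaining <= 0:
            return self._fetch(name), "upstream"       # expired: client waits
        if remaining <= ttl * self.prefetch_fraction:
            self._fetch(name)   # near expiry: refresh now, answer from cache
        return ip, "cache"


if __name__ == "__main__":
    def fake_upstream(name):          # constructed answer with a 300 s TTL
        return ("192.0.2.10", 300)
    cache = PrefetchCache(fake_upstream)
    print(cache.lookup("www.domain.com"), cache.lookup("www.domain.com"))
```

With a 300 s TTL the refresh fires once 30 s or less remain, so a popular name stays answerable from cache indefinitely while an unpopular one simply expires.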



  • @johnpoz:

    A resolver is always going to be a better choice vs forwarding from a security point of view, and once you have cached an entry and you use prepop, and let your resolver look up a record when it has 10% of the TTL left, your clients' queries for common stuff you look up should always be only 1 or 2 ms away.. vs having to go ask Google DNS again, which is prob 30+ ms away anyway, every time the TTL expires for something.

    You've made a convincing argument, I'll stick with the Resolver.

    I do have a few more questions:

    1. I'm nearly certain, 11 days ago when this became an issue for me, I found both the Resolver and Forwarder disabled (unchecked).  Everything was working.  Was DNS working solely from the settings on pfSense's System / General Setup page?

    2. If I'm right that the Resolver was unchecked…I wonder why.  I don't remember making any changes in this area.

    3. Is the Forwarder going to be removed from the next major release of pfSense?  Just curious, I think I read this somewhere.

    Finally, thanks again for your help.  Much appreciated!

