Confused: Does Unbound moot DNS servers



  • If I'm using Unbound DNS Resolver, does that imply I can delete the dns servers I defined in system > general setup? I saw a guide where the person showed how to research DNS server speed and then set up DNS resolver. But I thought I'd read that Resolver worked by building a path step by step without needing to do that. I think I'm badly misunderstanding something.



  • If you're talking about the "comprehensive guide to pfsense" video on youtube, I thought the exact same thing. On the one hand he seemed to know the nuances of every config option. On the other hand his configuration didn't make any sense.

    My understanding, and I could be wrong, is:

    1. pfsense out of the box uses unbound in resolver mode, which means it actually resolves the dns names. It doesn't forward the request to, for example, 8.8.8.8, opendns, or other dns servers.

    2. You can configure it to forward the request, or you can use the DNS Forwarder instead.

    The guy in the video seemed to go to lengths to find the fastest DNS servers, and then configured pfsense in "resolver" mode.



You can leave the DNS forwarders empty at System->General Setup page, the pfSense system will then use 127.0.0.1 (localhost) address in its /etc/resolv.conf (which is the resolver(3) library configuration file) and all programs running on your pfSense will use the local Unbound resolver for their DNS resolution.

    However, this requires that you use the default resolver mode for Unbound because it is standalone in the resolver mode and doesn't need to know of any forwarders. If you want to use the forwarding mode of Unbound you must define the (preferably at least) two DNS forwarders in System->General Setup page, those DNS forwarders will be automatically added to Unbound's configuration as the forwarders to use if forwarding mode is set.


  • Rebel Alliance

    Thanks kpa - this answers half my question from this thread (https://forum.pfsense.org/index.php?topic=132887.0).



  • Hi, add me to the "confused" list after watching that "comprehensive guide to pfsense" video on Youtube.
    He went through all the effort in benchmarking and selecting the "best" DNS servers, but then he didn't want to enable DNS Query Forwarding.
Then what's the point??

    My understanding is if you don't enable DNS Query Forwarding, then pfsense will just use the IANA Root Servers and not care about the list you specified in General Setup. Am I correct??

    Thanks.


  • Rebel Alliance Developer Netgate

    @kfkehua:

    Hi, add me to the "confused" list after watching that "comprehensive guide to pfsense" video on Youtube.
    He went through all the effort in benchmarking and selecting the "best" DNS servers, but then he didn't want to enable DNS Query Forwarding.
Then what's the point??

    My understanding is if you don't enable DNS Query Forwarding, then pfsense will just use the IANA Root Servers and not care about the list you specified in General Setup. Am I correct??

    You are correct.

    If you leave the DNS Resolver in its default mode, it will contact the root servers directly. The DNS Servers under System > General will not be used by clients.

    They may be used by the firewall if the DNS Resolver is down or does not respond for some reason, but not clients.
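As an added illustration of the two modes kpa and the Netgate reply describe above (example code written for this thread, not pfSense's own code): the default DNS Resolver has no forward-zone for "." and iterates from the root servers itself, while DNS Query Forwarding adds a forward-zone whose forward-addr entries are the General Setup servers; the firewall's own resolv.conf points at 127.0.0.1 either way. The unbound.conf and resolv.conf snippets are constructed and shorter than what pfSense really generates.

```python
"""Tell from an unbound.conf whether Unbound resolves from the roots itself
(no forward-zone for ".") or forwards everything to the General Setup servers."""

# Constructed: shape of the config with DNS Query Forwarding off (the default).
RESOLVER_CONF = """\
server:
    interface: 0.0.0.0
    port: 53
    do-ip4: yes
    harden-dnssec-stripped: yes
"""

# Constructed: DNS Query Forwarding on; forward-addr lines come from General Setup.
FORWARDING_CONF = """\
server:
    interface: 0.0.0.0
    port: 53
forward-zone:
    name: "."          # forward every query
    forward-addr: 9.9.9.9
    forward-addr: 149.112.112.112
"""

# Constructed: the firewall's own resolv.conf when General Setup is left empty.
RESOLV_CONF = "nameserver 127.0.0.1\n"


def forward_zones(conf: str) -> dict:
    """Map each forward-zone name to its list of forward-addr values."""
    zones, clause, name = {}, None, None
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        key, _, value = line.partition(":")   # first colon only: IPv6 values keep theirs
        key, value = key.strip(), value.strip()
        if not value:                          # bare "server:" / "forward-zone:" header
            clause, name = key, None
        elif clause == "forward-zone" and key == "name":
            name = value.strip('"')
            zones.setdefault(name, [])
        elif clause == "forward-zone" and key == "forward-addr" and name:
            zones[name].append(value)
    return zones


def mode(conf: str) -> str:
    """'forwarder' if a forward-zone for "." exists, else Unbound iterates from the roots."""
    return "forwarder" if "." in forward_zones(conf) else "resolver"


def firewall_nameservers(resolv: str) -> list:
    """nameserver entries the firewall itself (resolver(3)) will try, in order."""
    return [l.split()[1] for l in resolv.splitlines()
            if l.startswith("nameserver") and len(l.split()) > 1]
```

Run the same functions over /var/unbound/unbound.conf and /etc/resolv.conf on a live firewall to confirm which mode is actually in effect rather than guessing from the GUI.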



  • How does one decide which configuration to use? Is there a preferred way to configure unbound? I'm currently using defaults, but only because I'm assuming defaults were chosen for a reason (being that they should be acceptable for typical use).


  • Rebel Alliance Global Moderator

    "How does one decide which configuration to use? "

By reading the manual for unbound, or the notes on the setting so you understand the different settings and what they do and then changing them as you may need to fit your situation. How else would it be done?

    What setting do you have a question on?



  • @johnpoz:

    "How does one decide which configuration to use? "

By reading the manual for unbound, or the notes on the setting so you understand the different settings and what they do and then changing them as you may need to fit your situation. How else would it be done?

    What setting do you have a question on?

    In System / General Setup / DNS Server Settings there is DNS Server Override, which defaults to Allow DNS server list to be overridden by DHCP/PPP on WAN. "If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients." Since this is the default, does that imply it's preferable for pfsense to use the DNS servers assigned by the WAN (which would be the ISP for many cases), even if unbound is being used? If so, why? That seems counterintuitive.


  • Rebel Alliance Global Moderator

    "(including the DNS Forwarder/DNS Resolver)."

No, the resolver will not use what is in general unless you set it to forward mode.

    Not sure where you got the idea it's better for pfsense to use public dns set by hand or by your wan.

    If you use resolver out of the box it will list 127.0.0.1 first, itself - in the case the resolver fails then pfsense could use what you got from your isp or what you set for dns. I don't see this as having a point.

    If you're going to use the resolver then it should resolve and pfsense should use it - end of story. There would be zero reason to allow dns to be set by dhcp for pfsense. It has no use. If you're going to use the forwarder then that is what will get forwarded to, or turn it off and set up your own public to be forwarded to. Dhcp on pfsense will default to send clients to talk to it for dns, then it forwards to what is set in general be it by hand or by upstream dhcp on its wan.



  • @johnpoz:

    "(including the DNS Forwarder/DNS Resolver)."

No, the resolver will not use what is in general unless you set it to forward mode.

    Not sure where you got the idea it's better for pfsense to use public dns set by hand or by your wan.

    If you use resolver out of the box it will list 127.0.0.1 first, itself - in the case the resolver fails then pfsense could use what you got from your isp or what you set for dns. I don't see this as having a point.

    If you're going to use the resolver then it should resolve and pfsense should use it - end of story. There would be zero reason to allow dns to be set by dhcp for pfsense. It has no use. If you're going to use the forwarder then that is what will get forwarded to, or turn it off and set up your own public to be forwarded to. Dhcp on pfsense will default to send clients to talk to it for dns, then it forwards to what is set in general be it by hand or by upstream dhcp on its wan.

    Where did I say that "I" thought it was better for pfsense to use the dns "set by hand or by your wan"? All I did was point out that the default in general setup is to allow dns servers to be overridden by the wan dhcp. Presumably, this is the default either because someone thought it should be or erroneously, which is why I asked. You seem to be confirming what I thought, which is it's the latter.