DNS Server Override Question

kevindd992002 · Jan 16, 2018, 2:06 PM

The 2 OpenDNS servers are listed under my General settings but when I check the DNS Server Override box, pfsense doesn't use the DNS specified by my ISP. It still continues to use OpenDNS. What can I do to troubleshoot this?

GentleJoe · Jan 17, 2018, 2:55 AM

I have issues with this too. I never got it working correctly.

Perhaps it has to do with the pfsense DNS server that the clients use. The clients would use 192.168.1.1, if they use the pfsense DHCP server and that if the pfsense address.

kevindd992002 · Jan 18, 2018, 2:51 AM

@Gentle:

I have issues with this too. I never got it working correctly.

Perhaps it has to do with the pfsense DNS server that the clients use. The clients would use 192.168.1.1, if they use the pfsense DHCP server and that if the pfsense address.

The clients would use the LAN Interface IP of the pfsense box if DNS Forwarding is enabled and that makes sense. But regardless, pfsense should be forwarding to the ISP DNS IF the DNS Server Override is checked.

johnpoz · Jan 17, 2018, 9:57 AM

Pfsense out of the box is s resolver - it doesn't forward or use any isp or opendns.

So please post what you did that you feel changed it to fowarder mode.. Did you turn off the resolver and turn on the forwarder? Did you check the forwarder box in the resolver and tell it to be a forwarder?

DNS Query Forwarding
Enable Forwarding Mode If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

If so what does your system widget say for dns being used?

kevindd992002 · Jan 18, 2018, 2:58 AM

@johnpoz:

Pfsense out of the box is s resolver - it doesn't forward or use any isp or opendns.

So please post what you did that you feel changed it to fowarder mode.. Did you turn off the resolver and turn on the forwarder? Did you check the forwarder box in the resolver and tell it to be a forwarder?

DNS Query Forwarding
Enable Forwarding Mode If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

If so what does your system widget say for dns being used?

Yes, I know that. I came from an older pfsense version (before unbound even existed as an option) and upgraded through the years. I'm now at the latest version (2.4.2-RELEASE-p1) and, as you know, it doesn't change the DNS resolving scheme from DNS Forwarding to DNS Resolver, meaning it retains the old setting of it being a DNS Forwarder.

Simply put, I use DNS Forwarder and NOT DNS Resolver. As what's defined when using forwarding:

*** If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there). ***

That means that if you have DNS Server Override checked, it should forward the DNS Queries to the DNS Servers obtained via DHCP/PPP on WAN and will bypass the list of servers listed under System > General. But this is not the case. Regardless of whether that box is checked or not, it uses the DNS Servers listed under General.

We actually had this conversation a while back and there was no solution :) Here it is for your reference: https://forum.pfsense.org/index.php?topic=124121.0 . I was waiting for your test results :)

johnpoz · Jan 18, 2018, 3:14 AM

Waiting for a year? heheeheh Really - dude you could of sent me a PM to remind me…

Here I turned off resolver, enabled forwarder.. Put in dns for opendns... See how it shows opendns IP on my widget... I then set it to override, I then released and renewed my dhcp lease on my wan... Now it shows that the isp dns was put in the list first... Doesn't remove opendns - its still there too.

Forwarder out of the box will query ALL dns!! Use the one that answers first... So unless you tell it to do your queries sequential if you leave the opendns on there - it is possible they will used. Shoot even if you put sequential it could use those.. If the isp ones don't answer, etc.

If you don't want to use opendns - remove them from your list.. And just let your dhcp hand out your dns to you.. Prob have to release and renew your wan dhcp lease to make sure those get put in after changing that setting, etc.

Now back to resolving - forwarding is so uuugghhh ;)

kevindd992002 · Jan 18, 2018, 3:51 AM

@johnpoz:

Waiting for a year? heheeheh Really - dude you could of sent me a PM to remind me…

Here I turned off resolver, enabled forwarder.. Put in dns for opendns... See how it shows opendns IP on my widget... I then set it to override, I then released and renewed my dhcp lease on my wan... Now it shows that the isp dns was put in the list first... Doesn't remove opendns - its still there too.

Forwarder out of the box will query ALL dns!! Use the one that answers first... So unless you tell it to do your queries sequential if you leave the opendns on there - it is possible they will used. Shoot even if you put sequential it could use those.. If the isp ones don't answer, etc.

If you don't want to use opendns - remove them from your list.. And just let your dhcp hand out your dns to you.. Prob have to release and renew your wan dhcp lease to make sure those get put in after changing that setting, etc.

Now back to resolving - forwarding is so uuugghhh ;)

I was joking, LOL :) I didn't even remember about the issue myself until recently.

Ok, what you're saying make sense but I guess the setting is really not a 100% override because it depends whether DNS querying is set to sequential or simulataneous.

I've been using forwarding since forever but I really want to try out resolver. What settings do you have under DNS Resolver? Do you mind posting a screenshot? And why is DNS Query Forwarding is still an option under the DNS Resolver if the whole point of unbound is to do the querying by itself (to root servers)?

johnpoz · Jan 18, 2018, 11:42 AM

Because it a feature.. Maybe you want to use it internally and just forward to an internal NS.. Or maybe your on really bad internet with bad latency and resolving is not something that works out for you, etc.. Maybe your ISP is crap and only allows access to their dns and you can not talk to others via resolving, etc..

But to be honest just going to forward - prob use the forwarder, since the forward to ALL at once is a good feature if what your worried about is dns response time ;) Can not do that with unbound I do not believe.

Like asking why does my color printer allow me to print in just black and white ;)

Maybe they should reword the statement to be something like dhcp dns added before ones listed on general, etc.

I for sure could post my settings… But out of the box they are fine... Only 2 things I have enabled that I believe are not on out of the box are

Use 0x-20 encoded random bits in the DNS query to foil spoofing attempts.
Disable the automatically-added access control entries - I set my own ACLs

Do you have some question about some of the settings? That your not understanding?

edit: Oh and I set to static vs transparent for the zone type.. If you have questions about unbound really suggest you read the manual on it - it has way more features and options than that are really presented in the gui of pfsense. Which you can set using the advanced option section.. I set plex.direct as private domainf for example via

server:
private-domain: "plex.direct"

kevindd992002 · Jan 18, 2018, 12:35 PM

@johnpoz:

Because it a feature.. Maybe you want to use it internally and just forward to an internal NS.. Or maybe your on really bad internet with bad latency and resolving is not something that works out for you, etc.. Maybe your ISP is crap and only allows access to their dns and you can not talk to others via resolving, etc..

But to be honest just going to forward - prob use the forwarder, since the forward to ALL at once is a good feature if what your worried about is dns response time ;) Can not do that with unbound I do not believe.

Like asking why does my color printer allow me to print in just black and white ;)

Maybe they should reword the statement to be something like dhcp dns added before ones listed on general, etc.

I for sure could post my settings… But out of the box they are fine... Only 2 things I have enabled that I believe are not on out of the box are

Use 0x-20 encoded random bits in the DNS query to foil spoofing attempts.
Disable the automatically-added access control entries - I set my own ACLs

Do you have some question about some of the settings? That your not understanding?

edit: Oh and I set to static vs transparent for the zone type.. If you have questions about unbound really suggest you read the manual on it - it has way more features and options than that are really presented in the gui of pfsense. Which you can set using the advanced option section.. I set plex.direct as private domainf for example via

server:
private-domain: "plex.direct"

I enabled unbound for now and let's see how it performs in my home environment :)

I agree. The statement in the DNS Server Override should be reworded, it's confusing.

I really don't know the out-of-the-box settings so I have no clue which are ticked or unticked by default. Here are my questions:

For Network Interfaces and Outgoing Network Interfaces, do you recommend keeping them at "All"? If security is of concern, I guess the answer is no. If so, which interfaces should I limit them to?
By manual, you mean the pages in the unbound.conf, right?
I don't see any automatically-added ACL entries under Access Lists. Is there somewhere I can see what those defaults are?
Anything in particular to set under Advanced Settings?

*** And yes, I have plex.direct as a private domain too and I already put that earlier before you posted as I was researching the counterpart of it in unbound :)

johnpoz · Jan 18, 2018, 1:35 PM

1) What interfaces do you want it to listen on… I am never a fan of ALL for something that listens. I have it set to my local interfaces using it on and my wan for outbound.

yes the online docs from unbound. https://www.unbound.net/documentation/unbound.html

3) Turn off the automatic and then create the ones you want in the ACL tab.. When set to automatic I do not believe they show up in the ACL tab..

4) Not unless you have specific needs, like a plex server? Or you want to load a bunch of domains your redirecting, etc. Kind of like a manual version of pfblocker can be done by loading wildcard domains for a redirect to say loopback.