Resolving LAN host names - help



  • Trying to understand better how to manage the ability to resolve LAN hosts by name.

    It used to work fine and alas I touched something, so maybe it's time to clarify it once and for all (for me of course, all other smart people here know this by heart  :D )

    Here is what I have

    What am I not doing right?

    System/General Setup

    Services/DHCP Server/LAN

    Services/DNS Resolver/General Settings



  • I think I made it work again, but still comment, I'd like to learn more about this…


  • LAYER 8 Global Moderator

    single label domain - bad idea

    You're in resolver mode - so whatever DNS servers you put there are pointless and never used.



  • @johnpoz:

    single label domain - bad idea

    You're in resolver mode - so whatever DNS servers you put there are pointless and never used.

    @johnpoz
    Can you please elaborate? What would you do?


  • LAYER 8 Global Moderator

    Use a domain with a TLD vs just a TLD… put something on the end of that domain, say whatever.lan or whatever.something

    Don't waste your time putting in DNS servers that would never get asked, since out of the box pfSense resolves.

    How is it that in this day and age people so worried about DNS leaks don't understand the difference between a forwarder and a resolver?  Google it!!!

    Are you pointing your clients to something other than pfSense for DNS?  There is no reason to put something into the DHCP server unless you're going to point your clients to something other than the pfSense LAN IP.  If you leave it blank it automatically hands out the pfSense IP on that interface.  It says so right there in the note.



  • OK, removed values from DNS/General and Resolver.

    I am not using DNS Forwarder, but will read more about it vs Resolver.

    Wondering why "single label domain - bad idea"?

    Thx!


  • LAYER 8 Global Moderator

    From a DNS point of view it's not a good idea.

    This is a Windows-based list of reasons:

    https://support.microsoft.com/en-us/help/300684/deployment-and-operation-of-active-directory-domains-that-are-configur

    There just is no point to it. Any device should have an FQDN; this would include the host, the second-level domain and the top-level domain… Using just a single label like that, that is not possible for your host names.



  • @johnpoz

    I've made the changes you suggested and everything seems to be working fine.

    Specifically:
    Domain as 'something.lan'
    no DNS servers set in System/General Setup and DNS Server Override
    no DNS set in Services/DHCP Server/LAN

    Where is pfSense getting DNS now?  From my ISP?

    Thx


  • LAYER 8 Global Moderator

    "Where is pfSense getting DNS now?  From my ISP?"

    So you didn't look up the difference between a forwarder and a resolver ;)

    A resolver walks down from the root servers to the authoritative name server for the domain whose resource you want to know.

    You're looking for www.domain.com, so it asks one of the root servers - google those ;)

    Hey root server, who is the nameserver for .com domains? ok thanks
    Hey .com nameserver, who is the nameserver for domain.com? ok thanks
    Hey domain.com NS, what is the A record for www.domain.com? ok thanks

    Your ISP has nothing to do with this other than providing connectivity to the internet to allow you to talk to the authoritative NS.

    edit:  Since you prob won't google it https://en.wikipedia.org/wiki/Root_name_server
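The three-step walk sketched in the post above, as an added example that is not from this thread, from pfSense or from Unbound: a Python simulation of iterative resolution over a constructed delegation tree (the server names and the 192.0.2.10 address are placeholders). It shows that every server only hands back a referral or the final record, and that no ISP resolver is ever consulted.

```python
"""Simulate a resolver walking down from the root to the authoritative
name server, as Unbound on pfSense does. All zone data below is constructed
for this example (placeholder server names, RFC 5737 documentation address)."""

# Each "server" knows only its own zone: it either holds the final A record
# or returns an NS referral to the server one level further down.
SERVERS = {
    "root": {"com.": ("NS", "a.gtld.example.")},
    "a.gtld.example.": {"domain.com.": ("NS", "ns1.domain.com.")},
    "ns1.domain.com.": {"www.domain.com.": ("A", "192.0.2.10")},
}


def ask(server, qname):
    """Return the most specific record `server` has for qname, or None.

    Tries the full name first, then successively shorter suffixes, so the
    .com server answers 'domain.com.' when asked about 'www.domain.com.'.
    (Real NS answers also carry glue A records; omitted here for clarity.)"""
    zone = SERVERS[server]
    labels = qname.split(".")
    for i in range(len(labels)):
        suffix = ".".join(labels[i:])
        if suffix in zone:
            return zone[suffix]
    return None


def resolve(qname, max_hops=10):
    """Iterate from the root, following referrals until an A record appears.

    Returns (address, trail) where trail lists (server, rtype, rdata) per hop;
    raises LookupError if some server has no data for the name."""
    server, trail = "root", []
    for _ in range(max_hops):
        record = ask(server, qname)
        if record is None:
            raise LookupError(f"{server} has no delegation or data for {qname}")
        rtype, rdata = record
        trail.append((server, rtype, rdata))
        if rtype == "A":
            return rdata, trail
        server = rdata  # referral: the next question goes to the named NS
    raise LookupError("too many referrals")


if __name__ == "__main__":
    addr, trail = resolve("www.domain.com.")
    for server, rtype, rdata in trail:
        print(f"Hey {server}, about www.domain.com.? -> {rtype} {rdata}, ok thanks")
    print("answer:", addr)
```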



  • @johnpoz:

    "Where is pfSense getting DNS now?  From my ISP?"

    So you didn't look up the difference between a forwarder and a resolver ;)

    A resolver walks down from the root servers to the authoritative name server for the domain whose resource you want to know.

    You're looking for www.domain.com, so it asks one of the root servers - google those ;)

    Hey root server, who is the nameserver for .com domains? ok thanks
    Hey .com nameserver, who is the nameserver for domain.com? ok thanks
    Hey domain.com NS, what is the A record for www.domain.com? ok thanks

    Your ISP has nothing to do with this other than providing connectivity to the internet to allow you to talk to the authoritative NS.

    edit:  Since you prob won't google it https://en.wikipedia.org/wiki/Root_name_server

    I won't lie to you and say "oh yeah, I knew all of this"  :)

    This is something I had no clue about and why I started using pfSense last year.
    I can't say that I get all of this but it makes sense now.

    Thanks a million for explaining and patience!



  • @johnpoz

    I think the last question here is - do you think that using DNS names in System/General Setup may/will improve performance?

    And if yes, how do you suggest doing this?

    I tried running a benchmark and selecting the best-performing servers, but found that sometimes when a DNS server got slow or unavailable the whole system was slow (as expected), and I was not sure how to solve this issue without manual intervention.


  • LAYER 8 Global Moderator

    There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  Or unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones.  Otherwise there is ZERO reason to do anything other than resolve.

    This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you cannot.



  • @johnpoz:

    There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  Or unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones.  Otherwise there is ZERO reason to do anything other than resolve.

    This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you cannot.

    Very clear, thx!

    I guess people do what I was doing because when they start they look for available resources; I used YouTube, and apparently not all of them are trustworthy, which is as expected.



  • @johnpoz:

    There is ZERO reason to put anything into general DNS.. ZERO… Unless you're going to turn off resolver and use forwarder mode.  Or unless you're on some HIGH latency ISP, like sat or something.  Or your ISP filters DNS and only lets you use them or specific ones.  Otherwise there is ZERO reason to do anything other than resolve.

    This is why it is the default out of the box - this is what everyone should be doing unless there is a specific reason why you cannot.

    @johnpoz I followed your suggestions and am happy so far.

    However I see some DNS queries to IP addresses that I cannot explain (https://pastebin.com/zwa92uZe), can you help me understand this?

    I wonder if I have something mis-configured.

    Thx!



  • @chudak:

    However I see some DNS queries to IP addresses that I cannot explain (https://pastebin.com/zwa92uZe), can you help me understand this?

    You're not the only one that uses YouTube as a manual. Inspect the devices on your LAN(s).
    PCs and other devices could have 'static' DNS addresses set up, so they will contact, for example, "8.8.8.8", completely bypassing the local DNS authority (your pfSense).
    That also explains why local resolution, like "Resolving LAN host names", doesn't work any more. 8.8.8.8 knows nothing about that network printer in your pool house.

    Leave the network settings of any device you unpack at their original settings, and all will work just fine.

    Handing over all your requests to 6.6.6… sorry, 8.8.8.8 is OK, but first make up the full list of consequences ...
    8.8.8.8 and YouTube are the same house  ;)

    Note: I'm not against 8.8.8.8. But why should I learn to use that one if my pfSense already does everything I need?

    Also: some devices and some software have DNS hard-coded - you can't do anything about that, except blocking all outgoing DNS requests, forcing the device to use pfSense, or have it shut up.
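One way to surface the situation described in the post above (a client with a static 8.8.8.8 talking past pfSense), as an added example that is not from this thread or from pfSense: Python that scans firewall log lines for port 53 traffic from the LAN that is not addressed to the pfSense LAN IP. The 192.168.1.1 firewall address and the log lines are constructed, and the line layout is a simplified one for this example, not pfSense's real filterlog format.

```python
"""Find LAN clients sending DNS somewhere other than the pfSense resolver.
The firewall address and the log lines are constructed for this example; the
'<time> <iface> <src> -> <dst> <proto>/<dport>' layout is a simplification,
not the real pfSense filterlog format (adapt parse() to your log source)."""
import re
from collections import defaultdict

PFSENSE_LAN_IP = "192.168.1.1"  # assumed LAN address of the firewall

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<iface>\S+)\s+(?P<src>[\d.]+)\s+->\s+"
    r"(?P<dst>[\d.]+)\s+(?P<proto>tcp|udp)/(?P<dport>\d+)$"
)

# Constructed sample: .23 uses pfSense, .42 and .77 have static public DNS set.
SAMPLE_LOG = """\
2024-05-01T08:00:01 lan 192.168.1.23 -> 192.168.1.1 udp/53
2024-05-01T08:00:02 lan 192.168.1.42 -> 8.8.8.8 udp/53
2024-05-01T08:00:03 lan 192.168.1.42 -> 8.8.4.4 udp/53
2024-05-01T08:00:04 lan 192.168.1.77 -> 1.1.1.1 tcp/53
2024-05-01T08:00:05 lan 192.168.1.23 -> 203.0.113.5 tcp/443
2024-05-01T08:00:06 lan 192.168.1.23 -> 192.168.1.1 tcp/53
""".splitlines()


def parse(line):
    """Return the log fields as a dict, or None for lines that do not match."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def dns_bypassers(lines, resolver_ip=PFSENSE_LAN_IP):
    """Map each client IP to the set of non-pfSense DNS endpoints it contacted.

    Only port 53 is considered. A non-empty set means the client has a static
    DNS server configured or runs software with DNS hard-coded; this is the
    traffic that a 'force all DNS through pfSense' rule would catch."""
    found = defaultdict(set)
    for line in lines:
        rec = parse(line)
        if rec and int(rec["dport"]) == 53 and rec["dst"] != resolver_ip:
            found[rec["src"]].add(f"{rec['dst']} ({rec['proto']})")
    return dict(found)


if __name__ == "__main__":
    for client, targets in sorted(dns_bypassers(SAMPLE_LOG).items()):
        print(f"{client} bypasses pfSense for DNS -> {', '.join(sorted(targets))}")
```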



  • @Gertjan:

    PCs and other devices could have 'static' DNS addresses set up, so they will contact, for example, "8.8.8.8", completely bypassing the local DNS authority (your pfSense).

    That makes sense and explains those queries, thx!

    @Gertjan:

    Also: some devices and some software have DNS hard-coded - you can't do anything about that, except blocking all outgoing DNS requests, forcing the device to use pfSense, or have it shut up.

    I do force all DNS requests to use pfSense only!

