DNS Resolver vs DNS Forwarder vs Rule to OpenDNS or Quad9?



  • I am experimenting with different ways to secure DNS queries and while I suspect this is a hugely debated topic, what is the best way to secure your DNS queries?

    DNS resolver where pfsense does the resolving.

    DNS Forwarder using OpenDNS, Quad9 or other.

    Creating a rule to allow access to Quad9 or OpenDNS (using an alias as destination) only and turning off Resolver and Forwarder.

    Assumption:
    Using a reputable VPN... let's assume this is trusted. Pushing all DNS queries through the VPN.

    My thoughts are:

    DNS resolver where pfsense does the resolving.
    Pro-            DNSSEC support, control
    Con-            More complex, potential leaky DNS, more complexity = less security?

    DNS Forwarder using OpenDNS, Quad9 or other.
    Pro-            ??
    Con-            ??

    Creating a rule to allow access to Quad 9 or OpenDNS only and turning off Resolver and Forwarder.

    Pro-            Simplicity
    Con-            Less features, rely on 3rd party to resolve, additional service to trust

    What are the pros and cons of these approaches with regards to security?


  • Rebel Alliance Global Moderator

    You forgot the CON on your last option: you will not be able to resolve anything local.

    You're going to have to be specific on what your "secure your DNS queries" is in regard to...

    Not all of us have our tinfoil hats on so tight that we are worried about our ISP sniffing our traffic to find out our DNS queries. Nor are we worried about the authoritative NS for a domain, or the roots, knowing what IP we are asking for some FQDN from, etc.

    So when you want to discuss "securing" your DNS, you're going to need to spell it out so we know what you're wanting to "secure" it from.

    Out of the box pfSense resolves and uses DNSSEC. This should be the optimal configuration for typical use, where the person has not cut off the blood flow to their brain with how tight their tinfoil hat is ;)

    Using something like OpenDNS or Quad9 has a feature that resolving on your own does not: filtering out bad domains per some listing. Now, you could do this yourself in unbound or with pfBlocker and still resolve. So, versus handing over everything to some 3rd-party company that says "hey, we have these lists of bad sites and won't resolve them for you", you could do that yourself on pfSense and never send the query out in the first place.

    If you do not want the roots to know you're looking for, say, www.domain.tld, you can turn on a setting to only send the roots .tld and the second-level roots domain.tld and not send... But from my experience there are many domains that this is broken for.
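
The reply above describes three things unbound can do on the box itself: validate DNSSEC, block listed domains locally so the query never leaves, and send only the labels each upstream needs (the setting that "breaks many domains" when made strict). The fragment below is an added example written for this thread, not configuration from the original posts or from the pfSense project. It uses raw unbound directives; the trust-anchor path, the example block-list names, the 192.0.2.0/24 addresses, and the home.arpa local zone are all assumptions you would replace with your own.

```conf
server:
    # DNSSEC validation. The root key file path is an assumption;
    # pfSense maintains its own copy, so check where yours lives.
    auto-trust-anchor-file: "/var/unbound/root.key"
    harden-dnssec-stripped: yes
    harden-glue: yes
    val-clean-additional: yes

    # QNAME minimisation: the roots see only "tld.", the TLD servers only
    # "domain.tld.", and the full name goes only to the zone that owns it.
    qname-minimisation: yes
    # Strict mode refuses to fall back to the full name when a zone
    # mishandles minimised queries. Leave it off; that fallback is what
    # keeps the "many domains this is broken for" working.
    qname-minimisation-strict: no

    # Local block list, the do-it-yourself version of an upstream filter:
    # a match is answered here and the query is never sent out.
    # These names are placeholders, not a real list.
    local-zone: "ads.example.com." always_nxdomain
    local-zone: "tracker.example.net." always_nxdomain

    # Local names answered locally. This is what the "firewall rule to
    # Quad9/OpenDNS only" option loses: no resolver, no local records.
    local-zone: "home.arpa." static
    local-data: "nas.home.arpa. IN A 192.0.2.10"
    local-data-ptr: "192.0.2.10 nas.home.arpa"

# Forwarder alternative from the thread, shown for contrast and left
# disabled. With this stanza active, unbound stops resolving from the
# roots and hands every non-local query to Quad9 (9.9.9.9 is their
# public anycast address); everything above still applies to the
# answers that come back.
#forward-zone:
#    name: "."
#    forward-addr: 9.9.9.9
#    forward-addr: 149.112.112.112
```

On pfSense the DNSSEC toggle and the resolver/forwarder choice are exposed in Services > DNS Resolver, and the remaining lines would go in the Custom options box under a leading `server:` line; treat that placement as something to verify against your version rather than as a given. Note that `always_nxdomain` returns NXDOMAIN, so anything that keys off the 0.0.0.0 answer that pfBlocker's sinkhole produces would need `always_null` instead.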