DNS Resolver vs. DNS Forwarder



  • Can someone please explain the difference between the DNS Resolver and DNS Forwarder in pfSense?

    I'm looking to speed up DNS lookups on my network, and I'm confused about which one I should be using.



  • Forwarder just forwards the requests upstream. Upstream is either a forwarder or resolver itself. At some point a resolver is involved because a forwarder cannot "resolve" the name into an IP. A forwarder can cache.



  • So if I'm looking to improve DNS lookups within my network I should use a DNS Forwarder?



  • Both can cache and both can make it faster. I am not familiar enough with the practicalities of the minor differences for most everyday users to be able to say one is better than the other. I personally just use it as a resolver. For the utmost in lowest latency, a forwarder might win if you have a reliable low-latency upstream target, like what 1.1.1.1 or 8.8.8.8 might provide depending on your ISP.

    I have "Prefetch Support" enabled under advanced; this should keep the cache hot. Using Wireshark to sniff requests and responses, I have about a 300us-600us response time, or ~0.5ms. As long as you're hitting the cache, the performance will be pretty much identical.



  • I was running a DNS forwarder, I just switched it to a resolver and tweaked some settings. Seems to have made an improvement.

    I switched to using Cloudflare already.


  • Rebel Alliance Global Moderator

    "I switched to using Cloudflare already."

    Then you're NOT resolving…. You're just using unbound as your forwarder vs. dnsmasq as the forwarder..



  • @acascianelli:


    I switched to using Cloudflare already.

    So, instead of resolving directly, you tunnel (forward) all requests to another resolver: Cloudflare.
    Somewhere, somehow, someone has to resolve your requests, because no DNS server in the world will have an up-to-date 'list' with all domain names versus IPs; that's just impossible.
    True, Cloudflare probably has a very big cache, so some or more requests could be sent back to you right away, but your requests from LAN with all your devices will end up in your local (!) cache anyway.

    Rule of thumb: use the shortest path = Resolver. You'll be getting the correct - less chance to be spoofed, and DNSSEC secured when available - answers as a bonus.
    Nice free side effect: Cloudflare doesn't know what you are doing ^^



  • @johnpoz:

    "I switched to using Cloudflare already."

    Then you're NOT resolving…. You're just using unbound as your forwarder vs. dnsmasq as the forwarder..

    Yea. That’s correct, my mistake.



  • @Harvy66:

    I have "Prefetch Support" enabled under advanced, this should keep the cache hot.

    Can you please share more specifics…where under advanced...system tunable, if so which one?


  • Rebel Alliance Global Moderator

    If it was a snake it would bite you ;)  It's right at the top of the advanced section.




  • @johnpoz:

    If it was a snake it would bite you ;)  It's right at the top of the advanced section.

    Thank you Johnpoz…I was looking under system > advanced.


  • Rebel Alliance Global Moderator

    keep in mind it does not prefetch everything ever queried.  It just renews a record that is queried if the TTL has 10% of its life or less left.

    You prob want to turn on the serve ttl 0 option as well if you're having delays with resolving.
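As an added illustration (not from the thread and not unbound's own code), here is a small Python model of the two cache behaviours described above: a queried record is refreshed in the background once 10% or less of its TTL remains, and with serve-expired enabled a record that has already expired is answered with TTL 0 while the refresh happens. The name, TTL and address are constructed sample values.

```python
"""Model of prefetch and serve-expired behaviour in a caching DNS resolver."""
from dataclasses import dataclass

# Prefetch threshold: refresh when the remaining TTL is <= 10% of the original.
PREFETCH_FRACTION = 0.10


@dataclass
class CacheEntry:
    rdata: str          # the cached answer, e.g. an IPv4 address
    original_ttl: int   # TTL the upstream answer carried
    expires_at: float   # absolute time at which the record expires


class DnsCache:
    def __init__(self, prefetch=True, serve_expired=False):
        self.prefetch = prefetch
        self.serve_expired = serve_expired
        self.entries = {}
        self.pending_refresh = set()   # names queued for a background refresh

    def store(self, name, rdata, ttl, now):
        """Insert an upstream answer; any queued refresh for it is satisfied."""
        self.entries[name] = CacheEntry(rdata, ttl, now + ttl)
        self.pending_refresh.discard(name)

    def lookup(self, name, now):
        """Return (rdata, ttl_for_client, action).

        action is 'hit', 'hit+prefetch', 'stale' (served expired, TTL 0)
        or 'miss' (client must wait for an upstream lookup)."""
        entry = self.entries.get(name)
        if entry is None:
            return None, 0, "miss"
        remaining = entry.expires_at - now
        if remaining <= 0:
            if self.serve_expired:
                # Answer immediately with the stale data and refresh in background.
                self.pending_refresh.add(name)
                return entry.rdata, 0, "stale"
            del self.entries[name]
            return None, 0, "miss"
        if self.prefetch and remaining <= PREFETCH_FRACTION * entry.original_ttl:
            # Still valid, but close to expiry: answer now and renew it.
            self.pending_refresh.add(name)
            return entry.rdata, int(remaining), "hit+prefetch"
        return entry.rdata, int(remaining), "hit"


def run_trace(serve_expired):
    """Query one constructed record at several points in its 300 s lifetime."""
    cache = DnsCache(prefetch=True, serve_expired=serve_expired)
    cache.store("host.example.test.", "192.0.2.10", ttl=300, now=0)
    return [cache.lookup("host.example.test.", now=t)[2] for t in (100, 275, 400)]
```

A record is only ever renewed because a client asked for it near expiry; nothing in the cache is refreshed speculatively.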