I don't understand!



  • Hi

    Cliché, but long-term listener, first-time caller...

    I have a conundrum that I can work out the theory on.

    I have the DNS Resolver set up: DNSSEC enabled, forwarding disabled. My DNS servers in General Setup and DHCP are all blank. "Disable DNS forwarder" is left unchecked.

    I am connected to a paid VPN. There is an alias group of VPN clients, as I want some clients using the VPN and some not. One alias group with fewer clients is a kill-switch group, which should not be able to access the WAN if the VPN goes down.

    My rules are:

    https://i.redd.it/w8huijosp9y01.png

    In theory my DNS should be resolved via the root servers. But it has been unpredictable, with well-known sites not resolving. If I reboot, it works. If I run flushdns from a Windows PC that is a LAN client, all the DNS/internet breaks across the network. This makes no sense.

    Also, using the DNSleak.com and IPleak.com DNS tests, it returns the IP (for my DNS server) as the IP of the VPN server I connect to. The absolutely puzzling thing is, this is also the case for those clients not connecting via the VPN (I confirm this by checking my public IP on each). How is this the case? I'm led to believe that when using root servers it will list my server IP, but shouldn't that be my public IP? Why are both VPN and non-VPN network clients displaying the same? I wonder whether this is due to my DNS Resolver interface settings, which are both set to "all".

    If I enable DNS forwarding and put Google DNS in, everything works fine and Google servers are returned via the DNS check.

    More to the point, after researching, I am aware of the trade-off of speed versus security when getting DNS from the root servers. Is this worth it? I.e. is the risk significant?

    Thanks!



  • Hi,

    Add this info to the equation:
    8.8.8.8 is a huge DNS cache with some additional functionalities **.
    If "8.8.8.8" doesn't know the answer, it will behave exactly like the pfSense Resolver: it will ask the 13 root servers, and drill downwards.

    The Resolver can only work. If it doesn't, two things might happen:

    • The Resolver can't connect to at least one root DNS server => bad connection? Your ISP (or VPN) is playing tricks on you?
    • You mentioned "well known sites" so I can rule out faulty DNS name servers I guess.
      (third option : your "well known sites" do not like your VPN IP, sites like Netflix blacklisted most of them already.)

    If asking the root servers (directly) doesn't work well, consider the Internet as broken... and that has not happened up until today.

    ** like Google knowing what you are doing, where, with whom and when.
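To make the "ask the root servers and drill downwards" behaviour concrete, here is an added toy simulation (not code from the thread, pfSense or Unbound) of an iterative resolver walking root -> TLD -> authoritative, and of what the far end sees when every LAN client, VPN group or not, sends its lookups through the one local resolver. All server addresses, zones and client addresses are constructed placeholders from documentation ranges; the resolver's egress address stands in for the VPN tunnel address that results when the firewall's default route goes through the VPN.

```python
# Toy iterative resolver: constructed zone tree, no network access needed.
ROOT = "203.0.113.1"   # placeholder for one of the 13 root servers
TLD = "203.0.113.2"    # placeholder for a .com TLD server
AUTH = "203.0.113.3"   # placeholder for example.com's authoritative server

# Each toy server knows its zone, the delegations beneath it and the records
# it is authoritative for (a real referral carries NS records plus glue).
SERVERS = {
    ROOT: {"delegations": {"com.": TLD}, "records": {}},
    TLD: {"delegations": {"example.com.": AUTH}, "records": {}},
    AUTH: {"delegations": {}, "records": {"www.example.com.": "192.0.2.80"}},
}


def query(server_ip, qname, source_ip, seen_by):
    """Ask one server for qname; record the source address the server saw,
    which is the address a DNS-leak test site reports back to the client."""
    srv = SERVERS[server_ip]
    seen_by.setdefault(server_ip, set()).add(source_ip)
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    # Referral: follow the longest delegated zone that contains qname.
    for zone, next_ip in sorted(srv["delegations"].items(),
                                key=lambda kv: len(kv[0]), reverse=True):
        if qname == zone or qname.endswith("." + zone):
            return "referral", next_ip
    return "nxdomain", None


def resolve(qname, egress_ip, seen_by):
    """Start at the root and follow referrals, as an unforwarding resolver does.
    egress_ip is where the resolver's own outbound queries leave from."""
    server, path = ROOT, []
    while True:
        path.append(server)
        kind, value = query(server, qname, egress_ip, seen_by)
        if kind != "referral":
            return value, path
        server = value


def leak_test(lan_clients, resolver_egress):
    """Every client uses the same local resolver, so the authoritative server
    only ever sees resolver_egress, whatever the client's own route is."""
    seen_by = {}
    answers = {c: resolve("www.example.com.", resolver_egress, seen_by)[0]
               for c in lan_clients}
    return answers, seen_by[AUTH]
```

If the resolver's outbound interface is "all" and the default route is the VPN, `resolver_egress` is the tunnel address for every client, which is exactly the symptom described above.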