    DNS Redirect Failure

    • johnpoz (LAYER 8 Global Moderator):

      @gwaitsi said in DNS Redirect Failure:

      Enable DNSSEC Support = checked

      No, we are not crossing anything... You do not seem to grasp basic concepts here on what DNSSEC is... If you are going to "forward" then DNSSEC means NOTHING!!! Only the resolver does DNSSEC... If you forward to a resolver that does DNSSEC then you're good already and they are doing DNSSEC for you.

      As to

      DNS should be blocked from the WAN

      Dude, out of the box EVERYTHING is BLOCKED into the WAN...

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

      • 4o4rh:

        After all this discussion... I am back to forwarding mode, for the reason below.
        https://forum.netgate.com/topic/137628/solved-weird-dns-problem/5

        • jamestford:

          Wanted to get some feedback on DNS privacy from the group. I've gone back and forth on this issue several times and it seems that there is no perfect solution. Either you run your own recursive resolver with QNAME minimisation or you forward to an external resolver via TLS over DNS. I've never been a fan of passing the security buck on to someone else, which is exactly what you're doing when you forward via TLS to Cloudflare or others: you are trusting that they are not using your data for nefarious purposes, and maybe they aren't... today. But that leaves running your own resolver, which still poses privacy issues for the ISP or others inline who can sniff the traffic. Some of this is mitigated with QNAME minimisation, but the last query from the resolver to the authoritative server will have the full query.

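The trade-off jamestford describes (and the forward-versus-resolve distinction johnpoz draws earlier in the thread) can be made concrete by writing out who sees which query name in each mode. The following Python is an added example, not code from any post in this thread or from pfSense/Unbound. It models a local recursive resolver with and without QNAME minimisation (RFC 9156) against forwarding on plain port 53 and over DNS over TLS. The delegation tree (`ZONE_CUTS`) and the lookup target `a.b.example.com.` are constructed for the example; nothing here sends DNS traffic, and DNSSEC validation is deliberately out of scope.

```python
"""Added example, not from the thread: which party sees which query name
during one lookup when running a local recursive resolver (with and without
QNAME minimisation, RFC 9156) versus forwarding on plain port 53 or over
DNS over TLS. The delegation tree is constructed for the example and nothing
here sends DNS traffic; DNSSEC validation is not modelled."""

# Constructed delegation tree: zones with their own authoritative servers.
# Any other name is served by its closest enclosing zone in this set.
ZONE_CUTS = {".", "com.", "example.com.", "corp.example.com."}


def ancestors(name):
    """Names from the root down to the full name, e.g. 'a.b.example.com.' ->
    ['.', 'com.', 'example.com.', 'b.example.com.', 'a.b.example.com.']."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return ["."] + [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]


def resolve(name, qname_minimisation):
    """Simulate iteration from the root. Returns (zone whose servers were
    asked, qname sent, response) tuples in the order the queries go out."""
    chain = ancestors(name)
    trace = []
    if not qname_minimisation:
        # Classic iteration: the full name is sent to every server on the path.
        cuts = [c for c in chain if c in ZONE_CUTS]
        for i, zone in enumerate(cuts):
            reply = "referral to " + cuts[i + 1] if i + 1 < len(cuts) else "answer"
            trace.append((zone, name, reply))
        return trace
    # RFC 9156: add one label at a time, always asking the servers for the
    # closest zone found so far, and move down only when a referral comes back.
    zone = "."
    for candidate in chain[1:]:
        if candidate in ZONE_CUTS:
            trace.append((zone, candidate, "referral to " + candidate))
            zone = candidate
        elif candidate == name:
            trace.append((zone, candidate, "answer"))
        else:
            # Name is inside the current zone but is not a cut: keep adding labels.
            trace.append((zone, candidate, "NOERROR/NODATA, no cut"))
    if name in ZONE_CUTS:
        # The target itself is a zone apex: one more query after the last referral.
        trace.append((zone, name, "answer"))
    return trace


def observers(name, mode):
    """Map each party that can read the wire to the query names it sees.
    mode: 'recursive', 'recursive+qmin', 'forward53' or 'forwardtls'."""
    if mode not in ("recursive", "recursive+qmin", "forward53", "forwardtls"):
        raise ValueError("unknown mode: " + mode)
    seen = {}
    if mode in ("forward53", "forwardtls"):
        # One query carrying the full name goes to the forwarder, which
        # iterates on our behalf. DoT hides the name from on-path observers;
        # plain port 53 does not.
        seen["forwarder"] = {name}
        seen["on-path (ISP)"] = {name} if mode == "forward53" else set()
        return seen
    trace = resolve(name, mode == "recursive+qmin")
    for zone, qname, _ in trace:
        seen.setdefault("servers for " + zone, set()).add(qname)
    # Iterative queries to authoritative servers are plaintext, so an on-path
    # observer sees every one of them, including the final full-name query.
    seen["on-path (ISP)"] = {qname for _, qname, _ in trace}
    return seen


if __name__ == "__main__":
    target = "a.b.example.com."
    for mode in ("recursive", "recursive+qmin", "forward53", "forwardtls"):
        print(mode)
        for party, names in observers(target, mode).items():
            print("  %-26s %s" % (party, sorted(names) or "-"))
```

Running it shows the two halves of the post: with QNAME minimisation the root and TLD servers see only `com.` and `example.com.`, but the servers for `example.com.` and any on-path observer still see the full `a.b.example.com.` in the last query, because iterative queries are plaintext; with DoT forwarding the on-path observer sees nothing, and the forwarder sees everything.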
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.