Netgate Discussion Forum

DNS Resolver weird resolution

Category: DHCP and DNS
  • Vents22
    last edited by Vents22, May 19, 2020, 12:30 AM

    Hello,

    I'm slightly puzzled about the way in which the DNS Resolver is querying at the minute. I've set up my DNS Resolver NOT in forwarding mode, and to use 2 VPN Gateways as the Outgoing Interface. This works fine, as if I run a "dig google.com +trace" from the terminal on the pfSense box it shows the request going to a root server, and then this connection appears on my VPN server from the pfSense box VPN IP -> root-server IP.
    However, when checking the traffic on the VPN server I'm also getting lots of DNS requests from the pfSense box to random DNS servers, as per the image below. Does anyone know why this is happening, and why it's not just querying the root servers or the other DNS servers I have in the "General Setup" page?

    [image: DNSReqeusts.JPG]

    And in the DNS Resolver log on pfSense:
    May 19 00:22:54 unbound 67567:1 info: resolving (init part 2): ns4.p31.dynect.net. A IN
    May 19 00:22:54 unbound 67567:1 info: resolving (init part 3): ns4.p31.dynect.net. A IN
    May 19 00:22:54 unbound 67567:1 info: processQueryTargets: ns4.p31.dynect.net. A IN
    May 19 00:22:54 unbound 67567:1 debug: removing 1 labels
    May 19 00:22:54 unbound 67567:1 info: processQueryTargets: ns4.p31.dynect.net. A IN
    May 19 00:22:54 unbound 67567:1 info: sending query: ns4.p31.dynect.net. A IN
    May 19 00:22:54 unbound 67567:1 debug: sending to target: <dynect.net.> 162.88.61.21#53
    May 19 00:22:54 unbound 67567:1 debug: iterator[module 1] operate: extstate:module_state_initial event:module_event_pass
    May 19 00:22:54 unbound 67567:1 info: iterator operate: query pdns6.ultradns.co.uk. A IN
    May 19 00:22:54 unbound 67567:1 info: resolving pdns6.ultradns.co.uk. A IN
    May 19 00:22:54 unbound 67567:1 info: resolving (init part 2): pdns6.ultradns.co.uk. A IN
    May 19 00:22:54 unbound 67567:1 info: resolving (init part 3): pdns6.ultradns.co.uk. A IN
    May 19 00:22:54 unbound 67567:1 info: processQueryTargets: pdns6.ultradns.co.uk. A IN

    I had my DNS Resolver running in forwarding mode for a while, but was unsure if that means that pfSense is still caching and serving requests locally? If so, then I may as well switch back to that, but then the "DNS Resolver Infrastructure Cache Speed" page doesn't show a list of cached domains anymore.

    Thanks
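The unbound log lines in the post can be summarised to show which upstream servers the resolver actually contacted, and for which zone, which is the check to make here: in resolver (non-forwarding) mode every target should be an authoritative server reached through a referral, whereas in forwarding mode every target should be one of the configured forwarders. This is an added example, not code from the post or from pfSense/unbound; the sample log is constructed from the lines in the post plus made-up RFC 5737 addresses, and `targets_by_zone` / `targets_outside` are hypothetical helper names.

```python
import re
from collections import defaultdict

# Constructed sample log: the line format mirrors the unbound excerpt in the
# post; 162.88.61.21 is from the post, the other zones and addresses are
# made up (RFC 5737 documentation ranges) purely for illustration.
SAMPLE_LOG = """\
May 19 00:22:54 unbound 67567:1 info: resolving (init part 2): ns4.p31.dynect.net. A IN
May 19 00:22:54 unbound 67567:1 info: sending query: ns4.p31.dynect.net. A IN
May 19 00:22:54 unbound 67567:1 debug: sending to target: <dynect.net.> 162.88.61.21#53
May 19 00:22:54 unbound 67567:1 info: iterator operate: query pdns6.ultradns.co.uk. A IN
May 19 00:22:55 unbound 67567:1 info: sending query: pdns6.ultradns.co.uk. A IN
May 19 00:22:55 unbound 67567:1 debug: sending to target: <.> 192.0.2.1#53
May 19 00:22:55 unbound 67567:1 debug: sending to target: <co.uk.> 192.0.2.2#53
"""

# "sending to target: <zone> address#port" is the line unbound writes each time
# it actually sends a packet upstream; the <zone> is the delegation it is
# asking that server about.
TARGET_RE = re.compile(
    r"sending to target: <(?P<zone>[^>]*)> (?P<addr>[0-9A-Fa-f.:]+)#(?P<port>\d+)"
)


def targets_by_zone(log_text):
    """Map each zone unbound iterated into -> sorted list of server endpoints."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        m = TARGET_RE.search(line)
        if m:
            found[m.group("zone")].add(f"{m.group('addr')}#{m.group('port')}")
    return {zone: sorted(addrs) for zone, addrs in found.items()}


def targets_outside(log_text, allowed):
    """Endpoints that are not in `allowed` (e.g. the configured forwarders).

    In forwarding mode this should be empty. In iterative (resolver) mode it
    lists the authoritative servers unbound walked to, which is expected and
    is exactly the "random DNS servers" traffic seen on the VPN side.
    """
    allowed = set(allowed)
    return sorted(
        ep
        for addrs in targets_by_zone(log_text).values()
        for ep in addrs
        if ep not in allowed
    )


if __name__ == "__main__":
    for zone, addrs in sorted(targets_by_zone(SAMPLE_LOG).items()):
        print(f"{zone:15s} {', '.join(addrs)}")
    print("not a configured forwarder:", targets_outside(SAMPLE_LOG, ["192.0.2.1#53"]))
```

Run it against a real log by reading `/var/log/resolver.log` (or whatever path your pfSense version uses) instead of `SAMPLE_LOG`; a non-empty `targets_outside` while you believe forwarding is enabled means unbound is iterating for at least some queries.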

    • Gertjan
      last edited by Gertjan, May 21, 2020, 10:29 AM

      Hi,

      Root servers are used to prime the TLD part, like "gimme a server that knows about dot com?!"
      With the answer coming back, the Resolver will question that server, and ask "where are the name servers of google.com?!"
      With that answer coming back, the Resolver will question one of these name servers of google.com, and ask: "gimme the A or AAAA records of google.com?!"
      After all, these name servers of google.com are the only ones that can be trusted to answer that question.
      Root servers do not cache every possible zone (domain info) of the planet earth. They couldn't do that.

      So, yes, it's normal that you see many DNS servers being used.
      VPN or not, "DNS" doesn't change.

      Example: ask if a root server (let's take 'a') knows the IPv4 of the domain forum.netgate.com:

      dig @a.root-servers.net forum.netgate.com A +short
      

      It can't ....
      It will tell you where to find the guys that know all about dot com zones.
      Etc.

      No "help me" PMs please. Use the forum, the community will thank you.
      Edit: and where are the logs??
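The walk described in the answer above (root -> TLD -> the zone's own name servers) can be shown with a toy iterative resolver over constructed zone data. This is an added example, not the original poster's code, not unbound, and not how pfSense implements anything; all zone data, server addresses (RFC 5737 ranges) and the function names `authoritative_answer`, `resolve` and `servers_contacted` are made up for illustration. It goes one step beyond the answer: the .com delegation for netgate.com names a name server in another zone without a glue address, so the resolver has to go back to the root to look up that name server's address first, which is what the "resolving ns4.p31.dynect.net. A IN" lines in the unbound log are.

```python
# Toy iterative resolver over constructed zone data (RFC 5737 addresses).
# Each server answers only for what it is authoritative for: a final A record,
# or a referral (zone, NS name, optional glue address) pointing further down.

ROOT_SERVER = "192.0.2.1"

# Constructed authoritative data, keyed by server address.
SERVERS = {
    "192.0.2.1": {  # root: knows only the TLD delegations
        "records": {},
        "delegations": {"com.": ("ns.com.example.", "192.0.2.2"),
                        "net.": ("ns.net.example.", "192.0.2.3")},
    },
    "192.0.2.2": {  # .com: delegates netgate.com to an NS under .net, no glue
        "records": {},
        "delegations": {"netgate.com.": ("ns4.p31.dynect.net.", None)},
    },
    "192.0.2.3": {  # .net
        "records": {},
        "delegations": {"dynect.net.": ("ns.dynect.net.", "192.0.2.4")},
    },
    "192.0.2.4": {  # dynect.net: holds the address of the netgate.com NS
        "records": {"ns4.p31.dynect.net.": "192.0.2.5"},
        "delegations": {},
    },
    "192.0.2.5": {  # netgate.com: the only server trusted for these answers
        "records": {"forum.netgate.com.": "192.0.2.6",
                    "www.netgate.com.": "192.0.2.7"},
        "delegations": {},
    },
}


def _in_zone(qname, zone):
    return zone == "." or qname == zone or qname.endswith("." + zone)


def authoritative_answer(server, qname):
    """One server's reply: ('answer', addr), ('referral', (zone, ns, glue)) or ('none', None)."""
    data = SERVERS[server]
    if qname in data["records"]:
        return "answer", data["records"][qname]
    # Longest matching delegation wins, as with real zone cuts.
    best = max((z for z in data["delegations"] if _in_zone(qname, z)),
               key=len, default=None)
    if best is None:
        return "none", None
    ns, glue = data["delegations"][best]
    return "referral", (best, ns, glue)


CACHE = {}  # qname -> address. Toy: a real resolver caches delegations too.


def resolve(qname, trace=None, depth=0):
    """Iterate from the root; trace collects (qname, zone, server) per query sent."""
    trace = [] if trace is None else trace
    if qname in CACHE:
        return CACHE[qname], trace
    if depth > 8:
        raise RuntimeError("referral chain too deep")
    server, zone = ROOT_SERVER, "."
    while True:
        trace.append((qname, zone, server))
        kind, data = authoritative_answer(server, qname)
        if kind == "answer":
            CACHE[qname] = data
            return data, trace
        if kind != "referral":
            raise LookupError(f"{qname}: no data at {server} (zone {zone})")
        zone, ns, glue = data
        if glue is None:
            # Out-of-bailiwick NS without glue: first resolve the name server's
            # own address, starting again from the root (a nested iteration).
            glue, _ = resolve(ns, trace, depth + 1)
        server = glue


def servers_contacted(trace):
    return sorted({server for _, _, server in trace})


if __name__ == "__main__":
    addr, trace = resolve("forum.netgate.com.")
    for qname, zone, server in trace:
        print(f"ask {server:10s} (auth for {zone:13s}) about {qname}")
    print(f"forum.netgate.com. -> {addr}; {len(servers_contacted(trace))} distinct servers used")
```

One name lookup here sends six queries to five different servers, none of which is a "random" server: each is reached by a referral from the previous one. The second lookup under the same domain reuses the cached name-server address and needs fewer queries, which is why an iterating resolver's upstream traffic is heaviest when its cache is cold.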

      Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.