Hierarchy for DNS Inquiries
-
What is the hierarchy for DNS inquiries? My DNS works fine, this is for future reference.
The DHCP page refers all DNS calls to my 2 pi-hole servers, which work well. There's the main one and a 2nd pi-hole server in hyper-v on a backup server which takes over if the main pi-hole server ever drops - which happens once a year or so.
If both fail, what happens next?
My Setup page has several ordinary DNS servers listed, which seem to be ignored in favor of pi-hole. Would they kick in next automatically?
Also, I have pfBlockerNG installed but set to inactive. If I activated it, would it assist if both pi-hole servers went down?
Thanks.
-
@coffeecup25 said in Hierarchy for DNS Inquiries:
My Setup page has several ordinary DNS servers listed, which seem to be ignored in favor of pi-hole. Would they kick in next automatically?
Your setup page dns list really has zero to do with what dns you hand to a client.. Those are dns servers that pfsense itself could use, or which could be used when unbound is set to forwarding.. Those have zero to do with some client on your network and what name servers it has listed. If the NSs it has listed fail to answer then dns would fail, it's that simple.
-
@johnpoz Are you saying that unbound would have to be set to forwarding to make the servers on the setup page work? It's been so long since I set up pi-hole that I can't remember much about it except the dns servers on the DHCP page.
I just looked and my DNS forwarder is not checked but the DNS resolver is checked. A quick look at some setup instructions for pi-hole gave conflicting instructions. One said uncheck both while one said ignore both. Some trial and error could answer some questions but the forum seems to be a good place to trade information.
-
@coffeecup25 out of the box unbound resolves.. A client on your network asks unbound - it then via roots finds the authoritative nameserver for the domain you're looking for. It cares nothing of the servers you have listed in pfsense dns. I have zero for example.
Once it has found the authoritative ns for the domain.tld you're looking for it then asks one of those ns for the fqdn you're looking for, host.domain.tld
What you have in general has zero to do with a client on your network asking pfsense (unbound) for something. Be that an actual client, or a pihole you have set up on your network forwarding to pfsense.
Those are only used by pfsense itself, ie looking for if there is an update (if unbound fails or is not running) - finding the server to look to see if there are packages, etc. Or if you have set up unbound to forward, it will then use the pfsense setup dns to forward to, etc.
Normally out of the box, pfsense just asks itself (unbound) to resolve what it is looking for.. There normally never needs to be anything set up in general dns. Unless you have a problem resolving and set up unbound to forward, or you have not unchecked allow dns server list from your isp via your wan getting dhcp and your isp handing out dns to use. You will notice mine are unchecked.
I too have pihole setup - my clients ask pihole, pihole then asks unbound (pfsense) - unbound then resolves to find what I asked pihole for, etc.
The only reason I use pihole vs just the blocking you can do in pfblocker is the eye candy is nicer in pihole ;) You can see really easily what domains are blocked, top blocked, easily get a specific query list for specific clients, etc. % of stuff returned from cache, etc. etc. I use pfblocker on pfsense for geoip based aliases that I use in some firewall rules.
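The chain described in the two replies above (client asks the pi-holes it was handed by DHCP; if none of those answer, resolution simply fails, regardless of what pfSense lists under General Setup) can be checked from a client's point of view by probing only the servers the DHCP page hands out, in order. This is an added example, not code from this thread, pfSense or pi-hole; it builds a raw DNS A query so it needs nothing beyond the Python standard library, and the 192.0.2.x addresses are placeholders for your two pi-holes and your pfSense box.

```python
import socket
import struct
TXID = 0x1234  # fixed transaction id so a reply can be matched to our query

def build_query(name, txid=TXID):
    # One question, A record, IN class, RD bit set (flags 0x0100).
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)

def parse_reply(data, txid=TXID):
    # Returns (rcode, answer_count), or None if this is not a response to our query.
    if len(data) < 12:
        return None
    rid, flags, _qd, an = struct.unpack("!HHHH", data[:8])
    if rid != txid or not flags & 0x8000:
        return None
    return flags & 0x000F, an

def probe(server, name="example.com", timeout=2.0):
    # Send one UDP query to server:53 and classify the outcome.
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name), (server, 53))
        data, _ = sock.recvfrom(512)
    except (socket.timeout, OSError):
        return "no answer"
    finally:
        sock.close()
    parsed = parse_reply(data)
    if parsed is None:
        return "bad reply"
    rcode, answers = parsed
    return "resolved" if rcode == 0 and answers > 0 else "rcode %d, %d answers" % (rcode, answers)

def check_chain(servers, name="example.com", probe_fn=probe):
    # Walk the list the client was handed, in order, stopping at the first server that resolves.
    results = []
    for srv in servers:
        status = probe_fn(srv, name)
        results.append((srv, status))
        if status == "resolved":
            break
    return results

if __name__ == "__main__":
    for srv, status in check_chain(["192.0.2.10", "192.0.2.11", "192.0.2.1"]):  # placeholder IPs
        print("%-12s %s" % (srv, status))
```

If every address in the list reports "no answer", nothing further is consulted: that is the situation the question asks about, and the General Setup servers play no part in it.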
-
@coffeecup25 said in Hierarchy for DNS Inquiries:
unbound would have to be set to forwarding to make the servers on the setup page work
On the DNS Resolver page there is a setting:
Enable Forwarding Mode
If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there). We use this to forward queries to Quad9 or other managed DNS services.