Netgate Discussion Forum

    DNS Resolver Status Explanation

    Category: DHCP and DNS
    6 Posts, 3 Posters, 837 Views
    • qwerty123 wrote:

      I'm running into issues with web browsing and feel like it's mostly a DNS issue. It will initially take a site a few seconds to load, and after that it's pretty instant.

      I have added a few DNS servers based on results from the DNS Benchmark tool. When looking at the "DNS Resolver Infrastructure Cache Speed" page, I see various columns: TTL, Ping, Var, etc. TTL and Ping I understand, but the others not so much.

      What is the end goal here? Try to get the numbers as low as possible? Is there a warning sign that tells me I should remove a DNS server?

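The columns asked about above come from unbound's infrastructure cache, which pfSense shows on that status page. The following is an added example, not code from the thread or from Netgate: a small parser over `unbound-control dump_infra` output that flags upstream servers worth a second look. It assumes Ping and Var are unbound's smoothed RTT and RTT variance in milliseconds, that the RTT column is Ping + 4*Var floored at 50 ms, that RTO is the current timeout which unbound doubles after each timed-out query, and that the field order matches the regex; the sample lines and the 400 ms "slow" threshold are constructed for illustration.

```python
import re

# Assumed layout of an "unbound-control dump_infra" line, the source of pfSense's
# "DNS Resolver Infrastructure Cache Speed" table. Ping = smoothed RTT in ms,
# Var = RTT variance, RTT = Ping + 4*Var (floored at 50 ms), RTO = current timeout,
# which unbound doubles each time a query to that server times out.
LINE_RE = re.compile(
    r"^(?P<ip>\S+) (?P<name>\S+) ttl (?P<ttl>-?\d+) ping (?P<ping>\d+) var (?P<var>\d+)"
    r" rtt (?P<rtt>\d+) rto (?P<rto>\d+) tA (?P<tA>\d+) tAAAA (?P<tAAAA>\d+) tother (?P<tother>\d+)"
)
RTT_MIN_TIMEOUT = 50  # ms, unbound's floor for the computed timeout (assumed)

def parse_infra(text):
    """Parse dump_infra output into dicts of ints; unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            e = {k: (int(v) if v.lstrip("-").isdigit() else v) for k, v in m.groupdict().items()}
            e["timeouts"] = e["tA"] + e["tAAAA"] + e["tother"]  # timed-out queries by type
            entries.append(e)
    return entries

def expected_rtt(e):
    """Timeout the estimator yields before any back-off: ping + 4*var, floored."""
    return max(e["ping"] + 4 * e["var"], RTT_MIN_TIMEOUT)

def assess(e, slow_ms=400):
    """Warning strings for one upstream; an empty list means it looks healthy."""
    w = []
    if e["rto"] > expected_rtt(e):  # rto above the estimate means unbound has backed off
        w.append(f"backed off: rto {e['rto']} ms > ping+4*var {expected_rtt(e)} ms, recent timeouts")
    if e["timeouts"]:
        w.append(f"{e['timeouts']} queries timed out")
    if e["var"] > e["ping"]:  # variance larger than the mean: erratic path or server
        w.append(f"jittery: var {e['var']} ms exceeds ping {e['ping']} ms")
    if e["ping"] > slow_ms:
        w.append(f"slow: ping {e['ping']} ms")
    return w

# Constructed sample (RFC 5737 addresses), not captured from a real firewall.
SAMPLE = """\
192.0.2.1 . ttl 842 ping 18 var 6 rtt 50 rto 50 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.2 . ttl 900 ping 210 var 300 rtt 1410 rto 5640 tA 2 tAAAA 1 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""

def report(text=SAMPLE):
    """Map each upstream IP to its warnings."""
    return {e["ip"]: assess(e) for e in parse_infra(text)}
```

On a pfSense box the input would be the output of `unbound-control dump_infra` run on the firewall; a server whose RTO keeps sitting well above Ping + 4*Var, or whose timeout counters keep climbing, is the one to drop from the list.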
      • bingo600 @qwerty123 wrote:

        @qwerty123
        What is your issue?

        Why are you messing with the DNS system?
        Untouched pfSense has a well tuned system that will query the A-Root servers directly and go down from there.

        My suggestion would be to keep away, unless you have a valid reason not to.

        /Bingo

        If you find my answer useful - Please give the post a 👍 - "thumbs up"

        pfSense+ 23.05.1 (ZFS)

        QOTOM-Q355G4 Quad Lan.
        CPU : Core i5 5250U, Ram : 8GB Kingston DDR3LV 1600
        LAN : 4 x Intel 211, Disk : 240G SAMSUNG MZ7L3240HCHQ SSD

        • qwerty123 @bingo600 wrote:

          @bingo600 said in DNS Resolver Status Explanation:

          @qwerty123
          What is your issue?

          Why are you messing with the DNS system?
          Untouched pfSense has a well tuned system that will query the A-Root servers directly and go down from there.

          My suggestion would be to keep away, unless you have a valid reason not to.

          /Bingo

          Thanks for the reply. I wanted to add some additional DNS servers besides the Comcast ones to speed queries up if needed. I set this up in System -> General. I am using pfBlockerNG and Unbound set to forwarding mode.

          I think I found part of the problem. It looks like Unbound would just stop and restart a couple of times. I think it may have been doing this because a NIC would get set down and then back up again.

          I ended up switching some cables due to me seeing some errors on the interfaces. I also uninstalled ntopng, as I no longer use it. For now, things are working well, but I'm going to let it sit for a bit and see what happens.

          I am curious if I should settle with the default Comcast DNS servers, or if I should also add Google and OpenDNS to speed things up. If so, what should I be looking at in the diagnostic page to see if I made a poor choice or not?

          • johnpoz (LAYER 8 Global Moderator) @qwerty123 wrote:

            @qwerty123 said in DNS Resolver Status Explanation:

            if I should also add Google and OpenDNS to speed things up.

            That is a horrible idea: Google doesn't filter, OpenDNS does. If you want to use upstream NS to resolve stuff for you, you should pick DNS services that do the same thing: filter or not filter, DNSSEC or not DNSSEC, etc. Picking different ones leads to not having any idea whether stuff is going to be filtered or not, or whether it will use DNSSEC or not, etc.

            Did you specifically change Unbound to forward? Because out of the box it's a resolver, and whatever you have in General DNS servers has zero to do with what happens when a client asks Unbound for xyz.domain.tld.

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 25.07

            • qwerty123 @johnpoz wrote:

              @johnpoz said in DNS Resolver Status Explanation:

              Did you specifically change Unbound to forward? Because out of the box it's a resolver, and whatever you have in General DNS servers has zero to do with what happens when a client asks Unbound for xyz.domain.tld.

              If it is not like that out of the box, then yes, I probably changed it. I can't remember why I changed it though. I do have a bunch of host overrides so that I don't have to remember IP addresses for my home machines. I also did some experimentation with DNS over TLS and IPv6, and run pfBlockerNG.

              I can't remember exactly why I enabled it... I'm guessing maybe it was one of those things above?

              • johnpoz (LAYER 8 Global Moderator) @qwerty123 wrote:

                @qwerty123 host overrides have nothing to do with it. If you had tried forwarding to TLS, that would have required forward mode.

                IPv6 and pfBlocker have nothing to do with forwarding.

                An intelligent man is sometimes forced to be drunk to spend time with his fools
                If you get confused: Listen to the Music Play
                Please don't Chat/PM me for help, unless mod related
                SG-4860 24.11 | Lab VMs 2.8, 25.07

                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.