Status → DNS Resolver shows only 1 upstream server (forwarding mode)
-
pfSense+ 22.05
I'm using Unbound in Forwarding mode. It's basically working fine.
I've got 4 DoH servers defined in System → General:
9.9.9.10 (dns.quad9.net)
149.112.112.10 (dns.quad9.net)
8.8.4.4 (dns.google)
208.67.220.220 (doh.opendns.com)
When first (re)started, my DNS Resolver status looks like this:
But, after a short time (minutes) the list shrinks down to just 1 resolver:
I get the same thing when dropping to the CLI and running
/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf dump_infra
...so I know it's not a GUI issue. Just wondering if anyone's encountered this odd behavior. If I refresh that page every couple of minutes, I also note that the listed resolver does seem to "rotate" but at any given time there's only 1.
-
Found a couple of seemingly relevant links:
https://serverfault.com/questions/1095452/how-does-unbound-handle-multiple-forwarders-forward-addr
and maybe
https://unbound-users.unbound.narkive.com/Ydl7o99f/query-over-forward-addr-forward-first
So it seems that this behavior may be expected. But I'd love to hear any feedback from anyone else that's using forwarding mode to get confirmation that nothing's wrong.
-
@luckman212 where did you come up with those 4 to use? They don't do the same thing - that is problematic out of the gate.
9.9.9.10 Provides: No security blocklist, no DNSSEC, No EDNS Client-Subnet
8.8.4.4 does DNSSEC for sure, but no filtering; not sure about EDNS.
But 208.67.220.220 is filtering, and does DNSSEC.
If you're going to forward to multiple servers, you should make sure they all do the same thing. They should either all do DNSSEC for you, or none of them should. If one is going to filter malware links, etc., then they should all do the same filtering, or none of them should do any sort of filtering.
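The consistency check described in the post above, as an added example (not code from the thread, from pfSense, or from any of the DNS providers named): a POSIX shell script that probes each forwarder and reports whether they agree on DNSSEC validation. It assumes `dig` is installed (`drill`, which FreeBSD-based pfSense normally ships, also works, since the script accepts both tools' header line) and that dnssec-failed.org is still the deliberately broken DNSSEC test zone, so a validating forwarder answers SERVFAIL for it while a non-validating one answers NOERROR. Which names a provider filters is provider-specific, so the filtering comparison is left to an optional FILTER_PROBE name the reader supplies.

```shell
#!/bin/sh
# Added example, not from the thread: check that every forwarder in a
# forward-addr set behaves the same way before relying on the set.
# Assumptions (not from the page): `dig` is installed (or DNS_TOOL=drill),
# and dnssec-failed.org is a deliberately broken DNSSEC zone, so a validating
# forwarder answers SERVFAIL for it and a non-validating one answers NOERROR.

DNS_TOOL=${DNS_TOOL:-dig}
DNSSEC_PROBE=dnssec-failed.org
# Optional: a name your provider documents as blocked, to compare filtering.
FILTER_PROBE=${FILTER_PROBE:-}

# rcode_from_output TEXT -> RCODE from a dig ("status:") or drill ("rcode:")
# header line; empty if no header is present
rcode_from_output() {
  printf '%s\n' "$1" |
    sed -n -e 's/.*status: \([A-Z]*\).*/\1/p' -e 's/.*rcode: \([A-Z]*\).*/\1/p' |
    head -n 1
}

# rcode_of SERVER NAME -> RCODE the server returned, or "noreply"
rcode_of() {
  out=$("$DNS_TOOL" "@$1" "$2" A 2>/dev/null) || { echo noreply; return 0; }
  rcode_from_output "$out"
}

# dnssec_verdict RCODE -> what that RCODE for the broken test zone means
dnssec_verdict() {
  case "$1" in
    SERVFAIL) echo validating ;;
    NOERROR)  echo non-validating ;;
    *)        echo "unknown($1)" ;;
  esac
}

# all_same VALUE... -> exit 0 if every argument equals the first, else 1
all_same() {
  first=$1
  for v in "$@"; do
    [ "$v" = "$first" ] || return 1
  done
  return 0
}

# report SERVER... -> one line per server, then a verdict on the whole set
report() {
  verdicts=
  for s in "$@"; do
    v=$(dnssec_verdict "$(rcode_of "$s" "$DNSSEC_PROBE")")
    f=
    if [ -n "$FILTER_PROBE" ]; then
      f=" filter-probe=$(rcode_of "$s" "$FILTER_PROBE")"
    fi
    printf '%-16s dnssec=%s%s\n' "$s" "$v" "$f"
    verdicts="$verdicts $v"
  done
  # shellcheck disable=SC2086  # word splitting of $verdicts is intended
  if all_same $verdicts; then
    echo "OK: all forwarders agree on DNSSEC validation"
  else
    echo "MISMATCH: fix the forwarder set before forwarding to it"
    return 1
  fi
}

# Usage: sh check-forwarders.sh 9.9.9.10 149.112.112.10 8.8.4.4 208.67.220.220
if [ $# -gt 0 ]; then
  report "$@"
fi
```

With the four servers from the first post, the DNSSEC column alone shows the disagreement: 9.9.9.10 is the unsecured Quad9 address, so it answers the broken zone with NOERROR, while a validating forwarder answers SERVFAIL. An unreachable server shows up as unknown(noreply) rather than being silently skipped, since a forwarder that times out is also a forwarder Unbound will mark bad and rotate away from.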
-
@johnpoz Thanks, I was vaguely aware that these servers had different features. I thought it was a good idea to use a few different providers in case of an outage. Quad9 is my primary & favorite. Tbh I wasn't too concerned about it since I wasn't interested in the filtering much.
I don't remember seeing anything in the Unbound docs about all forward-addr hosts needing to have identical capabilities. Do you think that's why I'm seeing the odd behavior? Are you using Unbound like this & seeing something different?
-
@luckman212 said in Status → DNS Resolver shows only 1 upstream server (forwarding mode):
about all forward-addr hosts needing to have identical capabilities
You're not going to see it in a doc, but it's common sense. Let's say you use a filtering DNS service and another one that doesn't do filtering. Which do you get? You can never be sure which one will be used. So a user says site X doesn't work, but then you go to check it and it does work, etc.
If you're going to forward and they do not all provide the same features, you can have issues where it is quite difficult to figure out why something is not working, or is working when it shouldn't be.
No, I do not forward; I have no use for forwarding. Why should I send all my DNS requests to someone when I can just get the info straight from the horse's mouth? Guess what, I couldn't care less if Google DNS goes down, or Quad9 or OpenDNS. If the roots are down, all DNS is down everywhere. If the authoritative NS for a domain are down, then they are down for everyone as well.
There is zero reason to forward when you can just resolve. There is no advantage to it, and you're handing all your DNS queries to some company. You think they provide that service out of the goodness of their hearts? No, they're getting something from it. No thanks.
Using DoT or DoH, who are you hiding that info from? Your ISP. But then you hand it all over on a silver platter to whoever you forward to. And guess what, your ISP still knows exactly where you're going, because they know what IP you go to and they can see the SNI. So unless you're using ESNI or ECH (the replacement for ESNI), and every site you go to also supports it, you're not hiding anything from your ISP either, etc.
The only time it makes sense to forward is, say, maybe when you're on a really bad connection, or maybe your ISP is intercepting your DNS. Then sure, OK, use DoT to make sure they don't mess with your DNS, etc. But those are specific cases. To be honest, if your ISP is messing with your DNS, it's probably best to move ISPs ;)
If you are worried about your ISP knowing where you're going, or messing with your DNS, route your traffic through a VPN, and just route your DNS queries through the VPN as well, etc.
-
@johnpoz Always enjoy your unapologetically opinionated replies
You know what, I'm sure at some point I enabled forwarding mode for some reason (testing something, working around some weird bug, or ...???) but for the life of me I can't remember what that reason was.
You convinced me to go back to pure resolver mode, and so far everything's working just fine.
-
I checked it out of curiosity on one of my test systems, where I am checking how it behaves with forwarding and SSL/TLS. For that I have 3 DNS addresses set: 1.1.1.1, 8.8.8.8 and 9.9.9.9. In DNS Resolver status I now have only 1.1.1.1@853. It doesn't bother me because it is just a test system, so I'm just letting you know that I see the same. I'm using 22.05, but one or two versions before I always had all three listed on that status page.
-
@tomashk Thanks for checking it out. It's not what I would expect to see, but I also found that everything seems to work fine even though it's only listing 1 server at a time. So maybe it's a bug, or maybe it's by design. I wouldn't be surprised if it was the former, since I don't think it's common for people to run Unbound in forward-only mode.
In any case, this whole thing has prompted me to switch back to native resolver mode, which is probably a good thing.
-
@luckman212 The infra cache entry is only going to be there for so long. It defaults to 15 minutes, I believe.
So yeah, if you haven't asked a specific NS you're forwarding to anything in a while, it would most likely fall out of the cache.
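The explanation above matches Unbound's infra-host-ttl option, whose default is 900 seconds (15 minutes): an infra cache entry is kept for that long after the forwarder was last used, and the status page only lists what is currently cached. As an added example (not code from the thread or from pfSense), the POSIX shell script below compares the forwarders in unbound.conf against the hosts that still have a live infra entry, which is the check the original poster was doing by eye. The dump_infra sample and the forward-zone block are constructed; the field order follows what Unbound 1.x's `unbound-control dump_infra` prints, the numbers are made up, and the `@853#hostname` form of forward-addr lines is an assumption about how pfSense writes its TLS forwarders (compare with your own /var/unbound/unbound.conf).

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense: compare the
# forwarders in unbound.conf with the hosts still present in Unbound's infra
# cache, which is what the pfSense status page and `unbound-control dump_infra`
# show. Entries live for infra-host-ttl seconds (Unbound default 900 = 15 min)
# after the forwarder was last used, so idle forwarders drop out of the list.

# Constructed sample of `unbound-control dump_infra` output (field layout as
# Unbound 1.x prints it; the numbers are made up). Only Quad9's primary is
# still cached; the second line is a domain-override server, not a "." forwarder.
SAMPLE_INFRA='9.9.9.10 . ttl 412 ping 11 var 3 rtt 23 rto 23 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.0.2.53 example.net. ttl 120 ping 7 var 2 rtt 15 rto 15 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0'

# Constructed forward-zone block in the shape assumed for pfSense forwarding
# mode with TLS enabled (check /var/unbound/unbound.conf for the real layout).
SAMPLE_CONF='forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.10@853#dns.quad9.net
    forward-addr: 149.112.112.10@853#dns.quad9.net
    forward-addr: 8.8.4.4@853#dns.google
    forward-addr: 208.67.220.220@853#doh.opendns.com'

# configured_forwarders CONF -> one IP per line, port and auth name stripped
configured_forwarders() {
  printf '%s\n' "$1" |
    sed -n 's/^[[:space:]]*forward-addr:[[:space:]]*\([^@# ]*\).*/\1/p'
}

# cached_forwarders INFRA -> IPs that have a live infra entry for zone "."
cached_forwarders() {
  printf '%s\n' "$1" | awk '$2 == "." && $3 == "ttl" && $4 > 0 { print $1 }'
}

# missing_forwarders CONF INFRA -> configured IPs with no live infra entry
missing_forwarders() {
  cached=$(cached_forwarders "$2")
  configured_forwarders "$1" | while read -r ip; do
    if ! printf '%s\n' "$cached" | grep -Fqx "$ip"; then
      printf '%s\n' "$ip"
    fi
  done
}

# Standalone use: no argument runs against the samples above; "live" on a
# pfSense box reads the real config and cache instead (paths from the thread).
if [ "${1:-}" = live ]; then
  conf=$(cat /var/unbound/unbound.conf)
  infra=$(/usr/local/sbin/unbound-control -c /var/unbound/unbound.conf dump_infra)
else
  conf=$SAMPLE_CONF
  infra=$SAMPLE_INFRA
fi
echo "forwarders with a live infra-cache entry:"
cached_forwarders "$infra"
echo "configured forwarders not currently in the infra cache (idle or expired):"
missing_forwarders "$conf" "$infra"
```

On the sample data the script lists 9.9.9.10 as cached and the other three as missing, which is exactly the "only one server shown" picture from the first post: nothing is wrong with those forwarders, they simply have not been asked anything within the last infra-host-ttl window. A forwarder that is missing right after a burst of queries, rather than after minutes of idleness, is the case worth investigating.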