Netgate Discussion Forum
    System won't use the requested DNS server

    DHCP and DNS
    • BartHB
      BartH
      last edited by

      I hope I don't already know the answer to this question!

      If I do a traceroute to a url, the result shows the route from my system to my ISP's system and then on to eventually the url I requested.

      My computer has no DNS servers specified, which I understand means it will use the router's DNS servers.

      My router System->General Setup->DNS Servers has 8.8.8.8 and 8.8.4.4 entries. My understanding is this should override my ISP's DNS servers.

      However, as I am using failover to my secondary ISP, in the gateway entry, I have the address of my ISP entered. Is this what it's seeing / using?

      Bart

      • GertjanG
        Gertjan @BartH
        last edited by Gertjan

        @barth said in System won't use the requested DNS server:

        My computer has no DNS servers specified, which I understand means it will use the router's DNS servers.

        It most probably does.
        It's a Microsoft windows PC ?
        Open a cmd black box, and type

        ipconfig /all

        You will find :
        ...
        DNS Servers. . . . . . . . . . . . . : 192.168.1.1
        2001:470:dead:beef:2::1
        ...

        so it knows where to send DNS requests : your pfSense.

        @barth said in System won't use the requested DNS server:

        My router System->General Setup->DNS Servers has 8.8.8.8 and 8.8.4.4 entries. My understanding is this should override my IPS's dns servers.

        That's your choice.
        You don't need your ISP DNS servers.
        You don't need the 8.8.8.8 / 8.8.4.4 servers either.
        You didn't even have to check this box :

        [attached image: c3faf668-bb19-4cfa-876c-25c55e994bfc-image.png]

        By default, it isn't checked.

        Still, DNS was working just fine from the moment you installed pfSense 😊

        @barth said in System won't use the requested DNS server:

        However, as I am using failover to my secondary ISP, in the gateway entry, I have the address of my ISP entered. Is this what it's seeing / using?

        You've entered what where ?

        No "help me" PM's please. Use the forum, the community will thank you.
        Edit : and where are the logs ??

        • BartHB
          BartH @Gertjan
          last edited by BartH

          @gertjan

          I am not using Windows, I'm using Linux. Although that should not matter.

          From all the documentation I can find, the DNS system works like this:
          The ISP provides DNS servers with the DHCP address it allocates. These will be used unless the router has DNS servers configured. Router DNS will override ISP DNS.

          The router's DNS servers, if any, will be used unless the computer has DNS servers configured. Computer DNS will override router DNS.

          I obviously have DNS provided by my ISP. Traceroute command shows these as being used. However, I have DNS servers listed in pfSense:
          System->General->DNS Server Settings->DNS Servers->8.8.8.8.
          Shouldn't this setting override the ISP's settings?

          On my computer,
          Network Settings->Hostname/DNS->Name Server
          the fields are blank. Therefore, my computer is not demanding its DNS to be used and defers to the router. As it should.

          My problem is that pfSense does not seem to override my ISP's offered name servers. I would really rather not use them. Actually, I'd rather not use Google's servers either but that's another story.

          I guess I'm just spoiled. I want MY system to use the server I want, not what someone else decided I should use.

          • R
            rcoleman-netgate Netgate @BartH
            last edited by

            @barth said in System won't use the requested DNS server:

            I obviously have DNS provided by my ISP. Traceroute command shows these as being used. However, I have DNS servers listed in pfSense:
            System->General->DNS Server Settings->DNS Servers->8.8.8.8.
            Shouldn't this setting override the ISPs settings?

            What is this setting set to?
            System->General Setup
            [attached image: 48ecdf5f-95ca-41f9-b9a9-f00e20c51df6-image.png]

            Ryan
            Repeat, after me: MESH IS THE DEVIL! MESH IS THE DEVIL!
            Requesting firmware for your Netgate device? https://go.netgate.com
            Switching: Mikrotik, Netgear, Extreme
            Wireless: Aruba, Ubiquiti

            • J
              Jarhead @rcoleman-netgate
              last edited by

              Also, this one. Same place.
              [attached image: override.png]

              • BartHB
                BartH @rcoleman-netgate
                last edited by

                @rcoleman-netgate
                It is set to what your picture shows

                Oh!!! Perhaps it should be Use local DNS, ignore remote DNS servers?

                • BartHB
                  BartH @Jarhead
                  last edited by

                  @jarhead
                  It is unchecked.

                  • johnpozJ
                    johnpoz LAYER 8 Global Moderator @BartH
                    last edited by johnpoz

                    @barth said in System won't use the requested DNS server:

                    I obviously have DNS provided by my ISP. Traceroute command shows these as being used

                    Huh? How is that - traceroute doesn't show what dns is being used.. It shows the path the traffic takes to get from point A to B - dns has nothing to do with that..

                    On your linux box do a host or dig or nslookup - this will show you what dns is being used, most likely on linux it will show you 127.0.0.53, which is just pointing to local that got its dns from either dhcp or what you manually set.

                    Your dhcp from your isp while they might hand out dns sure - your client being behind a nat router (pfsense) doesn't get dhcp from your isp. It gets it from pfsense. Pfsense will hand out its own IP to its dhcp clients.

                    Pfsense out of the box resolves - doesn't use your isp dns, doesn't even use what you put in general dns setting for clients that ask it for something. Those settings in general are only for pfsense itself to use, if its local system unbound or dnsmasq fail.

                    Unless you setup forwarding in unbound.. Or use the forwarder (dnsmasq).

                    What exactly do you want your clients to do - do you want them to ask googledns directly, do you want them to ask pfsense, and then pfsense to ask googledns?

                    But there is almost no scenario when your isp dns would be used by a client behind pfsense - unless you specifically set them up as forwarder in pfsense, or specifically set them on your client to use.

                    And there is no way traceroute would in any way show you what dns is being used..

                    An intelligent man is sometimes forced to be drunk to spend time with his fools
                    If you get confused: Listen to the Music Play
                    Please don't Chat/PM me for help, unless mod related
                    SG-4860 24.11 | Lab VMs 2.7.2, 24.11

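An added example, not code from any poster in this thread: a small Python helper that answers the "which DNS server is my Linux box really using" question offline. It reads resolv.conf-style text and, when the systemd-resolved stub 127.0.0.53 is in use, unwraps it using `resolvectl status` output to show the real upstream, which for a DHCP client behind pfSense is the pfSense LAN address. Both file contents and the 192.168.1.1 address are constructed samples.

```python
import re

# Constructed sample of /etc/resolv.conf on a systemd-resolved host: the
# 127.0.0.53 stub the post mentions, not a capture from the poster's machine.
SAMPLE_RESOLV_CONF = """\
# This is /run/systemd/resolve/stub-resolv.conf managed by man:systemd-resolved(8).
nameserver 127.0.0.53
search home.arpa
"""

# Constructed sample of `resolvectl status` for the same host: the stub forwards
# to the DHCP-assigned router address, i.e. pfSense on the LAN.
SAMPLE_RESOLVECTL = """\
Global
resolv.conf mode: stub
Link 2 (eth0)
       DNS Servers: 192.168.1.1
        DNS Domain: home.arpa
"""

STUB_ADDRESSES = {"127.0.0.53", "127.0.0.54"}  # where systemd-resolved listens

def resolv_conf_nameservers(text: str) -> list[str]:
    """Nameserver addresses listed in resolv.conf text, in the order glibc tries them."""
    return [m.group(1) for m in re.finditer(r"^\s*nameserver\s+(\S+)", text, re.M)]

def resolvectl_upstreams(text: str) -> dict[str, list[str]]:
    """Map each section of `resolvectl status` (Global or a link) to its DNS Servers."""
    upstreams: dict[str, list[str]] = {}
    section = "Global"
    for line in text.splitlines():
        link = re.match(r"^Link \d+ \((\S+)\)", line)
        if link:
            section = link.group(1)
            continue
        servers = re.match(r"^\s*DNS Servers:\s*(.+)$", line)
        if servers:
            upstreams[section] = servers.group(1).split()
    return upstreams

def effective_resolvers(resolv_conf: str, resolvectl: str) -> list[str]:
    """Addresses DNS queries actually leave the host for, after unwrapping the stub."""
    servers = resolv_conf_nameservers(resolv_conf)
    if not any(s in STUB_ADDRESSES for s in servers):
        return servers  # no stub: glibc sends straight to these
    seen: list[str] = []  # stub in use: upstreams are whatever resolved learned per link
    for addrs in resolvectl_upstreams(resolvectl).values():
        seen += [a for a in addrs if a not in seen]
    return seen
```

On a live host the two inputs come from `cat /etc/resolv.conf` and `resolvectl status`; `dig example.com` then shows the same address on its `;; SERVER:` line.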
                    • BartHB
                      BartH
                      last edited by

                      You are, of course, absolutely correct!
                      And I'm embarrassed. I got it in my head and didn't really think it out.

                      I am actually wanting to use a name server that doesn't log everything. That pretty much leaves google out, and my ISP also. Looking at the settings in pfSense, and then doing a traceroute and not seeing the entries I made, I just locked on to what I saw and not what I used.

                      Thanks very much for the very polite correction. And the following explanation.

                      Bart

                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @BartH
                        last edited by johnpoz

                        @barth said in System won't use the requested DNS server:

                        I am actually wanting to use a name server that doesn't log everything

                        That would be resolving.. You're not sending all your info to someone specific, of course the roots.. But you can use qname minimization to limit that.. Say you want to look up www.domain.com.

                        Well the root don't really care about that, they just need to know what .tld your after. Then to the gtlds you send domain.com, so it can send you the authoritative ns for the domain.com so you can ask it for www.domain.com

                        https://www.isc.org/blogs/qname-minimization-and-privacy/

                        But even without qname - when you resolve you don't hand everywhere you want to go to some service or isp - unless your isp is sniffing your traffic. You only send where you want to go to the actual nameservers involved in getting there.

                        Out of the box pfsense resolves - this is the most robust method of looking up something. You don't hand your dns to anyone specific, and if the roots are down - the whole internet is down.. If the authoritative NSes for some domain are down, well then that domain is down, etc.

                        You don't need to put anything in pfsense dns.. Out of the box it resolves.. It will hand clients on your network its own IP, and it doesn't "log" those if you don't set it specific to do that with a custom option ;)

                        If you're worried about your isp sniffing your dns - then forward to your own resolver you run on some vps somewhere via a vpn tunnel between pfsense and your vps, etc. Or forward to it via dot, -- you don't need to use any of the dns services - you can just resolve. Now not saying some of these services don't provide some benefit for you handing them all your dns - they can block bad shit for you, etc. But you can also do that yourself on pfsense, pfblocker comes in handy there for maintaining lists of bad shit you don't want your clients to resolve.

                        Also keep in mind you only need to ask the roots when you're looking for a new tld, and you only ask the gtld servers for the ns for a new domain, etc. Once you have the authoritative ns cached for say domain.com - if you look up www or ftp, or service.domain.tld you're only asking the NSs for that domain directly.

                        So sure you ask roots for domain.com, but when you want to look up someotherdomain.com - you don't need to ask the roots, you only need to ask the gtld servers.. Again read up on qname.. Then the only thing you send roots is .com or .net or .org, etc. they have no idea what actual domain you're looking for.

                        [attached image: qname.jpg]

                        You can try strict - but pretty much promise you will run into issues with some domains trying to do that.. You know the domains that have like 5 cnames setup you have to follow, etc.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.7.2, 24.11

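An added illustration, not code from any poster: a toy Python resolver that walks a constructed delegation tree (root-server, gtld-server, ns.domain.com and ns.other.com are made-up placeholders) and records which server is sent which qname, once with qname minimization and once without. It also shows the caching point made above: once ns.domain.com is cached, a later ftp.domain.com lookup goes straight to that server, and a lookup of someotherdomain under .com starts at the gtld server, not the roots.

```python
# Constructed toy delegation tree (zone -> server authoritative for it).
# A real resolver learns this from NS records and glue; here it is hard-coded.
ZONES = {
    ".": "root-server",
    "com.": "gtld-server",
    "domain.com.": "ns.domain.com",
    "other.com.": "ns.other.com",
}

def labels_from_root(name: str) -> list[str]:
    """'www.domain.com.' -> ['.', 'com.', 'domain.com.', 'www.domain.com.']"""
    parts = name.rstrip(".").split(".")
    return ["."] + [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

class ToyResolver:
    """Records which server gets asked which qname, with or without minimization."""
    def __init__(self, minimize: bool) -> None:
        self.minimize = minimize
        self.cache = {".": ZONES["."]}  # every resolver starts with root hints

    def resolve(self, name: str) -> list[tuple[str, str]]:
        chain = labels_from_root(name)
        # Resume from the deepest zone whose nameserver is already cached.
        depth = max(i for i, zone in enumerate(chain) if zone in self.cache)
        server = self.cache[chain[depth]]
        if depth + 1 == len(chain):  # zone apex already cached: ask its server
            return [(server, name)]
        queries: list[tuple[str, str]] = []
        while True:
            child = chain[depth + 1]
            # Minimization asks only for the next label down (RFC 9156);
            # classic resolution sends the full name to every server on the path.
            qname = child if self.minimize else name
            queries.append((server, qname))
            if child in ZONES:  # referral: follow the delegation and cache it
                server = self.cache[child] = ZONES[child]
                if child == name:  # zone apex: one last query to its own server
                    queries.append((server, name))
                    return queries
            elif child == name or not self.minimize:
                return queries  # this server answered the full name
            depth += 1

def names_seen_by(queries: list[tuple[str, str]]) -> dict[str, set[str]]:
    """What each server learned about the lookup: the privacy-relevant view."""
    seen: dict[str, set[str]] = {}
    for server, qname in queries:
        seen.setdefault(server, set()).add(qname)
    return seen
```

Comparing `names_seen_by` for the two modes shows the root server learning only "com." under minimization versus the full hostname without it.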
                        • BartHB
                          BartH
                          last edited by

                          A HUGE thank you for taking the time to point out the relevant parts in the documentation and explain them.

                          Bart

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.