Netgate Discussion Forum

DNS Resolver in Forwarder Mode

DHCP and DNS
14 Posts 4 Posters 1.6k Views
    McMurphy
    last edited by Mar 24, 2024, 3:09 AM

    I have pfSense configured to use the DNS Resolver in Forwarding Mode

    I have specified a DNS server in System => General Setup

    DNS lookups are working

    Q1) How can I confirm it is using the specified DNS server "only"?
    Q2) What happens when the resolver is in Forwarding mode and the specified DNS server cannot be reached?

    Thanks in advance...

      johnpoz LAYER 8 Global Moderator @McMurphy
      last edited by Mar 24, 2024, 3:11 AM

      @McMurphy Do a sniff if you want to validate it's only talking to the server you're forwarding to. For question 2, if where you forward is down, then your DNS would be down.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

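A concrete way to do the sniff suggested above, added here as an example and not part of the thread: capture port 53 traffic on the WAN side (on pfSense, `tcpdump -n -i <wan-if> udp port 53`, or a download from Diagnostics > Packet Capture read back with `tcpdump -n -r capture.pcap udp port 53`) and run the text output through the script below, which lists every upstream that received a query and flags any that is not the configured forwarder. The capture lines are constructed to mimic tcpdump's format; the firewall WAN address 192.0.2.10 is an assumption, while 100.96.1.1 and 8.8.8.8 are the servers named in the thread.

```shell
#!/bin/sh
# Added example (not from the thread): read a tcpdump text capture of port 53
# traffic and report DNS queries that left for a server other than the one
# configured as the forwarder.

# Constructed sample in the format of `tcpdump -n udp port 53`. The firewall
# WAN address 192.0.2.10 is an assumption; 100.96.1.1 (private DNS over the
# VPN) and 8.8.8.8 (public fallback) are the servers named in the thread.
SAMPLE_CAPTURE='12:01:02.123456 IP 192.0.2.10.51234 > 100.96.1.1.53: 12345+ A? example.com. (29)
12:01:02.223456 IP 100.96.1.1.53 > 192.0.2.10.51234: 12345 1/0/0 A 93.184.216.34 (45)
12:01:05.000001 IP 192.0.2.10.40001 > 8.8.8.8.53: 23456+ A? vpn.example.net. (33)
12:01:05.100001 IP 192.0.2.10.40002 > 100.96.1.1.53: 34567+ AAAA? example.org. (29)'

# dns_query_targets: read capture lines on stdin and print each distinct
# destination that received a query (destination socket ending in .53),
# in first-seen order. Replies (source port 53) are skipped, as are IPv6
# lines, which tcpdump tags "IP6" and prints with a different address syntax.
dns_query_targets() {
    awk '$2 == "IP" && $4 == ">" && $5 ~ /\.53:$/ {
            dst = $5
            sub(/\.53:$/, "", dst)
            if (!(dst in seen)) { seen[dst] = 1; print dst }
        }'
}

# dns_leaks ALLOWED: print every query destination other than ALLOWED.
# Returns 0 when all queries went to ALLOWED, 1 when anything leaked.
dns_leaks() {
    allowed="$1"
    leaked=$(dns_query_targets | grep -v -x -F "$allowed" || true)
    if [ -n "$leaked" ]; then
        printf '%s\n' "$leaked"
        return 1
    fi
    return 0
}

# Stand-alone run over the sample: 8.8.8.8 is reported, because the query
# for the VPN host name went to the public fallback, not the private server.
if printf '%s\n' "$SAMPLE_CAPTURE" | dns_leaks 100.96.1.1; then
    echo "all queries went to 100.96.1.1"
else
    echo "queries above went to servers other than 100.96.1.1"
fi
```

Anything the script prints is a query that left for a server other than the forwarder. On the sample that is the lookup of the VPN host name going to 8.8.8.8 while the tunnel is down, which is the same fallback the later posts in this thread discuss; an empty result with exit status 0 is the confirmation asked for in Q1.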
        McMurphy @johnpoz
        last edited by Mar 24, 2024, 3:14 AM

        @johnpoz

        My DNS server is only available via an OpenVPN link; however, DNS is required to establish the link.

          SteveITS Galactic Empire @McMurphy
          last edited by Mar 24, 2024, 12:44 PM

          @McMurphy in System/General Setup would setting “DNS Resolution Behavior” to remote only do what you want? Then pfSense wouldn’t use itself but client devices could.

          Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
          When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
          Upvote 👍 helpful posts!

            McMurphy @SteveITS
            last edited by Mar 24, 2024, 9:41 PM

            @SteveITS

            Interestingly that is the default setting:

            "By default the firewall will use local DNS service (127.0.0.1, DNS Resolver or Forwarder) as the first DNS server when possible, and it will fall back to remote DNS servers otherwise. Use this option to choose alternate behaviors."

            However, resolution stopped when my OVPN connection went down, and it was unable to reconnect.

              Gertjan @McMurphy
              last edited by Mar 25, 2024, 12:27 PM

              @McMurphy said in DNS Resolver in Forwarder Mode:

              However resolution stopped when my OVPN connection went down and it was unable to reconnect.

              Chicken and egg problem.
              Instead of using a host name of your VPN, use their IP. And yes, as soon as they (the VPN) change the VPN server, you have to modify it.
              Not ideal, I guess.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

                McMurphy @Gertjan
                last edited by Mar 25, 2024, 9:38 PM

                @Gertjan

                I did think about this however there is no guarantee they will not change the IP associated with the hostname at some time.

                The solution I have implemented is:

                1. Place pfSense in Forwarder mode
                2. Configure the Forwarder to query the DNS servers sequentially
                3. List my OVPN DNS server 1st and 8.8.8.8 2nd

                I have tested and this setup allows the OVPN link to be re-established when it goes down and when up all DNS appears to use the private DNS server.

                  Gertjan @McMurphy
                  last edited by Mar 26, 2024, 7:09 AM

                  @McMurphy

                  Why would forwarding instead of resolving work better ?

                  Resolving : the resolver (pfSense unbound) will use any of these, and from these it will receive the IP addresses of the TLD servers, and the TLD DNS server used will give the IP of the 2 (at least) domain name servers.
                  Forwarding : the resolver (unbound) will use the commercial upstream resolver you've entered yourself, like 1.1.1.1 or 8.8.8.8 or the DNS IP of your ISP.
                  Note : Both methods will not use host names at all.

                  Both methods need to have a working WAN => the VPN WAN uplink should be active before any traffic can go to the net => so doing DNS doesn't work if the OpenVPN connection isn't up.
                  But to make the OpenVPN link, the OpenVPN server host name should be resolved first.

                  So, back to the chicken problem : the egg or the chicken ? And you introduce a cock (forwarding versus resolving). And now I'm scratching my head ...

                  The thing is : if the OpenVPN isn't up, pfSense DNS (resolver) should be allowed to use the original WAN, over which the OpenVPN connection also flows. This is considered as 'leaking', but what choice do you have ?
                  As soon as the OpenVPN connection comes up, unbound restarts, and now it will use the OpenVPN uplink.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    McMurphy @Gertjan
                    last edited by Mar 26, 2024, 8:09 AM

                    @Gertjan

                    Thanks for the feedback. I appreciate your help but am not following.

                    My private DNS server (100.96.1.1) is ignored unless the resolver is in forwarding mode.

                    If I only list my private DNS server in System => General Setup then the OVPN connection cannot be established as the OVPN hostname cannot be resolved. I have tested and confirmed this.

                    If I list backup DNS servers in System => General Setup then resolver (in forwarding mode) will use them randomly.

                    The Forwarder allows the DNS servers to be used sequentially. So, if I list my private DNS server and backup DNS servers then the OVPN connection can be re-established and the forwarder will only use my private DNS server as it is 1st in the list.

                    • 1st 100.96.1.1
                    • 2nd 8.8.8.8
                    • 3rd 8.8.4.4

                    This works well, so please explain how a better, or equal, outcome can be achieved with the resolver.

                    Happy to have any misunderstandings pointed out.

                      Gertjan @McMurphy
                      last edited by Mar 26, 2024, 9:08 AM

                      This tells me :

                      @McMurphy said in DNS Resolver in Forwarder Mode:

                      My private DNS server (100.96.1.1) is ignored unless the resolver is in forwarding mode.

                      that you do not know what "resolving" and "forwarding" mean.
                      Reserve 15 minutes, take a snack and watch the first 3 : what is DNS resolving ? (the third is the I guess).
                      I'm pretty sure you'll thank me later ;)

                      @McMurphy said in DNS Resolver in Forwarder Mode:

                      1st 100.96.1.1

                      I can't either :

                      [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: dig @100.96.1.1 google.com
                      ;; communications error to 100.96.1.1#53: timed out
                      ;; communications error to 100.96.1.1#53: timed out
                      ;; communications error to 100.96.1.1#53: timed out
                      

                      If that DNS server 100.96.1.1 doesn't work for you, have a talk with the admin ?!
                      100.0.0.0 - 100.255.255.255 is "special", it isn't RFC1918 but not really the "Internet" either. Can you tell more ?

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                        McMurphy @Gertjan
                        last edited by Mar 26, 2024, 11:02 AM

                        @Gertjan

                        Thank you again.

                        I have two options for pfSense to use the private DNS server (100.96.1.1)

                        1. DNS resolver (in Forwarding Mode)
                          https://docs.netgate.com/pfsense/en/latest/services/dns/resolver-modes.html
                        2. DNS Forwarder

                        @McMurphy said in DNS Resolver in Forwarder Mode:

                        1st 100.96.1.1

                        I can't either :

                        [23.09.1-RELEASE][root@pfSense.bhf.tld]/root: dig @100.96.1.1 google.com
                        ;; communications error to 100.96.1.1#53: timed out
                        ;; communications error to 100.96.1.1#53: timed out
                        ;; communications error to 100.96.1.1#53: timed out
                        

                        If that DNS server 100.96.1.1 doesn't work for you, have a talk with the admin ?!
                        100.0.0.0 - 100.255.255.255 is "special", it isn't RFC1918 but not really the "Internet" either. Can you tell more ?

                        Correct. That private DNS server is only accessible over the OVPN link. Until the link is established pfSense is unable to access it.

                        When the OVPN link is down:
                        26.03.2024_21.52.29_REC.png

                        When the OVPN link is up:
                        26.03.2024_21.53.10_REC.png

                        Accordingly, I need pfSense to be able to perform DNS lookups to establish the OVPN link, then use the private DNS for all DNS lookups.

                        This is currently working using the Forwarder in sequential mode; however, I cannot see how this can be done with the resolver in Forwarding mode.

                          Gertjan @McMurphy
                          last edited by Mar 26, 2024, 4:07 PM

                          @McMurphy said in DNS Resolver in Forwarder Mode:

                          This is currently working using the Forwarder in sequential mode however I cannot see how this can be done with the resolver in Forwarding mode.

                          With forwarder, you mean dnsmasq, the pfSense DNS solution from way way back, and it's still there :

                          2a9502cf-c11c-48c1-85f0-c666aba8d5c0-image.png

                          ?

                          It's probably a better forwarder than the forward mode of unbound.
                          If it works for you, I'm good with that ^^

                          No "help me" PM's please. Use the forum, the community will thank you.
                          Edit : and where are the logs ??

                            johnpoz LAYER 8 Global Moderator @Gertjan
                            last edited by Mar 26, 2024, 5:36 PM

                            @Gertjan yeah forwarder (dnsmasq) forwarding is prob more configurable for how it forwards, vs a resolver (unbound) in forward mode ;)

                            An intelligent man is sometimes forced to be drunk to spend time with his fools
                            If you get confused: Listen to the Music Play
                            Please don't Chat/PM me for help, unless mod related
                            SG-4860 24.11 | Lab VMs 2.8, 24.11

                              McMurphy @Gertjan
                              last edited by Mar 26, 2024, 9:25 PM

                              @Gertjan @johnpoz

                              Here is my working config using the Forwarder. Please let me know if a better outcome can be achieved using the Resolver.

                              27.03.2024_07.32.00_REC.png

                              27.03.2024_08.21.59_REC.png

                              Unless a better outcome can be suggested my original setup is optimal.
