DNS Resolver Status not showing the resolved domains
-
Hi,
I have the DNS Resolver configured. When I go to Status > DNS Resolver, normally I should see all the resolved domains, but in my case this is what I see:
Any idea? Thank you
-
Interesting, are you using Resolver as your DNS or CloudFlare?
Here is a small screenshot of the things I see with Resolver.
-
I've noticed the same thing: when you remove the resolver part from unbound (a resolver) it looks like it becomes a 'dumb' forwarder: no cache?!
To get the cache back, make the resolver resolve again. More serious: I don't know why the GUI doesn't show the local DNS cache.
Btw: check also what 1.1.1.1 or 1.0.0.1 gives you back as an answer: if the TTL is very low, it's normal that the cache flushes 'very fast'.
I can somewhat understand that they want to know what you do with their data in real time .... and I'm NOT wondering why ^^ -
@Uglybrian, I did not understand your question clearly;
Here is my setup:
then I have configured the DNS Resolver.
@Gertjan, what do you mean by "make the resolver resolve again"?
I did also change the DNS to Google 8.8.8.8 but it's the same issue, no cached DNS entries are displayed -
@moelharrak said in DNS Resolver Status not showing the resolved domains:
I did not understand clearly your question;
Not a question. A confirmation.
I have: which is normal, I guess, as I'm using the resolver as a resolver. You can see the resolved domain names.
I confirm your finding: as soon as you forward, the very same page doesn't show any details, and no cached, resolved host names anymore. In reality: I don't know why.
-
Try these settings, they are what I use. I do not use a 3rd party for my DNS like Google or Cloudflare. pfSense does it all for me.
-
That is not the "cache", that is the infrastructure cache, i.e. the name servers it talks to. If you're just forwarding then no, there will be no cache of NS to talk to for other domains, just the info on where you're forwarding.
If you want to look at the cache of FQDNs, then look at it using the client:
unbound-control -c /var/unbound/unbound.conf dump_cache
Example, here is what is cached for netgate.com:
[24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound: unbound-control -c /var/unbound/unbound.conf dump_cache | grep netgate
netgate.com.            3366    IN      MX      30 aspmx3.googlemail.com.
netgate.com.            3366    IN      MX      20 alt1.aspmx.l.google.com.
netgate.com.            3366    IN      MX      30 aspmx2.googlemail.com.
netgate.com.            3366    IN      MX      30 aspmx4.googlemail.com.
netgate.com.            3366    IN      MX      10 aspmx.l.google.com.
netgate.com.            3366    IN      MX      20 alt2.aspmx.l.google.com.
netgate.com.            3366    IN      MX      30 aspmx5.googlemail.com.
netgate.com.            3366    IN      A       199.60.103.104
netgate.com.            3366    IN      A       199.60.103.4
forum.netgate.com.      2118    IN      A       208.123.73.71
www.netgate.com.        3363    IN      CNAME   1826203.group3.sites.hubspot.net.
ns3.netgate.com.        2534    IN      A       34.197.184.5
ns2.netgate.com.        2534    IN      A       208.123.73.90
ns1.netgate.com.        2534    IN      A       208.123.73.80
netgate.com.            2534    IN      NS      ns3.netgate.com.
netgate.com.            2534    IN      NS      ns2.netgate.com.
netgate.com.            2534    IN      NS      ns1.netgate.com.
pfsense.org.            568     IN      NS      ns2.netgate.com.
pfsense.org.            568     IN      NS      ns3.netgate.com.
pfsense.org.            568     IN      NS      ns1.netgate.com.
msg forum.netgate.com. IN A 32896 1 2118 0 1 1 3 -1
forum.netgate.com. IN A 0
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
msg netgate.com. IN MX 32896 1 2534 0 1 1 3 -1
netgate.com. IN MX 0
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
msg netgate.com. IN AAAA 32896 1 2534 0 0 1 3 -1
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
msg netgate.com. IN A 32896 1 2534 0 1 1 3 -1
netgate.com. IN A 0
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
msg www.netgate.com. IN A 32896 1 3363 0 3 0 0 -1
www.netgate.com. IN CNAME 0
[24.03-RELEASE][admin@sg4860.home.arpa]/var/unbound:
notice
forum.netgate.com. 2118 IN A 208.123.73.71
That is the IP and the time left on the TTL in the cache.
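The dump above is what unbound actually holds, but reading it by eye gets old quickly. The following is an added example, not code from this thread or from pfSense/unbound: a small parser for `unbound-control dump_cache` output that splits the RRset cache (one record per line with the seconds of TTL left) from the message cache (`msg` lines followed by the RRsets each cached answer references) and lets you ask "what is cached for this name?" or "which negative answers are cached?" directly. It assumes the `START_RRSET_CACHE`/`END_RRSET_CACHE`/`START_MSG_CACHE`/`END_MSG_CACHE`/`EOF` section markers and the `;rrset` header lines that unbound prints around the dump (the `grep` in the post filtered those out); the sample data is constructed to match the shape of the records shown above.

```python
"""Parse `unbound-control dump_cache` output and answer "what is cached?".

Added example, not code from the forum thread or from pfSense/unbound.
Assumption: the dump is wrapped in START_/END_ section markers and each
RRset is preceded by a ';rrset ...' header line, as unbound prints it.
"""
import re

# Constructed sample in the shape of `unbound-control dump_cache` output.
SAMPLE_DUMP = """\
START_RRSET_CACHE
;rrset 3366 2 0 3 3
netgate.com.            3366    IN      A       199.60.103.104
netgate.com.            3366    IN      A       199.60.103.4
;rrset 2118 1 0 3 3
forum.netgate.com.      2118    IN      A       208.123.73.71
;rrset 3363 1 0 3 3
www.netgate.com.        3363    IN      CNAME   1826203.group3.sites.hubspot.net.
;rrset 2534 3 0 3 3
netgate.com.            2534    IN      NS      ns1.netgate.com.
netgate.com.            2534    IN      NS      ns2.netgate.com.
netgate.com.            2534    IN      NS      ns3.netgate.com.
END_RRSET_CACHE
START_MSG_CACHE
msg forum.netgate.com. IN A 32896 1 2118 0 1 1 3 -1
forum.netgate.com. IN A 0
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
msg netgate.com. IN AAAA 32896 1 2534 0 0 1 3 -1
netgate.com. IN NS 0
ns1.netgate.com. IN A 0
ns2.netgate.com. IN A 0
ns3.netgate.com. IN A 0
END_MSG_CACHE
EOF
"""

# RRset cache line: owner  ttl-left  class  type  rdata  (tab- or space-separated)
RR_LINE = re.compile(r"^(\S+)\s+(\d+)\s+(IN|CH|HS)\s+(\S+)\s+(.+)$")


def parse_dump_cache(text):
    """Return (rrsets, msgs).

    rrsets: list of {name, ttl, type, rdata}, ttl = seconds left in cache.
    msgs:   list of {qname, qtype, ttl, an, ns, ar, refs}; refs are the
            (name, class, type) triples of the RRsets the cached answer uses.
    """
    rrsets, msgs = [], []
    section, current = None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank or ';rrset ...' header
            continue
        if line == "START_RRSET_CACHE":
            section = "rrset"
        elif line == "START_MSG_CACHE":
            section = "msg"
        elif line in ("END_RRSET_CACHE", "END_MSG_CACHE", "EOF"):
            section, current = None, None
        elif section == "rrset":
            m = RR_LINE.match(line)
            if m:
                name, ttl, _cls, rtype, rdata = m.groups()
                rrsets.append({"name": name, "ttl": int(ttl),
                               "type": rtype, "rdata": rdata})
        elif section == "msg":
            t = line.split()
            if t[0] == "msg":
                # msg qname class type flags qdcount ttl security an ns ar ...
                current = {"qname": t[1], "qtype": t[3], "ttl": int(t[6]),
                           "an": int(t[8]), "ns": int(t[9]), "ar": int(t[10]),
                           "refs": []}
                msgs.append(current)
            elif current is not None:
                current["refs"].append((t[0], t[1], t[2]))
    return rrsets, msgs


def lookup(rrsets, name, rtype=None):
    """Cached records for one owner name (like `| grep` in the post, but exact)."""
    return [(r["type"], r["rdata"], r["ttl"]) for r in rrsets
            if r["name"] == name and (rtype is None or r["type"] == rtype)]


def negative_answers(msgs):
    """Cached answers with zero answer RRsets, i.e. NODATA/NXDOMAIN responses."""
    return [(m["qname"], m["qtype"], m["ttl"]) for m in msgs if m["an"] == 0]


def consistent(msgs):
    """True if every msg entry lists exactly an+ns+ar referenced RRsets."""
    return all(len(m["refs"]) == m["an"] + m["ns"] + m["ar"] for m in msgs)


if __name__ == "__main__":
    rr, ms = parse_dump_cache(SAMPLE_DUMP)
    for rtype, rdata, ttl in lookup(rr, "forum.netgate.com."):
        print(f"forum.netgate.com. {rtype} {rdata} (ttl {ttl}s left)")
    print("negative answers cached:", negative_answers(ms))
```

Feed it real output with `unbound-control -c /var/unbound/unbound.conf dump_cache > dump.txt` and `parse_dump_cache(open("dump.txt").read())`. The message-cache view is the useful half: an entry with zero answer RRsets (the AAAA entry for netgate.com in the post, with `0 1 3` after the security field) is a cached negative answer, which the RRset listing alone never shows you.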
-
@Uglybrian said in DNS Resolver Status not showing the resolved domains:
Try these settings, they are what I use. I do not use a 3rd party for my DNS like Google or Cloudflare. pfSense does it all for me.
-
@johnpoz thank you for your answer. I do understand that the Forwarder status shows only the status of the servers it talks to, so how can I see the full cache as @Uglybrian is able to see?
@Uglybrian are you using pfBlocker? The Python Module Script is not shown in my case -
@moelharrak yes, I am using PF blocker.
-
@moelharrak that has nothing to do with pfBlocker; what he posted is just the "infrastructure" cache..
I already showed you how to view the full cache.. I was not aware that pfBlocker has an option to show you that - it might be able to show you stuff that was queried, etc.
I don't see any post from him other than the standard infrastructure cache that is under Status > DNS Resolver.
-
This is becoming confusing for me now. I disabled "DNS Query Forwarding", and now I am able to see the cache.
Any idea why, and whether the upstream DNS servers configured in the system will be used or not?
-
@moelharrak what part are you not getting - that is not the full cache!!! That is the infrastructure cache.. i.e. what name servers unbound is talking to..
-
What do you mean by infrastructure?
If you look at my first post, I was not able to see anything at all, so what is the difference now, that when I disabled DNS Query Forwarding, I start at least seeing something? -
@moelharrak dude, in your first post you do see the DNS you were pointing to, 1.1.1.1 and 1.0.0.1
Not sure what you're not getting..
https://docs.netgate.com/pfsense/en/latest/monitoring/status/dns-resolver.html#dns-resolver-status
-
@moelharrak said in DNS Resolver Status not showing the resolved domains:
If you look at my first post, I was not able to see anything at all, so what is the difference now, that when I disabled DNS Query Forwarding
When you installed pfSense, the resolver was resolving, and you had something to show under Status > DNS Resolver.
Then, for some reason you didn't mention, you disabled the resolving mode and went on doing forwarding. Do you know or can you tell why?
Anyway, even I had my memory refreshed, as Status > DNS Resolver shows the 'infrastructure': the DNS sources (servers!) it uses to resolve.
What do you mean by infrastructure?
If you forward to 1.1.1.1 and 1.0.0.1 then these two are the only ones listed.
If you were resolving, you would see a whole list of DNS servers: the root servers, the TLD servers, and the domain name servers.
It's the domain name servers that eventually give the answer to a question like:
What is the IPv4 (or A record) of "www.facebook.com"?
To really see what is in the DNS answer cache, you have to visit the command line. The command to use is shown above.
Or
Install pfBlockerNG, and look at Firewall > pfBlockerNG > Alerts - see the Unified logs.
Or, when you use pfBlockerNG, another command:
cat /var/unbound/var/log/pfblockerng/dns_reply.log
This file shows the host name requested, who was asking for it, what the answer was, and whether the answer came from the local unbound cache or was resolved. The TTL isn't shown.
-
Thank you all for your answers.
What is the best practice regarding DNS queries? Specify the DNS servers in System > General Setup, and which is best to enable, DNS Resolver or DNS Forwarder? And I need to know if both can save the cache locally to check first, because my goal is to make DNS queries faster, that's all. -
@moelharrak said in DNS Resolver Status not showing the resolved domains:
Specify the DNS servers in the System > General Setup
My 'church' says: you'll add none.
This is the perfect way of doing things:
And this goes with it:
(do not select that button!) Why?
Because it's the default setting, Netgate has chosen these, and as these guys know their DNS, that's what you should use.
But, of course, if you signed a contract with "8.8.8.8" or "1.1.1.1" and they pay you for your private DNS info, then, why not, you should forward to these guys.
It's a free world after all, and if you can make some money out of it, then that's just great.
pfSense has had its own resolver for years now, so you don't need to use any 'DNS server' - the only thing you need is access to the free 13 main DNS root servers. These are the ones who make DNS work, these are the ones you should use, as it was intended when the Internet (DNS actually, DNS didn't exist in the beginning)
edit: another reason: these settings are part of the Keep It Simple concept.
Install pfSense - do nothing (well, change the password) and you're good, it works, like any other router you'll find out there.
The planet-wide sickness "you have to use 8.8.8.8, or some other remote entity, as a DNS" has been crafted because your DNS traffic is worth gold, and I'm not exaggerating here, for them, and this belongs to the "You are the product" concept.
Also, when you belong to the "I resolve" club, you have, statistically speaking, fewer issues with DNS. It just works, and that's not a hazard or being lucky, the DNS system was meant to be used like that.
How DNS Works - Computerphile
Btw: all this is of course my own opinion.