Netgate Discussion Forum

DNS Resolver Infrastructure Cache Stats

Category: DHCP and DNS
33 Posts 4 Posters 1.4k Views
    Antibiotic, Nov 18, 2024, 5:47 PM

    Hi, can someone explain "eDNS lame known"? What does it mean?

    pfSense plus 24.11 on Topton mini PC
    CPU: Intel N100
    NIC: Intel i-226v 4 pcs
    RAM : 16 GB DDR5
    Disk: 128 GB NVMe
    Brgds, Archi

      Gertjan @Antibiotic, Nov 19, 2024, 10:50 AM

      @Antibiotic

      Ah, a resolver guy ^^ 👍

      Item 2 here explains, imho, what lame is.

      I see it like this : there are 13 main root servers. If one goes down, the other will take the load.
      There are, for each TLD (dot com, dot org, dot net, dot whatever), many DNS servers. They, like the root servers, sync among themselves. One goes down, no issue, many others are available.
      The TLD will hand over at least two domain name servers IP addresses. These will do the final resolving, like, what is the A record of the zone "www.facebook.com". Typically, "facebook.com" hosts their own domain name servers.
      If one of them is down, then this server is considered 'lame'.

      Again : my interpretation of things.

      Where in the pfSense GUI 'lame' is shown ?
      Or are you dumping unbound stats on the command line ?

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

        Antibiotic @Gertjan, Nov 19, 2024, 1:41 PM

        @Gertjan said in DNS Resolver Infrastructure Cache Stats:

        Where in the pfSense GUI 'lame' is shown ?
        Or are you dumping unbound stats on the command line ?

        [screenshot: Screenshot_19-11-2024_15418_192.168.10.1.jpeg]


          Gertjan @Antibiotic, Nov 19, 2024, 4:59 PM

          @Antibiotic

          You're forwarding, so gone are all the nice advantages (of resolving).
          Your unbound talks to one upstream DNS server that does the heavy lifting.
          This means your unbound can't be aware of lame servers, DNSSEC etc. It just accepts what the upstream DNS found and handed over.

          Moreover, I found more about 'lame': https://nlnetlabs.nl/documentation/unbound/requirements/
          so lame is also a DNSSEC (Secure DNS) thing.
          You're forwarding: no DNSSEC issues for you.


            Antibiotic @Gertjan, Nov 19, 2024, 5:01 PM

            @Gertjan said in DNS Resolver Infrastructure Cache Stats:

            Your unbound talks to one upstream DNS server that does the heavy lifting

            Is it better to set one or two more?


              johnpoz (LAYER 8 Global Moderator) @Antibiotic, Nov 19, 2024, 5:11 PM

              @Antibiotic to be honest, when you forward there is little reason to forward to more than 1 IP. I mean these DNS providers are anycast networks. So it's not like 8.8.8.8 is 1 server or cluster of servers in one DC. They are most likely thousands of "servers" on the anycast network all over the globe.

              The likelihood that 8.8.8.8 is down while 8.8.4.4 is up is highly unlikely. I mean these major players have spent lots of money to set up robust DNS services. Could it happen? Sure, I guess, but it would be so rare. When was the last time you heard of a major player's DNS service going down? I mean they do happen now and then, but not like it happens every month or, for that matter, every year. And even if it did or does, switching over to forward to a different provider is a simple click.

              And forwarding to 1 service and also a different service runs into the problem that maybe 1 service filters X and another filters Y. So which one will you talk to? You have a problem talking to X now, but a couple of minutes later you don't. Is it because there was an issue with the site, or DNS, or did you just happen to query the DNS service where that was filtered, but not filtered on the other service?

              If you really have some OCD reason to put in more than 1, then they should be the same service so you're assured that responses from them will be consistent.

              One of the advantages of resolving vs forwarding is: if the root servers are down, the internet is down for everyone on the planet, not just some DNS service provider. If some NS for domain XYZ is down, again it's down for everyone on the planet, be it you're trying to resolve or you're forwarding and asking them to resolve it for you.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.7.2, 24.11

                Gertjan @Antibiotic, Nov 19, 2024, 5:12 PM (edited Nov 19, 2024, 5:25 PM)

                @Antibiotic

                More is always better.
                Just keep in mind that if you forward to a.a.a.a, b.b.b.b and c.c.c.c (etc) and they have different operating policies (also known as "they decide what you can access") then you can get randomly failing DNS requests. Like : it works one moment, and not the next moment, etc.
                And guess who gets blamed ? => unbound of course ....
                ( because the admin decided to ditch the mode Netgate has chosen : Resolving, and went for the DNS rabbit hole called forwarding )

                So my real answer would be : none ! Don't forward, resolve. Get your DNS answers from the source, not from "some other intermediate" 😊 .

                Ok, ok, I admit, I'm biased. We all forwarded in the past, as we had no choice. It was the ISP DNS, and that's it.
                These days, we have a resolver in our own router 👍

                edit : and just saw the johnpoz reply.
                True, big players have the anycast, many points of presence and so on. So using just one doesn't really introduce a single point of failure.
                They don't break often, very true, because, as said :

                @johnpoz said in DNS Resolver Infrastructure Cache Stats:

                these major players have spent lots of money to setup robust dns services

                .... and doesn't this make you wonder why? What's in it for them? ( 😊 )
                I mean, I saw (own eyes, I was privileged) "8.8.8.8" in Europe, it's 'hidden' right in here: https://maps.app.goo.gl/FyPLtJBN2R6GkGLK7
                And look just to the right of their building, a couple of 100 m or so: everything is windmill driven: green power!
                There is a big sign at the entrance: "No households are using any green energy here, as we (Google) bought it all to serve your mail, DNS and storage ^^". I've a photo somewhere ...

                And whatever happens in the future, the original Internet DNS system will always exist, as the big players are actually ... resolvers.
                So, yeah, I'm pushing hard, I know, but why would you need an external resolver if you have a resolver?


                  johnpoz (LAYER 8 Global Moderator) @Gertjan, Nov 19, 2024, 5:15 PM

                  @Gertjan exactly. The days of ISP-provided DNS, and I even recall where they wouldn't even let you query another NS that wasn't theirs. The VPN services are trying to put that in place now. Look at all the shenanigans going on with Nord where they are hijacking your DNS queries.

                  Now that you can resolve yourself, I just don't get why everyone doesn't just resolve; you couldn't get me to go back to forwarding ever.


                    Antibiotic @Gertjan, Nov 19, 2024, 5:21 PM

                    @Gertjan said in DNS Resolver Infrastructure Cache Stats:

                    So, my real answer would be: none! Don't forward, resolve

                    I agree, better to resolve; the reason I'm forwarding is that my ISP is filtering DNS requests, and in resolve mode I cannot get some sites even with VPN!


                      Antibiotic @johnpoz, Nov 19, 2024, 5:23 PM

                      @johnpoz said in DNS Resolver Infrastructure Cache Stats:

                      Now that you can resolve yourself - I just don't get why everyone doesn't just resolve, you couldn't get me to go back to forwarding ever.

                      The main reason is that my ISP filters DNS, so I cannot get some sites.


                        Gertjan @Antibiotic, Nov 19, 2024, 5:31 PM

                        @Antibiotic said in DNS Resolver Infrastructure Cache Stats:

                        The main reason, that my ISP filter DNS, cannot get some sites

                        I get it.
                        I'm not at all against forwarding. Reasons exist, and it's always better to have a choice.

                        Public resolving will never (not in the near future) happen over TLS, your port 853, as this would make every DNS request "a thousand" times more expensive (resources needed); creating a TLS connection for small, very temporary connections is a bad thing.
                        See my edited post above about Google in Europe.

                        You could still resolve, but then you need to VPN out all your traffic.
                        Or only VPN out your DNS requests (dunno if that can be done, I 'think' you could)?


                          Antibiotic @Gertjan, Nov 19, 2024, 5:39 PM (edited Nov 19, 2024, 5:43 PM)

                          @Gertjan said in DNS Resolver Infrastructure Cache Stats:

                          You could still resolve, but then you need to VPN out all your traffic.
                          Or only VPN out your DNS requests (dunno if that can be done, I 'think' you could)?

                          Yes, I tried, but without success. Could you please give 2 firewall examples of how to make this, for the first option and, for me I think preferable, the second option? VPN out your DNS requests, this is my dream to make.


                            johnpoz (LAYER 8 Global Moderator) @Antibiotic, Nov 19, 2024, 5:43 PM (edited Nov 19, 2024, 5:46 PM)

                            @Antibiotic how would your ISP stop you from going to site xyz if you were running your DNS also through the VPN? Unless of course your VPN was also filtering your DNS, like Nord.

                            It is unlikely your ISP is filtering DNS in that they prevent looking up xyz, but what they could be doing is hijacking and redirecting your DNS, which can break resolving.

                            I mean if an ISP doesn't want their user base going to site xyz, it's a pretty lame attempt at stopping the users to just break DNS and not actually block the traffic to that site's IPs as well.

                            If I found out my ISP was doing anything weird with my DNS, the first thing I would be doing would be looking for a new ISP. Which is not always possible, sure. Next best option: probably find a VPN service that doesn't mess with DNS either. But I would probably just spin up a VPN on a VM somewhere; you can run a VPS for a couple of bucks a month. I have one that is like 20 a year I can route traffic through, more than capable of running a DNS resolver for me.

                            I have little desire to send my DNS to these DNS providers. They are not providing DNS out of the goodness of their hearts; there is profit in it for them, in one form or another, or they wouldn't be doing it.

                            A simple smoking-gun test to see if your ISP or VPN is hijacking DNS is a directed dig to 1.2.3.4 for something. If you get an answer then your DNS is being redirected, either you are doing it yourself on pfSense or it's happening upstream. But 1.2.3.4 does not answer DNS, so if you got an answer it's a smoking gun that you have been redirected.

                            dig @1.2.3.4 www.google.com

                            That should just time out. If you get a response your DNS has been hijacked/redirected, that is a fact, Jack ;)


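The same smoking-gun check, as an added example that is not part of the post above: instead of relying on dig, this script builds the DNS query packet itself, sends it to an address that is not supposed to run a DNS server, and treats any reply at all as evidence that something in the path (a NAT redirect on pfSense, the ISP, or the VPN) intercepted the query. The target 1.2.3.4 and the name www.google.com are taken from the post; the verdict wording and the `classify`/`check_hijack` helper names are assumptions of this example.

```python
"""Added example (not from the thread): a dig-free version of the "query a
non-DNS address" hijack test. Any reply to a query sent to 1.2.3.4 means the
packet was redirected somewhere that does answer DNS."""
import random
import socket
import struct


def build_query(qname: str, qid: int) -> bytes:
    """Minimal RFC 1035 query: 12-byte header plus one A/IN question."""
    # flags 0x0100 = RD (recursion desired); QDCOUNT=1, all other counts 0
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in qname.rstrip(".").split(".")
    )
    question = labels + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN
    return header + question


def _skip_name(data: bytes, pos: int) -> int:
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[pos]
        if length == 0:
            return pos + 1
        if length & 0xC0 == 0xC0:  # two-byte compression pointer ends the name
            return pos + 2
        pos += 1 + length


def parse_response(data: bytes, qid: int) -> dict:
    """Parse a DNS response carrying our query id. Returns {} when the packet
    is malformed or not a response to that id; otherwise rcode and A records."""
    try:
        rid, flags, qdcount, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
        if rid != qid or not flags & 0x8000:  # QR bit must be set on a response
            return {}
        pos = 12
        for _ in range(qdcount):
            pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
        answers = []
        for _ in range(ancount):
            pos = _skip_name(data, pos)
            rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", data[pos:pos + 10])
            pos += 10
            rdata = data[pos:pos + rdlen]
            pos += rdlen
            if rtype == 1 and rdlen == 4:
                answers.append(socket.inet_ntoa(rdata))
        return {"rcode": flags & 0x000F, "answers": answers}
    except (struct.error, IndexError):
        return {}


def classify(reply, qid: int) -> dict:
    """Turn the raw outcome into a verdict (wording is this example's
    assumption). reply is None when nothing came back, which is the expected
    result when the target really runs no DNS server."""
    if reply is None:
        return {"hijacked": False, "detail": "no reply: nothing intercepted the query"}
    parsed = parse_response(reply, qid)
    if not parsed:
        return {"hijacked": True,
                "detail": "a packet came back on UDP/53 but is not a valid response to our id"}
    return {"hijacked": True,
            "detail": f"valid DNS response, rcode={parsed['rcode']}",
            "answers": parsed["answers"]}


def check_hijack(target: str = "1.2.3.4", qname: str = "www.google.com",
                 timeout: float = 3.0) -> dict:
    """Send one query to `target` (which must NOT be a DNS server) and classify."""
    qid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    reply = None
    try:
        sock.sendto(build_query(qname, qid), (target, 53))
        reply, _ = sock.recvfrom(512)
    except OSError:
        # timeout, or ECONNREFUSED after an ICMP port-unreachable: both mean
        # nothing at the target answered DNS, which is what we want to see
        pass
    finally:
        sock.close()
    return classify(reply, qid)


if __name__ == "__main__":
    print(check_hijack())
```

Run it once from a LAN client and once from the pfSense shell. A "hijacked" verdict from the client but not from pfSense points at a local NAT redirect of port 53 to the resolver (the "doing it yourself on pfsense" case in the post); a "hijacked" verdict from both points upstream, at the ISP or the VPN.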
                              Antibiotic @johnpoz, Nov 19, 2024, 5:48 PM

                              @johnpoz said in DNS Resolver Infrastructure Cache Stats:

                              how would your ISP stop you from going to site xyz if you were running your DNS also through the VPN? Unless of course your VPN was also filtering your DNS, like Nord.

                              It is unlikely your ISP is filtering DNS in that they prevent looking up xyz, but what they could be doing is hijacking and redirecting your DNS, which can break resolving.

                              I mean if an ISP doesn't want their user base going to site xyz, it's a pretty lame attempt at stopping the users to just break DNS and not actually block the traffic to that site's IPs as well.

                              Sorry, I'm not an expert in this. Let me try to explain: when I set Unbound to resolver mode and use the VPN, the LAN rule is here:
                              [screenshot: Screenshot_19-11-2024_194743_192.168.20.1.jpeg]

                              I cannot get some sites.


                                johnpoz (LAYER 8 Global Moderator) @Antibiotic, Nov 19, 2024, 5:54 PM

                                @Antibiotic where in those rules do you have pfSense's DNS routed through your VPN? That routes your clients' traffic over a VPN via policy routing. When your client asks the pfSense resolver for something.domain.tld, does your resolver's query route out the VPN? If not, then no, it would just go out your ISP.


                                  Antibiotic @johnpoz, Nov 19, 2024, 5:56 PM (edited Nov 19, 2024, 5:58 PM)

                                  @johnpoz said in DNS Resolver Infrastructure Cache Stats:

                                  Does your resolver query route out the vpn?

                                  Could you please give a firewall rule example for this? If yes, regarding my settings, where is it better to place this rule, I mean in the rule order on this interface?


                                    johnpoz (LAYER 8 Global Moderator) @Antibiotic, Nov 19, 2024, 5:57 PM

                                    @Antibiotic it wouldn't be a firewall rule; it would be a setting in your resolver on what outbound interface to use. Or it would be the default route in pfSense to send all traffic out the VPN.


                                      Gertjan @Antibiotic, Nov 19, 2024, 5:57 PM

                                      @Antibiotic said in DNS Resolver Infrastructure Cache Stats:

                                      could you please give 2 firewall examples of how to make this, for the first option and, for me I think preferable, the second option?

                                      Long story short : I can't.
                                      I use a (just one now) pfSense, and that's the one used by the company I work for.
                                      Experimenting with that setup, and my boss knows that it is me messing around (again), and I already lost all my "who broke the Internet" credit points for this year.

                                      If I have DNS issues with my ISP, I terminate the contract with them.

                                      I prefer by far keeping my pfSense setup as simple (for me) as possible. And we all know it: we use pfSense, so it won't be simple; that's why we use pfSense.


                                        Antibiotic @johnpoz, Nov 19, 2024, 6:05 PM (edited Nov 19, 2024, 6:07 PM)

                                        @johnpoz said in DNS Resolver Infrastructure Cache Stats:

                                        it would be a setting in your resolver on what outbound interface

                                        Actually, I tried to do it like you say now. But anyway, I cannot get some sites.
                                        [screenshot: Screenshot_19-11-2024_20524_192.168.20.1.jpeg]
                                        [screenshot: Screenshot_19-11-2024_2051_192.168.20.1.jpeg]

                                        Could it be that I need to make a restart?


                                          Antibiotic @Gertjan, Nov 19, 2024, 6:09 PM

                                          @Gertjan said in DNS Resolver Infrastructure Cache Stats:

                                          Long story short : I can't.
                                          I use a (just one now) pfSense, and that's the one used by the company I work for.
                                          Experimenting with that setup, and my boss knows that it is me messing around (again), and I already lost all my "who broke the Internet" credit points for this year

                                          No problem, buddy, anyway thank you.


Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.