Trying to make sense of dns forwarding (noob question)
-
I was looking at these two wiki entries:
Blocking DNS queries to external resolvers
Specifically:
If the DNS forwarder is enabled, the internal interface IP for pfSense will be handed out to DHCP clients for a DNS server. If the DNS forwarder is disabled, your system's currently configured DNS servers will be handed out instead.
So… the DHCP clients receive either the pfSense Lan address, and pfSense forwards the client DNS requests to its configured servers for them; or the DHCP clients receive the configured servers that they can access directly? Guess I don't see the point, outside of not having to configure public DNS servers in the client machines, but you don't have to do that with DHCP anyway. So there is no point? Or is pfSense caching those DNS requests if the forwarder is turned on? Is caching the point?
Also, what happens with static addressing? In the 2nd link above, does that dodge work for static addressing too? In other words if your user wants to use an "anything goes" DNS so he can look at porn at work, and you'd rather steer him to OpenDNS, that method will work? Will he have to change his DNS server setting to the pfSense lan address, to see any internet at all?
-
Or is pfSense caching those DNS requests if the forwarder is turned on?
Yes.
Is caching the point?
Yes, generally. The DNS forwarder can also be used to apply local host name overrides, for example, point the name of the server of banner ads to a "non-existent" IP address or to a host that will quickly give a NULL reply.
Also, what happens with static addressing? In the 2nd link above, does that dodge work for static addressing too? In other words if your user wants to use an "anything goes" DNS so he can look at porn at work, and you'd rather steer him to OpenDNS, that method will work?
Automatic if user configures by DHCP and has no local DNS overrides. If user has local DNS overrides (or configured DNS because they have static IP address) they will find they suddenly can't access their name server and will probably have to squeal for help.
Will he have to change his DNS server setting to the pfSense lan address, to see any internet at all?
Yes if he wants to resolve hostnames (e.g. wants ping www.google.com to "work"); no if he is content to use IP addresses.
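To make the two points in the reply concrete (the forwarder answers repeat queries from its cache, and a host override can steer a name such as an ad server to a "non-existent" address), here is a small model of a caching forwarder. This is an added example, not pfSense's or dnsmasq's code; the upstream answers and the sinkhole address are constructed so the script runs offline, and the `Forwarder` class, its method names and the injectable clock are assumptions of this example only.

```python
"""Minimal model of a caching DNS forwarder with local host overrides.

Added example (not pfSense or dnsmasq code). The configured upstream
DNS servers are simulated by an in-memory table so this runs offline.
"""
import time

# Constructed stand-in for the answers the configured upstream servers
# would return: name -> (address, TTL in seconds). Values are made up.
UPSTREAM = {
    "www.example.com": ("93.184.216.34", 300),
    "ads.example.net": ("203.0.113.10", 60),
}

# Address handed back for overridden names; 0.0.0.0 is an assumption here,
# standing in for the "non-existent" IP the reply mentions.
SINKHOLE = "0.0.0.0"


class Forwarder:
    """Resolves names in the order a forwarder does: override, cache, upstream."""

    def __init__(self, upstream, overrides=None, clock=time.monotonic):
        self.upstream = upstream
        self.overrides = dict(overrides or {})
        self.clock = clock                 # injectable so TTL expiry is testable
        self.cache = {}                    # name -> (address, expires_at)
        self.upstream_queries = 0          # how often we had to ask upstream

    def resolve(self, name):
        """Return (address, source) where source says which path answered."""
        name = name.rstrip(".").lower()

        # 1. Local host overrides always win (e.g. ad server -> sinkhole).
        if name in self.overrides:
            return self.overrides[name], "override"

        # 2. Serve from cache while the record's TTL has not expired.
        now = self.clock()
        entry = self.cache.get(name)
        if entry is not None and entry[1] > now:
            return entry[0], "cache"

        # 3. Otherwise forward to the configured servers and cache the reply
        #    for its TTL. Negative answers are not cached in this model.
        self.upstream_queries += 1
        if name not in self.upstream:
            return None, "nxdomain"
        addr, ttl = self.upstream[name]
        self.cache[name] = (addr, now + ttl)
        return addr, "upstream"


def demo():
    """Walk through cache fill, cache hit, TTL expiry and an override."""
    clock = [0.0]                          # fake clock, seconds
    fwd = Forwarder(UPSTREAM, {"ads.example.net": SINKHOLE},
                    clock=lambda: clock[0])
    results = [
        fwd.resolve("www.example.com"),    # first query goes upstream
        fwd.resolve("www.example.com"),    # second is answered from cache
    ]
    clock[0] = 301.0                       # past the 300 s TTL
    results.append(fwd.resolve("www.example.com"))   # refetched upstream
    results.append(fwd.resolve("ads.example.net"))   # override, never upstream
    results.append(fwd.resolve("nope.example.org"))  # unknown name
    return results, fwd.upstream_queries


if __name__ == "__main__":
    for (addr, source) in demo()[0]:
        print(f"{source:9s} -> {addr}")
```

Running the script shows three of five queries reaching the simulated upstream servers: the ad server name never leaves the box because the override answers it first, which is the behaviour the reply describes when the forwarder is enabled and clients use the pfSense LAN address as their DNS server.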