Netgate Discussion Forum
    DNS Forwarder and "Query DNS servers sequentially"

    General pfSense Questions
    7 Posts 5 Posters 3.4k Views
    jrmitchell83:

      Hello,

      I'm running 2.1 64-bit and leverage the DNS Forwarder in our environment. I understand what "Query DNS servers sequentially" does, however I'm trying to understand different scenarios for enabling or disabling this feature. Can anyone explain why this setting should be configured one way over another? Again, I understand what it does, just trying to understand the pros/cons either way.

      1.) When sequentially polling, obviously it always hits the same DNS server unless it's down. It will still send traffic to that server even if it's slower than the secondary.
      2.) When polling all, I assume that if you have 4 DNS servers, whoever comes back first wins? So this would probably be the best option then?

      Thanks in advance!
      -Justin

      phil.davis:

        I believe the main problem with sequential polling is that when the 1st DNS server is down or unreachable, there is then always a significant wait for the timeout before moving on to the next DNS server. So name resolution becomes painfully slow.

        Others feel free to add your thoughts…

        johnpoz (LAYER 8, Global Moderator):

          Yeah, with sequential I would have to assume that if the first one doesn't answer, the client asking pfSense would have already timed out.. Now it's possible the client would give a neg cache for that.. So it wouldn't even ask pfSense again until that ran out.

          Don't quote me, but I believe that option was per someone's feature request.. To be honest I am not sure why someone would use it.. I set up my ISP anycast addresses and a couple of other public ones that are quick for pfSense to use. Let the fastest win, I say ;)

            jasonlitka:

            @johnpoz:

            yeah with sequential I would have to assume if the first one doesn't answer the client asking pfSense would have already timed out.. Now it's possible the client would give a neg cache for that.. So it wouldn't even ask pfSense again until that ran out.

            Don't quote me, but I believe that option was per someone's feature request.. To be honest I am not sure why someone would use it.. I set up my ISP anycast addresses and a couple of other public ones that are quick for pfSense to use. Let the fastest win, I say ;)

            Sequential resolution is useful for when you have Split DNS but still need your network to function when all internal servers are offline.  It guarantees that queries are served from the preferred servers if they are available, rather than just whoever ends up responding the fastest.

              johnpoz (LAYER 8, Global Moderator):

              So you're saying that a pfSense client using the pfSense forwarder, where pfSense uses some internal DNS server(s),

              like
              127.0.0.1
              1.2.3.4 you control
              8.8.8.8

              So you want pfSense to ask your 1.2.3.4 box for DNS all the time to resolve stuff that is not public. But if 1.2.3.4 is down you want to still be able to resolve google from the client of pfSense.

              Ok, guess that makes sense - but does pfSense stop asking 1.2.3.4 if he doesn't answer, or does it continue to keep asking it and having to time out before he asks 8.8.8.8?

              If he keeps asking - yeah, I agree DNS is going to blow for the clients behind pfSense.

                jasonlitka:

                @johnpoz:

                So you're saying that a pfSense client using the pfSense forwarder, where pfSense uses some internal DNS server(s),

                like
                127.0.0.1
                1.2.3.4 you control
                8.8.8.8

                So you want pfSense to ask your 1.2.3.4 box for DNS all the time to resolve stuff that is not public. But if 1.2.3.4 is down you want to still be able to resolve google from the client of pfSense.

                Ok, guess that makes sense - but does pfSense stop asking 1.2.3.4 if he doesn't answer, or does it continue to keep asking it and having to time out before he asks 8.8.8.8?

                If he keeps asking - yeah, I agree DNS is going to blow for the clients behind pfSense.

                Yeah, it's slow, but at least it works. It's enough to get your network back up and running.

                  NOYB:

                  How slow it is may depend on how aggressive an application is at getting a name resolved.

                  For example, I just assigned some non-DNS address as the first DNS server and pinged a domain from a Windows 8.1 client. A second DNS query was made by the client after about 20 ms, for which pfSense used the second DNS server and returned the domain's address back to the client in under 40 ms from the time of the client's first query.

                  Windows NSLOOKUP, on the other hand, is a total timeout failure that only hits the first DNS address.

                  IE 11 name resolution results were similar to those of ping.

                  I prefer not querying every DNS server, since probably about 99% of the time the one I have listed first is the fastest anyway. And because that is mostly due to network latency, it's not likely to change. So there is little benefit in some cases to sending all those DNS queries when the first one is going to be used anyway for the vast majority of the time.

                  For a highly critical system it may very well be required, though.

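The two behaviours argued over in this thread can be observed directly from a host behind the forwarder. The script below is an added example, written for this page; it is not pfSense or dnsmasq code (the checkbox itself corresponds to dnsmasq's strict-order option, and the thread's "query all" mode to dnsmasq's all-servers option). It builds a raw A query, then asks the configured upstreams two ways: all at once, taking the first server that replies at all, which is what lets a public resolver's NXDOMAIN beat a slow internal server for a split-DNS name (jasonlitka's case); and one after another, moving on only after a timeout, which is where a dead first server costs a full timeout on every lookup (phil.davis's case). The server list 127.0.0.1 / 192.0.2.53 / 8.8.8.8 and the name intranet.corp.example are placeholders to replace with your own.

```python
"""Race a forwarder's upstream resolvers two ways and report who answered what.

query_all()        asks every server at once; the first reply wins, whatever it says.
query_sequential() walks the list in order, moving on only after a timeout.
Stdlib only; the DNS wire format is built and parsed by hand.
"""
import socket
import struct
import sys
import time
from concurrent.futures import ThreadPoolExecutor, as_completed

# Assumed placeholder upstreams: local resolver, an internal server, a public one.
DEFAULT_SERVERS = ["127.0.0.1", "192.0.2.53", "8.8.8.8"]
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
TXID = 0x1234


def build_query(name: str, txid: int = TXID) -> bytes:
    """Minimal A/IN query: header with RD set, one question, no EDNS."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, txid: int = TXID) -> dict:
    """Validate a reply header and return its rcode name and answer count."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    rid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    rcode = flags & 0x000F
    return {"rcode": RCODES.get(rcode, f"RCODE{rcode}"), "answers": an}


def ask(server: str, name: str, timeout: float) -> dict:
    """One UDP query to one server. A timeout or junk reply still produces a
    record, so the caller can see how much time a dead server cost."""
    start = time.monotonic()
    rec = {"server": server, "rcode": "NOREPLY", "answers": 0}
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (server, 53))
            data, _ = s.recvfrom(512)
            rec.update(parse_response(data))
        except (OSError, ValueError) as exc:  # socket.timeout is an OSError
            rec["rcode"] = "NOREPLY:" + type(exc).__name__
    rec["ms"] = round((time.monotonic() - start) * 1000)
    return rec


def answered(rec: dict) -> bool:
    """True when the server replied at all; NXDOMAIN from the wrong server counts."""
    return not rec["rcode"].startswith("NOREPLY")


def query_all(servers, name, timeout=2.0):
    """'Query all' behaviour: everyone is asked at once, first reply wins."""
    results, winner = [], None
    with ThreadPoolExecutor(max_workers=len(servers)) as pool:
        futures = [pool.submit(ask, s, name, timeout) for s in servers]
        for fut in as_completed(futures):
            rec = fut.result()
            results.append(rec)
            if winner is None and answered(rec):
                winner = rec
    return winner, results


def query_sequential(servers, name, timeout=2.0):
    """'Query sequentially' behaviour: fixed order, next server only after a timeout."""
    tried = []
    for s in servers:
        rec = ask(s, name, timeout)
        tried.append(rec)
        if answered(rec):
            return rec, tried
    return None, tried


if __name__ == "__main__":
    name = sys.argv[1] if len(sys.argv) > 1 else "intranet.corp.example"  # placeholder
    servers = sys.argv[2:] or DEFAULT_SERVERS
    for label, fn in (("query all", query_all), ("sequential", query_sequential)):
        winner, tried = fn(servers, name)
        print(f"[{label}] winner: {winner}")
        for rec in tried:
            print("   ", rec)
```

Run it with an internal name and your real upstreams (`python race.py intranet.corp.example 10.0.0.53 8.8.8.8`), then again with the internal server unplugged. The "query all" winner for the internal name is whichever server replied first, and a public resolver answering NXDOMAIN quickly is a valid winner; the sequential run shows each lookup paying the full timeout before the second server is tried. If the split-DNS case is the only reason for sequential order, dnsmasq's per-domain forwarding (`server=/corp.example/10.0.0.53`) sends internal names only to the internal server and leaves everything else free to race.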
                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.