DNS Forwarder and "Query DNS servers sequentially"

jrmitchell83 · Jan 16, 2014, 3:53 PM

Hello,

I'm running 2.1 64-bit and leverage the DNS Forwarder in our environment. I understand what "Query DNS servers sequentially" does, however I'm trying to understand different scenarios for enabling or disabling this feature. Can anyone explain why this setting should be configured one way over another? Again, I understand what it does, just trying to understand the pros/cons either way.

1.) When sequentially polling, obviously it always hits the same DNS server unless it's down. It will still send traffic to the server even if it's slower than the secondary
2.) When polling all, I assume that if you have 4 DNS servers, whoever comes back first wins? So this would probably be the best option then?

Thanks in advance!
-Justin

phil.davis · Jan 16, 2014, 4:29 PM

I believe the main problem with sequential polling is that when the 1st DNS server is down or unreachable, there is then always a significant wait for the timeout before moving on to the next DNS server. So name resolution becomes painfully slow.

Others feel free to add your thoughts…

johnpoz · Jan 16, 2014, 4:41 PM

yeah with sequential I would have to assume if the first one doesn't answer the client asking pfsense would of already timed out.. Now its possible client would give a neg cache for that.. So wouldn't even ask pfsense again until that ran out.

Don't quote me, but I believe that option was per someones feature request.. To be honest I am not sure why someone would use it.. I setup my isp anycast addresses and couple other public that are quick for pfsense to use. Let the fastest win I say ;)

jasonlitka · Jan 16, 2014, 6:48 PM

@johnpoz:

yeah with sequential I would have to assume if the first one doesn't answer the client asking pfsense would of already timed out.. Now its possible client would give a neg cache for that.. So wouldn't even ask pfsense again until that ran out.

Don't quote me, but I believe that option was per someones feature request.. To be honest I am not sure why someone would use it.. I setup my isp anycast addresses and couple other public that are quick for pfsense to use. Let the fastest win I say ;)

Sequential resolution is useful for when you have Split DNS but still need your network to function when all internal servers are offline. It guarantees that queries are served from the preferred servers if they are available, rather than just whoever ends up responding the fastest.

johnpoz · Jan 16, 2014, 7:04 PM

So your saying that pfsense client using pfsense forwarder where pfsense uses some internal dns server(s)

like
127.0.0.1
1.2.3.4 you control
8.8.8.8

So you want pfsense to ask your 1.2.3.4 box for dns all the time to resolve stuff that is not public. But if 1.2.2.4 down you want to still be able to resolve google from the client of pfsense.

Ok guess that makes sense - but does pfsense stop asking 1.2.3.4 if he doesn't answer, or does it continue to keep asking it and having to timeout before he asks 8.8.8.8?

If he keeps asking - yeah I agree dns is going to blow for the clients behind pfsense.

jasonlitka · Jan 16, 2014, 11:30 PM

@johnpoz:

So your saying that pfsense client using pfsense forwarder where pfsense uses some internal dns server(s)

like
127.0.0.1
1.2.3.4 you control
8.8.8.8

So you want pfsense to ask your 1.2.3.4 box for dns all the time to resolve stuff that is not public. But if 1.2.2.4 down you want to still be able to resolve google from the client of pfsense.

Ok guess that makes sense - but does pfsense stop asking 1.2.3.4 if he doesn't answer, or does it continue to keep asking it and having to timeout before he asks 8.8.8.8?

If he keeps asking - yeah I agree dns is going to blow for the clients behind pfsense.

Yeah, it's slow but at least it works. It's enough to get your network back up and running.

NOYB · Jan 18, 2014, 2:21 AM

How slow it is may depend on how aggressive an application is at getting a name resolved.

For example I just assigned some non DNS address as the first DNS server and pinged a domain from a Windows 8.1 client. A second DNS query was made by the client after about 20ms for which pfSense used the second DNS server and returned the domains address back to the client in under 40 ms from the time of the clients first query.

Windows NSLOOKUP on the other hand is a total timeout failure that only hits the first DNS address.

IE 11 name resolution results where similar to that of ping.

I prefer not querying every DNS server since probably about 99% of the time the one I have listed first is the fastest anyway. And because that is mostly due to network latency it's not likely to change. So there is little benefit in some cases to sending all those DNS queries when the first one is going to be used anyway for the vast majority of the time.

For a highly critical system it very well be required though.