DNS resolving question



  • Dear All,
    I have a question and need your suggestions on whether I've configured it correctly or not.
    I am using pfSense on my virtual infrastructure.
    I have configured pfSense to do the DNS forwarding for me.
    On the General Setup page of pfSense I've configured it to forward DNS to my ISP DNS.

    • I've selected the option "Do not use the DNS Forwarder as a DNS server for the firewall"
    • I've unselected the option "Allow DNS server list to be overridden by DHCP/PPP on WAN"
    • On my domain controller's forwarder I've used the pfSense IP

    My clients receive the domain controller as their DNS server
    and pfSense as their gateway.

    Thank you


  • Rebel Alliance Global Moderator

    Correctly for what?

    So pfSense DNS is whatever it gets from DHCP on the WAN - is it WAN DHCP?  Doesn't sound like it, so it has no DNS?  Or it's using your ISP, and not its own forwarder - why would you want this?

    What are you handing to your clients from pfSense?

    There are always multiple ways to skin the cat; which one is correct depends on multiple variables, etc.  You would want to minimize the number of queries, and allow for the fastest possible queries of local resources, etc. etc.  Without understanding your network layout it's hard to tell if you're doing it how I would do it or not.  Doesn't sound like it ;)



  • @johnpoz:

    Correctly for what?

    So pfSense DNS is whatever it gets from DHCP on the WAN - is it WAN DHCP?  Doesn't sound like it, so it has no DNS?  Or it's using your ISP, and not its own forwarder - why would you want this?

    What are you handing to your clients from pfSense?

    There are always multiple ways to skin the cat; which one is correct depends on multiple variables, etc.  You would want to minimize the number of queries, and allow for the fastest possible queries of local resources, etc. etc.  Without understanding your network layout it's hard to tell if you're doing it how I would do it or not.  Doesn't sound like it ;)

    Hi John,
    long time no speak :), thank you for your answer.
    My WAN side is static, and my pfSense is using the ISP DNS.
    I want to limit the number of queries for the fastest possible response.

    The configuration is as follows:

    Internet >>> ISP MODEM >>>> WAN0-pfSense-LAN0 >>>>> Domain controllers >>>>>> Clients

    I am handing to the clients the following:

    DNS = the domain controller as DNS server
    pfSense = as the gateway (eth1, LAN)

    The domain controller forwards DNS requests to pfSense.
    pfSense forwards those to the ISP DNS.

    Thank you for your answer.
  • Since you have a domain controller, you have a domain. In order for clients in that domain to work properly, they need to use the domain controller DNS. This part is correct.

    The domain controller needs to forward queries to the internet for those domains that it is a) not authoritative for and b) does not have a cached response already in place for. You have two ways to configure this portion…

    The domain controller DNS can forward its queries to an upstream system - pfSense - and subsequent queries will be forwarded on from there if necessary. This MAY add a very slight delay to the initial response coming back, but it should not be noticeable to the client. And, once the response is cached, there should be no perceptible delay of any kind.

    The domain controller can also be configured to be root-nameserver-aware and make its queries directly out to the Internet to understand the structure. This MAY produce a very slightly quicker initial response, and may also not work with some ISPs (they want you using THEIR DNS servers as forwarders).

    There is a third option, but it makes no sense... You could point through to the ISPs DNS servers as forwarders, but this tacks on packets being NAT'ed just to get a cached response. This process will likely be quicker overall if you just let the pfSense do this.
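    As an added example (not code from this thread or from pfSense), here is a stdlib-only probe that queries each hop of the chain described above twice and reports whether the hop answers with the RA (recursion available) flag, the RCODE, and how much faster the second, cached answer comes back. The addresses in the main block are constructed placeholders; replace them with your domain controller, pfSense LAN address and ISP resolver.

    ```python
    import random
    import socket
    import struct
    import time

    def build_query(name, qtype=1, txid=None):
        """Build a minimal DNS query: one question, RD=1 (qtype 1 = A record)."""
        txid = random.randint(0, 0xFFFF) if txid is None else txid
        # flags 0x0100 = standard query with recursion desired; QDCOUNT = 1
        header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
        labels = [lbl.encode("ascii") for lbl in name.rstrip(".").split(".")]
        qname = b"".join(bytes([len(lbl)]) + lbl for lbl in labels) + b"\x00"
        return header + qname + struct.pack(">HH", qtype, 1)  # QCLASS 1 = IN

    def parse_header(resp):
        """Decode the 12-byte DNS header into the fields worth checking per hop."""
        txid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
        # QR: it is a response; RA: the hop will recurse/forward for us; RCODE 0 = NOERROR
        return {"id": txid, "qr": bool(flags & 0x8000), "ra": bool(flags & 0x0080),
                "rcode": flags & 0x000F, "answers": ancount}

    def query(server, name, timeout=2.0):
        """Send one UDP query to server:53 and return (header dict, latency in ms)."""
        q = build_query(name)
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
            sock.settimeout(timeout)
            start = time.perf_counter()
            sock.sendto(q, (server, 53))
            data, _ = sock.recvfrom(4096)
            elapsed_ms = (time.perf_counter() - start) * 1000
        hdr = parse_header(data)
        if hdr["id"] != struct.unpack(">H", q[:2])[0]:  # reject a reply that is not ours
            raise ValueError("transaction ID mismatch")
        return hdr, elapsed_ms

    def probe_chain(servers, name):
        """Query each hop twice; a much faster second answer means that hop cached it."""
        report = {}
        for server in servers:
            first, cold_ms = query(server, name)
            _, warm_ms = query(server, name)
            report[server] = {"rcode": first["rcode"], "ra": first["ra"], "answers": first["answers"],
                              "cold_ms": round(cold_ms, 1), "warm_ms": round(warm_ms, 1)}
        return report

    if __name__ == "__main__":
        # Constructed placeholders: list your DC, pfSense LAN address and ISP resolver in order.
        for hop, result in probe_chain(["192.0.2.10", "192.0.2.1"], "example.com").items():
            print(hop, result)
    ```

    A hop that answers with ra False or RCODE 5 (REFUSED) is not willing to forward for the querying host, which is the first thing to check when a forwarder chain feels slow or fails.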



  • @ember1205:

    Since you have a domain controller, you have a domain. In order for clients in that domain to work properly, they need to use the domain controller DNS. This part is correct.

    The domain controller needs to forward queries to the internet for those domains that it is a) not authoritative for and b) does not have a cached response already in place for. You have two ways to configure this portion…

    The domain controller DNS can forward its queries to an upstream system - pfSense - and subsequent queries will be forwarded on from there if necessary. This MAY add a very slight delay to the initial response coming back, but it should not be noticeable to the client. And, once the response is cached, there should be no perceptible delay of any kind.

    The domain controller can also be configured to be root-nameserver-aware and make its queries directly out to the Internet to understand the structure. This MAY produce a very slightly quicker initial response, and may also not work with some ISPs (they want you using THEIR DNS servers as forwarders).

    There is a third option, but it makes no sense... You could point through to the ISPs DNS servers as forwarders, but this tacks on packets being NAT'ed just to get a cached response. This process will likely be quicker overall if you just let the pfSense do this.

    Hi Ember, thank you for your answer.
    You mean configuring the DNS to use name servers as the external DNS, and pfSense will use the domain controller as its DNS forwarder?
    In the configuration it is my pfSense that is doing the forwarding.
    In my current configuration, I've noticed that the DNS response is a bit slow.

    So to configure this:

    on the pfSense DNS I will use my domain controller IP,
    and on the forwarder of my domain controller I need to use my ISP DNS.

    Is this what you are referring to?

    Much appreciated.



  • @Jamerson:

    Hi Ember, thank you for your answer.
    You mean configuring the DNS to use name servers as the external DNS, and pfSense will use the domain controller as its DNS forwarder?
    In the configuration it is my pfSense that is doing the forwarding.
    In my current configuration, I've noticed that the DNS response is a bit slow.

    So to configure this:

    on the pfSense DNS I will use my domain controller IP,
    and on the forwarder of my domain controller I need to use my ISP DNS.

    Is this what you are referring to?

    Much appreciated.

    No.

    I thought I had laid it out pretty clearly already, but let me see if I can add detail that will help.

    Clients use domain controller. Domain controller forwards to pfSense. pfSense either forwards to ISP or is root-nameserver-aware.

    You had commented about needing the fastest responses possible for DNS. I pointed out a couple of potential increases / reductions in response time based on certain configurations, but overall you will be perfectly fine using the method I just laid out. Do not consume yourself with getting "the fastest response" for DNS… Clients are built to tolerate small delays and will be just fine.



  • @ember1205:

    @Jamerson:

    Hi Ember, thank you for your answer.
    You mean configuring the DNS to use name servers as the external DNS, and pfSense will use the domain controller as its DNS forwarder?
    In the configuration it is my pfSense that is doing the forwarding.
    In my current configuration, I've noticed that the DNS response is a bit slow.

    So to configure this:

    on the pfSense DNS I will use my domain controller IP,
    and on the forwarder of my domain controller I need to use my ISP DNS.

    Is this what you are referring to?

    Much appreciated.

    No.

    I thought I had laid it out pretty clearly already, but let me see if I can add detail that will help.

    Clients use domain controller. Domain controller forwards to pfSense. pfSense either forwards to ISP or is root-nameserver-aware.

    You had commented about needing the fastest responses possible for DNS. I pointed out a couple of potential increases / reductions in response time based on certain configurations, but overall you will be perfectly fine using the method I just laid out. Do not consume yourself with getting "the fastest response" for DNS… Clients are built to tolerate small delays and will be just fine.

    Thank you for your answer.
    The way you mentioned is exactly how it's configured;
    pfSense doesn't have its own nameservers, it just sends the packets to the ISP DNS.
    Is using either of the 2 scenarios you've posted going to have the same result?

    Thank you



  • There are a few different ways it can be set up. They will all have roughly the same sort of responsiveness to look up a "new" host (one that is not already in the cache since the last time it was restarted) but your current configuration offers you the best reliability and stability for your clients.



  • @ember1205:

    There are a few different ways it can be set up. They will all have roughly the same sort of responsiveness to look up a "new" host (one that is not already in the cache since the last time it was restarted) but your current configuration offers you the best reliability and stability for your clients.

    Thank you for sharing your ideas with me,
    much appreciated!
    One more question:
    on the DNS forwarder on my pfSense, should I use the gateway of my pfSense or not?
    In the current settings there is no gateway.
    If I have to use the gateway, can you tell me why?
    Much appreciated.


  • Rebel Alliance Global Moderator

    Why would you put a gateway on a LAN interface??  There is no setting in the DNS forwarder section asking for a gateway.



  • @johnpoz:

    Why would you put a gateway on a LAN interface??  There is no setting in the DNS forwarder section asking for a gateway.

    Hi John,
    I referred to these settings:
    https://forum.pfsense.org/index.php?action=dlattach;topic=82987.0;attach=50469;image
    I see the gateway settings are not selected and I was curious whether they should be selected, and why not?
    I believe those are WAN, not LAN, settings?


  • Rebel Alliance Global Moderator

    You would only select those if you needed a specific gateway to get to those DNS servers - in a normal setup pfSense would use its default route, or routing tables, to get to those servers.



  • @johnpoz:

    You would only select those if you needed a specific gateway to get to those DNS servers - in a normal setup pfSense would use its default route, or routing tables, to get to those servers.

    Thank you, John.