DNS Forwarder vs DNS Resolver pfSense 2.2



  • I have been using the DNS Forwarder all along and now I noticed that DNS Resolver has been added. The direction going forward seems to be DNS Resolver, so I am curious if I should begin transitioning my configuration over to the DNS Resolver? One thing I really liked about the DNS Forwarder was the ability to query DNS servers in parallel, leveraging the ability to always receive the fastest response from the DNS servers (in my case 6 configured). Does the DNS Resolver have similar capability? I don't see a setting for the DNS Resolver to control this like I did with the DNS Forwarder: "Query DNS servers sequentially: If this option is set, pfSense DNS Forwarder (dnsmasq) will query the DNS servers sequentially in the order specified (System - General Setup - DNS Servers), rather than all at once in parallel." I do NOT have this setting enabled, so I am currently querying DNS servers in parallel.

    Thank you



  • Sequential - Not necessarily fastest. Perhaps best though.
    Parallel - Almost certainly fastest.

    I'd use sequential when I wanted to order my DNS from most to least trusted (that's just me).

    I'd use parallel when I just wanted to get the first response from the first resolver to reply (fastest, but not necessarily the best reply).

    But that's old news for me now - I'm thinking I prefer unbound.



  • Hello kejianshi,

    Thank you for your quick response. I actually typed that up in the inverse of what I meant. Sorry about that. What I meant to say is that I currently am using parallel DNS queries with DNS Forwarder and was curious if DNS Resolver worked the same or had a similar configuration setting.



  • I don't know… Since it's not stated, I'd assume it's operating in parallel mode (but that's a guess).

    I can tell you this - you will not notice, because effectively, using the DNS Resolver your DNS response time will probably be about 1ms or so, which is very fast.

    It's going to cache all your DNS requests, so the very first time you go to playboy.com it's going to take like 20ms or something to get an answer, but every time you go back to playboy.com afterwards you will get your answer in about 1ms.

    You won't notice the difference between 20ms and 1ms, but I'm sure a DNS benchmarking app will show you.

    As a side note, speed (as measured in milliseconds of difference in response time) is far less important than reliability, i.e. I always get a response, it's reasonably quick and, more importantly, the reply is actually correct.



  • DNS Resolver doesn't do it in parallel. It does it sequentially.

    I am glad about it.
    I have a 3G connection for failover, and with parallel it uses too much of that bandwidth (the data volume was restricted to 100MB).



  • Querying a static list of DNS servers in parallel and using the first response, as DNS Forwarder does by default, will undoubtedly be the fastest. However, since it is a static list of DNS servers and RTT (round trip time) is usually the most significant factor of response time, one of the DNS servers will almost always be the fastest. So I just put that one at the top of the list and query sequentially. Ninety-nine percent of the time it would be fastest anyway, and there is no need to be generating all the other DNS queries that wouldn't get used anyway.

    As for trustworthiness and reliability, I wouldn't have any untrustworthy or unreliable DNS servers in the list.

    As for DNS Resolver, I've not looked into the details of how it works. But there are a few mode settings that change its behavior. From just the most cursory look, though, I think the mode I have it set to uses the DNS root servers to get the domain's designated NS and then queries that directly to resolve the address, if it doesn't have it in cache. Can't get much more trustworthy than using secure DNS to query root and domain-designated NS. Don't know, though, if it does any parallel queries.
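The trade-off argued in the posts above (every upstream at once with the first reply winning, versus one ordered list tried in sequence), as an added simulation that is not from any post here nor from pfSense or dnsmasq; the upstream addresses, latencies and the dead third server are constructed sample values, and the timeout is a parameter of the simulation:

```python
import asyncio
import time

# Constructed upstream list: (address, latency in seconds, answers at all?).
# Sample values for the simulation, not measurements of any real server.
UPSTREAMS = [
    ("10.0.0.1", 0.20, True),   # first in the configured order, but slower
    ("10.0.0.2", 0.05, True),   # fastest upstream
    ("10.0.0.3", 0.0, False),   # dead upstream: never replies
]
TIMEOUT = 0.5  # how long to wait on one upstream before giving up

async def fake_query(server, latency, answers):
    """Stand-in for one UDP query to an upstream; resolves to the replying server."""
    if not answers:
        await asyncio.sleep(TIMEOUT * 10)   # well past any timeout: no reply ever
    await asyncio.sleep(latency)
    return server

async def parallel_lookup(upstreams):
    """dnsmasq default: query every upstream at once and keep the first reply."""
    tasks = [asyncio.create_task(fake_query(*u)) for u in upstreams]
    done, pending = await asyncio.wait(tasks, timeout=TIMEOUT,
                                       return_when=asyncio.FIRST_COMPLETED)
    for task in pending:
        task.cancel()   # the other replies are discarded but were still requested
    winner = next(iter(done)).result() if done else None
    return {"queries_sent": len(tasks), "answered_by": winner}

async def sequential_lookup(upstreams):
    """'Query DNS servers sequentially': one upstream at a time, in list order."""
    for sent, upstream in enumerate(upstreams, start=1):
        try:
            server = await asyncio.wait_for(fake_query(*upstream), TIMEOUT)
            return {"queries_sent": sent, "answered_by": server}
        except asyncio.TimeoutError:
            continue   # no reply from this one: move on to the next in order
    return {"queries_sent": len(upstreams), "answered_by": None}

def compare(upstreams=UPSTREAMS):
    """Run both strategies over the same list; queries sent vs. wall time spent."""
    results = {}
    for name, strategy in (("parallel", parallel_lookup), ("sequential", sequential_lookup)):
        start = time.perf_counter()
        result = asyncio.run(strategy(upstreams))
        result["elapsed_s"] = round(time.perf_counter() - start, 2)
        results[name] = result
    return results

if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:>10}: {result}")
```

Parallel answers from the fastest server but sends a query to every upstream each time (the bandwidth cost noted for a metered failover link); sequential sends one query and answers from the first server in the configured order, paying a full timeout only when that server is down.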



  • The question I've been curious about but haven't bothered to ask yet, and here now seems like maybe as good a time to bring it up as any, is: with DNS Resolver mode set to use root servers… what is the need, use, etc. of the specified DNS list in System General Setup?



  • For me, none.



  • Another thing is that it is stated in the pfSense FAQ that forwarding mode is necessary for multi-WAN configurations. Why is that, if unbound will query the list of DNS servers in the general page sequentially anyway?



  • @NOYB:

    The question I've been curious about but haven't bothered to ask yet, and here now seems like maybe as good a time to bring it up as any, is: with DNS Resolver mode set to use root servers… what is the need, use, etc. of the specified DNS list in System General Setup?

    I think that list still serves as a fallback for pfSense itself, in the event that Unbound crashes or stops responding for some reason. I keep the Google DNS servers in that list just in case… the resolv.conf shows 127.0.0.1, followed by the two Google DNS servers. Of course, the rest of my network still won't have DNS resolution if Unbound were to fail for some reason, but at least pfSense would be able to resolve outside hosts.


  • Yeah, I would strongly suggest leaving some known working DNS servers there, independent of the DNS forwarder/resolver in pfSense. Without any DNS available, things just slow down to a crawl when trying to do something in the web GUI.



  • Just in case all of the root DNS servers go down but the rest of the internet is doing fine? haha


  • No, just in case unbound crashes or fails to start… as said above.



  • I've had really unpredictable results with "hedging my bets" when it comes to DNS. Seems like an all-or-nothing game, or else super flaky.

    I removed my reliable backup servers from that list precisely because it made things dodgy.

    Take with a grain of salt of course since this is just one lone person's perhaps unique experience.



  • Any thoughts on my question above?



  • A DNS forwarder is supposed to forward DNS requests to a resolver. A DNS resolver does the actual name resolution by checking root servers and following the NS chain to the target DNS server that is responsible for the requested hostname/zone.

    So it would seem that sequence of the resolvers and such would have no impact because they are irrelevant in this case.



  • @dericd:

    A DNS forwarder is supposed to forward DNS requests to a resolver. A DNS resolver does the actual name resolution by checking root servers and following the NS chain to the target DNS server that is responsible for the requested hostname/zone.

    So it would seem that sequence of the resolvers and such would have no impact because they are irrelevant in this case.

    So do you have both set up? What port did you use for each, since you can't use the same port for the resolver and the forwarder? Just trying to figure out how to go about using both.



  • It's an either/or, not both thing. The resolver should be faster for most cases as it's serving locally from limited queries to the outside world (first time a name is asked for or when the TTL expires and it rechecks), rather than constantly querying the outside world.



  • Ahh, I didn't notice till I looked at the settings again that the resolver has a button for DNS Query Forwarding… oops, that should help speed things up.



  • The resolver should be faster for most cases as it's serving locally from limited queries to the outside world (first time a name is asked for or when the TTL expires and it rechecks), rather than constantly querying the outside world.

    Hmmm, I was under the impression that Forwarder also cached requests. The book says, "The DNS Forwarder in pfSense is a caching DNS resolver." So, is Resolver really going to be faster than Forwarder, since they both cache requests?

    On https://doc.pfsense.org/index.php/DNS_Forwarder, it notes, "Important Note: This service should not be exposed publicly. Ensure inbound rules on WANs do not allow connections from the Internet to reach the DNS Forwarder service on the firewall." Is that true also for Resolver? Is that done by blocking (rejecting?) access to port 53 (or whichever port is being used) on the WAN? Or is it preferred to use the "Interfaces" section for the Forwarder service setup ("Network Interfaces" in Resolver) to take care of that?

    The context for these questions is a simple home router without running any internet server (at the moment).

    BTW, https://doc.pfsense.org/index.php/Unbound_DNS_Resolver implies both can be running at the same time, although I'm not sure why one would do that. They must use different ports.
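For the exposure question in the post above (does the forwarder or resolver answer recursive queries arriving on the WAN side?), an added check that is not from the pfSense documentation or from any post here: it builds a plain recursive A query with the standard library, sends it to the address you give it, and reports from the reply header whether the firewall recursed for an outside client. The sample reply headers are constructed for offline testing, and the default 192.0.2.1 is a documentation placeholder standing in for your own WAN address.

```python
import os
import socket
import struct

def build_query(qname, qtype=1):
    """Minimal DNS query with RD (recursion desired) set; returns (txid, wire bytes)."""
    txid = int.from_bytes(os.urandom(2), "big")
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)   # flags: RD=1, QDCOUNT=1
    labels = [label.encode() for label in qname.rstrip(".").split(".")]
    qname_wire = b"".join(bytes([len(label)]) + label for label in labels) + b"\x00"
    return txid, header + qname_wire + struct.pack("!HH", qtype, 1)  # QTYPE, QCLASS=IN

def classify_response(txid, data):
    """Read the reply header: did the server resolve the name on our behalf?"""
    if len(data) < 12:
        return "ignored: truncated reply"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if rid != txid:
        return "ignored: transaction id mismatch"
    ra = bool(flags & 0x0080)          # RA bit: recursion available to this client
    rcode = flags & 0x000F
    if rcode == 5:
        return "refused: server is reachable but declines to recurse for this client"
    if rcode == 0 and ra and ancount > 0:
        return "EXPOSED: recursive answer returned to this client"
    return f"answered without recursion (rcode={rcode}, ra={ra}, answers={ancount})"

def check_open_resolver(host, port=53, qname="example.com", timeout=2.0):
    """Send one recursive query to host:port from where this script runs."""
    txid, query = build_query(qname)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (host, port))
        try:
            data, _ = sock.recvfrom(512)
        except socket.timeout:
            return "no reply: port filtered or dropped (the expected result on a WAN)"
    return classify_response(txid, data)

# Constructed reply headers for offline testing (12-byte header only, no records).
SAMPLE_OPEN_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0)    # QR|RD|RA, NOERROR, 1 answer
SAMPLE_REFUSED_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8185, 1, 0, 0, 0)  # QR|RD|RA, REFUSED

if __name__ == "__main__":
    import sys
    # Placeholder address from the documentation range; replace with your WAN IP.
    print(check_open_resolver(sys.argv[1] if len(sys.argv) > 1 else "192.0.2.1"))
```

Run it from a host outside your network against your WAN address: a timeout or "refused" is what the note in the documentation asks for, while "EXPOSED" means the WAN rules or the service's interface binding still let outside clients use the cache.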



  • I found the answer to the "exposure" question here:
    https://forum.pfsense.org/index.php?topic=90557.msg500907#msg500907



  • I am using my domain controller to resolve the DNS requests, and pfSense is using my domain controller as DNS to resolve the requests.
    Is using the DNS Forwarder and DNS Resolver in pfSense going to speed things up?
    Thank you

