DNS forwarder vs. DNS resolver / 2.2.2 vs. 2.1.x



  • I have purchased a "gold" membership and gotten a copy of the latest pfSense book, in the hope it would help hit me with a clue stick.

    The book is somewhat lacking on 2.2.2 content, and appears to still be firmly oriented to the 2.1 release.

    Am I correct in assuming the install from 2.1 and patch up to the latest release would be safe to fall back to for the better documentation - ie., all the latest and greatest security patches would be present?

    Anyone have reading suggestions?



  • Yes I think you're right - the book hasn't been updated with the absolute latest content.  Time will take care of that I'm sure… it's the nature of the beast with software (especially open source) that the docs typically lag a little behind the cutting edge of the code releases.

    A good place to do some extra reading would be the DocuWiki "recent changes" page:
    https://doc.pfsense.org/index.php?title=Special:RecentChanges&days=30

    Other than that nothing like browsing these forums and reading the active topics to learn  :)


  • Banned

    Stick with 2.1.5.

    It's much more resilient to DDoS attacks than the current code.


  • Banned

    @Supermule:

    Stick with 2.1.5.

    It's much more resilient to DDoS attacks than the current code.

    Please, read the damned subject, the OP and quit this DoS crap. Enough really. For starters, some 99.99999% of users do NOT get DoSed. And when they do, they use their brain and call their ISP, instead of trying to fight a DDoS with a packet filter.  ::)



  • Thank you for the link.  I'm looking for a somewhat reasonable write up of the differences between the two.  DNS Resolver is not working for me and I really have no clue why.
    We can't transfer files across pfsense (private network hosts downloading content from hosts outside the private network, through pfsense), the transfer eventually times out.
    Every time I update any setting on pfsense I see this script error occurring that scrolls through a small area behind the title bar across the top of the GUI,

    I'm pretty sure I don't know pfSense at all, but setting up an IPV4 NAT gateway isn't that difficult.
    This just looks like I'm using something not-quite-ready-for-prime-time.
    Which is fine and all, but I'm looking for a version that I can find full, reliable documentation for that just works…

    Edit: I quoted the wrong response.  :P
    To be fair, our network environment is a bit .. challenging.
    I have 10 IP addresses on our internal network that I have to use to hide about 135 - 150 physical and virtual machines for various tests that we do.
    The corporate network too is an IPV4 private address range, and we even occasionally see collisions on our class B behind our NAT firewall with some rogue system someone plugged into the corporate network.  That's rare these days but has happened in the past.


  • Banned

    @MakOwner:

    Thank you for the link.  I'm looking for a somewhat reasonable write up of the differences between the two.

    Between what two? 2.2.2 vs 2.1.x? Considered reading the release notes?

    https://doc.pfsense.org/index.php/2.2_New_Features_and_Changes
    https://doc.pfsense.org/index.php/2.2.1_New_Features_and_Changes
    https://doc.pfsense.org/index.php/2.2.2_New_Features_and_Changes

    @MakOwner:

    DNS Resolver is not working for me and I really have no clue why.
    We can't transfer files across pfsense (private network hosts downloading content from hosts outside the private network, through pfsense), the transfer eventually times out.

    Transfer how? And how's that timeout related to DNS?

    @MakOwner:

    Every time I update any setting on pfsense I see this script error occurring that scrolls through a small area behind the title bar across the top of the GUI,

    Don't you think it'd be important to post the exact error to get any help?

    @MakOwner:

    The corporate network too is an IPV4 private address range, and we even occasionally see collisions on our class B behind our NAT firewall with some rogue system someone plugged into the corporate network.  That's rare these days but has happened in the past.

    Job for a decent switch, not pfSense.



  • Don't you think it'd be important to post the exact error to get any help?

    If there had been some way to capture the error, you think I wouldn't have posted it?
    It's a script error that was being displayed behind the transparent image used in the web GUI display.

    I just shut it down and went back to the IPCop distribution we had been using – it does the IPV4 stuff we need without a hiccup, but doesn't do IPV6 which I need now.

    I still need IPV6, I paid for access to the manual and the manual doesn't really tell me much about the current product release.
    I am not impressed so far.


  • LAYER 8 Global Moderator

    And the system log itself did not report any error?  Find that hard to believe if you were seeing some gui announcement..  Normally which you have to acknowledge to clear..  A screenshot of what you were seeing might have helped.

    As to your resolver not working - 2 seconds of troubleshooting would have told you why it wasn't working.  Do you even understand the difference between a resolver and forwarder?  Did you try putting unbound in forwarder mode, or use the forwarder (dnsmasq) vs resolver (unbound)?

    As to your transfer - so it starts and then times out, it doesn't resolve to where you're trying to get something?  And that is why it times out?

    Without clue one to the issues you're having, there is no way to help you..  Why don't you try again, and this time give us something to work with..  What hardware are you installing pfsense on?  Are you using 64 or 32 bit?  Is it a VM install?  Is pfsense behind a nat?  Or public on its wan IP, do you only have 1 large flat 10 network or do you have multiple segments?  What exactly is this transfer you're trying to do? cifs/smb/ftp/sftp/tftp/http/??  Is it from another private network on the wan, or actual internet?  If resolver is not working - how about a simple sniff on your wan, do you see it query.. Does it get any responses? If for example pfsense is behind a NAT, and 53 udp/tcp is not allowed outbound to the public net then resolver is going to have a really hard time talking to the roots and authoritative name servers for the domains you're wanting to resolve..

    I was a big fan of ipcop back in the day..  Is a good distro, glad you're happy with it - but pfsense is so far past the feature set of ipcop..  IPv6 has been working in pfsense for long time..  that ipcop has not started support for it very disappointing..
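The WAN sniff suggested in the post above, turned into a small added example (not code from this thread or from pfSense): it parses the DNS header of each packet in a constructed capture, tells resolver-style queries (unbound iterating with RD=0 toward root and authoritative servers) from forwarder-style ones (dnsmasq or unbound forwarding with RD=1 to an upstream), and lists queries that never received a reply, which is what filtered outbound port 53 looks like on the wire. The capture, the pfSense WAN address and the upstream 203.0.113.1 are constructed placeholders.

```python
import struct
from collections import Counter

# Constructed sample capture of a WAN interface: (src, dst, dst_port, dns_payload).
# Only the 12-byte DNS header matters here; question/answer sections are omitted.
PFSENSE_WAN = "192.0.2.10"   # constructed pfSense WAN address (TEST-NET-1)
ROOT_SERVER = "198.41.0.4"   # a.root-servers.net
UPSTREAM = "203.0.113.1"     # placeholder ISP forwarder (TEST-NET-3)

def dns_header(txid, qr, rd, rcode=0):
    """Build a DNS header: id, flags (QR = bit 15, RD = bit 8, RCODE = low nibble), one question."""
    flags = (qr << 15) | (rd << 8) | rcode
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)

def parse_header(payload):
    """Pull transaction id and the flag bits we care about out of a DNS header."""
    txid, flags = struct.unpack("!HH", payload[:4])
    return {"id": txid, "qr": (flags >> 15) & 1, "rd": (flags >> 8) & 1, "rcode": flags & 0xF}

def sample_capture():
    return [
        # resolver mode: iterative query (RD=0) to a root server, answered
        (PFSENSE_WAN, ROOT_SERVER, 53, dns_header(0x1001, qr=0, rd=0)),
        (ROOT_SERVER, PFSENSE_WAN, 40001, dns_header(0x1001, qr=1, rd=0)),
        # second iterative query: no reply ever comes back (outbound 53 filtered upstream)
        (PFSENSE_WAN, ROOT_SERVER, 53, dns_header(0x1002, qr=0, rd=0)),
        # forwarder mode: recursion-desired query (RD=1) to the upstream, answered with SERVFAIL
        (PFSENSE_WAN, UPSTREAM, 53, dns_header(0x2001, qr=0, rd=1)),
        (UPSTREAM, PFSENSE_WAN, 40002, dns_header(0x2001, qr=1, rd=1, rcode=2)),
    ]

def classify(packets):
    """Pair queries with replies by transaction id; report query style, unanswered and SERVFAIL ids."""
    queries, replies, modes = {}, {}, Counter()
    for src, dst, dport, payload in packets:
        h = parse_header(payload)
        if h["qr"] == 0 and dport == 53:
            queries[h["id"]] = dst
            modes["resolver (RD=0, iterative)" if h["rd"] == 0 else "forwarder (RD=1 to upstream)"] += 1
        elif h["qr"] == 1:
            replies[h["id"]] = h["rcode"]
    return {
        "modes": dict(modes),
        "unanswered": [i for i in queries if i not in replies],
        "servfail": [i for i, rc in replies.items() if rc == 2],
    }

if __name__ == "__main__":
    print(classify(sample_capture()))
```

An all-unanswered result points at filtering between pfSense and the internet rather than at unbound itself; SERVFAIL replies point at the upstream or at validation.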


  • Banned

    @johnpoz:

    I was a big fan of ipcop back in the day..  Is a good distro, glad you're happy with it - but pfsense is so far past the feature set of ipcop..  IPv6 has been working in pfsense for long time..  that ipcop has not started support for it very disappointing..

    I have translated the entire thing to Czech, years and years ago. And frankly, it's extremely hard to spot any progress ever since. Plus, IPv6 is indeed virtually nonexistent. Pretty much dead project.



  • @johnpoz:

    And the system log itself did not report any error?  Find that hard to believe if you were seeing some gui announcement..  Normally which you have to acknowledge to clear..  A screenshot of what you were seeing might have helped.

    Not that I could tell - and not that I am that skilled at looking either.

    As to your resolver not working - 2 seconds of troubleshooting would have told you why it wasn't working.  Do you even understand the difference between a resolver and forwarder?  Did you try putting unbound in forwarder mode, or use the forwarder (dnsmasq) vs resolver (unbound)?

    As to your transfer - so it starts and then times out, it doesn't resolve to where you're trying to get something?  And that is why it times out?

    Without clue one to the issues you're having, there is no way to help you..  Why don't you try again, and this time give us something to work with..  What hardware are you installing pfsense on?  Are you using 64 or 32 bit?  Is it a VM install?  Is pfsense behind a nat?  Or public on its wan IP, do you only have 1 large flat 10 network or do you have multiple segments?  What exactly is this transfer you're trying to do? cifs/smb/ftp/sftp/tftp/http/??  Is it from another private network on the wan, or actual internet?  If resolver is not working - how about a simple sniff on your wan, do you see it query.. Does it get any responses? If for example pfsense is behind a NAT, and 53 udp/tcp is not allowed outbound to the public net then resolver is going to have a really hard time talking to the roots and authoritative name servers for the domains you're wanting to resolve..

    Transfers were failing because name resolution failed - eventually - as best I could tell.  The results of those transfer failures were masked behind other software error logging, so it wasn't like we were doing straight sftp transfers and observing the failure.  I suspect the biggest issue was that I was trying to set up IPV4 and IPV6 at the same time on pfSense having never touched pfSense before at all – and in addition we have to NAT from a private network to a private network.  Someone suggested the configuration called for a switch and not pfSense -- and that is correct if the world was fair and perfect.
    It isn't and I'm allowed 10 IP addresses on the 10.x.x.x internal network.
    I have 75+ machines and VMs to manage on that IP range, that have to be addressable to one another, but not on the 10.x.x.x network.
    So a NAT setup works well.  For IPV6, I don't care - the 10.x.x.x network is on their own if I leak addresses there, but keeping the range masked would be a big plus.

    I was a big fan of ipcop back in the day..  Is a good distro, glad you're happy with it - but pfsense is so far past the feature set of ipcop..  IPv6 has been working in pfsense for long time..  that ipcop has not started support for it very disappointing..

    IPCop works for IPV4, it's been a long time since I have even seen much of an update – the English support forums have folded, so I assumed it was not much longer a viable approach.
    I will say it does IPV4 well, and just does its thing and I never have to touch it unless it's to update IP address assignments.  I am familiar enough with it that it is very easy for me.
    It's not that I'm unhappy with it, I just need IPV6, in addition to IPV4.


  • LAYER 8 Global Moderator

    "Transfers were failing because name resolution failed - eventually - as best I could tell"

    In the middle of the transfer?  So were you doing sftp or what?  Or was that just some example and you have some application/script using sftp?

    As to the world being perfect and fair?  Ok - you can not get a switch to do a switch's job?  How is that?  Who would only give you 10 IPs in a 10.x.x.x network?  The 10 address space has some 16 million addresses, you could have over 32k /24 networks.. What freaking idiot would set it up so a site/location/department whatever could only have 10 IPs??  Or that you would have to do nat inside your 10 space? Makes ZERO sense.. Fix that nonsense!!  Or you know what, there are 2 other major networks you could leverage in the rfc1918 space that give you another 1.1 million addresses to use.. That you should be natting private address space inside a company's network is just NONSENSE.

    Now if you were supporting a different company and they were also using 10 that steps on yours, then yeah you would have to nat those between your 2 companies.  But that a single company would limit you to 10 ips in 10 space is just freaking ridiculous..  Bring that up to whoever it is to be brought up to.. Get your IPAM guy fired if need be, clearly he has no clue to address space management if you can only have 10 addresses to work with and have to nat your 75 machines..  Why could he not give you a /25 out of the some 65k /25's that are available in the 10 space?  How many network segments in your whole company network??



  • @johnpoz:

    "Transfers were failing because name resolution failed - eventually - as best I could tell"

    In the middle of the transfer?  So were you doing sftp or what?  Or was that just some example and you have some application/script using sftp?

    As to the world being perfect and fair?  Ok - you can not get a switch to do a switch's job?  How is that?  Who would only give you 10 IPs in a 10.x.x.x network?  The 10 address space has some 16 million addresses, you could have over 32k /24 networks.. What freaking idiot would set it up so a site/location/department whatever could only have 10 IPs??  Or that you would have to do nat inside your 10 space? Makes ZERO sense.. Fix that nonsense!!  Or you know what, there are 2 other major networks you could leverage in the rfc1918 space that give you another 1.1 million addresses to use.. That you should be natting private address space inside a company's network is just NONSENSE.

    Sanity and idiocy aside, this is not an environment I control.  I work with what I have, and I have 10 IP addresses in a private network range and I have many systems that I need to have behind those addresses.
    NAT works well in this case.  Those machines need access to each other and some systems on the 10.x private network.  They don't need access to anything outside those two networks.

    Now if you were supporting a different company and they were also using 10 that steps on yours, then yeah you would have to nat those between your 2 companies.  But that a single company would limit you to 10 ips in 10 space is just freaking ridiculous..  Bring that up to whoever it is to be brought up to.. Get your IPAM guy fired if need be, clearly he has no clue to address space management if you can only have 10 addresses to work with and have to nat your 75 machines..  Why could he not give you a /25 out of the some 65k /25's that are available in the 10 space?  How many network segments in your whole company network??

    After running into these issues with 2.2.2, I took a breath and waited until 2.2.4 came out.  I set up with just IPV4 and so far it's working as I expected.  Whether that's correct or plausible is a whole other question, but I'm working within my limited skills on this.

