Netgate Discussion Forum
    DNS Forwarder Or DNS Resolver

      killmasta93

      Hi,

      So currently I'm using DNS Resolver (Unbound) for pfBlockerNG 2.0, and it works great. But I was wondering what would be better to run in a Windows Server environment, with clients querying the internal DNS so that they can resolve x.server.com?

      Thank you

      Tutorials:

      https://www.mediafire.com/folder/v329emaz1e9ih/Tutorials

        chris4916

        Is there currently anything preventing you from using either Forwarder or Resolver to resolve x.server.com?  ???
        Your point/problem is not clear to me yet.

        Jah Olela Wembo: Words turn into wounds when they upset, attack or hurt.

          johnpoz (LAYER 8 Global Moderator)

          huh?  If you're running AD, then clients should all point to your AD DNS server.  This server can then either forward to the pfsense forwarder/resolver, or just forward to your ISP/public DNS directly, or it can also do actual resolving directly.

          If you have AD set up, not sure why anyone would use the pfsense forwarder or resolver or even DHCP server - AD should be doing this.  It solves many issues and just makes for a cleaner setup.  Pfsense sure is not going to know about any AD domains, etc.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.7.2, 24.11

            killmasta93

            I guess what I meant is, should I use DNS Resolver instead of DNS Forwarder? My Windows Server handles DHCP and DNS with its AD; I have the pfSense DHCP server off. I guess the real question is: what is the best situation to use DNS Forwarder, and the best situation to use DNS Resolver?

            Sorry for the confusion  :-[

            Thank you

              johnpoz

              You shouldn't be using either of them if all your clients point to your AD..

              As to what is better, forwarder or resolver - do you understand what the difference is?  There is no one better than the other; depending on what you're trying/wanting to accomplish, one might be better suited than the other.

              A forwarder just forwards the query to some other server to get the answer, or answers from its cache.  So your client asks pfsense, running the forwarder or the resolver in forward mode, for www.pfsense.org.. If that was, say, just looked up by someone else, then it can return the IP for www.pfsense.org from its cache.  If not, it will "forward" that question to, say, your ISP DNS, Google DNS, OpenDNS, 4.2.2.2, whatever you set up that it should forward to.  That upstream server will then send down the answer from its cache, or maybe even forward it on to something else, until you hit a resolver.  The resolver is the one that asks the root servers: hey, what is the owning server for .org? OK, let's go ask them what is the owning server for pfsense.org. OK, let's go ask that NS for the A record www in pfsense.org.

              So what do you want to do, do you want to forward or resolve?  And why does it matter, since your clients should be talking to your AD anyway.  What you should be concerned with is how your AD is set up - does it forward, to where, or does it resolve?

              So for example the NS for .org are below; you get them from one of these:

              ;; ANSWER SECTION:
              .                      436480  IN      NS      i.root-servers.net.
              .                      436480  IN      NS      e.root-servers.net.
              .                      436480  IN      NS      l.root-servers.net.
              .                      436480  IN      NS      g.root-servers.net.
              .                      436480  IN      NS      f.root-servers.net.
              .                      436480  IN      NS      j.root-servers.net.
              .                      436480  IN      NS      a.root-servers.net.
              .                      436480  IN      NS      k.root-servers.net.
              .                      436480  IN      NS      d.root-servers.net.
              .                      436480  IN      NS      m.root-servers.net.
              .                      436480  IN      NS      c.root-servers.net.
              .                      436480  IN      NS      h.root-servers.net.
              .                      436480  IN      NS      b.root-servers.net.

              ;; QUESTION SECTION:
              ;org.                          IN      NS

              ;; ANSWER SECTION:
              org.                    86400  IN      NS      c0.org.afilias-nst.info.
              org.                    86400  IN      NS      a2.org.afilias-nst.info.
              org.                    86400  IN      NS      b0.org.afilias-nst.org.
              org.                    86400  IN      NS      d0.org.afilias-nst.org.
              org.                    86400  IN      NS      a0.org.afilias-nst.info.
              org.                    86400  IN      NS      b2.org.afilias-nst.org.

              So I can go ask them: hey, who is the NS for pfsense.org?

              ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @c0.org.afilias-nst.info pfsense.org ns
              :; udp: 4096
              ;; QUESTION SECTION:
              ;pfsense.org.                  IN      NS

              ;; AUTHORITY SECTION:
              pfsense.org.            86400  IN      NS      dns1.registrar-servers.com.
              pfsense.org.            86400  IN      NS      dns4.registrar-servers.com.
              pfsense.org.            86400  IN      NS      dns5.registrar-servers.com.
              pfsense.org.            86400  IN      NS      dns2.registrar-servers.com.
              pfsense.org.            86400  IN      NS      dns3.registrar-servers.com.

              I can then go ask one of them for www.pfsense.org

              ; <<>> DiG 9.9.5-3ubuntu0.2-Ubuntu <<>> @dns1.registrar-servers.com www.pfsense.org
              ;; QUESTION SECTION:
              ;www.pfsense.org.              IN      A

              ;; ANSWER SECTION:
              www.pfsense.org.        3600    IN      A      208.123.73.69

              ;; Query time: 122 msec
              ;; SERVER: 185.61.155.14#53(185.61.155.14)

                killmasta93

                @johnpoz Thank you for the detailed response. Now I get it. So my testing setup should have no conflict if I have the DHCP server disabled on pfSense and enabled on Windows Server, DNS on Windows Server with AD, and DNS Resolver (Unbound) blocking ads with DNSBL (pfBlockerNG dev).  :D

                  johnpoz

                  And what is going to ask pfsense for dns stuff - your AD dns server?

                    killmasta93

                    pfSense would use the ISP DNS, then the AD DNS

                    [attachment: Clipboarder.2015.05.18-003.png]

                      johnpoz

                      And why does pfsense need to resolve your AD clients?  And no, that is not what that means..

                      What do you think happens when it asks 200.13.249.101, or itself running the resolver, for something.yourADdomain.tld and gets back an NX?  Do you think it moves on to the next one?  That is not how DNS works..

                      Even if you were asking in parallel, which is how the forwarder used to work.. It would ask all of those at the same time and the first answer wins, etc.

                      Where is your AD DNS forwarding to, or resolving?  If you want pfsense to be able to resolve stuff in your AD, then point pfsense to your AD DNS - period!

                      Or in the forwarder/resolver put in an override for your AD that points to your AD server..  What exactly do you want to happen, and how is your DNS in AD set up.. Does it forward - to where, or does it ask roots?

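The toy model below is an added illustration of the two modes johnpoz describes (it is not code from the thread, from pfSense or from Unbound): resolve() walks NS referrals root -> .org -> pfsense.org the way the dig output above does, forward() hands the query to upstreams and only moves on after a timeout, so an internal AD name sent to the ISP first comes back NXDOMAIN, while an override for the AD zone (or listing the AD server) answers it. All server names, zones and addresses are constructed sample data.

```python
# Constructed sample data (not the real servers from the thread's dig output):
# a server either delegates child zones (NS referral) or holds final A records.
AUTH = {
    "root":       {"referral": {"org.": "tld-org"}},
    "tld-org":    {"referral": {"pfsense.org.": "ns-pfsense"}},
    "ns-pfsense": {"answer": {"www.pfsense.org.": "192.0.2.10"}},
    "ad-dns":     {"answer": {"dc1.corp.example.": "198.51.100.5"}},  # AD only
}

def _zones_from_root(name):
    """'www.pfsense.org.' -> ['org.', 'pfsense.org.', 'www.pfsense.org.']"""
    parts = name.rstrip(".").split(".")
    return [".".join(parts[i:]) + "." for i in range(len(parts) - 1, -1, -1)]

def query_auth(server, name):
    """One authoritative query: ('A', ip), ('NS', next_server) or ('NX', None)."""
    data = AUTH[server]
    if "answer" in data:
        ip = data["answer"].get(name)
        return ("A", ip) if ip else ("NX", None)
    for zone in _zones_from_root(name):
        if zone in data["referral"]:
            return ("NS", data["referral"][zone])
    return ("NX", None)

def resolve(name, overrides=None):
    """Resolver mode: walk referrals from the root, unless an override ({zone:
    server}, johnpoz's 'override for your AD') gives the start server.  Returns
    (ip or 'NXDOMAIN', list of servers asked)."""
    server = "root"
    for zone, srv in (overrides or {}).items():
        if name == zone or name.endswith("." + zone):
            server = srv
    path = []
    while True:
        path.append(server)
        kind, value = query_auth(server, name)
        if kind != "NS":
            return (value if kind == "A" else "NXDOMAIN"), path
        server = value                    # follow the referral

class Upstream:
    """A forwarder's upstream: resolves with its own overrides, or times out."""
    def __init__(self, name, overrides=None, down=False):
        self.name, self.overrides, self.down = name, overrides, down
    def ask(self, qname):
        return None if self.down else resolve(qname, self.overrides)[0]

def forward(name, upstreams, cache):
    """Forwarder mode: answer from cache, else ask the upstreams in listed order
    (a simplification).  Only a timeout moves on; NXDOMAIN is returned as-is."""
    if name in cache:
        return cache[name], "cache"
    for up in upstreams:
        answer = up.ask(name)
        if answer is None:
            continue                      # timeout -> try the next upstream
        cache[name] = answer
        return answer, up.name
    return "SERVFAIL", None
```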
                        killmasta93

                        Alright, sorry for the late reply; I was having some DNS troubles with the AD. Anyways, I would set the AD DNS forwarders to use pfSense and then let Unbound do the DNSBL blocking. Correct?

                          johnpoz

                          What are you using in pfsense that does DNSBL blocking?

                          Are you going to create local overrides for stuff you don't want to resolve?

                            killmasta93

                            I'm using DNSBL feeds to block ads and malware domains  ;D

                              johnpoz

                              And how does that block a DNS query.. or replace the query? That is just a firewall rule you're creating with pfblocker?

                              Unbound has no method of using that feed that I am aware of.  So why do you have to have your AD point to pfsense - just have it forward to public, say your ISP, or go direct from roots?  The only reason I could see to forward to the pfsense resolver would be to have DNSSEC support.

                                fraglord

                                I have pretty much the same setup here: All clients use the AD DNS which forwards the requests to pfsense that takes care of ads and malware (DNSBL). For pfBlockerNG I had to move over to Unbound (DNS Resolver). Before, DNS Forwarder provided an option to query the DNS servers under System -> General Setup sequentially. Unfortunately for DNS Resolver I cannot find a setting like this. What is the default behavior of querying the DNS servers using Unbound?

                                pfSense 2.4.0 (amd64) running on IGEL H710C | 1G RAM | 8G SSD | INTEL PRO/1000 PT Dual NIC

                                  johnpoz

                                  Again, what does a firewall rule blocking access to specific IPs have to do with what DNS you query??

                                  Please show how you're using DNSBL in pfsense to block whatever it is you want to block.. Unbound or the forwarder have no connection with any sort of DNSBL list AFAIK..  So you have a firewall rule using some list to block stuff - this has NOTHING to do with the DNS query, be it from forwarder, resolver or your AD..

                                    fraglord

                                    Well, ask the OP. :) My question was simply how Unbound queries the DNS servers (parallel / sequential), as there is no option to set this.

                                      johnpoz

                                      "I have pretty much the same setup here: All clients use the AD DNS which forwards the requests to pfsense that takes care of ads and malware (DNSBL)"

                                      You just stated you have the same setup.. WTF are you in the thread for if you have a question about something else - start your OWN thread..

                                      Unbound is meant to be a RESOLVER.. If you want forwarder mode and to use sequential or parallel mode, use dnsmasq - if you're using unbound in forwarder mode, to be honest you're using it wrong ;) Just use the older forwarder.  Why would you think you need to move to the resolver/unbound to use pfblockerNG??  pfblocker downloads lists of IPs and puts them in firewall rules/aliases - why would it freaking care if you use a forwarder/resolver, be it dnsmasq, unbound, bind, tiny, etc. etc..

                                      So I just installed pfblockerNG.. Where does it ask anything about what DNS you're using or have any integration with DNSBL??

                                      [attachment: dnsblpfblockerng.png]

                                        doktornotor (Banned)

                                        @johnpoz:

                                        So I just installed pfblockerNG.. Where does it ask anything about what DNS you're using or have any integration with DNSBL??

                                        This is in the non-public -dev version; totally off-topic here.

                                          johnpoz

                                          Ok how do I install this -dev version?

                                          How does it integrate with unbound?  pfblocker has been nothing more than a list downloader that you put into rules/aliases..  What you use for DNS should have nothing to do with that - other than the DNS you do use needs to be able to resolve where you grab the list of IPs.

                                            doktornotor (Banned)

                                            @johnpoz:

                                            Ok how do I install this -dev version?

                                            PM BBcan17.

                                            @johnpoz:

                                            How does it integrate with unbound?  pfblocker has been nothing more than a list downloader that you put into rules/aliases..  What you use for DNS should have nothing to do with that - other than the DNS you do use needs to be able to resolve where you grab the list of IPs.

                                            It's redirecting the requests to a 1x1px image on a webserver run on pfSense's virtual IP instead of blocking.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.