    DNS Resolver vs Standard DNS servers

    General pfSense Questions
    6 Posts 4 Posters 2.4k Views
    altiris

      I used to use OpenNIC servers as the DNS servers for pfSense: "System" > "General Setup" > "DNS", and I fill in the various DNS servers there. The OpenNIC DNS servers I use are experiencing a lot of downtime now, and I decided to try pfSense's DNS Resolver; it works very well, fast and everything. So I am asking here, is there any reason for me to use other DNS servers instead of my own? What are the drawbacks, DDoSing or DNS abuse or something? Does bandwidth usage rise?

      EDIT: I can not properly test, but I think the way DNS Resolver is currently configured, everyone can use the DNS server (outside of pfSense's networks), which I do not like.

      johnpoz (LAYER 8 Global Moderator)

        There is no reason to use other DNS if you're going to run your own resolver; you even have DNSSEC enabled, I would hope. You're not running an NS to the public. You're doing queries to the owning name servers from your box. Pretty much no different than a simple query.

        A DNS resolver checks its root hints and just walks the tree: Hey ., I am looking up a .com domain - OK, go to the NS for .com. Hey .com NS, I am looking up a record in something.com - OK, the owning server of something.com is ns1.something.com at IP 1.2.3.4. Hey ns1.something.com, what is the A record for www.something.com?

        Other than that this can be slower than just asking your ISP DNS for www.something.com -- and it already looked it up because someone else 10 minutes before looked it up and the TTL is 1 hour, so "here is what I looked up 10 minutes ago" vs. going to ask again. There is no reason to use any other DNS if you're running your own resolver. Unless you want to leverage their cache or filtering, etc.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

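        The walk johnpoz describes, root hints to TLD servers to the owning name server, plus the per-TTL caching that makes it cheap after the first lookup, as an added Python example that is not part of this thread or of pfSense/unbound. No network is used: the three "servers" are constructed in-memory zone data (the root hint 198.41.0.4 and the .com server 192.5.6.30 are the published addresses of a.root-servers.net and a.gtld-servers.net, but what they answer with here is made up, as is the final address 203.0.113.10; 1.2.3.4 for ns1.something.com is taken from the post). The injected clock exists only so TTL expiry can be exercised without waiting an hour.

```python
"""Toy iterative resolver: walks from a root hint through referrals, then caches
the answer for its TTL. No network is used; the "servers" are constructed
in-memory zone data, not real DNS."""

# Root hint: the address of a.root-servers.net. Everything the servers answer
# with below is constructed for the example (1.2.3.4 for ns1.something.com is
# the address used in the post above).
ROOT_HINTS = ["198.41.0.4"]

# Constructed authoritative data, keyed by the server address a resolver would
# send the query to. Each server either delegates a child zone (NS name + glue
# address) or holds the final A records, exactly like the walk in the post.
SERVERS = {
    "198.41.0.4": {  # root: knows only where .com lives
        "delegations": {"com.": ("a.gtld-servers.net.", "192.5.6.30")},
        "records": {},
    },
    "192.5.6.30": {  # .com: knows only where something.com lives
        "delegations": {"something.com.": ("ns1.something.com.", "1.2.3.4")},
        "records": {},
    },
    "1.2.3.4": {  # ns1.something.com: authoritative for the zone
        "delegations": {},
        "records": {"www.something.com.": ("203.0.113.10", 3600)},  # (A, TTL seconds)
    },
}


class IterativeResolver:
    def __init__(self, servers, root_hints, clock):
        self.servers = servers
        self.root_hints = root_hints
        self.clock = clock            # callable returning seconds; injected so TTL expiry is testable
        self.cache = {}               # qname -> (address, expires_at)
        self.queries_sent = 0         # every round trip to an authoritative server

    def _ask(self, server, qname):
        """One query to one server. Returns ("answer", ip, ttl),
        ("referral", next_server) or ("nxdomain",)."""
        self.queries_sent += 1
        data = self.servers[server]
        if qname in data["records"]:
            ip, ttl = data["records"][qname]
            return ("answer", ip, ttl)
        # Longest delegation that covers qname wins, as with real zone cuts.
        for zone in sorted(data["delegations"], key=len, reverse=True):
            if qname == zone or qname.endswith("." + zone):
                return ("referral", data["delegations"][zone][1])
        return ("nxdomain",)

    def resolve(self, name):
        """Return (address, served_from_cache). address is None for NXDOMAIN."""
        qname = name if name.endswith(".") else name + "."
        now = self.clock()
        cached = self.cache.get(qname)
        if cached and cached[1] > now:
            return cached[0], True    # no query leaves the box
        server = self.root_hints[0]
        for _ in range(16):           # bound the walk; real resolvers also cap referral depth
            result = self._ask(server, qname)
            if result[0] == "answer":
                _, ip, ttl = result
                self.cache[qname] = (ip, now + ttl)
                return ip, False
            if result[0] == "referral":
                server = result[1]
                continue
            return None, False
        raise RuntimeError("referral chain too long")


def demo():
    """Walk once, hit the cache, then expire the TTL and walk again."""
    fake_now = [0.0]
    r = IterativeResolver(SERVERS, ROOT_HINTS, clock=lambda: fake_now[0])
    ip, from_cache = r.resolve("www.something.com")
    first_walk = r.queries_sent                      # root -> .com -> ns1: 3 queries
    _, from_cache_2 = r.resolve("www.something.com")
    cached_walk = r.queries_sent - first_walk        # 0: answer is still within TTL
    fake_now[0] += 3601                              # one second past the 3600 s TTL
    _, from_cache_3 = r.resolve("www.something.com")
    expired_walk = r.queries_sent - first_walk - cached_walk   # 3: full walk again
    return {
        "address": ip,
        "first_walk_queries": first_walk,
        "cached_queries": cached_walk,
        "after_ttl_queries": expired_walk,
        "cache_flags": (from_cache, from_cache_2, from_cache_3),
    }


if __name__ == "__main__":
    print(demo())
```

        The query counts are the whole bandwidth and latency story from the thread: a forwarder sends one query per lookup to the ISP and may get a cache hit there, while the resolver sends one query per level of the tree on the first lookup and then nothing until the TTL runs out. A real resolver also caches the intermediate referrals, so the second lookup of a different name under .com would start at the .com servers rather than at the root; this toy omits that.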
        altiris

          @johnpoz:

          There is no reason to use other DNS if you're going to run your own resolver; you even have DNSSEC enabled, I would hope. You're not running an NS to the public. You're doing queries to the owning name servers from your box. Pretty much no different than a simple query.

          A DNS resolver checks its root hints and just walks the tree: Hey ., I am looking up a .com domain - OK, go to the NS for .com. Hey .com NS, I am looking up a record in something.com - OK, the owning server of something.com is ns1.something.com at IP 1.2.3.4. Hey ns1.something.com, what is the A record for www.something.com?

          Other than that this can be slower than just asking your ISP DNS for www.something.com -- and it already looked it up because someone else 10 minutes before looked it up and the TTL is 1 hour, so "here is what I looked up 10 minutes ago" vs. going to ask again. There is no reason to use any other DNS if you're running your own resolver. Unless you want to leverage their cache or filtering, etc.

          Informative, but just to be sure, nobody else can enter my external IP and use my DNS as a "resolver"? Also, I was referring more to being my own resolver (using only my pfSense box to resolve domains) vs. only using a DNS server (such as OpenNIC). Is there really any difference/disadvantage besides maybe it being slower and using more bandwidth? Basically, why don't most home routers (or even things like SonicWall) offer their own DNS resolver, and instead just make people use the DNS from their ISP?

          NOYB

            @altiris:

            Is there really any difference/disadvantage besides maybe it being slower and more bandwidth?

            Reliability and accuracy typically trump DNS performance, so long as it is within reason. What does it matter how fast it is if it is unreliable or wrong/tainted/poisoned/etc.? On the other hand, what does it matter if it is reliable and accurate if it is impractically slow?

            In real-world typical usage an address is locally cached once looked up. So the performance hit of the resolver walking the chain is not actually all that significant. Typically just once per address per TTL.

            I've been using the resolver for a while now and have no complaints.

            phil.davis

              Your WAN should have everything blocked and only exactly the things you want (often nothing) allowed in. So anybody on the public internet cannot send a request to your WAN IP port 53. They will get nothing. Thus when running DNS Resolver you are not offering a resolver to the rest of the world.

              I guess forwarders are simpler code - less potential for bugs, takes less space... - and so that works for out-of-the-box mass-produced home edge devices.

              A forwarder is useful if you want to get filtered DNS of some sort. Some upstream DNS servers (OpenDNS, DynDNS...) recognize the requests from your public IP and know what sort of filtering you have set up. Then when asked for "playboy.com", "violence.com" or whatever unsuitable category you want it to filter, it gives back NXDOMAIN or some bogus IP address that will respond to a browser with a blocked message.

              If you use resolver then you get real unfiltered name resolution of everything.

              As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
              If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

              johnpoz (LAYER 8 Global Moderator)

                "So the performance hit of the resolver walking the chain is not actually all that significant"

                Exactly, and the resolver will cache it as well for the TTL of whatever it is you looked up, so the guy next to you also using your resolver that wants to get to www.pfsense.org - the resolver doesn't have to look it up again. But if you have sites that have low TTLs and shitty DNS servers, there can be a hit now and then when you first go to look it up: your browser times out on it, etc.

                Whereas if it's popular, lots of users hit it with the common forwarder you're using - which is normally like thousands and thousands of ISP customers vs. just the handful of machines using your resolver.

                As stated, out of the box pfSense blocks all unsolicited inbound traffic - so nobody can query your resolver from the outside unless you open up the firewall and even have your resolver listen on your WAN. You can pick what interfaces it listens on in the pfSense page for it. Why should it even listen on your WAN???

                I would not use a forwarder unless you wanted to leverage filtering they provide, or you have a really shitty network connection and doing all the DNS yourself ends up being slower than just asking your ISP DNS.

                [Screenshot: listeninterfaces.png - the DNS Resolver "Network Interfaces" selector]


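                Both phil.davis and johnpoz make the same two-layer point: the WAN rules drop unsolicited port 53 traffic, and separately unbound should only bind the LAN and localhost. pfSense generates unbound's configuration under /var/unbound from the "Network Interfaces" selector shown above, and the directives that decide who can reach the resolver are `interface:` and `access-control:`. The following added Python check (not from this thread, pfSense or unbound) parses those two directives out of a configuration file and reports anything that offers service beyond the LAN: wildcard binds, a bind to a WAN address you name, and permissive access-control entries for 0.0.0.0/0, ::/0 or non-private ranges. The two sample configurations are constructed for the example and only resemble what pfSense writes; the WAN address 203.0.113.5 is also made up.

```python
"""Audit an unbound.conf for resolver exposure beyond the LAN.

Checks only unbound's own listen/ACL configuration. The firewall's WAN rules
are a second, independent layer and are not inspected here."""
import ipaddress

WILDCARD_BINDS = {"0.0.0.0", "::", "::0"}
PERMISSIVE = {"allow", "allow_snoop", "allow_setrd"}   # unbound actions that answer queries

# Constructed example of the kind of config "Network Interfaces: All" plus an
# overly broad access list produces. Not copied from a real pfSense box.
EXPOSED_CONF = """\
server:
  interface: 0.0.0.0
  interface: ::0
  access-control: 127.0.0.1/32 allow_snoop
  access-control: 0.0.0.0/0 allow
  access-control: ::/0 allow
"""

# Constructed example of a LAN-only configuration: loopback and the LAN
# address only, and an explicit refuse for everything else.
HARDENED_CONF = """\
server:
  interface: 192.168.1.1
  interface: 127.0.0.1
  interface: ::1
  access-control: 127.0.0.1/32 allow_snoop
  access-control: ::1 allow_snoop
  access-control: 127.0.0.0/8 allow
  access-control: 192.168.1.0/24 allow
  access-control: 0.0.0.0/0 refuse
"""


def parse_unbound(conf_text):
    """Return (interfaces, access_controls) from unbound.conf-style text.
    Only the two directives that decide who can reach the resolver are read."""
    interfaces, acls = [], []
    for raw in conf_text.splitlines():
        line = raw.split("#", 1)[0].strip()          # drop comments and indentation
        if ":" not in line:
            continue
        key, _, val = line.partition(":")
        key, val = key.strip(), val.strip()
        if key == "interface":
            interfaces.append(val.split("@")[0])     # unbound allows "interface: 1.2.3.4@5353"
        elif key == "access-control":
            parts = val.split()
            if len(parts) >= 2:
                acls.append((parts[0], parts[1]))   # (netblock, action)
    return interfaces, acls


def audit_exposure(conf_text, wan_addresses=()):
    """List reasons the resolver could be reached from outside the LAN.
    wan_addresses: this box's own WAN IPs (hypothetical input), so a bind to
    one of them is flagged even though it is not a wildcard."""
    interfaces, acls = parse_unbound(conf_text)
    findings = []
    for iface in interfaces:
        if iface in WILDCARD_BINDS:
            findings.append(f"binds all addresses ({iface}), including WAN")
        elif iface in wan_addresses:
            findings.append(f"binds WAN address {iface}")
    for net, action in acls:
        if action not in PERMISSIVE:
            continue                                  # deny/refuse entries cannot expose anything
        try:
            network = ipaddress.ip_network(net, strict=False)
        except ValueError:
            findings.append(f"unparseable access-control netblock {net!r}")
            continue
        if network.prefixlen == 0:
            findings.append(f"access-control {net} {action}: open resolver to everyone")
        elif not network.is_private:
            findings.append(f"access-control {net} {action}: allows a public range")
    return findings


if __name__ == "__main__":
    for label, conf in (("exposed", EXPOSED_CONF), ("hardened", HARDENED_CONF)):
        print(label, audit_exposure(conf, wan_addresses=("203.0.113.5",)) or "no findings")
```

                Two caveats when reading the output. unbound matches access-control by most-specific netblock, not first match, so a trailing `0.0.0.0/0 refuse` does not cancel a more specific `allow`; the audit therefore flags every permissive entry on its own merits. And a clean result here still depends on the WAN rules, which is why the thread's answer to "can outsiders use my resolver" is no for both reasons, not one.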
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.