DNS Resolver vs Standard DNS servers



  • I used to use OpenNIC servers as my DNS servers for pfSense ("System" > "General Setup" > "DNS", filling in the various DNS servers there). The OpenNIC DNS servers I use are experiencing a lot of downtime now, and I decided to try pfSense's DNS Resolver; it works very well, fast and everything. So I am asking here: is there any reason for me to use other DNS servers instead of my own? What are the drawbacks, DDoSing or DNS abuse or something? Does bandwidth usage rise?

    EDIT: I cannot properly test, but I think the way DNS Resolver is currently configured, everyone can use the DNS server (outside of pfSense's networks), which I do not like.


  • Rebel Alliance Global Moderator

    There is no reason to use other DNS if you're going to run your own resolver; you even have DNSSEC enabled, I would hope. You're not running an NS to the public.. You're doing queries to the owning name servers from your box.. Pretty much no different than a simple query.

    DNS resolvers check their root hints and just walk the tree.. Hey ., I am looking up a .com domain - OK, go to the NS for .com. Hey .com NS, I am looking up a record in something.com - OK, the owning server of something.com is ns1.something.com at IP 1.2.3.4 -- hey ns1.something.com, what is the A record for www.something.com?

    Other than that this can be slower than just asking your ISP DNS for www.something.com -- it already looked it up because someone else looked it up 10 minutes before, and the TTL is 1 hour, so "here is what I looked up 10 minutes ago" vs. going to ask again.. There is no reason to use any other DNS if you're running your own resolver, unless you want to leverage their cache or filtering, etc.



  • @johnpoz:

    There is no reason to use other DNS if you're going to run your own resolver; you even have DNSSEC enabled, I would hope. You're not running an NS to the public.. You're doing queries to the owning name servers from your box.. Pretty much no different than a simple query.

    DNS resolvers check their root hints and just walk the tree.. Hey ., I am looking up a .com domain - OK, go to the NS for .com. Hey .com NS, I am looking up a record in something.com - OK, the owning server of something.com is ns1.something.com at IP 1.2.3.4 -- hey ns1.something.com, what is the A record for www.something.com?

    Other than that this can be slower than just asking your ISP DNS for www.something.com -- it already looked it up because someone else looked it up 10 minutes before, and the TTL is 1 hour, so "here is what I looked up 10 minutes ago" vs. going to ask again.. There is no reason to use any other DNS if you're running your own resolver, unless you want to leverage their cache or filtering, etc.

    Informative, but just to be sure: nobody else can enter my external IP and use my DNS as a "resolver"? Also, I was referring more to being my own resolver (using only my pfSense box to resolve domains) vs. only using a DNS server (such as OpenNIC). Is there really any difference/disadvantage besides maybe it being slower and using more bandwidth? Basically, why don't most home routers (or even things like SonicWall) offer their own DNS Resolver, and instead just make people use the DNS from their ISP?



  • @altiris:

    Is there really any difference/disadvantage besides maybe it being slower and more bandwidth?

    Reliability and accuracy typically trump DNS performance, so long as it is within reason. What does it matter how fast it is if it is unreliable or wrong/tainted/poisoned/etc.? On the other hand, what does it matter if it is reliable and accurate if it is impractically slow?

    In real-world typical usage an address is locally cached once looked up, so the performance hit of the resolver walking the chain is not actually all that significant. Typically just once per address per TTL.

    I've been using the resolver for a while now and have no complaints.



  • Your WAN should have everything blocked and only exactly the things you want (often nothing) allowed in. So nobody on the public internet can send a request to your WAN IP port 53; they will get nothing. Thus when running DNS Resolver you are not offering a resolver to the rest of the world.

    I guess forwarders are simpler code - less potential for bugs, takes less space… - and so that works for out-of-the-box, mass-produced home edge devices.

    A forwarder is useful if you want to get filtered DNS of some sort. Some upstream DNS servers (OpenDNS, DynDNS...) recognize the requests from your public IP and know what sort of filtering you have set up. Then when asked for "playboy.com", "violence.com" or whatever unsuitable category you want it to filter, it gives back NXDOMAIN or some bogus IP address that will respond to a browser with a blocked message.

    If you use the resolver then you get real, unfiltered name resolution of everything.


  • Rebel Alliance Global Moderator

    "So the performance hit of the resolver walking the chain is not actually all that significant"

    Exactly, and the resolver will cache it as well for the TTL of whatever it is you looked up, so when the guy next to you, also using your resolver, wants to get to www.pfsense.org the resolver doesn't have to look it up again. But if you have sites that have low TTLs and shitty DNS servers there can be a hit now and then: when you first go to look it up your browser times out on it, etc.

    Whereas if it's popular and lots of users hit it with the common forwarder you're using - which is normally like 1000's and 1000's of ISP customers vs. just the handful of machines using your resolver.

    As stated, out of the box pfSense blocks all unsolicited inbound traffic, so nobody can query your resolver from the outside unless you open up the firewall and even have your resolver listen on your WAN. You can pick what interfaces it listens on in the pfSense page for it. Why should it even listen on your WAN???

    I would not use a forwarder unless you wanted to leverage filtering they provide, or you have a really shitty network connection and doing all the DNS yourself ends up being slower than just asking your ISP DNS.
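    The three points the replies above make (the resolver walking the tree from its root hints, answers being cached for their TTL so the second client on the LAN causes no upstream query, and clients outside the listening networks getting nothing) in one small simulation. This is an added example written for this thread, not pfSense's or unbound's code; the zone data, server IPs (documentation ranges) and the 192.168.1.0/24 LAN are constructed, and the access-control behaviour is modelled on unbound's default of refusing queries from networks that are not explicitly allowed.

```python
"""Toy iterative resolver: walk the tree from a root hint, cache answers by
TTL, and refuse queries from clients outside the allowed networks.
Constructed example for illustration; not pfSense's or unbound's code."""
import ipaddress
import time

# Constructed stand-in for the DNS tree. IPs are documentation addresses, not
# real servers. Each authoritative server knows only its delegations
# (zone -> (NS name, glue IP)) and the records it is authoritative for.
ROOT_HINT = "192.0.2.1"
AUTH_SERVERS = {
    "192.0.2.1": {  # root: knows where the .com servers are
        "delegations": {"com.": ("a.gtld.example.", "192.0.2.2")},
        "records": {},
    },
    "192.0.2.2": {  # .com: knows the NS for something.com
        "delegations": {"something.com.": ("ns1.something.com.", "192.0.2.3")},
        "records": {},
    },
    "192.0.2.3": {  # ns1.something.com: owns the zone's A records
        "delegations": {},
        "records": {"www.something.com.": ("203.0.113.10", 3600)},
    },
}


def ask_authoritative(server_ip, qname):
    """Simulate one query to an authoritative server: answer, referral or NXDOMAIN."""
    zone = AUTH_SERVERS[server_ip]
    if qname in zone["records"]:
        return "answer", zone["records"][qname]
    # Longest matching delegation wins, mirroring a real referral.
    for delegated in sorted(zone["delegations"], key=len, reverse=True):
        if qname == delegated or qname.endswith("." + delegated):
            return "referral", zone["delegations"][delegated]
    return "nxdomain", None


class Resolver:
    """Caching iterative resolver with unbound-style access control."""

    def __init__(self, allowed_networks, clock=time.monotonic):
        self.allowed = [ipaddress.ip_network(n) for n in allowed_networks]
        self.clock = clock          # injectable so TTL expiry can be exercised
        self.cache = {}             # qname -> (ip, expiry time)
        self.upstream_queries = 0   # authoritative servers asked so far
        self.last_trail = []        # servers consulted on the last cache miss

    def resolve(self, client_ip, name):
        # Clients outside the allowed networks are refused outright; this is
        # what keeps the box from being an open resolver (on top of the
        # firewall dropping unsolicited traffic to WAN port 53).
        client = ipaddress.ip_address(client_ip)
        if not any(client in net for net in self.allowed):
            return "REFUSED"
        qname = name if name.endswith(".") else name + "."
        now = self.clock()
        hit = self.cache.get(qname)
        if hit is not None and hit[1] > now:
            return hit[0]           # served from cache: no upstream traffic at all
        ip, ttl = self._walk(qname)
        if ip is not None:
            self.cache[qname] = (ip, now + ttl)
        return ip

    def _walk(self, qname):
        """Start at the root hint and follow referrals to an answer or NXDOMAIN."""
        server = ROOT_HINT
        self.last_trail = []
        for _ in range(8):          # bound the referral chain
            self.last_trail.append(server)
            self.upstream_queries += 1
            kind, payload = ask_authoritative(server, qname)
            if kind == "answer":
                return payload      # (ip, ttl)
            if kind == "nxdomain":
                return None, 0
            _ns_name, server = payload   # referral: ask the delegated server next
        return None, 0


class FakeClock:
    """Controllable clock so the TTL expiry can be shown without waiting."""

    def __init__(self):
        self.t = 0.0

    def __call__(self):
        return self.t


if __name__ == "__main__":
    clock = FakeClock()
    r = Resolver(["192.168.1.0/24"], clock=clock)   # listen on LAN only
    print(r.resolve("192.168.1.20", "www.something.com"), r.last_trail)  # root -> .com -> ns1
    print(r.resolve("192.168.1.21", "www.something.com"), r.upstream_queries)  # cache hit, still 3
    print(r.resolve("198.51.100.7", "www.something.com"))  # outside client: REFUSED
    clock.t = 3601.0
    print(r.resolve("192.168.1.20", "www.something.com"), r.upstream_queries)  # TTL expired, walked again
```

    The trail shows the walk johnpoz describes (root, then the .com server, then ns1.something.com), the second LAN client is answered from cache with no upstream query, the client from outside the allowed network is refused, and once the 3600-second TTL has passed the walk is repeated. The real-world check for the "is my resolver open to the world" worry is to run a lookup against your WAN address from a host outside your network and confirm it times out (firewall drop) or returns REFUSED.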