DNS Primer?

  • I'd like to wrap my head around DNS a bit better. Is there a recommended resource for getting started with pfSense DNS services? I'm hoping to have a better understanding of the DNS forwarder and DNS resolver so that I might better configure my home network for security, speed, and functionality.

    I'm currently using pfSense as my gateway for DHCP and DNS (no Windows/Mac server doing this, and no domain), and I was hoping to force a set of DNS servers (i.e. OpenDNS, Level 3, etc.) on my clients. I would also like clients to be able to resolve each other on the same network without explicitly entering them into DNS.

    Thanks for any input you can provide!

  • LAYER 8 Global Moderator

    If you're pointing to pfsense for dns, and you have it register your dhcp clients in dns, then local clients would be able to resolve each other.  Or you could create host overrides for the specific stuff you want to resolve locally.

    If you're wanting to use opendns or any other specific dns then you would not want to use the resolver (unbound); it does all the resolving from roots and the authoritative servers directly for the stuff you're looking up.  You could put it in forwarder mode, etc.  But if you're just going to forward it's prob best to just use the forwarder (dnsmasq).

    If you forward to whatever you want to use, opendns, googledns - then all clients using pfsense would get answers from there.  Since all pfsense does is forward what you ask for if not in its local records or cached.

    If you don't want clients using other dns, then you can create a firewall rule to block access to 53 udp/tcp for anything other than pfsense.

    I personally use the resolver with dnssec enabled - and have pfsense directly query what you're looking for and cache it vs forwarding your dns to someone else.  This can be a tad slower but more secure in the long run.

    Understanding the difference between a forwarder and resolver is right in the name ;)  A forwarder "forwards" your queries to where you set it to forward, like your isp dns or opendns.  What they do is out of your control; it might be a resolver or it as well might forward somewhere else. It may or may not support dnssec, etc.

    Where with a resolver - when you ask for say www.something.net, it asks the roots hey what is the name server(s) for .net - ok 1 of the .net servers who is the authoritative nameservers for something.net – then it goes and asks say ns1.something.net for the record www directly.

    That is it in a nutshell.  I would highly recommend http://shop.oreilly.com/product/9780596100575.do as a great book on dns in general.  It's about BIND, but all the fundamentals are there as building blocks to your understanding.

  • Moderator

    Here is one Tutorial for Unbound:


  • @johnpoz:

    Where with a resolver - when you ask for say www.something.net, it asks the roots …

    so this will query the dns servers you have set in system > general?

    thanks all for your input!

  • LAYER 8 Netgate

    No.  The forwarder will ask the servers you have configured in system > general.

    The resolver will first ask its configured root name servers (zone .) for the NS/SOA records for zone net.

    Then it will ask those name servers for the NS/SOA records for zone example.net.

    Then it will ask those name servers for the A record for www.example.net.
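    To make that chain concrete, here is an added toy model (not from this thread, pfSense or unbound) of the two behaviours over constructed zone data, so it runs offline: the forwarder hands the whole question to the upstream servers from System > General, while the resolver ignores those and walks from its root hints through the NS delegations. Server names and the 192.0.2.x/203.0.113.x addresses are constructed documentation values.

```python
"""Toy model of DNS forwarder vs. resolver behaviour (constructed data, no network)."""
from typing import Dict, List, Tuple

# Constructed zone data: authoritative server name -> the records it serves.
# Mirrors the chain in the thread: root -> net. -> example.net. -> www.example.net.
ROOT_HINTS = ["a.root-servers.net."]                 # stands in for the root hints file
ZONES: Dict[str, Dict[Tuple[str, str], List[str]]] = {
    "a.root-servers.net.": {("net.", "NS"): ["a.gtld-servers.net."]},
    "a.gtld-servers.net.": {("example.net.", "NS"): ["ns1.example.net."]},
    "ns1.example.net.":    {("www.example.net.", "A"): ["192.0.2.10"]},  # TEST-NET-1 address
}
# What a forwarder target (your ISP, OpenDNS, ...) would hand back; constructed.
UPSTREAM_ANSWERS = {"www.example.net.": ["192.0.2.10"]}

def ask(server: str, name: str, rtype: str) -> List[str]:
    """One query to one server; returns its records, or [] if it has none for that name."""
    return ZONES.get(server, {}).get((name, rtype), [])

def forward(name: str, configured_servers: List[str]):
    """Forwarder mode (dnsmasq, or unbound with forwarding): send the whole question to the
    servers configured in System > General and trust whatever comes back."""
    path = [f"forward {name} -> {configured_servers[0]}"]
    return UPSTREAM_ANSWERS.get(name, []), path

def resolve(name: str, rtype: str = "A"):
    """Resolver mode (unbound): start at the root hints and follow NS delegations downward.
    The servers from System > General are never consulted."""
    labels = name.rstrip(".").split(".")
    servers, path = ROOT_HINTS, []
    # Ask the current servers for the NS of the next-longer suffix: net., then example.net.
    for depth in range(len(labels) - 1, 0, -1):
        zone = ".".join(labels[depth:]) + "."
        for s in servers:
            ns = ask(s, zone, "NS")
            if ns:
                path.append(f"{s} says NS for {zone} is {ns}")
                servers = ns
                break
        else:
            return [], path          # no delegation: a real resolver would return NXDOMAIN
    # Finally ask the zone's own name servers for the record itself.
    for s in servers:
        answer = ask(s, name, rtype)
        if answer:
            path.append(f"{s} answers {rtype} {name} = {answer}")
            return answer, path
    return [], path

if __name__ == "__main__":
    for step in resolve("www.example.net.")[1]:
        print(step)
```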

  • LAYER 8 Global Moderator

    A resolver has NOTHING to do with what you put in pfsense dns servers.. It uses its root hint file to know the root . servers to ask.. I thought I was really clear on that???

    This is the current root hint file


    These are the servers it will ask for who the servers are that manage .net, .org, .com, etc., which know the name servers for every domain in those tlds, via the registrars that update them when you register say mydomain.tld.

  • @johnpoz:

    I thought I was really clear on that???

    Understood. So the static servers set in System > General are bypassed (not used) when the DNS resolver is used. And pfsense does dnssec when possible when communicating with root servers?

    Thanks All!

  • LAYER 8 Global Moderator

    yes if you enable dnssec in unbound it does it whenever possible - not just to roots, but if the end domain has it setup, then it uses it then too..
