DNS forwarder or resolver for a new home-office network?

  • Could someone give me some pros/cons for choosing the forwarder or resolver option for my DNS?

    This is my 1st deployment of pfSense, so forgive my novice questions!  It is a simple home-office setup with maybe 20 downstream devices.  pfSense does the routing, firewall, dhcp, and openvpn nicely.  Now I want to sort out my DNS setup.

    I currently run dnsmasq on a separate server and intended to move it to the pfsense box.  But now I keep reading that the unbound resolver is "strategic", so I'm wondering if I should switch.  I have no experience with unbound.

    My requirements are basic … dnsmasq's forwarding, caching, and logging seems to do the job well enough.

    I use a list of local hosts and a list of overrides for ad-blocking etc.

    Normally I'm happy to forward all queries to my ISP's DNS servers.  But I do need to be able to override requests for some clients and "force" them to specific external DNS servers (geo-blocking issues).

    So which should I use, the forwarder or the resolver?

  • LAYER 8 Global Moderator

    Just use the forwarder if that is what your use too.  Resolver can be a tad slower on initial look ups because your walking the full tree to lookup www.something.com - roots hey ns for .com please, hey ns for .com what is ns for something.com hey ns for something.com what is A record for www

    With forwarder you just ask your isp or googledns hey what is A record for www.something.com, if someone had recently looked that up - there you go you get the answer right away its cached.  If not then it has to walk the tree and find it for you.. But normally there are 1000's to 100's of thousands of uses using those name serves so most popular sites are always cached.

    Normally its just a few ms different, but sometimes sites that have shitty dns or on the other side of the planet from you can take a bit longer and you may see time outs now and then on that first lookup and then after the ttl expires, etc.

    But the advantage of resolver is you KNOW your talking to authoritative ns for that domain to get the answer not some cached entry that could be stale, all your sure you have full dnssec while with forwarding.. do you??  Where you forwarding, etc.

    Both forwarder and resolver support easy over rides for hosts or domains, they are just in their own menu area, they don't share a db or anything.. So if you create a host over ride in the forwarder section and usng resolver your host over rides won't be used.

    Also while unbound does have a forwarder option, the dnsmasq fowarder allows you to query your ns in parallel while I do not believe unbound does it that way.  So if your use to forwarding - just stick with dnsmasq would be my advice.