Netgate Discussion Forum

    DNS Resolver issues with OpenDNS Web Filtering

    Category: DHCP and DNS (4 posts, 3 posters, 1.9k views)
    matthewdeets

      Hello!

      As of last week, I'm excited to be a newcomer to the pfSense community. After researching and speaking with the most helpful pfSense sales department, we decided to go with the SG-2440 network appliance.

      Fortunately, although new to pfSense, I was able to find the answers to almost all of my configuration questions in the definitive guide, documentation, and community discussions.

      My question is regarding the DNS Resolver versus the DNS Forwarder in pfSense v2.2.4. From what I understand, the development is moving toward the Resolver.

      I had the DNS Resolver configured with only one major issue. I'm using OpenDNS for web content filtering, and I discovered that when using the DNS Resolver, although I am using the OpenDNS servers, their web filtering and other services no longer work and their test pages show that I'm not using OpenDNS. None of my logs show any DNS-related errors.

      After noticing that the OpenDNS web content filtering and test pages work when using an OpenVPN connection into my network, and checking out the pfSense community discussions, I decided to try the DNS Forwarder service instead. Everything started to work as expected with OpenDNS: content filtering, error pages, etc.!

      Assuming that the DNS Resolver is a better solution, I would be grateful if anyone has any ideas regarding why the OpenDNS services do not seem to work when using the DNS Resolver, but work just fine when using the DNS Forwarder.

      Pre-post update:
      I also attempted the "forwarding mode" option in the DNS Resolver, but after applying the changes, that stopped anything on our network from resolving on the Internet. I also thought I'd mention that I have the OpenDNS server addresses set in the System -> General Setup section. My configuration is for a home network that's using many defaults and is very basic.

      Thanks,
      matt :)

        Derelict (LAYER 8, Netgate)

        I would use the resolver in forwarding mode with the OpenDNS servers configured.  That way you are using the favored DNS solution in the project (the one that will be receiving the most attention) while maintaining the OpenDNS filtering functionality.

        The resolver does things completely differently.  Instead of just asking the configured name servers for an answer it has the list of root servers.

        Then it asks the roots where it can go for information about com.
        Then it asks one of those where it can go for information about google.com.
        Then it asks one of those what the A record for www.google.com is.

        That's why there is sometimes a delay of 100ms or so the first time a name is resolved.  Then it's answered out of your own local cache.

        That's also why OpenDNS doesn't work in the Resolver.  The resolver isn't asking just the OpenDNS servers for answers.  It's asking essentially the whole internet.

        What DNS Servers did you configure in System > General Setup? I think those are used as the forwarders by default in forwarding mode.

        I haven't tested but try this in the advanced section of the resolver.  Leave forward mode unchecked.

        forward-zone:
          name: "."
          forward-addr: 208.67.222.222
          forward-addr: 208.67.220.220

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

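        The difference Derelict describes is easy to see in a small model. The following Python is an added example, not code from this thread and not pfSense or unbound code: it uses a constructed set of authoritative servers (root, .com, an example.com server) for the recursive walk, and a constructed "filtering forwarder" with a blocklist standing in for a service like OpenDNS. All server names, addresses and the blocklist are made up for illustration.

```python
"""Added example, not code from the thread or from pfSense/unbound.  It models
the two lookup strategies Derelict describes with constructed data: a handful
of made-up authoritative servers for a recursive walk, and a made-up filtering
forwarder that answers the whole question itself."""
from typing import Dict, List, Tuple

# Constructed authoritative data: server -> {owner name: (rtype, value)}.
# An "NS" entry is a referral (value = the next server to ask); "A" is final.
ZONES: Dict[str, Dict[str, Tuple[str, str]]] = {
    "root-server":         {"com.": ("NS", "com-tld-server")},
    "com-tld-server":      {"example.com.": ("NS", "example-auth-server")},
    "example-auth-server": {"www.example.com.": ("A", "192.0.2.10")},
}

# Constructed filtering policy for the forwarder (stands in for a service
# like OpenDNS): names on the list get the block page address instead.
FORWARDER = "filtering-forwarder"
FORWARDER_BLOCKLIST = {"www.example.com."}
FORWARDER_BLOCK_PAGE = "192.0.2.99"


def resolve_iteratively(qname: str) -> Tuple[str, List[str]]:
    """Resolver mode: start at the root and follow referrals down the tree.

    Returns the final address and the list of servers consulted, in order.
    """
    labels = qname.rstrip(".").split(".")
    # Suffixes from the top of the tree down: com. -> example.com. -> www.example.com.
    suffixes = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    server, trail = "root-server", []
    for name in suffixes:
        trail.append(server)
        try:
            rtype, value = ZONES[server][name]
        except KeyError:
            raise LookupError(f"{server} has no data for {name}") from None
        if rtype == "A":
            return value, trail
        server = value  # referral: ask the server responsible for this suffix next
    raise LookupError(f"no A record reached for {qname}")


def resolve_via_forwarder(qname: str) -> Tuple[str, List[str]]:
    """Forwarding mode: send the whole question to one upstream and take its word.

    Only the forwarder is ever asked, so its policy (here the blocklist) applies.
    The forwarder itself recurses on our behalf to find unblocked names.
    """
    if qname in FORWARDER_BLOCKLIST:
        return FORWARDER_BLOCK_PAGE, [FORWARDER]
    answer, _ = resolve_iteratively(qname)
    return answer, [FORWARDER]


def filter_applied(qname: str, mode: str) -> bool:
    """True when the filtering forwarder's policy decided the answer."""
    lookup = resolve_via_forwarder if mode == "forward" else resolve_iteratively
    _, trail = lookup(qname)
    return FORWARDER in trail


if __name__ == "__main__":
    for mode in ("resolve", "forward"):
        fn = resolve_iteratively if mode == "resolve" else resolve_via_forwarder
        addr, trail = fn("www.example.com.")
        print(f"{mode:8s} -> {addr:12s} asked: {' -> '.join(trail)}")
```

        Run as a script it prints the servers each mode consulted: the recursive walk never touches the filtering forwarder, so the forwarder's policy cannot apply to it; only forwarding mode hands the question to the upstream, which is the property the OpenDNS filtering depends on.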
          matthewdeets

          Thank you for your help and information regarding how the new DNS Resolver works. This was very helpful.

          I tried your suggestion in the advanced options section, but this produced the same results with OpenDNS as when I actually turned on "Forwarder Mode": no DNS resolution at all for the Internet.

          Your information on how the new DNS Resolver works encouraged me to try another option which I found to "fix" the issue - kind of…

          I replaced the OpenDNS servers with servers that support DNSSEC in the System -> General section… And everything started to work. I had DNS resolution with "Forwarder Mode" enabled or disabled.

          I remembered reading that OpenDNS does not support DNSSEC. By disabling DNSSEC in the DNS Resolver, the OpenDNS test page worked correctly in "Forwarder Mode" or with your suggested options in the advanced settings.

          As I mentioned, disabling DNSSEC when using OpenDNS servers "kind of" fixed the issue, because while addresses on the Internet were able to be resolved and the OpenDNS welcome / test page did function as expected, the web filtering services still did not work - most likely for the reasons you mentioned in your post.

          After re-enabling DNSSEC and disabling Forwarder Mode, I ran a DNS benchmark tool to determine the fastest DNS servers for my network which also support DNSSEC.  Although I am giving up the web filtering as provided by OpenDNS, I'm happy to say that everything seems to be resolving much faster while at the same time having the new DNS Resolver enabled using that service's default settings.

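          The DNSSEC side of the symptom above (everything resolves once validation is off, nothing resolves with it on) comes down to what the upstream sends back. The following Python is an added example, not code from this thread and not pfSense or unbound code. It builds the kind of query a validating resolver sends (EDNS0 OPT record with the DO bit), parses a reply in DNS wire format, and reports whether the reply carries the RRSIG records a validator needs. The replies are constructed inline so the script runs offline; the RRSIG rdata is placeholder zero bytes, not a real signature, and the 192.0.2.x addresses and example.com names are illustrative.

```python
"""Added example, not code from the thread or from pfSense/unbound.  It shows
the check a DNSSEC-validating resolver performs on what an upstream sends
back: the query carries the EDNS0 DO bit, and the reply must contain RRSIG
records for the resolver to validate.  Responses are constructed inline so
this runs offline; the RRSIG rdata is placeholder bytes, not a signature."""
import struct

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
FLAG_QR, FLAG_RD, FLAG_RA, FLAG_AD = 0x8000, 0x0100, 0x0080, 0x0020
EDNS_DO = 0x8000  # "DNSSEC OK" bit in the OPT record's extended flags


def encode_name(name: str) -> bytes:
    """Wire-format a dotted name as length-prefixed labels ending in a zero byte."""
    labels = [label for label in name.rstrip(".").split(".") if label]
    return b"".join(bytes([len(label)]) + label.encode("ascii") for label in labels) + b"\x00"


def decode_name(buf: bytes, off: int):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped = [], off, False
    while True:
        length = buf[off]
        if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
            pointer = struct.unpack("!H", buf[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            off, jumped = pointer, True
            continue
        off += 1
        if length == 0:
            break
        labels.append(buf[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (end if jumped else off)


def build_query(qid: int, qname: str, qtype: int = TYPE_A) -> bytes:
    """Query as a validating resolver sends it: RD set, plus an OPT RR with DO."""
    header = struct.pack("!HHHHHH", qid, FLAG_RD, 1, 0, 0, 1)
    question = encode_name(qname) + struct.pack("!HH", qtype, 1)
    # OPT RR: root name, type 41, UDP payload size 4096, DO bit, no rdata
    opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, 4096, EDNS_DO, 0)
    return header + question + opt


def parse_response(buf: bytes) -> dict:
    """Pull out the fields a validator cares about: id, rcode, AD flag, record types."""
    qid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", buf[:12])
    off = 12
    for _ in range(qd):
        _, off = decode_name(buf, off)
        off += 4  # qtype + qclass
    types = []
    for _ in range(an + ns + ar):
        _, off = decode_name(buf, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", buf[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"id": qid, "rcode": flags & 0xF, "ad": bool(flags & FLAG_AD),
            "answers": an, "has_rrsig": TYPE_RRSIG in types}


def build_response(qid: int, qname: str, include_rrsig: bool, ad: bool) -> bytes:
    """Constructed upstream reply: an A record, optionally with an RRSIG beside it."""
    flags = FLAG_QR | FLAG_RD | FLAG_RA | (FLAG_AD if ad else 0)
    records = [encode_name(qname) + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])]
    if include_rrsig:
        fake_sig = b"\x00" * 20  # placeholder rdata; a real RRSIG carries a signature
        records.append(encode_name(qname) + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(fake_sig)) + fake_sig)
    header = struct.pack("!HHHHHH", qid, flags, 1, len(records), 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", TYPE_A, 1) + b"".join(records)


def judge(query: bytes, response: bytes) -> str:
    """What a validating resolver concludes for a zone it knows is signed."""
    qid = struct.unpack("!H", query[:2])[0]
    r = parse_response(response)
    if r["id"] != qid:
        return "mismatched id"
    if r["rcode"] != 0:
        return f"upstream rcode {r['rcode']}"
    if r["has_rrsig"]:
        return "signed: validation can proceed"
    return "unsigned: bogus for a signed zone, resolver answers SERVFAIL"


if __name__ == "__main__":
    q = build_query(0x1234, "www.example.com.")
    for rrsig in (True, False):
        print(judge(q, build_response(0x1234, "www.example.com.", rrsig, ad=rrsig)))
```

          Two design points worth noting. First, `judge` ignores the upstream's AD flag on purpose: a validating resolver does its own validation from the RRSIGs and the trust chain, and treats an AD bit set by someone else as just a claim. Second, the "unsigned" verdict is why the resolver returned nothing when DNSSEC was on and the forwarder did not return signatures: for a zone the resolver knows is signed, an answer without RRSIGs is bogus, and unbound answers the client with SERVFAIL rather than hand out an unverifiable record.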
            sstretchh

            @matthewdeets:

            Thank you for your help and information regarding how the new DNS Resolver works. This was very helpful.

            I tried your suggestion in the advanced options section, but this produced the same results with OpenDNS as when I actually turned on "Forwarder Mode": no DNS resolution at all for the Internet.

            Your information on how the new DNS Resolver works encouraged me to try another option which I found to "fix" the issue - kind of…

            I replaced the OpenDNS servers with servers that support DNSSEC in the System -> General section… And everything started to work. I had DNS resolution with "Forwarder Mode" enabled or disabled.

            I remembered reading that OpenDNS does not support DNSSEC. By disabling DNSSEC in the DNS Resolver, the OpenDNS test page worked correctly in "Forwarder Mode" or with your suggested options in the advanced settings.

            As I mentioned, disabling DNSSEC when using OpenDNS servers "kind of" fixed the issue, because while addresses on the Internet were able to be resolved and the OpenDNS welcome / test page did function as expected, the web filtering services still did not work - most likely for the reasons you mentioned in your post.

            After re-enabling DNSSEC and disabling Forwarder Mode, I ran a DNS benchmark tool to determine the fastest DNS servers for my network which also support DNSSEC.  Although I am giving up the web filtering as provided by OpenDNS, I'm happy to say that everything seems to be resolving much faster while at the same time having the new DNS Resolver enabled using that service's default settings.

            First off, welcome to the pfSense community! I am also new to the community myself and I recently purchased an SG-2440 as well. Instead of using OpenDNS for your filtering, have you thought about using Squid and SquidGuard? Since you have everything going through pfSense now, use its ability to web filter.

            A couple of YouTube links on it:

            https://www.youtube.com/watch?v=H-6_13P8pS8

            https://www.youtube.com/watch?v=MeSVE_UetX4

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.