DNS Resolver issues with OpenDNS Web Filtering



  • Hello!

    As of last week, I'm excited to be a newcomer to the pfSense community. After researching and speaking with the most helpful pfSense sales department, we decided to go with the SG-2440 network appliance.

    Fortunately, although new to pfSense, I was able to find the answers to most all of my configuration questions in the definitive guide, documentation, and community discussions.

    My question is regarding the DNS Resolver versus the DNS Forwarder in pfSense v2.2.4. From what I understand, the development is moving toward the Resolver.

    I had the DNS Resolver configured with only one major issue. I'm using OpenDNS for web content filtering, and I discovered that when using the DNS Resolver, although I am using the OpenDNS servers, their web filtering and other services no longer work and their test pages show that I'm not using OpenDNS - none of my logs show any DNS related errors.

    After noticing that the OpenDNS web content filtering and test pages work when using an OpenVPN connection into my network, and checking out the pfSense community discussions, I decided to try the DNS Forwarder Service instead - everything started to work as expected with open DNS - content filtering, error pages, etc!

    Assuming that the DNS Resolver is a better solution, I would be grateful if anyone has any ideas regarding why the OpenDNS services do not seem to work when using the DNS Resolver, but work just fine when using the DNS Forwarder.

    Pre-post update:
    I also attempted trying the "forwarding mode" option in the DNS resolver, but after applying the changes, that stopped anything on our network from resolving on the Internet. Also thought I'd mention that I have the OpenDNS server addresses set in the System -> General set up section. My configuration is for a home network that's using many defaults and is very basic.

    Thanks,
    matt :)


  • LAYER 8 Netgate

    I would use the resolver in forwarding mode with the OpenDNS servers configured.  That way you are using the favored DNS solution in the project (the one that will be receiving the most attention) while maintaining the OpenDNS filtering functionality.

    The resolver does things completely differently.  Instead of just asking the configured name servers for an answer it has the list of root servers.

    Then it asks the roots where can I go for information about com.
    Then it asks one of those where can I go for information about google.com.
    Then it asks one of those what is the A record for www.google.com.

    That's why there is sometimes a delay of 100ms or so the first time a name is resolved.  Then it's answered out of your own local cache.

    That's also why OpenDNS doesn't work in Resolver.  The resolver isn't asking just OpenDNS servers for answers.  It's asking essentially the whole internet.

    What DNS Servers did you configure in System > General Setup? I think those are used as the forwarders by default in forwarding mode.

    I haven't tested but try this in the advanced section of the resolver.  Leave forward mode unchecked.

    forward-zone:
      name: "."
      forward-addr: 208.67.222.222
      forward-addr: 208.67.220.220
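    The difference described above, as an added toy model (not pfSense or unbound code): a resolver walks the delegation chain from the root hints and caches the result, while a forwarder hands every question to the configured upstream, so only in forwarding mode does the upstream ever see the query and get a chance to apply its content policy. The delegation tree, server names and IP addresses are constructed placeholders; the forwarder addresses are the OpenDNS ones quoted in the thread, and what they "filter" here is made up for the demonstration.

```python
"""Toy model (added example, not pfSense or unbound code) of the two ways
pfSense can answer a client's DNS query:

  * DNS Resolver with forwarding mode off: iterate from the root servers
    down the delegation chain and cache the answer locally.
  * DNS Forwarder, or the Resolver in forwarding mode: hand the whole
    question to the configured upstream and accept whatever it says.

The delegation tree, server names and IP addresses below are constructed
placeholders, not real root/TLD/authoritative data.
"""
from typing import Dict, List, Optional, Tuple

# Constructed delegation data: zone -> name servers authoritative for it.
DELEGATIONS: Dict[str, List[str]] = {
    ".": ["a.root-servers.example"],
    "com.": ["a.gtld-servers.example"],
    "google.com.": ["ns1.google.example"],
}
# Constructed A records held by the zone's authoritative servers.
RECORDS: Dict[str, str] = {"www.google.com.": "192.0.2.10"}

# Upstream forwarders as given in the thread; the filter table is constructed
# to stand in for a content-filtering upstream returning a block page.
FORWARDERS = ["208.67.222.222", "208.67.220.220"]
FORWARDER_FILTER: Dict[str, str] = {"www.google.com.": "192.0.2.99"}

Log = List[Tuple[str, str]]  # (server contacted, question asked)


def parent_zone(zone: str) -> str:
    """'google.com.' -> 'com.', 'com.' -> '.', '.' -> '.'"""
    if zone == ".":
        return "."
    return zone.split(".", 1)[1] or "."


def ask(server: str, qname: str, log: Log) -> Tuple[str, Optional[object]]:
    """Simulate one question to `server` and record it in `log`.

    Like a real authoritative server, it only knows its own zone and its
    direct child delegations: it returns ('referral', servers),
    ('answer', ip) or ('nxdomain', None)."""
    log.append((server, qname))
    served = next(z for z, srvs in DELEGATIONS.items() if server in srvs)
    for child, srvs in DELEGATIONS.items():
        if child != served and parent_zone(child) == served and qname.endswith(child):
            return "referral", srvs
    if qname in RECORDS:
        return "answer", RECORDS[qname]
    return "nxdomain", None


def resolve_recursively(qname: str, cache: Dict[str, str], log: Log) -> Optional[str]:
    """What the DNS Resolver does with forwarding mode off."""
    if qname in cache:
        log.append(("local cache", qname))
        return cache[qname]
    servers = DELEGATIONS["."]          # start from the root hints
    while True:
        kind, data = ask(servers[0], qname, log)
        if kind == "referral":
            servers = data              # walk one label deeper
        elif kind == "answer":
            cache[qname] = data
            return data
        else:
            return None


def resolve_via_forwarder(qname: str, log: Log) -> Optional[str]:
    """What the DNS Forwarder (or the Resolver in forwarding mode) does: the
    upstream sees every question, so its policy can rewrite the answer."""
    upstream = FORWARDERS[0]
    log.append((upstream, qname))
    if qname in FORWARDER_FILTER:       # upstream's content filter applies
        return FORWARDER_FILTER[qname]
    return resolve_recursively(qname, {}, [])  # upstream recurses for us


def servers_contacted(mode: str, qname: str,
                      cache: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the list of servers that saw the question in the given mode."""
    log: Log = []
    if mode == "resolver":
        resolve_recursively(qname, cache if cache is not None else {}, log)
    else:
        resolve_via_forwarder(qname, log)
    return [server for server, _ in log]


if __name__ == "__main__":
    for mode in ("resolver", "forwarder"):
        print(mode, "->", servers_contacted(mode, "www.google.com."))
```

    Running it shows the resolver contacting only the root, TLD and authoritative servers and never the forwarder address, which is why an upstream's filtering cannot take effect in that mode; a second query against the same cache is answered locally without contacting anyone.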



  • Thank you for your help and information regarding how the new DNS Resolver works. This was very helpful.

    I tried your suggestion in the advanced options section, but this produced the same results with OpenDNS as when I actually turned on the "forwarder Mode" - no DNS resolution at all for the Internet.

    Your information on how the new DNS Resolver works encouraged me to try another option which I found to "fix" the issue - kind of…

    I replaced the OpenDNS servers with servers that support DNSSEC in the System -> General section… And everything started to work - I had DNS resolution with "Forwarder mode" enabled or disabled.

    I remembered reading that OpenDNS does not support DNSSEC - by disabling DNSSEC in the DNS Resolver, the OpenDNS test page worked correctly in "forwarder mode" or with your suggested options in advanced settings.

    As I mentioned, disabling DNSSEC when using OpenDNS servers "kind of" fixed the issue, because while addresses on the Internet were able to be resolved and the OpenDNS welcome / test page did function as expected, the web filtering services still did not work - most likely for the reasons you mentioned in your post.

    After re-enabling DNSSEC and disabling Forwarder Mode, I ran a DNS benchtest tool to determine the fastest DNS servers for my network which also support DNSSEC.  Although I am giving up the web filtering such as provided by OpenDNS, I'm happy to say that everything seems to be resolving much faster while at the same time having the new DNS Resolver enabled using that service's default settings.
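    The interaction reported above, as an added toy model (not pfSense or unbound code): a validating resolver in forwarding mode needs signatures back from its upstream to validate answers, so an upstream that does not return DNSSEC data leaves it unable to validate anything and the client gets SERVFAIL, while turning validation off makes the same upstream usable again. The model takes the thread's account that the OpenDNS servers do not return DNSSEC data as its assumption; the names, addresses and "signature" values are constructed placeholders and no real cryptographic verification is performed.

```python
"""Toy model (added example, not unbound/pfSense code) of why the DNS
Resolver with DNSSEC validation on answers nothing when it forwards to an
upstream that does not pass DNSSEC data through.

A validating resolver sends its question with the DO (DNSSEC OK) bit set and
expects RRSIG records back, chained to the root trust anchor. Names, addresses
and signatures below are constructed placeholders; validation is modelled as
"is a signature present", not real cryptography.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Response:
    rcode: str                      # "NOERROR", "NXDOMAIN" or "SERVFAIL"
    answer: Optional[str] = None    # A record, if any
    rrsig: Optional[str] = None     # signature over the answer (placeholder)
    ad: bool = False                # Authenticated Data flag set by a validator


# Constructed signed zone data: name -> (address, signature placeholder).
SIGNED_ZONE: Dict[str, Tuple[str, str]] = {
    "www.example.": ("192.0.2.10", "RRSIG(placeholder)"),
}


def upstream(qname: str, do_bit: bool, passes_dnssec: bool) -> Response:
    """An upstream forwarder. passes_dnssec=False models an upstream that
    ignores the DO bit and returns plain answers without RRSIGs (the
    thread's reading of the OpenDNS servers)."""
    if qname not in SIGNED_ZONE:
        return Response("NXDOMAIN")
    addr, sig = SIGNED_ZONE[qname]
    if do_bit and passes_dnssec:
        return Response("NOERROR", addr, sig)
    return Response("NOERROR", addr)


def validate(resp: Response) -> bool:
    """Stand-in for verifying the RRSIG against the DNSKEY/DS chain.
    A real validator would also need signed denial of existence for
    NXDOMAIN answers; that case is omitted here."""
    return resp.rrsig is not None


def forwarding_resolver(qname: str, validate_dnssec: bool,
                        passes_dnssec: bool) -> Response:
    """The Resolver in forwarding mode. With validation on, an answer it
    cannot validate is treated as bogus and the client receives SERVFAIL."""
    resp = upstream(qname, do_bit=validate_dnssec, passes_dnssec=passes_dnssec)
    if not validate_dnssec:
        return resp                     # trust the upstream, no AD flag
    if resp.rcode == "NOERROR" and validate(resp):
        resp.ad = True
        return resp
    return Response("SERVFAIL")


def outcome_matrix() -> Dict[Tuple[bool, bool], str]:
    """rcode for every (validation on?, upstream passes DNSSEC?) combination."""
    return {
        (v, p): forwarding_resolver("www.example.", v, p).rcode
        for v in (True, False) for p in (True, False)
    }


if __name__ == "__main__":
    for (v, p), rcode in outcome_matrix().items():
        print(f"validation={'on' if v else 'off'} "
              f"upstream_dnssec={'yes' if p else 'no'} -> {rcode}")
```

    The (validation on, upstream without DNSSEC) cell is the "no DNS resolution at all" case from the thread; switching to DNSSEC-capable upstreams or turning validation off both produce NOERROR, but only the former yields authenticated (AD) answers.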



  • @matthewdeets:

    Thank you for your help and information regarding how the new DNS Resolver works. This was very helpful.

    I tried your suggestion in the advanced options section, but this produced the same results with OpenDNS as when I actually turned on the "forwarder Mode" - no DNS resolution at all for the Internet.

    Your information on how the new DNS Resolver works encouraged me to try another option which I found to "fix" the issue - kind of…

    I replaced the OpenDNS servers with servers that support DNSSEC in the System -> General section… And everything started to work - I had DNS resolution with "Forwarder mode" enabled or disabled.

    I remembered reading that OpenDNS does not support DNSSEC - by disabling DNSSEC in the DNS Resolver, the OpenDNS test page worked correctly in "forwarder mode" or with your suggested options in advanced settings.

    As I mentioned, disabling DNSSEC when using OpenDNS servers "kind of" fixed the issue, because while addresses on the Internet were able to be resolved and the OpenDNS welcome / test page did function as expected, the web filtering services still did not work - most likely for the reasons you mentioned in your post.

    After re-enabling DNSSEC and disabling Forwarder Mode, I ran a DNS benchtest tool to determine the fastest DNS servers for my network which also support DNSSEC.  Although I am giving up the web filtering such as provided by OpenDNS, I'm happy to say that everything seems to be resolving much faster while at the same time having the new DNS Resolver enabled using that service's default settings.

    First off, welcome to the pfSense community! I am also new to the community myself and I recently just purchased a SG-2440 as well. Instead of using OpenDNS for your filtering, have you thought about using Squid and SquidGuard? Since you have everything going through pfSense now, use its ability to web filter.

    Couple youtube links on it

    Youtube Video

    Youtube Video

