Netgate Discussion Forum
    DNS Resolver

    DHCP and DNS
serialdie:

      Team, where can I define which server to use for external lookups in the DNS Resolver?
      TIA!

johnpoz (LAYER 8 Global Moderator):

        Clearly you don't understand what a resolver is ;)

        A "resolver" uses the root hints to walk down the DNS tree to finally talk to the authoritative server of the specific domain you're trying to look up. So if you want to find www.domainx.net:

        It asks the roots, "hey roots, who is NS for .net?", ok thanks; "hey NS server for .net, who is NS for domainx?", ok thanks; "hey NS for domainx, what is the A record for the host called www?"

        Do you want to modify the root hints?

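The walk johnpoz describes, as an added illustration that is not code from the thread, from unbound or from pfSense: a toy iterative resolver that starts from a root hint and follows referrals down to the authoritative server, next to a forwarder that hands the whole question to one upstream. The server names, zone data and RFC 5737 addresses are constructed for the example; nothing on the network is contacted.

```python
"""Toy iterative resolver vs. forwarder over a constructed delegation tree.

Added example; not from the thread, unbound or pfSense.  Server addresses use
RFC 5737 documentation ranges and the zone data is made up for illustration.
"""
from dataclasses import dataclass


@dataclass
class Referral:
    """'Not mine, but here is who serves the child zone' plus glue A records."""
    zone: str
    ns: dict  # nameserver hostname -> IPv4 glue


@dataclass
class Answer:
    """Authoritative data: list of (owner, type, rdata)."""
    rrs: list


# Constructed authoritative data, keyed by server IP, then by owner name.
# Each server knows only its own zone and the delegations it hands out.
SERVERS = {
    # root server (reached via the root hints): delegates net.
    "192.0.2.1": {"net.": Referral("net.", {"a.gtld.example.": "198.51.100.1"})},
    # net. TLD server: delegates domainx.net.
    "198.51.100.1": {"domainx.net.": Referral("domainx.net.", {"ns1.domainx.net.": "203.0.113.53"})},
    # domainx.net. authoritative server
    "203.0.113.53": {"www.domainx.net.": Answer([("www.domainx.net.", "A", "203.0.113.80")])},
}
ROOT_HINTS = {"a.root.example.": "192.0.2.1"}  # constructed root hint


def ask(server_ip, qname, qtype):
    """Simulated exchange with one server: it answers only from its own data.

    Returns an Answer (empty when the name exists but has no such type), a
    Referral, or None when the server has nothing at all for the name.
    """
    table = SERVERS[server_ip]
    labels = qname.split(".")
    # try the name itself, then each enclosing zone, most specific first
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        entry = table.get(candidate)
        if isinstance(entry, Answer) and candidate == qname:
            return Answer([rr for rr in entry.rrs if rr[1] == qtype])
        if isinstance(entry, Referral):
            return entry
    return None


def resolve_iteratively(qname, qtype="A", max_hops=10):
    """Walk the tree from the root hints exactly as a resolver does.

    Returns (rdata list, trace); trace lists every server that was asked.
    """
    servers = dict(ROOT_HINTS)
    trace = []
    for _ in range(max_hops):
        # real resolvers pick a server by measured RTT; the toy takes the first
        ns_name, ip = next(iter(servers.items()))
        trace.append((ns_name, ip))
        reply = ask(ip, qname, qtype)
        if isinstance(reply, Answer):
            return [rdata for (_, _, rdata) in reply.rrs], trace
        if isinstance(reply, Referral):
            servers = reply.ns  # follow the delegation using its glue
            continue
        return [], trace  # nobody below this point knows the name
    raise RuntimeError("delegation too deep or referral loop")


def forward(qname, qtype, upstream):
    """A forwarder does no walking: it sends the whole question to `upstream`
    (an ISP or OpenDNS resolver) and uses whatever comes back.  Caching, and
    DNSSEC validation if the upstream passes the signatures through, can still
    happen locally, but the walk itself is somebody else's."""
    return upstream(qname, qtype)


if __name__ == "__main__":
    rdata, trace = resolve_iteratively("www.domainx.net.", "A")
    print(rdata)  # ['203.0.113.80']
    for ns_name, ip in trace:
        print("asked", ns_name, ip)
    # the forwarder here uses the toy resolver as its upstream
    print(forward("www.domainx.net.", "A", lambda n, t: resolve_iteratively(n, t)[0]))
```

In unbound terms the first path is what the default configuration with a root.hints file does, and the second is a `forward-zone:` for `name: "."` with one or more `forward-addr:` entries, which is what pfSense's DNS Resolver generates when "Enable Forwarding Mode" is ticked.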
serialdie:

          @johnpoz:

          Clearly you don't understand what a resolver is ;)

          A "resolver" uses the root hints to walk down the DNS tree to finally talk to the authoritative server of the specific domain you're trying to look up. So if you want to find www.domainx.net:

          It asks the roots, "hey roots, who is NS for .net?", ok thanks; "hey NS server for .net, who is NS for domainx?", ok thanks; "hey NS for domainx, what is the A record for the host called www?"

          Do you want to modify the root hints?

          lol… I understand what it is.
          Because I didn't use technical wording does not mean I don't know what it is ;)

          You got the point right?

          Yes that's what I am trying to modify.

          Thanks for the help!

johnpoz (LAYER 8 Global Moderator):

            So you want to use your own internal root hints? There was a feature request for custom root hints months ago: https://redmine.pfsense.org/issues/4368

            To be honest, if you're wanting to use your own custom root.hints file the unbound package in pfSense is prob not your best idea; why would you not run your own on its own, be it with BIND or a true install of unbound?

            What exactly are you wanting to accomplish? If you just need to resolve a custom TLD, pretty sure domain overrides would work..

serialdie:

              @johnpoz:

              So you want to use your own internal root hints? There was a feature request for custom root hints months ago: https://redmine.pfsense.org/issues/4368

              To be honest, if you're wanting to use your own custom root.hints file the unbound package in pfSense is prob not your best idea; why would you not run your own on its own, be it with BIND or a true install of unbound?

              What exactly are you wanting to accomplish? If you just need to resolve a custom TLD, pretty sure domain overrides would work..

              johnpoz,

              After some research I came across that same request. You are right, unbound is not what I need and I need something like BIND, but after some careful thought and revisiting what I am trying to accomplish, which was to route all my DNS traffic through OpenDNS for reporting purposes, it's really not worth it.

              Thanks for the help!

fragged:

                If you want to use OpenDNS simply use the DNS relay or set the DNS Resolver to work in relay mode.

johnpoz (LAYER 8 Global Moderator):

                  Yeah exactly, if you just want to use OpenDNS a "resolver" is not what you're after at all - which again I point to my original thought that you don't actually understand what a "resolver" is ;)

                  Just use dnsmasq, which is the forwarder still included in pfSense, under DNS "Forwarder" vs Resolver..

serialdie:

                    Johnpoz,

                    You make funny statements… LOL
                    There is a reason why I use a resolver, but this is a dead thread and there is no reason to keep going back and forth. Thanks again to all for the help.

johnpoz (LAYER 8 Global Moderator):

                      No there isn't, if all you want to do is forward it to OpenDNS..

                      Sorry dude, but there is NO way to help you skin the cat if we don't know what breed it is.. Without details of what you're wanting to accomplish we are just guessing.. From your statements you want a simple forwarder, so use that and point it towards OpenDNS, or put the resolver in forwarder mode..

kejianshi:

                        I just read the entire thread and am not sure what you want.

                        Perhaps it would be better to simply ask what behavior are you looking for?

serialdie:

                          @johnpoz:

                          No there isn't, if all you want to do is forward it to OpenDNS..

                          Sorry dude, but there is NO way to help you skin the cat if we don't know what breed it is.. Without details of what you're wanting to accomplish we are just guessing.. From your statements you want a simple forwarder, so use that and point it towards OpenDNS, or put the resolver in forwarder mode..

                          johnpoz,

                          Like I said before, you are right, and yes, I didn't post enough of what I am trying to accomplish.

                          I use DNS Forwarder (Unbound) mainly because of DNSSEC validation and caching, and also because I am a beta tester for pfblocker-NG and it uses DNSBL in conjunction with DNS Resolver. I have been using OpenDNS since God knows when and I thought it would be a good idea to use their DNS query reporting for those times where it had to validate/re-cache a query. I figured that I could modify the root.hints and add the OpenDNS servers as one of the primary root DNS servers… But I think I read somewhere that OpenDNS strips DNSSEC queries because of its own validation... Hence rendering my idea useless...

                          I do understand that unbound (DNS Forwarder) has statistics and reporting capabilities but I am not sure this can be turned on in pfSense.
                          So to answer everybody's question, all I am trying to accomplish is to be able to see all of my query statistics.

                          Thanks All! :D

johnpoz (LAYER 8 Global Moderator):

                            The forwarder has the ability to log every query, yes.. The Resolver does not.

                            If you just forward queries, it kind of defeats the purpose of DNSSEC, does it not.. At some point the forwarder you're using, if it is just a forwarder itself, has to send to a resolver; do the resolvers it uses do DNSSEC??

                            If what you want is DNSSEC, then yes, running your own actual resolver is the way to go. Logging of actual queries does not seem like something unbound does. Use BIND, or another method of logging DNS traffic and parsing it. dnstop comes to mind. Better might be Suricata; it does DNS logging, even TXT queries I do believe.

                            Not sure if the Suricata package for pfSense makes it easy to do or not, have not played with it much.

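On the logging point: unbound does have a server option, `log-queries: yes`, that writes one line per query (client address, name, type and class) to its log, and on pfSense it can be placed in the DNS Resolver's Custom options box; it makes unbound noticeably slower, and `unbound-control stats` gives counters without per-query lines. What follows is an added example, not code from the thread, from unbound or from pfSense: it turns such log lines into the per-client and per-name statistics asked for above and flags unusual query types, which is the first thing a defender looks for in a DNS log. It assumes each query line ends in `info: <client> <qname> <qtype> <qclass>`; the sample lines are constructed, not captured from a real box.

```python
"""Summarize unbound `log-queries` output into per-client / per-name counts.

Added example; not part of the thread and not pfSense or unbound code.  It
assumes the line shape unbound produces with `log-queries: yes`: a prefix
(timestamp or syslog header and the pid:thread tag) followed by
    info: <client-ip> <qname> <qtype> <qclass>
SAMPLE_LOG below is constructed for the example, not captured.
"""
import re
from collections import Counter

QUERY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+)\s*$"
)

# Constructed sample: direct unbound log lines, one syslog-prefixed line as
# pfSense would ship it, and one non-query line the parser must ignore.
SAMPLE_LOG = """\
[1700000000] unbound[4321:0] info: 192.168.1.10 www.example.com. A IN
[1700000000] unbound[4321:0] info: 192.168.1.10 www.example.com. AAAA IN
[1700000001] unbound[4321:1] info: 192.168.1.22 update.example.net. A IN
Jan 10 12:00:02 pfSense unbound: [4321:0] info: 192.168.1.10 _ldap._tcp.corp.example. SRV IN
[1700000003] unbound[4321:0] info: 192.168.1.22 tracker.example.org. TXT IN
[1700000003] unbound[4321:0] notice: init module 0: validator
"""

# Everyday record types on a home or office LAN; anything else gets a look.
COMMON_TYPES = ("A", "AAAA", "PTR", "SRV", "MX", "CNAME", "SOA", "NS")


def parse_queries(text):
    """Yield (client, qname, qtype, qclass) for each query line; skip the rest."""
    for line in text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group("client"), m.group("qname").lower(), m.group("qtype"), m.group("qclass")


def summarize(text):
    """The counts a practitioner wants from a query log: who asks, for what, and of what type."""
    by_client, by_name, by_type = Counter(), Counter(), Counter()
    for client, qname, qtype, _ in parse_queries(text):
        by_client[client] += 1
        by_name[qname] += 1
        by_type[qtype] += 1
    return {"clients": by_client, "names": by_name, "types": by_type}


def unusual_types(text, allowed=COMMON_TYPES):
    """Return (client, qname, qtype) for queries outside the everyday set.

    A client sending many TXT (or NULL) queries to one domain is the classic
    shape of DNS tunnelling or C2 beaconing and is worth chasing down."""
    return [(c, n, t) for c, n, t, _ in parse_queries(text) if t not in allowed]


if __name__ == "__main__":
    stats = summarize(SAMPLE_LOG)
    print("queries per client:", dict(stats["clients"]))
    print("top names:", stats["names"].most_common(3))
    print("types:", dict(stats["types"]))
    print("unusual:", unusual_types(SAMPLE_LOG))
```

Run it against `/var/log/resolver.log` (the file pfSense writes unbound's log to) by reading the file into `summarize()`; the per-type counter and `unusual_types()` are the part that turns a query log into something a DNSBL or IDS alert can be cross-checked against.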
serialdie:

                              @johnpoz:

                              The forwarder has the ability to log every query, yes.. The Resolver does not.

                              If you just forward queries, it kind of defeats the purpose of DNSSEC, does it not.. At some point the forwarder you're using, if it is just a forwarder itself, has to send to a resolver; do the resolvers it uses do DNSSEC??

                              If what you want is DNSSEC, then yes, running your own actual resolver is the way to go. Logging of actual queries does not seem like something unbound does. Use BIND, or another method of logging DNS traffic and parsing it. dnstop comes to mind. Better might be Suricata; it does DNS logging, even TXT queries I do believe.

                              Not sure if the Suricata package for pfSense makes it easy to do or not, have not played with it much.

                              johnpoz,

                              Thanks for your reply.

© 2021 Rubicon Communications, LLC