DNS Resolver



  • Team where can I define which server to use for external lookups in dns resolver?
    TIA!


  • LAYER 8 Global Moderator

    Clearly you don't understand what a resolver is ;)

    A "resolver" uses the root hints to walk down the dns tree to finally talk to the authoritative server of the specific domain your trying to look up.  So if you want to find www.domainx.net

    It asks roots, hey roots who is NS for .net, ok thanks hey NS server for .net who is NS for domainx, ok thanks - hey NS for domainx what is A record for host called www

    Do you want to modify the root hints?



  • @johnpoz:

    Clearly you don't understand what a resolver is ;)

    A "resolver" uses the root hints to walk down the dns tree to finally talk to the authoritative server of the specific domain your trying to look up.  So if you want to find www.domainx.net

    It asks roots, hey roots who is NS for .net, ok thanks hey NS server for .net who is NS for domainx, ok thanks - hey NS for domainx what is A record for host called www

    Do you want to modify the root hints?

    lol… I understand what it is.
    Because I didn't use technical wording does not mean I don't know what it is ;)

    You got the point right?

    Yes that's what I am trying to modify.

    Thanks for the help!


  • LAYER 8 Global Moderator

    So you want to use your own internal root hints?  There was a feature request for custom months ago https://redmine.pfsense.org/issues/4368

    To be honest if your wanting to use your own custom root.hints file the unbound package in pfsense prob not your best idea, why would you not run your own on its own dns be with bind or true install of unbound?

    What exactly are you wanting to accomplish, if you just need to resolve a custom tld pretty sure domain over rides would work..



  • @johnpoz:

    So you want to use your own internal root hints?  There was a feature request for custom months ago https://redmine.pfsense.org/issues/4368

    To be honest if your wanting to use your own custom root.hints file the unbound package in pfsense prob not your best idea, why would you not run your own on its own dns be with bind or true install of unbound?

    What exactly are you wanting to accomplish, if you just need to resolve a custom tld pretty sure domain over rides would work..

    johnpoz,

    After some research I came across that same request. You are right unbound is not what I need and I need something like bind but after some careful thought and revising at what I am trying to accomplish which was route all my dns traffic through opendns for reporting purposes its really not worth it.

    Thanks for the help!



  • If you want to use opendns simply use the dns relay or set dns resolver to work in relay mode.


  • LAYER 8 Global Moderator

    Yeah exactly, if you just want tu use opendns a "resolver" is not what your after at all - which again I point to my original thought that you don't actually understand what a "resolver" is ;)

    Just use dnsmasq which is the forwarder still included in pfsense, under dns "forwarder" vs resolver..



  • Johnpoz,

    You make funny statements… LOL
    There is a reason why use a resolver but this is a dead thread and there is no reason to keep going back and forward. Thanks again to all for the help.


  • LAYER 8 Global Moderator

    No there isn't if all you want to do is forward it to opendns..

    Sorry dude but there is NO way to help you skin the cat if we don't know what breed it is..  Without details of what your wanting to accomplish we are just guessing..  From your statements you want a simple forwarder, so use that and point it towards opendns or put the resolver in forwarder mode..



  • I just read the entire thread and am not sure what you want.

    Perhaps it would be better to simply ask what behavior are you looking for?



  • @johnpoz:

    No there isn't if all you want to do is forward it to opendns..

    Sorry dude but there is NO way to help you skin the cat if we don't know what breed it is..  Without details of what your wanting to accomplish we are just guessing..  From your statements you want a simple forwarder, so use that and point it towards opendns or put the resolver in forwarder mode..

    johnpoz,

    Like I said before you are right, And yes I didn't post enough of what I am trying to accomplish.

    I use DNS Forwarder (Unbound) mainly because of DNSSEC validation and caching, and also because I am a beta tester for pfblocker-NG and it uses DNSBL in conjunction with DNS Resolver. I have been using opendns sense God knows when and I thought it would be a good idea to use their DNS query reporting for those times where it had to validate/re-cache a query. I figure that I could modify the root.hints and add opendns servers as one of primary root dns…. But I think I read somewhere that opendns strips DNSSEC query's because of its own validation... Hence rendering my idea useless...

    I do understand that unbound (DNS Forwarder) has statistic and reporting capabilities but I am not sure this can be turned on in pfsense.
    So to answer everybody's question, All I am trying to accomplish is to be able to see all of my query's statistics.

    Thanks All! :D


  • LAYER 8 Global Moderator

    forwarder has the ability to log every query yes.. Resolver does not.

    If you just forward queries, kind of defeats the purpose of dnssec does it not..  At some point the forwarder your using if just a forwarder itself has to send to a resolver, do the resolvers it uses do dnssec??

    If what you want is dnssec, then yes running your own actual resolver is the way to go.  Logging of actual queries does not seem like something unbound does.  Use bind, or another method of logging dns traffic and parsing it.  Dnstop comes to mind.  Better might be Suricata, it does dns logging, even txt queries I do believe.

    Not sure if the Suricata package for pfsense makes it easy to do or not, have not played with it much.



  • @johnpoz:

    forwarder has the ability to log every query yes.. Resolver does not.

    If you just forward queries, kind of defeats the purpose of dnssec does it not..  At some point the forwarder your using if just a forwarder itself has to send to a resolver, do the resolvers it uses do dnssec??

    If what you want is dnssec, then yes running your own actual resolver is the way to go.  Logging of actual queries does not seem like something unbound does.  Use bind, or another method of logging dns traffic and parsing it.  Dnstop comes to mind.  Better might be Suricata, it does dns logging, even txt queries I do believe.

    Not sure if the Suricata package for pfsense makes it easy to do or not, have not played with it much.

    johnpoz,

    Thanks for your reply.


Log in to reply