Unbound Query Forwarding



  • Dear All,

I would like to ask why the DNS Query Forwarding disabled is the preferable default method? As I know it will ask the root servers for DNS queries, which are at the top of the hierarchy. I thought that the normal behaviour is that every DNS server communicates with the servers one level up. On the other hand, if every pfSense asks the root servers, that can be like a DDoS effect.
    Or I misunderstood something in the documentation…


  • Rebel Alliance Developer Netgate

    One of the main reasons is that it's the best way to ensure that DNSSEC functions properly. If your forwarding servers don't support DNSSEC, you'll have broken DNS in other ways… It's also the safest and most usable default from a user perspective. It will work even if the user doesn't configure their firewall DNS servers properly (or at all).


  • LAYER 8 Global Moderator

    ddos?  If every instance of pfsense on the planet queried the roots all at the same time.. I don't even think that would be a blip on their radar for traffic ;)

Keep in mind that once the next level servers are cached, say .net, .com, .org etc..  The actual roots are not queried again until the ttl on those expires.  And then the 2nd level is not even queried unless you're looking for a new domain that they are authoritative for.  So you don't query the .org servers unless you're looking up a domain.org that you have not looked for before.  Once you find the name servers for pfsense.org, you don't query the .org servers again until that ttl expires.

Unbound is still caching..  It's not that every query your clients do is going all the way to the roots.

Getting the info from the horse's mouth, with the use of dnssec, is by far the more secure option in doing dns queries..  While this form of lookups can at times be a bit slower, if the authoritative servers for a specific domain are shitty or on the other side of the planet from you.. Compared to just asking your isp dns, that might already have whatever you were looking for cached because one of their thousands of other clients has recently looked up the same thing as you ;)  IMHO running your own resolver with dnssec is far superior in the big picture.

I think the biggest issue is users of pfsense not understanding the actual difference between a forwarder and a resolver.  It could fail with some shitty isp that does some sort of dns hijacking to their servers or only allows udp/tcp 53 to their name servers, etc.  But you would hope that these sorts of isp are very limited in scope.
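The caching argument above, as an added Python simulation that is not from this thread or from Unbound itself: a toy iterative resolver walks a constructed delegation tree from the roots, caches each referral for its TTL, and counts how often each server is actually asked. All zone names, nameserver names, TTLs and timestamps are constructed for the example.

```python
from collections import Counter

# Constructed toy delegation tree (not real DNS data): zone (labels root-first)
# -> (authoritative nameserver for that zone, TTL of the NS referral in seconds).
ROOT_NS = "a.root-servers.net"
DELEGATIONS = {
    ("org",): ("a.gtld-org.example", 172800),
    ("org", "pfsense"): ("ns1.pfsense.example", 86400),
    ("org", "example"): ("ns1.example-org.example", 86400),
    ("net",): ("a.gtld-net.example", 172800),
    ("net", "example"): ("ns1.example-net.example", 86400),
}

class IterativeResolver:
    """Walks the hierarchy from the roots and caches each referral until its TTL expires."""

    def __init__(self):
        self.cache = {}            # zone -> (nameserver, expiry timestamp)
        self.queries = Counter()   # nameserver -> number of queries sent to it

    def resolve(self, name, now):
        """Return the nameserver that finally answers for `name`, or None if unknown."""
        labels = tuple(reversed(name.rstrip(".").split(".")))
        zone, ns = (), ROOT_NS
        # Start at the deepest unexpired delegation we already know, not at the roots.
        for i in range(1, len(labels)):
            cached = self.cache.get(labels[:i])
            if cached and cached[1] > now:
                zone, ns = labels[:i], cached[0]
        while True:
            self.queries[ns] += 1
            if zone == labels[:-1]:
                return ns                       # this server is authoritative: final answer
            child = labels[:len(zone) + 1]
            if child not in DELEGATIONS:
                return None                     # no such delegation: NXDOMAIN
            child_ns, ttl = DELEGATIONS[child]
            self.cache[child] = (child_ns, now + ttl)   # keep the referral for its TTL
            zone, ns = child, child_ns

def demo():
    """Five lookups over time; returns how many queries each nameserver received."""
    r, t0 = IterativeResolver(), 1_000_000
    r.resolve("www.pfsense.org", t0)            # cold cache: root, .org, pfsense.org
    r.resolve("forum.pfsense.org", t0 + 60)     # only pfsense.org's server is asked
    r.resolve("www.example.org", t0 + 120)      # .org asked once more, roots not
    r.resolve("www.example.net", t0 + 180)      # roots again: .net not cached yet
    r.resolve("www.pfsense.org", t0 + 200_000)  # NS TTLs expired: back to the roots
    return dict(r.queries)
```

Of the twelve upstream queries the five lookups generate, only three reach the root server, and the second lookup for a cached zone never leaves the authoritative server for that zone.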



  • Dear Jimo and Johnpoz,

    Thank you for the answers! I totally forgot the caching mechanism. It's clear.
    Have a nice day!

