Differences

This shows you the differences between two versions of the page.

--- pfsense:install_pfsense:dns_configuration [2021/06/18 09:28] – [DNS Resolver] peter
+++ pfsense:install_pfsense:dns_configuration [2022/10/20 09:05] (current) – [Advanced Privacy Options] peter
@@ Line 20: / Line 20: @@
   * Outgoing Network Interfaces:  **WAN**.
-<WRAP center round todo 60%>
+<WRAP info>Default is actually **ALL**.
-Default is actually ALL.  Check if changing to WAN stops anything.  What is the diff etc.
-</WRAP>
+  * By default the DNS Resolver utilizes all interfaces for outbound queries so it will source the query from whichever interface and IP address is closest to the target server from a routing perspective.
+    * Selecting specific interfaces will limit the choices to only specific interfaces that may be used as a source of queries.
+  * Controls which interfaces the firewall will utilize when sending its own queries to other DNS servers.
+    * Can be set for instance to a VPN interface to to prevent DNS leaks.
+    * Or by deselecting the WAN interface to force pfSense to use a local DNS server, like pihole.
+    * Or only select localhost if pfSense is running a BIND DNS server.
+</WRAP>
   * System Domain Local Zone Type:  **Transparent**.  Static is an alternative option to be look at here.
-<WRAP center round todo 60%>
+<WRAP info>
-Default is actually Transparent.  Check what diff using Static makes.
+**NOTE:**  The local-zone **type** can be:
+  * **deny** serves local data (if any), else, drops queries.
+  * **refuse** serves local data (if any), else, replies with error.
+  * **static** serves local data, else, nxdomain or nodata answer.
+  * **transparent** gives local data, but resolves normally for other names.
+  * **redirect** serves the zone data for any subdomain in the zone.
+  * **nodefault** can be used to normally resolve AS112 zones.
+  * **typetransparent** resolves normally for other types and other names.
+  * **inform** acts like transparent, but logs client IP address.
+  * **inform_deny** drops queries and logs client IP address.
+  * **inform_redirect** redirects queries and logs client IP address
+  * **always_transparent** resolve in that way but ignore local data for that name.
+  * **always_refuse** resolve in that way but ignore local data for that name.
+  * **always_nxdomain** resolve in that way but ignore local data for that name.
+  * **noview** breaks out of that view towards global local-zones.
 </WRAP>
@@ Line 58: / Line 83: @@
 view:
     name: "CLEAR"
-    view-first: yes
+    view-first: no
+    include: /var/unbound/host_entries.conf #Host overrides AND DHCP reservations
+    include: /var/unbound/dhcpleases_entries.conf #DHCP leases
 view:
     name: "IOT"
-    view-first: no
+    view-first: yes
-    local-data: "localdomain. 10800 IN SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800"
+    include: /var/unbound/pfb_dnsbl.*conf
-    include: /var/unbound/pfb_dnsbl.*conf
 view:
     name: "GUEST"
@@ Line 77: / Line 103: @@
   * The **LAN** view, is the default one handling the LAN, and does include the pfBlockerNG DNSBL checks.
   * The **CLEAR** view, does NOT include pfBlockerNG DNSBL checks, i.e. it bypasses these additional checks.
-  * The **IOT** view does include the pfBlockerNG DNSBL checks.
-    * It could be configured to use local-data for DNS queries. <code>
-view:
-    name: "IOT"
-    view-first: no
-    local-data: "localdomain. 10800 IN SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800"
-    include: /var/unbound/pfb_dnsbl.*conf
-</code>
     *  The **view-first: no** means it also does not use the Global zone for data queries. <WRAP important>
 **WARNING:**  With the **view-first: no**, it might result in some devices, such as mobile phones, taking a long time (~30s) to connect to the network at first.
@@ Line 90: / Line 108: @@
 You should consider whether to allow this to be changed to **view-first: yes**.
 </WRAP>
+  * The **IOT** view does include the pfBlockerNG DNSBL checks.
   * The **GUEST** view includes pfBlockerNG DNSBL checks.
@@ Line 106: / Line 124: @@
 ----
+==== Using local-data ====
+An option that could be configured is to use local-data for DNS queries. For example: <code>
+view:
+    name: "IOT"
+    view-first: no
+    local-data: "localdomain. 10800 IN SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800"
+    include: /var/unbound/pfb_dnsbl.*conf
+</code>
 The **local-data** parameters declares the DNS Resolver as authoritative for .localdomain.
@@ Line 220: / Line 248: @@
     * Even though this is increased, not all the space will necessarily be used for caching:
     * The malloc code in FreeBSD is very good and the actual cache size that is used might be lower most of the time than set here.
-    * Memory fragmentation (the space between allocated memory blocks) will increases slowly, so not all of the cache will actually be used for "proper" caching.
+    * Memory fragmentation (the space between allocated memory blocks) will increase slowly, so not all of the cache will actually be used for "proper" caching.
     * Unbound has an internal alloc-check mode that tests memory as well (The Unbound extra memory checks are slow) which will set actual caching usage.