pfsense:install_pfsense:dns_configuration

Differences

This shows you the differences between two versions of the page.

pfsense:install_pfsense:dns_configuration [2022/10/20 08:44] peter
pfsense:install_pfsense:dns_configuration [2022/10/20 09:05] (current) – [Advanced Privacy Options] peter
Line 22: Line 22:
 <WRAP info>Default is actually **ALL**. <WRAP info>Default is actually **ALL**.
  
-  * The network(s) that the pfSense sends its queries out of+  * By default the DNS Resolver utilizes all interfaces for outbound queries so it will source the query from whichever interface and IP address is closest to the target server from a routing perspective. 
-    * Can be set for instance to a VPN interface to force pfSense to use the VPN.+    * Selecting specific interfaces will limit the choices to only specific interfaces that may be used as a source of queries. 
 + 
 +  * Controls which interfaces the firewall will utilize when sending its own queries to other DNS servers
 +    * Can be set for instance to a VPN interface to to prevent DNS leaks. 
 +    * Or by deselecting the WAN interface to force pfSense to use a local DNS server, like pihole. 
 +    * Or only select localhost if pfSense is running a BIND DNS server. 
 </WRAP> </WRAP>
  
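Review bot: the examples added under "Controls which interfaces the firewall will utilize" overstate what this setting does. Outgoing Network Interfaces only restricts which interface addresses Unbound may use as the source of its own queries; it does not pick the upstream server. Deselecting WAN does not by itself make pfSense "use a local DNS server, like pihole", and selecting only localhost does not make it use a local BIND instance: in resolver mode Unbound still tries to reach the root and authoritative servers, and reaching pihole or BIND requires forwarding mode with that server in the DNS server list, plus a route from the selected interface to it. Selecting an interface from which the upstream servers are unreachable breaks resolution for every client. Suggest rewording the three sub-bullets to "restricts the source address of pfSense's own queries, e.g. to a VPN interface so they cannot leak out the WAN" and adding that reachability caveat. Also, this second bullet group largely repeats the two bullets copied from the official description above it, and "to to prevent DNS leaks" has a doubled "to".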
Line 97: Line 103:
   * The **LAN** view, is the default one handling the LAN, and does include the pfBlockerNG DNSBL checks.   * The **LAN** view, is the default one handling the LAN, and does include the pfBlockerNG DNSBL checks.
   * The **CLEAR** view, does NOT include pfBlockerNG DNSBL checks, i.e. it bypasses these additional checks.   * The **CLEAR** view, does NOT include pfBlockerNG DNSBL checks, i.e. it bypasses these additional checks.
-  * The **IOT** view does include the pfBlockerNG DNSBL checks. 
-    * An option is that it could be configured to use local-data for DNS queries. <code> 
-view: 
-    name: "IOT" 
-    view-first: no 
-    local-data: "localdomain. 10800 IN SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800" 
-    include: /var/unbound/pfb_dnsbl.*conf     
-</code> 
     *  The **view-first: no** means it also does not use the Global zone for data queries. <WRAP important>     *  The **view-first: no** means it also does not use the Global zone for data queries. <WRAP important>
 **WARNING:**  With the **view-first: no**, it might result in some devices, such as mobile phones, taking a long time (~30s) to connect to the network at first. **WARNING:**  With the **view-first: no**, it might result in some devices, such as mobile phones, taking a long time (~30s) to connect to the network at first.
Line 110: Line 108:
 You should consider whether to allow this to be changed to **view-first: yes**. You should consider whether to allow this to be changed to **view-first: yes**.
 </WRAP> </WRAP>
 +  * The **IOT** view does include the pfBlockerNG DNSBL checks.
   * The **GUEST** view includes pfBlockerNG DNSBL checks.   * The **GUEST** view includes pfBlockerNG DNSBL checks.
  
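Review bot: moving the IOT bullet below the <WRAP important> block leaves the sub-bullet "The **view-first: no** means it also does not use the Global zone for data queries" and its WARNING orphaned. The view: snippet that set view-first: no was removed from directly above it, so the sub-bullet now hangs under the CLEAR view item, which never mentions view-first. Either keep the view-first note and its WARNING next to the configuration that sets view-first: no (now in the new "Using local-data" section) or reword it as a general note on views rather than a child of the CLEAR bullet. Minor: the IOT and GUEST bullets now say the same thing ("does include the pfBlockerNG DNSBL checks" / "includes pfBlockerNG DNSBL checks") and could be merged into one bullet listing both views.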
Line 126: Line 124:
  
 ---- ----
 +
 +==== Using local-data ====
 +
 +An option that could be configured is to use local-data for DNS queries. For example: <code>
 +view:
 +    name: "IOT"
 +    view-first: no
 +    local-data: "localdomain. 10800 IN SOA pfsense.localdomain. root.localdomain. 1 3600 1200 604800 10800"
 +    include: /var/unbound/pfb_dnsbl.*conf    
 +</code>
  
 The **local-data** parameters declares the DNS Resolver as authoritative for .localdomain.   The **local-data** parameters declares the DNS Resolver as authoritative for .localdomain.  
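Review bot: the new section shows a view with view-first: no but no longer carries the WARNING about the ~30 s connection delay that was attached to this exact snippet before the move; add a one-line pointer so a reader copying the block knows the trade-off. The same setting has a second consequence worth stating here: because the view does not fall back to the global zone, host overrides that pfSense writes as global local-data are not answered for clients in this view unless they are duplicated inside the view: block, so the local-data SOA line is only the first entry of what becomes a per-view copy of the localdomain. data. Trim the trailing whitespace after "include: /var/unbound/pfb_dnsbl.*conf" inside the <code> block.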
Line 240: Line 248:
     * Even though this is increased, not all the space will necessarily be used for caching:     * Even though this is increased, not all the space will necessarily be used for caching:
     * The malloc code in FreeBSD is very good and the actual cache size that is used might be lower most of the time than set here.     * The malloc code in FreeBSD is very good and the actual cache size that is used might be lower most of the time than set here.
-    * Memory fragmentation (the space between allocated memory blocks) will increases slowly, so not all of the cache will actually be used for "proper" caching.+    * Memory fragmentation (the space between allocated memory blocks) will increase slowly, so not all of the cache will actually be used for "proper" caching.
     * Unbound has an internal alloc-check mode that tests memory as well (The Unbound extra memory checks are slow) which will set actual caching usage.     * Unbound has an internal alloc-check mode that tests memory as well (The Unbound extra memory checks are slow) which will set actual caching usage.
  
pfsense/install_pfsense/dns_configuration.1666255478.txt.gz · Last modified: 2022/10/20 08:44 by peter
