Using pfSense with a L3 core switch

I have also done some experimenting with DNS some time ago. I used THIS tool and could not find anything better than using Unbound with the below settings. All my clients have 192.168.1.1 as DNS server and I cannot recall that I had to use another setting for that in pfSense to enable the clients to pick this up when set to DHCP. The guideline is to leave the DNS settings in the DHCP service blank to ensure the below is applied.
 
Me too, ddaenen1, except I use DNS forwarder and QUAD9. Have you tried using "Use Local DNS (127.0.0.1), ignore remote DNS Servers"?
I run DHCP off my Cisco L3 switch. I am not seeing a real difference in using pfsense LAN IP vs 9.9.9.9 but it sounds like Windows 11 does local caching when using 9.9.9.9. I am trying to figure it out. I would think you could plug in 8.8.8.8 since you are using it for DNS in your clients as an override on DNS and maybe not see a difference. You need to run it long enough to make sure caching is working.
When I set my switch up I am going to set up DHCP to hand out the DNS for all networks. I am playing around waiting for my StarTech console cable to arrive.

Local caching may be better. So, I might stay with using 9.9.9.9 for all my Windows PCs. I am still testing.

I have also done some experimenting with DNS some time ago. I used THIS tool and could not find anything better than using Unbound with the below settings. All my clients have 192.168.1.1 as DNS server and I cannot recall that I had to use another setting for that in pfSense to enable the clients to pick this up when set to DHCP. The guideline is to leave the DNS settings in the DHCP service blank to ensure the below is applied.

Unbound will use these settings only if Enable Forwarding Mode is checked.
Otherwise it will resolve domains by itself.
 
I found Windows 11 DNS cache by default is 1 day. This may be my option. I wonder how long pfsense caches DNS. I will try to find it. What I found is pfsense's cache is 15 minutes. I am thinking 1 day is better. Sites that I go to don't really change IPs very often.
So, I am still thinking using 9.9.9.9 in DHCP for clients instead of pfsense LAN IP. I wonder how Apple handles DNS? It may have to settle with 15 minutes.
I go to a lot of the same sites. If I hit a site in the morning and then later want to check it in the afternoon with my Windows 11 PC the site will still be cached. If I use pfsense then it will have already expired so it will be slower access the first time in the afternoon. I see no reason not to take advantage of the longer cache. I know we are not talking that much time.
 
Unbound will use these settings only if Enable Forwarding Mode is checked.
Otherwise it will resolve domains by itself.
So what is the better choice here? I always used the resolver as it was the default setting in pfSense. I am sure my cache is extensive as pfSense has been running in this config for a couple of years now. Even whilst understanding the difference between resolver and forwarder, I haven't figured out which one is the better choice and why...
 
I found Windows 11 DNS cache by default is 1 day. This may be my option. I wonder how long pfsense caches DNS. I will try to find it. What I found is pfsense's cache is 15 minutes. I am thinking 1 day is better. Sites that I go to don't really change IPs very often.
So, I am still thinking using 9.9.9.9 in DHCP for clients instead of pfsense LAN IP. I wonder how Apple handles DNS? It may have to settle with 15 minutes.
I go to a lot of the same sites. If I hit a site in the morning and then later want to check it in the afternoon with my Windows 11 PC the site will still be cached. If I use pfsense then it will have already expired so it will be slower access the first time in the afternoon. I see no reason not to take advantage of the longer cache. I know we are not talking that much time.
This is the max time for cache. Most sites use dns records that expire very shortly, like after 300 seconds.
After a dns record is expired OR after max time for cache has passed, the dns record is deleted from cache.
What you are looking for is the "serve stale" option on Unbound, that always gives you answers from the cache, even when they are expired.
 
So what is the better choice here? I always used the resolver as it was the default setting in pfSense. I am sure my cache is extensive as pfSense has been running in this config for a couple of years now. Even whilst understanding the difference between resolver and forwarder, I haven't figured out which one is the better choice and why...
If you want your dns queries to be encrypted over HTTP or TLS, you need unbound as forwarder.
Also, if you need the security lists (protection) of Quad9 and Cisco Umbrella, then you need unbound as forwarder to these dns providers.
In other cases, unbound works fine as a resolver.
 
I was wondering why Unbound had a tickbox for forwarding and there was a separate forwarder in the services list (which I now learned is dnsmasq), so today I learned something new again, which is always a good thing. In fact, I see a noticeable improvement in browser response time when I activate the forwarding option in Unbound (just tried that). I am not going to check out dnsmasq as pfBlockerNG needs Unbound and I am quite happy with pfBlockerNG.
 
If you want your dns queries to be encrypted over HTTP or TLS, you need unbound as forwarder.
Also, if you need the security lists (protection) of Quad9 and Cisco Umbrella, then you need unbound as forwarder to these dns providers.
In other cases, unbound works fine as a resolver.
My thinking is that being in the US and using a major ISP that I am safe using DNS forwarding. If I was out of country, then definitely unbound.
I do not plan to encrypt DNS. I don't want to encrypt anything I don't have to. At some point I want IDS/IPS.

I ran tracert to Spectrum's DNS and to QUAD9. QUAD9 is less hops. I think QUAD9 has direct exit from Spectrum. So, I feel like forwarding DNS is OK for me. Spectrum is my ISP.
 
What you are looking for is the "serve stale" option on Unbound, that always gives you answers from the cache, even when they are expired.
So, tell me about serve stale? Is that an option in pfsense? This might change my thinking on unbound.
PS
I found serve expired option in pfsense. Is that what you are talking about?
 
So, tell me about serve stale? Is that an option in pfsense? This might change my thinking. Does it live on pfsense?
"Serve Expired" works both in forwarding and resolver mode.

Let's say, instagram.com has a DNS TTL (time to live) of 300 seconds. So, this record can live in cache for 300 seconds and it is served to clients for this amount of time.

With unbound and pfsense, you can manipulate this behaviour in 2 ways:
1. You can check the Serve Expired option, so this record will stay forever in cache and will be updated when a client asks for it.
So the client gets the expired answer really fast and afterwards unbound refreshes the record in the background.

2. You can change the value in "Minimum TTL for RRsets and Messages" to whatever you want (don't push it over 3600 seconds though). In this way, you increase the time of small TTL so the records will live in cache longer. In our example, if you set the value to 600 seconds, the dns record will be served from cache for 600 instead of 300 seconds. I prefer this approach.

Serve Expired is more dangerous (because dns records can be irrelevant after some hours) but has an extra benefit. If the DNS server of a site is down and unbound cannot reach it to get an answer, you will still be able to access the site because you will always be served from cache.
For example, if the DNS server of instagram goes down, nobody will be able to access the site after 300 seconds, except from you.
 
"Serve Expired" works both in forwarding and resolver mode.

Let's say, instagram.com has a DNS TTL (time to live) of 300 seconds. So, this record can live in cache for 300 seconds and it is served to clients for this amount of time.

With unbound and pfsense, you can manipulate this behaviour in 2 ways:
1. You can check the Serve Expired option, so this record will stay forever in cache and will be updated when a client asks for it.
So the client gets the expired answer really fast and afterwards unbound refreshes the record in the background.

2. You can change the value in "Minimum TTL for RRsets and Messages" to whatever you want (don't push it over 3600 seconds though). In this way, you increase the time of small TTL so the records will live in cache longer. In our example, if you set the value to 600 seconds, the dns record will be served from cache for 600 instead of 300 seconds. I prefer this approach.

Serve Expired is more dangerous (because dns records can be irrelevant after some hours) but has an extra benefit. If the DNS server of a site is down and unbound cannot reach it to get an answer, you will still be able to access the site because you will always be served from cache.
For example, if the DNS server of instagram goes down, nobody will be able to access the site after 300 seconds, except from you.
Ok. I switched back to unbound with forwarding to 9.9.9.9. I set Serve Expired. I upped Minimum TTL for RRset to 600 seconds. I will run this for a while. Thanks for the help.
I am going to use 9.9.9.9 for my DHCP server.
 
I suggest to use encrypted DNS as well, as with Serve Expired feature you will not see any delay due to the encryption. You will be served instantly from cache.

Just check “Use SSL/TLS for outgoing DNS” on unbound and put this hostname next to each quad9 IP:
“dns.quad9.net”
 
I suggest to use encrypted DNS as well, as with Serve Expired feature you will not see any delay due to the encryption. You will be served instantly from cache.

Just check “Use SSL/TLS for outgoing DNS” on unbound and put this hostname next to each quad9 IP:
“dns.quad9.net”
Ok. done.
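For reference, the three pfSense settings discussed above (Serve Expired, Minimum TTL for RRsets and Messages, and forwarding over TLS to Quad9) written as a plain Unbound configuration fragment. This is an added example, not any poster's configuration and not what pfSense itself generates; the serve-expired-ttl value and the certificate bundle path are assumptions.

```conf
# Added example: unbound.conf equivalent of the pfSense GUI settings in this
# thread. pfSense writes its own unbound.conf, so read this side by side with
# the GUI rather than pasting it in as a whole.
server:
    # "Serve Expired": answer from cache after the record's TTL has passed,
    # then refresh the record in the background on the next query.
    serve-expired: yes
    # Caveat: the GUI checkbox serves stale records with no upper bound.
    # Bounding it limits how long an outdated answer can keep being handed
    # out once a site has really moved.
    serve-expired-ttl: 86400        # assumption: one day, not a thread value
    # Refresh popular records shortly before they expire.
    prefetch: yes
    # "Minimum TTL for RRsets and Messages": the 300-second instagram.com
    # record from the example is kept for 600 seconds instead.
    cache-min-ttl: 600
    cache-max-ttl: 86400
    # CA bundle used to verify the upstream's TLS certificate; the path
    # differs per install (assumption).
    tls-cert-bundle: "/etc/ssl/cert.pem"

# "Enable Forwarding Mode" plus "Use SSL/TLS for outgoing DNS": send all
# queries to Quad9 over DNS-over-TLS (port 853) and check the certificate
# against the hostname given in the thread. Add one forward-addr line per
# Quad9 IP configured in the GUI.
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 9.9.9.9@853#dns.quad9.net
```

Without tls-cert-bundle, Unbound cannot authenticate the hostname after the #, so the TLS session protects against eavesdropping but not against a spoofed upstream.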
 
Well, I am using Microsoft Edge's default page and I am noticing some empty squares that don't paint right away. I have done like 20 new tabs and it is not painting as fast. Before it would paint the full first page all at once. So I think it is slower. Any ideas?

I am using a Dell laptop with an i9 CPU.
PS
It is definitely slower. When I use the page down key on the Edge default screen it slows down with missing blank boxes. It is slow from the get go using the page down key. If I did this the old way it would page for a while and then slow down. It is slower this way. Did I miss something?

I tried both using 9.9.9.9 and pfsense LAN IP in my Windows 11 laptop and they are both slow. I can't really see a difference.

Ok, I disabled DNSSEC, unchecked it and it had no effect I could tell. It is still slow.
I don't think it is QUAD9 as the cache should pick up and make it faster but it does not.

I ran DNS lookup. Did you notice 127.0.0.1 shows in diagnostic as 180 msec whereas QUAD9 is 18 msec? Why so long on the loopback IP?
 
Ok, I disabled DNSSEC and it had no effect I could tell. It is still slow.
I don't think it is QUAD9 as the cache should pick up and make it faster but it does not.

I ran DNS lookup. Did you notice 127.0.0.1 shows in diagnostic as 180 msec whereas QUAD9 is 18 msec? Why so long on the loopback IP?
180ms is due to dns encryption, but it is not that big to cause problems.
Also, since you use 9.9.9.9 as dns on laptop and still have the problem, it is not pfsense related.
 
OK. I will switch back to forwarding.
I am actually using the pfsense LAN IP right now.

I am still seeing 2 white boxes on painting but it is faster. I can tell the cache is working. The dns encryption runs at the same speed like the cache is not working.
I am not sure I have everything back the way it was. I will look at it tomorrow. But it is faster now. DNS encryption kind of lags for me.

PS
I just looked at the logs and it says caching is working. So I don't know.
Jun 13 23:52:59 unbound 61773 [61773:0] info: server stats for thread 3: 205 queries, 104 answers from cache, 101 recursions, 35 prefetch, 0 rejected by ip ratelimiting

Here's mine pretty much at 0ms.. Yeah 180sec was a lot..