Dumb Question re: DNS Config

Started by JdeFalconr, September 16, 2021, 07:48:12 PM

I know this is a dumb question but I need a hand here. What I need some help with is understanding how my current config is handling DNS requests at all and where it's sending them. I presently have Unbound DNS enabled with Forwarding Mode not enabled. However in System/General the only DNS server I have configured is the LAN IP of the firewall itself and I have un-checked the option to allow my DNS list to be overridden by WAN DHCP (no I do not want to use Comcast DNS servers). In DHCP the only DNS server configured is also the LAN IP of the firewall itself. Besides dynamic DNS none of the other DNS services on the firewall are enabled.

So with that in mind everything seems to be pointing at the firewall but I don't see anywhere the firewall or its services are configured to point elsewhere. DNS queries are unquestionably being fulfilled but I'm not sure where in my configuration it's being defined. I looked at live firewall logs for destination port 53 on the WAN interface and I see a number of different IPs, some owned by Microsoft, others to random other destinations.

I totally get that what I should do here is just add some DNS servers in the System/General area. I just want to try and understand how things are working presently before I go and change it.

Thanks in advance for your help!

September 16, 2021, 08:35:47 PM #1 Last Edit: September 16, 2021, 09:35:43 PM by pmhausen
DNS is a worldwide distributed database. Any recursive nameserver like Unbound is capable of working completely on its own without any upstream service. Connect to the Internet - done. Name resolution working.

Now how does that work?

Your browser asks for the address of e.g. forum.opnsense.org and you just booted your firewall so there is nothing in the cache. In that case Unbound goes

... hmmm no idea about forum.opnsense.org, maybe opnsense.org?
... again, no clue - .org?
... nothing about .org in my cache. Dang!

The secret is that every nameserver comes preconfigured with the addresses of the nameservers that are authoritative for the root zone. Currently these:
$ dig . ns
[...]
. 155793 IN NS g.root-servers.net.
. 155793 IN NS l.root-servers.net.
. 155793 IN NS d.root-servers.net.
. 155793 IN NS f.root-servers.net.
. 155793 IN NS b.root-servers.net.
. 155793 IN NS e.root-servers.net.
. 155793 IN NS i.root-servers.net.
. 155793 IN NS c.root-servers.net.
. 155793 IN NS k.root-servers.net.
. 155793 IN NS h.root-servers.net.
. 155793 IN NS j.root-servers.net.
. 155793 IN NS a.root-servers.net.
. 155793 IN NS m.root-servers.net.
a.root-servers.net. 242192 IN A 198.41.0.4
b.root-servers.net. 242192 IN A 199.9.14.201
c.root-servers.net. 242192 IN A 192.33.4.12
d.root-servers.net. 242192 IN A 199.7.91.13
e.root-servers.net. 242192 IN A 192.203.230.10
f.root-servers.net. 242192 IN A 192.5.5.241
g.root-servers.net. 242192 IN A 192.112.36.4
h.root-servers.net. 242192 IN A 198.97.190.53
i.root-servers.net. 242192 IN A 192.36.148.17
j.root-servers.net. 242192 IN A 192.58.128.30
k.root-servers.net. 242192 IN A 193.0.14.129
l.root-servers.net. 242192 IN A 199.7.83.42
m.root-servers.net. 242192 IN A 202.12.27.33
a.root-servers.net. 242192 IN AAAA 2001:503:ba3e::2:30
b.root-servers.net. 242192 IN AAAA 2001:500:200::b
c.root-servers.net. 242192 IN AAAA 2001:500:2::c
d.root-servers.net. 242192 IN AAAA 2001:500:2d::d
e.root-servers.net. 242192 IN AAAA 2001:500:a8::e
f.root-servers.net. 242192 IN AAAA 2001:500:2f::f
g.root-servers.net. 242192 IN AAAA 2001:500:12::d0d
h.root-servers.net. 242192 IN AAAA 2001:500:1::53
i.root-servers.net. 242192 IN AAAA 2001:7fe::53
j.root-servers.net. 242192 IN AAAA 2001:503:c27::2:30
k.root-servers.net. 242192 IN AAAA 2001:7fd::1
l.root-servers.net. 242192 IN AAAA 2001:500:9f::42
m.root-servers.net. 242192 IN AAAA 2001:dc3::35


So it picks one of those at random and asks it about the whereabouts of the .org zone:
$ dig org ns @202.12.27.33
[...]
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS d0.org.afilias-nst.org.
a0.org.afilias-nst.info. 172800 IN A 199.19.56.1
a2.org.afilias-nst.info. 172800 IN A 199.249.112.1
b0.org.afilias-nst.org. 172800 IN A 199.19.54.1
b2.org.afilias-nst.org. 172800 IN A 199.249.120.1
c0.org.afilias-nst.info. 172800 IN A 199.19.53.1
d0.org.afilias-nst.org. 172800 IN A 199.19.57.1
a0.org.afilias-nst.info. 172800 IN AAAA 2001:500:e::1
a2.org.afilias-nst.info. 172800 IN AAAA 2001:500:40::1
b0.org.afilias-nst.org. 172800 IN AAAA 2001:500:c::1
b2.org.afilias-nst.org. 172800 IN AAAA 2001:500:48::1
c0.org.afilias-nst.info. 172800 IN AAAA 2001:500:b::1
d0.org.afilias-nst.org. 172800 IN AAAA 2001:500:f::1


Then it picks one of these and asks it about opnsense.org:
$ dig opnsense.org ns @199.19.56.1
[...]
opnsense.org. 86400 IN NS ns1.openprovider.nl.
opnsense.org. 86400 IN NS ns2.openprovider.be.
opnsense.org. 86400 IN NS ns3.openprovider.eu.


Dang! The nameservers for opnsense.org are not themselves part of the opnsense.org zone. So we need to start all over again with e.g. ns1.openprovider.nl - asking one of the root nameservers for .nl, then one of the .nl nameservers for openprovider.nl etc. Let's assume we got the address of ns1.openprovider.nl - it's 52.57.114.204.

And now, after all of that, we can ask that nameserver for the address of forum.opnsense.org:
$ dig forum.opnsense.org @52.57.114.204
[...]
forum.opnsense.org. 900 IN A 178.162.131.118


This is what happens at every single name lookup on the internet on any reasonable nameserver. If you don't run one, then probably your provider's.

HTH,
Patrick
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Thank you! That's an excellent explanation and a much more detailed one than I'd anticipated. So based on what you're saying would the advantage to specifying my own name servers (Settings / General) be to use things like DNSSEC or perhaps point exclusively at servers that are geographically closer?

September 16, 2021, 09:32:55 PM #3 Last Edit: September 16, 2021, 09:36:42 PM by pmhausen
Just enable DNSSEC and let your own resolver do its magic and you have the best privacy available. (IMHO).

If you use any upstream, that upstream gets all of your requests. DOH does not improve your privacy if you use a public service run by $company. That company sees all your requests.

If you run your own resolver, the root nameservers see your requests for the .com, .net, .de, ... nameservers.
The .org nameservers see your requests for opnsense.org.
The opnsense.org nameservers see your request for forum.opnsense.org.

There's no way to improve on that unless you use Tor ;)

BTW: some years ago the scenario was a bit different. Again picture a request for forum.opnsense.org.

Your nameserver: oh root nameserver, I am seeking forum.opnsense.org.
Root nameserver: no idea, but maybe that dude over there who manages .org can help you.
Your nameserver: oh .org nameserver, I am seeking forum.opnsense.org.
.org nameserver: no idea, but maybe that dude over there who manages opnsense.org can help you.
Your nameserver: oh opnsense.org nameserver, I am seeking forum.opnsense.org.
opnsense.org nameserver: why of course, it's at 178.162.131.118. Glad I could help.

But this is obviously a privacy leak. So the algorithm was changed to ask the root nameservers only for the top level domain and so on and so forth.
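An added toy resolver (not Patrick's code and not Unbound's) that walks the delegation chain from the earlier post, restarts from the root for the glueless ns1.openprovider.nl nameserver, and records which name each server sees with and without the query-name minimisation described above. The zone data is a hand-built snapshot of the dig output in this thread; the .nl delegation (ns1.dns.nl, 192.0.2.1) is a placeholder.

```python
from typing import Dict, List, Optional, Tuple
# Constructed snapshot of the delegation chain, one nameserver per zone for brevity.
# children: child zone -> (nameserver name, glue or None). The .nl entries are placeholders.
ZONES: Dict[str, dict] = {
    ".": {"records": {}, "children": {"org.": ("a0.org.afilias-nst.info.", "199.19.56.1"),
                                      "nl.": ("ns1.dns.nl.", "192.0.2.1")}},  # placeholder
    "org.": {"records": {}, "children": {"opnsense.org.": ("ns1.openprovider.nl.", None)}},
    "nl.": {"records": {}, "children": {"openprovider.nl.": ("ns1.openprovider.nl.", "52.57.114.204")}},
    "opnsense.org.": {"records": {"forum.opnsense.org.": "178.162.131.118"}, "children": {}},
    "openprovider.nl.": {"records": {"ns1.openprovider.nl.": "52.57.114.204"}, "children": {}},
}
ROOT_HINT = "202.12.27.33"  # m.root-servers.net, the root server queried in the thread

def authoritative(zone: str, name: str) -> Tuple[str, object]:
    """What the server for `zone` replies: the A record, or a referral to a child zone."""
    z = ZONES[zone]
    if name in z["records"]:
        return "answer", z["records"][name]
    for child, (ns, glue) in z["children"].items():
        if name == child or name.endswith("." + child):
            return "referral", (child, ns, glue)
    raise LookupError(name)  # NXDOMAIN

def next_label(qname: str, zone: str) -> str:
    """Query-name minimisation: reveal only one more label than `zone` already has."""
    labels = qname.rstrip(".").split(".")
    keep = 1 + (0 if zone == "." else len(zone.rstrip(".").split(".")))
    return ".".join(labels[-keep:]) + "."

def resolve(qname: str, minimise: bool = True, log: Optional[List] = None, depth: int = 0) -> str:
    """Iterative lookup from the root hints; `log` collects (zone, server, name sent)."""
    log = [] if log is None else log
    if depth > 5:
        raise RuntimeError("delegation loop while resolving " + qname)
    zone, server = ".", ROOT_HINT
    while True:
        sent = next_label(qname, zone) if minimise else qname
        log.append((zone, server, sent))
        kind, data = authoritative(zone, sent)
        if kind == "answer":
            return data
        child, ns, glue = data
        # Glueless delegation: start over from the root to learn the NS address first
        server = glue or resolve(ns, minimise, log, depth + 1)
        zone = child

def names_seen_by(zone: str, minimise: bool) -> List[str]:
    log: List = []  # query names the server for `zone` sees while resolving the forum host
    resolve("forum.opnsense.org.", minimise, log)
    return sorted({sent for z, _, sent in log if z == zone})
```

With minimise=True the root server only ever sees org. and nl.; with minimise=False it sees the full names forum.opnsense.org. and ns1.openprovider.nl., which is the leak the post describes.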

Thanks! You've been very helpful. The only downside is that I'm trying to use a dynamic DNS updater and those require either letting my DNS config be overridden by WAN DHCP or specifying DNS servers. I currently have the router itself specified and that isn't working (unsurprisingly) so I guess I'll have to bite the bullet and pick some to specify.