Maybe a dumb DNS / pfSense question

Hey all,

I have all my customers using either Google or Quad9 for DNS; most of them go out through a pfSense box, some on Draytek routers, others just on the ISP router. A week or so ago there was an outage in the Quad9 data centre in Manchester, UK which affected several customers.

I always thought that DNS was done sequentially, trying primary, then secondary, etc., but it looks like, at least in the DNS forwarder, that pfSense can do either all at once or sequentially. There is no such option in the DNS resolver, but given that in the DNS forwarder it is an option that needs to be set, I am assuming the default is to do them all at once.

That got me thinking that it would make sense to have Quad9, Google, and the customer's ISP in the DNS forwarder.

Then I realised that the reason I use Quad9 is to get the malware / bad site protection, and that using additional servers would potentially mean that bad sites get through.

So, what do people think? Better to have more reliable DNS by using multiple providers for redundancy, or safer DNS by using one that filters?

If Quad9 fails to resolve a site due to it being malicious but another one does resolve it, you have voided any benefits of Quad9. Just use one and you should be fine. Quad9 has lots of redundant servers.

That was always my logic, but I did have problems a couple of weeks ago, and whilst most customers were OK with a 2 hour strange period where things were sporadically resolving, one in particular was very not OK.

Maybe I need to have the "if I mitigate problem A, it will potentially lead to problem B, which one would you prefer?" conversation (although the answer will be neither…).

Also, on a side note, what are you @LTS_Tom doing up at this time of day? Surely it's still the middle of the night?

DNS problems do occur, but not very often, and I wake up at about 5AM EST every day :wink:

Far too early for me.

I'm wondering about adding fixed DNS entries for the one service this specific customer relies on for production. Of course, if they had listened to me then it would be onsite and this wouldn't be an issue, but they wanted it "in the cloud…".

That works unless the service changes IP addresses and you forget to change it.

As Tom said, Quad9 has a lot of redundancy built into their systems, as well as additional IP addresses in addition to 9.9.9.9. Mixing Quad9 with Google DNS is generally not a good idea, as most of Google's public DNS servers are just recursive query servers. If you're just using the pfSense as a DNS forwarder it will work just fine, but you are really missing out on the full potential of Unbound DNS, such as the recursive caching, prefetching and controlling how expired lookups are handled. As long as you are not overloading your firewall you could have extremely fast DNS lookups using Quad9 as its upstream for the additional security.
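As an added example (not posted by anyone in this thread), here is an Unbound configuration fragment that takes the approach above: redundancy comes from one filtering provider's own multiple addresses rather than from mixing in non-filtering resolvers, and the caching, prefetch and expired-record handling sdfungi mentions ride out a short upstream outage. It assumes standard Unbound option names; on pfSense the forward addresses and DNS over TLS are normally set through the DNS Resolver and General Setup pages, and only the `server:` options would go in the Custom options box.

```conf
# Added example, not pfSense-generated config. Standalone unbound.conf fragment.
server:
    # Refresh popular records shortly before their TTL expires, so a client
    # rarely has to wait on an upstream that may be slow or down.
    prefetch: yes
    prefetch-key: yes
    # If upstream is unreachable, keep answering from stale cache entries
    # for up to 1 hour past their TTL instead of returning SERVFAIL.
    serve-expired: yes
    serve-expired-ttl: 3600
    # Hold answers at least 5 minutes and at most a day in cache.
    cache-min-ttl: 300
    cache-max-ttl: 86400
    # CA bundle used to verify the upstream TLS certificates below
    # (assumed path; adjust for the local system).
    tls-cert-bundle: /etc/ssl/cert.pem

forward-zone:
    name: "."
    forward-tls-upstream: yes
    # Every upstream here is the same filtering provider (Quad9), so whichever
    # one answers first still applies the same block list. Adding a
    # non-filtering resolver to this list would let blocked names resolve.
    forward-addr: 9.9.9.9@853#dns.quad9.net
    forward-addr: 149.112.112.112@853#dns.quad9.net
    forward-addr: 2620:fe::fe@853#dns.quad9.net
    forward-addr: 2620:fe::9@853#dns.quad9.net
```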

@LTS_Tom this is true, might be worth the risk though.

@sdfungi understood. I'm using the full DNS module, not just the forwarder.

Will talk to the client and see what they would prefer. Thanks all for the pointers.