DNS Hijacked? Slow? Setup Unbound on pfSense

Why Is It Slow?

When you request a website, say, b3n.org, your computer needs the IP address.  So it sends out packets through your router/firewall, your modem, and out to your ISPs DNS Servers.  Your ISP’s DNS server will probably have it cached, if not it queries the authoritative (starting with the Root Name Servers) recursively to find out what the authoritative DNS servers are and then queries those DNS servers.  It gets the IP address, and sends it back to your computer.  Your computer can then query the server IP for b3n.org.  Any latency along this process will result in delays.  If you ever type in a url in the address bar and nothing happens for a few hundred milliseconds and then suddenly the website starts to load this is likely the problem.

Typical DNS Lookup Path

Is Your DNS Hijacked by Your ISP?

It’s pretty easy for ISPs to hijack DNS queries.  A small number of ISPs (Comcast, CenturyLink, Time Warner, Cox, Rogers, Charter, Verizon, Sprint, T-Mobile, Frontier, etc.) have been caught doing exactly that.  Want to know why?  Advertising revenue.  When you misspell a domain some ISPs, instead of returning an NXDOMAIN (does not exist) like any RFC compliant DNS server it will resolve the domain anyway, point it at a page they control, and advertise to you!  This is a really bad idea.  But there is a way to prevent your ISP from doing this…

Using Google’s Nameservers

If you’re not tech savvy using 8.8.8.8 and 8.8.4.4 is probably better than your ISPs nameservers.  It won’t hurt, and will probably help, but it may not help… it’s very trivial for an ISP to route those IPs to their own servers and some do.

Even if your ISP is pure goodness and would never do that, someone could setup a rogue DNS server posing as theirs and intercept all your DNS traffic.

The only solution is to query the Root name servers for authoritative DNS servers and use DNSSEC.  Cut out any 3rd party DNS provider and run your own DNS server locally.

Setup an Unbound Server on pfSense

pfSense Unbound Lookups

Unbound is a high performance caching DNS server.  Unbound queries recursively authoritative DNS servers directly, completely bypassing your ISP.  It uses DNSSEC to make sure your queries haven’t been tampered with.  And best of all, it caches DNS results locally (like your ISP would) but since it’s on your own network, the cached DNS queries are local!

You can setup a local FreeBSD server and run Unbound on it, but if you’re already using a router like pfSense or OPNsense you can setup an Unbound server in a few clicks.

Open up pfSense, first make sure the forwarder under Services, DNS Forwarder, is disabled.  Slowness warning: if you are running a low query lookup network such as on your home network having the forwarder disabled may cause lookups to be slower because you’re having to traverse the DNS servers regularly to get results… this can sometimes take a second or two and result in DNS timeouts while it’s trying to traverse the DNS nameservers.  If you find that unbound performance is slow I’d suggest turning on forwarding mode which will use the DNS servers specified in pfSense under system, general setup.  In this case I’d recommend pointing them at 8.8.8.8 and 8.8.4.4.  If you run with forwarding enabled you should verify that your ISP is not hijacking your DNS results, if they are you should switch ISPs.

  • Go to Services, DNS Resolver.
  • Enable the DNS Resolver
  • Select the Network interfaces that you want Unbound to listen on (do not select ALL, you’ll definitly want to select LAN).
  • System Domain Local Zone Type: Transparent
  • Enable DNSSEC Support
  • Do NOT enable Forwarding Mode
  • You can also choose to register DHCP addresses in the DNS Resolver which is very handy if you’re using pfSense to manage DHCP.

pfSense Unbound

  • Under System, General Setup
  • Make sure all DNS Server fields are empty.  DNS Server Override and
  • Disable DNS Forwarder should be unchecked.

pfSense General Setup

Finally, Under Services, DHCP Server, set your DNS Server to your pfSense’s LAN IP.  As your DHCP clients renew their lease they’ll start using pfSense for DNS.

As far as performance if you have low latency to your ISPs DNS you probably won’t notice anything.  But if you’re on a high latency connection  with 70ms pings like I am, this makes a big difference.