On Fri, Aug 25, 2017 at 08:14:29AM -0400, Greg Wooledge wrote:
> On Fri, Aug 25, 2017 at 07:34:16AM +0900, Mark Fletcher wrote:
> > On Thu, Aug 24, 2017 at 04:39:13PM -0400, Greg Wooledge wrote:
> > > I strongly recommend just running your own caching DNS resolver on the
> > > DHCP server host. ISP nameservers are often slow and unreliable.
> >
> > OK, thanks for the advice. One possibly stupid question though...
> > whenever a DNS server running on my own firewall doesn't have an answer
> > to a DHCP query, it is going to broadcast it out... to the ISP's DNS
> > servers, no?
>
> DHCP and DNS are two separate things.

Sorry, that was a typo, I meant "DNS query" not "DHCP query". I do
understand the difference although I recognise that what I wrote above
would seem to imply I don't.

> If your firewall box is running a nameserver (i.e. a caching DNS
> resolver), and if the LAN clients are configured to use that
> nameserver, then no queries are ever sent to your ISP's nameservers
> at all. Your caching resolver does all the work, talking directly
> to the root servers, and the .COM servers, and so on.
>

Strictly speaking the LAN clients will be using the AirStation's
nameserver, and I'd be configuring it to use this hypothetical new
nameserver on the firewall box by having the DHCP server on my firewall
send it the internal IP of the firewall as its nameserver. Why? Because
the AirStation is already providing a nameserver to my LAN, and as I
mentioned I want to futz minimally with the AirStation's configuration.

Thanks for the clarification about what the nameserver would do -- I had
imagined it would answer DNS queries from the AirStation that it knows
the answers to, and pass through queries it didn't know the answer to to
some "upstream" nameserver, presumably noting the response so it knows
next time. I assumed that is what the nameserver on the AirStation is
doing, otherwise it wouldn't need to be told the ISP's nameservers, and I
know from early misconfigurations of my firewall's DHCP server that if I
give the AirStation bollix nameservers in response to its DHCP request,
its ability to resolve anything breaks...

However, now, based on your response I am thinking the AirStation is
just forwarding the DNS queries on to the nameservers it is given in
response to its DHCP query, and not actually caching anything...
So in your proposed configuration, a DNS query from a machine on my LAN
would be picked up by the AirStation, forwarded to the firewall machine
(because the AirStation was given the address of the firewall machine as
a nameserver in response to its DHCP query), and that machine would
actually be running a proper nameserver which would either already know
the answer to the query or would interact with other DNS servers to get
it. Right?

If that is actually caching everything by talking to root servers, .com
servers etc, doesn't that take up a lot of space? The firewall box isn't
a particularly beefy machine, by any measure -- memory, disk space, etc.
It's enough to do the firewall job, and answer the occasional DHCP
query, but would a nameserver need a lot of memory / disk space? The
machine has a 32GB SSD, of which about 15GB is free, and 4GB of RAM, of
which according to top about 1.8GB is free... And as I say, it is my
firewall, a very light-load DHCP server, and does a cameo role as my
OpenVPN server when I'm travelling on business.

Thanks for your patience in explaining this -- I'm learning a lot.

Mark
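As an added illustration (not part of the thread and not anyone's actual configuration), here is what the setup Greg describes and Mark sketches can look like, assuming ISC dhcpd as the DHCP server and unbound as the caching resolver on the firewall box; the 192.168.0.0/24 addresses are made up, with 192.168.0.1 standing for the firewall's internal interface.

```conf
# --- /etc/dhcp/dhcpd.conf (ISC dhcpd on the firewall; addresses constructed) ---
# The AirStation's WAN side takes a lease from this pool and is told to use
# the firewall's internal address as its nameserver, so its LAN clients'
# queries end up forwarded to the firewall's resolver.
subnet 192.168.0.0 netmask 255.255.255.0 {
    range 192.168.0.100 192.168.0.200;
    option routers 192.168.0.1;
    option domain-name-servers 192.168.0.1;
}

# --- /etc/unbound/unbound.conf (caching recursive resolver on the firewall) ---
server:
    # Listen only on the internal interface, never on the ISP-facing one.
    interface: 192.168.0.1
    # Answer recursive queries only for the LAN (queries arrive from the
    # AirStation's WAN address, which is in this range); refusing everyone
    # else is unbound's default, stated here so the box is never usable as
    # an open resolver from the internet.
    access-control: 192.168.0.0/24 allow
    access-control: 0.0.0.0/0 refuse
    # No forward-zone is defined, so unbound resolves on its own from the
    # root servers and the TLD servers instead of asking the ISP's resolvers.
    # The cache is held in RAM, not on disk, and these limits cap it, which
    # is the answer to the memory question: a few megabytes, not gigabytes.
    msg-cache-size: 4m
    rrset-cache-size: 8m
    hide-identity: yes
    hide-version: yes
```

After a client lookup, `unbound-control dump_cache` (if remote control is enabled) shows the cached records, and a second lookup of the same name is answered from RAM without any upstream traffic.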