DNS Resolver Mode

The DNS Resolver can act in either a DNS resolver or forwarder role. These roles are described in detail on DNS Resolution Process.

Resolver mode

In resolver mode (default) the DNS Resolver contacts root DNS servers and other authoritative servers directly in search of answers to queries submitted by clients. This eliminates issues typically encountered by users with missing or incorrect local DNS configuration since it does not require forwarding DNS servers to operate. Resolver mode also enables the use of Domain Name System Security Extensions (DNSSEC) which makes the DNS results more trustworthy and verifiable.

Note

Some ISPs block or rate limit these types of DNS queries and instead prefer users to contact forwarders. If resolver mode does not work, use forwarding mode.

As this mode contacts servers which cannot be known beforehand, it must utilize the default route on the firewall to make outbound connections. This may not be optimal with multiple WANs, but there are ways around this limitation such as configuring failover for the default gateway. See Interface and DNS Configuration.

Forwarding mode

In forwarding mode the DNS Resolver will forward DNS queries to the list of servers configured under System > General Setup or those obtained automatically from a dynamic WAN.

Tip

For increased privacy these forwarded queries can be made using DNS over TLS.

This method tends to work better with multiple WANs as each forwarding DNS server may be configured to use a different WAN, allowing queries to be sent over whichever WAN is available at a given moment. See Interface and DNS Configuration.

While in forwarding mode the DNS Resolver monitors response timing from all available DNS servers in its infrastructure cache. The daemon will direct queries to servers based on their current status so it can avoid using servers which are slow or unavailable. This data is available in the GUI at Status > DNS Resolver (DNS Resolver Status).