OPNsense Forum
Archive => 20.7 Legacy Series => Topic started by: hsimah on August 13, 2020, 03:51:23 am
-
Hello from Australia :)
I require your expertise and assistance!
Can Unbound DNS probe every server I have listed and serve up the result which responded first? If so, how would I configure this?
Appreciate your assistance in advance.
-
yes it is possible, check "forwarder" in ubound general settings
DNS Query Forwarding [check] Enable Forwarding Mode
in system->settings->general
DNS server options [uncheck] Allow DNS server list to be overridden by DHCP/PPP on WAN
in DNS servers (same page)
for each WAN you have, select different DNS servers
-
yes it is possible, check "forwarder" in ubound general settings
DNS Query Forwarding [check] Enable Forwarding Mode
in system->settings->general
DNS server options [uncheck] Allow DNS server list to be overridden by DHCP/PPP on WAN
in DNS servers (same page)
for each WAN you have, select different DNS servers
Thank you for your response, I am using DNSSEC and have the below custom options so I don't think your guide would work in my case?
server:
tls-cert-bundle: "/etc/ssl/cert.pem"
forward-zone:
name: "."
forward-ssl-upstream: yes
forward-addr: 1.1.1.1@853#one.one.one.one
forward-addr: 1.0.0.1@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 2606:4700:4700::1111@853#one.one.one.one
forward-addr: 2606:4700:4700::1001@853#1dot1dot1dot1.cloudflare-dns.com
forward-addr: 9.9.9.9@853#dns9.quad9.net
forward-addr: 149.112.112.112@853#rpz-public-resolver1.rrdns.pch.net
forward-addr: 2620:fe::fe@853#dns.quad9.net
forward-addr: 2620:fe::fe:9@853#dns9.quad9.net
-
probably just verify and [uncheck] Allow DNS server list to be overridden by DHCP/PPP on WAN
if that helps
is it not working?
-
Can Unbound DNS probe every server I have listed and serve up the result which responded first? If so, how would I configure this?
This used to be possible with DNSMASQ, there was a separate ability to query sequentially, or with with a round robin style for all specified DNS servers.
However, for Unbound, I'm only aware of it using a round robin style query by default.
It's also worth noting, your config mixes two DNS providers with different use cases. Your Google DNS and CloudFlare DNS will do DNSSEC/DoT, but no filtering. Your Quad9 will do DNSSEC/DoT, and malware filtering. Due to the way Unbound will randomly query either one, you may get inconsistent results back to your clients. It's very likely that google may recommend one CDN location, while Quad9 may provide results for another. You'd be better off picking one of those two services only. Which one is another discussion entirely but, Quad9 has a much better stance on user privacy so I know which one I'd go with. :)
-
Can Unbound DNS probe every server I have listed and serve up the result which responded first? If so, how would I configure this?
This used to be possible with DNSMASQ, there was a separate ability to query sequentially, or with with a round robin style for all specified DNS servers.
However, for Unbound, I'm only aware of it using a round robin style query by default.
It's also worth noting, your config mixes two DNS providers with different use cases. Your Google DNS and CloudFlare DNS will do DNSSEC/DoT, but no filtering. Your Quad9 will do DNSSEC/DoT, and malware filtering. Due to the way Unbound will randomly query either one, you may get inconsistent results back to your clients. It's very likely that google may recommend one CDN location, while Quad9 may provide results for another. You'd be better off picking one of those two services only. Which one is another discussion entirely but, Quad9 has a much better stance on user privacy so I know which one I'd go with. :)
I don't believe I have any Google DNS providers in my config file, only Cloudflare & Quad9.
-
Yes, I should have clarified that in my response. What I was trying to convey is that most people will choose one of the 3 available large providers. Google, CloudFlare, or Quad9.
Regardless of which one you prefer, I would only recommend configuring Unbound to use one provider at a time. If you do want to run multiple different providers, I would align them so that you aren't using a combination of filtered/unfiltered results so that you can keep the client experience consistent and potentially reduce troubleshooting if there's a DNS issue.