OPNsense Forum » Archive » 20.1 Legacy Series » Redundant DNS
Topic: Redundant DNS (Read 5670 times)
sesquipedality (Newbie, Posts: 44, Karma: 4)
Redundant DNS
« on: June 30, 2020, 07:20:22 pm »
I'd like my local network to be a bit more robust on internal DNS if the router goes down. I could create a second OpnSense machine, but that seems like overkill. All I really want to do is have a second DNS server, which copies all the configuration on the OpnSense box, and can be referred to if the primary server goes down.
Is there a good way to accomplish this?
TheSmoker (Newbie, Posts: 20, Karma: 0)
Re: Redundant DNS
« Reply #1 on: June 30, 2020, 07:28:16 pm »
You can always add a Raspberry Pi box with a slave/caching DNS based on need, or you can always rent a 5/9 USD VPS in the cloud which you can use as a secondary DNS.
Both of them are cheap. Although if you have services behind the OPNsense box, they will not be available even if the DNS will resolve the requests.
sesquipedality (Newbie, Posts: 44, Karma: 4)
Re: Redundant DNS
« Reply #2 on: June 30, 2020, 07:48:44 pm »
I am entirely happy with running another box / docker container - it's more about the "how". In particular, I would need it to serve the same aliases as unbound does.
TheSmoker (Newbie, Posts: 20, Karma: 0)
Re: Redundant DNS
« Reply #3 on: June 30, 2020, 10:32:32 pm »
Is your DNS serving stand-alone zones, or are you using Unbound just as a caching DNS?
I am asking this because Unbound is just a resolver/caching DNS server; the authoritative part of that package is NSD.
If you are just using it to serve local zones only, then you just need to copy and paste the unbound.conf (the configuration of Unbound) to another box.
Of course that box/docker/whatever needs to be on separate hardware in case your OPNsense box fails.
Additionally you will need to instruct dhcpd to announce both DNS servers in the DHCP answer to hosts, or configure them by hand on your deployed OSes.
https://www.nlnetlabs.nl/documentation/nsd/
https://nlnetlabs.nl/documentation/unbound/
sesquipedality (Newbie, Posts: 44, Karma: 4)
Re: Redundant DNS
« Reply #4 on: July 01, 2020, 03:07:06 pm »
Thanks.
Yes, it is local caching plus aliases, which suggests that replicating the Unbound config would get me most of the way.
However, that still leaves the problem of how to keep Unbound's cache of DHCP hosts in sync, since only the router will be serving DHCP. Getting the secondary to host DHCP too would not solve this problem, as then it would be pot luck as to which DNS server contained the A record associated with a given lease.
I'm starting to wonder here if the answer isn't another minimally configured OpnSense server which uses the HA/Replication features to provide DNS and DHCP.
« Last Edit: July 01, 2020, 03:08:53 pm by sesquipedality »
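An added check, not from the thread, for the copy-the-unbound.conf approach in Reply #3 and the "keep it in sync" worry in Reply #4: it parses the local-zone / local-data entries of two Unbound configs and reports what has drifted between router and secondary. Both configs below are constructed samples, and the zone name, host names and addresses are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample configs (not from the thread): the router's unbound.conf with
# aliases plus a DHCP-registered host, and a hand-copied secondary that has drifted.
PRIMARY_CONF = """
server:
    interface: 0.0.0.0
    local-zone: "home.lan." static
    local-data: "nas.home.lan. IN A 192.168.1.10"
    local-data: "printer.home.lan. IN A 192.168.1.11"
    local-data: "laptop.home.lan. 3600 IN A 192.168.1.50"   # DHCP lease registration
    local-data-ptr: "192.168.1.10 nas.home.lan"
"""
SECONDARY_CONF = """
server:
    local-zone: "home.lan." static
    local-data: "NAS.home.lan. IN A 192.168.1.10"
    local-data: "printer.home.lan. IN A 192.168.1.12"
"""
# Only the directives that define local answers are compared; other lines are ignored.
RECORD_RE = re.compile(r"^\s*(local-data-ptr|local-data|local-zone):\s*(.+?)\s*$")
Key = Tuple[str, str]  # (directive, owner name or address)

def parse_local_records(conf: str) -> Dict[Key, str]:
    """Map each local entry to its RR body, normalizing case, quotes, spacing and TTL."""
    records: Dict[Key, str] = {}
    for raw in conf.splitlines():
        m = RECORD_RE.match(raw.split("#", 1)[0])  # drop trailing comments
        if not m:
            continue
        directive, body = m.group(1), m.group(2).replace('"', "")
        tokens = body.lower().split()
        if directive == "local-data" and len(tokens) > 1 and tokens[1].isdigit():
            del tokens[1]  # "name 3600 IN A x" and "name IN A x" are the same record
        records[(directive, tokens[0].rstrip("."))] = " ".join(tokens[1:])
    return records

def config_drift(primary: str, secondary: str) -> Dict[str, List[Key]]:
    """Report entries the secondary lacks, has extra, or answers differently."""
    p, s = parse_local_records(primary), parse_local_records(secondary)
    return {
        "missing_on_secondary": sorted(k for k in p if k not in s),
        "extra_on_secondary": sorted(k for k in s if k not in p),
        "differs": sorted(k for k in p if k in s and p[k] != s[k]),
    }

if __name__ == "__main__":
    for kind, keys in config_drift(PRIMARY_CONF, SECONDARY_CONF).items():
        print(f"{kind}: {keys}")
```

Run it against the two real files (or their `unbound-control list_local_data` output, after a small tweak to the regex) from a cron job on the secondary to catch drift before the router goes down.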
amichel (Jr. Member, Posts: 87, Karma: 8)
Re: Redundant DNS
« Reply #5 on: July 01, 2020, 07:51:02 pm »
The way I have set it up is:
I have three domain controllers acting as DC/AD Integrated DNS for my domain.
Each of those servers is using my OPNsense box as a forwarder.
As I do have some rules on my firewall based on internal DNS names, I use BIND on the OPNsense box, pulling all my AD-integrated zones as secondaries from one of the DCs.
The clients are using my internal domain controllers as DNS servers, and in case all DNS servers are down I can still manually enable DHCPv4 on the OPNsense to deploy IP addresses to the clients instead of my Windows DHCP servers.
So in your case, to have some redundancy you can simply install another DNS server in your environment and use this as the primary DNS server, install BIND on your firewall and create the zones as secondaries there, and configure your clients to use both DNS servers. In case one is down you should still be able to resolve your internal zones, even if the firewall is down.
HTH
amichel
sesquipedality (Newbie, Posts: 44, Karma: 4)
Re: Redundant DNS
« Reply #6 on: July 05, 2020, 11:02:57 am »
In the end, I solved this by creating a second OPNsense router, following the High Availability guide on the website, but only for the local interface, and selectively syncing DHCP and unbound to the backup server. I then changed the DHCP settings to use the CARP address for DNS.
One slight wrinkle was that I had to add an explicit firewall rule allowing DNS traffic to the local network CARP address on both machines, although I am still not entirely sure why that was necessary.
« Last Edit: July 05, 2020, 11:19:23 am by sesquipedality »