[SOLVED] How to have two DNS servers?

Started by yarn, February 15, 2026, 04:43:28 PM

I need to have 2 DNS servers on 2 IPs:
  • One for other members of the family, run by DNSmasq forwarding to ISP DNS servers, which are very fast but have no DNSSEC support and probably have some poisoning (e.g. TikTok videos don't load unless they use the other DNS).
  • One for myself and OPNsense, run by dnscrypt-proxy with DNSSEC support but with higher latency, which is unacceptable for others (web pages open too slowly).
It needs to be on another IP and the standard port, because the DHCP option and NetworkManager's nm-dns-systemd-resolved plugin don't support a port (tested).
What's the best way to approach this problem? Is there a way to augment ISP's DNS answers so that we can use just 1 server with DNSSEC enabled? (I'm guessing no...)

Currently I have a virtual IP 192.168.1.53 with "Deny service binding" for dnscrypt-proxy to listen on (plus 127.0.0.1), and DNSmasq is on "port 53" (so the wildcard address 0.0.0.0). However, sometimes when I switch off the VPN on my laptop, I get a DNS reply without RRSIG as if it's from DNSmasq instead of dnscrypt-proxy, but a packet capture shows it's indeed from the virtual IP. I don't know if it's an OS bug or if DNSmasq is fighting with dnscrypt-proxy for the virtual IP.
Unbound (instead of DNSmasq) just refuses to start or produce any log if dnscrypt-proxy is listening on 192.168.1.53.

Is there a way to fix ISP's DNS poisoning? For NO-DATA I can add dnscrypt-proxy to system DNS so DNSmasq forwards to it as well, for fake IP I'm guessing no...
Is there a way to not have ISP's DHCP DNS in OPNsense's system DNS but still let DNSmasq forward to them?
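A small diagnostic for the symptom described above (a reply arriving from the virtual IP but without RRSIGs). This is added example code, not from the thread or from dnscrypt-proxy/dnsmasq: it builds a query with the EDNS DO bit set, parses the reply for the AD flag and RRSIG records, and records which source address answered, so each candidate server can be checked from a client the same way the packet capture was. `probe()` talks to a real server; the constructed `sample_response()` packets, the name `example.test` and the address `192.0.2.10` are assumptions used so the script also runs offline.

```python
import socket
import struct
import sys

TYPE_A, TYPE_OPT, TYPE_RRSIG = 1, 41, 46
EDNS_DO = 0x8000        # DNSSEC OK bit in the OPT record's TTL field
FLAG_AD = 0x0020        # Authenticated Data bit in the header flags
TXID = 0x1234


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"


def build_query(name, qtype=TYPE_A, txid=TXID, dnssec_ok=True):
    """Recursive query; with dnssec_ok an EDNS0 OPT record with DO=1 is appended so a
    DNSSEC-aware resolver includes RRSIGs in its answer."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if dnssec_ok else 0)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)
    opt = b""
    if dnssec_ok:
        # root owner name, type OPT, UDP payload size, ext-rcode, version, flags (DO), rdlen
        opt = b"\x00" + struct.pack("!HHBBHH", TYPE_OPT, 1232, 0, 0, EDNS_DO, 0)
    return header + question + opt


def skip_name(data, offset):
    """Return the offset just past a possibly compressed name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:          # 2-byte compression pointer ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data):
    """Extract what matters for this check: rcode, AD flag, answer record types and
    whether an RRSIG came back with the answer."""
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", data[:8])
    offset = 12
    for _ in range(qdcount):
        offset = skip_name(data, offset) + 4          # QTYPE + QCLASS
    answer_types = []
    for _ in range(ancount):
        offset = skip_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10 + rdlen
        answer_types.append(rtype)
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & FLAG_AD),
            "answer_types": answer_types, "has_rrsig": TYPE_RRSIG in answer_types}


def probe(server, name, timeout=3.0):
    """Send one UDP query to `server` and report who answered and what came back; the
    source address is what the packet capture in the thread was compared against."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_query(name), (server, 53))
        data, (src_ip, _src_port) = sock.recvfrom(4096)
    result = parse_response(data)
    result["answered_by"] = src_ip
    result["id_matches"] = result["id"] == TXID
    return result


def sample_response(with_rrsig, txid=TXID):
    """Constructed reply for 'example.test A' (sample data, not captured traffic):
    with_rrsig=True mimics a validating resolver (AD set, A + RRSIG), False a plain
    forwarder that returns only the A record."""
    flags = 0x8180 | (FLAG_AD if with_rrsig else 0)   # QR, RD, RA (+AD)
    header = struct.pack("!HHHHHH", txid, flags, 1, 2 if with_rrsig else 1, 0, 0)
    question = encode_name("example.test") + struct.pack("!HH", TYPE_A, 1)
    owner = b"\xC0\x0C"                                 # pointer to the question name
    a_rr = owner + struct.pack("!HHIH", TYPE_A, 1, 300, 4) + bytes([192, 0, 2, 10])
    if not with_rrsig:
        return header + question + a_rr
    # RRSIG RDATA: type covered, algorithm, labels, original TTL, expiration,
    # inception, key tag, signer name, signature (zero-filled placeholder)
    rdata = (struct.pack("!HBBIIIH", TYPE_A, 13, 2, 300, 0, 0, 12345)
             + encode_name("test") + b"\x00" * 64)
    rrsig_rr = owner + struct.pack("!HHIH", TYPE_RRSIG, 1, 300, len(rdata)) + rdata
    return header + question + a_rr + rrsig_rr


if __name__ == "__main__":
    if len(sys.argv) > 1:                    # e.g. python3 dnscheck.py 192.168.1.53 example.com
        print(probe(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else "example.com"))
    else:
        for label, pkt in (("validating", sample_response(True)), ("forwarder", sample_response(False))):
            print(label, parse_response(pkt))
```

Run it against each of the two addresses from the same client; if `answered_by` is the virtual IP but `has_rrsig` is false for a signed name, the reply did not come from a DNSSEC-aware resolver even though the address suggests it should have, which is exactly the case worth looking at in the bindings.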

Have you tried Unbound with a DNS-over-TLS upstream? There shouldn't be a noticeable performance impact.

Since your ISP doesn't seem to be trustworthy, I would avoid using their DNS servers and plaintext DNS in general.

Cheers
Maurice
OPNsense virtual machine images
OPNsense aarch64 firmware repository

Commercial support & engineering available. PM for details (en / de).

Quote from: Maurice on February 15, 2026, 05:31:35 PM
> Have you tried Unbound with a DNS-over-TLS upstream?
Yes... All popular DNS servers are blocked here, hence the need for dnscrypt-proxy (for its large dynamic list of servers) and why it has a higher latency.

Quote from: yarn on February 15, 2026, 07:23:19 PM
> All popular DNS servers are blocked here
But can you query the Root DNS Servers directly or not?!

If you can, then just set up Pi-hole with Unbound next to it: https://docs.pi-hole.net/guides/dns/unbound/

And then you can easily separate your clients into groups that have filtered or unfiltered DNS service access :)



(I think this is what you want considering your TikTok comment... Not sure... Just FYI...)
Weird guy who likes everything Linux and *BSD on PC/Laptop/Tablet/Mobile and funny little ARM based boards :)

February 15, 2026, 08:56:33 PM #4 Last Edit: February 15, 2026, 09:00:11 PM by yarn
Quote from: nero355 on February 15, 2026, 07:58:49 PM
> But can you query the Root DNS Servers directly or not?!
> ...
> (I think this is what you want considering your TikTok comment... Not sure... Just FYI...)
Thanks, but it's not quite what I meant... The ISP is blocking via DNS, which I don't want.
I can reach the root servers, but some authoritative servers are blocked, and plain-text queries to them are certainly inspected & blocked. Plus recursion is too slow...

I guess this problem probably doesn't have a perfect solution. If so, I just wish DNSmasq or Unbound could coexist better with dnscrypt-proxy.
I could run dnscrypt-proxy on another device, but my OPNsense PC has so much spare capacity...

Tough situation, but I'd really look into other options before considering the ISP's malicious DNS servers for anything.

- Using a less popular DNS over TLS server, which might not be blocked (there's more than Cloudflare / Google / Quad9).
- Using DNS over WireGuard (or other VPN).
- Running your own recursive resolver on a VPS and forwarding to it using DoT or a VPN.
- ...

But if you really want to forward dnsmasq to the ISP's DNS servers:
Bind dnsmasq to a dedicated loopback interface only (assuming that you don't use it for DHCP / RAs). Haven't tried that with dnsmasq and dnscrypt-proxy, but it works for me for running both Unbound and BIND on port 53 (but different IP addresses).

Quote from: yarn on February 15, 2026, 04:43:28 PM
> Is there a way to not have ISP's DHCP DNS in OPNsense's system DNS but still let DNSmasq forward to them?
- Make sure "System: Settings: General: Allow DNS server list to be overridden by DHCP/PPP on WAN" is disabled.
- In the general Dnsmasq settings, enable "Do not forward to system defined DNS servers".
- In Dnsmasq / Domains, create a global override and enter the IP address of the ISP's DNS server.

Cheers
Maurice

Quote from: Maurice on February 15, 2026, 09:34:47 PM
> Bind dnsmasq to a dedicated loopback interface only (assuming that you don't use it for DHCP / RAs). Haven't tried that with dnsmasq and dnscrypt-proxy, but it works for me for running both Unbound and BIND on port 53 (but different IP addresses).
Please share your setup configuration with us :)

Quote from: Maurice on February 15, 2026, 09:34:47 PM
> it works for me for running both Unbound and BIND on port 53 (but different IP addresses).
Yes, I'd like to know as well! The GUI for Unbound only lets me select interfaces, which seems to take up all IPs despite the "Deny service binding" setting.

Quote from: nero355 on February 15, 2026, 11:30:26 PM
> Please share your setup configuration with us :)
Just normal "bind service to loopback interface" stuff. :)

- Interfaces: Devices: Loopback, add two interfaces ('Loopback_Unbound', 'Loopback_BIND').
- Interfaces: Assignments, assign the interfaces and configure them with static /32 / /128 IP addresses (should not be within subnets used elsewhere).
- Services: Unbound DNS: General, set 'Network Interfaces' to 'Loopback_Unbound'.
- Services: BIND: Configuration, enter the IP addresses of 'Loopback_BIND' as 'Listen IPs' / 'Listen IPv6'.
- Now you can advertise the 'Loopback_Unbound' addresses to some clients and the 'Loopback_BIND' addresses to others, using a method of your choice (DNS servers setting in Kea / ISC / radvd / Dnsmasq).

Should work for any service which allows binding to specific interfaces or IP addresses. I do the same for e.g. the Web UI and downstream DNS-over-HTTPS (both on port 443).

Cheers
Maurice
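The recipe above gives each resolver its own loopback address; the original poster's suspicion earlier in the thread was that dnsmasq on 0.0.0.0:53 and dnscrypt-proxy on the virtual IP were competing for the same socket. The following is an added example (mine, not from the thread or from either project) that parses `sockstat -46l`-style output and flags a wildcard port-53 listener that coexists with another process's specific-address listener, so the separation can be confirmed after the change. Both sample listings and the address 192.168.1.54 are constructed, not captured from anyone's box.

```python
import collections
import sys

Listener = collections.namedtuple("Listener", "command pid proto address port")

# Constructed sample in the column layout of FreeBSD `sockstat -46l` (not real output):
# dnsmasq on the wildcard address, dnscrypt-proxy on the virtual IP and localhost,
# all on port 53.
SAMPLE_WILDCARD = """\
USER     COMMAND        PID   FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
dnsmasq  dnsmasq        1201  4  udp4  *:53             *:*
dnsmasq  dnsmasq        1201  5  tcp4  *:53             *:*
root     dnscrypt-proxy 1330  7  udp4  192.168.1.53:53  *:*
root     dnscrypt-proxy 1330  8  tcp4  192.168.1.53:53  *:*
root     dnscrypt-proxy 1330  9  udp4  127.0.0.1:53     *:*
root     dnscrypt-proxy 1330  10 tcp4  127.0.0.1:53     *:*
root     lighttpd       900   6  tcp4  *:443            *:*
"""

# Same host after pinning dnsmasq to a loopback address of its own
# (192.168.1.54 is an assumed value, not one from the thread).
SAMPLE_SEPARATED = """\
USER     COMMAND        PID   FD PROTO LOCAL ADDRESS    FOREIGN ADDRESS
dnsmasq  dnsmasq        1201  4  udp4  192.168.1.54:53  *:*
dnsmasq  dnsmasq        1201  5  tcp4  192.168.1.54:53  *:*
root     dnscrypt-proxy 1330  7  udp4  192.168.1.53:53  *:*
root     dnscrypt-proxy 1330  8  tcp4  192.168.1.53:53  *:*
root     dnscrypt-proxy 1330  9  udp4  127.0.0.1:53     *:*
root     dnscrypt-proxy 1330  10 tcp4  127.0.0.1:53     *:*
root     lighttpd       900   6  tcp4  *:443            *:*
"""


def parse_sockstat(text):
    """Turn sockstat-style lines into Listener tuples; skips the header line and
    anything without a numeric port (e.g. unix sockets)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 7:
            continue
        address, _, port = fields[5].rpartition(":")   # works for IPv6 too
        if not port.isdigit():
            continue
        listeners.append(Listener(fields[1], int(fields[2]), fields[4], address, int(port)))
    return listeners


def find_overlaps(listeners, port=53):
    """Per protocol, pair every wildcard ('*') listener on `port` with each
    specific-address listener of a different process on the same port. Such a
    pair means two daemons are candidates for the same IP:port, which is what
    giving each resolver its own address is meant to remove."""
    by_proto = collections.defaultdict(list)
    for l in listeners:
        if l.port == port:
            by_proto[l.proto].append(l)
    findings = []
    for proto in sorted(by_proto):
        group = by_proto[proto]
        for w in (l for l in group if l.address == "*"):
            for s in (l for l in group if l.address != "*" and l.pid != w.pid):
                findings.append((proto, w.command, s.command, s.address))
    return findings


def listeners_on(listeners, port=53):
    """(proto, address) -> command for every listener on `port`: the table to
    check before advertising addresses to clients via DHCP."""
    return {(l.proto, l.address): l.command for l in listeners if l.port == port}


if __name__ == "__main__":
    # Usage on the firewall: sockstat -46l | python3 portcheck.py
    # Without piped input the constructed samples are analysed instead.
    if not sys.stdin.isatty():
        samples = [("stdin", sys.stdin.read())]
    else:
        samples = [("wildcard", SAMPLE_WILDCARD), ("separated", SAMPLE_SEPARATED)]
    for label, text in samples:
        lst = parse_sockstat(text)
        print(label, "port-53 listeners:", listeners_on(lst))
        for proto, wild, specific, addr in find_overlaps(lst):
            print(f"  {proto}: {wild} on * overlaps {specific} on {addr}")
```

An empty result from `find_overlaps` does not by itself prove which daemon the kernel hands a given packet to, but a non-empty one tells you the two services still share an address on port 53 and the loopback separation has not fully taken effect.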

Quote from: Maurice on Today at 12:49:51 AM
> Just normal "bind service to loopback interface" stuff. :)
I was expecting something like that, but thought maybe you had done some additional fun stuff that I did not know about, so that's why I asked :)

Thanks for sharing!