Unbound doesn't use GIF for Outgoing Network Interfaces

Started by blusens, June 10, 2021, 10:21:30 AM

I have two sites, A and B. Between them there's an IPv4 IPSEC connection. Both sites have dynamic IPv6 WANs and Hurricane Electric (HE_WAN) tunnels for static IPv6 WAN addresses. Problem is, Unbound doesn't use HE_WAN interface for address resolution of Domain Overrides.

In Unbound I've set Domain Overrides for each others' site internal domain, to the respective HE_WAN IPv6 address. For example Domain A has a Domain Override: DomainB.com -> HE_WAN_Site_B_IPv6 and Site B has DomainA.com -> HE_WAN_Site_A_IPv6 .

Unbound's Outgoing network interfaces have WAN, HE_WAN and IPSEC set on both sites. They both listen on all interfaces.

Unbound won't do lookups via HE_WAN on either site. They use WAN IPv6 and IPSEC IPv4 interfaces but won't use HE_WAN, even if it's the only one selected as Outgoing Network Interface - in this case, it'll use WAN IPv6.

I've checked all rules and HE_WANs respond to Unbound queries. If I use something like

dig -b HE_WAN_Site_A_IPv6 DomainB.com @HE_WAN_Site_B_IPv6

it works properly.

I also have a 3rd site which I've used to confirm this behavior. As far as I know, Unbound should use all interfaces for queries and I'm pretty sure this was the behavior on pfSense. Site A runs opn 2.1.6 while Sites B and C use 2.1.5.
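For readers who want to see what the GUI settings above translate to, here is the equivalent unbound.conf fragment for Site A. This is an added example written for this thread, not the poster's configuration or the generated file from the firewall; the addresses are placeholders standing in for the poster's WAN, HE_WAN and IPSEC addresses and for Site B's HE_WAN address. The access-control and logging lines are the things to compare against when checking whether queries leave at all.

```conf
server:
    # Listen on every address (the thread's "listen on all interfaces")
    interface: 0.0.0.0
    interface: ::0

    # Source addresses Unbound may use for outgoing queries. Unbound picks
    # one of these at random per query, so a forwarder reached over IPv6
    # can be contacted from any listed IPv6 address, not only HE_WAN.
    outgoing-interface: 2001:db8:1::1      # placeholder: Site A WAN IPv6
    outgoing-interface: 2001:db8:fe::2     # placeholder: Site A HE_WAN IPv6
    outgoing-interface: 10.0.1.1           # placeholder: Site A IPSEC IPv4

    # Access control: clients that may query this resolver. A missing or
    # too-narrow entry here silently refuses queries, which is the first
    # thing to rule out when the forwarder sees nothing.
    access-control: 192.0.2.0/24 allow     # placeholder: Site A LAN
    access-control: 2001:db8:a::/48 allow  # placeholder: Site A LAN IPv6

    # Logging to confirm that a query for DomainB.com is actually received
    # and forwarded (verbosity 2 or higher shows the forward decision).
    verbosity: 2
    log-queries: yes
    log-replies: yes

# The Domain Override for Site B's internal domain: every query under
# DomainB.com is forwarded to Site B's HE_WAN address.
forward-zone:
    name: "DomainB.com"
    forward-addr: 2001:db8:fe::b           # placeholder: HE_WAN_Site_B_IPv6
```

With logging at this level, a successful forward shows up in the Unbound log as the query being received from the client followed by the forward to the placeholder address; if the received line is present but nothing reaches the far side, the outgoing-interface choice or a firewall rule on the selected source address is the next thing to check, and if even the received line is missing, the access-control list is the suspect.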

Wrong ACL in Unbound maybe? Have you used log / log level to see if requests are made?


Cheers,
Franco

Quote from: franco on June 10, 2021, 04:58:44 PM
Wrong ACL in Unbound maybe? Have you used log / log level to see if requests are made?


Cheers,
Franco

I have a custom ACL to allow all. I've enabled logging and I can't see the requests. They are not reaching the firewall at all, because I'm monitoring firewall traffic on port 53.