Exclusive DNS server for each WAN possible?

[soko]

Hi guys,

In short: Can I define a single DNS server for each gateway/WAN which gets exclusively/solely used when the gateway/WAN is the active one in a failover gateway group?

In long:
I'm running a multi WAN setup successfully at the moment. The gateway group uses gateway/WAN=AT111 when available and gateway/WAN=BACKUP when AT111 fails.

This failover works as it should.

In System->Settings->General->DNS-Server I've entered 2 DNS servers. One for each gateway.

www.dnsleaktest.com revealed to me, that both DNS servers are used by Unbound DNS (forwarding mode is enabled).

After reading the help to each setting carefully I'm kinda shocked that this is how it should be?!?

At General->DNS-Server the column header for the gateway says "Use gateway". Which may mean something like"Packages to this DNS server send using this gateway".
But not - as I thought - "When this gateway is active use solely this DNS server".

Also at Unbound-DNS->General it reads: "If forwarding is enabled, Unbound will use the DNS servers entered in System: General setup".
So this also doesn't say something like "I will use only the entry from there that fits the current gateway".

thanks
Soko

PS: The DNS server for AT111 is only reachable through AT111. Thats why I need this feature

[marcquark]

Have you done packet captures on both WAN interfaces while doing the DNS Leak Test? If i'm not mistaken here, DNS A should be used through WAN A and DNS B through WAN B. So it shouldn't be a problem in your scenario should it?

[tong2x]

to  my knowledge, ubound will still randomly or choose the fastes reply server from the list.

this is ithink because of ubounds design
but i could be wrong

[soko]

@marcquark: My issue isn't that the DNS go through the wrong WAN. I thought DNS A is use solely wen WAN A is up. And DNS B (through WAN B) is used solely when WAN A is down.

@tong2x: Thats what I was worried about. I've disabled Unbound and used Dnsmasq. There is the option "Query DNS servers sequentially" which sounds promising.
First tests were OK, but just now dnsleaktest showed DNS B again

[lar.hed]

If Unbound, or DNScrypt-Proxy, in standard definition (setup) is used, there is limited ways to control this.

However, Unbound has Advanced options setting letting you use DNS-over-TLS which makes the control of which DNS server to use a much easier task. That will not let you choose different DNS servers for different WANs.

Since I run a Multi-WAN also, I know for a fact that my WAN-FTTH (prim) is used for all DNS lookups, and when my WAN-LTE takes over (FTTH fails) it of course changes route out. So I am a bit curious how set up the Multi WAN part?

[soko]

Since I run a Multi-WAN also, I know for a fact that my WAN-FTTH (prim) is used for all DNS lookups, and when my WAN-LTE takes over (FTTH fails) it of course changes route out. So I am a bit curious how set up the Multi WAN part?

I'm not quite sure if you mean the same thing as I do. I don't have a problem which WAN is used to contact the DNS server. My issue is, that I want to use different DNS with different active WANs.
Or am I missing something here?

My Multi WAN setup is done as described here: https://docs.opnsense.org/manual/how-tos/multiwan.html

[marcquark]

@marcquark: My issue isn't that the DNS go through the wrong WAN.

but that is exactly what said was your issue in your first post?

PS: The DNS server for AT111 is only reachable through AT111. Thats why I need this feature

If your AT111 DNS is only queried via your AT111 line, i fail to understand what your problem then is to be honest...

I thought DNS A is use solely wen WAN A is up. And DNS B (through WAN B) is used solely when WAN A is down.

As has been established already, that doesn't seem possible with OPNsense at the moment. But again, i fail to understand why it's an issue.

[lar.hed]

I think you might be helped by reading up on how DNS works, and most important: How Unbound works inside.

[soko]

As has been established already, that doesn't seem possible with OPNsense at the moment.

OK, thats more or less what I wanted to know: Its not possible with OPNsense.

I think you might be helped by reading up on how DNS works, and most important: How Unbound works inside.

I know how DNS works. But nowhere it says that all available DNS servers need to be used (in parallel). That apparently specific to Unbound. So I know now that Unbound cannot do that...

But again, i fail to understand why it's an issue.

WAN A with DNS A is a secure/trusted internet connection and is the highest tier in my Multi WAN group.
WAN B with DNS B is untrusted and should be only used as failover when WAN A is down.

So the issue is, that I don't want the untrusted DNS B used when WAN A (and therefore DNS A) is available.

[banym]

Why would you use any untrusted DNS?
You could easily use trusted DNS on all connections? Just don't use the provider DNS.

I see the point to be able to configure the path for the DNS server. But using untrusted DNS even if one up-link is gone, does not sound like a good idea.

You could use a free DNS resolver or setup your own. If that one is available over both up-links a switch is not necessary.

[soko]

Sorry, maybe "untrusted" was not the correct word. Maybe "not-so-trusted" would be better

I also still see a point in activating/deactivating DNS servers on gateway changes but I understand that it's not high up in the wanted feature list of OPNsense.

I'm basically satisfied by the knowledge that all DNS servers are used all the time. So I just misinterpreted the settings in OPNsense.

[tong2x]

Sorry, maybe "untrusted" was not the correct word. Maybe "not-so-trusted" would be better

I also still see a point in activating/deactivating DNS servers on gateway changes but I understand that it's not high up in the wanted feature list of OPNsense.

I'm basically satisfied by the knowledge that all DNS servers are used all the time. So I just misinterpreted the settings in OPNsense.

quite easy to misinterpret as the instruction said to "assign" dns for each WAN. logically you would assumed it is for DNS resolution. I think it is in the manual also or in forum that the DNS is only used by OPNsense for Internet checking. something to do with the monitor IP.

I do also think it would be a "nice" feature. useful if say, DNS-a has faster response with wan1, while DNS-b has faster response to wan2.
then again this is not probably important... since the fastest resolution will be accepted