Slow DNS lookups on BACKUP box after changing Unbound outbound interface to LAN

Started by tomstephens89, January 21, 2022, 10:08:28 PM

Hi all,

I recently changed the outbound interface setting of the unbound resolver to one of my LAN side interfaces in order to solve the problem of DNS domain override forward requests not traversing my IPSEC tunnel to the datacenter.

Since changing Unbound to use one of my LAN interfaces, DNS requests to that overridden domain now successfully use the IPSEC tunnel to a remote DNS server. However, I have just noticed that during an update of my firewall pair, the box that is currently the BACKUP node suffers extremely slow DNS resolution. I noticed this when it was looking up the package repo etc.

Any ideas why this is?

Thinking about this, could this be because the backup does not own the VIP of the LAN interface when it's in backup state? So it's falling back to another interface or something else?

Any thoughts on this?

An explanation as to why Unbound forwards don't traverse an IPSEC tunnel unless the outbound interface is set to one of the LAN interfaces would help.
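A way to test the hypothesis in the post (that the BACKUP node does not own the LAN VIP, so queries sourced from it stall) is to compare the address Unbound is told to use as its outgoing interface with the CARP state of that address. The script below is an added example, not code from the original post or from OPNsense or Unbound; it assumes BSD-style `ifconfig` output where a VIP shows as an `inet ... vhid N` line followed by a `carp: STATE vhid N` line, and an Unbound config containing an `outgoing-interface:` line. The `ifconfig` and config text embedded here are constructed samples; on a real box you would feed it the actual `ifconfig` output and Unbound config file.

```shell
#!/bin/sh
# Added diagnostic example (not from the forum post, OPNsense or Unbound).
# Checks whether Unbound's outgoing-interface is a CARP VIP that this node
# does not currently hold (i.e. the node is BACKUP or INIT for that vhid).
# Both inputs below are constructed samples.

SAMPLE_IFCONFIG='igb1: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.2 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

SAMPLE_UNBOUND_CONF='server:
  outgoing-interface: 192.0.2.1'

# vip_state IFCONFIG_TEXT ADDRESS
# Prints the CARP state (MASTER/BACKUP/INIT) if ADDRESS is a VIP on this
# node, or "none" if it is an ordinary interface address.
vip_state() {
  vhid=$(printf '%s\n' "$1" | awk -v a="$2" '
    $1 == "inet" && $2 == a { for (i = 1; i <= NF; i++) if ($i == "vhid") print $(i + 1) }')
  [ -n "$vhid" ] || { echo none; return 0; }
  printf '%s\n' "$1" | awk -v v="$vhid" '$1 == "carp:" && $3 == "vhid" && $4 == v { print $2; exit }'
}

# outgoing_iface CONF_TEXT
# Prints the address given to Unbound's outgoing-interface option (first one only).
outgoing_iface() {
  printf '%s\n' "$1" | awk '$1 == "outgoing-interface:" { print $2; exit }'
}

# check_outbound CONF_TEXT IFCONFIG_TEXT
# Returns 0 when upstream queries will leave from an address this node owns,
# 1 when they would be sourced from a VIP the node does not currently hold.
check_outbound() {
  addr=$(outgoing_iface "$1")
  if [ -z "$addr" ]; then
    echo "no outgoing-interface set: Unbound picks any local address"
    return 0
  fi
  state=$(vip_state "$2" "$addr")
  case "$state" in
    none)   echo "outgoing-interface $addr is a plain interface address: OK"; return 0 ;;
    MASTER) echo "outgoing-interface $addr is a CARP VIP and this node is MASTER: OK"; return 0 ;;
    *)      echo "outgoing-interface $addr is a CARP VIP but this node is ${state:-unknown}: upstream queries are sourced from an address this node does not own"; return 1 ;;
  esac
}

# Stand-alone run against the constructed samples; the verdict is printed,
# the exit status is swallowed so the script itself does not fail.
check_outbound "$SAMPLE_UNBOUND_CONF" "$SAMPLE_IFCONFIG" || :
```

On a live firewall, replacing the two sample variables with `ifconfig` output and the running Unbound config reproduces the check; a BACKUP verdict on the node that is slow to resolve supports the VIP explanation, while a `none` or `MASTER` verdict points elsewhere (for example at a route or IPsec policy that only matches the LAN source address).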