[SOLVED] Unbound DNS & issue with "Outgoing Network Interfaces"

Started by FredFresh, October 06, 2025, 08:45:29 PM

Hi, I have a WAN connection + 3 different VPNs (to external providers like nordvpn or similar).

The connection to outside is managed using a different priority of the gateways (each one can be the default gateway).

I use Unbound DNS:
- I set the WAN + the 3 VPNs as "Outgoing Network Interfaces"
- I start the test here: dnsleaktest.com
- that site is able to identify the country of each of the three VPNs

Shouldn't Unbound DNS use only one connection to the authoritative DNS server?

I tried to select only one of the VPNs, and the DNS leak test identifies only that country (the DNS server located in that country).
I tried to create a gateway group and use that as the outgoing interface, but it was not shown in the drop-down list.

Thank you for helping me understand this.

EDIT: @Franco could you provide feedback on this? Otherwise I would say this is unexpected behaviour/a bug and I would open a bug on GitHub.

I guess this is via OpenVPN and not Wireguard?
From my understanding and testing it's 'all' outgoing interfaces, not a fail-over in Unbound as you think.

What I did (for Wireguard but somewhat applicable to you) was to:
1. Set up a DNS server on another machine.
2. Add a gateway group.
3. Add a firewall rule for the DNS server to use that gateway group instead of <insert default gw>

then you would have failover via the gateway group.

Hi, the VPNs are all WireGuard.

I think that what you suggested can work if I have to redirect the DNS queries from a device in the subnet, but my intention is to route the Unbound queries to the authoritative DNS server.

The queries come out from 127.0.0.1 and there are no queries going inside the gateways but only going out, therefore a firewall rule is not able to redirect, only to block (at least this is what I understood so far).

I had something similar and tinkered a bit, but eventually gave up as I wanted fail-over and not to depend on some WAN redirect magic, due to WireGuard not working the same as OpenVPN.

My home setup is as follows (don't ask why, it's fun with VMs, dockers and stuff, and you may remove complexity for your use case).

Redirect rule on lan1-lan10 to catch DNS: IPv4 TCP/UDP    *    *    127.0.0.1    53 (DNS)    *    *
AdGuard running on :53
OPNsense Unbound running on :53530

3 DNS servers in AdGuard (192.168.0.2, 192.168.0.3, [/local/127.0.0.1:53530])

dns1: 192.168.0.2 failover on 4 wg-tunnels
dns2: 192.168.0.3 failover on 4 (different) wg-tunnels

so queries are: AdGuard -> dns1 and dns2 for external lookups, with the fail-over as mentioned, and AdGuard -> OPNsense Unbound for local lookups.

If you want to decrease complexity you may use WAN redirect rules, but when one of the tunnels goes down you may see longer times for DNS queries.
Example for your WAN rule: IPv4 TCP/UDP    VPN1 address    *    9.9.9.9    853    VPN1-gw    *

Maybe someone has an easier fix, but what worked best for me and my use cases was a separate VM with a DNS server.

Question 1:
Quote from: userOne on October 09, 2025, 10:00:19 PM
Redirect rule on lan1-lan10 to catch dns: IPv4 TCP/UDP    *    *    127.0.0.1    53 (DNS)    *    *
How can this intercept the internal DNS queries if they are directed to the subnet gateway IP and not to 127.0.0.1?

Question 2:
Quote from: userOne on October 09, 2025, 10:00:19 PM
dns1: 192.168.0.2 failover on 4 wg-tunnels
dns2: 192.168.0.3 failover on 4 (different) wg-tunnels
I think there is something wrong here, I mean that here there should be the authoritative DNS server address.

Again, my issue is not the DNS queries from devices but from the firewall itself. All the devices' queries are already redirected to the firewall itself.

Again, you are replying with things not relevant to my question.

Solution found: Services -> Unbound DNS -> General (advanced): if you select interfaces in the "Outgoing Network Interfaces", the system reaches the DNS server on every outgoing interface.
Instead, if you de-select all of them and "All (recommended)" appears as the choice, only the effective outgoing interface is used.
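As an added illustration (not part of the thread, and not OPNsense's own generated file), here are the two Unbound configurations the GUI choice above corresponds to, side by side. It assumes OPNsense renders each interface ticked under "Outgoing Network Interfaces" into one `outgoing-interface:` line of unbound.conf; the addresses are placeholders for the WAN and the three WireGuard tunnel addresses. Unbound documents that when several `outgoing-interface:` lines are present it picks a random one per query (source address randomisation), which is exactly why dnsleaktest.com saw all three VPN countries: this is load spreading, not fail-over.

```conf
# Added example, not from the thread: two separate Unbound configurations.
# Addresses are placeholders; substitute your own WAN and tunnel addresses.

# ===== Variant A: interfaces explicitly selected in the GUI =================
# Several outgoing-interface lines. Unbound does NOT fail over between them;
# it chooses a random outgoing interface for each recursive query, so queries
# leave via the WAN and via all three tunnels, and a leak test sees each one.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                # LAN listener (placeholder)
    outgoing-interface: 203.0.113.10      # WAN address (placeholder)
    outgoing-interface: 10.64.0.2         # VPN1 tunnel address (placeholder)
    outgoing-interface: 10.65.0.2         # VPN2 tunnel address (placeholder)
    outgoing-interface: 10.66.0.2         # VPN3 tunnel address (placeholder)

# ===== Variant B: "All (recommended)", nothing ticked ======================
# No outgoing-interface lines at all. Unbound then lets the kernel pick the
# source address, i.e. the routing table and the currently active default
# gateway decide, so queries leave on one interface only and the leak test
# reports a single country.
server:
    interface: 127.0.0.1
    interface: 192.168.1.1                # LAN listener (placeholder)
    # (no outgoing-interface lines)
```

To check which variant is in effect on the box, inspect the generated file (on current OPNsense releases it is /var/unbound/unbound.conf; adjust the path if yours differs) for `outgoing-interface:` lines, and run `unbound-checkconf` on it after any change. Caveat for Variant B: "the effective outgoing interface" means whatever the routing table currently prefers, so if the default gateway fails over from a VPN to the WAN, Unbound's queries follow it to the WAN. If that must never happen, the thread's alternative of a separate resolver whose traffic is policy-routed through a gateway group of VPN gateways is the way to pin the exit.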