CARP and Unbound DNS response

Started by rudiratlos63, February 04, 2026, 05:14:29 PM

Hello,
I have a CARP-IP (10.8.99.1) on my INT (internal) interface and a physical IP (10.8.99.3).
My client gets, via Kea DHCP, the DNS server IP as the CARP-IP (10.8.99.1).
An nslookup to google.com from the client CLI gets the error that the info is expected from 10.8.99.1#53, but 10.8.99.3#3 responded.
The client drops the DNS info, because it's not from the CARP-IP.
How do I configure Unbound to use the CARP-IP and not the physical IP of node1 in the HA config?

Create a NAT port forwarding rule on the INT interface:

Source: INT net
Destination: CARP-IP (create a manual alias if necessary)
Protocol: TCP & UDP
Destination port: 53
Redirect target: 127.0.0.1:53

If all your interfaces have a CARP address you can do this for all of them and bind Unbound to 127.0.0.1:53 only.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

Hello Patrick,
This is not working, same result. Please see the attached screenshots. I've defined the NAT rule you suggested.

Then try to bind Unbound to 127.0.0.1 only, please.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

February 05, 2026, 07:01:03 PM #4 Last Edit: February 05, 2026, 07:08:27 PM by rudiratlos63
Where should I do this?
I have AdGuard running on DNS port 53. Unbound runs on port 5354.

So it is not Unbound which is answering with a wrong source address but AdGuard Home? That is a known bug in AdGuard Home and can be worked around just the same way.

Edit /usr/local/AdGuardHome/AdGuardHome.yaml:

dns:
  bind_hosts:
    - 127.0.0.1
  port: 53

And use the same port forward NAT rule as I already advised.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)

I've got the following error:

There were error(s) loading the rules: /tmp/rules.debug:187: no translation address with matching address family found. - The line in question reads [187]: rdr on vtnet1 inet6 proto {tcp udp} from {(vtnet1:network)} to $CARP_DMZ_IP port {53} -> 127.0.0.1 port 53 # CARP DNS forwarding

You cannot redirect IPv6 to IPv4. You need to redirect your IPv4 CARP address to 127.0.0.1.

You can run DNS over IPv4 only even in a dual stack network - simplifies many things.
Deciso DEC750
People who think they know everything are a great annoyance to those of us who do. (Isaac Asimov)
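To confirm which address and port actually answer a query (the symptom described in the first post) and to verify the NAT/bind fix afterwards, here is an added example, not code from the thread, from OPNsense or from AdGuard Home: a small Python checker that sends one DNS query and reports whether the reply came from the queried ip:port, plus a loopback stub server (constructed for the self-test) that reproduces a server answering from the wrong source port. The server address, port and the example.com name are assumptions for the demo; on a real client, point check_dns_source at your CARP IP on port 53.

```python
import socket
import struct
import threading

def build_query(name, txid=0x1234):
    """Minimal DNS A/IN query with RD set (constructed, one question)."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def check_dns_source(server_ip, port=53, name="example.com", timeout=2.0):
    """Send one query and report whether the reply came from the queried ip:port.
    A stub resolver discards replies from any other source (the thread's failure)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server_ip, port))
        data, (src_ip, src_port) = s.recvfrom(4096)
    return {
        "queried": (server_ip, port),
        "answered_from": (src_ip, src_port),
        "txid_ok": data[:2] == query[:2],
        "source_ok": (src_ip, src_port) == (server_ip, port),
    }

def start_stub_server(listen_ip="127.0.0.1", reply_from_listener=True):
    """Test double: echoes the query back with the QR bit set. With
    reply_from_listener=False it answers from a second, unbound socket
    (wrong source port), mimicking a misbehaving DNS server."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    srv.bind((listen_ip, 0))
    port = srv.getsockname()[1]

    def serve():
        data, client = srv.recvfrom(4096)
        reply = bytes([data[0], data[1], data[2] | 0x80]) + data[3:]
        out = srv if reply_from_listener else socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        out.sendto(reply, client)
        if out is not srv:
            out.close()
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return port

if __name__ == "__main__":
    good = check_dns_source("127.0.0.1", port=start_stub_server())
    bad = check_dns_source("127.0.0.1", port=start_stub_server(reply_from_listener=False))
    print("well-behaved server:", good)
    print("misbehaving server:", bad)
```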