Rules-Based DNS Forwarding
-
If I recall correctly, in dnsmasq I could define DNS servers based on an alias -> Client IP or range.
I know that I can create a NAT forward rule to do something similar, but this is limited to just one destination DNS server address, and I would like 2 or more.
So is it possible to forward all requests from specific LAN clients (defined as an alias) to more than 1 DNS server, thereby preventing the client from trying to use an alternative DNS server and forcing all requests to the override servers?
-
@crankshaft said in Rules-Based DNS Forwarding:
and I would like 2 or more.
Why? Any of the major players are anycast. If you forward to 8.8.8.8 there are loads of DNS servers that could answer if 1 was down or too busy to answer. It makes little sense to use a 2nd server like 8.8.4.4 with anycast.
And you shouldn't forward to servers that could resolve differently. For example, if 1 of your NS did filtering and the other didn't - you have no idea which one might actually be asked, so you wouldn't know if you're going to be filtered or not filtered for something you asked for.
Yes, dnsmasq could be set to ask all the DNS servers at the same time and give the first answer back, if that is what you want to do. Then set up dnsmasq to do that, and then set up your redirect so if a client wants to ask 1.2.3.4, it gets redirected to dnsmasq. Or it could be set up to ask sequentially, so if the first is down or doesn't answer, ask the 2nd one.
But again, it's a bad idea to send to more than 1 DNS server if they could answer differently for something. Filtering is the big one, but another thing is DNSSEC - if one does DNSSEC and the other doesn't, you have no idea if DNSSEC is going to be used or not.
On a side note - if you forward, there is no reason to ask for DNSSEC, because wherever you forward to is either doing DNSSEC out of the box, or it isn't.
-
@johnpoz - Thanks and yes I did not explain very well.
I am not looking to concurrently send to 2 servers, but only to send to the second one if the first one fails, basically mimicking DNS forwarding with 2 DNS host servers.
I don't think this can be done with a NAT rule?
This is basically for a media device that connects via a vpn, and some apps on that device refuse to use the DNS provided and use their own choice of DNS server to perform some queries.
-
@crankshaft said in Rules-Based DNS Forwarding:
I don't think this can be done with a NAT rule?
Yes it can, if you redirect the DNS to dnsmasq and have it forward for you.
But no, trying to redirect directly from, say, port 53 traffic going to 8.8.8.8 over to 9.9.9.9 or 4.2.2.2 is not possible with just port forwarding. It can be done if you redirect the port 53 traffic to something that would ask more than 1 NS.
that device refuse to use the DNS provided and use their own choice of DNS server to perform some queries.
Yeah, that is a common scenario - just set up your normal DNS redirection.
https://docs.netgate.com/pfsense/en/latest/recipes/dns-redirect.html
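The arrangement described in the two replies above (redirect the clients' port 53 traffic to dnsmasq, and have dnsmasq try a second upstream only when the first fails), written out as an added example; it is not from the thread or from the Netgate docs. The interface name igb1, the LAN address 192.168.1.1, the alias name media_clients and the choice of Quad9's two addresses as upstreams are assumptions for illustration. On pfSense the dnsmasq lines go under Services > DNS Forwarder > Custom options, and the rdr line is the pf equivalent of the port-forward rule the linked recipe creates in the GUI.

```conf
# --- dnsmasq custom options (constructed example) ---
no-resolv                 # ignore /etc/resolv.conf; use only the server= lines below
strict-order              # ask upstreams in the order listed; move to the next only on failure
server=9.9.9.9            # first upstream (assumed)
server=149.112.112.112    # second upstream, same operator and same filtering policy (assumed)
# all-servers             # alternative: query every upstream at once and return the first answer

# --- pf redirect rule, equivalent of the GUI port forward (constructed example) ---
# Port 53 traffic from hosts in the media_clients alias that is NOT already aimed at the
# firewall's LAN address is rewritten to the local dnsmasq on 192.168.1.1.
rdr on igb1 proto { tcp udp } from <media_clients> to ! 192.168.1.1 port 53 -> 192.168.1.1 port 53
```

Both upstreams are deliberately from one operator so that, as the replies warn, a failover does not silently change filtering or DNSSEC behaviour. To confirm the redirect is in effect, run `dig @8.8.8.8 example.com` from a host in the alias and compare the answer and the responding address with a query sent to 192.168.1.1; if the redirect is working the two match even though the client addressed a different server. Note that this only catches classic port 53 DNS; an application that speaks DNS over TLS (port 853) or DNS over HTTPS (port 443) is not affected by this rule and needs a separate block or redirect policy.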