DNS Resolver Custom Options
My goal is to have all devices on my network/s use the options in the General Setup DNS Servers (8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1).
To this end, the General Setup is as follows:
DNS Servers are 8.8.8.8, 8.8.4.4, 1.1.1.1, 1.0.0.1. DNS Hostname is blank on each entry, and all gateways are set to None.
DNS Server Override is unchecked
DNS Resolution Behavior is Use Local DNS, Fall back to remote DNS Servers
Everything else is unchanged from default settings
DNS Resolver is as follows:
Enable DNS resolver is Checked
Listen Port is 53
Enable SSL/TLS Service is unchecked
SSL/TLS Certificate is set to default
SSL/TLS Listen Port is 853
Network Interfaces is set to ALL
Outgoing Network Interfaces is set to WAN only
System Domain Local Zone Type is Transparent
DNS Query Forwarding is enabled
DHCP Registration is checked
Static DHCP is checked
I have set up NordVPN/OpenVPN correctly, and it is working as intended, but in the Outbound NAT rule I set it up as follows:
So only devices under the Alias VPN_OUT_ENDPOINT are using the NORDVPN gateway. For testing purposes, only 1 device is listed under that alias, static IP 10.26.26.8. The WAN/LAN rules to deal with the VPN traffic for this Alias are set up and working correctly.
Since I want the DNS queries from devices using the NORDVPN gateway to use the NordVPN DNS Servers, and those queries to also go out via the NORDVPN gateway, I added this snippet to the Custom Options in the DNS Resolver:
server:
    access-control-view: 10.26.26.8/32 VPN_DNS_View   # Apply VPN DNS View to this specific IP

view:
    name: "VPN_DNS_View"
    view-first: yes

forward-zone:
    name: "."
    forward-addr: 103.86.96.100@53   # NordVPN DNS server 1, using standard DNS port
    forward-addr: 103.86.99.100@53   # NordVPN DNS server 2, using standard DNS port
    outgoing-interface: "ovpnc1"     # Directs DNS queries from the VPN client through the NordVPN interface (enclosed in quotation marks)

view:
    name: "default_view"
    view-first: no   # No specific settings needed for default view as it uses the system defaults
However, this produces an error with the outgoing-interface: "ovpnc1" line. If I remove that line no error is produced. I had first tried "NordVPN" instead of "ovpnc1" but that resulted in the same error.
Is the outgoing-interface: directive correct as I am using it? I thought it was, ChatGPT 4.0 thinks it is correct as well, and hopefully, someone else has direct experience with this.
Perhaps I am referencing the interface incorrectly?
Note that I understand that the DNS Resolver settings, etc., may not be optimal as-is. If there are recommendations feel free to make them in addition to any suggestions regarding the use of outgoing-interface as described above.
I don't have DNSSEC enabled because it is a global setting and if it is enabled in the DNS Resolver, it cannot be altered even through a custom options snippet (correct me if I am wrong). NordVPN setup specifically instructs you to leave DNSSEC Support unchecked. That is why I have it unchecked. If I can get this to work I will most likely enable DoT to make up for it, and expand the snippet so that it isn't used for the devices using the NordVPN gateway.
If I can't get this to work I can try to handle this at the network routing level rather than at the DNS configuration level, by configuring the system’s routing table to direct all traffic from the NordVPN/ovpnc1 interface (including DNS) to go through the VPN, which I believe will bypass the need for specifying the interface in Unbound.
I previously posted regarding this and another route I was attempting; however, that required that DNS Server Override be enabled, which I would rather avoid. I don't think there is anything there that needs to be referenced, but just in case I have included it:
https://forum.netgate.com/topic/187283/all-devices-use-dns-resolver-and-general-setup-except-select-ips
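The error the post describes comes down to where each option sits in Unbound's clause grammar, so here is an added example (not code from the post, from pfSense, or from Unbound) that statically checks a custom-options snippet against an abridged clause/option table. The table is my transcription of unbound.conf(5) as I recall it and is an assumption to confirm against the manual for your Unbound version; in that grammar `outgoing-interface` is a `server:` option that takes an IP address, `forward-zone:` is a top-level clause rather than something nested inside a `view:`, and `view:` accepts only `name`, `local-zone`, `local-data`, `local-data-ptr` and `view-first`. The two snippets inside the block are constructed test inputs; the tunnel address 10.8.0.2 in the second one is hypothetical.

```python
"""Static placement check for an Unbound custom-options snippet.

Added example; not the post's, pfSense's or Unbound's own code. CLAUSE_OPTIONS
is an abridged transcription of unbound.conf(5) from memory (assumption: verify
against the manual for the Unbound version you run).
"""
import ipaddress
import re

# Clause-start tokens and the options each accepts (abridged; assumption).
CLAUSE_OPTIONS = {
    "server": {
        "access-control", "access-control-view", "interface",
        "outgoing-interface", "do-not-query-localhost", "verbosity",
    },
    "view": {"name", "local-zone", "local-data", "local-data-ptr", "view-first"},
    "forward-zone": {
        "name", "forward-addr", "forward-host", "forward-first",
        "forward-tls-upstream", "forward-no-cache",
    },
}

OPTION_RE = re.compile(r"^([a-z0-9-]+):\s*(.*?)$")


def strip_comment(line):
    """Drop a trailing '# ...' comment (naive: does not handle '#' inside quotes)."""
    return line.split("#", 1)[0]


def check(text):
    """Return [(lineno, message), ...] for options that land in the wrong clause
    or carry a value of the wrong shape. A line such as 'forward-zone:' with
    no value opens a new clause; indentation is ignored, as Unbound ignores it."""
    findings = []
    clause = None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = strip_comment(raw).strip()
        if not line:
            continue
        m = OPTION_RE.match(line)
        if not m:
            findings.append((lineno, f"cannot parse: {line!r}"))
            continue
        key, value = m.group(1), m.group(2).strip()
        if key in CLAUSE_OPTIONS and value == "":
            clause = key                       # new top-level clause begins
            continue
        if clause is None:
            findings.append((lineno, f"{key} appears before any clause header"))
            continue
        if key not in CLAUSE_OPTIONS[clause]:
            homes = sorted(c for c, opts in CLAUSE_OPTIONS.items() if key in opts)
            hint = (f"; it belongs under {', '.join(h + ':' for h in homes)}"
                    if homes else "; not in the (abridged) option table")
            findings.append((lineno, f"{key} is not valid in a {clause}: clause{hint}"))
            continue
        if key == "outgoing-interface":
            try:
                ipaddress.ip_address(value.strip('"'))
            except ValueError:
                findings.append((lineno, f"outgoing-interface takes an IP address, got {value}"))
    return findings


# Constructed copy of the post's snippet, comments trimmed.
POST_SNIPPET = """\
server:
    access-control-view: 10.26.26.8/32 VPN_DNS_View   # Apply VPN DNS View to this IP

view:
    name: "VPN_DNS_View"
    view-first: yes

forward-zone:
    name: "."
    forward-addr: 103.86.96.100@53
    forward-addr: 103.86.99.100@53
    outgoing-interface: "ovpnc1"      # the line the post says triggers the error

view:
    name: "default_view"
    view-first: no
"""

# Constructed variant: the option moved to the clause that accepts it, with an IP
# address instead of an interface name (10.8.0.2 is a hypothetical tunnel address).
SERVER_PLACEMENT = """\
server:
    access-control-view: 10.26.26.8/32 VPN_DNS_View
    outgoing-interface: 10.8.0.2      # hypothetical ovpnc1 tunnel address

view:
    name: "VPN_DNS_View"
    view-first: yes

forward-zone:
    name: "."
    forward-addr: 103.86.96.100@53
    forward-addr: 103.86.99.100@53
"""

if __name__ == "__main__":
    for label, snippet in (("post", POST_SNIPPET), ("server placement", SERVER_PLACEMENT)):
        print(f"== {label} ==")
        for lineno, msg in check(snippet) or [(0, "no findings")]:
            print(f"  line {lineno}: {msg}")
```

Run it and the only finding for the post's snippet is the `outgoing-interface` line inside the `forward-zone:` clause, which matches the report that the error disappears when that line is removed. Note what the corrected placement does and does not give you: under `server:` the option applies to every upstream query Unbound sends, not only to queries from the viewed client, and pfSense already generates these lines from the "Outgoing Network Interfaces" setting, so a hand-added one competes with the GUI's choice of WAN. The checker only catches grammar placement; whether per-view upstream selection is achievable in Unbound at all is a separate question this example does not answer.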