Netgate Discussion Forum

In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?

General pfSense Questions
16 Posts 3 Posters 656 Views
jc1976 @stephenw10

      @stephenw10

Yes, that's the documentation I used to configure DoT.

Under Services / DNS Resolver / General Settings, I set the outgoing network interfaces to use the Comcast connection but got the same result.

stephenw10 Netgate Administrator

        What result are you seeing? How are you testing?

        If you go to Diag > States and filter by :853 do you see outbound DoT connections on both WANs?

dennypage @stephenw10

@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:

          go to Diag > States and filter by :853

          NB: This will only show IPv4 states.

jc1976 @stephenw10
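Since the Diag > States page filters by plain substring, a ":853" filter lists only IPv4 DoT states, as dennypage notes, while IPv6 states print the port as "[853]". The following added example (not code from the thread or from pfSense) parses `pfctl -ss` style state lines and counts DoT states per WAN interface and address family, which is the check stephenw10 asks for: whether Unbound's outgoing TLS connections leave on one WAN or both. The sample lines, interface names (igb0 and igb1 standing in for the two WANs) and addresses are constructed for illustration.

```python
"""Count DNS-over-TLS (TCP/853) states per WAN from pfctl -ss style output.

Added example; the sample state lines below are constructed, not captured
from any real firewall. Interface names and addresses are assumptions.
"""
import re
from collections import Counter

DOT_PORT = 853

# One pf state line: <iface> <proto> <endpoint> (-> or <-) <endpoint> <state>
# An endpoint may carry the pre-NAT address in parentheses, e.g.
# "203.0.113.10:51237 (192.168.1.25:51237)". IPv6 endpoints print the
# port in brackets, e.g. "2001:db8::1[51236]".
STATE_RE = re.compile(
    r"^(?P<iface>\S+)\s+(?P<proto>tcp|udp|icmp|icmpv6)\s+"
    r"(?P<left>\S+(?: \(\S+\))?)\s+(?P<dir>->|<-)\s+"
    r"(?P<right>\S+(?: \(\S+\))?)\s+(?P<state>\S+)\s*$"
)

# Constructed sample output: two IPv4 DoT states on different WANs, one IPv6
# DoT state, one HTTPS state from a NAT'd LAN host and one mDNS state.
SAMPLE_STATES = """\
igb0 tcp 203.0.113.10:51234 -> 1.1.1.1:853       ESTABLISHED:ESTABLISHED
igb1 tcp 198.51.100.20:51235 -> 1.0.0.1:853       ESTABLISHED:ESTABLISHED
igb0 tcp 2001:db8:a::1[51236] -> 2606:4700:4700::1111[853]       ESTABLISHED:ESTABLISHED
igb0 tcp 203.0.113.10:51237 (192.168.1.25:51237) -> 203.0.113.99:443       ESTABLISHED:ESTABLISHED
igb2 udp 192.168.1.50:5353 -> 224.0.0.251:5353       NO_TRAFFIC:SINGLE
"""


def parse_endpoint(ep):
    """Return (address, port, family) for one endpoint. The parenthesised
    pre-NAT address, if present, is ignored: only the post-NAT side tells
    us which WAN the state leaves on."""
    tok = ep.split(" ", 1)[0]
    m = re.fullmatch(r"(.+)\[(\d+)\]", tok)
    if m:
        return m.group(1), int(m.group(2)), "inet6"
    m = re.fullmatch(r"(.+):(\d+)", tok)
    if m:
        return m.group(1), int(m.group(2)), "inet"
    raise ValueError(f"unparseable endpoint: {ep!r}")


def parse_states(text):
    """Parse pfctl -ss style lines into dicts; unrecognised lines are skipped."""
    states = []
    for line in text.splitlines():
        m = STATE_RE.match(line.strip())
        if not m:
            continue
        states.append({
            "iface": m["iface"],
            "proto": m["proto"],
            "left": parse_endpoint(m["left"]),
            "right": parse_endpoint(m["right"]),
            "state": m["state"],
        })
    return states


def dot_states(text):
    """Return (iface, family, server) for every TCP state with a peer on 853."""
    found = []
    for st in parse_states(text):
        if st["proto"] != "tcp":
            continue
        for addr, port, fam in (st["left"], st["right"]):
            if port == DOT_PORT:
                found.append((st["iface"], fam, addr))
                break
    return found


def dot_by_wan(text):
    """Count DoT states per (interface, address family)."""
    return Counter((iface, fam) for iface, fam, _ in dot_states(text))


def gui_style_filter(text, needle=":853"):
    """Mimic the Diag > States text filter: a plain substring match.
    IPv6 states print the port as [853], so they never match ':853'."""
    return [ln for ln in text.splitlines() if needle in ln]


if __name__ == "__main__":
    for (iface, fam), n in sorted(dot_by_wan(SAMPLE_STATES).items()):
        print(f"{iface} {fam}: {n} DoT state(s)")
    print(f"GUI ':853' filter shows {len(gui_style_filter(SAMPLE_STATES))} "
          f"of {len(dot_states(SAMPLE_STATES))} DoT states")
```

On a live pfSense box you would feed it the real output (`pfctl -ss`) instead of the constructed sample; if Unbound's outgoing interface is pinned to one WAN, every DoT state should report that interface for both address families.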

            @stephenw10

I'm making the change, resetting the state table, and then going to youtube.com and doing a search.

Click on a video and it prompts me to put in my YouTube account credentials to prove that I'm not a bot.

stephenw10 Netgate Administrator

              So do you see the DoT states on Comcast only?

              Are you sure this is actually a DNS problem?

Is the client actually using pfSense for DNS? It could be using DoH directly, for example.

jc1976 @stephenw10

                @stephenw10

DoH is not permitted. I'm just using my own PC for testing.

I navigate to speedtest.net and run a test; all pegs 1Gb without issue. Then I navigate to YouTube and do a lookup. Upon clicking a video I'm prompted to sign in to make sure I'm not a bot.

If I were to put the static IP assigned by Cogent into my laptop and use their DNS, and plug directly into their equipment, all works fine.

stephenw10 Netgate Administrator

                  So do you see the DoT states on Comcast only? That's the important thing there.

                  If you switch the DNS to use 8.8.8.8/8.8.4.4 instead does it still ask you to login?

                  The difference here is that the remote servers see requests come in from your Cogent public IP but DNS resolved at the target forwarded servers. For whatever reason that mismatch there triggers the login for the Cogent public IP but not Comcast.

jc1976 @stephenw10

                    @stephenw10

If I switch my DNS to Google's, the same thing happens. Cogent simply will not allow me to use any other DNS.

                    "The difference here is that the remote servers see requests come in from your Cogent public IP but DNS resolved at the target forwarded servers. For whatever reason that mismatch there triggers the login for the Cogent public IP but not Comcast."

So is there anything that can be done?

stephenw10 Netgate Administrator @jc1976

@jc1976 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:

                      Cogent simply will not allow me to use any other DNS.

                      So DNS fails entirely if you try to use it over the Cogent WAN?

And, again, do you see the DoT states on Comcast only if you set Unbound to use only that for outbound connections?

                      As I understand it the only issue you're seeing here is that youtube flags your connection as suspicious if you try to use the Cogent WAN whilst resolving at some remote server?

                      One thing you could try is to just resolve on Unbound locally since that would then also use the Cogent public IP to resolve.

jc1976 @stephenw10

@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:

                        As I understand it the only issue you're seeing here is that youtube flags your connection as suspicious if you try to use the Cogent WAN whilst resolving at some remote server?

Yes, that is correct.

If I use Cogent's DNS, all works fine. However, if I use a 3rd-party DNS it fails on YouTube. I haven't tried other sites, since YouTube is the most serious of the problems.

@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:

                        One thing you could try is to just resolve on Unbound locally since that would then also use the Cogent public IP to resolve.

I could do that, but

1. I'm trying to bring a modicum of security to our DNS,
2. it's the principle of it; Cogent shouldn't be able to force us to use their DNS, and
3. the way I've been treated by them is appalling. They literally said it's Google/YouTube's fault after I proved to them it's their fault, and that they were not going to help me any further.

stephenw10 Netgate Administrator

Well, from what we've seen here it is Google's fault. Cogent is not preventing you from using other DNS servers. What's happening is that Google's servers detect you are resolving DNS from a different location than you're sourcing requests from and flag the connection as suspicious in some way requiring additional screening. The same way that some sites will do that for VPN connections. A "DNS leak" is one way sites detect it. The interesting thing is that they only flag the Cogent connection that way.

One other thing you could do is VPN all your traffic over the Cogent WAN to the same location you are resolving from.

But I would at least try resolving locally first since that would also set the DNS and source IPs to match. With DNSSEC enabled you can be pretty confident in the results. Using DoT really just outsources your trust to Cloudflare.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.