[DNS RESOLVER] IPSEC DNS local.domain on two servers, howto?

  • Hi,

    I have two pfSense servers setup. Both 2.3.2_1 with unbound.
    The servers are interconnected with IPSEC.

    Domain on both pfSenses: local.domain
    ServerA.local.domain: some static DNS names set that are to be used on both pfSenses.
    ServerB.local.domain: has static ARP mappings that are put into DNS. These mappings are also to be used on both pfSenses.

    (I have setup a route-hack to enable DNS over IPSEC: local route from LAN net ServerA to LAN net ServerB is routed over GATEWAY: "LAN interface address".)
    This all works.

    Now both pfSenses run the same domain. So, next to the static DNS mappings on ServerA I have set an override domain for local.domain to ServerB.
    I've done the same on ServerB (-> ServerA). This works too, but seems to delay a lot on servers that are attached to e.g. ServerA.


    1. Is this the right way to use multiple DNS servers in the same domain or should I do it differently?
    2. Do the static mappings take precedence over the 'domain override'? Or is this maybe conflicting?
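    Below is an added example (not the poster's pfSense-generated file) of what the described setup looks like in unbound's own configuration, written out by hand for ServerA. pfSense "Host Overrides" become local-data entries and a "Domain Override" becomes a forward-zone; the interface addresses, host names and the 192.0.2.0/24 and 198.51.100.0/24 LAN ranges are assumptions. It shows the precedence question directly: unbound answers a name from local-data before it ever consults a forward-zone for the same domain, so a static mapping wins, and only names that are not in local-data are forwarded over the tunnel.

```conf
# unbound.conf excerpt for ServerA (added example, not the original page's file).
# Addresses are documentation ranges and are assumed:
#   ServerA LAN 192.0.2.0/24, ServerA LAN address 192.0.2.1
#   ServerB LAN 198.51.100.0/24, ServerB LAN address 198.51.100.1
server:
    interface: 192.0.2.1
    access-control: 192.0.2.0/24 allow
    access-control: 198.51.100.0/24 allow    # queries from ServerB's LAN via IPsec

    # Static names kept on ServerA (pfSense "Host Overrides").
    # "transparent": names listed in local-data are answered locally;
    # any other name under local.domain falls through to normal resolution,
    # which here means the forward-zone below.
    local-zone: "local.domain." transparent
    local-data: "fileserver.local.domain. IN A 192.0.2.10"
    local-data: "printer.local.domain. IN A 192.0.2.20"
    local-data-ptr: "192.0.2.10 fileserver.local.domain"
    local-data-ptr: "192.0.2.20 printer.local.domain"

# pfSense "Domain Override" for local.domain pointing at ServerB.
# Consulted only for names NOT present in local-data above.
forward-zone:
    name: "local.domain."
    forward-addr: 198.51.100.1
```

The mirror image on ServerB (its static ARP-derived names as local-data, forward-zone pointing at 192.0.2.1) completes the setup described in the post. One check worth making with this shape: a name that exists on neither server is forwarded A to B, B has no local-data for it and forwards back to A, and the query bounces between the two forwarders until unbound gives up, which shows up as a slow NXDOMAIN rather than a fast one. `unbound-checkconf` validates the file, and `drill name.local.domain @192.0.2.1` against each server (with and without a name present in local-data) makes the precedence and the slow path visible.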


  • I haven't set up a configuration like this before - I generally use a dedicated subdomain for each location so I can easily tell where something is based entirely on its DNS entry.

    That said, regarding your second question, DNS results list DHCP entries first, with HBO's following.

  • Rebel Alliance Global Moderator

    "Now both pfSenses run the same domain"

    Well that's a bad idea right out of the gate.  To be honest if you want to run more than 1 authoritative NS for a domain unbound is a bad choice as well.  If you want to have either NS in either location return the results for IPs in either location, run an actual authoritative NS and set up your other sites as slaves and do zone transfers, so that when you add a record to your SOA your slave NS will also get a copy, etc.

    Unbound is not well suited for such a setup.  Or as geudrik mentions just run different subdomains for your locations. So you end up with host.siteA.domain.tld and host.siteB.domain.tld, etc.
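    For the primary/secondary arrangement the moderator describes, here is an added example (not from the thread) of the minimum BIND 9 configuration for one authoritative server at site A and a secondary at site B that pulls the zone by AXFR and is notified of changes. The addresses, file paths, zone contents and the TSIG key name are assumptions; the `type primary`/`type secondary`/`primaries` keywords are the BIND 9.16+ spellings of `master`/`slave`/`masters`. The transfer is restricted to a TSIG-authenticated peer so that nothing else on either LAN or across the tunnel can dump the zone.

```conf
# named.conf excerpts (added example, not the page's own configuration).
# Assumed: ServerA LAN address 192.0.2.1, ServerB LAN address 198.51.100.1.
# Generate a real secret with:  tsig-keygen xfer-key

# ---------- ServerA: primary (holds the SOA) ----------
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";   # assumption: placeholder only
};

zone "local.domain" {
    type primary;
    file "/usr/local/etc/namedb/primary/local.domain.db";
    allow-transfer { key "xfer-key"; };   # only a peer signing with the key may AXFR
    notify explicit;
    also-notify { 198.51.100.1; };        # NOTIFY ServerB whenever the serial changes
};

# ---------- ServerB: secondary ----------
key "xfer-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_OUTPUT_OF_tsig-keygen";   # same secret as on ServerA
};

server 192.0.2.1 {
    keys { "xfer-key"; };                 # sign every request to the primary with it
};

zone "local.domain" {
    type secondary;
    primaries { 192.0.2.1; };
    file "/usr/local/etc/namedb/secondary/local.domain.db";
    allow-transfer { none; };             # the secondary does not re-serve AXFR
};

# ---------- /usr/local/etc/namedb/primary/local.domain.db on ServerA ----------
# The SOA serial MUST increase on every edit or the secondary will never refresh.
# $TTL 3600
# @   IN SOA  nsa.local.domain. hostmaster.local.domain. (
#               2016110101 ; serial (YYYYMMDDnn, assumed convention)
#               3600       ; refresh
#               900        ; retry
#               1209600    ; expire
#               300 )      ; negative-cache TTL
#     IN NS   nsa.local.domain.
#     IN NS   nsb.local.domain.
# nsa         IN A 192.0.2.1
# nsb         IN A 198.51.100.1
# fileserver  IN A 192.0.2.10
# printer     IN A 198.51.100.20
```

After loading, `named-checkconf` and `named-checkzone local.domain <file>` validate the pieces, and `dig @198.51.100.1 local.domain SOA` should return the same serial as the primary once the first transfer has completed. Each pfSense's unbound can then be pointed at its local authoritative server for the zone with a single domain override, with no forwarding between the two resolvers.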