How to use DNS servers from active tier only in dual WAN failover setup
I have pfSense with two WAN interfaces configured for failover. DNS forwarder is enabled. How do I make DNS forwarder to use DNS servers from the active WAN interface only?
My gateway group consists of Tier 1 WAN with unmetered cable modem and Tier 2 OPT1 with metered wireless dongle.
In General Setup / DNS server settings I do not have any manually configured DNS servers, but have DNS Server Override enabled as I want to use the ISP assigned DNS servers.
Regular traffic from LAN is routed correctly. But when both gateways are online, DNS queries are being forwarded to DNS servers from both ISPs. This causes unnecessary traffic to the Tier 2 backup connection when it should remain idle.
Create floating rule with destination addresses and use Gateway group in it.
Thanks. Do you mean rules with the DNS server IP addresses as the destination?
The DNS servers are ISP assigned through DHCP/PPP. So those IP addresses aren't really known in advance. Static rules would rot on the first change at the ISP.
Or is there a way to reference the assigned DNS servers by a symbolic name in the rules?
Well, ISP rarely change DNS but…
You have two options:
1. Create floating rule with destination any and port 53 - this will force all DNS queries to go through active tier. There is some caveats with this (cant access any DNS through inactive tier), but probably will work fine for you.
2. Create floating rule with destination any and port 53 AND source ''This firewall (self)''. This is best solution (forces only traffic originating from pfsense to go through active tier), but depends on how queries are made.
Start with second variant, if no success - fallback to first.
Thanks pan_2 for your suggestions.
Actually the caveat in option 1 would actually be in line with what I need. My goal is zero traffic on inactive tier.
However, I think there are issues with both options. DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well. These queries would simply be routed through active tier ISP, right?
1. inactive tier ISP DNS would see the queries as coming from outside network, not their own clients: likely denying recursive queries?
2. wireless networks typically use private addresses and NAT: DNS servers provided may not even be routable from outside?
You're probably right that DNS may not change that often, but there is little point using automatically configured DNS in the first place if you have to specify the same addresses elsewhere manually anyway.
DNS forwarding would still use the DNS server addresses provided by the inactive tier ISP as well
Your only option would be to use some public DNS, like Google ones, or PublicDNS. If you need to resolve some entries through ISP servers only, you can add them to unbound overrides.