Gateway failover and gateway's DNS



  • Hi,

    Latest pfSense (2.4.3-RELEASE-p1 (amd64)), multi WAN, default gateway switching on.

    DNS Resolver: DNS Query Forwarding active, DNSSEC active, Harden DNSSEC Data active. (And I must admit I haven't verified my DNSes below can use that, as I have no direct idea how to do that.)

    DNS Forwarder: not enabled.

    General settings/DNS Server Settings:
    8.8.8.8 none
    8.8.4.4 WAN1
    208.67.222.222 WAN2
    208.67.222.220 WAN3 (corrected from first post)

    Whenever one of the WANs goes down, (test case: WAN3) I find that I MUST remove the corresponding line in the DNS Server Settings in General settings, or otherwise many web requests hang or timeout.

    When one enables "Allow DNS server list to be overridden by DHCP/PPP on WAN", things get even more weird: suddenly most DNS queries return the IP address of the fake DNS entry that the WAN modem has hard coded (French provider 'Free" "freebox-server"->212.27.38.252), which makes loads of sites suddenly point to that IP address, which of course is not correct. Only a reboot of pfSense solved this, restarting services does not seem to help.

    It looks like gateway ejection (manual or automatic) does NOT disable the resolving through the DNS that is linked to that gateway, nor its routing. As a consequence, one must either

    • manually remove the DNS entry,
      OR
    • only use public DNSes, and add a floating 'out' rule FW to any port 53, to your favorite GW group.

    Only the last method allows ignoring of the routing that the General settings/DNS Server Settings imply, and keep the installation working properly. But why is this needed? Can't pfSense by itself kick out the DNS line, just like it apparently does to the routing for everything but the DNS?

    Am I doing something wrong? If not, can this behaviour be changed somehow?


  • Netgate

    @hb said in Gateway failover and gateway's DNS:

    8.8.8.8 none
    8.8.4.4 WAN1
    208.67.222.222 WAN2
    208.67.222.222 WAN3

    You cannot put the same DNS servers on multiple WANs like that. Is that just a typo for 208.67.222.222?

    And, no. OpenDNS and google do not support DNSSEC at least the last time I looked. Disable DNSSEC when forwarding to those.



  • @derelict
    Yeah that was a typo.

    After some digging,

    https://developers.google.com/speed/public-dns/faq :
    "Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation."

    OpenDNS does not indeed. So I moved to some of the verisign servers that do (according to https://wiki.ipfire.org/dns/public-servers).

    So far no issues.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy