Netgate Discussion Forum

    Gateway failover and gateway's DNS

Routing and Multi WAN
    3 Posts 2 Posters 697 Views
hb:

      Hi,

      Latest pfSense (2.4.3-RELEASE-p1 (amd64)), multi WAN, default gateway switching on.

      DNS Resolver: DNS Query Forwarding active, DNSSEC active, Harden DNSSEC Data active. (And I must admit I haven't verified my DNSes below can use that, as I have no direct idea how to do that.)

      DNS Forwarder: not enabled.

      General settings/DNS Server Settings:
      8.8.8.8 none
      8.8.4.4 WAN1
      208.67.222.222 WAN2
      208.67.222.220 WAN3 (corrected from first post)

Whenever one of the WANs goes down (test case: WAN3), I find that I MUST remove the corresponding line in the DNS Server Settings in General settings, or otherwise many web requests hang or time out.

When one enables "Allow DNS server list to be overridden by DHCP/PPP on WAN", things get even weirder: suddenly most DNS queries return the IP address of the fake DNS entry that the WAN modem has hard-coded (French provider 'Free', "freebox-server" -> 212.27.38.252), which makes loads of sites suddenly point to that IP address, which of course is not correct. Only a reboot of pfSense solved this; restarting services does not seem to help.

      It looks like gateway ejection (manual or automatic) does NOT disable the resolving through the DNS that is linked to that gateway, nor its routing. As a consequence, one must either

      • manually remove the DNS entry,
        OR
• only use public DNSes, and add a floating 'out' firewall rule for any traffic to port 53, sent to your favorite GW group.

      Only the last method allows ignoring of the routing that the General settings/DNS Server Settings imply, and keep the installation working properly. But why is this needed? Can't pfSense by itself kick out the DNS line, just like it apparently does to the routing for everything but the DNS?

      Am I doing something wrong? If not, can this behaviour be changed somehow?

Derelict (Netgate):

        @hb said in Gateway failover and gateway's DNS:

        8.8.8.8 none
        8.8.4.4 WAN1
        208.67.222.222 WAN2
        208.67.222.222 WAN3

You cannot put the same DNS servers on multiple WANs like that. Is that just a typo for 208.67.222.220?

And, no. OpenDNS and Google do not support DNSSEC, at least the last time I looked. Disable DNSSEC when forwarding to those.

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

hb @Derelict:

          @derelict
          Yeah that was a typo.

          After some digging,

          https://developers.google.com/speed/public-dns/faq :
          "Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation."

OpenDNS indeed does not. So I moved to some of the Verisign servers that do (according to https://wiki.ipfire.org/dns/public-servers).

          So far no issues.

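hb's first post admits he had no way to check whether his forwarders "can use" DNSSEC, and the exchange with Derelict about Google and OpenDNS turns on exactly that question. The following is an added example (not code from the thread or from pfSense) of the check a practitioner would run from the pfSense shell or any client: query a forwarder with `dig +dnssec` for a normally signed name and for a name whose signatures are known to be broken, then read the response header. A resolver that validates answers the first with the `ad` (authenticated data) flag set and refuses the second with SERVFAIL; a non-validating resolver sets no `ad` and happily returns the bogus answer. The two `dig` transcripts embedded below are constructed to show both outcomes and are parsed offline; `broken-signature.example` is a placeholder for a deliberately mis-signed test zone (a real one is dnssec-failed.org, if it is still served when you read this). The resolver IP 8.8.8.8 is the one from the thread.

```python
"""Decide whether an upstream DNS forwarder validates DNSSEC by reading dig output.

Two probes are needed:
  1. a name in a correctly signed zone  -> a validator answers NOERROR with the
     'ad' flag set in the response header;
  2. a name in a zone with broken signatures -> a validator answers SERVFAIL,
     a non-validating resolver returns the (bogus) answer with NOERROR.
"""
import re
import subprocess
from dataclasses import dataclass

# Lines dig prints for every response; only these two are needed here.
HEADER_RE = re.compile(r";; ->>HEADER<<- opcode: (\w+), status: (\w+), id: \d+")
FLAGS_RE = re.compile(r";; flags: ([a-z ]*);")


@dataclass(frozen=True)
class DigResult:
    status: str            # RCODE as dig prints it: NOERROR, SERVFAIL, NXDOMAIN, ...
    flags: frozenset       # header flags, e.g. {"qr", "rd", "ra", "ad"}


def parse_dig(output: str) -> DigResult:
    """Extract status and flags from the text `dig` writes to stdout."""
    header = HEADER_RE.search(output)
    flags = FLAGS_RE.search(output)
    if not header or not flags:
        raise ValueError("input does not look like a dig response")
    return DigResult(header.group(2), frozenset(flags.group(1).split()))


def validates_dnssec(signed_ok: DigResult, signed_broken: DigResult) -> bool:
    """True only when the resolver behaves like a validator on both probes."""
    return (signed_ok.status == "NOERROR" and "ad" in signed_ok.flags
            and signed_broken.status == "SERVFAIL")


def dig(server: str, name: str) -> DigResult:
    """Run a real probe (needs network and the `dig` binary): dig @server name A +dnssec.
    +dnssec sets the DO bit so the resolver returns RRSIGs and may set 'ad'."""
    proc = subprocess.run(["dig", f"@{server}", name, "A", "+dnssec"],
                          capture_output=True, text=True, check=False)
    return parse_dig(proc.stdout)


# --- constructed sample transcripts (not captured from a live resolver) -----------
VALIDATING_OK = """
; <<>> DiG 9.16.1 <<>> @8.8.8.8 example.com A +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 41234
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
"""
VALIDATING_BROKEN = """
; <<>> DiG 9.16.1 <<>> @8.8.8.8 broken-signature.example A +dnssec
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 41235
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
"""
# A forwarder that does not validate: no 'ad' on the good name, and the broken
# zone is answered as if nothing were wrong.
PLAIN_OK = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5121
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""
PLAIN_BROKEN = """
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5122
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
"""


def classify_samples() -> dict:
    """Apply the check to both constructed resolvers; used by the stand-alone run."""
    return {
        "validating": validates_dnssec(parse_dig(VALIDATING_OK), parse_dig(VALIDATING_BROKEN)),
        "plain": validates_dnssec(parse_dig(PLAIN_OK), parse_dig(PLAIN_BROKEN)),
    }


if __name__ == "__main__":
    for name, ok in classify_samples().items():
        print(f"{name}: {'validates DNSSEC' if ok else 'does NOT validate'}")
    # Live probe, uncomment on a host with dig and network access:
    # print(validates_dnssec(dig("8.8.8.8", "example.com"), dig("8.8.8.8", "dnssec-failed.org")))
```

Two caveats when reading the result. The `ad` flag is only meaningful if the query set the DO or AD bit (`+dnssec` does), so a missing `ad` on a plain `dig` proves nothing. And this tests the forwarder's own validation; pfSense's unbound in forwarding mode still validates on its own, so what it actually needs from the upstream is that RRSIGs are passed through unmodified, which the same `+dnssec` probe shows in the answer section.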
          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.