Navigation

    Netgate Discussion Forum
    • Register
    • Login
    • Search
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search

    Gateway failover and gateway's DNS

    Routing and Multi WAN
    2
    3
    228
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • H
      hb last edited by hb

      Hi,

      Latest pfSense (2.4.3-RELEASE-p1 (amd64)), multi WAN, default gateway switching on.

      DNS Resolver: DNS Query Forwarding active, DNSSEC active, Harden DNSSEC Data active. (And I must admit I haven't verified my DNSes below can use that, as I have no direct idea how to do that.)

      DNS Forwarder: not enabled.

      General settings/DNS Server Settings:
      8.8.8.8 none
      8.8.4.4 WAN1
      208.67.222.222 WAN2
      208.67.222.220 WAN3 (corrected from first post)

      Whenever one of the WANs goes down, (test case: WAN3) I find that I MUST remove the corresponding line in the DNS Server Settings in General settings, or otherwise many web requests hang or timeout.

      When one enables "Allow DNS server list to be overridden by DHCP/PPP on WAN", things get even more weird: suddenly most DNS queries return the IP address of the fake DNS entry that the WAN modem has hard coded (French provider 'Free" "freebox-server"->212.27.38.252), which makes loads of sites suddenly point to that IP address, which of course is not correct. Only a reboot of pfSense solved this, restarting services does not seem to help.

      It looks like gateway ejection (manual or automatic) does NOT disable the resolving through the DNS that is linked to that gateway, nor its routing. As a consequence, one must either

      • manually remove the DNS entry,
        OR
      • only use public DNSes, and add a floating 'out' rule FW to any port 53, to your favorite GW group.

      Only the last method allows ignoring of the routing that the General settings/DNS Server Settings imply, and keep the installation working properly. But why is this needed? Can't pfSense by itself kick out the DNS line, just like it apparently does to the routing for everything but the DNS?

      Am I doing something wrong? If not, can this behaviour be changed somehow?

      1 Reply Last reply Reply Quote 0
      • Derelict
        Derelict LAYER 8 Netgate last edited by

        @hb said in Gateway failover and gateway's DNS:

        8.8.8.8 none
        8.8.4.4 WAN1
        208.67.222.222 WAN2
        208.67.222.222 WAN3

        You cannot put the same DNS servers on multiple WANs like that. Is that just a typo for 208.67.222.222?

        And, no. OpenDNS and google do not support DNSSEC at least the last time I looked. Disable DNSSEC when forwarding to those.

        Chattanooga, Tennessee, USA
        The pfSense Book is free of charge!
        DO NOT set a source port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

        H 1 Reply Last reply Reply Quote 0
        • H
          hb @Derelict last edited by hb

          @derelict
          Yeah that was a typo.

          After some digging,

          https://developers.google.com/speed/public-dns/faq :
          "Google Public DNS is a validating, security-aware resolver. All responses from DNSSEC signed zones are validated unless clients explicitly set the CD flag in DNS requests to disable the validation."

          OpenDNS does not indeed. So I moved to some of the verisign servers that do (according to https://wiki.ipfire.org/dns/public-servers).

          So far no issues.

          1 Reply Last reply Reply Quote 0
          • First post
            Last post

          Products

          • Platform Overview
          • TNSR
          • pfSense
          • Appliances

          Services

          • Training
          • Professional Services

          Support

          • Subscription Plans
          • Contact Support
          • Product Lifecycle
          • Documentation

          News

          • Media Coverage
          • Press
          • Events

          Resources

          • Blog
          • FAQ
          • Find a Partner
          • Resource Library
          • Security Information

          Company

          • About Us
          • Careers
          • Partners
          • Contact Us
          • Legal
          Our Mission

          We provide leading-edge network security at a fair price - regardless of organizational size or network sophistication. We believe that an open-source security model offers disruptive pricing along with the agility required to quickly address emerging threats.

          Subscribe to our Newsletter

          Product information, software announcements, and special offers. See our newsletter archive to sign up for future newsletters and to read past announcements.

          © 2021 Rubicon Communications, LLC | Privacy Policy