Can you implement DNS Round Robin for local IP's?



  • I have a couple of local Pi-Hole DNS servers on my home network for redundancy in case I take one down for maintenance (add memory, hard drive, etc.). I'm looking for a way to direct DNS requests to servers that are online, so that if one is offline, computers on my home network are unaffected.

    Currently DHCP hands out the addresses of both in hope that if one does not respond, the client is smart enough to try the other DNS server.

    Ideally though, this should be hidden from the client and they should only query online DNS servers.

    It would be great if pfSense could do this, but if I need a 3rd-party solution (open source, of course!) that would be fine, too.

    Edit
    I realized that I didn't provide enough information for anyone to answer my question.

    1. My current DNS for workstation computers and my mobile devices (iPhone, tablets) is
      client -> pihole -> pfsense DNS Server -> Internet DNS

    With pfSense DNS resolving local server names to IP addresses, e.g.
    plex.local for my Plex server
    synology.local for my Synology NAS server
    kvm.local for my KVM server, and so on.

    2. Servers - I don't browse the Internet on my servers, so they only need to find each other and also Yum repositories for updates, so they look like this
      server -> pfsense DNS server -> Internet

    3. Same for home automation devices, game consoles, etc.
      <device> -> pfsense DNS server -> Internet

    I hope that this helps.

    I'm wondering if I can simplify things by having everyone go to pfSense DNS, then have pfSense forward to Pi-hole, and Pi-hole forward to Internet DNS (8.8.8.8 or similar),
    i.e. <all clients> -> pfSense DNS -> pi-hole -> Internet DNS.

    Would that work if one of the pi-hole servers is offline? Other than slowing down DNS response times in some cases, it doesn't seem too bad of a setup.


  • Galactic Empire

    Have you had a look at using a load balancer? I think it would round robin; if not, it would automatically fail over to the other host.

    You might have to monitor on ICMP as you can't use UDP.

    https://doc.pfsense.org/index.php/Inbound_Load_Balancing



  • @nogbadthebad said in Can you implement DNS Round Robin for local IP's?:

    Have you had a look at using a load balancer? I think it would round robin; if not, it would automatically fail over to the other host.

    You might have to monitor on ICMP as you can't use UDP.

    https://doc.pfsense.org/index.php/Inbound_Load_Balancing

    I've looked at it and even created a load balancing group with both Pi-Hole servers in it. But it appears that the requests have to arrive from the WAN interface to be forwarded to the load balancer group. Internal requests were not forwarded, and all of my DNS requests are from the internal / home network.


  • Galactic Empire

    @pfkomrad

    Can you put them on a different internal subnet?

    I had a play with a couple of devices and it did balance then; I just tested with SSH.



  • @nogbadthebad said in Can you implement DNS Round Robin for local IP's?:

    @pfkomrad

    Can you put them on a different internal subnet?

    I had a play with a couple of devices and it did balance then; I just tested with SSH.

    I'll try if I get some time to do it. I'm really behind on some other projects.

    I did try the below setup and DNS requests to my pfSense for the ".local" domain worked, but requests for any other domain failed.

    It went like this:

    1. host -t A www.amd.com => Failed, SERVFAIL error from pfSense Unbound DNS server.
    2. host -t A www.amd.com 192.168.1.8 => success
    3. host -t A www.amd.com 8.8.8.8 => success

    DNS Resolver Settings
    DNS Query Forwarding: Enable Forwarding Mode
    If this option is set, DNS queries will be forwarded to the upstream DNS servers defined under System > General Setup or those obtained via DHCP/PPP on WAN (if DNS Server Override is enabled there).

    General Setup Settings
    DNS Servers - local pfSense server IP address (192.168.1.8)
    DNS Server Override - unchecked - since I want to use local Pi-hole instead of ISP-assigned DNS servers
    Disable DNS Forwarder - unchecked - since I want local DNS entries resolved by pfSense and external entries resolved by Pi-hole

    Pi-hole settings
    forwards to Google 8.8.8.8

    I've since given up and installed pfBlockerNG with the same DNS block lists (DNSBLs) as Pi-hole. I did like Pi-hole's interface and ease of setup better, but I can't get it to work the way I want it to. I'm also in the process of simplifying my network setup for low management overhead, so this is one less server to worry about.



  • @pfkomrad said in Can you implement DNS Round Robin for local IP's?:

    Currently DHCP hands out the addresses of both in hope that if one does not respond, the client is smart enough to try the other DNS server.
    Ideally though, this should be hidden from the client and they should only query online DNS servers.

    ???

    With DHCP, any server that hears the discovery is supposed to respond with an offer. The client then selects one and proceeds with it. This means that a failed server should not cause a problem. Are you seeing offers from both servers? If not, that's where the problem is.


  • Rebel Alliance Global Moderator

    @pfkomrad said in Can you implement DNS Round Robin for local IP's?:

    Ideally though, this should be hidden from the client

    For what possible reason? If you have 2 piholes that resolve the same stuff, then hand them both out to your clients. Any client is going to be smart enough to move to the other listed ns if the first one does not answer.

    If you want your piholes to resolve your dhcp clients names - then forward them to pfsense that is acting as your dhcp server.

    So clients ask pihole; if asking for www.domain.com and it is not blacklisted, it forwards to pfsense, which resolves it or forwards (however you like it to work - resolving is the default pfsense setup). If it's a local domain, then pfsense would respond and pi-hole would hand it back to the client.

    Seems like you're overthinking something that is quite simple. I also don't get the need for registration of dhcp in a home setup to be honest. If there is something you want to be able to resolve - why not just make sure it's always on the same IP either with static and host override or dhcp reservation and let pfsense register the registration.

    Clients can list as many ns as you want. The only thing you need to be sure of is any and all of the listed ns for the client need to resolve the same stuff. You can point a client to say pihole and google and then wonder why sometimes a fqdn is blocked and sometimes it's resolved. You can never be sure what ns a client will query when you list more than 1, doesn't matter what order you hand them to the client. ALL ns listed on a client need to be able to resolve the same stuff, or block the same stuff, etc. Pointing a client to 1 ns that can resolve local, and another that can not is asking for failure.
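As an added example (not code from this thread, pfSense or Pi-hole), a small Python stub resolver that shows the two behaviours discussed above: it tries each listed nameserver in order and moves on when one times out, as the moderator describes, and it reports the RCODE of any reply that does arrive, so a SERVFAIL like the one seen in the `host -t A www.amd.com` test earlier shows up as a misconfigured server rather than an offline one. It also discards replies whose transaction ID does not match the query. The addresses in `NAMESERVERS` are constructed placeholders, not the poster's Pi-holes.

```python
import socket, struct

NAMESERVERS = ["192.168.1.2", "192.168.1.3"]  # constructed placeholders, not the thread's Pi-holes
RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

def build_query(name, txid=0x1234):
    """Minimal DNS query: one A/IN question, recursion desired."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):
    """Advance past a name written as labels or as a 2-byte compression pointer."""
    while data[pos] != 0:
        if data[pos] & 0xC0 == 0xC0:
            return pos + 2
        pos += data[pos] + 1
    return pos + 1

def parse_response(data, txid=0x1234):
    """Return (rcode name, A-record addresses); reject replies that do not match our txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a response to our query")
    pos, addrs = 12, []
    for _ in range(qd):
        pos = _skip_name(data, pos) + 4  # skip QTYPE and QCLASS
    for _ in range(an):
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack_from("!HHIH", data, pos)
        if rtype == 1 and rdlen == 4:
            addrs.append(".".join(str(b) for b in data[pos + 10:pos + 14]))
        pos += 10 + rdlen
    return RCODES.get(flags & 0xF, str(flags & 0xF)), addrs

def resolve_with_fallback(name, servers=NAMESERVERS, timeout=2.0):
    """Like a stub resolver: stop at the first server that answers NOERROR, skip ones that time out."""
    results = []
    for server in servers:
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            try:
                s.sendto(build_query(name), (server, 53))
                rcode, addrs = parse_response(s.recvfrom(512)[0])
            except socket.timeout:
                rcode, addrs = "TIMEOUT", []  # offline server: move on to the next one
        results.append((server, rcode, addrs))  # a SERVFAIL is kept: that server is up but misconfigured
        if rcode == "NOERROR":
            break
    return results
```

Running `resolve_with_fallback("www.amd.com")` against real servers returns one tuple per server tried, so a list ending in `TIMEOUT` for the first entry and `NOERROR` for the second is exactly the client-side fallback the thread relies on.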