Netgate Discussion Forum

Custom resolv.conf Options

Category: DHCP and DNS
5 Posts 2 Posters 610 Views
    TheNarc, last edited Oct 10, 2018, 7:03 PM

    I run unbound in forwarding mode for DNS over TLS, and maintain two VPN client connections over which DNS traffic is routed. So I have four DNS servers configured in System > General Setup, with two of those servers set to use the first tunnel and the other two set to use the second. I've noticed, though, that when one of the tunnels goes down, DNS seems to go down as well. With the realization that I may be barking up entirely the wrong tree, I found the following potentially interesting information on calomel.org:
    https://calomel.org/unbound_dns.html
    [screenshot: 2018-10-10 14_57_47-Window.png]

    However, I'm not aware of any easy way to add custom options to resolv.conf (i.e. nothing like loader.conf.local). Using the shellcmd package, though, seems to achieve the desired effect via the following rule:
    [screenshot: 2018-10-10 14_59_53-Window.png]

    At least, that achieves the desired modification to resolv.conf following a filter reload. So mostly I'm wondering:

    • Is this method of adding custom options to resolv.conf dumb and/or stupid and/or dangerous?
    • Is changing the specific options that I'm changing also any of the above adjectives and/or pointless?
      jimp (Rebel Alliance Developer, Netgate), last edited Oct 11, 2018, 1:01 PM

      The firewall itself should be hitting Unbound for DNS, so you should have 127.0.0.1 as the first nameserver line, which should render the other lines and options moot.

      When using forwarding mode, Unbound tracks the quality and reachability of the servers you list independently and uses whichever one it thinks it can get a response from the fastest.

      Remember: Upvote with the 👍 button for any user/post you find to be helpful, informative, or deserving of recognition!

      Need help fast? Netgate Global Support!

      Do not Chat/PM for help!

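The check jimp's advice implies, as an added example that is not part of the forum thread or of pfSense: a small POSIX sh script that parses a resolv.conf, reports the first nameserver line and whether it points at the local Unbound (127.0.0.1 or ::1), and extracts any `options` line. The resolv.conf content below is constructed for illustration; on a real firewall you would point the functions at /etc/resolv.conf.

```shell
#!/bin/sh
# Added example (not from the forum thread or pfSense): verify that a
# resolv.conf sends the host's own lookups to the local resolver first.
# SAMPLE_RESOLV_CONF is a constructed file, not a real pfSense resolv.conf.

SAMPLE_RESOLV_CONF='# Generated by resolvconf
search example.lan
nameserver 127.0.0.1
nameserver 1.1.1.1
nameserver 9.9.9.9
options edns0 timeout:1 attempts:2'

# first_nameserver FILE -> prints the address on the first "nameserver" line
# (comment and blank lines never match because $1 is the first token).
first_nameserver() {
    awk '$1 == "nameserver" { print $2; exit }' "$1"
}

# resolv_options FILE -> prints the tokens of the last "options" line, or an
# empty line when the file has no options line.
resolv_options() {
    awk '$1 == "options" { $1 = ""; sub(/^ /, ""); last = $0 } END { print last }' "$1"
}

# local_resolver_first FILE -> exit 0 when the first nameserver is loopback.
local_resolver_first() {
    case "$(first_nameserver "$1")" in
        127.0.0.1|::1) return 0 ;;
        *) return 1 ;;
    esac
}

# check_resolv_conf FILE -> prints a verdict; exit status mirrors local_resolver_first.
check_resolv_conf() {
    f="$1"
    if local_resolver_first "$f"; then
        echo "OK: first nameserver is $(first_nameserver "$f"); host lookups go to the local Unbound"
        echo "    options line: $(resolv_options "$f")"
        return 0
    fi
    echo "WARN: first nameserver is $(first_nameserver "$f"); the firewall itself bypasses the local Unbound"
    return 1
}

# Stand-alone run against the constructed sample.
tmp=$(mktemp)
printf '%s\n' "$SAMPLE_RESOLV_CONF" > "$tmp"
check_resolv_conf "$tmp"
rm -f "$tmp"
```

Run `check_resolv_conf /etc/resolv.conf` on the firewall to see which nameserver its own lookups hit; when loopback is first, the resolv.conf `options` values only matter for the fallback servers that the libc resolver tries after 127.0.0.1 fails to answer.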
        TheNarc, last edited Oct 11, 2018, 2:27 PM

        Thanks Jim, that makes sense. If I may tack on one additional related question . . . any idea why I might regularly be seeing terrible ping times on the DNS servers I list in "Status > DNS Resolver"? I'll often see ping times > 1s that I can't corroborate by pinging manually. As an example, just now the status showed as:
        [screenshot: 2018-10-11 10_21_36-Window.png]

        But for all three servers showing ping times of over a second, manual pings - even when run for a few minutes - never got over ~90ms (and averaged < 30ms). Those manual pings were also run through my VPN client tunnels, to rule out extra latency induced by them.

        Thanks again.

          jimp (Rebel Alliance Developer, Netgate), last edited Oct 11, 2018, 2:57 PM

          IIRC the pings it's talking about are not ICMP but in the DNS protocol itself. It may be slower to respond to a TCP TLS request than an ICMP echo.


            TheNarc, last edited Oct 11, 2018, 3:38 PM

            Ah okay, that would explain it, thanks!

            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.