Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Custom resolv.conf Options

    Scheduled Pinned Locked Moved DHCP and DNS
    5 Posts 2 Posters 700 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • T
      TheNarc
      last edited by

      I run unbound in forwarding mode for DNS over TLS, and maintain two VPN client connections over which DNS traffic is routed. So I have four DNS servers configured in System > General Setup, with two of those servers set to use the first tunnel and the other two set to use the second. I've noticed, though, that when one of the tunnels goes down, DNS seems to go down as well. With the realization that I may be barking up entirely the wrong tree, I found the following potentially interesting information on calomel.org:
      lhttps://calomel.org/unbound_dns.html
      0_1539197891263_2018-10-10 14_57_47-Window.png

      However, I'm not aware of any easy way to add custom options to resolv.conf (i.e. nothing like loader.conf.local). Using the shellcmd package, though, seems to achieve the desired effect via the following rule:
      0_1539198011135_2018-10-10 14_59_53-Window.png

      At least, that achieves the desired modification to resolv.conf following a filter reload. So mostly I'm wondering:

      • Is this method of adding custom options to resolv.conf dumb and/or stupid and/or dangerous?
      • Is changing the specific options that I'm changing also any of the above adjectives and/or pointless?
      1 Reply Last reply Reply Quote 0
      • jimpJ
        jimp Rebel Alliance Developer Netgate
        last edited by

        The firewall itself should be hitting Unbound for DNS, so you should have 127.0.0.1 as the first nameserver line, which should render the other lines and options moot.

        When using forwarding mode, Unbound tracks the quality and reachability of the servers you list independently and uses whichever one it thinks it can get a response from the fastest.

        Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

        Need help fast? Netgate Global Support!

        Do not Chat/PM for help!

        1 Reply Last reply Reply Quote 1
        • T
          TheNarc
          last edited by

          Thanks Jim, that makes sense. If I may tack on one additional related question . . . any idea why I might regularly be seeing terrible ping times on the DNS servers I list in "Status > DNS Resolver"? I'll often see ping times > 1s that I can't corroborate by pinging manually. As an example, just now the status showed as:
          0_1539267724695_2018-10-11 10_21_36-Window.png

          But for all three servers showing ping times of over a second, manual pings - even when run for a few minutes - never got over ~90ms (and averaged < 30ms). Those manual pings were also run through my VPN client tunnels, to rule out extra latency induced by them.

          Thanks again.

          1 Reply Last reply Reply Quote 0
          • jimpJ
            jimp Rebel Alliance Developer Netgate
            last edited by

            IIRC the pings it's talking about are not ICMP but in the DNS protocol itself. It may be slower to respond to a TCP TLS request than an ICMP echo.

            Remember: Upvote with the ๐Ÿ‘ button for any user/post you find to be helpful, informative, or deserving of recognition!

            Need help fast? Netgate Global Support!

            Do not Chat/PM for help!

            1 Reply Last reply Reply Quote 1
            • T
              TheNarc
              last edited by

              Ah okay, that would explain it, thanks!

              1 Reply Last reply Reply Quote 0
              • First post
                Last post
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.