Issue trying to run another dns resolver on a virtual ip



  • Hello everyone
    I have a encountered a strange issue trying to run another dns resolver on Pfsense using a virtual IP, it would be greatly appreciate if someone can share some insight on the issue, or propose a better solution, thanks.
    So I’m running the latest Pfsense version (at the time v2.4.4-RELEASE-p2) and I’ve installed dnscrypt-proxy to use as dns resolver. I know that dnscrypt-proxy is not a Pfsense package (I’ve installed and configed it using the console), but it runs just fine and I don’t think it’s causing any issues. I configure dnscrypt to listen on a virtual local address 10.0.0.2:53, and I added a virtual ip alias on the lan interface as 10.0.0.2/24 for dnscrypt because I can’t specify a different port number in Pfsense other than the default 53 for dns forwarding. My idea was to use dnsmasq or unbound to forward to dnscrypt. Both dnsmasq and unbound work in this configuration, but when the system reboots for some reason dnscrypt doesn’t start if dnsmasq or unbound are enabled and configured to run on the default port 53, when I check the dnscrypt logs I can see a bind error: address already in use, but If I configure dnsmasq or unbound to start on a different port (ex. 5355) and change it after boot up to the default, everything works as expected. So can anyone please tell me why can’t dnscrypt start properly listening on a virtual ip 10.0.0.2:53 and for example dnsmasq at the same time on 10.0.0.1:53.


  • Netgate Administrator

    By default Unbound and DNSMasq will listen on port 53 on all interfaces/IP. But you can select interfaces to have it listen on and exclude the VIP you created.

    Steve



  • @stephenw10 thank you, that was actually very helpful. Initially I've enabled the DNS Forwarder, but I selected the VIP in interfaces and checked Strict Binding. Now when I rethinked I chose LAN from interfaces with Strict Binding enabled and it works after reboot I can verify using dig that everything works as expected.


Log in to reply