Why is Unbound sending DNSSEC queries over inactive WAN interface?

  • I run 2.4.4-RELEASE-p3 with two WANs (with failover):

    • an unlimited cable connection (cheap "main-WAN" which is up >99% of the time)
    • a MiFi to a local mobile tower ("WAN-via-MiFi" which is expensive) - it is only used when main-WAN is down.

    When I capture packets via "WAN-via-MiFi" gateway (192.168.8.101) I see two types of traffic:

    • the IP monitor traffic to IP=1.1.1.1
    • quite a lot of DNSSEC traffic to IP=9.9.9.9 which is the DNS server for the main-WAN connection specified in the "System/General Setup" (I have DNS "Forwarding mode" enabled):

    Here is a capture:

    13:00:40.687525 IP 192.168.8.101 > 1.1.1.1: ICMP echo request, id 39212, seq 10888, length 8
    13:00:40.708176 IP 1.1.1.1 > 192.168.8.101: ICMP echo reply, id 39212, seq 10888, length 8
    13:00:41.188981 IP 192.168.8.101 > 1.1.1.1: ICMP echo request, id 39212, seq 10889, length 8
    13:00:41.207163 IP 1.1.1.1 > 192.168.8.101: ICMP echo reply, id 39212, seq 10889, length 8
    13:00:41.359524 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
    13:00:41.387279 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 0
    13:00:41.387326 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
    13:00:41.387354 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 311
    13:00:41.420094 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 0
    13:00:41.422391 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 1350
    13:00:41.422438 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
    13:00:41.422847 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 1350
    13:00:41.422875 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
    13:00:41.422878 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 174
    13:00:41.422901 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
    

    What puzzles me is that I see this traffic even though WAN-via-MiFi has a separate DNS server set via "System/General Setup" (and it is NOT 9.9.9.9). Could this be a bug in unbound?

    I would appreciate all ideas about preventing this unnecessary DNSSEC traffic to "9.9.9.9" because I am paying for MiFi connection and there is no reason for it to exist before main-WAN is down (ideally it should only be packets to/from "Monitor IP").

    Thanks in advance!
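A quick way to put numbers on the capture above is to parse the tcpdump text and tally packets and payload bytes per remote endpoint, then flag everything that is not the ICMP gateway monitor. The script below is an added example, not part of the original post or of pfSense/Unbound; it uses the capture lines quoted above as its sample input and takes the local address (192.168.8.101) and monitor IP (1.1.1.1) from the post. It counts only the payload lengths tcpdump prints (ICMP "length" and "tcp N"), so the metered volume on the wire is higher once IP/TCP headers are added.

```python
"""Classify traffic seen on a metered interface from a tcpdump text capture."""
import re
from collections import defaultdict

# Constructed sample input: the tcpdump lines quoted in the post above.
CAPTURE = """\
13:00:40.687525 IP 192.168.8.101 > 1.1.1.1: ICMP echo request, id 39212, seq 10888, length 8
13:00:40.708176 IP 1.1.1.1 > 192.168.8.101: ICMP echo reply, id 39212, seq 10888, length 8
13:00:41.188981 IP 192.168.8.101 > 1.1.1.1: ICMP echo request, id 39212, seq 10889, length 8
13:00:41.207163 IP 1.1.1.1 > 192.168.8.101: ICMP echo reply, id 39212, seq 10889, length 8
13:00:41.359524 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
13:00:41.387279 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 0
13:00:41.387326 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
13:00:41.387354 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 311
13:00:41.420094 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 0
13:00:41.422391 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 1350
13:00:41.422438 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
13:00:41.422847 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 1350
13:00:41.422875 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
13:00:41.422878 IP 9.9.9.9.853 > 192.168.8.101.50727: tcp 174
13:00:41.422901 IP 192.168.8.101.50727 > 9.9.9.9.853: tcp 0
"""

LOCAL_IP = "192.168.8.101"   # MiFi-side address of the firewall (from the post)
MONITOR_IP = "1.1.1.1"       # gateway monitor IP (from the post)

# tcpdump "-n -q" style lines: ICMP echo with payload length, and TCP with payload length.
ICMP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+) > (?P<dst>[\d.]+): "
    r"ICMP echo (?P<kind>request|reply), id \d+, seq \d+, length (?P<len>\d+)$"
)
TCP_RE = re.compile(
    r"^(?P<ts>\S+) IP (?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"tcp (?P<len>\d+)$"
)


def parse_line(line):
    """Return (proto, remote_endpoint, payload_len) for one line, or None if unrecognised."""
    line = line.strip()
    m = ICMP_RE.match(line)
    if m:
        remote = m["dst"] if m["src"] == LOCAL_IP else m["src"]
        return ("icmp", remote, int(m["len"]))
    m = TCP_RE.match(line)
    if m:
        # Keep the far end's address and port; the firewall's ephemeral port is noise.
        if m["src"] == LOCAL_IP:
            remote = f'{m["dst"]}:{m["dport"]}'
        else:
            remote = f'{m["src"]}:{m["sport"]}'
        return ("tcp", remote, int(m["len"]))
    return None


def summarize(capture):
    """Aggregate packet count and payload bytes per (proto, remote endpoint)."""
    totals = defaultdict(lambda: {"packets": 0, "payload_bytes": 0})
    for line in capture.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        proto, remote, length = parsed
        totals[(proto, remote)]["packets"] += 1
        totals[(proto, remote)]["payload_bytes"] += length
    return dict(totals)


def unexpected_endpoints(summary, monitor_ip=MONITOR_IP):
    """Everything except the ICMP gateway monitor is traffic that should not be on the paid link."""
    return sorted(
        (proto, remote) for (proto, remote) in summary
        if not (proto == "icmp" and remote == monitor_ip)
    )


if __name__ == "__main__":
    s = summarize(CAPTURE)
    for key, value in sorted(s.items()):
        print(key, value)
    print("unexpected:", unexpected_endpoints(s))
```

Run it against a longer capture (for example `tcpdump -n -q -i <mifi-if> > mifi.txt`, then read that file into `summarize`) to see how much of the metered volume is the port-853 (DNS over TLS) traffic to 9.9.9.9 versus the monitor pings.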


  • Rebel Alliance Developer Netgate

    Unbound can only follow the default route or server-specific routes in the routing table (if you have forwarders set up). It doesn't know about active or inactive WANs.

    If you are in forwarding mode with multiple servers configured and some using each WAN, then it is normal for unbound to query them all. Again, it doesn't know about active or inactive WANs, it just queries the forwarders and tracks their quality at all times.

    If you are in non-forwarding mode, then you may want to change the option under System > Routing so the default gateway follows your chosen gateway group.
