Unbound iface bind settings in CARP/VIP scenario
Hi all, I have looked around but can't seem to find a definitive answer to this issue or possibly missed something: in an HA setup with a CARP VIP for the outgoing GW iface, to have an automatic failover it would make sense to assign this VIP also among the ones the unbound / dns resolver service listens to in order to have a seamless failover. However this config is replicated to the secondary pfSense and the dns resolver tries to bind to this CARP VIP also and fails to start (duh). My solution was to simply set the 2 physical pfSense IPs as DNSs and not specify any CARP VIP in the dns resolver settings (so listen on LAN and Localhost) and this naturally works - but in the case of a failure of one box, clients would need to time out (yes we're talking only about 3 seconds here) before they would switch to the 2nd DNS / pfSense, which is not "seamless".
Is there any way to tell the failover pfSense box to restart the unbound / dns resolver so that it will successfully bind to the newly available CARP VIP once the failed box has released it? This also impacts pfBlocker as it relies on unbound to work.
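One way to act on the failover from the standby side, as an added example that is not from the original post or from pfSense itself: a POSIX sh watchdog that reads the CARP state for the VIP's vhid from ifconfig output, checks with sockstat whether unbound already listens on the VIP, and only asks for a restart when this node is MASTER and the socket is missing. The interface name, vhid, addresses, sample outputs and the pfSense restart command are all assumptions.

```shell
#!/bin/sh
# CARP-aware unbound watchdog (added example). Run it from cron or a devd hook
# on both nodes; it is a no-op on the BACKUP node and on a MASTER that is
# already bound to the VIP, so it is safe to run repeatedly.

# Constructed ifconfig(8) output for the WAN/GW interface (placeholder addresses).
SAMPLE_IFCONFIG='em0: flags=8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> metric 0 mtu 1500
    inet 192.0.2.11 netmask 0xffffff00 broadcast 192.0.2.255
    inet 192.0.2.1 netmask 0xffffff00 broadcast 192.0.2.255 vhid 1
    carp: BACKUP vhid 1 advbase 1 advskew 100'

# Constructed sockstat(1) output: unbound is bound to the physical address only.
SAMPLE_SOCKSTAT='USER     COMMAND    PID   FD PROTO  LOCAL ADDRESS         FOREIGN ADDRESS
unbound  unbound    1234  3  udp4   192.0.2.11:53         *:*
unbound  unbound    1234  4  tcp4   192.0.2.11:53         *:*'

# carp_state VHID  -- prints MASTER/BACKUP/INIT for that vhid; ifconfig text on stdin.
carp_state() {
    awk -v vhid="$1" '$1 == "carp:" && $3 == "vhid" && $4 == vhid { print $2; exit }'
}

# unbound_listens_on ADDR  -- exit 0 if sockstat text on stdin shows unbound on ADDR:53.
unbound_listens_on() {
    awk -v want="$1:53" '$1 == "unbound" && $6 == want { found = 1 } END { exit !found }'
}

# decide VHID VIP IFCONFIG_TEXT SOCKSTAT_TEXT  -- prints the action to take.
decide() {
    state=$(printf '%s\n' "$3" | carp_state "$1")
    if [ "$state" != "MASTER" ]; then
        echo "skip: not master for vhid $1 (state=${state:-unknown})"
    elif printf '%s\n' "$4" | unbound_listens_on "$2"; then
        echo "ok: unbound already bound to $2"
    else
        echo "restart: master for vhid $1 but unbound not bound to $2"
    fi
}

# Demo on the constructed data (BACKUP node, so nothing is restarted).
decide 1 192.0.2.1 "$SAMPLE_IFCONFIG" "$SAMPLE_SOCKSTAT"

# On a real box (assumption: the pfSense "svc" playback restarts unbound):
#   action=$(decide 1 192.0.2.1 "$(ifconfig em0)" "$(sockstat -4l)")
#   case "$action" in restart:*) /usr/local/sbin/pfSsh.php playback svc restart unbound ;; esac
```

Because the restart is gated on the local CARP state, the replicated listen-interface setting no longer breaks the standby node, and the new master picks up the VIP within one watchdog interval.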