DNS Forwarder (dnsmasq) not obeying Gateway Offline
-
Hello
I hope I am asking this in the correct place. Please let me know if not. I have pfSense 2.51, multi-homed to a Comcast router and an ATT router and set via a Gateway Group.
I have in General, Setup, 2 DNS servers entered for "DNS Server Settings". One using ATT Gateway and one using Comcast Gateway. For whatever reason it does not allow me to assign them to the Gateway group. Only physical interfaces.
For the magical reasoning of ATT, when the ATT router cannot connect to ATT, it replies and re-routes everything to 192.168.1.254, even DNS requests. So when it goes down, even though the gateway group knows it is down (Offline/Packetloss), dnsmasq still queries it for an IP and passes on that everything now lives at 192.168.1.254.
Is there anything I can set to have dnsmasq not try to access a gateway that is Offline/Packetloss?
This seems almost like a bug, or perhaps just a lack of integration? Since so far Comcast does not hijack my requests (yet), my only workaround seems to be to have ATT last in line and set to query servers in order. Which doesn't seem a great long-term solution.
Thanks!
-
@nicole4pt
Is there any reason for forcing the DNS servers to a specific gateway?
That only makes sense if you use the ISP's DNS servers, which are only accessible from inside its network.
-
@viragomann Not sure I follow you.
System/General Setup.
"Gateway
Optionally select the gateway for each DNS server. When using multiple WAN connections there should be at least one unique DNS server per gateway."
There is a "None" but I am not sure what that does at the moment. This is what they require and is what is used by dnsmasq/forwarder.
I am hopeful there may be System Tunables or Custom Options that could be set in the DNS forwarder.
If we ran our own separate DNS forwarder server locally, it would then follow a down gateway. Just seems sad to have to run yet another machine that would be non-redundant to solve such a thing. :(
-
https://docs.netgate.com/pfsense/en/latest/multiwan/interfaces-and-dns.html#multiwan-dns-servers-and-static-routes
"When using the DNS Resolver in forwarding mode or the DNS Forwarder, the firewall uses its routing table to reach the configured DNS servers. This means without any static routes configured, it will only use the WAN with the default gateway to reach DNS servers."
"Gateways must be selected for each DNS server defined on the firewall. This forces the firewall to use a specific WAN interface to reach a given DNS server. At least one gateway from each WAN should be selected where possible."
I have one DNS server per WAN, but even though Comcast was set as default WAN, it was/is always using my ATT WAN for DNS lookups (perhaps) because it was the first entry in "DNS Server Settings".
I had not set to use DNS servers sequentially. "Note - DNS servers obtained from a dynamic WAN are automatically routed back out the appropriate dynamic WAN."
Does this mean setting to None for each DNS server will route based on the dynamic WAN routing?
(We have our own outside DNS servers so allowing for each route's IP is fine.) If so, this may be good to add to the documentation?
-
@nicole4pt
When setting the gateway option for a DNS server to None, pfSense uses the current default route to access the DNS server. With a gateway stated, it adds a route for the DNS IP to use the specific gateway. But the route persists even if the gateway is down. It's also possible to state a failover group, but I think that makes no sense for you.
-
@viragomann
Ah Ha! Thank you!
I haven't seen anything that defined what "None" meant. The wording made it seem very much like you had to choose one or the other WAN connection for each. I will give this a try!
-
@viragomann
Been very busy with other things. Sadly, actually, it does not work using none.
At least for me. Maybe it's because I have a VPN, but when set to None, it does not seem able to perform DNS lookups at all, either from requests or at the CLI. So... I will just have to hope setting to do DNS lookups in order and selecting Comcast as the first option works.
-
@nicole4pt
So possibly your default gateway is the VPN. You said above you cannot state a gateway group for the DNS servers?
That should work, however.
Anything special with your gateway group? You can also try to create a new one, especially for this purpose. Just a failover group with both upstream gateways.
Then you should state this gateway group for both DNS servers in General Setup.
-
@viragomann
My gateway group was created at midnight under a full moon? :) There is nothing I know of that could make it be special.
System/Routing/Gateway Groups
Wan0 Tier2
VPN Never
Wan2 Tier1
Default gateway IPv4 = GatewayGroup1
Under General Setup it's interesting it says "Optionally":
"Optionally select the gateway for each DNS server.
When using multiple WAN connections there should be at least one unique DNS server per gateway."
It punches a hole in my VPN routing of many IP ranges, since my DNS servers exist in the IP segments I need to access using my VPN, and forcing each DNS server to use that gateway does this:
netstat -r
default = IP of the tier1 gateway
ns1.myowndnsserver.com IP of chosen gateway.
ns2.myowndnserver.com IP of chosen gateway
My VPN I can choose the gateway group as its operating endpoint. But also it will stay on whichever WAN is working. If it's on one that is removed for latency, it will switch WANs and stay there until that WAN has latency issues, even when the other tier 1 WAN comes back. It does not just jump back or attach to, say, a group non-routable IP that points to whatever WAN is best at the moment.
(Which is another flaw, as unless you log into the shell you have no idea which WAN your VPN may be using. I can get not auto-switching, as that would drop the connection and have to re-establish, which sucks for things like ssh.) So yes, it is very annoying that DNS servers are being tied to a particular route so that if that route goes down, that DNS server will not respond. I have not seen any other setups, so as far as I know this is a flaw.
I mean it says "When using multiple WAN connections there should be at least one unique DNS server per gateway." So it seems like my not having this choice is by design.
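The behaviour described in this thread (a host route pinned to the chosen gateway that persists after the gateway is marked down, versus the default route when the gateway is set to None) is easy to audit from the shell. The following is an added example, not code from the thread or from pfSense itself: it parses the kind of routing table shown above (a constructed `netstat -rn` sample with documentation addresses) together with a constructed gateway-status map, and reports which DNS servers are currently pinned to a gateway that is not online. The addresses, gateway names and states are assumptions for illustration; on a real firewall the route table comes from `netstat -rn` and the gateway states from Status > Gateways.

```python
# Constructed sample of `netstat -rn` output, modelled on the routes the thread
# describes: a default route via the Tier 1 gateway plus one host route per DNS
# server pinned to a specific WAN gateway (RFC 5737 documentation addresses).
NETSTAT_RN = """\
Routing tables

Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS         em0
127.0.0.1          link#3             UH          lo0
192.0.2.53         198.51.100.1       UGHS        em1
192.0.2.54         203.0.113.1        UGHS        em0
192.168.1.0/24     link#2             U           em2
"""

# Constructed gateway status, in the shape of the pfSense Status > Gateways
# page (assumption: names and states are illustrative only).
GATEWAY_STATUS = {
    "203.0.113.1": ("WAN_COMCAST", "online"),
    "198.51.100.1": ("WAN_ATT", "loss"),  # Offline/Packetloss as seen by dpinger
}

# The two DNS servers from System > General Setup (constructed values).
DNS_SERVERS = ["192.0.2.53", "192.0.2.54"]


def parse_routes(text):
    """Return {destination: gateway} for the IPv4 section of `netstat -rn`."""
    routes = {}
    for line in text.splitlines():
        parts = line.split()
        # Skip blank lines, section titles and the column header.
        if len(parts) < 3 or parts[0] in ("Destination", "Routing", "Internet:"):
            continue
        dest, gw = parts[0], parts[1]
        routes[dest] = gw
    return routes


def route_for(routes, ip):
    """A host route for the DNS IP (what pfSense adds when a gateway is chosen)
    takes precedence; otherwise the default route applies, as with Gateway = None."""
    if ip in routes:
        return routes[ip], "host route"
    return routes.get("default"), "default route"


def dns_reachability(routes, dns_servers, gateway_status):
    """For each DNS server, return (gateway, how it was selected, gateway is online)."""
    report = {}
    for ip in dns_servers:
        gw, via = route_for(routes, ip)
        _name, state = gateway_status.get(gw, ("unknown", "unknown"))
        report[ip] = (gw, via, state == "online")
    return report


def unreachable_dns(routes, dns_servers, gateway_status):
    """DNS servers whose pinned or default gateway is not currently online."""
    report = dns_reachability(routes, dns_servers, gateway_status)
    return sorted(ip for ip, (_gw, _via, ok) in report.items() if not ok)


if __name__ == "__main__":
    routes = parse_routes(NETSTAT_RN)
    for ip, (gw, via, ok) in dns_reachability(routes, DNS_SERVERS, GATEWAY_STATUS).items():
        name = GATEWAY_STATUS.get(gw, ("unknown",))[0]
        print(f"{ip}: via {gw} ({name}, {via}) -> {'OK' if ok else 'GATEWAY DOWN'}")
    print("unreachable:", unreachable_dns(routes, DNS_SERVERS, GATEWAY_STATUS))
```

With the sample above, 192.0.2.53 is still routed to the ATT gateway by its host route even though that gateway is in a loss state, which is exactly the case the forwarder cannot detect on its own; 192.0.2.54 stays reachable via the online Comcast gateway. Any address without a host route falls through to the default route, which is the situation the thread describes when the gateway is set to None and the default happens to be the VPN.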