Bind 9 Recursion - how to route queries over non-default gateway
-
Hi there,
I'm using the pfSense BIND package and, for testing/learning, have it set up as a recursive and caching DNS server on my LAN, and also have it managing my non-public-facing domain for the homelab network. All works great. I have 3 interfaces: WAN, LAN and WG0 (a WireGuard tunnel), which I use as an outbound VPN basically; the other end of the tunnel is a VM hosted in the cloud.
When a client is set up to route over the WireGuard tunnel and I go on the internet and check my external IP, it rightly shows the WireGuard endpoint VM's IP address. Great, and all works fine, no problem there.
However, I'd also like to have BIND (and only BIND) also send recursive queries to the root servers out that gateway.
Currently the client sends the DNS query to the LAN IP of pfSense, and the firewall is sending recursive queries, if needed, out the default WAN, and hence dnsleaktest will show my IP as the DNS server. At least that's what I figure is happening.
Is there an elegant way to identify and separate out BIND traffic only, and select which Interface to use for Recursive queries? I couldn't actually see anything in the BIND docs on configuration that would let me select this either.
Is the only way perhaps to get a list of all the root servers into an Alias and then set up floating rule to catch any of those outbound and send them over the wireguard interface instead?
Or is there a more elegant/less fragile way to do this? Maybe with marking packets?
And yes, I know some will go "Why do you even want to do this?", but for learning purposes, please humor me :)
-
@sebastiaan76 said in Bind 9 Recursion - how to route queries over non-default gateway:
Is the only way perhaps to get a list of all the root servers
This wouldn't work because querying the roots is just the start of the resolution of whatever FQDN you're looking for. It then asks the gTLD servers, and then the authoritative NS for the domain. When you are resolving you might need to talk to any IP on the internet, since you have no idea what IP an authoritative NS for a domain might be at. It could be anything.
To be honest, the best way to make sure BIND queries go out a specific gateway would be to run BIND on some device in your network, and policy route that device's port 53 traffic.
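One way to get the effect the thread is after without a destination list, added here as an example rather than anything either poster configured: give named a fixed source address on the tunnel (BIND's `query-source` option) and policy-route on that source address, so the match works no matter which root, TLD or authoritative server the resolver ends up talking to. The addresses, interface names and the raw pf syntax are assumptions; pfSense would express the same rule as a floating rule (direction out, gateway set to the WireGuard gateway) and the BIND line goes in the package's custom options.

```conf
# --- named.conf, options block (assumed tunnel address 10.99.0.2 on wg0) ---
options {
    recursion yes;
    # Source every outbound recursive query from the tunnel address, so the
    # firewall can pick out named's traffic by source IP regardless of destination.
    query-source address 10.99.0.2;
    # If the tunnel carries no IPv6, start named with its -4 flag so AAAA
    # lookups to v6-only servers cannot fall back to the WAN path.
};

# --- pf rule, as pfSense would generate it from a floating rule ---
# Assumed: WAN is em0; the tunnel peer/gateway is 10.99.0.1 on wg0.
# Match on the *source* address only; destinations can be any IP on the internet.
# Check that WAN outbound NAT does not rewrite 10.99.0.2 before this rule runs.
pass out quick on em0 route-to ( wg0 10.99.0.1 ) inet proto { udp tcp } \
    from 10.99.0.2 to any port 53 keep state
```

To confirm the queries actually take the tunnel, watch port 53 on the cloud VM's WireGuard interface with tcpdump while a LAN client resolves a name that is not yet cached.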