Netgate Discussion Forum

    unbound fails to switch to other forwarder DNS if one fails?

    4 Posts 2 Posters 467 Views
    • vsatmydynipnet

      At home I have the following setup:

      • 2 pfSense in HA setup with CARP IP on WAN and LAN
      • in General Setup, the 2 IPs and hostnames of 2 of my servers running in other countries, both offering DoT
      • in General Setup: use 127.0.0.1, ignore remote DNS servers
      • unbound resolver running in forward mode, Use SSL/TLS checked
      • behind 2 pihole DNS servers operating as DNS for the LAN

      This works pretty nicely, having DNS traffic from the LAN encrypted to the external DNS servers in the other countries, making it impossible for the provider or others here to tcpdump the DNS requests. Sure, from the external ones it goes out unencrypted.

      I already had that one time months ago, but this night I again had one of the 2 externals unreachable, and as a follow-up the LAN was not able to resolve anything. unbound was not switching to the other, still working, external DNS server. I needed to remove forwarding mode to make things work again.

      Is there a known problem or can I have a misconfiguration?

      Thank you for any hint.

      • johnpoz (LAYER 8 Global Moderator) @vsatmydynipnet

        @vsatmydynipnet said in unbound fails to switch to other forwarder DNS if one fails?:

        not making it possible to tcpdump the DNS requests

        But your SNI is still in the clear, and your ISP can still see what IPs you go to.

        I don't want my ISP knowing I went to www.amazon.com, but guess what.. It's right there in your SNI in the clear when you make your https connection.

        [image: clienthello.jpg]

        How was this 1st DNS not working, did it not answer at all? I.e. timeout, or did it send back NX or SERVFAIL for what you asked for?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

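        As an added check (example code, not from either poster and not part of pfSense or unbound): probe each configured DoT forwarder directly over TLS on port 853 and report whether it timed out, failed the TLS handshake, or answered with SERVFAIL/NXDOMAIN, which is exactly the distinction johnpoz asks about above. The forwarder hostnames and IPs in the main block are placeholders.

```python
import socket, ssl, struct

RCODES = {0: "NOERROR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}  # RCODE names as dig/unbound print them

def build_query(name, qid=0x1234):
    """Minimal DNS A query (RD=1) for name, as wire-format bytes."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE A, QCLASS IN

def classify_response(query, response):
    """Map a raw DNS reply to a status: malformed, id-mismatch, an RCODE name, or NOERROR/NODATA."""
    if len(response) < 12:
        return "malformed"
    rid, flags, _qdcount, ancount = struct.unpack(">HHHH", response[:8])
    if rid != struct.unpack(">H", query[:2])[0]:
        return "id-mismatch"
    rcode = flags & 0x0F
    if rcode != 0:
        return RCODES.get(rcode, "RCODE%d" % rcode)
    return "NOERROR" if ancount else "NODATA"

def probe_dot(host, ip, name="example.com", timeout=3.0):
    """TLS-connect to ip:853 with SNI=host (certificate verified against host), send one query,
    and return the reply status or the failure mode (timeout, tls-error, unreachable, closed)."""
    query = build_query(name)
    ctx = ssl.create_default_context()
    try:
        with socket.create_connection((ip, 853), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                tls.sendall(struct.pack(">H", len(query)) + query)  # RFC 7858: 2-byte length prefix
                f = tls.makefile("rb")
                hdr = f.read(2)
                if len(hdr) < 2:
                    return "closed"
                (n,) = struct.unpack(">H", hdr)
                resp = f.read(n)
                return classify_response(query, resp) if len(resp) == n else "closed"
    except socket.timeout:
        return "timeout"
    except ssl.SSLError as e:
        return "tls-error:%s" % (e.reason or e)
    except OSError as e:
        return "unreachable:%s" % (e.strerror or e)

if __name__ == "__main__":
    # Placeholder forwarders: replace with the two DoT servers entered in General Setup.
    for host, ip in [("dot1.example.net", "192.0.2.1"), ("dot2.example.net", "192.0.2.2")]:
        print(host, ip, probe_dot(host, ip))
```

        Run it from a Nagios check or cron on the LAN side: a forwarder that reports "timeout" or "unreachable" is the case where unbound has to fail over, while "SERVFAIL" means the upstream answered but could not resolve.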
        • vsatmydynipnet @johnpoz

          @johnpoz

          The one DNS runs on a cheap VPS in the USA and every few months they have a few hours of problems. In that case my Nagios reports them as unreachable and it looks like they lose their connectivity.

          I know the SNI problem. That is why I have a separate Tor-routed network here running a Debian XRDP system in it. All of this net uses Tor as DNS and Tor for routing the traffic, and no breakout is possible, even if the user does something wrong.

          For the normal LAN you would need to forward the local proxy to another proxy somewhere else, but this could cause too many slowdowns.

          • johnpoz @vsatmydynipnet

            @vsatmydynipnet ok mr robot.. seems like a lot of trouble to keep your ISP from knowing you're going to amazon.com ;)


            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.