In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?
-
So here's the situation:
I work for a small TV station and we need YouTube.
We have a Cogent fiber connection and a Comcast business cable connection. The problem is Cogent sux.. we have a 3 year contract with them and I can't break it now.
For security, I have a full DoT setup using Cloudflare and Quad9 for secure DNS.
All works perfectly over Comcast. However, if I were to make Cogent our primary and use the Comcast as backup (which it's supposed to be), a number of sites won't work because Cogent is forcing us to use THEIR DNS. YouTube being one of them (the site comes up but doing a search results in an attempt to force us to log in with an account). It's 1Gig fiber whereas the Comcast is 350/40.
Is there a way that I can get our pfSense firewall to use Comcast for DoT and then have all traffic sent/received over Cogent?
Cogent REFUSES to do anything about it.. yeah, it's not that they can't, they just don't wanna be bothered..
Thanks!!
-
If you are using Unbound in pfSense in forwarding mode you can just set the Comcast WAN as the only outgoing interface for queries in the resolver config.
-
It is not in forwarding mode. I set it up for DoT as per the pfSense config recipe.
Dunno if that means anything to you or not..
Thanks!
-
@jc1976
Also, as of now, I have the Comcast connection set as the primary gateway with the Cogent line as backup/failover. I dunno if that tells you anything you didn't already know.
Thanks again!
-
You mean this?
https://docs.netgate.com/pfsense/en/latest/recipes/dns-over-tls.html#enable-dns-over-tls-for-forwarded-queries
You have to set Unbound in forwarding mode for that to work.
In which case you can just set which interface(s) for Unbound to use for outgoing queries. By default it uses all interfaces but you can just set Comcast.
-
Yes, that's the documentation I used to config DoT.
Under Services/DNS Resolver/General Settings, I set the outgoing network interfaces to use the Comcast connection but got the same result.
-
What result are you seeing? How are you testing?
If you go to Diag > States and filter by
:853
do you see outbound DoT connections on both WANs?
-
@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:
go to Diag > States and filter by :853
NB: This will only show IPv4 states.
-
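The ":853 states" check above can be done from the pfSense shell as well as from Diag > States. The following is an added example, not code from the thread or from pfSense: it reads `pfctl -ss` style lines and counts outbound DoT states per source address, so you can see whether Unbound is really leaving only via the configured WAN. The WAN addresses 198.51.100.10 (Comcast) and 203.0.113.10 (Cogent) and the sample state lines are constructed placeholders.

```shell
#!/bin/sh
# Assumed placeholders: 198.51.100.10 = Comcast WAN address, 203.0.113.10 = Cogent WAN address.

# Read `pfctl -ss` style state lines on stdin; print "<address> <count>" for
# each source address that owns outbound states to TCP/853 (DNS over TLS).
dot_states_by_wan() {
    awk '
    {
        arrow = 0
        for (i = 1; i <= NF; i++) if ($i == "->") { arrow = i; break }
        if (arrow == 0) next                 # "<-" lines are inbound; skip them
        dst = $(arrow + 1)
        if (dst !~ /:853$/) next             # keep only DoT destinations
        src = $(arrow - 1)                   # post-NAT address when shown as "(a.b.c.d:port)"
        gsub(/[()]/, "", src)
        sub(/:[0-9]+$/, "", src)             # drop the source port
        count[src]++
    }
    END { for (a in count) print a, count[a] }
    ' | sort
}

# Succeed only when every DoT state leaves from a single address, i.e. Unbound
# honours the one outgoing interface set under Services > DNS Resolver.
dot_single_wan() {
    [ "$(dot_states_by_wan | wc -l | tr -d ' ')" -eq 1 ]
}

# Constructed sample of `pfctl -ss` output (not captured from a real firewall):
# DoT states on both WANs, plus unrelated HTTPS and plain-DNS states.
sample_states() {
    cat <<'EOF'
all tcp 203.0.113.10:51022 -> 1.1.1.1:853       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.10:60544 -> 9.9.9.9:853       ESTABLISHED:ESTABLISHED
all tcp 198.51.100.10:60545 -> 1.0.0.1:853       ESTABLISHED:ESTABLISHED
all tcp 192.168.1.50:44321 (203.0.113.10:44321) -> 192.0.2.80:443       ESTABLISHED:ESTABLISHED
all udp 192.168.1.50:5353 (198.51.100.10:5353) -> 9.9.9.9:53       SINGLE:MULTIPLE
EOF
}

# On the firewall itself you would run: pfctl -ss | dot_states_by_wan
sample_states | dot_states_by_wan
```

If the Cogent address shows up in the output after setting Comcast as the only outgoing interface, Unbound is not honouring that setting (or the states are old: reset the state table first).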
I'm making the change, resetting the state table, and then going to youtube.com and doing a search..
Clicking on a video prompts me to put in my YouTube account credentials to prove that I'm not a bot.
-
So do you see the DoT states on Comcast only?
Are you sure this is actually a DNS problem?
Is the client actually using pfSense for DNS? It could be using DoH directly, for example.
-
DoH is not permitted. I'm just using my own PC for testing.
I navigate to speedtest.net and run a test, all pegs 1Gb without issue. Then I navigate to YouTube and do a lookup. Upon clicking a video I'm prompted to sign in to make sure I'm not a bot.
If I were to put the static IP assigned by Cogent into my laptop and use their DNS, and plug directly into their equipment, all works fine.
-
So do you see the DoT states on Comcast only? That's the important thing there.
If you switch the DNS to use 8.8.8.8/8.8.4.4 instead does it still ask you to login?
The difference here is that the remote servers see requests come in from your Cogent public IP but DNS resolved at the target forwarded servers. For whatever reason that mismatch there triggers the login for the Cogent public IP but not Comcast.
-
If I switch my DNS to Google's, the same thing happens. Cogent simply will not allow me to use any other DNS.
"The difference here is that the remote servers see requests come in from your Cogent public IP but DNS resolved at the target forwarded servers. For whatever reason that mismatch there triggers the login for the Cogent public IP but not Comcast."
So is there anything that can be done?
-
@jc1976 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:
Cogent simply will not allow me to use any other DNS.
So DNS fails entirely if you try to use it over the Cogent WAN?
And, again, do you see the DoT states on Comcast only if you set Unbound to use only that for outbound connections?
As I understand it the only issue you're seeing here is that youtube flags your connection as suspicious if you try to use the Cogent WAN whilst resolving at some remote server?
One thing you could try is to just resolve on Unbound locally since that would then also use the Cogent public IP to resolve.
-
@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:
As I understand it the only issue you're seeing here is that youtube flags your connection as suspicious if you try to use the Cogent WAN whilst resolving at some remote server?
Yes, that is correct.
If I use Cogent's DNS, all works fine. However, if I use a 3rd party DNS it fails on YouTube. I haven't tried on other sites, since YouTube is the most serious of problems.
@stephenw10 said in In dual WAN, how can I use one interface for DNS but have all traffic traverse the other?:
One thing you could try is to just resolve on Unbound locally since that would then also use the Cogent public IP to resolve.
I could do that, but
- I'm trying to bring a modicum of security to our DNS,
- it's the principle of it; Cogent shouldn't be able to force us to use their DNS..
- and the way I've been treated by them is appalling.. they literally said it's Google/YouTube's fault after I proved to them it's their fault and that they were not going to help me any further.
-
Well from what we've seen here it is Google's fault. Cogent is not preventing you using other DNS servers. What's happening is that Google's servers detect you are resolving DNS from a different location than you are sourcing requests and flag the connection as suspicious in some way requiring additional screening. The same way that some sites will do that for VPN connections. A "DNS leak" is one way sites detect it. The interesting thing is that they only flag the Cogent connection that way.
One other thing you could do is VPN all your traffic over the Cogent WAN to the same location you are resolving from.
But I would at least try resolving locally first since that would also set the DNS and source IPs to match. With DNSSEC enabled you can be pretty confident in the results. Using DoT really just outsources your trust to Cloudflare.