Unbound vs MultiWAN

  • I'm a 2.0 n00b (rebuilt on 2.0 after a hardware failure last weekend) and am exploring dnsmasq vs Unbound in a MultiWAN configuration.

    1. The basic question is this: Is Unbound MultiWAN aware/compatible?  Will DNS lookups work when the primary WAN is down if I'm resolving from the roots directly without forwarders?  How about if one WAN is experiencing high latency or packet loss (but isn't fully down)?

    With dnsmasq the solution was to have one forwarder on each WAN, but if we're not relying on forwarders then Unbound needs to be MultiWAN aware.

    2. Alternatively if I do still use forwarders, does Unbound send queries up to each forwarder and use the fastest like dnsmasq, or does it send in sequence only using the next forwarder in line if there was a timeout/failure/whatever?

    In case it's relevant:
    Current version: 2.0-BETA4
    Built On: Sat Dec 11 04:27:50 EST 2010

  • #1)  You will need to add static routes for the root-servers (or at least half of them) if you wish to run unbound in this mode.  The alternative is to check the box and use the built in DNS Servers defined in System -> General.  Specify the WAN for each of these if you go this route and the static routes are automatically added behind the scenes.

    #2) That is a good question.  I am not sure if it does parallel queries like DNSMasq.

    I have alerted the author of the Unbound package (warren) so we can start discussing the root server issue in relation to static routes so this might be handled behind the scenes in the future.

  • #1) I'm not sure that adding static routes to the roots will do any good.  Say I'm looking for www.pfsense.org, I first hit the roots (which will be reachable by way of static routes) and they refer me to the org. zone which is hosted by afilias-nst.org:

    org.                    172800  IN      NS      a0.org.afilias-nst.info.
    org.                    172800  IN      NS      a2.org.afilias-nst.info.
    org.                    172800  IN      NS      b0.org.afilias-nst.org.
    org.                    172800  IN      NS      b2.org.afilias-nst.org.
    org.                    172800  IN      NS      c0.org.afilias-nst.info.
    org.                    172800  IN      NS      d0.org.afilias-nst.org.
    ;; Received 438 bytes from in 326 ms

    Unless Unbound is multiWAN aware, I won't be able to query those servers to find out what NS is responsible for pfsense.org (rinse+repeat downstream)

    So in order to rely on static routes, I'd have to go through every domain we might need to access while the WAN is down and create static routes for 50% of each of their NS records.
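    The delegation problem described in the two posts above (static routes to the roots alone, versus every nameserver the referral chain touches) can be made concrete with a small script. This is an added example, not code from the thread or from pfSense: it parses dig-style NS referral lines like the ones quoted above into an in-memory delegation table, walks the chain from the root down to a target name, and returns the set of nameserver hosts that would each need to be reachable (i.e. routed) for an iterative resolver to succeed. The "org." records are taken from the quoted dig output; the root and pfsense.org nameserver names are constructed placeholders, not real data.

```python
"""
Enumerate every nameserver an iterative resolver must reach to resolve a
name, using a constructed in-memory delegation table instead of live DNS.
Added example for the thread; not pfSense or Unbound code.
"""

# Referral lines copied from the thread's dig output (the ";; Received"
# footer is deliberately included to show it is ignored by the parser).
THREAD_DIG_OUTPUT = """\
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 438 bytes from in 326 ms
"""

# Constructed referrals for the rest of the chain. The root entries are a
# placeholder subset; the pfsense.org entries use .invalid names so they
# cannot be mistaken for real nameservers.
CONSTRUCTED_REFERRALS = {
    ".": ["a.root-servers.net.", "b.root-servers.net."],
    "pfsense.org.": ["ns1.example-dns.invalid.", "ns2.example-dns.invalid."],
}


def parse_ns_records(text):
    """Parse dig-style 'zone TTL IN NS host' lines into {zone: [hosts]}.

    Anything that is not a five-field NS record (comments, footers) is
    skipped, so the function can be fed raw dig output.
    """
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[2] == "IN" and parts[3] == "NS":
            table.setdefault(parts[0], []).append(parts[4])
    return table


def build_referrals():
    """Merge the thread's org. records with the constructed placeholders."""
    table = dict(CONSTRUCTED_REFERRALS)
    table.update(parse_ns_records(THREAD_DIG_OUTPUT))
    return table


def delegation_chain(name, referrals=None):
    """Return [(zone, [nameservers]), ...] in the order an iterative
    resolver would contact them, starting at the root.

    The chain stops at the deepest zone for which a referral exists; the
    servers of that zone are the ones that answer authoritatively.
    """
    referrals = referrals if referrals is not None else build_referrals()
    labels = name.strip(".").split(".")
    # Candidate zones from the TLD down to the full name, e.g.
    # ["org.", "pfsense.org.", "www.pfsense.org."]
    candidates = [".".join(labels[i:]) + "." for i in range(len(labels) - 1, -1, -1)]
    chain = [(".", referrals["."])]
    for zone in candidates:
        if zone in referrals:
            chain.append((zone, referrals[zone]))
        else:
            break  # no further delegation: previous zone is authoritative
    return chain


def required_servers(name, referrals=None):
    """Every nameserver host that must be reachable to resolve `name`."""
    return {ns for _, servers in delegation_chain(name, referrals) for ns in servers}


def unreachable_with_routes(name, routed_hosts, referrals=None):
    """Nameservers the resolver still cannot reach if only `routed_hosts`
    have static routes, which is the gap the thread is pointing at when
    routes exist for the root servers alone."""
    return required_servers(name, referrals) - set(routed_hosts)


if __name__ == "__main__":
    target = "www.pfsense.org"
    for zone, servers in delegation_chain(target):
        print(f"{zone:15} -> {len(servers)} nameservers")
    roots_only = CONSTRUCTED_REFERRALS["."]
    print("still unreachable with root routes only:",
          sorted(unreachable_with_routes(target, roots_only)))
```

Running it shows the chain root → org. → pfsense.org. and that, with routes only for the root servers, all six org. servers and both pfsense.org servers remain unreachable, which is exactly why per-domain static routes do not scale.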

  • Yeah, I see what you mean.  You can try creating a floating rule for the host itself and try to use a load balancing, pool, etc.

    I have not tried this as of yet.  If that does not work you might be forced to use the built in DNS Servers.

  • Hi sullrich,

    according to http://twitter.com/sullrich/status/19903124395266048 you seemed to have resolved the problem. I would be quite interested in this, could you share some more details?

  • Rebel Alliance Developer Netgate

    We're trying to nail down and document that process better (the one sullrich has in his twitter feed) but we've hit a couple snags.

    Once the bugs are ironed out there will be a wiki doc about how to set it up.

  • Yeah it was working and then it stopped.  Trying to find the reason.  Hopefully we can get it resolved before RC1.

  • Can you try with the latest snapshot that will come out and see if it works:

    • Just enable AON and put any as source on rules
    • Create a floating rule with direction out, quick selected, and the load balance pool
