Netgate Discussion Forum
    DNS Servers - use gateway - groups?

    DHCP and DNS
      phil.davis
      last edited by

      As I understand it, and can see in the code:
      a) DNS Servers specified in System:General Setup get queried using the default gateway.
      b) If a gateway is selected in the "Use gateway" column, then a static route is added for that DNS Server to be routed through the specified gateway, forcing queries to it out the requested gateway.

      Typically, the popular public DNS servers provide 2 IP addresses (for redundancy…) e.g.
      OpenDNS:
        208.67.222.222
        208.67.220.220
      DynDNS:
        216.146.35.35
        216.146.36.36

      These providers have paid services that can filter DNS queries, returning a block page address for "naughty" names... To use these effectively, pfSense needs to query only the DNS servers of the selected provider. Thus only 2 DNS server IPs are available.

      On a system with WAN1 and WAN2, the typical solution is to assign DNS-IP1 to WAN1GW and DNS-IP2 to WAN2GW.
      When WAN1 is down, the system is then reliant on DNS-IP2 working on WAN2.
      When WAN2 is down, the system is then reliant on DNS-IP1 working on WAN1.

      If there are 3+ WANs, then you can't spread just 2 DNS IPs across 3+ WANs. So if WAN1 and WAN2 are down, and WAN3 is up, there is internet but no DNS.

      If DNS Servers could be assigned to gateway groups, then it would be flexible and redundant.
      e.g.
      DNSIP1 on DNSGWG1 - WAN1 tier1, WAN3 tier2, WAN2 tier3
      DNSIP2 on DNSGWG2 - WAN2 tier1, WAN3 tier2, WAN1 tier3
      Then if any WAN fails, the pfSense code can change the static route to the highest tier available WAN in the gateway group.

      Feature http://redmine.pfsense.org/issues/785 also mentions this kind of thing - comments imply that something might be possible in pf rules also.

      a) Have I missed something, and the needs above can already be met in some way by the existing system?
      b) Is DNS Server assignment to a gateway group a useful feature to add?
      c) If so, is it best done all in pfSense PHP code changing the static routes in response to gateway status changes, or by some method in pf?

      As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
      If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

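The tiered selection the post proposes, as an added example that is not part of the original post or of pfSense's own code: each DNS server is bound to a gateway group, and on a gateway status change its host route is moved to the lowest-tier member that is still up. The gateway names follow the post; the next-hop addresses, the status table and the route(8) rendering are constructed assumptions.

```python
from typing import Dict, List, Optional, Tuple

# Constructed gateway groups following the post's layout: (gateway, tier),
# lower tier is preferred. DNSGWG1 prefers WAN1, then WAN3, then WAN2.
GATEWAY_GROUPS: Dict[str, List[Tuple[str, int]]] = {
    "DNSGWG1": [("WAN1GW", 1), ("WAN3GW", 2), ("WAN2GW", 3)],
    "DNSGWG2": [("WAN2GW", 1), ("WAN3GW", 2), ("WAN1GW", 3)],
}

# Constructed binding of each DNS server (OpenDNS addresses from the post) to a group.
DNS_BINDINGS: Dict[str, str] = {
    "208.67.222.222": "DNSGWG1",
    "208.67.220.220": "DNSGWG2",
}

# Hypothetical next-hop addresses for each gateway (documentation ranges).
GATEWAY_NEXT_HOP: Dict[str, str] = {
    "WAN1GW": "198.51.100.1",
    "WAN2GW": "203.0.113.1",
    "WAN3GW": "192.0.2.1",
}

def pick_gateway(group: List[Tuple[str, int]], status: Dict[str, bool]) -> Optional[str]:
    """Return the up gateway with the lowest tier, or None when every member is down."""
    up_members = [(tier, name) for name, tier in group if status.get(name, False)]
    return min(up_members)[1] if up_members else None

def dns_routes(status: Dict[str, bool]) -> Dict[str, Optional[str]]:
    """Map each DNS server to the gateway its host route should use right now."""
    return {ip: pick_gateway(GATEWAY_GROUPS[grp], status) for ip, grp in DNS_BINDINGS.items()}

def route_commands(status: Dict[str, bool]) -> List[str]:
    """Render the host routes as route(8) commands. Assumes the host route already
    exists; when a whole group is down the route is removed so the query falls back
    to the default gateway instead of being sent to a dead next hop."""
    cmds = []
    for ip, gw in sorted(dns_routes(status).items()):
        if gw is None:
            cmds.append(f"route delete -host {ip}")
        else:
            cmds.append(f"route change -host {ip} {GATEWAY_NEXT_HOP[gw]}")
    return cmds

if __name__ == "__main__":
    # The post's failure case: WAN1 and WAN2 down, WAN3 up -> both servers move to WAN3.
    for cmd in route_commands({"WAN1GW": False, "WAN2GW": False, "WAN3GW": True}):
        print(cmd)
```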