    DNS forwarder (dnsmasq) with multiple WAN and multiple DNS servers?

    Routing and Multi WAN
    CDuv:

      Hello,

      I have a multi-WAN load-balancing setup (from 3 different ISPs: 2 static, 1 DHCP) where failure detection seems to work (pfSense detects and notifies me about WAN failures) but web browsing during such degraded periods is "random".

      Because established TCP connections (such as SSH) continue to work over the failed connection, I suspect the web browsing problem experienced by users is DNS-related.

      Under System: General Setup > System > DNS servers I have typed in 3 IP addresses, one for each DNS server our 3 ISPs provide us, and set the "Use Gateway" accordingly:

      Is it correct?

      jimp (Rebel Alliance Developer, Netgate):

        That is correct. Also make sure that you get a valid response from all of them when the WANs are all up – check Diagnostics > DNS.
        And make sure you didn't get the routing criss-crossed by doing something such as setting x.x.x.x as the DNS for WAN_A but as the gateway monitor IP for WAN_B.

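A consistency check for the mapping jimp describes, added here as an example (it is not from the thread or from pfSense): it takes the DNS-server-to-gateway pinning from System > General Setup and the gateway monitor IPs, and flags a monitor IP shared by two gateways or a DNS server routed via one WAN while being the monitor IP of another. pfSense installs a host route for each pinned DNS server and each monitor IP, so one address cannot be routed via two WANs. The sample data is constructed; the 1.1.1.1/2.2.2.2/3.3.3.3 and WAN_A/B/C names are the placeholders used later in the thread.

```python
import ipaddress

# Constructed sample: three ISP DNS servers, each pinned to the gateway of
# the ISP that provides it ("Use Gateway" in System > General Setup).
DNS_SERVERS = [
    {"ip": "1.1.1.1", "gateway": "WAN_A"},
    {"ip": "2.2.2.2", "gateway": "WAN_B"},
    {"ip": "3.3.3.3", "gateway": "WAN_C"},
]

# Constructed sample of the gateway monitor IPs. WAN_B deliberately reuses
# WAN_A's DNS server as its monitor IP: the "criss-crossed" case.
GATEWAYS = [
    {"name": "WAN_A", "monitor_ip": "1.1.1.1"},
    {"name": "WAN_B", "monitor_ip": "1.1.1.1"},
    {"name": "WAN_C", "monitor_ip": "3.3.3.3"},
]


def find_dns_gateway_conflicts(dns_servers, gateways):
    """Return a list of human-readable problems in the DNS / gateway / monitor mapping."""
    problems = []
    gw_names = {g["name"] for g in gateways}

    # Each DNS server must be a valid address pinned to a gateway that exists.
    for entry in dns_servers:
        try:
            ipaddress.ip_address(entry["ip"])
        except ValueError:
            problems.append(f"DNS server {entry['ip']!r} is not a valid IP address")
            continue
        if entry["gateway"] not in gw_names:
            problems.append(f"DNS server {entry['ip']} is pinned to unknown gateway {entry['gateway']}")

    # A monitor IP gets a host route via its gateway, so two gateways may not share one.
    first_user = {}
    for gw in gateways:
        mon = gw["monitor_ip"]
        if mon in first_user:
            problems.append(f"monitor IP {mon} is used by both {first_user[mon]} and {gw['name']}")
        first_user.setdefault(mon, gw["name"])

    # A DNS server that doubles as a monitor IP must be routed via the same gateway.
    dns_gateway = {d["ip"]: d["gateway"] for d in dns_servers}
    for gw in gateways:
        mon = gw["monitor_ip"]
        if mon in dns_gateway and dns_gateway[mon] != gw["name"]:
            problems.append(f"{mon} is the DNS server for {dns_gateway[mon]} but the monitor IP "
                            f"for {gw['name']} (criss-crossed routing)")
    return problems
```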

          CDuv:

          I obviously didn't take the time to thank you for your answer: thanks.

          I'm still having some issues with that setup, but it's now the opposite of the initial problem: all 3 WANs are OK (I can ping the Internet from each one, thanks to the pfSense webGUI) but DNS resolution fails, giving a bad user experience (Internet access seems down from their point of view).

          I'm not sure one of the DNS wasn't down at that time and will double check that.

          Considering I'm using the ISP's DNS servers, I'm pretty sure server 1.1.1.1 (WAN_A's ISP) won't reply to requests coming from ISP B's network. Then should I also add firewall rules to make sure DNS traffic to server 1.1.1.1 uses only WAN_A, traffic to 2.2.2.2 uses only WAN_B and traffic to 3.3.3.3 uses only WAN_C?

          With all these external servers (WAN monitoring IPs and DNS servers) determining the status of my Internet access, I'm starting to consider using my own pair of DNS resolution servers…

            doktornotor:

            I'd run my own recursive server (such as unbound) and move on.

              CDuv:

              Thanks, I'll look into Unbound.

              If I use the pfSense package, I won't have to specify anything in System: General Setup > System > DNS servers, right?

                doktornotor:

                Specifying nothing anywhere can have undesired effects, such as with DHCP servers. Double-check your setup and make sure you are pointing your DHCP clients to a working DNS server, such as the unbound interface IP. I'd frankly leave some known-to-be-working servers there for WAN traffic. Consider e.g., when you upgrade pfSense, your packages will fail to fetch and install - and that includes unbound. So, in the end your pfSense box will be left with broken networking without any DNS.

                Note: In case you have an AD somewhere, do NOT point the domain member computers to your pfSense box. Otherwise, everything will break. Instead, point the authorized domain DNS servers to pfSense as a forwarder.

                  CDuv:

                  I see, I'll specify DNS servers there for pfSense to resolve domains for itself and tell my LAN clients to use Unbound on pfSense's IP (via DHCP or manually).

                    CDuv:

                    Quick update: In my setup my pfSense server has IP 192.168.0.42/24, but a virtual IP (menu Firewall: Virtual IP Address) of type "IP alias" (on interface "LAN") makes it available via 192.168.0.254/24 (I consider this IP my gateway IP, so I'm free to use whatever server I want as long as it responds on 192.168.0.254/24).

                    But the Unbound package (v1.4.22), when asked to listen on "Network interface" LAN and loopback, seems to ignore this virtual IP.

                    I can successfully contact Unbound on 192.168.0.42:

                    nslookup www.pfsense.org 192.168.0.42
                    Server:        192.168.0.42
                    Address:        192.168.0.42#53

                    Non-authoritative answer:
                    Name:  www.pfsense.org
                    Address: 208.123.73.69

                    But it fails on 192.168.0.254:

                    nslookup www.pfsense.org 192.168.0.254
                    ;; connection timed out; no servers could be reached

                    GUI and netstat confirm it:
                    Menu Services: Unbound DNS Forwarder: Status: Unbound configuration:

                    [...]
                    # Interface IP(s) to bind to
                    interface: 192.168.0.42
                    interface: 127.0.0.1
                    interface: ::1
                    [...]
                    
                    [2.1.2-RELEASE][admin@router.example.com]/(36): netstat -n | grep 53
                    udp6       0      0 ::1.53                 *.*
                    udp4       0      0 127.0.0.1.53           *.*
                    udp4       0      0 192.168.0.42.53        *.*
                    c8e86ec8 stream      0      0 c8e3f53c        0        0        0 /var/run/check_reload_status
                    

                    Is there a way to add the "interface: 192.168.0.254" Unbound directive (GUI or CLI)? Tried to add it in "Services: Unbound DNS Forwarder: Advanced Settings: Custom Options" but Unbound then fails to start…
                    If this is not supported by this package nor the pfSense UI could I set up some "iptables" redirection?
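A check for the listener mismatch shown in the post above, added here as an example (not from the thread or the pfSense Unbound package): it parses the quoted unbound.conf fragment and the BSD `netstat -n` output and reports which addresses clients are expected to use but that are neither configured as an `interface:` nor actually bound on port 53. The two sample strings are copied from the post; the EXPECTED_LISTENERS list (interface IP plus the 192.168.0.254 IP alias) is an assumption.

```python
import re

# Copied from the post: the interface block of the generated unbound.conf.
UNBOUND_CONF = """\
# Interface IP(s) to bind to
interface: 192.168.0.42
interface: 127.0.0.1
interface: ::1
"""

# Copied from the post: BSD netstat -n output filtered for "53".
NETSTAT_OUTPUT = """\
udp6       0      0 ::1.53                 *.*
udp4       0      0 127.0.0.1.53           *.*
udp4       0      0 192.168.0.42.53        *.*
c8e86ec8 stream      0      0 c8e3f53c        0        0        0 /var/run/check_reload_status
"""

# Assumption: the addresses clients should be able to reach the resolver on,
# i.e. the LAN interface IP plus the IP alias used as the gateway address.
EXPECTED_LISTENERS = ["192.168.0.42", "192.168.0.254", "127.0.0.1", "::1"]


def configured_interfaces(conf_text):
    """Addresses named by 'interface:' directives in unbound.conf."""
    return {m.group(1) for m in re.finditer(r"^\s*interface:\s*(\S+)", conf_text, re.M)}


def dns_listeners(netstat_text, port=53):
    """Local addresses with a UDP socket bound to `port` in BSD netstat -n output.

    BSD netstat prints the local address as ADDR.PORT (192.168.0.42.53, ::1.53),
    so the port is split off at the last dot, not at a colon.
    """
    found = set()
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or not fields[0].startswith("udp"):
            continue  # skips unix sockets and the header line
        addr, _, bound_port = fields[3].rpartition(".")
        if bound_port == str(port):
            found.add(addr)
    return found


def check_listeners(conf_text, netstat_text, expected):
    """Expected addresses missing from the config and/or not actually bound."""
    conf, bound = configured_interfaces(conf_text), dns_listeners(netstat_text)
    return {
        "not_in_config": [ip for ip in expected if ip not in conf],
        "not_bound": [ip for ip in expected if ip not in bound],
    }
```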

                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.