Unbound forwarder/resolver mode with multi-WAN interfaces?


  • LAYER 8 Global Moderator

    So there is a comment in the wiki about having to use forwarder mode in unbound if you have multiple WAN interfaces.

    https://doc.pfsense.org/index.php/Unbound_DNS_Resolver#Configuration
    Forwarding mode is necessary for Multi-WAN Configurations.

    I don't see why this would be a requirement. I reached out to jimp, who created the wiki article where it states that. He was kind enough to respond, but also suggested this would be a good topic for discussion in the forum.. So here we are ;)

    I don't really see why that would be a requirement; when it resolves it should use your default gateway.. And, say, any local interfaces you allow it to get to local NS you might want to point to for specific domain overrides based upon routing.  But if enabled on the multiple WAN interfaces, and say wan1 is down, why could you not set it up to use wan2 in that scenario.. For example if you had a WAN interface group?

    Can anyone shed some further light on such a requirement?  What possible sort of issues could you run into with multi-WAN and using it in resolver mode, etc.?



  • I use it with three concurrent WAN connections and each of them has its own DNS server set up in System -> General Setup. Each of the DNS servers there is using a different WAN connection to send the query.
    If I disable forwarding mode then I have DNS leaks. So this is a useful feature for me.
    Why not use DNS Forwarder instead? Because I need to run DNS Resolver in order to use the DNSBL feature of pfBlockerNG.
    Possible to achieve it in a different way without forwarding mode? Maybe, but I haven't bothered to find out.



  • It's not strictly necessary; if you use default gateway switching it'll fail over to wherever the default gateway goes.


  • LAYER 8 Global Moderator

    So that should be removed from the wiki then… It is confusing to new users of unbound.. Ran into a thread where, when asked why he was using forwarder mode in unbound, he stated the docs told him he had to..

    @fraglord... Your concern over "DNS leakage" has nothing to do with the topic.. My question is about the wiki stating that if you have multi-WAN you have to use forwarder mode... Which makes no sense to me, and I was asking for clarification as to why that might be an issue.

    @cmb if you didn't use default gateway switching, and the link went down, how would forwarder mode work?  Unless the ISP DNS was on the same segment as the WAN?  Forwarder mode seems like a really bad idea to me in unbound with multiple WANs... Many ISPs only allow access to their DNS from their netblocks.. If you try and forward to ISP A's (wan a) DNS, and try and connect from ISP B's (wan b) IP, it's quite possible it would fail..  In unbound the forwarding is sequential queries, is it not, unlike the forwarder where you can query all the listed DNS at the same time and the first one to answer wins.. So in that scenario, if multi-WAN and you can query out whatever WAN is up, you should get your queries responded to.

    Isn't default switching the default setup in multi-WAN?? To be honest, shouldn't this statement from the multi-WAN doc be removed now that pfSense has an actual RESOLVER vs forwarder..

    https://doc.pfsense.org/index.php/Multi-WAN
    "Make sure at least one DNS server is set for each WAN gateway under System > General."

    There is a whole section there that should most likely be edited to reflect using resolver vs forwarder mode.. DNS considerations..



  • @johnpoz:

    @cmb if you didn't use default gateway switching, and the link went down, how would forwarder mode work?  Unless the ISP DNS was on the same segment as the WAN?

    Because you always define a gateway for each DNS server in System > General Setup and that adds a route. The forwarded servers will only go out that specific WAN.

    I updated that wiki page to specify default gateway switching is another option.
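As an added illustration (not from this thread and not pfSense's generated configuration), this is what the forwarder-mode setup described above looks like in raw unbound.conf terms, with the per-server host routes that pfSense derives from the System > General Setup gateway choice shown as comments. The addresses (LAN 192.168.1.0/24, ISP A resolver 192.0.2.53 behind gateway 192.0.2.1 on WAN1, ISP B resolver 198.51.100.53 behind gateway 198.51.100.1 on WAN2) are placeholders from the RFC 5737 documentation ranges.

```conf
# Added example with placeholder addresses; not pfSense's own config.
server:
    # Listen on the LAN only; outbound forwarding needs no WAN-facing listener.
    interface: 192.168.1.1
    access-control: 192.168.1.0/24 allow

forward-zone:
    name: "."
    # ISP A resolver, intended to be reached only through WAN1 (gw 192.0.2.1)
    forward-addr: 192.0.2.53
    # ISP B resolver, intended to be reached only through WAN2 (gw 198.51.100.1)
    forward-addr: 198.51.100.53
    # With forward-first left at "no", unbound returns SERVFAIL if every
    # forwarder fails instead of falling back to full recursion over the
    # default gateway.
    forward-first: no

# The multi-WAN part is not an unbound directive at all. pfSense installs a
# host route per DNS server to the gateway selected in System > General Setup,
# equivalent on FreeBSD to:
#   route add -host 192.0.2.53    192.0.2.1
#   route add -host 198.51.100.53 198.51.100.1
# so each forwarder is queried from its own ISP's address space. If WAN1 goes
# down, queries to 192.0.2.53 time out and unbound's per-server RTT tracking
# deprioritises it in favour of 198.51.100.53. Without those routes both
# servers would be reached via the default gateway, and an ISP that only
# serves its own netblocks would refuse the query from the other WAN's IP.
```

In resolver (recursive) mode there is no fixed upstream address to pin a route to, which is why failover there depends on default gateway switching rather than on these host routes.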

