Possible to use different upstream DNS servers for certain clients?

macboy6 · Feb 26, 2016, 3:52 AM

I want all my LAN clients to use unbound DNS. I would also like to push certain LAN clients through Unbound, but to a different upstream DNS server for specific clients.

For example:
Client 1 –> DNS: 192.168.1.1(pfSense Unbound DNS) --> Upstream DNS: 8.8.8.8
Client 2 --> DNS: 192.168.1.1(pfSense Unbound DNS) --> Upstream DNS: 8.34.34.34

Is the above scenario possible with pfSense? I know I can set static DNS mappings for specific clients but that would bypass the local unbound DNS server.

Thanks,
Marco

johnpoz · Feb 26, 2016, 11:19 AM

you don't even understand how unbound works do you… Its a resolver not a forwarder.. Did you put it in forwarder mode?

A resolver works down from roots to find the authoritative server for the domain the record you looking for is in... And then directly asks it for the IP of say www.domainx.com.

If you want client1 to use dns1, and client 2 to use dns2 - then point those clients there directly..

macboy6 · Feb 26, 2016, 12:21 PM

Perhaps I didnt explain this well.

Im using Unbound in resolver mode and it's working fine. I was under the impression that unbound still leverages my ISP DNS. In fact if i go to dnsleaktest it shows my internet DNS servers being used. My clients are correctly configured to point unbound and host overrides work well.

If you are saying that unbound doesnt use or need an external DNS server at all then I am very confused.

johnpoz · Feb 26, 2016, 12:42 PM

"I was under the impression that unbound still leverages my ISP DNS"

Is your isp dns authoritative for some domain your looking up?? Did you put unbound in forwarder mode? If not then NO resolver has no need to talk to your isp dns.

Unbound only needs to know where to start, the root hints.. That is already knows about.

;; QUESTION SECTION:
;. IN NS

;; ANSWER SECTION:
. 433739 IN NS l.root-servers.net.
. 433739 IN NS g.root-servers.net.
. 433739 IN NS m.root-servers.net.
. 433739 IN NS i.root-servers.net.
. 433739 IN NS b.root-servers.net.
. 433739 IN NS d.root-servers.net.
. 433739 IN NS h.root-servers.net.
. 433739 IN NS f.root-servers.net.
. 433739 IN NS c.root-servers.net.
. 433739 IN NS k.root-servers.net.
. 433739 IN NS a.root-servers.net.
. 433739 IN NS e.root-servers.net.
. 433739 IN NS j.root-servers.net.

From there is finds the authoritative servers for say .org

;; QUESTION SECTION:
;org. IN NS

;; ANSWER SECTION:
org. 86400 IN NS a2.org.afilias-nst.info.
org. 86400 IN NS a0.org.afilias-nst.info.
org. 86400 IN NS b0.org.afilias-nst.org.
org. 86400 IN NS b2.org.afilias-nst.org.
org. 86400 IN NS d0.org.afilias-nst.org.
org. 86400 IN NS c0.org.afilias-nst.info.

It then asks one of them for the authoritative server for say pfsense.org

;; QUESTION SECTION:
;pfsense.org. IN NS

;; ANSWER SECTION:
pfsense.org. 300 IN NS ns3.pfmechanics.com.
pfsense.org. 300 IN NS ns1.pfmechanics.com.
pfsense.org. 300 IN NS ns2.pfmechanics.com.

It then goes and asks one of them for www.pfsense.org

It never "Forwards" a query to any specific name server..

macboy6 · Feb 26, 2016, 11:04 PM

Thanks johnpoz. I didn't realize that's how unbound worked, so was a valuable lesson.

There must be something else that is causing DNS leak.

johnpoz · Feb 27, 2016, 11:00 AM

what do consider a dns leak?? Something asking your isp??

macboy6 · Feb 28, 2016, 2:54 PM

Yes, from a client that I am routing out a DNS connection, I don't want my ISP to be able to be able to see any information that could show internet history. If I use a service to check for DNS leak, it is listing my real IP address as DNS server, which I have come to understand could be an issue. Perhaps I am misunderstanding how this should work.

I use firewall rules to route certain clients out my VPN gateway interface.