Possible to use different upstream DNS servers for certain clients?

  • I want all my LAN clients to use unbound DNS.  I would also like to push certain LAN clients through Unbound, but to a different upstream DNS server for specific clients.

    For example:
    Client 1 --> DNS: Unbound DNS --> Upstream DNS:
    Client 2 --> DNS: Unbound DNS --> Upstream DNS:

    Is the above scenario possible with pfSense?  I know I can set static DNS mappings for specific clients but that would bypass the local unbound DNS server.


  • LAYER 8 Global Moderator

    You don't even understand how unbound works, do you… It's a resolver, not a forwarder. Did you put it in forwarder mode?

    A resolver works down from the roots to find the authoritative server for the domain the record you're looking for is in, and then directly asks it for the IP of, say, www.domainx.com.

    If you want client1 to use dns1 and client2 to use dns2, then point those clients there directly.

  • Perhaps I didn't explain this well.

    I'm using Unbound in resolver mode and it's working fine. I was under the impression that unbound still leverages my ISP DNS. In fact, if I go to dnsleaktest it shows my internet DNS servers being used. My clients are correctly configured to point to unbound, and host overrides work well.

    If you are saying that unbound doesn't use or need an external DNS server at all, then I am very confused.

  • LAYER 8 Global Moderator

    "I was under the impression that unbound still leverages my ISP DNS"

    Is your ISP DNS authoritative for some domain you're looking up?? Did you put unbound in forwarder mode? If not, then NO, a resolver has no need to talk to your ISP DNS.

    Unbound only needs to know where to start, the root hints. That it already knows about.

    ;.                              IN      NS

    .                      433739  IN      NS      l.root-servers.net.
    .                      433739  IN      NS      g.root-servers.net.
    .                      433739  IN      NS      m.root-servers.net.
    .                      433739  IN      NS      i.root-servers.net.
    .                      433739  IN      NS      b.root-servers.net.
    .                      433739  IN      NS      d.root-servers.net.
    .                      433739  IN      NS      h.root-servers.net.
    .                      433739  IN      NS      f.root-servers.net.
    .                      433739  IN      NS      c.root-servers.net.
    .                      433739  IN      NS      k.root-servers.net.
    .                      433739  IN      NS      a.root-servers.net.
    .                      433739  IN      NS      e.root-servers.net.
    .                      433739  IN      NS      j.root-servers.net.

    From there it finds the authoritative servers for, say, .org

    ;org.                          IN      NS

    org.                    86400  IN      NS      a2.org.afilias-nst.info.
    org.                    86400  IN      NS      a0.org.afilias-nst.info.
    org.                    86400  IN      NS      b0.org.afilias-nst.org.
    org.                    86400  IN      NS      b2.org.afilias-nst.org.
    org.                    86400  IN      NS      d0.org.afilias-nst.org.
    org.                    86400  IN      NS      c0.org.afilias-nst.info.

    It then asks one of them for the authoritative server for, say, pfsense.org

    ;pfsense.org.                  IN      NS

    pfsense.org.            300    IN      NS      ns3.pfmechanics.com.
    pfsense.org.            300    IN      NS      ns1.pfmechanics.com.
    pfsense.org.            300    IN      NS      ns2.pfmechanics.com.

    It then goes and asks one of them for www.pfsense.org

    It never "Forwards" a query to any specific name server..
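
An added example, not code from the thread or from Unbound itself, that models the walk johnpoz describes: start at the root hints, follow each NS referral down (root → org. → pfsense.org.), and ask the authoritative server for the final answer. The delegation table is constructed inline from the dig output above (server names as shown, all IPs and the forwarder's upstream name are made up), so it runs offline. The second function models forwarder mode for contrast: every query goes to one configured upstream, which is the only case in which an ISP resolver ever sees the query.

```python
"""Toy iterative resolver vs. forwarder, modelled on the pfSense forum
explanation of how Unbound resolves from the root hints.  Added example,
not Unbound code; the zone data below is constructed and the IPs are
documentation addresses, not real records."""

from typing import Dict, List, Tuple

# Root hints: where a resolver starts.  Names match the dig output.
ROOT_HINTS = ["a.root-servers.net.", "b.root-servers.net."]

# Constructed authoritative data.  Only one server per level is modelled
# (the others in the dig output are left out so the chain stays short).
# "referrals" = zones this server delegates, "answers" = records it owns.
SERVERS: Dict[str, Dict[str, Dict[str, object]]] = {
    "a.root-servers.net.": {
        "referrals": {"org.": ["a0.org.afilias-nst.info.", "b0.org.afilias-nst.org."]},
        "answers": {},
    },
    "a0.org.afilias-nst.info.": {
        "referrals": {"pfsense.org.": ["ns1.pfmechanics.com.", "ns2.pfmechanics.com."]},
        "answers": {},
    },
    "ns1.pfmechanics.com.": {
        "referrals": {},
        "answers": {"www.pfsense.org.": "192.0.2.10"},  # made-up address
    },
}


def query(server: str, qname: str) -> Tuple[str, object]:
    """Simulate one query to one authoritative server.

    Returns ("answer", ip) if the server owns the record, ("referral",
    [ns names]) if it delegates the closest enclosing zone, or
    ("nxdomain", None) if it knows nothing covering qname."""
    data = SERVERS[server]
    if qname in data["answers"]:
        return "answer", data["answers"][qname]
    best_zone, best_ns = None, None
    for zone, ns_list in data["referrals"].items():
        if qname == zone or qname.endswith("." + zone):
            if best_zone is None or len(zone) > len(best_zone):
                best_zone, best_ns = zone, ns_list
    if best_ns is not None:
        return "referral", best_ns
    return "nxdomain", None


def resolve_iteratively(qname: str, root_hints=ROOT_HINTS, max_hops: int = 10) -> Tuple[str, List[str]]:
    """Walk the delegation chain from the root hints to the answer.

    Returns (ip, trail); trail is every server the resolver actually asked.
    Note that no configured upstream (ISP resolver) ever appears in it."""
    candidates = list(root_hints)
    trail: List[str] = []
    for _ in range(max_hops):
        # Pick the first listed NS we model as reachable; a real resolver
        # would also resolve glue and pick by round-trip time.
        server = next((s for s in candidates if s in SERVERS), None)
        if server is None:
            raise RuntimeError(f"no reachable server among {candidates}")
        trail.append(server)
        kind, payload = query(server, qname)
        if kind == "answer":
            return payload, trail
        if kind == "referral":
            candidates = payload  # follow the NS referral one level down
            continue
        raise LookupError(f"{server} has no delegation covering {qname}")
    raise RuntimeError("delegation chain too long")


def resolve_by_forwarding(qname: str, upstream: str = "isp-resolver.example.") -> Tuple[str, List[str]]:
    """Forwarder mode: the only server this host talks to is the upstream
    (hypothetical name), which performs the iteration on our behalf and
    therefore sees every query we make."""
    ip, _ = resolve_iteratively(qname)  # the upstream does the root walk
    return ip, [upstream]


if __name__ == "__main__":
    ip, trail = resolve_iteratively("www.pfsense.org.")
    print("resolver mode :", ip, "via", " -> ".join(trail))
    ip, trail = resolve_by_forwarding("www.pfsense.org.")
    print("forwarder mode:", ip, "via", " -> ".join(trail))
```

The trail printed for resolver mode contains only root, TLD and pfsense.org nameservers, which is why a resolver never needs the ISP's DNS. A name outside the modelled delegations (anything not under org.) raises LookupError at the root step, standing in for the NXDOMAIN a real root server would return.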

  • Thanks johnpoz. I didn't realize that's how unbound worked, so it was a valuable lesson.

    There must be something else that is causing the DNS leak.

  • LAYER 8 Global Moderator

    What do you consider a DNS leak?? Something asking your ISP??

  • Yes, from a client that I am routing out a DNS connection, I don't want my ISP to be able to see any information that could show internet history. If I use a service to check for DNS leaks, it is listing my real IP address as the DNS server, which I have come to understand could be an issue. Perhaps I am misunderstanding how this should work.

    I use firewall rules to route certain clients out my VPN gateway interface.
