Netgate Discussion Forum
    Possible to use different upstream DNS servers for certain clients?

    7 Posts 2 Posters 1.7k Views
    macboy6

      I want all my LAN clients to use unbound DNS.  I would also like to push certain LAN clients through Unbound, but to a different upstream DNS server for specific clients.

      For example:
      Client 1 --> DNS: 192.168.1.1 (pfSense Unbound DNS) --> Upstream DNS: 8.8.8.8
      Client 2 --> DNS: 192.168.1.1 (pfSense Unbound DNS) --> Upstream DNS: 8.34.34.34

      Is the above scenario possible with pfSense?  I know I can set static DNS mappings for specific clients but that would bypass the local unbound DNS server.

      Thanks,
      Marco

      johnpoz, LAYER 8 Global Moderator

        You don't even understand how unbound works, do you… It's a resolver, not a forwarder.. Did you put it in forwarder mode?

        A resolver works down from the roots to find the authoritative server for the domain the record you're looking for is in... And then directly asks it for the IP of, say, www.domainx.com.

        If you want client1 to use dns1, and client 2 to use dns2 - then point those clients there directly..

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        macboy6

          Perhaps I didn't explain this well.

          I'm using Unbound in resolver mode and it's working fine. I was under the impression that unbound still leverages my ISP DNS. In fact, if I go to dnsleaktest it shows my internet DNS servers being used. My clients are correctly configured to point to unbound, and host overrides work well.

          If you are saying that unbound doesn't use or need an external DNS server at all, then I am very confused.

          johnpoz, LAYER 8 Global Moderator

            "I was under the impression that unbound still leverages my ISP DNS"

            Is your ISP DNS authoritative for some domain you're looking up?? Did you put unbound in forwarder mode? If not, then NO, a resolver has no need to talk to your ISP DNS.

            Unbound only needs to know where to start, the root hints.. That it already knows about.

            ;; QUESTION SECTION:
            ;.                              IN      NS

            ;; ANSWER SECTION:
            .                      433739  IN      NS      l.root-servers.net.
            .                      433739  IN      NS      g.root-servers.net.
            .                      433739  IN      NS      m.root-servers.net.
            .                      433739  IN      NS      i.root-servers.net.
            .                      433739  IN      NS      b.root-servers.net.
            .                      433739  IN      NS      d.root-servers.net.
            .                      433739  IN      NS      h.root-servers.net.
            .                      433739  IN      NS      f.root-servers.net.
            .                      433739  IN      NS      c.root-servers.net.
            .                      433739  IN      NS      k.root-servers.net.
            .                      433739  IN      NS      a.root-servers.net.
            .                      433739  IN      NS      e.root-servers.net.
            .                      433739  IN      NS      j.root-servers.net.

            From there it finds the authoritative servers for say .org

            ;; QUESTION SECTION:
            ;org.                          IN      NS

            ;; ANSWER SECTION:
            org.                    86400  IN      NS      a2.org.afilias-nst.info.
            org.                    86400  IN      NS      a0.org.afilias-nst.info.
            org.                    86400  IN      NS      b0.org.afilias-nst.org.
            org.                    86400  IN      NS      b2.org.afilias-nst.org.
            org.                    86400  IN      NS      d0.org.afilias-nst.org.
            org.                    86400  IN      NS      c0.org.afilias-nst.info.

            It then asks one of them for the authoritative server for say pfsense.org

            ;; QUESTION SECTION:
            ;pfsense.org.                  IN      NS

            ;; ANSWER SECTION:
            pfsense.org.            300    IN      NS      ns3.pfmechanics.com.
            pfsense.org.            300    IN      NS      ns1.pfmechanics.com.
            pfsense.org.            300    IN      NS      ns2.pfmechanics.com.

            It then goes and asks one of them for www.pfsense.org

            It never "Forwards" a query to any specific name server..


            macboy6
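The delegation walk described in the post above, as an added simulation that is not part of the thread: it parses NS answer lines transcribed from the quoted dig output into an in-memory table and follows referrals from the root hints down, so no network access is needed and the root and TLD data are only the subset shown in the post.

```python
"""Simulated iterative (recursive-resolver) lookup, following the post's
explanation: start at the root hints, follow NS referrals down the tree,
and only the last zone's servers are asked for the actual record.  Nothing
is forwarded to a configured upstream (ISP or otherwise)."""
import re

# Constructed sample: a few NS answer lines copied from the dig output quoted
# in the post (root, org., pfsense.org.).  Real resolvers learn these on the fly.
DIG_OUTPUT = """\
.                      433739  IN      NS      a.root-servers.net.
.                      433739  IN      NS      b.root-servers.net.
org.                    86400  IN      NS      a0.org.afilias-nst.info.
org.                    86400  IN      NS      b0.org.afilias-nst.org.
pfsense.org.            300    IN      NS      ns1.pfmechanics.com.
pfsense.org.            300    IN      NS      ns2.pfmechanics.com.
"""

# <owner> <ttl> IN NS <nsdname>, whitespace-separated as dig prints it
NS_LINE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+NS\s+(\S+)\s*$")


def parse_ns_records(text):
    """Build {zone: [nameserver, ...]} from dig-style NS answer lines."""
    zones = {}
    for line in text.splitlines():
        m = NS_LINE.match(line.strip())
        if m:
            zones.setdefault(m.group(1), []).append(m.group(3))
    return zones


def iterative_resolve(qname, zones):
    """Return the referral path [(zone, servers), ...] a resolver walks for qname.

    Each step asks the current zone's servers about the next label down.  When a
    child zone is delegated, follow the referral; otherwise the current zone's
    servers are the ones that answer the record itself (limited here to the
    delegations present in the constructed table).
    """
    qname = qname if qname.endswith(".") else qname + "."
    labels = [lab for lab in qname.split(".") if lab]
    path = [(".", zones["."])]              # root hints: the only starting point
    for i in range(len(labels) - 1, -1, -1):
        child = ".".join(labels[i:]) + "."  # org. -> pfsense.org. -> www.pfsense.org.
        if child not in zones:
            break                           # no further delegation: ask current servers
        path.append((child, zones[child]))
    return path


def final_targets(qname, zones):
    """Servers that actually get asked for the A record of qname."""
    return iterative_resolve(qname, zones)[-1][1]
```

Because every hop is a direct query from Unbound's own egress address, the authoritative servers (and a leak-test site) see the WAN IP, not an ISP or third-party resolver; that is expected for a resolver and is a separate matter from whether clients are forced through it.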

              Thanks johnpoz. I didn't realize that's how unbound worked, so it was a valuable lesson.

              There must be something else that is causing the DNS leak.

              johnpoz, LAYER 8 Global Moderator

                What do you consider a DNS leak?? Something asking your ISP??


                macboy6

                  Yes, from a client that I am routing out a DNS connection, I don't want my ISP to be able to see any information that could show internet history. If I use a service to check for a DNS leak, it is listing my real IP address as the DNS server, which I have come to understand could be an issue. Perhaps I am misunderstanding how this should work.

                  I use firewall rules to route certain clients out my VPN gateway interface.

                  Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.