Feature #6103

open

DNS Resolver Outgoing Interfaces should be able to use Gateway Groups

Added by Tobias Wigand over 5 years ago. Updated almost 2 years ago.

Status: New
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date: 04/10/2016
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes:

Description

If I use the default Outgoing Interface setting for Unbound (ALL), the DNS Resolver does not really use all interfaces but follows the IPv4/6 default routes for queries. So if the default route switches, Unbound uses the new one.
If I select WAN1 and WAN2 as outgoing interfaces, Unbound uses both simultaneously. If one of those interfaces' gateways goes down, Unbound still uses that interface for queries and they fail.
So it would be great if Unbound were able to use a load-balancing Gateway Group (all interfaces in that group as outgoing) and, in case of one gateway going down, remove that interface from unbound.conf.

Actions #1

Updated by luckman212 over 5 years ago

Don't think this is viable at this point because of a larger issue that prevents traffic originating from the firewall itself from using Gateway Groups.
https://redmine.pfsense.org/issues/5476

That ticket has stalled out because I didn't have the bandwidth to build a FreeBSD-11-CURRENT system from scratch and set up the firewall in such a way as to replicate the floating rules issue and file a bug report upstream. I posted to the forum about it as JimP suggested but it didn't take off.
https://forum.pfsense.org/index.php?topic=109249.0

Actions #2

Updated by Viktor Gurov almost 2 years ago

You can select Loopback as the Outgoing interface of the DNS Resolver.
In this case it uses the gateway group.

Actions #3

Updated by Jim Pingle almost 2 years ago

That would still only do failover, and wouldn't have the behavior suggested by OP. It should be possible to populate the selected interfaces based on a gateway group so it uses only the active interfaces. It may not be very simple, however, and would require a restart of unbound any time a gateway changed status, which could be disruptive.
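A sketch of the approach discussed in this thread, added here as an illustration and not pfSense or Unbound project code: render Unbound's `outgoing-interface:` lines from only the active members of a gateway group, and report a restart only when that set changes. The gateway names, addresses, status strings and the tier rule (use the lowest tier that has a usable member) are assumptions made for the example.

```python
# Constructed sample data: gateway group members with their monitor status and
# the local address Unbound would bind to. All names and addresses are hypothetical.
SAMPLE_GROUP = [
    {"name": "WAN1_GW", "status": "online", "tier": 1, "local_ip": "198.51.100.2"},
    {"name": "WAN2_GW", "status": "down", "tier": 1, "local_ip": "203.0.113.2"},
]

USABLE = {"online"}  # assumption: only fully healthy gateways are used


def active_addresses(group):
    """Local addresses of the members in the lowest tier that has a usable gateway."""
    usable = [m for m in group if m["status"] in USABLE]
    if not usable:
        return []
    best = min(m["tier"] for m in usable)
    return sorted(m["local_ip"] for m in usable if m["tier"] == best)


def render_outgoing(group):
    """Render the unbound.conf fragment for the currently active members."""
    # With no usable member nothing is emitted, so Unbound falls back to
    # following the default route instead of binding to a dead interface.
    return "".join(f"outgoing-interface: {ip}\n" for ip in active_addresses(group))


def needs_restart(previous_fragment, group):
    """Return (changed, new_fragment); restart Unbound only when changed is True."""
    new_fragment = render_outgoing(group)
    return new_fragment != previous_fragment, new_fragment


if __name__ == "__main__":
    fragment = render_outgoing(SAMPLE_GROUP)
    print(fragment, end="")
    # WAN2 recovers: the fragment changes, so a restart would be required.
    recovered = [dict(m, status="online") for m in SAMPLE_GROUP]
    print(needs_restart(fragment, recovered))
```

Comparing the rendered fragment against the previous one keeps restarts to actual membership changes, which limits the disruption to status transitions that matter.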
