unbound fails to switch to other forwarder DNS if one fails?
-
At home I have the following setup:
- 2 pfSense in HA setup with CARP IP on WAN and LAN
- in General Setup: the 2 IPs and hostnames of 2 of my servers running in other countries, both offering DoT
- in General Setup - use 127.0.0.1, ignore remote DNS servers
- unbound resolver running in forward mode, Use SSL/TLS checked
- behind 2 pihole DNS servers operating as DNS for the LAN
This works pretty nicely, having DNS traffic from the LAN encrypted to the external DNS servers in the other countries, not making it possible to tcpdump the DNS requests for the provider or others here. Sure, on the external ones this runs out unencrypted.
I already had that one time a month ago, but tonight I again had one of the 2 externals unreachable, and as a follow-up the LAN was not able to resolve things. unbound was not switching to the other, still working, external DNS server. I needed to remove forwarding mode to make things work again.
Is there a known problem, or could I have a misconfiguration?
Thank you for any hint.
-
@vsatmydynipnet said in unbound fails to switch to other forwarder DNS if one fails?:
not making it possible to tcpdump the DNS requests
But your SNI is still in the clear, and your ISP can still see what IPs you go to.
I don't want my ISP knowing I went to www.amazon.com, but guess what... It's right there in your SNI in the clear when you make your HTTPS connection.
How was this 1st DNS not working, did it not answer at all? I.e. timeout, or did it send back NX or SERVFAIL for what you asked for?
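The setup from the opening post, written out as a plain unbound.conf forward-zone, together with the checks that answer the timeout-vs-SERVFAIL question just asked. This is an added illustration, not the poster's pfSense-generated configuration; the forwarder addresses (192.0.2.10, 198.51.100.20) and the TLS authentication names (dns1.example.net, dns2.example.net) are placeholders standing in for the two DoT servers described in the thread.

```conf
# Added example, not the poster's pfSense-generated unbound.conf.
# Addresses and dns1/dns2 names are placeholders for the two DoT servers.
server:
    # CA bundle used to validate the forwarders' TLS certificates
    tls-cert-bundle: "/etc/ssl/cert.pem"
    # Seconds a forwarder's RTT/timeout state is kept in the infra cache.
    # An address that keeps timing out is backed off and the other
    # forward-addr is preferred for that period.
    infra-host-ttl: 900

forward-zone:
    name: "."
    # Send every query to the forwarders below over TLS (port 853)
    forward-tls-upstream: yes
    # Syntax: address@port#tls-auth-name; the name is checked against
    # the certificate the forwarder presents
    forward-addr: 192.0.2.10@853#dns1.example.net
    forward-addr: 198.51.100.20@853#dns2.example.net
```

With this loaded, `unbound-control lookup www.example.com` lists the forwarders unbound would use for a name together with their measured RTT, and `unbound-control dump_infra` dumps the infra cache, i.e. the per-address RTT and timeout state that drives which forwarder is tried first; `unbound-control flush_infra all` clears that state once a server is back. A forwarder that times out and one that answers SERVFAIL leave different traces here, which is why the question above matters. Note that `forward-first: yes` would let unbound fall back to its own recursion when both forwarders fail, but that recursion is plain DNS to the authoritative servers, so it trades the stated privacy goal for availability.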
-
The one DNS runs on a cheap VPS in the USA, and every few months they have a few hours of problems. In that case my Nagios reports them as unreachable and it looks like they lose their connectivity.
I know the SNI problem. That is why I have a separate Tor-routed network here running a Debian XRDP system in it. All of this net uses Tor as DNS and Tor for routing the traffic, and no breakout is possible, even if the user does something wrong.
For the normal LAN you would need to forward the local proxy to another proxy somewhere else, but this could cause too many slowdowns.
-
@vsatmydynipnet ok Mr. Robot... seems like a lot of trouble to keep your ISP from knowing you're going to amazon.com ;)