different DNS servers for different gateways

Petr Menšík pemensik at redhat.com
Fri May 10 14:30:08 UTC 2024


Hello Howard,

I do not think there is a simple way to make it work. It should help if 
you configure forwarding per internal-only domain, which would always 
target the internal VPN server. For general domains, it would forward 
everything to 9.9.9.9.

We have made the dnsconfd project [1] to configure unbound from 
NetworkManager. One of the things it should do is split tunnelling, which 
I think you need here. I doubt pfSense would have a UI for configuration 
of subdomain forwarders, but I do not know it. If you can configure your 
additional unbound snippets in the console, then it might work.

If you could have a config file with:

forward-zone:
   name: example.com
   forward-addr: 10.255.255.2

and repeated for all zones having special content in your VPN, then you 
could put just 9.9.9.9 into the DNS general settings.

Hope this helps.
Petr

1. https://github.com/InfrastructureServices/dnsconfd

On 29/03/2024 22:22, Howard Spindel via Unbound-users wrote:
> I have unbound configured under pfSense+ on a Netgate 8200.  I also 
> have a Wireguard VPN configured under pfSense.
>
> I have DNS forwarding configured under pfSense/DNS Resolver/General 
> Settings.  That caused unbound to forward to the two DNS servers 
> configured under pfSense General Setup.  The two DNS servers I have 
> configured there are 10.255.255.2 (the DNS server recommended by my 
> VPN provider) and 9.9.9.9 (Quad 9 public server).
>
> What I want is that when the VPN is up for unbound to forward solely 
> to 10.255.255.2 and for unbound to fall back to using 9.9.9.9 only 
> when the VPN is down.
>
> What happens now, is that unbound is free to choose either DNS server, 
> and therefore sometimes chooses 9.9.9.9 when the VPN is up. When the 
> VPN is down now, I presume that unbound still tries to forward to 
> 10.255.255.2 but since that is not a routable address when the VPN is 
> down the lookup will fail and unbound will use 9.9.9.9 instead.
>
> Is there a way to tell unbound to use 10.255.255.2 if and only if the 
> VPN is up?  I can't find it.
>
> Thank you.
>
> Howard
>
-- 
Petr Menšík
Software Engineer, RHEL
Red Hat, https://www.redhat.com/
PGP: DFCF908DB7C87E8E529925BC4931CA5B6C9FC5CB
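The split forwarding Petr describes, written out as an added example (not code from the thread, from unbound, dnsconfd or pfSense): a small generator that emits the per-zone forward-zone entries for the VPN resolver plus a catch-all "." forward-zone for 9.9.9.9. The zone list is a constructed sample; the vpn_up flag is assumed to come from whatever hook knows the tunnel state (a WireGuard PostUp/PreDown script, for instance). When the VPN is down the example emits a refusing local-zone for each internal name instead of a forwarder, so internal names are not sent to the public resolver; that choice is mine, not something the thread prescribes.

```python
"""Generate an unbound split-DNS forwarding snippet.

Added example for the thread above; not part of unbound, dnsconfd or pfSense.
Assumes: internal zones are served only by the VPN resolver (10.255.255.2 in
Howard's setup) and everything else goes to 9.9.9.9. The zone list and the
vpn_up flag are inputs you supply, e.g. from a WireGuard PostUp/PreDown hook.
"""
import ipaddress

VPN_RESOLVER = "10.255.255.2"    # value from the thread
PUBLIC_RESOLVER = "9.9.9.9"      # value from the thread
INTERNAL_ZONES = ["example.com", "corp.internal."]  # constructed sample list


def normalise_zone(name: str) -> str:
    """Lower-case, strip the trailing dot, reject empty labels."""
    name = name.strip().lower().rstrip(".")
    if not name or any(not label for label in name.split(".")):
        raise ValueError(f"invalid zone name: {name!r}")
    return name


def forward_zone(name: str, addr: str) -> str:
    """One unbound forward-zone stanza; addr must be a valid IP address."""
    ipaddress.ip_address(addr)  # raises ValueError on a malformed address
    return f'forward-zone:\n    name: "{name}"\n    forward-addr: {addr}\n'


def refuse_zone(name: str) -> str:
    """Answer REFUSED for an internal zone while the VPN is down (my choice,
    so internal names are not leaked to the public resolver)."""
    return f'local-zone: "{name}" refuse\n'


def render_forwarding(internal_zones, vpn_up: bool,
                      vpn_resolver: str = VPN_RESOLVER,
                      public_resolver: str = PUBLIC_RESOLVER) -> str:
    """Render the complete forwarding snippet for the current VPN state.

    unbound picks the forward-zone with the longest matching suffix, so the
    per-zone entries win over the "." catch-all regardless of order.
    """
    zones = sorted({normalise_zone(z) for z in internal_zones})
    parts = []
    for z in zones:
        parts.append(forward_zone(z, vpn_resolver) if vpn_up else refuse_zone(z))
    # Catch-all for every other name: always the public resolver.
    parts.append(forward_zone(".", public_resolver))
    return "\n".join(parts)


if __name__ == "__main__":
    # Print the VPN-up variant; redirect into a file that unbound includes.
    print(render_forwarding(INTERNAL_ZONES, vpn_up=True))
```

The generated text is meant to go into a file pulled in by an `include:` line in unbound.conf, with the hook rewriting it and reloading unbound whenever the tunnel comes up or goes down; that is the part pfSense's UI does not expose, as Petr notes.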