Hi, 

I haven't followed the whole thread, but just looking at the topic:
I have a similar setup (CARPed as well) for caching DNS.
2 servers, 2 CARPed IPs.

This is how it works:

unbound.conf:
server:
        interface: 127.0.0.1
        port: 53
        outgoing-interface: ext_ip
        # access-control takes a netblock and an action
        access-control: local_networks allow
        # needed because the stub zone below points at 127.0.0.1
        do-not-query-localhost: no
        include: "/var/unbound/etc/stub_zones_insecure"
        include: "/var/unbound/etc/stub_zones"

stub_zones:
stub-zone:
        name: "foo.example.com."
        stub-addr: 127.0.0.1@5678

stub_zones_insecure:
domain-insecure: "foo.example.com."

insecure is for when you have network problems, to be able to resolve;
otherwise it hangs at DNSSEC (if you have it enabled). This is for local zones
only.

resolv.conf:
nameserver 127.0.0.1

nsd.conf:
server:
   ip-address: 127.0.0.1@5678
zone:
   name: foo.example.com
   # %s is replaced by the zone name
   zonefile: /var/nsd/zones/slave/%s
   request-xfr: master_DNS_IP NOKEY
   allow-notify: master_DNS_IP NOKEY

pf.conf:
# requests from local dns server (unbound)
# (if-bound, no-sync): the state is bound to the interface it was created on
# and is not shared over pfsync, so each box keeps its own resolver states
pass out quick on $dns1_if proto {tcp, udp} to $dns1_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns1_if)
pass out quick on $dns1_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns1_if $dns1_gw) nat-to ($dns1_if)
pass out quick on $dns2_if proto {tcp, udp} to $dns2_if:network port 53 modulate state (if-bound, no-sync) nat-to ($dns2_if)
pass out quick on $dns2_if proto {tcp, udp} to any port 53 modulate state (if-bound, no-sync) route-to ($dns2_if $dns2_gw) nat-to ($dns2_if)

# requests from clients (unbound)
# queries to the CARP address are redirected to unbound on 127.0.0.1;
# reply-to sends the answers back out the interface the query came in on
pass in quick on $dns1_if proto {tcp, udp} from $dns1_if:network to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns1_if
pass in quick on $dns2_if proto {tcp, udp} from $dns2_if:network to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to $dns2_if
pass in quick on $dns1_if proto {tcp, udp} from <local_net> to ($dns1_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns1_if $dns1_gw)
pass in quick on $dns2_if proto {tcp, udp} from <local_net> to ($dns2_carp) port 53 keep state rdr-to 127.0.0.1 reply-to ($dns2_if $dns2_gw)
pass out quick on $dns1_if proto udp from 127.0.0.1 port 53 nat-to ($dns1_carp)
pass out quick on $dns2_if proto udp from 127.0.0.1 port 53 nat-to ($dns2_carp)

# nsd
# NOTIFY from the master (allow-notify above) to nsd on 127.0.0.1@5678
pass in quick on $dns1_if proto udp from $master_DNS to ($dns1_if) port 5678 keep state rdr-to 127.0.0.1 reply-to $dns1_if

Hope these help. For me they have worked for the last 2 years. The only problem
I haven't solved so far, which requires a different setup, is when you make a
change on the master and unbound still has the previous entry in the cache...
the cache has to expire.


G

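As an added example (not part of the post above, and not the poster's own tooling), here is a shell check for the one point the post leaves open: unbound keeps serving the old copy of foo.example.com. after the master changes and nsd has pulled the new zone. The script asks nsd on 127.0.0.1@5678 for the zone's SOA, checks that the answer really is authoritative (the aa flag, which confirms the stub is reaching nsd and not a cache), asks unbound on 127.0.0.1@53 for the SOA it has cached, and flushes the zone from unbound's cache when the serials disagree. It assumes dig(1) and unbound-control(8) are available and that unbound has remote control enabled (a remote-control: clause with control-enable: yes, which the post does not show). The dig output embedded below is constructed for the offline demo, not captured from a real server.

```shell
#!/bin/sh
# Added example: flush a stale local zone from unbound's cache once nsd serves
# a newer serial. Assumes nsd on 127.0.0.1@5678, unbound on 127.0.0.1@53,
# dig(1) and unbound-control(8) with remote control enabled (assumptions).

ZONE="foo.example.com."
NSD_ADDR="127.0.0.1"
NSD_PORT="5678"
UNBOUND_ADDR="127.0.0.1"
UNBOUND_PORT="53"

# Extract the SOA serial from "dig +noall +answer ... SOA" output on stdin.
# Answer line: NAME TTL IN SOA MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM
soa_serial() {
    awk '$3 == "IN" && $4 == "SOA" { print $7; exit }'
}

# Return 0 when the full dig output on stdin carries the "aa" flag, i.e. the
# answer came from an authoritative server (nsd) rather than from a cache.
is_authoritative() {
    grep -q '^;; flags:.* aa[ ;]'
}

# Return 0 when unbound should be flushed: nsd gave a serial and the cached
# serial is missing or differs from it. A string compare is enough here; any
# difference means unbound is still serving an older copy of the zone.
is_stale() {
    auth_serial="$1"
    cached_serial="$2"
    [ -n "$auth_serial" ] && [ "$auth_serial" != "$cached_serial" ]
}

# Live check against the running daemons ("sh check_zone.sh run").
check_and_flush() {
    if ! dig @"$NSD_ADDR" -p "$NSD_PORT" +norecurse "$ZONE" SOA | is_authoritative; then
        echo "nsd answer for $ZONE is not authoritative; check stub-addr and the pf rdr" >&2
        return 2
    fi
    auth=$(dig @"$NSD_ADDR" -p "$NSD_PORT" +norecurse +noall +answer "$ZONE" SOA | soa_serial)
    cached=$(dig @"$UNBOUND_ADDR" -p "$UNBOUND_PORT" +noall +answer "$ZONE" SOA | soa_serial)
    if [ -z "$auth" ]; then
        echo "no SOA from nsd at $NSD_ADDR@$NSD_PORT for $ZONE" >&2
        return 2
    fi
    if is_stale "$auth" "$cached"; then
        echo "unbound has serial ${cached:-none}, nsd has $auth: flushing $ZONE"
        unbound-control flush_zone "$ZONE"
    else
        echo "unbound cache is current (serial $auth)"
    fi
}

# Constructed sample dig output (not captured from a real server) so the
# parsing can be exercised without a live resolver.
SAMPLE_NSD_HEADER=';; flags: qr aa; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1'
SAMPLE_NSD_SOA='foo.example.com. 3600 IN SOA ns1.example.com. hostmaster.example.com. 2024010102 3600 900 604800 3600'
SAMPLE_CACHED_SOA='foo.example.com. 2712 IN SOA ns1.example.com. hostmaster.example.com. 2024010101 3600 900 604800 3600'

# Offline demo on the constructed samples ("sh check_zone.sh" with no argument).
demo() {
    auth=$(printf '%s\n' "$SAMPLE_NSD_SOA" | soa_serial)
    cached=$(printf '%s\n' "$SAMPLE_CACHED_SOA" | soa_serial)
    if printf '%s\n' "$SAMPLE_NSD_HEADER" | is_authoritative; then
        echo "sample nsd answer is authoritative"
    fi
    if is_stale "$auth" "$cached"; then
        echo "sample: cached serial $cached is older than nsd serial $auth (would flush)"
    fi
}

case "${1:-demo}" in
    run)  check_and_flush ;;
    demo) demo ;;
esac
```

Run it from cron on each box, or right after nsd finishes a transfer, and the cached copy is dropped as soon as the serial moves instead of waiting for the record TTLs to run out. unbound-control flush_zone removes every cached name under the zone, so the next client query goes back to nsd through the stub.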