I suspect you may be looking for a different package to do this.  Perhaps 
dnsdist might fit this requirement, as it has the concept of “up” and “down” 
for forwarders. Unbound would still live in the path but would treat dnsdist as 
the “forwarder” and then dnsdist would select which subsequent forwarder to use 
based on a number of different tune-able metrics or tests.

Quad9 uses dnsdist in the opposite configuration, where users terminate on 
dnsdist and from there are sent to back-end resolvers of unbound, powerdns, or 
bind.

JT


On 10 May 2024, at 17:58, Howard Spindel via Unbound-users wrote:

> Thank you for the reply, but I doubt if that suggestion would do what I was 
> looking for.
>
> The problem with creating forwards specific to certain local zones is that 
> the desired forward changes depending on whether the VPN is up or not.
>
> But I appreciate the reply.
>
> Howard
>
> On 5/10/2024 7:30 AM, Petr Menšík via Unbound-users wrote:
>> Hello Howard,
>>
>> I do not think there is a simple way to make it work. It should help if you 
>> configure forwarding per internal-only domain, which would always target the 
>> internal VPN server. For general domains, it would forward everything to 
>> 9.9.9.9.
>>
>> We have made the dnsconfd project [1] to configure unbound from Network Manager. 
>> One of the things it should do is split tunnelling, which I think you need here. 
>> I doubt pfSense would have a UI for configuring subdomain forwarders, but 
>> I do not know it. If you can configure your additional unbound snippets in the 
>> console, then it might work.
>>
>> If you could have a config file with:
>>
>> forward-zone:
>>   name: example.com
>>   forward-addr: 10.255.255.2
>>
>> and repeated for all zones having special content in your VPN, then you 
>> could put just 9.9.9.9 into DNS general settings.
>>
>> Hope this helps.
>> Petr
>>
>> 1. https://github.com/InfrastructureServices/dnsconfd
>>
>> On 29/03/2024 22:22, Howard Spindel via Unbound-users wrote:
>>> I have unbound configured under pfSense+ on a Netgate 8200.  I also have a 
>>> Wireguard VPN configured under pfSense.
>>>
>>> I have DNS forwarding configured under pfSense/DNS Resolver/General 
>>> Settings.  That causes unbound to forward to the two DNS servers configured 
>>> under pfSense General Setup.  The two DNS servers I have configured there 
>>> are 10.255.255.2 (the DNS server recommended by my VPN provider) and 
>>> 9.9.9.9 (Quad 9 public server).
>>>
>>> What I want is that when the VPN is up for unbound to forward solely to 
>>> 10.255.255.2 and for unbound to fall back to using 9.9.9.9 only when the 
>>> VPN is down.
>>>
>>> What happens now is that unbound is free to choose either DNS server, and 
>>> therefore sometimes chooses 9.9.9.9 when the VPN is up. When the VPN is 
>>> down now, I presume that unbound still tries to forward to 10.255.255.2, but 
>>> since that is not a routable address when the VPN is down, the lookup will 
>>> fail and unbound will use 9.9.9.9 instead.
>>>
>>> Is there a way to tell unbound to use 10.255.255.2 if and only if the VPN 
>>> is up?  I can't find it.
>>>
>>> Thank you.
>>>
>>> Howard

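To make JT's dnsdist suggestion concrete for the setup Howard describes, here is an added example of a minimal dnsdist.conf; it is not from anyone in the thread and not from the dnsdist or Unbound projects. unbound forwards everything to dnsdist on localhost, and dnsdist's own backend health checks decide whether the VPN resolver is "up". The listen port 5353 and the probe name are assumptions.

```lua
-- dnsdist.conf: added example, not code from the thread.
-- unbound side (assumed): forward the whole namespace to dnsdist with
--   forward-zone:
--     name: "."
--     forward-addr: 127.0.0.1@5353
-- Port 5353 is an assumption; any free local port works.
setLocal("127.0.0.1:5353")
addACL("127.0.0.0/8")        -- only the local unbound may query dnsdist

-- Preferred backend: the VPN resolver (order = 1).
-- dnsdist probes it every checkInterval seconds. While the tunnel is down,
-- 10.255.255.2 is unreachable, the probes fail, and after maxCheckFailures
-- the backend is marked "down" and skipped until it answers again.
newServer({
  address = "10.255.255.2",
  name = "vpn-dns",
  order = 1,
  checkName = "a.root-servers.net.",  -- assumed probe name; any name the backend answers
  checkInterval = 5,
  maxCheckFailures = 2,               -- two failed probes -> down
  rise = 2,                           -- two good probes -> up again
  mustResolve = true                  -- SERVFAIL/NXDOMAIN/REFUSED on the probe counts as a failure
})

-- Fallback backend: Quad9 (order = 2), used only while vpn-dns is down.
newServer({
  address = "9.9.9.9",
  name = "quad9",
  order = 2,
  checkName = "a.root-servers.net.",
  checkInterval = 5
})

-- firstAvailable always hands the query to the lowest-order backend that is
-- currently up, so 10.255.255.2 receives every query while the VPN works.
setServerPolicy(firstAvailable)
```

One consequence worth checking before relying on this: while the tunnel is down, every query, including ones for VPN-internal names, leaves via 9.9.9.9. If that is a concern, keep Petr's per-zone forward-zone entries in unbound pointing at 10.255.255.2 so those names never fall back to the public resolver.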