Set source interface for DNS queries

Ventresca · April 11, 2022, 12:11pm

Hello,

is it possible to have the feature to set a specific source interface to perform DNS queries?

In a complex scenario not all router’s interfaces are permitted to access specific networks or to access Internet, and DNS queries, like other router’s functions, need to be sourced by a specific interface.

E.G. for management purposes the NTP server pools and DNSs should be on a specific network open only to specific addresses that are bound to the routers loopback interfaces.

Thank you.

Regards.

Fabio.

n.fort · April 11, 2022, 12:13pm

Maybe local-route policy is what you are looking for: Policy — VyOS 1.3.x (equuleus) documentation

Ventresca · April 11, 2022, 2:18pm

Thank you for your answer, but I think that PBR is not suitable in this case.

I set up a loopback interface (dummy interface dum0) with the address that I use to build BGP peerings, this loopback is also used for remote management, for dns queries and for ntp syncronization.

This loopback is also routed by an IGMP protocol into the local network via multiple links so anyway it should grant reachability to the router if one of the links fail.

If I set up a PBR on the address of the loopback interface (dum0) I would break the IGP routing and, moreover, I shouldn’t solve the DNS query problem because the queries still orignate from a different address (not the dum0 interface, in this case them use and ethernet interface).

I don’t know if i was able to explain my problem clearly.

Thank you.

Regards.

Fabio.

n.fort · April 11, 2022, 2:24pm

Yes, I understand. Maybe a turn around with source nat could do the trick

Ventresca · April 11, 2022, 4:46pm

Hello, in another forum of another linux based router someone told me to configure a local dns server/forwarder (in VyOS is the dns forwarding) and set the local dns/forwarder as the system name-server.

This worked fine.

My actual VyOS configuration for dns query source interface is like this:

set service dns forwarding allow-from '0.0.0.0/0'
set service dns forwarding cache-size '0'
set service dns forwarding listen-address '127.0.0.1'
set service dns forwarding name-server '8.8.8.8'
set service dns forwarding name-server '8.8.4.4'
set service dns forwarding source-address '10.0.0.2' <-- The address of my loopback dum0 interface
set system name-server '127.0.0.1'

marekm72 · June 7, 2022, 3:55pm

I was looking for the same thing. On a router connected to an IXP, where the IP addresses set on interfaces talking to eBGP peers are public but not necessarily globally routable, I want to always use my loopback IP (public, globally routable, from my own IP address space) for any non-eBGP traffic to/from the router itself. SSH server and NTP client have such options for example, but the built-in DNS resolver doesn’t - so it may have trouble reaching DNS servers if the wrong source IP is chosen automagically. It would be best to be able to specify query source address for the built-in resolver, but this workaround will do for now. Thanks for the hint!