[Solved] Failover and load-balancing DNS queries with Unbound

arabesc

I would like to configure Unbound to support failover and load-balancing for DNS queries. I tried this (/etc/unbound/forward.conf):
Code:
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@65053
    forward-addr: 127.0.0.1@65054
    forward-addr: 127.0.0.1@65055
    forward-addr: 127.0.0.1@65056
    forward-addr: 127.0.0.1@65057
Each entry represents a local dns/dnscrypt-proxy service which resolves DNS queries. In fact, it seems that Unbound uses only the last entry; if it fails, then all DNS queries to Unbound fail. There's no fallback to another available service from the list, and I don't see anything similar to load-balancing between available services. What's wrong with it?
Oko

I am honestly not sure what you want to accomplish. Unbound is validating, recursive, and caching only DNS. Let's suppose that you have six Unbound servers in your local domain (the maximum number of DNS servers Linux supports in /etc/resolv.conf), each of which has the same forward.conf file. And let's suppose you list all six in /etc/resolv.conf on your FreeBSD desktop.

Code:
search mydomain.org
nameserver 192.168.1.1
nameserver 192.168.1.2
nameserver 192.168.1.3
nameserver 192.168.1.4
nameserver 192.168.1.5
nameserver 192.168.1.6
lookup file bind

The first Unbound to return the query will win. It is not like you have to wait for 192.168.1.1 to fail before 192.168.1.2 can give the answer. It is a different situation with an authoritative server like NSD. Now BIND suffers bi-polar disorder and it thinks it is a caching and authoritative server in one so it needs failover.

arabesc

Oko said:
Unbound is validating, recursive, and caching only DNS.
Mainly, I need its caching functionality.

Oko said:
I am honestly not sure what you want to accomplish.

I want two things:
  1. spread/parallel DNS queries from the (local) Unbound between different (remote) DNS servers;
  2. if a (local->remote) DNS query fails or takes too much time, there should be fallback to other (remote) DNS data sources.
Oko said:
Let's suppose that you have six Unbound servers in your local domain

No-no, I have only one (local) Unbound server and several (remote) DNS data sources for it. It would be great to configure Unbound to use all these data sources, but not just one of them.

arabesc

I have found this message here:
W.C.A. Wijngaards said:
This is the way it is implemented today. Unbound can failover for stub-zones (and forward-zones) if nameservers do not respond and stops asking if they are down.
But I don't observe such behaviour. There are five local DNS resolvers which are specified in the forward-zone and it seems that dns/unbound uses only one (last) of them without failover or load balancing.

arabesc

So, it's a bug and the fix will be included in the upcoming Unbound release (already fixed in the trunk). As a workaround, one can use different IP addresses instead of different ports. PR 194954.
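Added example, not code from this thread or from Unbound itself: a small Python script that pulls the forward-addr entries out of a forward.conf fragment, flags the same-IP-with-several-ports layout that the thread says the affected release collapsed to a single upstream (PR 194954), and sends a plain UDP A query to each forwarder so you can check which ones actually answer before relying on failover. The inline config text and the example.com query name are constructed for the example.

```python
import re
import socket
import struct
from collections import defaultdict

# Constructed sample: the forward.conf fragment from the thread (inline, not read from disk).
SAMPLE_CONF = """forward-zone:
    name: "."
    forward-addr: 127.0.0.1@65053
    forward-addr: 127.0.0.1@65054
    forward-addr: 127.0.0.1@65055
"""

def parse_forward_addrs(text):
    """Return (ip, port) tuples from forward-addr lines. Unbound's '@port' suffix is
    optional (default 53); a trailing '#authname' (TLS auth name) is ignored here."""
    addrs = []
    for m in re.finditer(r"^\s*forward-addr:\s*(\S+)", text, re.M):
        host, _, port = m.group(1).split("#")[0].partition("@")
        addrs.append((host, int(port) if port else 53))
    return addrs

def shared_ip_groups(addrs):
    """IPs listed with several ports: the layout the thread reports as broken in the
    affected release; the workaround is to give each forwarder its own IP address."""
    by_ip = defaultdict(list)
    for ip, port in addrs:
        by_ip[ip].append(port)
    return {ip: ports for ip, ports in by_ip.items() if len(ports) > 1}

def probe(ip, port, name="example.com", timeout=2.0):
    """Send one plain-UDP A query and report whether a reply with our ID and QR=1 came back."""
    header = struct.pack("!HHHHHH", 0x1234, 0x0100, 1, 0, 0, 0)  # ID, RD set, 1 question
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.split(".")) + b"\x00"
    packet = header + qname + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(packet, (ip, port))
            data, _ = s.recvfrom(512)
        except OSError:  # timeout, ICMP port unreachable, etc.
            return False
    return len(data) >= 12 and data[:2] == packet[:2] and bool(data[2] & 0x80)

if __name__ == "__main__":
    addrs = parse_forward_addrs(SAMPLE_CONF)
    for ip, ports in shared_ip_groups(addrs).items():
        print(f"warning: {ip} listed with ports {ports}; use distinct IPs as a workaround")
    for ip, port in addrs:
        print(f"{ip}@{port}: {'answers' if probe(ip, port) else 'no answer'}")
```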