Organizing and Designating DNS Pathway for primary and fallback
Setup: network is a Firewalla Gold running a dockerized AdGuard Home with a LAN and separate VLANs
Maybe I'm (and most very likely am) overthinking this; however, the DNS flow I was envisioning was to use NextDNS as my primary service with all traffic flowing through a local AdGuard Home instance, which I have been able to successfully implement. Now I am trying to evolve and advance my architecture to include a fallback pathway to Cloudflare should NextDNS become unavailable; however, it doesn't seem like there is a way to designate DNS traffic to run this way. (Meaning if I add both NextDNS and Cloudflare IPs to the Firewalla Gold and the AdGuard Home interface, it seems like traffic kind of gets mishmashed and goes wherever it may land.)
Question: In order to really ensure traffic is going along the designated desired path, is it best that the fallback be its own separate local resolver to an upstream service, where I would just switch settings in the Gold box? i.e. the primary service be solely to NextDNS, with a backup on a separate instance (probably on a single board computer) pointing to Cloudflare?
Or if I'm totally overthinking this, please say so. I would love to learn about other folks' setups and how they organize their DNS services!
-
In my opinion, you are way over-engineering this. You have layers of duplication:
- nextDNS
- Firewalla
- AdGuard Home
- cloudflare...
This will make it very difficult to diagnose issues with DNS, performance, and blocking. All of these providers/solutions, in my view, have enough redundancy to feel pretty confident about them. If you want a DNS service for additional blocking, then just pick the one you like best. Easiest to integrate through Firewalla (e.g. DoH), but for NextDNS I prefer the nextdns CLI (github.com/mbierman/Firewalla-NextDNS-CLI-install installer for Firewalla Purple and Gold series).
Personally I've been running NextDNS along with Firewalla and on the whole, I like it. I don't max out on NextDNS for blocking, to try to avoid the earlier concern. Before that, I used Cloudflare, which was very robust, and before that OpenDNS, which was also very solid.
If you do want to go with something like you describe, be sure to consider what trade-offs may be necessary. I gave up on Pi-hole because I didn't like the trade-offs required, for example.
-
I'm actually going through DNS issues right now. I have mine set up with the primary DNS pointing to a local instance of Pi-hole, which forwards requests to my Windows 2012 R2 Server, which forwards requests to Google, and if Pi-hole is not available at all, the 2nd DNS was set to my Firewalla Gold+..... I have since taken all of that out of the loop and have the Firewalla Gold+ as the primary. I'm having issues with getting random server fail responses.
-
WAN DNS servers are specified by Spectrum. LAN was pointed to my Pi-hole at first, then I removed that and had it pointed at just the Windows 2012 R2 DNS server, now I removed that too and point just to the FWG+, and all seems well .... so far. I think I did find the issue though. Looking through the DNS logs on my Windows Server, it was receiving requests via IPv6 although I don't have IPv6 set up ...... I'm still looking into that side of things though ......
-
@michael thank you for the sanity check. I figured I've WAAAY over-engineered this.... I've tried the nextdns CLI; the only thing is that doing everything via the command line is just too nerve-racking and something I'm not as comfortable with as opposed to a GUI. So does this then make sense? (Have everything point to AdGuard Home, which is set up solely to coordinate with NextDNS?) The main purpose of AdGuard Home is a local server, because I like to monitor queries etc. more as an educational practice.
-
@michael so I'm giving the nextdns CLI a try... I'm just a bit confused on setting VLANs with different profiles in the initial setup. Do I just write in additional IP=x and PROFILE=asdf lines? Also with VPN profiles, where do the profile IDs come from? Apologies if this is super basic, but I'm fairly new to all of this.
-
@w m
You can't reuse the same variable for more than one LAN or VLAN. You could do this at the top of the script (e.g. ~ line 20):

VLAN1IP=[fill in the IP of the VLAN or LAN]
VLAN1ID=[fill in the nextDNS profile you want to use]
VLAN2IP=[fill in the IP of the VLAN or LAN]
VLAN2ID=[fill in the nextDNS profile you want to use]
# etc

Then modify this part from:

sudo nextdns install \
-config $id \
-report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns ${IP} -listen ${IP}:5555

to:

# $id will be the default config. I don't know if you absolutely have to have this.
sudo nextdns install \
-config $id \
-config $VLAN1IP/24=$VLAN1ID \
-config $VLAN2IP/24=$VLAN2ID \
-report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns ${IP} -listen ${IP}:5555

If you get stuck, post your modified script and I can have a look.
-
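The per-VLAN mapping above is easy to get wrong by hand (a typo in a profile ID, an octet above 255, or two VLAN variables that resolve to the same /24 so one silently shadows the other). The script below is an added example, not code from this thread or from the nextdns project, that builds the "-config" flags from a list of "<interface-ip>/<prefix>=<profile-id>" entries, validates each one, refuses duplicate subnets, and prints the resulting `nextdns install` command instead of running it. The sample mapping, the listen IP, and the assumption that a NextDNS profile ID is six alphanumeric characters are all constructed for this example; the one behaviour it relies on from the CLI is that a `-config` without a subnet condition is used for clients matching no subnet.

```bash
#!/usr/bin/env bash
# Added example, not code from the thread or the nextdns project.
# Builds the per-VLAN "-config <subnet>=<profile>" flags for `nextdns install`
# from a space-separated list of "<interface-ip>/<prefix>=<profile-id>"
# entries, rejecting malformed entries and two VLANs that map to the same
# subnet before anything reaches the CLI. The script only prints the command.

# Constructed sample mapping and Firewalla LAN IP (assumptions for this example).
VLAN_MAP="192.168.1.1/24=abc123 192.168.20.1/24=def456"
LISTEN_IP=${LISTEN_IP:-192.168.1.1}

# Assumption: a NextDNS profile ID is 6 alphanumeric characters.
validate_profile() {
  printf '%s\n' "$1" | grep -Eq '^[A-Za-z0-9]{6}$'
}

# validate_entry "ip/prefix=profile": shape check, then every octet <= 255.
validate_entry() {
  printf '%s\n' "$1" \
    | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}/([0-9]|[12][0-9]|3[0-2])=[A-Za-z0-9]{6}$' \
    || return 1
  ok=1
  for octet in $(printf '%s\n' "${1%%/*}" | tr . ' '); do
    [ "$octet" -le 255 ] || ok=0
  done
  [ "$ok" -eq 1 ]
}

# ip_to_int a.b.c.d -> the address as a 32-bit integer.
ip_to_int() {
  printf '%s\n' "$1" | {
    IFS=. read -r a b c d
    echo $(( (a << 24) | (b << 16) | (c << 8) | d ))
  }
}

# network_of ip/prefix -> integer network address, so that 192.168.1.1/24 and
# 192.168.1.50/24 are recognised as the same subnet.
network_of() {
  ip=${1%%/*}
  prefix=${1##*/}
  mask=$(( (0xFFFFFFFF << (32 - prefix)) & 0xFFFFFFFF ))
  echo $(( $(ip_to_int "$ip") & mask ))
}

# build_config_args <default-profile> "<map>"
# Prints one "-config ..." flag per line. The unconditioned profile goes first:
# nextdns uses the -config without a subnet condition for clients that match
# no subnet, which is what the post above calls the "default config".
build_config_args() {
  default=$1
  map=$2
  seen=""
  validate_profile "$default" || { echo "bad default profile: $default" >&2; return 1; }
  printf '%s\n' "-config $default"
  for entry in $map; do
    validate_entry "$entry" || { echo "malformed entry: $entry" >&2; return 1; }
    net=$(network_of "${entry%%=*}")
    case " $seen " in
      *" $net "*) echo "duplicate subnet: $entry" >&2; return 1 ;;
    esac
    seen="$seen $net"
    printf '%s\n' "-config $entry"
  done
}

# print_install_cmd <default-profile> "<map>": the full command, ready to paste.
print_install_cmd() {
  args=$(build_config_args "$1" "$2") || return 1
  printf 'sudo nextdns install \\\n'
  printf '%s\n' "$args" | sed 's/^/  /; s/$/ \\/'
  printf '  -report-client-info -cache-size=10MB -max-ttl=5s -discovery-dns %s -listen %s:5555\n' \
    "$LISTEN_IP" "$LISTEN_IP"
}

print_install_cmd abc123 "$VLAN_MAP"
```

Run it as-is to see the generated command for the sample mapping, or set VLAN_MAP to your own interface IPs and profile IDs; a rejected entry is reported on stderr and nothing is printed, which is the point of checking before `nextdns install` ever sees the flags.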
@James
WAN DNS servers are specified by Spectrum. LAN was pointed to my Pi-hole at first, then I removed that and had it pointed at just the Windows 2012 R2 DNS server, now I removed that too and point just to the FWG+, and all seems well .... so far. I think I did find the issue though. Looking through the DNS logs on my Windows Server, it was receiving requests via IPv6 although I don't have IPv6 set up ...... I'm still looking into that side of things though ......
Yeah, if you don't have IPv6, maybe disable it on the WAN/LAN and on the Windows R2 server and you will probably be fine. Pi-hole can work, but I found it annoying because it doesn't play well with Firewalla, in my opinion.
-
@Michael
Yeah, if you don't have IPv6, maybe disable it on the WAN/LAN and on the Windows R2 server and you will probably be fine. Pi-hole can work, but I found it annoying because it doesn't play well with Firewalla, in my opinion.
I did have IPv6 disabled and it was not ticked in the Windows 2012 R2, so not sure how the request was sent (Pi-hole forward maybe?). I have since enabled IPv6 because Spectrum just added an IPv6 address to my modem.... maybe that is why??? Not sure.
Pi-hole can work, but I found it annoying because it doesn't play well with Firewalla, in my opinion.
I had Pi-hole for the added block lists ..... but honestly the wifey didn't like it and I added her devices to an exception list .... so I'll most likely just remove it completely and not worry about it.