Technitium DNS -- How is it best to structure network with VLANs and avoid asymmetric routing?


Posts: 1
Topic starter
(@kevinhilton)
New Member
Joined: 6 hours ago

Brandon (and any others)

I read with earnest your recent post regarding Technitium DNS (tDNS) clustering.  I currently have tDNS on 3 separate instances with zone transfers between the master and two secondary instances.  I'm likely to convert to clustering soon but just haven't had time to convert the setup.

My question is in regards to network design particularly when there is a tDNS or separate DNS server involved.  Let me explain.  My current homelab has 5 separate VLANs with a pfSense router. pfSense with its unbound DNS used to be my main DNS server for the LAN.  It worked well, however it became an issue when adding a second external home through a WG VPN.  The external site ran its own pfSense server with its DNS records and I wanted to keep all the DNS records in sync so hence the switch to other DNS software that is capable of zone transfers and synchronization.

In making this decision however I wasn't aware that I would run into issues with asymmetric routing between VLANs, particularly with computers on the LAN that have multiple virtual NICs.  My question regards specifically how to design the network with a DNS server -- that is external to pfSense -- to try to avoid asymmetric routing.  In the professional world do you put the DNS server on its own separate LAN and all DNS requests are routed?  As my tDNS server is virtualized on Proxmox, I tried making my tDNS server a "multihome" device where it has attached a virtual network card for each of the various VLANs.  This works well if the client has a single network interface, but I start running into issues when the client possibly has two virtual NICs in place for two different VLANs.  When there are multiple network cards in place, sometimes the request may leave out of one interface and pass through the router, but tDNS replies via a different networking card with a direct non-routable response where the card might have the same broadcast address space.  This scenario could also go the other way where the request goes directly to tDNS but the response is through a different networking card and is routed through pfSense.  I've unfortunately delved into the world of trying policy-based routing (PBR) and I've been working with AI to try to resolve some of the asymmetric routing issues but it's been a long slog and filled with some unexpected findings.

What's the best way to design VMs and tDNS if there are multiple networks or VLANs involved?  Just trying to figure out what is done in the real world as I'm guessing this might be a common problem.  


1 Reply
Brandon Lee
Posts: 643
Admin
(@brandon-lee)
Member
Joined: 15 years ago

@kevinhilton, Great question and I think you are already driving at the right answer here to your question. The short answer I can give you is that multi-homing invariably always opens a can of worms outside of DNS in general. DNS servers or other services you might run with multi-homed configurations are almost always subject to these types of asymmetric routing problems. It works on paper so to speak, but in practice it causes a lot of issues to multi-home machines unless you have a very specific reason to do so, like a machine has to have layer 2 line of sight access to a particular VLAN.

In most enterprise environments I have managed and this includes my home lab, DNS servers are typically single-homed and placed on a dedicated infrastructure or server VLAN. All other VLANs simply route DNS traffic to them. This is how my home lab functions today. I have a servers VLAN where my DNS servers reside and then I forward DNS requests to these servers from many other VLANs. This keeps request and reply paths consistent and avoids the asymmetric problem you have described here.

Realistically, all you need is a clean routed environment for your multiple VLANs which pfSense can do, and then have your firewall rules set up so that port 53 UDP and TCP traffic is allowed from any source that you want to be able to communicate with your self-hosted DNS configuration.

So, here is what I would do:

  • Configure one NIC on the DNS server

  • One VLAN for infrastructure or servers

  • pfSense routing DNS from all VLANs to that DNS IP or requests from the clients you want to have trusted for this DNS configuration

  • DHCP handing out the same DNS servers everywhere

This keeps things simple and avoids policy-based routing, asymmetric replies, and weird behavior. I try to avoid multi-homing again unless I need this for a specific reason.

If you need redundancy, I would always have multiple DNS servers and use clustering, but keep them single-homed. Let me know if this helps Kevin. Thanks again for the question and let me know if you run into any hurdles here and we can work through them.

Brandon
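As an added illustration, not part of either post and using constructed VLAN addressing (pfSense as the .1 gateway on each VLAN, tDNS at .53), here is a small Python model of the host route lookup that produces the asymmetry Kevin describes, and of why the single-homed layout Brandon recommends keeps request and reply on the same path:

```python
import ipaddress


class Host:
    """Minimal host model: connected interfaces plus one default gateway (constructed example)."""

    def __init__(self, name, interfaces, gateway):
        self.name = name
        # interfaces: {"ifname": "10.0.10.53/24"}
        self.ifaces = {n: ipaddress.ip_interface(a) for n, a in interfaces.items()}
        self.gateway = ipaddress.ip_address(gateway)

    def egress(self, dst):
        """Route lookup as a typical host does it: a connected subnet beats the default route."""
        dst = ipaddress.ip_address(dst)
        for name, iface in self.ifaces.items():
            if dst in iface.network:
                return ("direct", name)          # layer-2 delivery, pfSense never sees it
        for name, iface in self.ifaces.items():
            if self.gateway in iface.network:
                return ("via pfSense", name)     # routed, so pfSense state table sees it
        raise ValueError(f"{self.name}: no route to {dst}")


def query_paths(client, client_src, server, server_addr):
    """Compare the request path (client -> server) with the reply path (server -> client)."""
    request = client.egress(server_addr)
    reply = server.egress(client_src)
    # Symmetric only if both legs cross pfSense or both stay on the wire; a mixed pair is
    # exactly the case where the firewall sees the query but not the answer.
    return {"request": request, "reply": reply, "symmetric": request[0] == reply[0]}


# Constructed topology: VLAN10 = 10.0.10.0/24, VLAN20 (servers) = 10.0.20.0/24, VLAN30 = 10.0.30.0/24.
# Client VM with two virtual NICs (VLAN10 and VLAN30), default gateway on VLAN10.
client = Host("client", {"eth0": "10.0.10.77/24", "eth1": "10.0.30.77/24"}, "10.0.10.1")
# Multi-homed tDNS: one vNIC per VLAN, default gateway on the servers VLAN.
multihomed = Host("tdns-multi", {"net0": "10.0.10.53/24", "net1": "10.0.20.53/24",
                                 "net2": "10.0.30.53/24"}, "10.0.20.1")
# Single-homed tDNS: only on the servers VLAN, everything else is routed to it.
singlehomed = Host("tdns-single", {"net0": "10.0.20.53/24"}, "10.0.20.1")


def multihomed_case():
    # Client is configured to query the server's VLAN20 address from its VLAN10 NIC.
    return query_paths(client, "10.0.10.77", multihomed, "10.0.20.53")


def singlehomed_case():
    return query_paths(client, "10.0.10.77", singlehomed, "10.0.20.53")


if __name__ == "__main__":
    for label, result in (("multi-homed", multihomed_case()), ("single-homed", singlehomed_case())):
        print(label, result)
```

In the multi-homed case the query is routed through pfSense but the answer leaves the server's VLAN10 vNIC directly; with the server single-homed, both legs pass through pfSense and the firewall state matches.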
