Forcing clients to route through a specific gateway to specific ISP DNS servers?

jibun no kage (New Member, joined Feb 7, 2022)
Wondering if the following is the best way to force clients to route through a specific gateway? Here is the scenario: we have two routers, that are not bridged and can't be. Each router is connected to a given ISP. Our internal DHCP servers are configured to be local authoritative, so each client gets two router IP addresses, for discussion 192.168.1.1 and 192.168.1.2. Our DNS servers forward non-local resolves to the ISP DNS servers. This works until the ISP DNS servers for a given ISP stop responding, stop resolving. The given ISP DNS servers are not down, they just stop resolving once in a while. This effectively blinds our internal DNS servers. Because the router is pingable, and the ISP DNS servers are pingable, we have an issue since no DNS resolution is working. Now if we could somehow test the DNS 'path' and then block the broken path, this would be the best of both worlds, so to speak. In any other environment, we would just bridge the routers, set up crossover to each ISP, and call it done. But in this case, we can't, so we need to do something creative.

For example... In a full working scenario...
Route 1, workstation 1, local DNS 1 forward, using gateway 1, transports to router 1, then ISP 1 DNS responds
Route 2, workstation 1 local DNS forward, using gateway 2, transports to router 2, then ISP 2 DNS responds

But if say ISP 1 DNS does not respond or resolve but is still pingable, the DNS query fails. How can I force workstation 1 to then use ISP 2 DNS? The first thought was to have a watchdog service, test a DNS query and if it fails, just delete the route 1 entry from the routing table on local DNS 1, so that it can't use or see the non-responding ISP 1 DNS source. But is that the only way? Again the routers are limited, we can't use any of the usual fancy features or methods enterprise routers have, since they are very simple routers.
 


Typically this is simply done in the DNS config on each client.

Is this DHCP? You can set the DNS server in the DHCP config.

If these are old network.d type servers, edit your /etc/resolv.conf like this:

nameserver 1.2.3.4
nameserver 1.2.3.5

If it can't reach .4, it'll use .5

If you have newer NetworkManager type systems:

nmcli con mod eno1 ipv4.dns '1.2.3.4,1.2.3.5'

(You may have to bounce the interface or reboot to take effect)
Again, if it can't reach .4 it will use .5.

The routing table shouldn't matter as long as I can reach the IP.
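The watchdog jibun no kage sketches in the first post, and the nameserver-list fallback dos2unix describes above, as one added example (my code, not anything posted in this thread): it sends a real A query to each upstream, classifies the reply so that a server answering SERVFAIL, REFUSED or an empty answer is told apart from one that times out (the thread's case is a server that pings but does not resolve), and then emits the route removal plus a resolv.conf listing only the upstreams that actually resolve. The ISP resolver addresses (TEST-NET ranges), the probe name, the per-upstream /32 host route via its own gateway, and the use of `ip route del` as the action are assumptions, not details from the thread.

```python
# Added example for this thread (not code posted by jibun no kage, dos2unix or
# anyone else here). It implements the OP's "watchdog" idea: probe each ISP
# resolver with a real DNS query and judge the answer, not reachability,
# because the failure described is a server that pings but does not resolve.
# Assumptions (placeholders, not values from the thread): the ISP resolver
# addresses are TEST-NET addresses, the probe name stands in for a name you
# know has an A record, and a /32 host route per upstream via its own gateway
# is how the two paths are pinned to 192.168.1.1 and 192.168.1.2.
import random
import socket
import struct

# DNS response codes from RFC 1035 section 4.1.1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Placeholder upstream -> gateway map (constructed; replace with your own)
UPSTREAM_GATEWAYS = {
    "198.51.100.53": "192.168.1.1",  # ISP 1 resolver, reached via router 1
    "203.0.113.53": "192.168.1.2",   # ISP 2 resolver, reached via router 2
}


def build_query(name, qid):
    """Minimal DNS query: one A question, recursion desired, no EDNS."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split("."))
    return header + qname + b"\x00" + struct.pack(">HH", 1, 1)  # QTYPE=A, QCLASS=IN


def classify_response(resp, qid):
    """Turn a raw response into a verdict: 'healthy', 'broken:<why>' or 'garbled'."""
    if len(resp) < 12:
        return "garbled"
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != qid:
        return "garbled"  # ID mismatch: stale or spoofed packet, never trust it
    rcode = flags & 0x000F
    if rcode == 0 and ancount > 0:
        return "healthy"
    if rcode == 0:
        return "broken:EMPTY"  # NOERROR but no answer for a name that must have one
    return "broken:" + RCODE_NAMES.get(rcode, str(rcode))


def probe(server, name="probe.example.com", timeout=2.0):
    """One UDP query to `server`; no usable reply is 'unreachable', anything else is classified."""
    qid = random.getrandbits(16)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qid), (server, 53))
        resp, _ = sock.recvfrom(512)
    except OSError:  # timeout or ICMP port unreachable
        return "unreachable"
    finally:
        sock.close()
    return classify_response(resp, qid)


def plan_failover(verdicts, gateways):
    """Decide what to do given {upstream: verdict}.

    Returns (healthy_upstreams, commands). Each non-healthy upstream loses the
    host route that pins it to its gateway, so the local DNS server can no
    longer pick the path that pings but does not resolve. If nothing is
    healthy, do nothing: cutting the last path only makes the outage certain."""
    healthy = [s for s, v in verdicts.items() if v == "healthy"]
    if not healthy:
        return [], []
    commands = [f"ip route del {s}/32 via {gateways[s]}"
                for s, v in verdicts.items() if v != "healthy"]
    return healthy, commands


def render_resolv_conf(healthy):
    """resolv.conf body listing only healthy upstreams; a short timeout keeps any fallback quick."""
    lines = [f"nameserver {s}" for s in healthy]
    lines.append("options timeout:1 attempts:2 rotate")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    results = {s: probe(s) for s in UPSTREAM_GATEWAYS}
    ok, cmds = plan_failover(results, UPSTREAM_GATEWAYS)
    for server, verdict in results.items():
        print(f"{server}: {verdict}")
    print("\n".join(cmds) or "no routing change")
    print(render_resolv_conf(ok), end="")
```

Run it from a cron job or systemd timer on each local DNS host. The refusal to act when no upstream is healthy matters: a watchdog that removes the last working route turns a partial outage into a certain one. Putting the route back once the probe reports healthy again is the mirror-image step and is left to the operator here.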
 
Two questions to understand a bit more:
  1. Do your local DNS servers support cache? If so, is it active? That is designed for the cases other DNS servers stop resolving and could fix your problem by just configuration.
  2. Can you consider switching from ISP DNS servers to other companies', like Cloudflare or OpenDNS?
 
@dos2unix, the problem is... the cascade from .4 to .5 will not happen, or does not happen, because .4 is still online, i.e. it pings but is not handling DNS resolution. I know this sounds odd but it happened just in the last 24 hours. We could live with a short outage, i.e. while bouncing for example.

@gvisoc, good question, I need to check what the cache is doing, so to speak. Using other DNS sources is also an option, but we wanted to consider what we could do directly to address the issue rather than establish a dependency on yet another resource.
 
@jibun no kage the idea was not to add another dependency, but to fix a dependency you already have. I was entertaining the idea of stopping using ISP DNS servers and working with a DNS provider that has better availability. There must be times when Cloudflare resolvers don't resolve, but they have a very good track record on outages. I have been using them behind a pi-hole for 3 years without any problem in my timezone.

Sometimes, ISPs are more focused on the information they can get from your DNS queries than on the service they provide!
 
@gvisoc, yes, valid points. And it begs the question: is not every (free/public) DNS provider information gathering? Oh, well.
 
I think some DNS providers are better than others when it comes to data collection, but Cloudflare is a pretty good service.
 
Instead of vouching for Cloudflare (I could) or any other DNS provider, I'd encourage you to check their privacy policy and public records. I bet you won't be disappointed, but you have to make your own choice.
 
This one is hard to discuss without getting into politics and I will do my best, but there's also stuff like this:


Where I think it's very important to note *why* they actually pulled the plug. (Daily Stormer is a white-supremacists/neo-Nazi site that has content that promotes hate and violence.) Basically, DS said that CF supported their cause because they provided services to DS. CF said, "Like hell we do." Then they kicked 'em to the curb.

As a mostly-not-white person, I'm glad they did so.

As a rational and intellectual person, I'm also glad they did so. Tolerance of intolerance is not tolerance. (See the 'tolerance paradox' for more information.)

(The rest of that last bit would be political in nature, discussing freedom of speech and the rights of private parties. So, I'll skip that.)

Anyhow, to a subset of people, this makes Cloudflare a no-go company. I also use this example here because of *how* Cloudflare responded. To do so, they "... stopped answering DNS requests for their sites."

On a personal level, that choice doesn't bother me any. It does show the power they wield and it does show how there are no/few checks and balances on their choices.
 
I always remind myself... Follow the money. This is not to say that I am not a capitalist, moreover a financial conservative, I am. But when you look at why or when or how someone or some entity does something, you never should ignore the money question. As an example, why does Google do what they do? To a significant, if not extreme extent, they are out to make profit; that is the bedrock of every decision they make, that is why they exist. To ignore that fact, no matter what they do that is of positive social benefit, is to ignore reality. There are many companies that do good things, offer good services, are socially responsible, and more. Why? Because they believe it is just the right thing to do, but what allows these firms to even consider doing good things... somewhere somehow they gained profit to do so. As for so-called bad actors? Well karma, for want of a better word, is a hammer no one escapes in the long run.