# Alternative nameserver



## aragats (Apr 3, 2017)

In a standard configuration with /etc/resolv.conf, e.g.:

```
nameserver a.b.c.d
nameserver w.x.y.z
```
if the first server `a.b.c.d` is queried and it responds, the second one won't be used.
What if `a.b.c.d` is not able to resolve a hostname, but `w.x.y.z` can?
What is the easiest mechanism to jump to the next nameserver in such a case?

To avoid a possible XY-problem, here is the situation:
A local DNS (which is not under my control) does not do its job well, so I want my workstation to be able to try a different DNS (e.g. 8.8.8.8) if the "official" one cannot resolve the name.
However, the local DNS resolves the names within the local network (which, of course, cannot be resolved by an external one).


----------



## ShelLuser (Apr 4, 2017)

aragats said:


> A local DNS (which is not under my control) does not do its job well, so I want my workstation to be able to try a different DNS (e.g. 8.8.8.8) if the "official" one cannot resolve the name.



Probably not what you're looking for, but what about /etc/hosts? Assuming those local addresses aren't too extensive (and not constantly changing) you might be able to add those to your hosts file, so that your system could resolve the local addresses from there and the rest from a public DNS server such as 8.8.8.8.

Another option could be to install dns/bind911 and set it up as a caching nameserver.


----------



## Oko (Apr 4, 2017)

aragats said:


> In a standard configuration with /etc/resolv.conf, e.g.:
> 
> 
> 
> ...


If the first a.b.c.d is able to resolve the hostname but w.x.y.z can't, you are trying to reach a site which uses a misconfigured authoritative server. There is no such mechanism which will enable you to jump to the second nameserver. Now I do get your question. What you need to do is to correctly set up the local caching DNS unbound (if you are using FreeBSD, use the one from ports, as the one from base is following bad Linux practice). You will need to edit the following section and make sure you forward the requests to 8.8.8.8 for anything except the local zone.


```
# Use an upstream forwarder (recursive resolver) for specific zones.
# Example addresses given below are public resolvers valid as of 2014/03.
#
forward-zone:
        name: "."                               # use for ALL queries
        # forward-addr: 74.82.42.42             # he.net
        # forward-addr: 2001:470:20::2          # he.net v6
        forward-addr: 8.8.8.8                   # google.com
        # forward-addr: 2001:4860:4860::8888    # google.com v6
        # forward-addr: 208.67.222.222          # opendns.com
        # forward-first: yes                    # try direct if forwarder fails
```

Then you will edit the following section to serve your local zone files:


```
        # Serve zones authoritatively from Unbound to resolver clients.
        # Not for external service.
        #
        local-zone: "local." static
        local-data: "mycomputer.local. IN A 192.0.2.51"
        local-zone: "2.0.192.in-addr.arpa." static
        local-data-ptr: "192.0.2.51 mycomputer.local"
```

Finally, last but not least, make sure you have nothing except

```
nameserver 127.0.0.1
lookup file bind
```

in your /etc/resolv.conf file. If you are using dhcp to get an IP address you will have to put

```
prepend domain-name-servers 127.0.0.1;
```

in your dhclient.conf file.


I do have a similar set up in one of our remote locations where 53 UDP is firewalled, so I am forced to use the "official" site DNS to resolve remote sites.
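As an added example that is not part of the thread (nor unbound's own sample config), here is a complete minimal unbound.conf that does what Oko describes, generalised so that the site's own zone is forwarded to the site DNS rather than typed in as static local-data, which also covers the DHCP-registered hosts aragats mentions. The zone name corp.example., the site DNS 192.168.1.1 and the 192.168.0.0/16 subnet are placeholders.

```conf
# Added example, not from the thread. Placeholders: site zone "corp.example.",
# site DNS 192.168.1.1, site subnet 192.168.0.0/16; replace with your own.
server:
        interface: 127.0.0.1
        access-control: 127.0.0.0/8 allow
        # Unbound answers the RFC 1918 reverse zones itself (NXDOMAIN) unless
        # told otherwise; release 168.192.in-addr.arpa so PTR lookups for the
        # site subnet reach the site DNS instead of being blocked locally.
        local-zone: "168.192.in-addr.arpa." nodefault
        # Only matters once DNSSEC validation is enabled: the site zone is
        # unsigned, so lookups in it must not fail validation.
        domain-insecure: "corp.example."
        domain-insecure: "168.192.in-addr.arpa."
        # Static entries in the style of Oko's post still work alongside the
        # forwarders; unbound consults local-data before forwarding.
        local-zone: "local." static
        local-data: "mycomputer.local. IN A 192.0.2.51"
        local-data-ptr: "192.0.2.51 mycomputer.local"

# Names inside the site zone go to the site DNS, the only server that knows them.
forward-zone:
        name: "corp.example."
        forward-addr: 192.168.1.1

# Reverse lookups for the site subnet go there too.
forward-zone:
        name: "168.192.in-addr.arpa."
        forward-addr: 192.168.1.1

# Everything else bypasses the site DNS entirely.
forward-zone:
        name: "."
        forward-addr: 8.8.8.8
        forward-addr: 8.8.4.4
```

After editing, `unbound-checkconf` validates the syntax; then point /etc/resolv.conf at 127.0.0.1 as Oko's post shows.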


----------



## aragats (Apr 4, 2017)

ShelLuser said:


> but what about /etc/hosts?


Thanks! I'm already using it. However, there are several devices on the network which get IP addresses from DHCP, so there is no guarantee they won't change.


ShelLuser said:


> Another option could be to install dns/bind911


I think that will be an overkill solution (maybe I'm wrong).


Oko said:


> ... you are trying to reach the site which uses misconfigured authoritative server


Like I said, it's not doing its job well, I have a couple of dynamic DNS, and set TTL to 600 sec, however, that local DNS won't update even in 2 days (MS W2012R2).


Oko said:


> What you need to do is to correctly set up local caching DNS unbound


Thanks! I'll give it a try!


----------



## Phishfry (Apr 4, 2017)

`dhclient` updates the resolv.conf file on lease acceptance on DHCP client connections, I believe.

There are settings in dhclient.conf that might help you if you're using a DHCP client.

```
prepend domain-name-servers x.x.x.x;
```


----------



## aragats (Apr 4, 2017)

Phishfry said:


> There are settings in dhclient.conf that might help you if your using a DHCP client.


Yeah... but I have a static IP address.


----------



## Oko (Apr 4, 2017)

aragats said:


> Yeah... but I have a static IP address.


That makes things much easier. Just edit /etc/resolv.conf per my post. Forget about editing the stupid /etc/dhclient.conf file. I am guessing your /etc/rc.conf file already contains your IP address and the default route. Even if you have a local DHCP server, learn how to use MAC addresses to always assign the same IP addresses to the same devices. Actually the guy who mentioned editing the /etc/hosts file is correct in the sense that for a few devices you can just edit that file. My solution scales to large local subnets.


----------



## aragats (Apr 4, 2017)

Oko said:


> dhcp server learn how to use MAC addresses to assign always the same IP addresses to the same devices


Made me laugh. That DHCP server (the same MS W2012R2) works well only with Windows machines. It keeps assigning duplicate addresses to multiple devices running Debian Linux. At the same time the DNS won't register those devices' names.


----------



## Oko (Apr 4, 2017)

aragats said:


> Made me laugh. That DHCP server (the same MS W2012R2) works well only with Windows machines. It keeps assigning duplicate addresses to multiple devices running Debian Linux. At the same time the DNS won't register those devices' names.


I have no experience with Windows. This is the /etc/dhcpd.conf of my DHCP server running OpenBSD 6.0 and its stock DHCP server (FreeBSD doesn't come with one in its base).
Works like a charm.


```
#	$OpenBSD: dhcpd.conf,v 1.6 2016/03/24 22:36:39 root Exp $
#
# DHCP server options.
# See dhcpd.conf(5) and dhcpd(8) for more information.
#

# Network:              192.168.3.0/255.255.255.0
# Domain name:          bagdala2.net
# Name servers:         192.168.3.1
# Default router:       192.168.3.1
# Addresses:            192.168.3.2 - 192.168.3.16
#
option  domain-name "bagdala2.net";
option  domain-name-servers 192.168.3.1;

subnet 192.168.3.0 netmask 255.255.255.0 {
        option routers 192.168.3.1;

        range 192.168.3.3 192.168.3.9;

        host dfly {
                hardware ethernet b8:ae:ed:3c:ce:35;
                fixed-address 192.168.3.2;
        }
        host oko {
                hardware ethernet 00:02:b3:9d:02:47;
                fixed-address 192.168.3.10;
        }
        host d-link {
                hardware ethernet 00:15:e9:1d:93:57;
                fixed-address 192.168.3.11;
        }
        host mac {
                hardware ethernet 00:17:f2:d4:20:c3;
                fixed-address 192.168.3.12;
        }
        host roku {
                hardware ethernet b8:a1:75:3a:fd:84;
                fixed-address 192.168.3.13;
        }
        host netis {
                hardware ethernet 04:8d:38:a5:6c:a9;
                fixed-address 192.168.3.14;
        }
        host HL-5250DN {
                hardware ethernet 00:80:77:d3:1f:db;
                fixed-address 192.168.3.15;
        }
        host think-pad {
                hardware ethernet 5c:ff:35:06:cd:d6;
                fixed-address 192.168.3.16;
        }
}
```


----------



## aragats (Apr 4, 2017)

In another company I used to work for I set up 2 pfSense boxes (for 2 almost independent segments) and they worked perfectly for everything (except file sharing).
Here, since I cannot fix that issue with the duplicate IP addresses, I was thinking about an alternative DHCP server, however, it's not possible to have 2 servers on the same network. Maybe just with a whitelist of MAC addresses on one server and a blacklist on another.


----------

