I recently migrated to a Unifi Cloud Gateway from a Lenovo M90q Gen 3, and while everything works, I have issues with DNS, essentially with DNS Strict Forwarding. I haven’t been able to find any option or some config file finagling that would allow me to enable Strict Forwarding on the DNS.
Do you have any ideas?
I found the answer literally after a couple of days of not finding the right term:
https://community.ui.com/questions/dnsmasq-for-dns-forwarding/790c2b45-ff3e-44df-8c3f-b51da43612fa
The right command to run inside the Gateway (or Unifi controller of the day) is:
set service dns forwarding options strict-order
I still need to tinker with how to add the DNS servers manually as configuring dnsmasq within the controller vs from the UI may be different.
I don’t believe anything you configure via the command line will stick after reboot. While you can access extra options that way, it is not intended for the end user to normally use. Some people have made scripts that allow some settings to stick between reboots, but it still gets wiped by an update.
DNS Strict Forwarding just means the gateway will only allow the manually entered DNS servers to be used, and not overwrite them with any DNS servers received in the WAN DHCP info, right? Doesn’t simply turning off “auto” on the DNS Server for configuring the WAN settings allow you to do the same thing?

Nope! DNS Strict Forwarding is that if you configure DNS A, DNS B, and DNS C your device will only communicate with DNS A, until it becomes unavailable, then DNS B, and then DNS C. Very useful for me because when I am doing server maintenance and Pihole goes offline, I don’t want the internet to go out and ruin my SO’s weekend.
More often than not, routers will use whatever DNS is configured, with no rhyme or reason. It was happening to me with Unifi even though I had configured my own DNS servers (I use my own instance of Pihole, and Quad9; the latter shows ads, and for a while I was able to see ads inside my network).
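For reference, here is what the same intent looks like expressed directly as dnsmasq configuration, which is the resolver behind the `set service dns forwarding options` command quoted above. This is an added illustration, not a config file from the thread or from Ubiquiti, and it assumes the gateway's dnsmasq honours `server=` entries in the order they are listed when `strict-order` is set (that is how the option is documented for upstream dnsmasq). The Pi-hole address 192.168.1.53 is a constructed placeholder; 9.9.9.9 and 149.112.112.112 are Quad9's public resolvers.

```conf
# Added example: ordered failover with dnsmasq (not the gateway's shipped config)

# Do not pull upstream servers from /etc/resolv.conf (e.g. the ones the WAN DHCP
# lease hands out); use only the servers listed here.
no-resolv

# Try upstreams strictly in this order: the first one listed is used until it
# stops answering, then the next, and so on. Without this flag dnsmasq spreads
# queries across all known upstreams and favours whichever responds fastest,
# which is why ads "leaked" through Quad9 while Pi-hole was up.
strict-order

# 1st choice: local Pi-hole (constructed placeholder address)
server=192.168.1.53
# 2nd and 3rd choice: Quad9, only reached when Pi-hole is unavailable
server=9.9.9.9
server=149.112.112.112

# Optional while testing: log each query and which upstream it was forwarded to,
# so you can confirm the order is actually being respected.
log-queries
```

With `log-queries` on, dnsmasq's log shows a "forwarded <name> to <server>" line for each upstream query, which is the quickest way to confirm that nothing is going to Quad9 while the Pi-hole is healthy. As noted elsewhere in this thread, anything set from the gateway's shell may not survive a reboot or firmware update, so treat a hand-edited config as something to re-verify after each upgrade rather than a one-time fix.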
I’d agree with you, if I was running Linux commands, but these are provided by Ubiquiti within their OS. I’ve seen that some commands are persistent, like the ones you use to change the name of a device, so maybe it will stick! But definitely needs some more testing!
If you are running your own DNS server, you really need 2 of them for redundancy.
Alternatively, Unifi does have a rudimentary adblock option under the Security → Protection tab. Not as comprehensive as PiHole or AdGuardHome, but functional.
My goal is to have one local DNS, and rely on Quad9 for when this local DNS is offline - more often than not, if the DNS is offline in this setup, everything else is offline.
I’ve seen the Ad Block option, but I ended up configuring the strict-forwarding option through the command line and it is still sticking. I will continue to test it and update if it doesn’t work eventually.