I’m running Unbound on a VPS (Alpine Linux) with both Tailscale (/dev/tailscale0) and a WireGuard client to a commercial VPN (/dev/wg0). In short, it accepts connections from Tailscale and routes them over the VPN.
I have Unbound configured on the VPS responsible for sending DNS queries over TLS DNS. It queries through the VPN using outgoing-interface: with the client 172. IP from WireGuard.
The problem is I’d very much like to forward queries for a zone to my router at home. I’ve got it to work but only if I completely remove outgoing-interface. This is obviously not ideal.
It looks like Unbound isn’t in a hurry to support this — do any workarounds come to mind?
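One workaround for the situation described in the question, given as an added example that is not part of the original post: since outgoing-interface is a server-wide setting in Unbound, run a second Unbound instance on loopback with its own outgoing-interface, and have the main instance forward the home zone to that second instance. All addresses, the zone name and the file paths below are placeholders (constructed for the example), not values from the thread.

```conf
# ---- /etc/unbound/unbound.conf : main resolver, listens on Tailscale ----
# Placeholder addresses: 100.64.0.2 = this VPS on Tailscale,
# 172.16.0.2 = this VPS's WireGuard client address.
server:
    interface: 100.64.0.2
    access-control: 100.64.0.0/10 allow
    # all outgoing queries from THIS instance leave via the WireGuard address
    outgoing-interface: 172.16.0.2
    # required: Unbound refuses to forward to 127.0.0.0/8 unless this is set
    do-not-query-localhost: no
    tls-cert-bundle: /etc/ssl/certs/ca-certificates.crt

# Home zone: hand off to the second instance on loopback instead of
# querying the home router directly (which would use the WireGuard source).
forward-zone:
    name: "home.example."
    forward-addr: 127.0.0.2@5353

# Everything else: DNS over TLS through the VPN (placeholder DoT resolver).
forward-zone:
    name: "."
    forward-tls-upstream: yes
    forward-addr: 192.0.2.53@853#dot.example

# ---- /etc/unbound/unbound-home.conf : second instance, loopback only ----
# Run as a separate service with its own pidfile so the two do not collide.
server:
    interface: 127.0.0.2
    port: 5353
    access-control: 127.0.0.0/8 allow
    pidfile: "/run/unbound-home.pid"
    # this instance sources its queries from the Tailscale address, so the
    # query to the home router leaves via tailscale0 rather than wg0
    outgoing-interface: 100.64.0.2
    # nothing but the home zone should ever be asked of this instance
    local-zone: "." refuse

# Placeholder: 100.64.0.1 = the home router's Tailscale address.
forward-zone:
    name: "home.example."
    forward-addr: 100.64.0.1
```

The only coupling between the two instances is the forward-addr on loopback, so each keeps a single, unambiguous outgoing-interface. The second instance refuses everything except the forwarded zone, which keeps it from becoming an open path around the DoT upstream if something other than the main instance reaches 127.0.0.2. Check with a query for the home zone and one for a public name (for example with drill or dig against 100.64.0.2) and confirm, with tcpdump on wg0 and tailscale0, that each leaves on the interface you expect.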
You’re describing split tunneling. If you’re unfamiliar, just look it up. It’s how most VPNs in workplaces are deployed when you only want specific access to specific things. Just need to change the route rules in your WireGuard config, and set the correct forwarding.
I know what split tunneling is, but I have my routing set up exactly as I’d like.
The issue here is that Unbound seems unable to send queries to one forwarding zone using a specific interface/IP address and sending queries to a second forwarding zone using a completely different interface/IP address.
How would it know what to send? Why are you bothering with Unbound if you know how all the networking works?