• What am I missing here? Google and CF DNS empty response?

    7
    0 Votes
    7 Posts
    633 Views
    C
    @bmeeks said in What am I missing here? Google and CF DNS empty response?:

        @casperette said in What am I missing here? Google and CF DNS empty response?:

            @bmeeks said in What am I missing here? Google and CF DNS empty response?:

                Satellite Internet, due to the nature of the signal path, is going to already have a very high latency as compared to land-based Internet technologies. Negotiating a TLS connection over that slow pathway is going to take a while due to the inherent link latency. I seriously doubt the SG-1000 hardware has anything to do with the performance issue. My guess is your ISP is in fact perhaps redirecting DNS lookups to their own server (most likely to take advantage of local caching on their end of the link). As a test to see if their statement about allowing public DNS servers is true, reconfigure pfSense to use unbound in resolver mode (not forwarder), restart unbound or reboot your pfSense box, and then attempt DNS lookups. Also drop the use of DNS over TLS for now. Just test simple DNS lookups. If those don't succeed either, then that would point to your ISP not really allowing true public DNS settings. You also state you are in a forced double-NAT situation. I assume by that you mean you must use the ISP-supplied satellite modem in your setup. Maybe the ISP's modem is doing something funky with DNS?

            Thanks for the reply! I realize satellite internet is by nature high latency; however, for the last 2-3 years we have been managing to get decent DNS response times in the 500-800ms range. It's just a recent issue where I'm getting these empty responses. I should also note I've used multiple routers and laptops to troubleshoot this issue initially, but I keep coming back to pfSense since I'm most comfortable with it for troubleshooting network issues. I tried using unbound without forwarding, restarted the service (stopped and started), and I don't see any indication of errors or problems in the unbound startup log.

            I see pf pulling the root server records as expected, then still get:

                x.x.x.x.48431 > 199.7.91.13.53: [udp sum ok] 35213% [1au] A? ubuntu.com. ar: . OPT UDPsize=4096 DO (39)
                00:24:10.931919 00:80:ae:b2:ff:07 > 0c:b2:b7:af:44:37, ethertype IPv4 (0x0800), length 70: (tos 0x0, ttl 64, id 16579, offset 0, flags [none], proto UDP (17), length 56)
                    199.7.91.13.53 > x.x.x.x.48431: [udp sum ok] 35213 q: A? ubuntu.com. 0/0/0 (28)
                00:24:10.932759 0c:b2:b7:af:44:37 > 00:80:ae:b2:ff:07, ethertype IPv4 (0x0800), length 81: (tos 0x0, ttl 64, id 19857, offset 0, flags [none], proto UDP (17), length 67)

                root@server:~# dig ubuntu.com

                ; <<>> DiG 9.10.3-P4-Ubuntu <<>> ubuntu.com
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35641
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1

                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;ubuntu.com.                    IN      A

                ;; Query time: 12 msec
                ;; SERVER: 192.168.12.1#53(192.168.12.1)
                ;; WHEN: Fri Jan 31 14:24:22 EST 2020
                ;; MSG SIZE  rcvd: 39

            I've also set up a virtual environment with the same configuration (same DNS config at least) so I can test at another location with a different internet connection, and all works as expected. Considering this all appears like unencrypted DNS is being manipulated upstream, do you have any suggestions to get around it aside from the DNS over TLS that has a 4000ms response? Thanks!

        Sorry, but no I don't. When providers manipulate DNS you are somewhat screwed. Sure, you can sometimes switch to something like DNS over TLS or even DNS over HTTPS (DoH), but that has its own hazards over certain types of links. I assume the answer is "no", but do you maybe have a choice of another terrestrial Internet service provider? Are things OK when you use the DNS server suggested or provided by the ISP? If so, you might just be stuck with using their configuration.

    There are other resellers, but I don't believe there's another distinct provider.

    I am currently providing DNS over an IPsec VPN to another physical location, and it appears to be stable. I can't remember if I tried the default DNS servers I get over DHCP, but this whole incident has me not wanting to use them out of principle. I'll probably test with other hardware this weekend and see what happens. Thanks for your help!
  • two pfsense boxes

    10
    0 Votes
    10 Posts
    1k Views
    johnpozJ
    Well, that is what would happen if transparent... if one is failing, it is because it tried to resolve normally and it failed. PM me the details of the domains and an example of what you queried that did not fail on one, etc. Local domain sub.domain.tld, transparent: if you query something.sub.domain.tld and there is no record of that locally, then it will try and resolve that normally, which may or may not get you a response. If you do not want anything to be resolved normally in this domain you're using locally, then you would set the zone type to static. Using a domain locally that is public as well can lead to unwanted sorts of responses, especially if you do not control the public NS for this domain.
  • DNS Resolver

    1
    4
    0 Votes
    1 Posts
    274 Views
    No one has replied
  • Why is Unbound sending DNSSEC queries over inactive WAN interface?

    2
    0 Votes
    2 Posts
    153 Views
    jimpJ
    Unbound can only follow the default route or server-specific routes in the routing table (if you have forwarders set up). It doesn't know about active or inactive WANs. If you are in forwarding mode with multiple servers configured and some using each WAN, then it is normal for unbound to query them all. Again, it doesn't know about active or inactive WANs; it just queries the forwarders and tracks their quality at all times. If you are in non-forwarding mode, then you may want to change the option under System > Routing so the default gateway follows your chosen gateway group.
  • Switching from DNSSEC to plain DNS in multi-WAN configuration

    2
    0 Votes
    2 Posts
    196 Views
    jimpJ
    No, that is not possible.
  • DNS Resolver/Unbound not working for some DNS query

    7
    0 Votes
    7 Posts
    2k Views
    T
    I had this same (or at least very similar) problem. What worked for me was simply switching from "DNS Resolver" to "DNS Forwarder". Using "DNS Resolver", if I did an "ANY" query for my locally-defined DHCP host name, there would be no answer. After I switched to "DNS Forwarder", it responded with the "A" record for the VDP host.
  • Pfsense stuck during boot on "Starting DNS Resolver" after power loss.

    7
    0 Votes
    7 Posts
    4k Views
    A
    @bmeeks Thank you for this tip, so cool that pfsense is prepared for everything! I have APC, will try apcupsd.
  • local host (domain) name lookup from outside LAN?

    11
    0 Votes
    11 Posts
    1k Views
    JKnottJ
    @lifespeed said in local host (domain) name lookup from outside LAN?: OK, I'll revisit this tonight. I guess I should make both A (IPv4) and AAAA (IPv6) records? The A record would specify subdomain, a port for NAT and the mydomain.com, while the AAAA would specify subdomain, port and mydomain.com? No. A records are for IPv4 addresses and AAAA for IPv6. You'd create an A record for every IPv4 address that can be reached directly, not hiding behind NAT. You'd also create AAAA records for IPv6 addresses, but you don't have NAT getting in the way. Also, a DNS server returns only an IP address to match the host name. It does not return port numbers. If you have NAT on IPv4, you could create an A record for the address and then rely on port forwarding to get to the correct local device. One other possibility is that for http & https, the headers can be read to determine what the original URL was and then forward accordingly. Again, unless you have your own authoritative DNS, the public DNS records must contain the FQDN for each server on your network. It cannot break down between domain and subdomain.
  • How-to disable ipv6 dns server from dhcp (v4) server

    21
    0 Votes
    21 Posts
    8k Views
    H
    Sorry for the long time to respond; I was very busy and it took me some time to understand Wireshark and a little IPv6. The problem came from another router whose DHCP service I had disabled in order to use it as an AP (wireless). Then I disabled its IPv6 to resolve the problem.
  • Windows Server 2016 behind pfSense - what's the best way to do DNS?

    4
    0 Votes
    4 Posts
    463 Views
    M
    @Mats, I knew that one was coming, which is why I said "dropping the Windows server is not an option. I know that will be suggested, so please don't bother." I see now that I should have written "not using the Windows server and RRAS is not an option". It's because of a proprietary company application running on the main office's server that has to have an outgoing connection from the main office through my server's IKEv2 to work. @johnpoz Thanks! I'll keep it on the server then.
  • DNSSEC Not Working

    4
    0 Votes
    4 Posts
    693 Views
    jimpJ
    @bimmerdriver said in DNSSEC Not Working: I don't think there are any clock issues or upstream connectivity issues. Do not assume. Check.
  • WebGUI DNS requests to unbound are timing out.

    1
    0 Votes
    1 Posts
    175 Views
    No one has replied
  • DNS Resolver fails to query server defined in Domain Overrides

    1
    0 Votes
    1 Posts
    157 Views
    No one has replied
  • DNS troubleshooting help

    8
    0 Votes
    8 Posts
    2k Views
    S
    Awesome
  • DHCP issuing wrong ip's for wrong VLANs

    6
    0 Votes
    6 Posts
    2k Views
    johnpozJ
    @firedemon said in DHCP issuing wrong ip's for wrong VLANs: I deleted the bridge as I had all VLANs as members of 1 bridge. Huh.. Yeah, that is borked for sure!! Yeah, do your span on your switch.. grab whatever VLANs you want.
  • Bind DNS problem with HA cfg

    12
    1
    0 Votes
    12 Posts
    2k Views
    B
    @bmeeks I think I found the problem. In slave state the zone file didn't get generated. If I set the state on my secondary node to master, the zone file gets generated and the mxtoolbox query works. Can someone give advice about this?
  • Add host overides in DNS resolver from CLI

    3
    0 Votes
    3 Posts
    295 Views
    D
    Thanks for your response @NogBadTheBad. I was thinking more of a command to add a host override from the pfSense developer shell (option 12). Like you suggested, I will use custom options; I tested with 250 lines of local-data: "foo A x.x.x.x" and I can back up and restore without touching file systems. Regards
  • 0 Votes
    1 Posts
    77 Views
    No one has replied
  • Windows Server DNS & pfSense DNS Issue

    dns dns resolver windows server subnet
    9
    7
    0 Votes
    9 Posts
    3k Views
    ?
    @Derelict Okie, i'll give it a try!
  • [SOLVED] Use dnsmasq to resolve hostnames on my lan

    5
    0 Votes
    5 Posts
    2k Views
    S
    Thanks for your input @johnpoz. I will look into that later.
Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.