• 0 Votes
    3 Posts
    463 Views
    GertjanG

    Right !

    I saw the same thing.
    After a clean boot - using dnsmasq : /etc/hosts seems ok - all my static DHCP are present.

    Restarting it, and ...

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: cat /etc/hosts
    127.0.0.1 localhost localhost.brit-hotel-fumel.net
    ::1 localhost localhost.brit-hotel-fumel.net
    192.168.1.1 pfsense.brit-hotel-fumel.net pfsense
    .......
    2001:470:1f13:5c0:2::c4 Tactile1.brit-hotel-fumel.net Tactile1
    2001:470:1f13:5c0:2::c5 Tactile2.brit-hotel-fumel.net Tactile2
    # dhcpleases automatically entered
    192.168.1.95 iPhonevanDiane.brit-hotel-fumel.net iPhonevanDiane # dynamic entry from dhcpd.leases
    192.168.1.94 iPhonevanPieter.brit-hotel-fumel.net iPhonevanPieter # dynamic entry from dhcpd.leases
    192.168.1.98 iPhonevebruiker.brit-hotel-fumel.net iPhonevebruiker # dynamic entry from dhcpd.leases
    192.168.2.148 Galaxy-J3.brit-hotel-fumel.net Galaxy-J3 # dynamic entry from dhcpd.leases
    192.168.2.207 Galaxy-A5-2016.brit-hotel-fumel.net Galaxy-A5-2016 # dynamic entry from dhcpd.leases
    # dhcpleases automatically entered
    192.168.1.95 iPhonevanDiane.brit-hotel-fumel.net iPhonevanDiane # dynamic entry from dhcpd.leases
    192.168.1.94 iPhonevanPieter.brit-hotel-fumel.net iPhonevanPieter # dynamic entry from dhcpd.leases
    192.168.1.98 iPhonevebruiker.brit-hotel-fumel.net iPhonevebruiker # dynamic entry from dhcpd.leases
    192.168.2.148 Galaxy-J3.brit-hotel-fumel.net Galaxy-J3 # dynamic entry from dhcpd.leases
    192.168.2.207 Galaxy-A5-2016.brit-hotel-fumel.net Galaxy-A5-2016 # dynamic entry from dhcpd.leases
    # dhcpleases automatically entered
    192.168.1.95 iPhonevanDiane.brit-hotel-fumel.net iPhonevanDiane # dynamic entry from dhcpd.leases
    192.168.1.94 iPhonevanPieter.brit-hotel-fumel.net iPhonevanPieter # dynamic entry from dhcpd.leases
    192.168.1.98 iPhonevebruiker.brit-hotel-fumel.net iPhonevebruiker # dynamic entry from dhcpd.leases
    192.168.2.148 Galaxy-J3.brit-hotel-fumel.net Galaxy-J3 # dynamic entry from dhcpd.leases
    192.168.2.207 Galaxy-A5-2016.brit-hotel-fumel.net Galaxy-A5-2016 # dynamic entry from dhcpd.leases

    All my LAN network devices have static mapped IP's (all are trusted devices).
    Only devices that have no static DHCP map will multiply in the /etc/hosts file.

    I have found a work around : I'm using the default resolver (unbound) for the last 2 years ;)

    Btw : It's /usr/local/sbin/dhcpleases who is responsible for the host file updating.

  • 0 Votes
    3 Posts
    266 Views
    T

    eth0: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc pfifo_fast state UP group default qlen 1000
    link/ether 44:37:e6:c0:44:94 brd ff:ff:ff:ff:ff:ff
    inet 192.168.30.204/24 brd 192.168.30.255 scope global eth0
    valid_lft forever preferred_lft forever
    inet 192.168.30.102/24 brd 192.168.30.255 scope global secondary eth0
    valid_lft forever preferred_lft forever
    inet6 fe80::4637:e6ff:fec0:4494/64 scope link
    valid_lft forever preferred_lft forever

  • DNS Resolver failing to resolve random domains from time to time

    8
    0 Votes
    8 Posts
    1k Views
    C

    yes use reservation, that's what I meant by static DHCP.

    Once this is done, unbound will resolve the hostnames and without the restarts.

  • DNS Resolver won't resolve georgesriver.nsw.gov.au

    17
    0 Votes
    17 Posts
    1k Views
    G

    @johnpoz said in DNS Resolver won't resolve georgesriver.nsw.gov.au:

    georgesriver.nsw.gov.au

    When I do dig with +trace I just get back. What to do?

    ;; global options: +cmd
  • DNS Forwarder Domain Override for Zone Transfers?

    1
    0 Votes
    1 Posts
    183 Views
    No one has replied
  • FQDNs used in Aliases not added to Diagnostics Tables

    3
    0 Votes
    3 Posts
    269 Views
    E

    I was on 2.4.4-p1 but only started experiencing this issue after I upgraded. To avoid investing too much time into troubleshooting, I did a quick backup and re-imaged and haven't had any issues since. Thanks!

  • DNS service or dns server

    4
    0 Votes
    4 Posts
    470 Views
    KOMK

    By trying it, perhaps? I don't know what other answer you might be expecting.

  • Dns not working randomly

    22
    0 Votes
    22 Posts
    4k Views
    J

    I have the same issue on my mobile phone web view tell me more about the mobile web plz tell me I'm in trouble since last week.

  • Help with bind

    3
    0 Votes
    3 Posts
    356 Views
    wgstarksW

    Thanks. Network Interfaces is set to ALL so I think it must be working.

  • 0 Votes
    1 Posts
    280 Views
    No one has replied
  • Strange behavior with DNS resolving...

    2
    0 Votes
    2 Posts
    321 Views
    KOMK

    SSL has nothing to do with DNS per se. You may have a couple of issues that you're conflating as one.

    Are you using any web proxy packages like Squid? Also, please provide more robust descriptions of the problem's symptoms because 'it doesn't work' isn't that helpful. Error messages? Timeouts? Incorrect data? Some details of your network configuration might also be useful.

  • unbound 1.8.1 restarts

    2
    0 Votes
    2 Posts
    189 Views
    GertjanG

    Hi,

    Frequent unbound restarts can be an issue.
    Check out this part of the forum (DHCP/DNS) for suggestions and solutions.

  • New Interface (NIC) does not appear as Services/DHCP Server tab

    3
    0 Votes
    3 Posts
    191 Views
    jimpJ
    Make sure the interface is enabled
    Make sure it has a proper subnet mask, if you put in /32 for the mask, it can't do DHCP so it won't offer a tab.
  • Unable to get DNS on VLAN working

    14
    0 Votes
    14 Posts
    3k Views
    M

    @johnpoz

    John,

    Found it, the original config was correct, had a firewall on the Mac that was preventing this. My apologies for taking up your time on this matter. As soon as this was disabled all worked.

    Regards,

    Mike

  • Bind as slave DNS for virtualmin

    1
    0 Votes
    1 Posts
    148 Views
    No one has replied
  • Force devices to use assigned DNS

    3
    0 Votes
    3 Posts
    191 Views
    C

    Perfect. Thanks for that. I guess I could just create an alias to those 3 and then insert that into the redirect the following instead of selecting 127.0.0.1 which would send all my lan traffic.

    Or create a VLAN for these 3 devices and apply rule to that

  • DNS leak?

    1
    0 Votes
    1 Posts
    300 Views
    No one has replied
  • Using different dns server per lan port.

    6
    0 Votes
    6 Posts
    630 Views
    S

    @akuma1x Thanks for the information that did work. I got the vlan setup and the device is working great. Which I just removed the last extra wap device. I am running everything off of the unifi ap.

  • DNS Resolver host overrides don't work SOMETIMES

    14
    0 Votes
    14 Posts
    13k Views
    johnpozJ

    When I say MTA, I mean the BOX your MTA is running on.. Not the process that will actually do the query..

    But again it is NOT the responsibility of unbound to hand back the A record of the MX record.. That is the responsibility of the client asking for the MX to also query for the A if it needs it..

    Set your zone to be static if you do not want pfsense to do queries for stuff it has no records or cache of.. This would be done in the same box where you add the MX and A records that you're trying to override..

    Where is the query that you're seeing this come back from pfsense... List the cache records in pfsense that show this external IP.. Simple enough to view records in the cache for any specific domain just do a grep on the dump_cache command. And then show the query to pfsense where it hands back this info..

    As I brought up over 2 years ago... You sure this box running MTA just doesn't list another NS for dns that it might be asking and getting this other info you are wanting to override?

    Here is an example... Unbound out of the box has min response default as yes.

    I do a query for the MX records of netgate.com to SOA ns of netgate.. I get back additional records..

    E:\>dig @ns1.netgate.com netgate.com mx
    ; <<>> DiG 9.12.3 <<>> @ns1.netgate.com netgate.com mx
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 5860
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 7, AUTHORITY: 2, ADDITIONAL: 5
    ;; WARNING: recursion requested but not available
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;netgate.com. IN MX
    ;; ANSWER SECTION:
    netgate.com. 3600 IN MX 30 aspmx5.googlemail.com.
    netgate.com. 3600 IN MX 10 aspmx.l.google.com.
    netgate.com. 3600 IN MX 20 alt2.aspmx.l.google.com.
    netgate.com. 3600 IN MX 20 alt1.aspmx.l.google.com.
    netgate.com. 3600 IN MX 30 aspmx2.googlemail.com.
    netgate.com. 3600 IN MX 30 aspmx4.googlemail.com.
    netgate.com. 3600 IN MX 30 aspmx3.googlemail.com.
    ;; AUTHORITY SECTION:
    netgate.com. 3600 IN NS ns2.netgate.com.
    netgate.com. 3600 IN NS ns1.netgate.com.
    ;; ADDITIONAL SECTION:
    ns1.netgate.com. 3600 IN A 208.123.73.80
    ns1.netgate.com. 3600 IN AAAA 2610:160:11:11::80
    ns2.netgate.com. 3600 IN A 162.208.119.38
    ns2.netgate.com. 3600 IN AAAA 2610:1c1:3::108
    ;; Query time: 37 msec
    ;; SERVER: 208.123.73.80#53(208.123.73.80)
    ;; WHEN: Tue Dec 11 04:15:32 Central Standard Time 2018
    ;; MSG SIZE rcvd: 340
    E:\>

    If I ask pfsense for the same mx - the additional are not given..

    E:\>dig @192.168.9.253 netgate.com mx
    ; <<>> DiG 9.12.3 <<>> @192.168.9.253 netgate.com mx
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6624
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 7, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;netgate.com. IN MX
    ;; ANSWER SECTION:
    netgate.com. 3445 IN MX 20 alt1.aspmx.l.google.com.
    netgate.com. 3445 IN MX 10 aspmx.l.google.com.
    netgate.com. 3445 IN MX 30 aspmx5.googlemail.com.
    netgate.com. 3445 IN MX 30 aspmx4.googlemail.com.
    netgate.com. 3445 IN MX 20 alt2.aspmx.l.google.com.
    netgate.com. 3445 IN MX 30 aspmx3.googlemail.com.
    netgate.com. 3445 IN MX 30 aspmx2.googlemail.com.
    ;; Query time: 0 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Dec 11 04:20:33 Central Standard Time 2018
    ;; MSG SIZE rcvd: 216
    E:\>

    So let's see this query or cache from unbound showing you the wrong info..

    BTW you also Notice that while I got back additional info from ns1.netgate.com - it is NOT the A records of the MX records!!! Since the A records the MX point to it is not authoritative for... But if I ask ns1.google.com for gmail.com mx it does send back the A records.

    E:\>dig @ns1.google.com gmail.com MX
    ; <<>> DiG 9.12.3 <<>> @ns1.google.com gmail.com MX
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 22942
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 10
    ;; WARNING: recursion requested but not available
    ;; QUESTION SECTION:
    ;gmail.com. IN MX
    ;; ANSWER SECTION:
    gmail.com. 3600 IN MX 40 alt4.gmail-smtp-in.l.google.com.
    gmail.com. 3600 IN MX 20 alt2.gmail-smtp-in.l.google.com.
    gmail.com. 3600 IN MX 5 gmail-smtp-in.l.google.com.
    gmail.com. 3600 IN MX 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com. 3600 IN MX 30 alt3.gmail-smtp-in.l.google.com.
    ;; ADDITIONAL SECTION:
    alt4.gmail-smtp-in.l.google.com. 300 IN A 74.125.193.27
    alt4.gmail-smtp-in.l.google.com. 300 IN AAAA 2a00:1450:400b:c01::1b
    alt2.gmail-smtp-in.l.google.com. 300 IN A 172.217.204.27
    alt2.gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:400c:c15::1a
    gmail-smtp-in.l.google.com. 300 IN A 173.194.197.27
    gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:4001:c1b::1b
    alt1.gmail-smtp-in.l.google.com. 300 IN A 173.194.66.27
    alt1.gmail-smtp-in.l.google.com. 300 IN AAAA 2607:f8b0:400d:c01::1b
    alt3.gmail-smtp-in.l.google.com. 300 IN A 172.217.192.27
    alt3.gmail-smtp-in.l.google.com. 300 IN AAAA 2800:3f0:4003:c02::1a
    ;; Query time: 21 msec
    ;; SERVER: 216.239.32.10#53(216.239.32.10)
    ;; WHEN: Tue Dec 11 04:21:55 Central Standard Time 2018
    ;; MSG SIZE rcvd: 370
    E:\>

    But if I then ask unbound the same.. No additional records given.

    E:\>dig @192.168.9.253 gmail.com MX
    ; <<>> DiG 9.12.3 <<>> @192.168.9.253 gmail.com MX
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46825
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;gmail.com. IN MX
    ;; ANSWER SECTION:
    gmail.com. 3069 IN MX 10 alt1.gmail-smtp-in.l.google.com.
    gmail.com. 3069 IN MX 40 alt4.gmail-smtp-in.l.google.com.
    gmail.com. 3069 IN MX 5 gmail-smtp-in.l.google.com.
    gmail.com. 3069 IN MX 20 alt2.gmail-smtp-in.l.google.com.
    gmail.com. 3069 IN MX 30 alt3.gmail-smtp-in.l.google.com.
    ;; Query time: 0 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Dec 11 04:23:49 Central Standard Time 2018
    ;; MSG SIZE rcvd: 161
    E:\>

    BTW you also left in the actual domain you're trying to override in your dig command... Which testing with asking outside dns like 8888 or quad9 or 1111 does not return additional for... ONLY when you ask the authoritative NS do you get back additional... And again if I ask unbound for this - even without any overrides you do not get back the additional... Even when it's cached!!!

    0_1544525152437_unboundquery.png

    It would be much easier to talk about your overrides and what gets returned from the SOA of the domain and what gets returned by unbound if we could just actually use the domain... But since you have been hiding it - I kept it hidden as well, even though you missed it in your dig ;)

    edit
    You're running 2.4.4 release.. Unbound was UPDATED in 2.4.4p1 -- maybe there was an issue with previous unbound not using the default of yes with min-responses?

  • DNS not updating?

    2
    0 Votes
    2 Posts
    350 Views
    GertjanG

    @oguruma said in DNS not updating?:

    I am using 8.8.8.8 and 8.8.4.4 for DNS servers.

    Then ask them what these guys have for you ?!?

    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig @8.8.4.4 boosterclubnetwork.com +short
    45.56.84.90
    [2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: dig @8.8.8.8 boosterclubnetwork.com +short
    45.56.84.90

    Looks good to me.

    I have to mention that you could flush the local DNS cache on pfsense.

    And does this mean anything to you :

    ipconfig /flushdns

    ? (for Windows devices, every OS has a comparable command)

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.