Unable to resolve opensuse.org with pfSense DNS resolver
-
Hello,
I have a pfSense 2.4.5-RELEASE-p1 installation at home.
I was using the DNS Resolver in forwarding mode (resolving through 1.1.1.1 and 1.0.0.1), but recently decided to disable forwarding mode.
I just unticked "Enable Forwarding Mode", saved the changes and everything is working just fine.
Today I wanted to download openSUSE but opensuse.org could not be resolved. Indeed, the command nslookup opensuse.org fails from any computer on my home network, even from the pfSense itself:
From a Windows 10 computer
From the pfsense itself
From a CentOS 7 VM
If I do an nslookup from any of the above machines directly against any public nameserver (for example nslookup opensuse.org 1.1.1.1), then opensuse.org resolves just fine.
Doing dig opensuse.org +trace from the pfSense itself gives the results below:
From the above results, I can see that it cannot find IP addresses for the nsX.opensuse.org nameservers.
DNSSEC is disabled. I tried to enable it and restart the resolver, but it made no difference. Rebooting the pfSense also made no difference.
The issue seems really strange, since I only face it with opensuse.org.
There is no entry anywhere in the pfSense resolver for any subdomain of opensuse.org.
1.1.1.1 and 1.0.0.1 have been removed from System --> General Setup --> DNS Server Settings
I attach screenshots with the pfsense resolver settings.
Does anyone have an idea why this issue occurs?
-
Hello to all. I also made a test installation of the latest pfSense version (2.5.2) and exactly the same issue occurs.
Does anyone have an idea why this is happening?
If someone using the DNS Resolver without forwarding mode could test resolving opensuse.org, that would be great. And if they can resolve it, it would be very useful to provide some screenshots of the DNS Resolver settings.
-
@dimangelid
Have you restarted the unbound service after you made the change?
-
Resolves fine here..
Did you do a trace to see where it's failing?
[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org +trace +nodnssec

; <<>> DiG 9.16.16 <<>> opensuse.org +trace +nodnssec
;; global options: +cmd
.                       29855   IN      NS      h.root-servers.net.
.                       29855   IN      NS      l.root-servers.net.
.                       29855   IN      NS      j.root-servers.net.
.                       29855   IN      NS      e.root-servers.net.
.                       29855   IN      NS      m.root-servers.net.
.                       29855   IN      NS      i.root-servers.net.
.                       29855   IN      NS      a.root-servers.net.
.                       29855   IN      NS      k.root-servers.net.
.                       29855   IN      NS      b.root-servers.net.
.                       29855   IN      NS      d.root-servers.net.
.                       29855   IN      NS      f.root-servers.net.
.                       29855   IN      NS      c.root-servers.net.
.                       29855   IN      NS      g.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 443 bytes from 2001:500:a8::e#53(e.root-servers.net) in 13 ms

opensuse.org.           86400   IN      NS      ns3.opensuse.org.
opensuse.org.           86400   IN      NS      ns4.opensuse.org.
opensuse.org.           86400   IN      NS      ns1.opensuse.org.
opensuse.org.           86400   IN      NS      ns2.opensuse.org.
;; Received 289 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 27 ms

opensuse.org.           1800    IN      A       195.135.221.140
;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 123 ms

[21.05.1-RELEASE][admin@sg4860.local.lan]/root:
I did the trace without DNSSEC just to keep the trace cleaner. But it resolves just fine here, using DNSSEC.
[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org

; <<>> DiG 9.16.16 <<>> opensuse.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7893
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;opensuse.org.                  IN      A

;; ANSWER SECTION:
opensuse.org.           3043    IN      A       195.135.221.140

;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Fri Aug 27 00:09:34 CDT 2021
;; MSG SIZE  rcvd: 57

[21.05.1-RELEASE][admin@sg4860.local.lan]/root:
The problem is not related to your settings. It would resolve with out-of-the-box settings. So you have nothing in your custom options? You're not showing them.
Works just fine without IPv6 as well.
[21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig -4 opensuse.org +trace +nodnssec

; <<>> DiG 9.16.16 <<>> -4 opensuse.org +trace +nodnssec
;; global options: +cmd
.                       29622   IN      NS      c.root-servers.net.
.                       29622   IN      NS      g.root-servers.net.
.                       29622   IN      NS      h.root-servers.net.
.                       29622   IN      NS      l.root-servers.net.
.                       29622   IN      NS      j.root-servers.net.
.                       29622   IN      NS      e.root-servers.net.
.                       29622   IN      NS      m.root-servers.net.
.                       29622   IN      NS      i.root-servers.net.
.                       29622   IN      NS      a.root-servers.net.
.                       29622   IN      NS      k.root-servers.net.
.                       29622   IN      NS      b.root-servers.net.
.                       29622   IN      NS      d.root-servers.net.
.                       29622   IN      NS      f.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      a0.org.afilias-nst.info.
;; Received 471 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms

opensuse.org.           86400   IN      NS      ns1.opensuse.org.
opensuse.org.           86400   IN      NS      ns3.opensuse.org.
opensuse.org.           86400   IN      NS      ns2.opensuse.org.
opensuse.org.           86400   IN      NS      ns4.opensuse.org.
;; Received 289 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 90 ms

opensuse.org.           1800    IN      A       195.135.221.140
;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 130 ms

[21.05.1-RELEASE][admin@sg4860.local.lan]/root:
If you're having trouble resolving, the first thing to do is a trace to see where it's failing. Oh, you're failing talking to the specific NS:
couldn't get address for 'ns1.opensuse.org': not found
couldn't get address for 'ns4.opensuse.org': not found
couldn't get address for 'ns3.opensuse.org': not found
couldn't get address for 'ns2.opensuse.org': not found

;; ADDITIONAL SECTION:
ns1.opensuse.org.       86400   IN      A       62.146.92.204
ns2.opensuse.org.       86400   IN      A       195.135.221.196
ns3.opensuse.org.       86400   IN      A       91.193.113.68
ns4.opensuse.org.       86400   IN      A       195.135.221.195
Can you query one of them directly? Can you talk to any of the Afilias servers?
;; AUTHORITY SECTION:
org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      a2.org.afilias-nst.info.
org.                    172800  IN      NS      b0.org.afilias-nst.org.
org.                    172800  IN      NS      b2.org.afilias-nst.org.
org.                    172800  IN      NS      c0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.

;; ADDITIONAL SECTION:
a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1
Try asking one of them for ns1,2,3,4.opensuse.org; then, can you talk to any of the NS for opensuse.org?
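As an added example (not code from any poster in this thread), a small Python checker that reads dig +trace output the way johnpoz does above and reports whether the walk finished, stopped because the delegated NS names got no address, or stalled earlier; the sample traces are constructed to mirror the output quoted in this thread.

```python
"""Find where a `dig +trace` walk stops; sample traces are constructed to mirror this thread."""
import re
RECV = re.compile(r"^;; Received \d+ bytes from \S+#53\(([^)]+)\)")
NOADDR = re.compile(r"couldn't get address for '([^']+)': not found")
RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(\S+)\s+(\S+)$")
# Constructed referral chain root -> .org -> opensuse.org, shortened to a few NS per step.
REFERRALS = """\
.                  29855  IN  NS  e.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.               172800 IN  NS  d0.org.afilias-nst.org.
;; Received 443 bytes from 2001:500:a8::e#53(e.root-servers.net) in 13 ms

opensuse.org.      86400  IN  NS  ns1.opensuse.org.
opensuse.org.      86400  IN  NS  ns4.opensuse.org.
;; Received 289 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 27 ms
"""
# Healthy finish (as on johnpoz's box) versus the original poster's failure.
TRACE_OK = REFERRALS + """
opensuse.org.      1800   IN  A   195.135.221.140
;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 123 ms
"""
TRACE_FAIL = REFERRALS + """couldn't get address for 'ns1.opensuse.org': not found
couldn't get address for 'ns4.opensuse.org': not found
"""

def parse_trace(text):
    """Group the records of each referral step under the server that returned them."""
    steps, pending = [], []
    for line in text.splitlines():
        if m := RECV.match(line):
            steps.append({"server": m.group(1), "records": pending})
            pending = []
        elif m := RR.match(line):
            pending.append(m.groups())  # (owner, rrtype, rdata)
    return steps

def diagnose(text, qname):
    """Classify a trace: resolved, stuck on NS names with no address, or stalled earlier."""
    steps = parse_trace(text)
    last = steps[-1] if steps else {"server": None, "records": []}
    answer = [rd for o, t, rd in last["records"] if o == qname and t in ("A", "AAAA")]
    if answer:
        return "resolved", {"answer": answer, "last_server": last["server"]}
    missing = NOADDR.findall(text)
    if missing:
        # Delegation arrived but the NS names got no address: next, ask the last server
        # reached (the .org TLD) for those names' A/AAAA records directly.
        return "unresolvable-ns", {"missing": missing, "last_server": last["server"]}
    return "stalled", {"last_server": last["server"]}
```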
-
@dimangelid said in Unable to resolve opensuse.org with pfSense DNS resolver:
Does anyone have an idea why this is happening?
It's always worked for me.
-
I have the same problem with a fresh install of pfSense v2.5.2 installed on a VM using VMware Workstation Pro. I installed it because I wanted to isolate some VMs behind a firewall from the rest of my LAN.
The DNS Resolver simply does not work at all if DNS Forwarding is not on, which to me defeats the purpose altogether of having a "resolver"...
I had to turn the Resolver OFF and turn the Forwarder ON to work around the issue, but I have not found a solution that allows me to use the Resolver, or a reasonable explanation of what I am misinterpreting about the DNS Resolver's intended functionality.
-
Well, the resolver cannot work if you cannot talk to the roots. It's that simple: the resolver directly talks to the roots, then the gTLD servers, then the authoritative name servers for the domain you're looking up. If you're having issues talking to these, then the resolver is not going to work.
-
@johnpoz Thank you for your reply. I certainly appreciate it. Could this then be answered with a simple yes or no, based on the following affirmation:
DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override".
If your answer is yes, which to my understanding it should be, then how would you describe the difference between DNS Resolver and DNS Forwarder?
They both resolve queries to the outside world, and they both can provide DHCP lease to DNS registration for LAN host resolution, as well as manual host registration for static IP configurations.
All I'm saying is: Resolver and Forwarder are the same thing with different names. You could set up either, and both will deliver the same outcome/functionality.
Thanks again for your time and feedback; I'm sure it's helpful to many.
-
@j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:
DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override".
Euh.... No.
Unbound in resolver mode doesn't need any settings.
It has the list of the 13 known Internet DNS root servers built in. It needs at least one working WAN uplink so it can make requests against those servers.
When you install pfSense, all this will "work out of the box"; no user configuration needed.
It doesn't work? Great: someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....
Resolving is needed if you want to make use of DNSSEC.
Forwarding has its own advantages, but is mostly something of the past.
-
@j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:
All I'm saying is: Resolver and Forwarder are the same thing with different names
Not even close to the same thing. You do not understand how a resolver works if you think it's anything like forwarding to Google DNS, which then resolves what you asked for. There is always a resolver somewhere in the line.
-
@gertjan said in Unable to resolve opensuse.org with pfSense DNS resolver:
@j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:
DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override".
Euh.... No.
Unbound in resolver mode doesn't need any settings.
It has the list of the 13 known Internet DNS root servers built in. It needs at least one working WAN uplink so it can make requests against those servers.
When you install pfSense, all this will "work out of the box"; no user configuration needed.
It doesn't work? Great: someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....
Resolving is needed if you want to make use of DNSSEC.
Forwarding has its own advantages, but is mostly something of the past.
Upon reading this reply, I'm thinking this is the problem with my current setup: https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8
-
@1ntr0v3rt3ch said in Unable to resolve opensuse.org with pfSense DNS resolver:
https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8
When you set up pfSense, there is no need to enter '8.8.8.8' or '8.8.4.4' anywhere.
These two - or any others - are mentioned nowhere in the pfSense manual. Again: the default Resolver doesn't need any setting to be altered; it works out of the box.
But: if you have some sort of contract with Alphabet corporation (aka Google) that you have to hand over all your 'private' DNS requests, then, ok, why not. I don't think an ISP exists that actually blocks you from accessing basic Internet servers like the 13 root servers. And even if they exist, because, after all, it's a free world, so why not. It will be the ISP without clients, that's for sure.