Netgate Discussion Forum

    Unable to resolve opensuse.org with pfSense DNS resolver

      mr.rosh @dimangelid

      @dimangelid
      Have you restarted the unbound service after you made the change?

        johnpoz LAYER 8 Global Moderator @mr.rosh

        Resolves fine here..

        Did you do a trace to see where it's failing?

        [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org +trace +nodnssec
             
             ; <<>> DiG 9.16.16 <<>> opensuse.org +trace +nodnssec
             ;; global options: +cmd
             .                       29855   IN      NS      h.root-servers.net.
             .                       29855   IN      NS      l.root-servers.net.
             .                       29855   IN      NS      j.root-servers.net.
             .                       29855   IN      NS      e.root-servers.net.
             .                       29855   IN      NS      m.root-servers.net.
             .                       29855   IN      NS      i.root-servers.net.
             .                       29855   IN      NS      a.root-servers.net.
             .                       29855   IN      NS      k.root-servers.net.
             .                       29855   IN      NS      b.root-servers.net.
             .                       29855   IN      NS      d.root-servers.net.
             .                       29855   IN      NS      f.root-servers.net.
             .                       29855   IN      NS      c.root-servers.net.
             .                       29855   IN      NS      g.root-servers.net.
             ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
             
             org.                    172800  IN      NS      a0.org.afilias-nst.info.
             org.                    172800  IN      NS      a2.org.afilias-nst.info.
             org.                    172800  IN      NS      b0.org.afilias-nst.org.
             org.                    172800  IN      NS      b2.org.afilias-nst.org.
             org.                    172800  IN      NS      c0.org.afilias-nst.info.
             org.                    172800  IN      NS      d0.org.afilias-nst.org.
             ;; Received 443 bytes from 2001:500:a8::e#53(e.root-servers.net) in 13 ms
             
             opensuse.org.           86400   IN      NS      ns3.opensuse.org.
             opensuse.org.           86400   IN      NS      ns4.opensuse.org.
             opensuse.org.           86400   IN      NS      ns1.opensuse.org.
             opensuse.org.           86400   IN      NS      ns2.opensuse.org.
             ;; Received 289 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 27 ms
             
             opensuse.org.           1800    IN      A       195.135.221.140
             ;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 123 ms
             
             [21.05.1-RELEASE][admin@sg4860.local.lan]/root:      
                                                                                         
        

        I did the trace without dnssec just to keep the trace cleaner. But it resolves just fine here, using dnssec.

        [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org 
        
        ; <<>> DiG 9.16.16 <<>> opensuse.org
        ;; global options: +cmd
        ;; Got answer:
        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7893
        ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
        
        ;; OPT PSEUDOSECTION:
        ; EDNS: version: 0, flags:; udp: 4096
        ;; QUESTION SECTION:
        ;opensuse.org.                  IN      A
        
        ;; ANSWER SECTION:
        opensuse.org.           3043    IN      A       195.135.221.140
        
        ;; Query time: 0 msec
        ;; SERVER: 127.0.0.1#53(127.0.0.1)
        ;; WHEN: Fri Aug 27 00:09:34 CDT 2021
        ;; MSG SIZE  rcvd: 57
        
        [21.05.1-RELEASE][admin@sg4860.local.lan]/root: 
        

        The problem is not related to your settings.. It would resolve with out of the box settings. So you have nothing in your custom options? You're not showing them.

        works just fine without ipv6 as well.

        [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig -4 opensuse.org +trace +nodnssec
        
        ; <<>> DiG 9.16.16 <<>> -4 opensuse.org +trace +nodnssec
        ;; global options: +cmd
        .                       29622   IN      NS      c.root-servers.net.
        .                       29622   IN      NS      g.root-servers.net.
        .                       29622   IN      NS      h.root-servers.net.
        .                       29622   IN      NS      l.root-servers.net.
        .                       29622   IN      NS      j.root-servers.net.
        .                       29622   IN      NS      e.root-servers.net.
        .                       29622   IN      NS      m.root-servers.net.
        .                       29622   IN      NS      i.root-servers.net.
        .                       29622   IN      NS      a.root-servers.net.
        .                       29622   IN      NS      k.root-servers.net.
        .                       29622   IN      NS      b.root-servers.net.
        .                       29622   IN      NS      d.root-servers.net.
        .                       29622   IN      NS      f.root-servers.net.
        ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
        
        org.                    172800  IN      NS      a2.org.afilias-nst.info.
        org.                    172800  IN      NS      d0.org.afilias-nst.org.
        org.                    172800  IN      NS      b0.org.afilias-nst.org.
        org.                    172800  IN      NS      c0.org.afilias-nst.info.
        org.                    172800  IN      NS      b2.org.afilias-nst.org.
        org.                    172800  IN      NS      a0.org.afilias-nst.info.
        ;; Received 471 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms
        
        opensuse.org.           86400   IN      NS      ns1.opensuse.org.
        opensuse.org.           86400   IN      NS      ns3.opensuse.org.
        opensuse.org.           86400   IN      NS      ns2.opensuse.org.
        opensuse.org.           86400   IN      NS      ns4.opensuse.org.
        ;; Received 289 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 90 ms
        
        opensuse.org.           1800    IN      A       195.135.221.140
        ;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 130 ms
        
        [21.05.1-RELEASE][admin@sg4860.local.lan]/root: 
        

        If you're having trouble resolving - first thing to do is a trace to see where it's failing. Oh, you're failing talking to the specific ns

        couldn't get address for 'ns1.opensuse.org': not found
        couldn't get address for 'ns4.opensuse.org': not found
        couldn't get address for 'ns3.opensuse.org': not found
        couldn't get address for 'ns2.opensuse.org': not found
        
        ;; ADDITIONAL SECTION:
        ns1.opensuse.org.       86400   IN      A       62.146.92.204
        ns2.opensuse.org.       86400   IN      A       195.135.221.196
        ns3.opensuse.org.       86400   IN      A       91.193.113.68
        ns4.opensuse.org.       86400   IN      A       195.135.221.195
        

        Can you query one of them directly? Can you talk to any of the afiliates?

        ;; AUTHORITY SECTION:
        org.                    172800  IN      NS      a0.org.afilias-nst.info.
        org.                    172800  IN      NS      a2.org.afilias-nst.info.
        org.                    172800  IN      NS      b0.org.afilias-nst.org.
        org.                    172800  IN      NS      b2.org.afilias-nst.org.
        org.                    172800  IN      NS      c0.org.afilias-nst.info.
        org.                    172800  IN      NS      d0.org.afilias-nst.org.
        
        ;; ADDITIONAL SECTION:
        a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
        a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
        a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
        a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
        b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
        b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
        b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
        b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
        c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
        c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
        d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
        d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1
        

        Try asking one of them for ns1,2,3,4.opensuse.org, then can you talk to any of the ns for opensuse.org?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

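The trace-first diagnosis described in the post above, as an added example that is not part of any post in the thread: a shell function that reads `dig +trace +nodnssec` output and reports each delegation step and where the walk stops. `trace_summary`, `sample_ok` and `sample_fail` are names chosen here, and the sample input is constructed from lines quoted in the thread.

```sh
#!/bin/sh
# Added example, not from the thread. Reads `dig NAME +trace +nodnssec` output on stdin.
# Live use on the firewall: dig opensuse.org +trace +nodnssec | trace_summary

trace_summary() {
    awk '
    # Resource record line: OWNER TTL IN TYPE RDATA. Remember the last one of each step.
    $3 == "IN" && $1 !~ /^;/ { owner = $1; type = $4; rdata = $5; next }
    # ";; Received N bytes from ADDR#53(NAME) in T ms" closes one step of the walk.
    $1 == ";;" && $2 == "Received" {
        step++
        printf "step %d: %s %s via %s\n", step, owner, type, $6
        last_owner = owner; last_type = type; last_rdata = rdata
        next
    }
    # dig could not turn a delegated name server name into an address.
    $1 ~ /^couldn.t$/ && $2 == "get" && $3 == "address" {
        ns = $5; gsub(/[^A-Za-z0-9.-]/, "", ns)
        printf "unresolved: %s\n", ns
        unresolved++
    }
    END {
        if (step == 0)
            print "RESULT: no trace steps in input"
        else if (last_type == "NS")
            printf "RESULT: stalled at referral for %s (%d name server addresses not found)\n", last_owner, unresolved
        else
            printf "RESULT: answer %s %s %s\n", last_owner, last_type, last_rdata
    }'
}

# Constructed sample: the working IPv4 trace from the thread, cut to one record per step.
sample_ok() {
cat <<'EOF'
.                       29622   IN      NS      c.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
org.                    172800  IN      NS      a0.org.afilias-nst.info.
;; Received 471 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms
opensuse.org.           86400   IN      NS      ns4.opensuse.org.
;; Received 289 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 90 ms
opensuse.org.           1800    IN      A       195.135.221.140
;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 130 ms
EOF
}

# Constructed failing sample: same walk, but it ends with the errors quoted in the thread.
sample_fail() {
    sample_ok | sed -n '1,6p'
    for ns in ns1 ns4; do printf "couldn't get address for '%s.opensuse.org': not found\n" "$ns"; done
}

sample_ok | trace_summary
sample_fail | trace_summary
```

A `stalled at referral` result means the roots and the TLD servers answered, so the next check is a direct query to the addresses from the referral's ADDITIONAL section.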
          JKnott @dimangelid

          @dimangelid said in Unable to resolve opensuse.org with pfSense DNS resolver:

          Does anyone have an idea on why is this happening?

          It's always worked for me.

          PfSense running on Qotom mini PC
          i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
          UniFi AC-Lite access point

          I haven't lost my mind. It's around here...somewhere...

            j03man

            I have the same problem with a fresh install of pfSense v2.5.2 installed on a VM using VMware Workstation Pro. I installed it because I wanted to isolate some VMs behind a firewall from the rest of my LAN.

            DNS Resolver simply does not work at all if DNS Forwarding is not on, which to me defeats the purpose all together of having a "resolver"...

            I had to turn Resolver OFF and turn Forwarder ON to go around the issue but I have not found a solution that allows me to use Resolver or a reasonable explanation of what I am misinterpreting from DNS Resolver intended functionality.

              johnpoz LAYER 8 Global Moderator @j03man

              Well, the resolver cannot work if you cannot talk to the roots.. It's that simple - the resolver talks directly to the roots and the gtld servers, then the authoritative name servers for the domain you're looking up. If you're having issues talking to these - then the resolver is not going to work..

                j03man @johnpoz

                @johnpoz Thank you for your reply. Certainly appreciate it. Could this be then answered with a simple yes or no based on the following affirmation:

                DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                If your answer is yes, which to my understanding it should be; then how could you describe the difference between DNS Resolver and DNS Forwarder?

                They both resolve queries to the outside world and they both can provide DHCP lease to DNS registration for LAN host resolution as well as manual hosts registration for static IP configurations.

                All I'm saying is: Resolver and Forwarder are the same thing with different names. Could setup either and both will deliver same outcome/functionality.

                Thanks again for your time and feedback, I'm sure its helpful to many. 🙂

                  Gertjan @j03man

                  @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                  DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                  Euh.... No.

                  Unbound using resolver mode doesn't need any settings.
                  It has the list with the 13 known Internet DNS root servers built in.

                  It needs at least one working WAN uplink so it can make requests against those servers.

                  When you install pfSense, all this will "work out of the box" - no user configuration needed.

                  It doesn't work : great : someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....

                  Resolving is needed if you want to make use of DNSSEC.

                  Forwarding has its own advantages, but is mostly something of the past.

                  No "help me" PM's please. Use the forum, the community will thank you.
                  Edit : and where are the logs ??

                    johnpoz LAYER 8 Global Moderator @j03man

                    @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                    All I'm saying is: Resolver and Forwarder are the same thing with different names

                    Not even close to the same thing.. You do not understand how a resolver works, if you think it's anything like forwarding to googledns, which then resolves what you asked for.. There is always a resolver somewhere in the line.

                      1ntr0v3rt3ch @Gertjan

                      @gertjan said in Unable to resolve opensuse.org with pfSense DNS resolver:

                      @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                      DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                      Euh.... No.

                      Unbound using resolver mode doesn't need any settings.
                      It has the list with the 13 known Internet DNS root servers built in.

                      It needs at least one working WAN uplink so it can make requests against those servers.

                      When you install pfSense, all this will "work out of the box" - no user configuration needed.

                      It doesn't work : great : someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....

                      Resolving is needed if you want to make use of DNSSEC.

                      Forwarding has its own advantages, but is mostly something of the past.

                      Upon reading this reply, I'm thinking this is the problem with my current setup: https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8

                        Gertjan @1ntr0v3rt3ch

                        @1ntr0v3rt3ch said in Unable to resolve opensuse.org with pfSense DNS resolver:

                        https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8

                        When you set up pfSense, there is no need to enter anywhere '8.8.8.8' or '8.8.4.4'.
                        These two - or any others - are mentioned nowhere in the pfSense manual.

                        Again : the default Resolver doesn't need any setting to be altered : it works out of the box.
                        But : if you have some sort of contract with Alphabet corporation - (aka Google) that you have to hand over all your 'private' DNS requests, then, ok, why not.

                        I don't think an ISP exists that actually blocks you from accessing basic Internet servers like the 13 root servers. And even if they exist, because, after all, it's a free world, so why not. It will be the ISP without clients, that's for sure.

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.