DNS Headaches Since Switching to PFSense
-
Hi there,
Ever since switching to PFSense (from UniFi and Sonicwall before that), we are having constant DNS issues. On common example is that apps on our phones don't work and then we have to turn off WiFi and then they work perfectly.
We have tried both the DNS Resolver and DNS Forwarder services independently and get the same result. What might be going on? How can we troubleshoot this?
Thanks!
-
@ashkaan Did you program in any custom DNS servers anywhere on your system? I'm talking about in the general setup sequence, did you put anything in there (see below)? This is found in System -> General Setup
Also, what works most of the time, unless you require some funky stuff with DNS, is the built-in DNS Resolver (see below). This setting will tell your pfsense box to use the DNS root servers out on the internet and cache the results locally. This is found in Services -> DNS Resolver.
That's it. If you have added anything special, and it's still not working, a uncomfortable plan B might be to factory-reset your pfsense box, don't add anything for DNS during setup, and run it just like that.
-
@akuma1x Thank you! Yes, I added Google and Cloudflare.
I've tried both the Resolver and Forwarder and have the same issue. I factory reset pretty early on it with the same result. My first run with PFSense was almost completely default and I had the same issue. I'm totally baffled by this.
-
@ashkaan Are you sure your hosts on your network(s) are using those DNS servers you listed there? If these hosts are iPhones, you can check that in the wifi settings by selecting the "Configure DNS" menu. Do the settings actually say 8.8.8.8 and 1.1.1.1?
-
@akuma1x They're actually using the PFSense only and then the PFSense is either Resolving or Forwarding depending on which we're testing at the moment.
-
Your local domain doesn't end with .local perchance?
-
@iorx, why yes it does sir!
-
ROFL.. I'm just reading that it specifically says not to use that. OMG.. is THIS is the reason?
What should I use? I don't want to use a public address.
-
@ashkaan As it says blah.local.lan or .mylocal or .ashkaan or anything unlikely to be used. If you had your own domain, lan.example.com.
Devices can also use DoH for DNS.
-
@steveits Is this why some apps and websites don't resolve?
-
@ashkaan said in DNS Headaches Since Switching to PFSense:
Is this why some apps and websites don't resolve?
No while .local shouldn't be used, it wouldn't cause other fqdn to fail. But it could be causing you local issues?
The current recommend local domain to use would be something.home.arpa
https://datatracker.ietf.org/doc/html/rfc8375
Special-Use Domain 'home.arpa.'I have used unbound on pfsense, since before it was built in, and just a package.. While have extensive bind experience and have used that professionally since really it was a thing, and use to use it for my home dns.. Unbound is easy to use, it is very robust and more than capable of providing a recursive name services for most uses.. It is not really meant to authoritative, but more than enough for most uses in a small business or home setup. It doesn't have all the bells and whistles that bind does..
The only real problem I have seen, and most likely the problem you might be having when it just looks like some stuff doesn't resolve is registering dhcp - which causes unbound to restart, and when also used with pfblocker the restart can take longer than normal.
If you have an issue with something specific not resolving.. Troubleshoot that specific fqdn - if your resolving, you could have an issue talking to roots or gtld servers, or just not able to talk to the actual authoritative domain. Or maybe its high latency issue to the authoritative NS for that specific domain?
dig and +trace is very valuable tool in troubleshooting such an issue. If your forwarding - and not getting an answer, that is on where your forwarding to, or can not just talk to them?
When you have a problem next time - what is the specific fqdn? Do a directed query, use the dns lookup tool under diagnostics menu. Does it resolve? Use your fav tool, dig, host, nslookup to do some directed queries - does say unbound answer for something local, like pfsense fqdn? But not just this specific fqdn? etc..
But I would really first thing to check is if unbound is restarting - but if you were actually using dnsmasq (the forwarder) it doesn't have the dhcp restart issue that unbound has..
-
@johnpoz Thank you.
I don't think that I was having any local issues with the ".local" domain, but I switched to ".local.lan" anyway.
The challenge with testing the fqdn is that I have no idea what it is. Randomly (like once a day), an app on my phone won't work (different apps). I need it for work, so I just go off of WiFi and it immediately works. There's no network outage because I started running pings in the background and witnessed it happening while the pings looked great.
Is there an easy way to see DNS requests that haven't been fulfilled?
Again, this happens with Unbound AND the DNS forwarder in case that helps.
-
@ashkaan who says its anything to do with pfsense - sounds like a wireless issue to me.. Do you have any issues with wired devices and dns?
-
@johnpoz because these wireless devices work perfectly with other firewalls.
-
@ashkaan Well that logic flawless <rolleyes>
So again I will state do a directed query.. Does it fail? Did pfsense even see the query.
Simple enough to do - grab say hurricane electric network phone app, allows to do a directed query to a specific dns.. Or your other fav tool for your wireless device that allows you to do a directed query.
Now sniff on pfsense when your doing a query - does pfsense even see it?
example..
As you can see my client doesn't report answer - but can see that pfsense saw the query and did answer with nx..
If problem with pfsense (dns on pfsense) then you would see the query from your client in the sniff - but no answer at all..
Lets say that was the case - how would reconnecting the client to wifi fix that? Let me think - oh yeah it wouldn't have anything to do with it. ;)
An intelligent man is sometimes forced to be drunk to spend time with his fools
If you get confused: Listen to the Music Play
Please don't Chat/PM me for help, unless mod related
SG-4860 24.11 | Lab VMs 2.7.2, 24.11 -
I guess it's time for :
grep 'stop' /var/log/resolver.logDo you see one are two stops (and starts) a day - or less ? : that's ok.
You could look at the /var/log/resolver.log file, and check how long it takes between a 'stop' and a 'start', as that will be the time that DNS queries are not answered.
At that moment, only DNS resolving doesn't work, which is just a small subset of the entire Internet access experience, but for some reason it makes people think that the connection is 'out'.Or look here, as it is the same info : Status > System Logs > System > DNS Resolver
As Jonhpoz already proposed : test this : go to Services > DNS Resolver > General Settings and un check "DHCP Registration", Save and Apply.
Do the grep test again a couple of hours / days later. You should notice that unbound restarts less often. -
@johnpoz said in DNS Headaches Since Switching to PFSense:
@ashkaan Well that logic flawless <rolleyes>
So again I will state do a directed query.. Does it fail? Did pfsense even see the query.I cannot test the address because I do not know the address that the random app that fails is trying to reach. That's why I suggested that I search a log to try to find it, but I don't know how to do that or if it's even possible.
-
@gertjan I get the following when trying your command:
When I look through the GUI, I see a bunch of stops. Are you thinking that I'm running into issues with my devices only precisely when DNS is restarted? It seems like really tiny and infrequent windows for this to be going on.
-
For admin task you need the default admin account.
pfSense is a router firewall, no need to create multiple user accounts - the 'admin' account is needed for most if not all interactions.
Ok, your close.
With every 'stopped' there is also a "start". The time between them is the time the network has no DNS available.This :
is good news : no unbound restart for several days. So it's up and running.
If the LAN interfaces do not block DNS traffic; then there shouldn't be any DNS issues. No issues that are pfSense related..
Don't.
As you don't need them, except if you signed some sort of contract with them.
Unbound is a resolver - 8.8.8.8 is a resolver - 1.1.1.1 is a resolver. A resolver doesn't need a resolver to resolve. A resolvers uses the root DNS servers to work. -
@gertjan Thank you so much for the helpful reply. I have removed the external resolvers as they were unnecessary.
The challenge that I'm having is that everything works perfectly with other firewalls. It's only when I have PFSense running (again, as opposed to EdgeRouter or Sonicwall) that I randomly have the issue. I never had the issue with those other platforms.
I assumed that it was DNS related because it almost looks like the app can't resolve or isn't connecting to the internet, BUT I have a constant ping (to Google) running on a server that has no gaps. There's no internet outage here.
Does anyone have any other leads for me to chase down?
