DNS Headaches Since Switching to PFSense
-
@johnpoz I was in a work emergency so I didn't have time to try a direct query, but it was google.com of all sites! Google wouldn't load in Safari. On cell, it loaded immediately. The WiFi desktop didn't lose a ping to 8.8.8.8.
It's been up since midnight of the prior day, so it wasn't stopped at the issue times.
I was using Resolving, then I tested Forwarding for a couple of weeks, then I went back to Resolving about a week ago. No DoH. Only IPv4.
-
@johnpoz, with https://redmine.pfsense.org/issues/12613 still not being fixed I would honestly be more surprised if it did work in a typical home setup than when it did not ... and while we're at it - please fix it properly!
-
@thiasaef said in DNS Headaches Since Switching to PFSense:
https://redmine.pfsense.org/issues/12613
He would be able to tell if that was what he was running into - by a simple query for something. And he is never restarting dns - so how would that be the issue. Just flipping a client wifi on and off wouldn't restart unbound, etc.
I don't see how there is enough info to say what is going on one way or the other.
What I can say is I have not run into any issues, nor that specific issue at all.. I don't use a vpn for vpn traffic, nor have unbound bound to the test vpn connection I leave up. I don't have multiple interfaces that could be going up or down.
And I bind unbound only to loopback anyway, and just let it nat outbound, etc. So even if my wan went offline I should be fine, but my wan connection is pretty rock solid as well.
What needs to happen to move forward here is some actual specifics of what is not working, and when. I get it you don't always have time to troubleshoot when something goes wrong, and you just want it back up now.. But if you want to get to the bottom of the actual problem - you're going to need to actually get some details when it happens..
-
@johnpoz Ok, so I'll try to resolve the site I'm trying to resolve on mobile on my server? Or, where should I attempt to resolve?
-
@ashkaan yes you should do a directed query to unbound on pfsense (this is what is providing you dns?).. For sure from your wifi device, and also from something else on your network.
Does unbound on pfsense provide a response - if so what, the IP, some sort of failure or refused, etc.
For the actual fqdn that is failing, and as well something else. Does nothing non-local resolve - just this one site, or sites that are failing? What about something local like pfsense fqdn, etc.
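The directed-query procedure described in this post, written out as a small client-side script. This is an added example, not code from the thread or from pfSense. It assumes dig is installed on the querying client (the wifi device or the wired desktop), that the pfSense LAN address is 192.168.1.1 (override RESOLVER if yours differs), and that the names on the usage line are placeholders (pfsense.localdomain is the default pfSense hostname; adjust to yours).

```sh
#!/bin/sh
# Added example (not from the thread): directed A-record queries against the pfSense
# unbound resolver, run from a client on the LAN that has dig installed.
# RESOLVER defaults to an assumed pfSense LAN address; override it for your network.
RESOLVER="${RESOLVER:-192.168.1.1}"

# Pull the RCODE out of dig output: NOERROR, NXDOMAIN, SERVFAIL, REFUSED, ...
# Reads dig output on stdin; prints nothing if dig got no status line back at all.
dig_status() {
    sed -n 's/.*status: \([A-Z]*\),.*/\1/p' | head -n 1
}

# Print the A records from the ANSWER section of dig output (stdin), one per line.
# Lines starting with ';' are dig's own commentary and the question section.
dig_answers() {
    awk '$1 !~ /^;/ && $4 == "A" { print $5 }'
}

# Reduce dig output (stdin) to one line: "status=<rcode> answers=<ips>".
# NO_RESPONSE means unbound never answered (timeout), which is a different failure
# from SERVFAIL/REFUSED (unbound answered but could not or would not resolve).
summarize_dig() {
    out=$(cat)
    status=$(printf '%s\n' "$out" | dig_status)
    answers=$(printf '%s\n' "$out" | dig_answers | tr '\n' ' ' | sed 's/ $//')
    printf 'status=%s answers=%s\n' "${status:-NO_RESPONSE}" "${answers:-none}"
}

# One directed query with a short timeout, so a dead resolver shows up quickly.
directed_query() {
    name="$1"
    printf '%-30s ' "$name"
    dig @"$RESOLVER" "$name" A +time=3 +tries=1 2>&1 | summarize_dig
}

# Usage (names are placeholders, pick the failing one, an unrelated public one,
# and a local one):
#   sh dnscheck.sh google.com example.com pfsense.localdomain
if [ $# -gt 0 ]; then
    for name in "$@"; do
        directed_query "$name"
    done
fi
```

Run it from the wifi device and from the wired desktop while the problem is happening. NOERROR with addresses for the unrelated name but not for the failing one narrows it to that name; NO_RESPONSE on every name means unbound is not answering the client at all, which points at the service or the path to it rather than at resolution.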
-
@johnpoz said in DNS Headaches Since Switching to PFSense:
I don't see how there is enough info to say what is going on one way or the other.
Neither do I, but I also did not say that the above problem was necessarily his problem.
@johnpoz said in DNS Headaches Since Switching to PFSense:
What I can say is I have not run into any issues, nor that specific issue at all.. I don't use a vpn for vpn traffic, nor have unbound bound to the test vpn connection I leave up. I don't have multiple interfaces that could be going up or down.
And I bind unbound only to loopback anyway, and just let it nat outbound, etc. So even if my wan went offline I should be fine, but my wan connection is pretty rock solid as well.
This mentality is what is driving me crazy right now. Answers like this feel like being slapped in the face.
-
@thiasaef said in DNS Headaches Since Switching to PFSense:
Answers like this feel like being slapped in the face.
huh? What does an issue with an interface going down and no longer bound to a service have to do with this issue?
You said a typical home setup right - well I am in a home, and what am I doing that is not typical for someone using pfsense in their home? From your comment - you make it sound like that specific issue would be causing everyone with a home setup issue. I don't see how that could be the case really..
I have not seen that issue, I have no input to them fixing it how ever they are going to fix it - be it "properly" enough for you or not, etc..
Not even sure why you brought it up here - since I don't see how it could have anything to do with the current thread's issue.. Unless I am missing something? Where has he stated that when his problem starts after an interface outage, and he has to restart it to get anything working?
-
@johnpoz said in DNS Headaches Since Switching to PFSense:
What does an issue with an interface going down and no longer bound to a service have to do with this issue?
I agree that we do not know the root cause of the Unbound restarts @Ashkaan is seeing yet.
From your comment - you make it sound like that specific issue would be causing everyone with a home setup issue.
That's not what I said, sorry.
Not even sure why you brought it up here
Because it is possible that his problems are related to the bug and because other people with other Unbound issues will likely stumble across this thread and probably be happy if they find a solution.
@johnpoz said in DNS Headaches Since Switching to PFSense:
be it "properly" enough for you or not, etc..
It did work perfectly fine on 2.4.5-p1, so all I am asking for is a regression bug being fixed instead of being swept under the carpet.
since I don't see how it could have anything to do with the current thread's issue..
The symptoms do match and there are Unbound restarts in his screenshots that are not caused by the DHCP registration bug.
Where has he stated that when his problem starts after an interface outage
Never, but how likely is it, that someone will see a connection between the two things without knowing that this bug exists in the first place?
-
@thiasaef said in DNS Headaches Since Switching to PFSense:
I agree that we do not know the root cause of the Unbound restarts @Ashkaan is seeing yet.
What we do know is that the "DNS Registration", once disabled, will not restart unbound any more.
Btw : unbound will still restart. Here is what mine does.
The restarts are : me, as I'm messing around with pfSense; it could be reboots, it could be pfBlockerNG-devel after feeds get updates (once a day or once a week).
But the graphs show that this happens once a day, or less.
Earlier in the thread we saw a lot of "unbound stop". These should come with a 'start' :
grep 'start\|stop' /var/log/resolver.log
Someone, or something, another process, is restarting unbound. This could be the pfSense package pfBlockerNG-devel, I know because I'm using that pfSense package.
It could also be a hardware 'link' event. I just ripped out the WAN cable of pfSense, and put it back in : unbound was restarted. For the LAN interface the behaviour would be identical (I didn't test). These events should be very rare. unbound does not restart itself, and I did not see it crashing.
Btw : @Ashkaan :
This : You've treated the "hostnames" column as some sort of comment field.
That's wrong.
A host name should be a host name. And not only that, it should be the 'PTR' of the IP :
1.1.1.1 == one.one.one.one.
8.8.8.8 == dns.google.
-
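One step beyond the grep in gertjan's post above: pair each "service stopped" line with the following "start of service" line so the number of restarts per day, and any stop that was never followed by a start, can be read off directly. This is an added example, not gertjan's or pfSense's own code; it assumes the resolver log is a plain text file at /var/log/resolver.log carrying unbound's standard "service stopped" and "start of service" messages, and the sample lines used to check it are constructed.

```sh
#!/bin/sh
# Added example (not from the thread): summarise unbound restarts from the pfSense
# resolver log. Run on the pfSense console as:
#   sh unbound-restarts.sh /var/log/resolver.log
# Message texts are unbound's own; any version string in a sample line is a placeholder.

# Count stops and starts (stdin) and how many stops never got a later start.
# A stop with no following start is the case worth chasing: something stopped
# unbound and nothing brought it back.
unbound_restart_summary() {
    awk '
        /info: service stopped/  { stops++; pending++ }
        /info: start of service/ { starts++; if (pending > 0) pending-- }
        END { printf "starts=%d stops=%d stops_without_start=%d\n", starts+0, stops+0, pending+0 }
    '
}

# Stops per calendar day (syslog "Mon DD" prefix), to compare against a daily
# pfBlockerNG feed update or a nightly reboot. Order is lexical, not chronological.
unbound_stops_per_day() {
    awk '/info: service stopped/ { c[$1 " " $2]++ }
         END { for (d in c) print d, c[d] }' | sort
}

if [ $# -gt 0 ]; then
    log="$1"
    unbound_restart_summary < "$log"
    echo "stops per day:"
    unbound_stops_per_day < "$log"
    # The lines just before each stop usually name whatever triggered it
    # (a link event, a package reload, a reboot).
    echo "context before each stop:"
    grep -n -B3 'service stopped' "$log"
fi
```

If the per-day count lines up with the pfBlockerNG update schedule or with a WAN link flap in the system log, the restarts are explained; a stop with no start, or stops at times that match nothing scheduled, is what to bring back to the thread.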
@gertjan said in DNS Headaches Since Switching to PFSense:
Btw : @Ashkaan :
This :You've treated the "hostnames" column as some sort of comment field.
That's wrong.
A host name should be a host name. And not only that, it should be 'PTR' of the IP :
1.1.1.1 == one.one.one.one.
8.8.8.8 == dns.google.
Oh wow! Good thing I deleted both altogether once I was educated that those were not necessary when running Unbound.
-
@ashkaan
Assuming this is fixed now?
With the errant comments out of the TLS verification hostname section, the system should actually be accepting the responses from the upstream servers.
-
@skogs Nope, still happening and I have no idea where to look. The good news is that I was able to try pinging during the outage and ping (and I assume DNS resolution) worked great. There's something else going on with the PFSense and I can't figure it out.
I popped in my EdgeRouter for a couple of days and the issue didn't happen once. I put PFSense back last night and it happened this morning. I'm lost.
-
@ashkaan said in DNS Headaches Since Switching to PFSense:
once I was educated that those were not necessary when running Unbound.
Unbound is a resolver like 8.8.8.8 or 1.1.1.1; these talk directly to the Internet's main "13" root DNS servers.
All the processes in pfSense talk to 127.0.0.1 (not a LAN, or WAN), and unbound listens on that interface also.
So, yes, no need to enter any DNS servers in System > General Setup
-
@ashkaan said in DNS Headaches Since Switching to PFSense:
I put PFSense back last night and it happened this morning. I'm lost.
What about the default setup (see message above) : Don't forward.
I guess Google and 1.1.1.1 and others don't bother if you do not hand over your DNS questions ;)
-
@gertjan The DNS fields are blank just as you guys prescribed. Is that your question?
-
@ashkaan
Having a constant ping proves the outside line is up and routing is functioning; it doesn't do squat for anything that is suspected of being DNS related.
@Gertjan yes it can be completely blank, but 99% of people will put something in there, and many will turn off the root dns servers.
I think this has been going on for 2 weeks and still no actual direct queries confirmed. :)
A week or so ago I was banging my head against the wall on a strange 'dead' website - direct nslookups to my normal outside 4 DNS servers responded with NXDOMAIN, couple of the root DNS servers NXDOMAIN, some rando DNS server that I've never used before that day (9.9.9.9) actually resolved it normally. Super whack. Strange things happen. My guess was something strange happening with the hosting company. Naturally I was questioning pfsense resolver at the time...but it certainly wasn't the source of the problem. Just took a lot of console work and head scratching.
-
@skogs Sorry, direct query confirmed (if I understand correctly). I could load google.com or (as a test) cnn.com in Safari on my phone, so I opened Fing and pinged google.com and it immediately resolved and pinged fast pings.
-
@skogs said in DNS Headaches Since Switching to PFSense:
but 99% of people will put something in there, and many will turn off the root dns servers.
99 ?
Keep in mind that most people can access Youtube these days.
It's easy to find some video that explains what DNS is. Take one from some respectable school, like a prof from MIT; these guys normally do inspire some confidence.
They won't tell you to use any company's DNS server, as these are not needed. They will explain why these exist ;) ( and it has nothing to do with giving a free service, it's about money - and yes, these might be a couple of ms faster and no, you will lose DNSSEC in the process ).
But, I understand what you mean. The 'market' tries to teach us also that "VPNs" are needed for your protection and privacy. And Antivirus programs are also needed because you feel constantly the need to open every attached file (it was of course an executable) in your email because it told you that it contains the winning ticket of a lottery, or the instructions how to get your hands on the legacy of that African uncle that died, and "they" can't transfer you his fortune.
@skogs said in DNS Headaches Since Switching to PFSense:
couple of the root DNS servers NXDOMAIN,
In DNS doubts, use for example this https://www.zonemaster.net/domain_check and type in the domain name.
You'll be surprised how often a domain name has broken DNS info, so you have to wait.
Far too often, me included, we start changing settings locally, with some serious head banging, to discover afterwards that the issue wasn't on our side.
For example : a year (?) ago someone made a small error while changing some settings and the company domain name servers became unreachable. This was a big company, they had their own "AS" and now it was 'broken', and the entire thing vanished from the Internet.
Millions have restarted their routers, or worse.
It was the other side.
The company was facebook.