Netgate Discussion Forum
    DNS Headaches Since Switching to PFSense

    Category: DHCP and DNS (48 Posts, 8 Posters, 8.5k Views)

    Gertjan @thiasaef (last edited by Gertjan)

      @thiasaef said in DNS Headaches Since Switching to PFSense:

      I agree that we do not know the root cause of the Unbound restarts @Ashkaan is seeing yet.

      What we do know is that the "DNS Registration", once disabled, will not restart unbound any more.

      Btw : unbound will still restart. Here is what mine does.

      The restarts are: me, as I'm messing around with pfSense. It could be reboots, it could be pfBlockerNG-devel after feeds get updated (once a day or once a week).

      But the graphs show that this happens once a day, or less.

      Earlier in the thread we saw a lot of "unbound stop". These should come with a 'start':

      grep 'start\|stop' /var/log/resolver.log
      

      Someone, or something, another process, is restarting unbound. This could be the pfSense package pfBlockerNG-devel; I know because I'm using that pfSense package.
      It could also be a hardware 'link' event. I just ripped out the WAN cable of pfSense, and put it back in: unbound was restarted. For the LAN interface the behaviour would be identical (I didn't test). These events should be very rare.

      unbound does not restart itself, and I did not see it crashing.

      Btw : @Ashkaan :
      This :

      [image attachment]

      You've treated the "hostnames" column as some sort of comment field.
      That's wrong.
      A host name should be a host name. And not only that, it should be 'PTR' of the IP :
      1.1.1.1 == one.one.one.one.
      8.8.8.8 == dns.google.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      Ashkaan @Gertjan
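      Gertjan's point above, that every "stop" in resolver.log should be paired with a "start" and that more than about one restart a day is abnormal, can be checked with a script instead of by eye. This is an added example, not code from the thread or from pfSense; the log lines are constructed in the format Unbound writes to /var/log/resolver.log.

```python
import re
from collections import Counter

# Constructed sample lines in the format Unbound writes to /var/log/resolver.log
# on pfSense (not lines from the thread): three stop/start pairs, then a stop
# with no matching start.
SAMPLE_LOG = """\
Mar  3 04:00:01 pfSense unbound[41211]: [41211:0] info: service stopped (unbound 1.17.1).
Mar  3 04:00:02 pfSense unbound[41588]: [41588:0] info: start of service (unbound 1.17.1).
Mar  3 09:15:44 pfSense unbound[41588]: [41588:0] info: service stopped (unbound 1.17.1).
Mar  3 09:15:45 pfSense unbound[45012]: [45012:0] info: start of service (unbound 1.17.1).
Mar  3 09:21:10 pfSense unbound[45012]: [45012:0] info: service stopped (unbound 1.17.1).
Mar  3 09:21:11 pfSense unbound[45390]: [45390:0] info: start of service (unbound 1.17.1).
Mar  3 13:02:00 pfSense unbound[45390]: [45390:0] info: service stopped (unbound 1.17.1).
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: .*?info: "
    r"(?P<event>start of service|service stopped)"
)


def restart_events(log_text):
    """Extract (timestamp, 'start'|'stop') from each Unbound lifecycle line."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            kind = "start" if m.group("event") == "start of service" else "stop"
            events.append((m.group("ts"), kind))
    return events


def summarize(events):
    """Pair each stop with the following start. A stop never followed by a
    start means unbound is down right now; an hour with more than one restart
    is far above the once-a-day-or-less that Gertjan calls normal."""
    restarts, pending_stop = [], None
    for ts, kind in events:
        if kind == "stop":
            pending_stop = ts
        elif pending_stop is not None:
            restarts.append((pending_stop, ts))
            pending_stop = None
    per_hour = Counter(stop.rsplit(":", 2)[0] for stop, _ in restarts)
    busy_hours = sorted(h for h, n in per_hour.items() if n > 1)
    return {"restarts": restarts, "unpaired_stop": pending_stop, "busy_hours": busy_hours}


if __name__ == "__main__":
    print(summarize(restart_events(SAMPLE_LOG)))
```

      On a real box, feed it the output of the grep from the post above (or the whole file) and look at which hours cluster; pfBlockerNG feed updates and link events leave their own entries nearby in the system log.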

        @gertjan said in DNS Headaches Since Switching to PFSense:

        Btw : @Ashkaan :
        This :

        [image attachment]

        You've treated the "hostnames" column as some sort of comment field.
        That's wrong.
        A host name should be a host name. And not only that, it should be 'PTR' of the IP :
        1.1.1.1 == one.one.one.one.
        8.8.8.8 == dns.google.

        Oh wow! Good thing I deleted both altogether once I was educated that those were not necessary when running Unbound.

        skogs @Ashkaan

          @ashkaan
          Assuming this is fixed now?
          With the errant comments out of the TLS verification hostname section, the system should be actually accepting the responses from the upstream servers.

          Ashkaan @skogs
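          Gertjan's remark that the hostname column must hold the PTR name of the IP, and skogs' note that it is the TLS verification hostname, amount to a check that can be scripted. This is an added example, not code from the thread or from pfSense; the reverse-lookup table is constructed so the check runs offline, and the two mappings in it are the ones quoted above.

```python
import re

# Constructed reverse-lookup table standing in for live PTR answers, so the
# check runs offline; the two mappings are the ones quoted in the thread.
PTR_TABLE = {"1.1.1.1": "one.one.one.one", "8.8.8.8": "dns.google"}

# One DNS label: 1-63 chars, letters/digits/hyphen, no leading or trailing hyphen.
LABEL_RE = re.compile(r"^(?!-)[A-Za-z0-9-]{1,63}(?<!-)$")


def is_valid_hostname(name):
    """Syntactic check: does the string look like a DNS name at all?"""
    name = name.rstrip(".")
    if not name or len(name) > 253:
        return False
    return all(LABEL_RE.match(label) for label in name.split("."))


def check_tls_hostnames(entries, ptr_lookup=PTR_TABLE.get):
    """entries: list of (ip, hostname) as typed into the DNS server table.

    Returns (ip, hostname, problem) per entry; problem is None when the name
    is usable for TLS certificate verification, otherwise a short reason.
    The name must be a real hostname and should equal the PTR of the IP."""
    findings = []
    for ip, host in entries:
        host = host.strip()
        if not host:
            problem = "empty: nothing for TLS verification to match"
        elif not is_valid_hostname(host):
            problem = "not a hostname (looks like a comment)"
        else:
            expected = ptr_lookup(ip)
            if expected is None:
                problem = "no PTR record available to compare against"
            elif host.rstrip(".").lower() != expected.rstrip(".").lower():
                problem = "does not match PTR " + expected
            else:
                problem = None
        findings.append((ip, host, problem))
    return findings


if __name__ == "__main__":
    # Constructed entries: a comment typed into the hostname field, a correct
    # name with trailing dot, and a server the table has no PTR for.
    sample = [("1.1.1.1", "Cloudflare primary"), ("8.8.8.8", "dns.google."),
              ("9.9.9.9", "dns.quad9.net")]
    for ip, host, problem in check_tls_hostnames(sample):
        print(ip, repr(host), problem or "OK")
```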

            @skogs Nope, still happening and I have no idea where to look. The good news is that I was able to try pinging during the outage and ping (and I assume DNS resolution) worked great. There's something else going on with the PFSense and I can't figure it out.

            I popped in my EdgeRouter for a couple of days and the issue didn't happen once. I put PFSense back last night and it happened this morning. I'm lost.

            Gertjan @Ashkaan

              @ashkaan said in DNS Headaches Since Switching to PFSense:

              once I was educated that those were not necessary when running Unbound.

              Unbound is a resolver like 8.8.8.8 or 1.1.1.1, these talk directly to Internet's main "13" root DNS servers.
              All the processes in pfSense talk to 127.0.0.1 (not a LAN, or WAN), and unbound listens on that interface also.
              So, yes, no need to enter any DNS servers in System > General Setup.

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              Gertjan @Ashkaan

                @ashkaan said in DNS Headaches Since Switching to PFSense:

                I put PFSense back last night and it happened this morning. I'm lost.

                What about the default setup (see message above): don't forward.
                I guess Google and 1.1.1.1 and others don't mind if you do not hand over your DNS questions ;)

                No "help me" PM's please. Use the forum, the community will thank you.
                Edit : and where are the logs ??

                Ashkaan @Gertjan

                  @gertjan The DNS fields are blank just as you guys prescribed. Is that your question?

                  skogs @Ashkaan

                    @ashkaan
                    Having a constant ping proves the outside line is up and route functioning, it doesn't do squat for anything that is suspected of being DNS related.

                    @Gertjan yes it can be completely blank, but 99% of people will put something in there, and many will turn off the root dns servers.

                    I think this has been going on for 2 weeks and still no actual direct queries confirmed. :)

                    A week or so ago I was banging my head against the wall on a strange 'dead' website - direct nslookups to my normal outside 4 DNS servers responded with NXDOMAIN, couple of the root DNS servers NXDOMAIN, some rando DNS server that I've never used before that day (9.9.9.9) actually resolved it normally. Super whack. Strange things happen. My guess was something strange happening with the hosting company. Naturally I was questioning pfsense resolver at the time...but it certainly wasn't the source of the problem. Just took a lot of console work and head scratching.

                    Ashkaan @skogs

                      @skogs Sorry, direct query confirmed (if I understand correctly). I could load google.com or (as a test) cnn.com in Safari on my phone, so I opened Fing and pinged google.com and it immediately resolved and pinged fast pings.

                      Gertjan @skogs (last edited by Gertjan)

                        @skogs said in DNS Headaches Since Switching to PFSense:

                        but 99% of people will put something in there, and many will turn off the root dns servers.

                        99?
                        Keep in mind that most people can access YouTube these days.
                        It's easy to find some video that explains what DNS is. Take one from some respectable school, like a prof from MIT; these guys normally inspire some confidence.
                        They won't tell you to use any company's DNS server, as these are not needed. They will explain why these exist ;) (and it has nothing to do with giving a free service, it's about money - and yes, these might be a couple of ms faster, and no, you will lose DNSSEC in the process).

                        But, I understand what you mean. The 'market' also tries to teach us that "VPNs" are needed for your protection and privacy. And antivirus programs are also needed because you constantly feel the need to open every attached file (it was of course an executable) in your email, because it told you that it contains the winning ticket of a lottery, or the instructions on how to get your hands on the legacy of that African uncle that died, and "they" can't transfer you his fortune.

                        @skogs said in DNS Headaches Since Switching to PFSense:

                        couple of the root DNS servers NXDOMAIN,

                        If in doubt about DNS, use for example this https://www.zonemaster.net/domain_check and type in the domain name.
                        You'll be surprised how often a domain name has broken DNS info, so you have to wait.
                        Far too often, me included, we start changing settings locally, with some serious head banging, to discover afterwards that the issue wasn't on our side.
                        For example: a year (?) ago someone made a small error while changing some settings and the company domain name servers became unreachable. This was a big company, they had their own "AS" and now it was 'broken', and the entire thing vanished from the Internet.
                        Millions have restarted their routers, or worse.
                        It was the other side.
                        The company was Facebook.

                        No "help me" PM's please. Use the forum, the community will thank you.
                        Edit : and where are the logs ??

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.