Pfsense no DNS sometimes
-
This is going to be a hard one for me to nail so any advice would be appreciated. I resolve DNS locally in the pfsense box and use OpenVPN. I used to schedule a daily reboot at 05:00 to refresh the VPN provided IP address. However I found browsers wouldn't connect afterwards even though the pfsense dashboard showed the connections to WAN and VPN were good. A connection to my AV provider's update server IP would get through, but only after forcing a pfsense reboot could I get web browsing and DNS resolved.
In the past I've found changing firewall settings required a pfsense reboot. But in this case it seems that breaking a good connection then re-establishing it via VPN breaks DNS. Then after some time (whilst the VPN tunnel is being re-established?), I get routing and connections but no DNS resolved.
Does anybody have any ideas, or suggest where in the logs I should be looking to try and understand what's going on? I've since removed the 05:00 cron daily reboot. But I can still get the same problem if I manually select another OpenVPN server. The new routing then all looks good on the dashboard, but DNS isn't resolved until pfsense is rebooted.
Thanks
-
So you have an OpenVPN client you're routing some traffic across? Are you using policy routing rules for that?
Is that set as the default gateway for the system?
How is DNS configured? Is Unbound using only the VPN interface for outbound connections?
Steve
-
@voxmagna1
Thanks, OpenVPN is set as the default gateway, all traffic goes to the VPN and I've set firewall rules to prevent traffic bypassing the VPN. I had a look at my Resolver and Forwarder settings. DNS forwarding is not enabled and I thought that should be sufficient. But when I look at my Resolver settings I see the option DNS Query Forwarding is checked, I've now unchecked it.
Also in Resolver, System domain local zone was set to static which I've now changed to transparent.
The advice from VPN providers is to use their DNS servers. My VPN provider doesn't support TLS so I've got my router set to use TLS on Cloudflare servers.
I have to admit this is all getting beyond my knowledge now and I'm more likely to break the box with so many setting options I could misconfigure.
I mentioned this once before as an idea for sharing and solving pfsense setup problems. My XML backup file (about 1.5Mb) contains all the pfsense settings. In the same way I might share a diagnostics scan from my car, exchanging an anonymised pfsense XML backup might be helpful for those that can understand it? Even better, if there was a helper application or pfsense software emulator that could pull out the structure from a backup to help diagnose problems?
-
If you had query forwarding enabled then Unbound (the resolver) would have been forwarding queries to whatever servers are set in System > General Setup. That could also include your ISP's DNS servers if you have it set to allow them to override the entered servers. The OpenVPN client can also add servers too.
In a setup like that the important thing is that you have DNS queries be resolved at the same location as traffic is exiting. So using the VPN provider's resolvers works well. It's debatable whether it makes any difference if the VPN provider's servers support TLS or not since all traffic between you and them is over the VPN anyway.
With Unbound in forwarding mode it sends queries to the defined servers using the system routing table which should mean over the VPN if it's set as the default gateway. However you might find the system opens states in the WAN if the VPN is down and if those states remain up pfSense may continue to try to use them.
In resolving mode you need to either set the 'Outgoing Network Interfaces' to localhost (and rely on routing to use the correct interface) or set it to the OpenVPN interface directly.
There is a diagnostic file you can retrieve via the unlinked page <your firewall>/status.php
We use that in support and a lot of things are redacted. You still wouldn't want to post it publicly though.
Steve
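The earlier post asks for a helper that pulls the relevant structure out of a config backup; as an added example (not from the thread or from pfSense itself), this script reads the `<system>` and `<unbound>` sections of a pfSense config.xml and reports the settings Steve walks through: query forwarding, the DNS override option, and the outgoing interface. The sample XML is constructed, and the tag names assume pfSense's config layout where boolean options appear as empty elements.

```python
import xml.etree.ElementTree as ET

# Constructed sample resembling the DNS-relevant parts of a pfSense
# config.xml backup (tag names are an assumption about the layout).
SAMPLE_CONFIG = """<?xml version="1.0"?>
<pfsense>
  <system>
    <dnsserver>1.1.1.1</dnsserver>
    <dnsserver>1.0.0.1</dnsserver>
    <dnsallowoverride></dnsallowoverride>
  </system>
  <unbound>
    <enable></enable>
    <forwarding></forwarding>
    <active_interface>all</active_interface>
    <outgoing_interface>all</outgoing_interface>
    <system_domain_local_zone_type>static</system_domain_local_zone_type>
  </unbound>
</pfsense>
"""


def audit_dns(config_xml: str) -> dict:
    """Extract resolver settings and list findings that match the thread's
    failure mode: queries leaving by a path other than the VPN tunnel."""
    root = ET.fromstring(config_xml)
    system = root.find("system")
    unbound = root.find("unbound")
    if unbound is None:
        return {"findings": ["No <unbound> section: DNS Resolver not configured"]}
    settings = {
        "dnsservers": [e.text for e in system.findall("dnsserver")],
        # Boolean options are present-as-empty-element when enabled.
        "dnsallowoverride": system.find("dnsallowoverride") is not None,
        "forwarding": unbound.find("forwarding") is not None,
        "outgoing_interface": unbound.findtext("outgoing_interface") or "all",
        "local_zone_type": unbound.findtext("system_domain_local_zone_type", "transparent"),
    }
    findings = []
    if settings["forwarding"]:
        findings.append("Forwarding mode: queries go to System > General Setup servers")
        if settings["dnsallowoverride"]:
            findings.append("DNS override allowed: ISP or VPN-pushed servers may replace them")
    elif settings["outgoing_interface"] == "all":
        findings.append("Resolving mode with outgoing interface 'all': pin to localhost or the OpenVPN interface")
    settings["findings"] = findings
    return settings


if __name__ == "__main__":
    for line in audit_dns(SAMPLE_CONFIG)["findings"]:
        print("-", line)
```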