Netgate Discussion Forum

    DNS resolver stops working after a while

    • etoel

      pfSense 23.01 on Netgate 6100
      Running DNS Resolver
      Running pfBlockerNG

      I have been running this configuration for about a year (upgraded to 23.01 when released).
      I have my Windows 11 computer configured to use DHCP and automatic DNS.
      After a reboot of my computer it works perfectly fine, but after some time (hours) I am unable to resolve hosts.

      If I try nslookup <target URL> <DNS IP> it times out.
      When I inspect the DNS resolver logs I find that the domain name I use for the Netgate box is added as a suffix:

      info: resolving netgate.com.<domain>. A IN

      ipconfig /all on my computer lists that domain as DNS Suffix Search List (but not Primary Dns Suffix) and the adapter has it as Connection-specific DNS Suffix. I have not configured this on my computer and it is a member of a workgroup, not a domain.

      I did not have this issue before upgrading to 23.01, but I have also tinkered a bit with pfBlocker after that so it may not be the cause.

      I don't understand why the nslookup times out, but maybe it is recursive when that suffix (same as the box) is added? Chrome displays DNS_BAD_CONFIG when it cannot resolve.

      Is the added suffix the problem? If so, how do I get rid of it?

      Thank you

      • SteveITS @etoel

        @etoel There are several DNS threads … https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/ for example.

        If you are forwarding, disable DNSSEC, and maybe DNS over TLS.

        I’d expect the DNS search list to get appended if the first query fails…? I’d guess your issue is probably the above.

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

        • Gertjan @etoel

          @etoel said in DNS resolver stops working after a while:

          Is the added suffix the problem? If so how do I get rid of it?

          The problem is ..... we, that is you, me and nearly everybody else, are doing it wrong.

          Launch this in a pfSense SSH or console session:

          tail -f /var/log/pfblockerng/dns_reply.log
          

          Now you have a nice view on what the resolver does.

          On a 'dos' command prompt, do a

          nslookup google.com
          

          You will see 2, 3 requests for google.com in the log, the first with the "Connection-specific DNS Suffix" appended.

          Now, again:

          nslookup google.com.
          

          Did you see the dot at the end? That is the correct way of spelling a host name.
          Now, nslookup will not insist on adding the local "Connection-specific DNS Suffix", as the final dot means: this is the end, nothing comes after it. You'll see just one or two google.com. DNS requests in the log. No more "Connection-specific DNS Suffix" added.
          One or two queries, A and/or AAAA, are asked.

          Btw:
          Enter nslookup without options, and then type help + Enter.
          Type set d2 + Enter

          and now do a test again, like
          google.com

          and now you can see what happened, as you have debug mode level 2 activated.

          Btw: I'm running 23.01 on a 4100 (that's a small 6100 ;) ) with the latest pfB 3.2.0_3.
          Resolver settings are 'vanilla', which means I'm resolving.
          My DNS resolver never dies on me.
          Btw: DNSSEC is activated. Works great ..... I guess, as I never noticed an issue.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit: and where are the logs??
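An added example (my own code, not from this thread, pfSense or pfBlockerNG) of the two behaviours Gertjan describes: the search-list expansion a stub resolver performs unless the name ends in a dot, and a scan of unbound-style "info: resolving" log lines for lookups where the connection-specific suffix was appended to a name that already looked fully qualified. The suffix home.lan and the log lines are constructed.

```python
import re
from typing import List, Tuple

# Constructed Connection-specific DNS Suffix, standing in for the thread's <domain>.
SEARCH_LIST = ["home.lan"]


def candidate_queries(name: str, search_list: List[str]) -> List[str]:
    """Return the absolute names a stub resolver is assumed to try, in order.

    A trailing dot marks the name as fully qualified, so only that name is tried.
    Otherwise each search-list suffix is appended first and the bare name comes
    last, which matches the order observed in the resolver log above.
    """
    if name.endswith("."):
        return [name]
    tries = [f"{name}.{suffix.rstrip('.')}." for suffix in search_list]
    tries.append(f"{name}.")
    return tries


# Matches the "info: resolving <qname> <qtype> IN" lines quoted in the thread.
LOG_RE = re.compile(r"info: resolving (?P<qname>\S+) (?P<qtype>\S+) IN")


def suffixed_queries(log_lines: List[str], suffix: str) -> List[Tuple[str, str]]:
    """Return (qname, qtype) for lookups where the suffix was appended to a name
    that already contained a dot, i.e. a query that should have been absolute."""
    suffix = suffix.rstrip(".") + "."
    hits = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if qname.endswith("." + suffix):
            original = qname[: -len(suffix) - 1]   # strip ".home.lan."
            if "." in original:                    # "nas" is a legit local host, skip it
                hits.append((qname, m.group("qtype")))
    return hits


# Constructed sample log lines in the format shown in the first post.
SAMPLE_LOG = [
    "info: resolving netgate.com.home.lan. A IN",
    "info: resolving netgate.com. A IN",
    "info: resolving nas.home.lan. A IN",
    "info: resolving google.com.home.lan. AAAA IN",
]

if __name__ == "__main__":
    print(candidate_queries("google.com", SEARCH_LIST))
    print(suffixed_queries(SAMPLE_LOG, SEARCH_LIST[0]))
```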

          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.