Intermittent DNS Failure
-
I'm currently running 23.01-release on a Netgate SG-1100. I'm getting the error DNS_PROBE_POSSIBLE when trying to reach sites using https. The error is intermittent and goes away after a few seconds. I can reach some sites using their FQDN while this is happening. I'm using Cloudflare for DNS (1.0.0.2/1.1.1.1) and have DNSSEC enabled.
The problem is occurring often enough to be frustrating and annoying. Any suggestions would be appreciated. The error occurs on multiple sites and on different browsers.
-
@kenw I believe it's unnecessary to use DNSSEC when forwarding to trusted resolvers like Cloudflare. I suggest disabling DNSSEC to see if the error ceases.
-
@kenw I haven't seen a CloudFlare doc (haven't looked) but Quad9 specifically says using DNSSEC with forwarding may cause false failures.
Also see long thread https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/ which is not just about Quad9.
TL;DR: disable DNSSEC; if you still have issues, disable DNS over TLS; if you still have issues, try 23.05.
-
@steveits Thank you for your help. I suspected that DNSSEC might be the problem. My current DNS Resolver settings are:
1/ System Domain Local Zone Type: Transparent
2/ Enable DNSSEC Support: Checked
3/ Enable Forwarding Mode: Unchecked
4/ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Unchecked
5/ Register DHCP static mappings in DNS Resolver: Checked
After reading the response to my initial post, I think my new config should be:
1/ System Domain Local Zone Type: Transparent (unchanged)
2/ Enable DNSSEC Support: Unchecked (changed)
3/ Enable Forwarding Mode: Checked (changed)
4/ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked (changed)
5/ Register DHCP static mappings in DNS Resolver: Checked (unchanged)
Is this correct? If so, will #5 still resolve my DHCP static mappings properly?
-
@kenw You mentioned you were using Cloudflare so I assumed you were forwarding. How are you using Cloudflare?
If you forward you may need to uncheck DNS over TLS. It works for some people, not for others.
-
@steveits I put the Cloudflare servers in System > General Setup > DNS Servers, thinking they would be used if a site could not be resolved by pfSense. I guess without checking Enable Forwarding Mode that is NOT what is happening, and instead the ISP DNS servers are used. Correct?
-
@kenw The DNS servers there are for pfSense itself to connect out to the Internet.
If devices on the LAN are configured to use pfSense for DNS, then they will ask Unbound, which by default resolves DNS directly with the root servers.
If forwarding is not enabled in the DNS Resolver settings, then what I said above about DNSSEC and DNS over TLS is not relevant.
If you are using "Register DHCP static mappings in DNS Resolver", then whenever a lease renews, Unbound will restart. If you have 30 PCs and a 1-hour DHCP lease time, then on average a PC will renew every minute (30 PCs renewing every half hour), so Unbound restarts a lot. If you need that setting, then one option is to lengthen the lease time.
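For readers who want to see what the Resolver checkboxes discussed in this thread translate to underneath, here is an added example of the equivalent Unbound configuration for the "forward over TLS, DNSSEC off" setup. It is not the thread's own content and not the unbound.conf that pfSense generates; the directive names are Unbound's, while the CA bundle path, the local domain and the Cloudflare TLS hostnames are assumptions to check against your own system.

```conf
# Added example (not from the thread or from pfSense's generated config):
# Unbound forwarding all queries to Cloudflare over DNS over TLS with
# DNSSEC validation disabled, matching the GUI settings discussed above.
server:
    # "Enable DNSSEC Support" unchecked: run only the iterator module.
    # Enabling it would be: module-config: "validator iterator"
    module-config: "iterator"

    # CA bundle used to verify the forwarders' TLS certificates.
    # Path is an assumption (FreeBSD/pfSense commonly ship /etc/ssl/cert.pem).
    tls-cert-bundle: "/etc/ssl/cert.pem"

    # "System Domain Local Zone Type: Transparent" for the LAN domain
    # (domain name assumed; DHCP/static-mapping registrations land here).
    local-zone: "home.arpa." transparent

forward-zone:
    # "Enable Forwarding Mode" checked: forward the root zone, i.e. everything.
    name: "."
    # "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" checked.
    forward-tls-upstream: yes
    # address@port#authname: Unbound checks the name after '#' against the
    # server certificate, so a spoofed forwarder fails the TLS handshake.
    # Hostnames are assumptions: cloudflare-dns.com for 1.1.1.1 and
    # security.cloudflare-dns.com for the filtering resolver 1.0.0.2.
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.2@853#security.cloudflare-dns.com
```

Run `unbound-checkconf` against the file before loading it. Two caveats worth knowing when you choose this configuration: with `module-config: "iterator"` your resolver no longer validates signatures itself, so you are trusting the forwarder to validate and relying on the authenticated TLS channel to carry its answers unmodified; and 1.0.0.2 belongs to Cloudflare's malware-filtering service while 1.1.1.1 is the unfiltered one, so mixing them means a given lookup is filtered only when Unbound happens to pick the filtering forwarder.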
-
@steveits Thank you so much for your help in better understanding how DNS in pfSense works!
I have made the following changes and will monitor the results over the next few days.
1/ System Domain Local Zone Type: Transparent (unchanged)
2/ Enable DNSSEC Support: Unchecked (changed)
3/ Enable Forwarding Mode: Checked (changed)
4/ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked (changed)
5/ Register DHCP static mappings in DNS Resolver: Checked (unchanged)
I also checked the system logs for Unbound restarts and saw only 3 in the month of April.
-
@kenw said in Intermittent DNS Failure:
@steveits Thank you so much for your help in better understanding how DNS in pfSense works!
I have made the following changes and will monitor the results over the next few days.
1/ System Domain Local Zone Type: Transparent (unchanged)
2/ Enable DNSSEC Support: Unchecked (changed)
3/ Enable Forwarding Mode: Checked (changed)
4/ Use SSL/TLS for outgoing DNS Queries to Forwarding Servers: Checked (changed)
5/ Register DHCP static mappings in DNS Resolver: Checked (unchanged)
I also checked the system logs for Unbound restarts and saw only 3 in the month of April.
The system has been running without problems for 2 weeks after applying the above changes. The problem seems to be resolved.