Netgate Discussion Forum
    Dns resolver problem

    Category: DHCP and DNS
    10 Posts 4 Posters 593 Views
    • wifi75

      Hello, I don't understand why, but if I enable those two items, navigation, or rather the resolution of DNS, becomes very slow; sometimes I have to refresh the page to open it correctly.
      In fact, if I disable them, navigation returns to being fast.
      What can I do to fix it?

      [screenshot]

      • bmeeks

        You appear to be running the pfBlockerNG package (likely with DNSBL enabled).

        When you check the DHCP Registration box, each time a DHCP client of the firewall renews its lease the unbound DNS Resolver will be restarted so it will read the DHCP leases file again (to obtain IP to hostname info).

        With DNSBL and large block lists enabled, it can take quite some time for unbound to restart. During the restart interval your system has no DNS functionality. LAN clients will see that as a sort of loss of connectivity because no domain name to IP resolution can happen.

        Some LAN devices (particularly smart home gadgets) will renew their DHCP lease quite often resulting in frequent DNS restarts. pfBlockerNG will also restart unbound each time it updates a downloaded list. Taken together these instances can result in a lot of unbound downtime.

        Until the pfSense developers rework the way dynamic DHCP hostnames are handled, it is best to leave the DHCP Registration box unchecked.

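To put a number on the downtime bmeeks describes, here is an added Python example (not code from the thread, from pfSense or from pfBlockerNG) that pairs unbound's own "service stopped" and "start of service" log messages and reports how often, and for how long, the resolver was unavailable. The log lines are constructed for the example; the timestamps and pids are made up.

```python
"""Estimate DNS resolver downtime from unbound 'service stopped'/'start of service' log lines."""
import re
from datetime import datetime

# Constructed sample, syslog-style, in the shape pfSense's resolver log would carry.
# The message texts are real unbound messages; hostnames, pids and times are invented.
SAMPLE_LOG = """\
Jan 12 10:00:01 pfSense unbound[4242]: [4242:0] info: service stopped (unbound 1.17.1).
Jan 12 10:00:09 pfSense unbound[4311]: [4311:0] info: start of service (unbound 1.17.1).
Jan 12 10:03:30 pfSense unbound[4311]: [4311:0] info: service stopped (unbound 1.17.1).
Jan 12 10:03:41 pfSense unbound[4380]: [4380:0] info: start of service (unbound 1.17.1).
Jan 12 10:10:00 pfSense unbound[4380]: [4380:0] info: service stopped (unbound 1.17.1).
Jan 12 10:10:04 pfSense unbound[4450]: [4450:0] info: start of service (unbound 1.17.1).
"""

LINE_RE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) .*unbound\[\d+\]: .*(service stopped|start of service)"
)


def parse_events(text, year=2024):
    """Return [(timestamp, 'stop'|'start'), ...]; syslog lines carry no year, so one is supplied."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        events.append((ts, "stop" if m.group(2) == "service stopped" else "start"))
    return events


def downtime_windows(events):
    """Pair each stop with the next start; a trailing stop with no start counts as still down."""
    windows, stopped_at = [], None
    for ts, kind in events:
        if kind == "stop":
            stopped_at = ts
        elif kind == "start" and stopped_at is not None:
            windows.append((stopped_at, (ts - stopped_at).total_seconds()))
            stopped_at = None
    return windows, stopped_at


def summarize(text, year=2024):
    """Restart count, total and longest outage in seconds, and whether unbound is still down."""
    windows, still_down = downtime_windows(parse_events(text, year))
    secs = [s for _, s in windows]
    return {"restarts": len(windows), "total_down_s": sum(secs),
            "max_down_s": max(secs, default=0.0), "still_down": still_down is not None}
```

Run it against a real resolver log export to see how much of the day the DHCP Registration and DNSBL restarts add up to; every window is a period in which LAN clients get no answers at all.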
        • wifi75 @bmeeks

          @bmeeks Thank you so much for your professional response.
          Now at least I know the reason why everything slowed down.

          Thanks again

          • Gertjan @wifi75

            @wifi75

            [screenshot]

            Because you're using pfBlockerNG, activate the 'python' mode.

            [screenshot]

            Right now, you saw that the resolver is often unavailable - and for a rather long duration.

            You understand it now: you did everything to create this situation, and to make the worst of it ;)

            This option :

            [screenshot]

            is by default not activated. '...... for reasons ....' (see the other 1000+ forum posts about the subject).
            You can activate it - and nothing will happen if you use one or two LAN devices, all using static IP settings 😊 This means there won't be any DHCP "leases" activity.
            Or use static MAC DHCP leases for all your devices.
            This issue is being redesigned and rewritten right now, and soon "DHCP Registration" won't have the "resolver restart issue" any more.

            This option :
            [screenshot]
            can be activated without any consequences.
            Static leases are read when the system starts - or when you (the admin) add/remove/modify one.
            That's normally a very rare event.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            • wifi75 @Gertjan

              @Gertjan And these, how should I configure them?

              [screenshot]

              • Gertjan @wifi75

                @wifi75

                Python Control : Click on the [info icon] and read.
                If you say : "hey, I need that", then activate it.
                No nasty side consequences afaik.

                TLD Allow / IDN Blocking : like salt and pepper : add according to your taste.

                Regex blocking : be careful : very powerful and aggressive blocking. If the word 'regex' doesn't mean anything to you, stay away.

                NoAAAA : if you want to force IPv4 to certain hosts.

                Group Policy : These IPv4/IPv6 will not be filtered. Like : your PC isn't DNSBL filtered, everybody else (not listed) : they will be filtered.

                • wifi75 @Gertjan

                  @Gertjan Hi, all clear, thanks again for solving my problem.
                  One question: is it possible to associate a web page that informs that the site has been blocked by pfSense? Just to figure out who blocked what?

                  • wifi75 @wifi75

                    why?

                    [screenshot]

                    • Gertjan @wifi75 (last edited by Gertjan)

                      @wifi75

                      As you've discovered, "DHCP Registration" restarts unbound (the resolver) 'all the time'.
                      This was creating severe issues - memory loss, restart problems etc.

                      This was somewhat resolved with the latest pfBlockerNG and latest pfSense (23.05).
                      Make life easy on yourself : "DHCP Registration" => do not activate it.

                      @wifi75 said in Dns resolver problem:

                      one question, but is it possible to associate a web page that informs that the site has been blocked by pfsense? just to figure out who blocked what?

                      That's what

                      [screenshot]

                      is all about.

                      But ...... here it comes : this only works for http:// access.
                      Not https://.....
                      Better yet : you don't want it to work for https://....

                      So, again :

                      @wifi75 said in Dns resolver problem:

                      one question, but is it possible to associate a web page that informs that the site has been blocked by pfsense? just to figure out who blocked what?

                      This was working just fine in the good old days, when there was http://....
                      These days, http://.... is being abandoned fast - and in most case even impossible : there won't be any http:// site anymore very soon.
                      edit : and if you find one, run. Don't look back, run away from it. Don't go there. See it as driving on the wrong side of the road : it's, for a short moment, thrilling .... interesting .... strange .... and then your life stops.

                      test for yourself : connect to your bank using http://
                      facebook.com
                      twitter.com
                      etc etc etc.

                      Did it work ?
                      Nope, of course not.

                      Google doesn't even index http://, for many years now.

                      Now : the same question again :
                      If you could intercept https:// traffic, your neighbor could do also.
                      Your ISP.
                      Every 3 letter agency could also.
                      Etc.

                      Again : that's what you want ? 😊

                      So, final words : having a nice page showing the user that he wanted to visit a blocked web site is impossible.

                      • johnpoz (LAYER 8 Global Moderator) @Gertjan (last edited by johnpoz)

                        @Gertjan said in Dns resolver problem:

                        showing the user that he wanted to visit a blocked web site is impossible

                        Never say that ;)

                        But yeah, it's pretty freaking difficult to do with https: you would have to generate on the fly a cert that matches where he was wanting to go, www.somewhere.tld, and also that browser would have to trust the CA that created said cert on the fly.

                        And if the site was using something like pinning, and he had been there before - again, he's probably going to scream at you that this cert isn't right, etc.

                        If it was easy it would really break the whole end to end trust thing ;) It's not impossible, but yeah, the client is doing everything it can to know that the https connection is trusted and secure from the client to the server.. Now if you control the client and get him to trust certs you create, then sure, pretty easy to do mitm.. But it also becomes resource hungry creating certs on the fly for any fqdn the client might be going to.

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.