Unbound Not Resolving ANYTHING
-
@csit-0 Does it work if you manually restart the unbound service after the device has booted up ? (From Status -> Services)
Also try this - SSH into the PFSense box and then run:
nslookup www.google.com 127.0.0.1
Does this work ? What about:
nslookup www.google.com 192.168.1.1
Does this work ? (replace 192.168.1.1 with the actual LAN IP address of your PFSense box)
-
@dbmandrake said in Unbound Not Resolving ANYTHING:
nslookup www.google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.google.com: SERVFAIL
-
We do have VLANs, and we have changed the default subnet. We moved everything from .1 to .198, so there should be no conflicts there.
Tracert indicates a single NAT.
LAN Devices can ping the interface just fine and login to it.
We are using a Netgate 6100 with the install it came with.
We have installed pfblockerNG with default settings, but it can't block anything because unbound doesn't seem to work. Does not make a difference on or off.
Output:
2001:500:12::d0d . 258 0 94 376 376 0 0 0
2001:503:ba3e::2:30 . 701 0 94 376 376 0 0 0
199.9.14.201 . 257 9 89 365 365 0 0 0
2001:500:200::b . 257 0 94 376 376 0 0 0
192.33.4.12 . 257 8 88 360 360 0 0 0
192.112.36.4 . 257 4 79 320 320 0 0 0
2001:500:9f::42 . 258 0 94 376 376 0 0 0
199.7.91.13 . 258 8 88 360 360 0 0 0
2001:500:2f::f . 257 0 94 376 376 0 0 0
2001:dc3::35 . 257 0 94 376 376 0 0 0
202.12.27.33 . 257 8 88 360 360 0 0 0
192.203.230.10 . 257 8 88 360 360 0 0 0
198.41.0.4 . 257 8 88 360 360 0 0 0
2001:7fd::1 . 258 0 94 376 376 0 0 0
DNS Resolver Infrastructure Cache Stats
2001:500:12::d0d . 0 0 0 0 0 0 0
2001:503:ba3e::2:30 . 0 0 0 0 0 0 0
199.9.14.201 . 1 0 0 0 1 0 0
2001:500:200::b . 0 0 0 0 0 0 0
192.33.4.12 . 1 0 0 0 1 0 0
192.112.36.4 . 1 0 0 0 1 0 0
2001:500:9f::42 . 0 0 0 0 0 0 0
199.7.91.13 . 1 0 0 0 1 0 0
2001:500:2f::f . 0 0 0 0 0 0 0
2001:dc3::35 . 0 0 0 0 0 0 0
202.12.27.33 . 1 0 0 0 1 0 0
192.203.230.10 . 1 0 0 0 1 0 0
198.41.0.4 . 1 0 0 0 1 0 0
2001:7fd::1 . 0 0 0 0 0 0 0
-
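As an added example (not code from this thread, from pfSense or from Unbound), here is a small parser for `unbound-control dump_infra` output, the data behind the "DNS Resolver Infrastructure Cache Stats" table above, that separates servers Unbound has actually timed from servers still carrying its initial estimate. It assumes the labelled row layout `ip zone ttl N ping N var N rtt N rto N tA N tAAAA N tother N ednsknown N edns N delay N lame dnssec N rec N A N other N`, that the pfSense status page prints the same numbers in that order without labels (the posted rows fit this: rto equals ping + 4*var in every one, e.g. 9 + 4*89 = 365), and that 376 ms is Unbound's default RTT for a server it has never heard from. The sample rows are constructed from the numbers posted above.

```python
"""Classify entries from `unbound-control dump_infra` (Unbound's infrastructure
cache) into servers that have answered at least once and servers that have not.

Added example for this thread; not pfSense or Unbound code. Assumptions are
marked below.
"""
import ipaddress

# Assumption: Unbound's initial RTT guess for a server it has never timed (ms).
UNKNOWN_SERVER_NICENESS = 376

# Assumption: column order of one infra-cache row, as unbound-control labels it.
COLUMNS = ["ttl", "ping", "var", "rtt", "rto", "tA", "tAAAA", "tother",
           "ednsknown", "edns", "delay", "dnssec", "rec", "A", "other"]

# Constructed sample in the labelled unbound-control layout, using the values
# posted in the thread.
LABELLED = """\
2001:500:12::d0d . ttl 258 ping 0 var 94 rtt 376 rto 376 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
199.9.14.201 . ttl 257 ping 9 var 89 rtt 365 rto 365 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
192.33.4.12 . ttl 257 ping 8 var 88 rtt 360 rto 360 tA 0 tAAAA 0 tother 0 ednsknown 1 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
2001:7fd::1 . ttl 258 ping 0 var 94 rtt 376 rto 376 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
"""

# Constructed sample in the unlabelled layout the pfSense status page shows
# (rows copied from the thread).
UNLABELLED = """\
199.9.14.201 . 257 9 89 365 365 0 0 0
2001:dc3::35 . 257 0 94 376 376 0 0 0
"""


def parse_row(line):
    """Turn one infra-cache row into a dict; returns None for blank/short lines."""
    fields = line.split()
    if len(fields) < 3:
        return None
    ip, zone, rest = fields[0], fields[1], fields[2:]
    entry = {"ip": ip, "zone": zone, "family": ipaddress.ip_address(ip).version}
    if rest[0].isdigit():
        # Unlabelled (pfSense page): map the numbers positionally onto COLUMNS.
        for name, value in zip(COLUMNS, rest):
            entry[name] = int(value)
    else:
        # Labelled (unbound-control): "key value" pairs; "lame" is only a
        # prefix for the four lame counters, not a key with its own value.
        i = 0
        while i + 1 < len(rest):
            if rest[i] == "lame":
                i += 1
                continue
            entry[rest[i]] = int(rest[i + 1])
            i += 2
    return entry


def parse_infra(text):
    """Parse every row of a dump_infra (or pfSense stats) paste."""
    return [e for e in (parse_row(line) for line in text.splitlines()) if e]


def never_measured(entry):
    """True while Unbound still holds its initial estimate: no timed reply yet."""
    return entry["ping"] == 0 and entry["rtt"] == UNKNOWN_SERVER_NICENESS


def summarize(records):
    """Per address family, count servers that replied vs. never replied."""
    out = {4: {"measured": 0, "unmeasured": 0}, 6: {"measured": 0, "unmeasured": 0}}
    for e in records:
        out[e["family"]]["unmeasured" if never_measured(e) else "measured"] += 1
    return out


if __name__ == "__main__":
    for text in (LABELLED, UNLABELLED):
        for e in parse_infra(text):
            state = "never answered" if never_measured(e) else f"rtt {e['rtt']} ms"
            print(f"{e['ip']:<20} IPv{e['family']} {state}")
        print(summarize(parse_infra(text)))
```

Run on the rows posted above, every IPv4 root has a measured ping (4 to 9 ms) while every IPv6 root still sits at the default 376 ms, which is consistent with Unbound never receiving a reply over IPv6. That by itself does not explain a SERVFAIL on the IPv4 path (the tA timeout counters are all 0), so it argues for looking at validation, forwarding settings or a package such as pfBlockerNG rather than at reachability of the roots.
-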
@csit-0 Which interfaces do you have selected for "Network Interfaces" and "Outgoing Network Interfaces" in the DNS Resolver configuration ?
Are they still both on the default "All" or have you changed them ?
If you are logged into the PFSense box directly with SSH and
nslookup www.google.com 127.0.0.1
fails, (and assuming you have either All or Localhost enabled in "Network Interfaces") then unbound is not working at all and you can immediately rule out anything on the LAN side of your network or any clients. Do you get anything from the same SSH session if you try
nslookup www.google.com x.x.x.x
where x.x.x.x is your configured upstream DNS server ? Also, do you have "DNS Query Forwarding" ticked ? If not then unbound is NOT using your upstream DNS server, instead it will be trying to query the root servers directly. Make sure you tick this box if you want to forward all your queries to a specific upstream server.
Also to rule it out as a possible problem, disable the PFBlockerNG service for now. When I was playing around with PFBlockerNG I found misconfiguring it could break unbound completely.
-
They are both set to all. Fails on localhost and works on external.
Enabled DNS Query Forwarding, seemed to have missed that. Still not resolving, Server Fail.
pfblocker is disabled.
:/
-
@csit-0 I have experienced this issue several times when the admin accidentally sets the pfSense host name in a .local domain name, e.g. pfsense.domain.local
The .local part seems to mess up unbound under most circumstances. (Yes, I know it's a problematic name and is both reserved and used in mDNS). But still.....
-
@keyser It is not set to .local domain or anything like that.
DNS Resolver set to forwarding (not DNS Forwarder) seems to have randomly started working. But setting it back to the resolver mode, servfail every time.
-
@csit-0
If you have DNSBL on in pfBlockerNG try to disable it. Disabling pfBlockerNG is not sufficient. -
My unbound stopped resolving all remote addresses while local addresses worked fine just because the computer date was reset to its factory default 20 years ago. I changed the BIOS date and the resolver works again. No log on this issue, so this problem took me a day until I quickly discovered the solution from using telepathic meditation.
-
What do you have configured for ACLs in the firewall?
Are ports 53 and 853 allowed to pass your LAN interface? If you're using DoT, port 853 needs to be allowed to pass.
Do you have NAT rules in place for your port 53? If so you need to add both loopback and firewall IP for the NAT rule with it negated, meaning anything not going to the firewall or the loopback redirect that traffic to the firewall.
Have you attempted a trace route and run a ping to your DNS?
Has it ever worked before?
Does your ISP give you an IPv6 address also?
-
I was having similar symptoms for months after an ISP change. Elusive, intermittent failures. Certain sites faring well, others almost unusable. Then a day later, a seemingly random redistribution of problematic sites and working sites.
I figured out my ISP was handing out IPv6 and IPv4 addresses to DHCP clients, while only allowing port 53 traffic over IPv4 for some ungodly reason.
SOLVED: putting "do-ip6: no" in unbound.conf cleared everything right up. AAAA records still come back, but everything port 53 up- and downstream of my resolver now happens over IPv4.
Sadly I guess I cannot access any of the zero domains known to me with their authoritative nameservers only available via IPv6 unless I use my ISP's cache (lazy bums actually only offer up Google's in the DHCP response anyway; no thank you).
-
@Gawzirabaws said in Unbound Not Resolving ANYTHING:
sadly i guess i cannot access any of the zero domains known to me with their authoritative nameservers only available via ip6
I guess these exist only for testing purposes.