Netgate Discussion Forum

    certain website taking long to respond or error NX DNS

    DHCP and DNS
    18 Posts 4 Posters 1.3k Views
    • S
      scorpoin
      last edited by

      Greetings.

      I'm using pfBlockerNG for blacklisting domains. I came across a strange issue with DNS resolving; indeed, that domain is not blacklisted by pfBlocker. But when I nslookup from my Windows client machine:

      nslookup portal.accaglobal.com
      Server:  pfSense.local.landomain
      Address:  172.x159.x  <== this my local-pfsense-IP
      
      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      *** Request to pfSense.local.landomain timed-out
      

      Trying to access portal.accaglobal.com via browser.

      This site can’t be reached
      portal.accaglobal.com’s DNS address could not be found. Diagnosing the problem.
      Try running Windows Network Diagnostics.
      DNS_PROBE_STARTED
      

      This is from my Linux cloud server:

      nslookup portal.accaglobal.com
      Server:         185.12.64.1
      Address:       185.12.64.1#53
      
      Non-authoritative answer:
      portal.accaglobal.com   canonical name = epflecw.x.incapdns.net.
      Name:   epflecw.x.incapdns.net
      Address: 45.60.73.34
      

      When I ping portal.accaglobal.com, this is very unusual behavior:

      ping portal.accaglobal.com
      Ping request could not find host portal.accaglobal.com. Please check the name and try again.
      
      Now pinging again after a while:
      
      ping portal.accaglobal.com
      
      Pinging epflecw.x.incapdns.net [45.60.79.34] with 32 bytes of data:
      Reply from 45.60.79.34: bytes=32 time=80ms TTL=53
      Reply from 45.60.79.34: bytes=32 time=83ms TTL=53
      Reply from 45.60.79.34: bytes=32 time=80ms TTL=53
      Reply from 45.60.79.34: bytes=32 time=80ms TTL=53
      
      Ping statistics for 45.60.79.34:
          Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
      Approximate round trip times in milli-seconds:
          Minimum = 80ms, Maximum = 83ms, Average = 80ms
      

      Anyone have any idea what the issue could be?

      Regards

      • V
        viragomann @scorpoin
        last edited by

        @scorpoin
        Do you allow UDP access to pfSense at port 53?

        • johnpozJ
          johnpoz LAYER 8 Global Moderator @scorpoin
          last edited by johnpoz

          @scorpoin said in certain website taking long to respond or error NX DNS:

          portal.accaglobal.com

          It's quite possible it's taking longer to resolve than the client is willing to wait..

          Are you just resolving, or have you set up unbound to forward? If you're just resolving, which is how pfSense works out of the box, do a trace from pfSense to see where you might be running into a problem with the resolve process.

          Example

          [23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: dig portal.accaglobal.com +trace
          
          ; <<>> DiG 9.18.13 <<>> portal.accaglobal.com +trace
          ;; global options: +cmd
          .                       46790   IN      NS      g.root-servers.net.
          .                       46790   IN      NS      h.root-servers.net.
          .                       46790   IN      NS      i.root-servers.net.
          .                       46790   IN      NS      j.root-servers.net.
          .                       46790   IN      NS      k.root-servers.net.
          .                       46790   IN      NS      l.root-servers.net.
          .                       46790   IN      NS      m.root-servers.net.
          .                       46790   IN      NS      a.root-servers.net.
          .                       46790   IN      NS      b.root-servers.net.
          .                       46790   IN      NS      c.root-servers.net.
          .                       46790   IN      NS      d.root-servers.net.
          .                       46790   IN      NS      e.root-servers.net.
          .                       46790   IN      NS      f.root-servers.net.
          .                       46790   IN      RRSIG   NS 8 0 518400 20231118170000 20231105160000 46780 . kI5bmOPd8KuD73TRLnMSFMqAiZkx9TjMxX7nToa3GZr4zzdR8QbKh+Tw ykMnJQgCsgwtnABMpZxch7akLp5G1bda6e54ityo9n//xkndR78yLLMv Pscyqgzn8KoX5pBOqyo9034Qj3qME4m026rxeJsk5DPZn0f10BXX7HZ7 Tnz/CiAWEMkFEFAmBRr2MVLx8jITwFn9CTxlPBNk508DvS2wEQ5plsKw B5q5nLqil9Jn07Ket2EeJ13WbluFRRqssu+y6kZlWkX4Bs8UCHK+8KPQ //o2oFnh3+9z+P98YJSGbKb5F/z7ui/cr9VYdpn95DB0DmCVHPtM4PWv eP7WlA==
          ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
          
          ;; communications error to 2001:500:2::c#53: timed out
          ;; communications error to 2001:500:2::c#53: timed out
          ;; communications error to 2001:500:2::c#53: timed out
          com.                    172800  IN      NS      e.gtld-servers.net.
          com.                    172800  IN      NS      j.gtld-servers.net.
          com.                    172800  IN      NS      i.gtld-servers.net.
          com.                    172800  IN      NS      d.gtld-servers.net.
          com.                    172800  IN      NS      m.gtld-servers.net.
          com.                    172800  IN      NS      b.gtld-servers.net.
          com.                    172800  IN      NS      c.gtld-servers.net.
          com.                    172800  IN      NS      f.gtld-servers.net.
          com.                    172800  IN      NS      g.gtld-servers.net.
          com.                    172800  IN      NS      h.gtld-servers.net.
          com.                    172800  IN      NS      a.gtld-servers.net.
          com.                    172800  IN      NS      l.gtld-servers.net.
          com.                    172800  IN      NS      k.gtld-servers.net.
          com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
          com.                    86400   IN      RRSIG   DS 8 1 86400 20231119050000 20231106040000 46780 . 0wIhUrS3YPBfsb/1Hp/vud5jAZ3Y+cLRNHgBNvhxK9YNW8IJvxrkoy5v g3bKG5hb92I0PN6oivHxJSFCo8xnDZZMJfkrflKRV4aHttI/2Z8/y7O6 kJxUKlbyd20qC0SaefjfYnwgU/CiFuSUGDpZ/MYUuUR6Cx2RtzEXYFoA cm8kbwS79tgxkhKkIL1GBOjyTnPKdv1YuFwNYed3g4dsPnICRVxjArZR A3/jo4esrRXRtedVd44MgWTmVmoUdbqC0ajO7cnryCL0S9j1FAw04lqc 1TLJ7/Fzka8XTvHI28NjWXgyV9Qe/yjw1XLOF+xhY5wd1Dk3VCcMmYyd 1+heNQ==
          ;; Received 1212 bytes from 192.112.36.4#53(g.root-servers.net) in 21 ms
          
          accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
          accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
          accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
          accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
          CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
          CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231111045959 20231104034959 63246 com. DHASN2jwlbAJwKBOIrFwFUDAievuxFffiPX8RB+kIg2yGGrPEytMrVqK fYQ6JP6rh+vCQbdYcfhFw102V6AtMvWJ/Waid6WeT9jmvuOpv4/ABkeH I5pDkCQLnNuVC75LPyu4+7O6ynJPa+K0yJd27uKWtcs9vPkhUD8b8Qnt laY9QUylU+L4PbnYFkqVNUxTy1MGN+HUQhNhSWQtZuADMA==
          VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
          VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
          ;; Received 751 bytes from 2001:503:39c1::30#53(i.gtld-servers.net) in 47 ms
          
          portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
          portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
          portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
          ;; Received 115 bytes from 205.251.194.206#53(ns-718.awsdns-25.net) in 32 ms
          
          portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
          ;; Received 114 bytes from 157.203.177.100#53(ns1.uk.atos.net) in 113 ms
          
          [23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: 
          

          ;; communications error to 2001:500:2::c#53: timed out
          ;; communications error to 2001:500:2::c#53: timed out
          ;; communications error to 2001:500:2::c#53: timed out

          For whatever reason it looks like I was having a problem with some IPv6 NS.. I have unbound set not to use IPv6, but with a trace that is not taken into account. If I do the trace with only IPv4 I see no such issue.

          [23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: dig -4 portal.accaglobal.com +trace
          
          ; <<>> DiG 9.18.13 <<>> -4 portal.accaglobal.com +trace
          ;; global options: +cmd
          .                       46637   IN      NS      g.root-servers.net.
          .                       46637   IN      NS      h.root-servers.net.
          .                       46637   IN      NS      i.root-servers.net.
          .                       46637   IN      NS      j.root-servers.net.
          .                       46637   IN      NS      k.root-servers.net.
          .                       46637   IN      NS      l.root-servers.net.
          .                       46637   IN      NS      m.root-servers.net.
          .                       46637   IN      NS      a.root-servers.net.
          .                       46637   IN      NS      b.root-servers.net.
          .                       46637   IN      NS      c.root-servers.net.
          .                       46637   IN      NS      d.root-servers.net.
          .                       46637   IN      NS      e.root-servers.net.
          .                       46637   IN      NS      f.root-servers.net.
          .                       46637   IN      RRSIG   NS 8 0 518400 20231118170000 20231105160000 46780 . kI5bmOPd8KuD73TRLnMSFMqAiZkx9TjMxX7nToa3GZr4zzdR8QbKh+Tw ykMnJQgCsgwtnABMpZxch7akLp5G1bda6e54ityo9n//xkndR78yLLMv Pscyqgzn8KoX5pBOqyo9034Qj3qME4m026rxeJsk5DPZn0f10BXX7HZ7 Tnz/CiAWEMkFEFAmBRr2MVLx8jITwFn9CTxlPBNk508DvS2wEQ5plsKw B5q5nLqil9Jn07Ket2EeJ13WbluFRRqssu+y6kZlWkX4Bs8UCHK+8KPQ //o2oFnh3+9z+P98YJSGbKb5F/z7ui/cr9VYdpn95DB0DmCVHPtM4PWv eP7WlA==
          ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
          
          com.                    172800  IN      NS      a.gtld-servers.net.
          com.                    172800  IN      NS      b.gtld-servers.net.
          com.                    172800  IN      NS      c.gtld-servers.net.
          com.                    172800  IN      NS      d.gtld-servers.net.
          com.                    172800  IN      NS      e.gtld-servers.net.
          com.                    172800  IN      NS      f.gtld-servers.net.
          com.                    172800  IN      NS      g.gtld-servers.net.
          com.                    172800  IN      NS      h.gtld-servers.net.
          com.                    172800  IN      NS      i.gtld-servers.net.
          com.                    172800  IN      NS      j.gtld-servers.net.
          com.                    172800  IN      NS      k.gtld-servers.net.
          com.                    172800  IN      NS      l.gtld-servers.net.
          com.                    172800  IN      NS      m.gtld-servers.net.
          com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
          com.                    86400   IN      RRSIG   DS 8 1 86400 20231119050000 20231106040000 46780 . 0wIhUrS3YPBfsb/1Hp/vud5jAZ3Y+cLRNHgBNvhxK9YNW8IJvxrkoy5v g3bKG5hb92I0PN6oivHxJSFCo8xnDZZMJfkrflKRV4aHttI/2Z8/y7O6 kJxUKlbyd20qC0SaefjfYnwgU/CiFuSUGDpZ/MYUuUR6Cx2RtzEXYFoA cm8kbwS79tgxkhKkIL1GBOjyTnPKdv1YuFwNYed3g4dsPnICRVxjArZR A3/jo4esrRXRtedVd44MgWTmVmoUdbqC0ajO7cnryCL0S9j1FAw04lqc 1TLJ7/Fzka8XTvHI28NjWXgyV9Qe/yjw1XLOF+xhY5wd1Dk3VCcMmYyd 1+heNQ==
          ;; Received 1181 bytes from 198.97.190.53#53(h.root-servers.net) in 28 ms
          
          accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
          accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
          accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
          accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
          CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
          CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231111045959 20231104034959 63246 com. DHASN2jwlbAJwKBOIrFwFUDAievuxFffiPX8RB+kIg2yGGrPEytMrVqK fYQ6JP6rh+vCQbdYcfhFw102V6AtMvWJ/Waid6WeT9jmvuOpv4/ABkeH I5pDkCQLnNuVC75LPyu4+7O6ynJPa+K0yJd27uKWtcs9vPkhUD8b8Qnt laY9QUylU+L4PbnYFkqVNUxTy1MGN+HUQhNhSWQtZuADMA==
          VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
          VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
          ;; Received 751 bytes from 192.52.178.30#53(k.gtld-servers.net) in 8 ms
          
          portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
          portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
          portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
          ;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 9 ms
          
          portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
          ;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 109 ms
          
          [23.05.1-RELEASE][admin@sg4860.local.lan]/var/db: 
          

          If you are using unbound in its default state of resolving, and you are having issues, a good place to start to figure out "why" is to do the +trace from pfSense.

          Also notice a very short TTL, that 30 seconds.. If you are having issues, say, talking to those authoritative NS, and the TTL is only 30 seconds, you're not going to cache it very long even after you talk to it..

          Some things you can do to help alleviate such issues: set the min TTL to something. Yeah, it's not normally good practice to do that, but then again stupid domains didn't used to set ridiculously low TTLs like 30 seconds.. I have mine set to 3600 (1 hour) and I have yet to run into an issue where I couldn't get to something.. Another thing is to set serve zero; this will serve up the last known good record even if the TTL had expired, and it will then refresh the record in the background..

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          • S
            scorpoin @johnpoz
            last edited by scorpoin

            @johnpoz
            Thanks for your prompt response,

            [2.7.0-RELEASE][myuser@mypfsense]/var/db: dig portal.accaglobal.com +trace
            
            ; <<>> DiG 9.18.14 <<>> portal.accaglobal.com +trace
            ;; global options: +cmd
            .                       57616   IN      NS      e.root-servers.net.
            .                       57616   IN      NS      c.root-servers.net.
            .                       57616   IN      NS      i.root-servers.net.
            .                       57616   IN      NS      h.root-servers.net.
            .                       57616   IN      NS      k.root-servers.net.
            .                       57616   IN      NS      m.root-servers.net.
            .                       57616   IN      NS      b.root-servers.net.
            .                       57616   IN      NS      f.root-servers.net.
            .                       57616   IN      NS      g.root-servers.net.
            .                       57616   IN      NS      j.root-servers.net.
            .                       57616   IN      NS      l.root-servers.net.
            .                       57616   IN      NS      d.root-servers.net.
            .                       57616   IN      NS      a.root-servers.net.
            .                       57616   IN      RRSIG   NS 8 0 518400 20231120210000 20231107200000 46780 . AY+2ByyT/znyXYNeZ8nomAGyKwJKsfh/40WSIVy7T1n1e1+EFLeJ7CqK F+tkEF3+qOV5QJaoogC/hdQveiFdTUFtVh/L7oHCre5H+1f7MyIbcghO osIs0z+dJjq3tn/LXBBGbyNVEljkWlbJ7P5kEDuiW8zfRiT13pfNGf2u /5/iQQG7zLvTLmFpwzPgbvB8YvGTArY0VnCz0KEFlmX8Z4HfwnBg5WJY 87Op1bMbMoLcyiIvz7TbkjWaPhM81NMeL16DopaxkSU47JfmZb5quny/ ReTYaBqK3wV5L95C802YeUZ/RRrYmBT5V1oe9AawlwkqHO10y1nPZVVN 3SpWVg==
            ;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
            
            com.                    172800  IN      NS      a.gtld-servers.net.
            com.                    172800  IN      NS      b.gtld-servers.net.
            com.                    172800  IN      NS      c.gtld-servers.net.
            com.                    172800  IN      NS      d.gtld-servers.net.
            com.                    172800  IN      NS      e.gtld-servers.net.
            com.                    172800  IN      NS      f.gtld-servers.net.
            com.                    172800  IN      NS      g.gtld-servers.net.
            com.                    172800  IN      NS      h.gtld-servers.net.
            com.                    172800  IN      NS      i.gtld-servers.net.
            com.                    172800  IN      NS      j.gtld-servers.net.
            com.                    172800  IN      NS      k.gtld-servers.net.
            com.                    172800  IN      NS      l.gtld-servers.net.
            com.                    172800  IN      NS      m.gtld-servers.net.
            com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
            com.                    86400   IN      RRSIG   DS 8 1 86400 20231120210000 20231107200000 46780 . fE0SpcPK2lcIkWMqwWtoh3Q/C6f+nTi1Z8H+9WDfdK3aNmbSNs8xsHq3 L71Ph+yu+pzf3tDHYy4YqUmpirkpFQmBcevKO5hv0fwgPZsd4xrectpT ipEr9e/ZyawUwoMkH6hohZiH9BeGtbmAshOZRgED/ceOV7VurX3u1A4L o0BEmvCgt+As2OWbacGMG3/egu6vsxoWfpAwaBNZsTxO9zEa4DdWIVDJ JaF10Ax+KHna0tVPvu2U1QGOWpXO4vQyCLqNKejpicF0bQMXsUSC9cHX gxbJ5sZipuNIkQ7m6azvNODXHD5u0JtEP+yRpZ8qrCR1pMvU4et//3K8 59evqQ==
            ;; Received 1181 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms
            
            accaglobal.com.         172800  IN      NS      ns-86.awsdns-10.com.
            accaglobal.com.         172800  IN      NS      ns-718.awsdns-25.net.
            accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
            accaglobal.com.         172800  IN      NS      ns-1428.awsdns-50.org.
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
            CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231114052550 20231107041550 63246 com. Qeg8YllC8KbvaizuSmn3Jlaro97H5qydstgnIDAE9qEXbMUxqrt5ZJ/x tlFiZ9Y9O1ep/ZuIhe5BAzPLMAPDUCzahuBq1VNN5BvQMwx53bMSij+V cPBLPd45H9yACQH0W6fw4Omy4Zj/De9a36P7Q/5+/P7f4ItDuWLsqakG 7qpeIkIS7CwJdpcS5hL8lomNNsaboST+YSCNtDptHRr4iA==
            VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN NSEC3 1 1 0 - VMP6D1HJAD95FV1LHBQPGSVNHCR5UR5V NS DS RRSIG
            VMP677HU54PF7NMM1P8IFD7SQUTL5P8V.com. 86400 IN RRSIG NSEC3 8 2 86400 20231112052327 20231105041327 63246 com. go0WbkwaVF9mKRCqascQxZKF/9uTQ4lQmNUgCqUShrYFRgDIo5Bsyupa gdfqWXa+PT2fNmpkUqmkyN8mZ5672FoJmHeJzMVBztni1ANQaGN3ETKL k2pg9q/nTJta2kAaD9CoDewfXA0BGve7b7vCvJwLTdWr9Nx49SzW9UcG hk3Ir8APn4yCyRQdQJ1pJ8LQrdNvVJ42nrYv9Bf90yGpQg==
            ;; Received 751 bytes from 192.12.94.30#53(e.gtld-servers.net) in 117 ms
            
            ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
            ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
            ;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
            ;; UDP setup with 2600:9000:5306:8d00::1#53(2600:9000:5306:8d00::1) for portal.accaglobal.com failed: host unreachable.
            portal.accaglobal.com.  3600    IN      NS      ns1.uk.atos.net.
            portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
            portal.accaglobal.com.  3600    IN      NS      ns3.uk.atos.net.
            ;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 121 ms
            
            portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
            ;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 139 ms
            
            

            Yes, I'm using unbound for resolve and forward as well. I have disabled IPv6 on pfSense, only using IPv4, and also blocked port 53 UDP for IPv6 :/

            Above is the dig result from pfsense.

            Regards

            • johnpozJ
              johnpoz LAYER 8 Global Moderator @scorpoin
              last edited by

              @scorpoin said in certain website taking long to respond or error NX DNS:

              portal.accaglobal.com. 30 IN CNAME epflecw.x.incapdns.net.

              So with a trace, you now have to do a trace to that CNAME, epflecw.x.incapdns.net.

              But you were able to get that, so now you should do a trace to that FQDN.

              Does a client resolve it? Test from a machine on your network that uses pfsense for dns.


              • maverickwsM
                maverickws @johnpoz
                last edited by

                @johnpoz

                This is not an isolated issue.

                https://forum.netgate.com/topic/183918/unbound-resolver-failed-to-resolve-host/

                And there is another user on another topic talking about the same issues. This unbound DNS looks like it's hanging with scotch tape.

                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @maverickws
                  last edited by

                  @maverickws said in certain website taking long to respond or error NX DNS:

                  This unbound dns looks like it's hanging with scotch tape

                  I wouldn't say that. I have been using unbound on pfSense since it's been just a package. And other than the whole restart on DHCP, which I have never used, I have never had any issues with it at all..


                  • maverickwsM
                    maverickws
                    last edited by

                    Well, I understand what you're saying, but truth be told, when I'm looking around about pfSense and DNS Resolver, I have to say (and this is a perception only, doesn't hold as true) that most topics have people configuring DNS Forwarding and external DNS resolvers right off the bat.
                    So I would believe that masks the issues with unbound, and a number of people won't come across said issues because of this.
                    Also, I'm not sure if this has anything to do with the DNS Resolver settings, some combination that doesn't work well; could it be because I have 2 WANs? I mean, I really don't know. But it's been an awful experience. And it seems no one's paying much attention to these issues.

                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator @maverickws
                      last edited by johnpoz

                      @maverickws said in certain website taking long to respond or error NX DNS:

                      people configuring DNS Forwarding

                      Yeah, wouldn't be me. I don't have any use for that. The great thing when they brought unbound in was that it was a resolver, not a forwarder like dnsmasq..

                      If a user had a choice between forwarding and resolving, I personally don't get why you would forward; why hand off your DNS to any specific anyone? Now if you have some need, be it real or not, for forwarding over TLS, then ok. Maybe I have never seen any issues because I don't forward, be it in the clear or not. And when I have an issue with DNS, I know how to troubleshoot it vs just blaming pfSense/unbound.

                      I can tell you for sure: if you're going to forward, you shouldn't have DNSSEC enabled.. And maybe pfSense could have done a better job of stating that. But that is going to be problematic, and I have been saying it for years and years.

                      If it were me: if a user enabled forwarding, the default should be to disable DNSSEC, and if the user tried to re-enable it, there should have been a big warning. But hey, you can also take the stance that users of pfSense, you would "hope", are not your typical user and understand such things. But then again we have a lot of users wanting to use pfSense that really don't understand these protocols at, say, a level that you would hope.


                      • maverickwsM
                        maverickws
                        last edited by

                        @johnpoz

                        Well, I'm really not looking to forward. If I were to forward, I'd set up a resolver and forward to my resolver. But having the unbound package right here, that doesn't make much sense, I believe.
                        So I completely agree on your comments on the DNS Forwarding part.

                        What tests do you suggest that can add to the debugging here?

                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator @maverickws
                          last edited by

                          @maverickws if you're resolving, +trace is your friend: can you actually talk to all the NS in the line to get to the authoritative NS? If you can, then you need to check that their DNSSEC is not messed up.

                          A great site for issues with DNSSEC is

                          https://dnsviz.net/

                          When you trace, if it ends at a CNAME, you would then have to trace that CNAME, and sometimes that just ends up pointing to another CNAME, which you would have to evaluate the resolving of as well, etc.


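As an added example (not code from this thread, from pfSense or from unbound), the following Python script triages a `dig +trace` transcript the way the two johnpoz posts above describe: it lists the name servers that could not be reached and whether they were IPv6 targets, finds the slowest hop, notices when the trace ends at a CNAME that needs its own trace, and shows what a cache-min-ttl of 3600 would do to the 30-second answer. The sample transcript is a constructed, abridged copy of the trace pasted earlier in the thread.

```python
"""Offline triage of a `dig +trace` transcript.

Flags servers dig could not reach (and whether they were IPv6 targets),
reports the slowest hop, notices when the trace ends at a CNAME that still
has to be traced on its own, and shows how a short answer TTL interacts with
a resolver minimum-TTL setting such as unbound's cache-min-ttl.
"""
import re
from dataclasses import dataclass, field

HEADER_RE = re.compile(r"^; <<>> DiG \S+ <<>> (.+)$")
RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.*)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from ([^#]+)#53\(([^)]+)\) in (\d+) ms")
# Matches both "communications error to <addr>#53: timed out" and
# "UDP setup with <addr>#53(<addr>) for <name> failed: host unreachable."
ERROR_RE = re.compile(
    r"^;; (?:communications error to|UDP setup with) ([^#\s]+)#53.*:\s*(.+?)\.?$")


@dataclass
class Hop:
    records: list      # (owner, ttl, rtype, rdata) tuples returned by this server
    responder: str     # server name as printed by dig, e.g. "ns2.uk.atos.net"
    address: str
    rtt_ms: int


@dataclass
class TraceReport:
    qname: str
    hops: list = field(default_factory=list)
    errors: list = field(default_factory=list)   # (address, reason) per failed server


def parse_trace(text: str, qname: str = "") -> TraceReport:
    """Split dig +trace output into per-server hops plus the error lines between them."""
    report = TraceReport(qname)
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        m = HEADER_RE.match(line)
        if m and not report.qname:
            # The first non-option token after the DiG banner is the queried name.
            names = [t for t in m.group(1).split() if not t.startswith(("+", "-"))]
            report.qname = names[0] if names else ""
            continue
        m = ERROR_RE.match(line)
        if m:
            report.errors.append((m.group(1), m.group(2)))
            continue
        m = RECV_RE.match(line)
        if m:  # a "Received ... from" line closes the hop that the pending records belong to
            report.hops.append(Hop(pending, m.group(2), m.group(1), int(m.group(3))))
            pending = []
            continue
        m = RR_RE.match(line)
        if m:
            pending.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    if report.qname and not report.qname.endswith("."):
        report.qname += "."
    return report


def assess(report: TraceReport, cache_min_ttl: int = 0) -> dict:
    """Answer the questions raised in the thread from a parsed trace."""
    v6 = sorted({a for a, _ in report.errors if ":" in a})
    v4 = sorted({a for a, _ in report.errors if ":" not in a})
    last = report.hops[-1] if report.hops else None
    cname_target, answer_ttl = None, None
    if last:
        for owner, ttl, rtype, rdata in last.records:
            if owner == report.qname and rtype == "CNAME":
                cname_target, answer_ttl = rdata.rstrip("."), ttl
    slowest = max(report.hops, key=lambda h: h.rtt_ms, default=None)
    return {
        "unreachable_ipv6": v6,
        "unreachable_ipv4": v4,
        "next_trace": cname_target,   # name that needs its own +trace, if any
        "answer_ttl": answer_ttl,
        # A resolver minimum TTL raises how long a short-TTL answer stays cached.
        "effective_ttl": None if answer_ttl is None else max(answer_ttl, cache_min_ttl),
        "slowest_hop": None if slowest is None else (slowest.responder, slowest.rtt_ms),
    }


# Constructed sample: an abridged copy of the trace pasted in this thread
# (NS sets and DNSSEC records trimmed to one line per hop; error lines kept).
SAMPLE_TRACE = """\
; <<>> DiG 9.18.14 <<>> portal.accaglobal.com +trace
;; global options: +cmd
.                       57616   IN      NS      a.root-servers.net.
;; Received 1097 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

;; communications error to 2001:500:2::c#53: timed out
com.                    172800  IN      NS      a.gtld-servers.net.
;; Received 1181 bytes from 192.58.128.30#53(j.root-servers.net) in 191 ms

accaglobal.com.         172800  IN      NS      ns-1677.awsdns-17.co.uk.
;; Received 751 bytes from 192.12.94.30#53(e.gtld-servers.net) in 117 ms

;; UDP setup with 2600:9000:5302:ce00::1#53(2600:9000:5302:ce00::1) for portal.accaglobal.com failed: host unreachable.
portal.accaglobal.com.  3600    IN      NS      ns2.uk.atos.net.
;; Received 115 bytes from 205.251.198.141#53(ns-1677.awsdns-17.co.uk) in 121 ms

portal.accaglobal.com.  30      IN      CNAME   epflecw.x.incapdns.net.
;; Received 114 bytes from 157.203.176.100#53(ns2.uk.atos.net) in 139 ms
"""

if __name__ == "__main__":
    findings = assess(parse_trace(SAMPLE_TRACE), cache_min_ttl=3600)
    for key, value in findings.items():
        print(f"{key:>17}: {value}")
```

Feed it a real transcript with `parse_trace(open("trace.txt").read())`; when `next_trace` is set, run `dig <that name> +trace` and feed that result through as well, since the chain is only resolved once a trace ends in an A/AAAA answer.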
                          • maverickwsM
                            maverickws @johnpoz
                            last edited by maverickws

                            @johnpoz so the issue is intermittent; if you look at my topic you'll notice the issue resolves by itself after a while.
                            I know dnsviz, I actually use it every so often, but my failure is not definitive. I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before are then working. Without any intervention.

                            So if it was an issue with DNSSEC, it wouldn't resolve by itself after a few minutes without intervention. Today these issues included even this forum address:

                            % host forum.netgate.com
                            ;; connection timed out; no servers could be reached
                            

                            If I do it using pfSense > Diagnostics > NS Lookup or whatever it is, I get either an error or a huge response time.

                            Tracing is making me look for issues in the wrong place. I get your debugging options, but I don't think they apply here.

                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator @maverickws
                              last edited by johnpoz

                              @maverickws said in certain website taking long to respond or error NX DNS:

                              Today these issues included even this forum address:

                              There was an outage earlier.. There is someone that is logging outages of the forums in another thread.. And just after this morning, when I couldn't get there, I added it to my monitoring.

                              You need to troubleshoot a specific issue: one site's DNS might not be working; another site's DNS might be working but you can not get there because of another network issue along the path, or the site is just having an issue..


                              • maverickwsM
                                maverickws @johnpoz
                                last edited by

                                @johnpoz this was actually maybe like 2 and a half hours ago, but anyway, forum outage means what?
                                Is it an outage on the web server/DB or whatever, or is it a failure in resolving the DNS of the forum? Is the forum server also its DNS server? Was the outage on Netgate's DNS?

                                • johnpozJ
                                  johnpoz LAYER 8 Global Moderator @maverickws

@maverickws all I remember is this morning when I first went to go to the forums it wasn't working.. Then a bit later I checked and all was working.. I then added it to my monitoring..

So the issue was some time before I first added it.

(attached screenshot: forum.jpg)

When I first saw the problem, I said oh maybe they're still having issues from the other day when there was an extended one.. Not exactly sure when it was, but I know when I looked at the page it was showing the little error that lost connectivity, and I tried to refresh and it failed.. Went and got some coffee, looked at some other stuff and by that time it was working. Some time not long after that I decided to add it to my monitoring.


                                  • maverickwsM
                                    maverickws @johnpoz

@johnpoz actually your description fits my issue perfectly.
The lost connectivity is because you were no longer resolving "forum.netgate.com" correctly, so it couldn't connect; it didn't know where to.

You went for a coffee and when you came back it already worked. Fits like a glove with my description:

                                    @maverickws said in certain website takling long to respond or erro nx dns:

                                    but my failure is not definitive, I mean, unbound doesn't resolve right away, takes a long time to respond or whatever, but after a few minutes those same domains that were failing before, are then working. Without any intervention.

                                    This is exactly the same, your unbound is failing, you went for a coffee and it worked. That's it.
                                    Did the forum actually have an outage? Was it a DNS outage? Was it a CDN outage? Was it your resolver?

                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator @maverickws

                                      @maverickws said in certain website takling long to respond or erro nx dns:

                                      your unbound is failing

No, my unbound is not failing - I have had zero issues with anything else.. Seems like without any sort of diagnosis you're just jumping to the conclusion your unbound is the problem..

                                      If it happens again I will look into it before going to get a cup of coffee, but every other site looked at before going back to the forums worked just fine.

Was it a DNS outage? Was it a CDN outage? Was it your resolver?

I am not sure - I wasn't too concerned.. All I can tell you is they had a major outage yesterday.. And this morning I did see a problem, but normally it is pretty solid.. But they do run into issues now and then.. If I see it happen again I will look into whether unbound had any issues resolving it, or if it was still in cache and changed, etc.

You need to troubleshoot a specific issue, not just jump to "well, unbound is broken"..


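The point johnpoz makes twice above (troubleshoot the specific failure rather than assume unbound is broken) can be turned into a repeatable check. This is an added example, not code from the thread or from pfSense: it asks the local resolver (unbound on pfSense here, address assumed as a placeholder) and an outside public resolver the same question, classifies each answer as timeout, slow, NXDOMAIN, SERVFAIL or NOERROR, and says which side to look at next. It assumes `dig` is installed.

```shell
#!/bin/sh
# Added example, not from the thread: separate "unbound is failing" from "the site or
# its DNS is failing" by asking the local resolver and an outside resolver the same question.
# Assumptions: dig is installed; LOCAL_RESOLVER is the pfSense/unbound address (placeholder)
# and PUBLIC_RESOLVER is any reachable public resolver (1.1.1.1 used here as a stand-in).
LOCAL_RESOLVER="${LOCAL_RESOLVER:-192.0.2.1}"
PUBLIC_RESOLVER="${PUBLIC_RESOLVER:-1.1.1.1}"

# classify_dig: read one dig run from stdin, print a single verdict word.
# TIMEOUT = no answer at all, SLOW = answered but above 2 s, otherwise the RCODE.
classify_dig() {
  awk '
    /connection timed out|no servers could be reached/ { timeout = 1 }
    /status: NOERROR/  { s = "NOERROR" }
    /status: NXDOMAIN/ { s = "NXDOMAIN" }
    /status: SERVFAIL/ { s = "SERVFAIL" }
    /Query time:/      { qt = $4 }          # line looks like ";; Query time: 12 msec"
    END {
      if (timeout)                          { print "TIMEOUT"; exit }
      if (s == "")                          { print "UNKNOWN"; exit }
      if (s == "NOERROR" && qt + 0 > 2000)  { print "SLOW";    exit }
      print s
    }'
}

# verdict: combine the two results into the next thing to check.
verdict() {  # $1 = local result, $2 = public result
  case "$1/$2" in
    NOERROR/*)          echo "local DNS fine; look at the path or the site itself" ;;
    SLOW/NOERROR)       echo "local resolver slow; check unbound upstream/recursion latency" ;;
    TIMEOUT/NOERROR|SERVFAIL/NOERROR)
                        echo "only the local resolver fails; inspect unbound logs and upstream reachability" ;;
    NXDOMAIN/NOERROR)   echo "local NXDOMAIN only; check local overrides or blocklists" ;;
    NXDOMAIN/NXDOMAIN)  echo "name does not exist from either side" ;;
    TIMEOUT/TIMEOUT|SERVFAIL/SERVFAIL|TIMEOUT/SERVFAIL|SERVFAIL/TIMEOUT)
                        echo "both fail; the authoritative/CDN side or your WAN is the problem" ;;
    *)                  echo "inconclusive ($1 vs $2); repeat a few times" ;;
  esac
}

# dns_triage NAME: run both queries with a 5 s timeout and a single try each.
dns_triage() {
  local_r=$(dig +time=5 +tries=1 "@$LOCAL_RESOLVER" "$1" A | classify_dig)
  public_r=$(dig +time=5 +tries=1 "@$PUBLIC_RESOLVER" "$1" A | classify_dig)
  printf '%s local=%s public=%s -> %s\n' "$1" "$local_r" "$public_r" "$(verdict "$local_r" "$public_r")"
}

if [ $# -gt 0 ]; then dns_triage "$1"; fi
```

Run it as `sh dns_triage.sh forum.netgate.com` a few times while the symptom is present; a result that flips between runs on the local side only is the "went for coffee and it worked" pattern described above.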
                                      • maverickwsM
                                        maverickws @johnpoz

                                        @johnpoz said in certain website takling long to respond or erro nx dns:

                                        but every other site looked at before going back to the forums worked just fine.

Every other site that I visit also works fine, unless it doesn't. But the percentage is minimal, for sure.
About jumping to conclusions: from an outage "yesterday", you're jumping to the conclusion there was a forum outage today, are you not?

So why am I not entitled to relate your description of the issue to my description of the issue, since the behaviour fits perfectly with what I described earlier, and with the "taking long to respond" remarks of the other users? (Notice the title says "certain websites", not "all websites at a given moment".)

                                        We all can jump to conclusions at a given time, for sure. And that can make you overlook the actual issue, can it not?

                                        Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.