Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Clients cant resolve DNS names.

    Scheduled Pinned Locked Moved DHCP and DNS
    6 Posts 3 Posters 615 Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • K
      Kolvert
      last edited by Kolvert

      Hi everyone,

      I just installed my first pfsense systeme ever. I followed several YT videos, included NetworkChuck's and referred to the DNS Resolution Issues website https://docs.netgate.com/pfsense/en/latest/troubleshooting/dns.html .
      Following all the steps and going through all the test I've concluded it's a DNS resolution Issue from the PfSense machine to the clients.
      So here is my context:
      I've installed PfSense as a Virtual machine on Proxmox on a Server with 4 nics.
      I've set one of the nics as WAN with a DHCP Ip from my ISP cablemodem/router.
      I/ve set another nic as LAN with a 10.x.x.1 IP.
      DNS Forwarder and Resolver are disabled.
      I've got a Pi-hole and I'm using it as primary server (It works great on any machine not routed through PfSense).
      As secondary DNS server I've set 1.1.1.1.
      DNS lookup from PfSense works great, Pi-hole resolves even faster than Cloudfare.

      Clients, get their Ip's from DHCP set on LAN, and can ping all sorts of IPs, DNS Servers, outside servers, WAN, LAN, ISP modem-router, etc. The problem comes the moment I ping a url. The error is pretty clear to me: "Temporary failure in name resolution."

      I really need your help here guys, I'm hoping to use PfSense as a Vlan manager to split my IOT devices in a different network for obvious reasons, but I've been banging my head on this issue for the past 3 hours and I still cant get what I've done wrong.

      Thank you to all of you in advance for your help.

      johnpozJ GertjanG 2 Replies Last reply Reply Quote 0
      • johnpozJ
        johnpoz LAYER 8 Global Moderator @Kolvert
        last edited by johnpoz

        @Kolvert said in Clients cant resolve DNS names.:

        DNS Forwarder and Resolver are disabled.

        When then how would dns work?

        Ask pihole what your doing wrong.. Out of the box the lan rules are any any.. Did you change those? Then pfsense would have zero to do with pihole talking to any dns server it wants.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        K 1 Reply Last reply Reply Quote 0
        • K
          Kolvert @johnpoz
          last edited by

          @johnpoz Hi,

          As you already know, Resolver was enabled by default, and it didn't help even when dns servers where Cloudfare and Google. I tried enabling Forwarder, and nothing. Firewall rules for LAN are PASS for any to any. I also tried PASS on WAN any to any.

          I can tell for sure that once I decided to try Pi-hole PfSense used it for queries successfully, but still didn't pass the url's to the clients.

          So basically default settings didn't resolve DNS, and custom neither. So I checked the guide and the forum, tried and tested for hours and after failing on every attempt I asked for help.

          johnpozJ 1 Reply Last reply Reply Quote 0
          • GertjanG
            Gertjan @Kolvert
            last edited by

            @Kolvert said in Clients cant resolve DNS names.:

            Clients, get their Ip's from DHCP set on LAN, and can ping all sorts of IPs, DNS Servers, outside servers, WAN, LAN, ISP modem-router, etc. The problem comes the moment I ping a url. The error is pretty clear to me: "Temporary failure in name resolution.

            Your clients get a LAN IP. But they got more then then that.
            Did they got a network (network mask), a gateway IP and most important : a DNS IP.
            So, on one of these 'clients', use

            ipconfig /all
            

            and check that DNS IP.

            Does it 'points' to the IP that is used by your DNS = Pi-Hole.

            Also : can it reach the Pi-Hiole ? If the piHome is on the same LAN as the clients, the there will be no problem.
            Another LAN, then a firewall rule on the Clienst LAN has to authorize the DNS traffic.

            You could use the 'nslookup' command to check if the client actually can and uses pi-Hole for its DNS needs.

            @Kolvert said in Clients cant resolve DNS names.:

            DNS Forwarder and Resolver are disabled.

            Better check and be sure that pfSense itself still has a working DNS then.

            No "help me" PM's please. Use the forum, the community will thank you.
            Edit : and where are the logs ??

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator @Kolvert
              last edited by

              @Kolvert said in Clients cant resolve DNS names.:

              Resolver was enabled by default, and it didn't help even when dns servers where Cloudfare and Google

              Because setting dns has zero to do with anything when you resolving..

              So in the diagnostic menu, dns lookup with unbound enabled.. Can you look up say www.netgate.com ?

              This is with default settings of pfsense.

              dns.jpg

              If that fails, from cmd line on pfsense do a trace..

              Enter an option: 8
              
              [23.09-RELEASE][admin@sg4860.local.lan]/root: dig www.netgate.com +trace
              
              ; <<>> DiG 9.18.16 <<>> www.netgate.com +trace
              ;; global options: +cmd
              .                       82332   IN      NS      f.root-servers.net.
              .                       82332   IN      NS      e.root-servers.net.
              .                       82332   IN      NS      d.root-servers.net.
              .                       82332   IN      NS      a.root-servers.net.
              .                       82332   IN      NS      b.root-servers.net.
              .                       82332   IN      NS      j.root-servers.net.
              .                       82332   IN      NS      c.root-servers.net.
              .                       82332   IN      NS      i.root-servers.net.
              .                       82332   IN      NS      g.root-servers.net.
              .                       82332   IN      NS      h.root-servers.net.
              .                       82332   IN      NS      k.root-servers.net.
              .                       82332   IN      NS      m.root-servers.net.
              .                       82332   IN      NS      l.root-servers.net.
              .                       82332   IN      RRSIG   NS 8 0 518400 20231126050000 20231113040000 46780 . eDfXq+KZzto5xFLKorHYdE1QL6Sia8J0MiBn6f4jba2Ti8dOxLIylTzE f4UaLMMPM+PVml2jgjgL0dcCFhU4/9yO/kKNtQWW5XzGFm7yQoYbkl5u +DEJ4IUqb/UfU35v6rklV7DuLdARv2+hoPw5nX6ncLMa6F5IXnTFJoW6 KwDrYVvh/wNTHCLbbecMg2OcrCgJ+GvYxt1nkbKrWC7LiAohnpwyg4Wc LkT+o+8ogK3CtTbPs72vnqOqEuUn9oB/I0RCOvg1qkdjuVvzh+R4gN4G fOcn4j9phCYwdF8XBDpJG/w8Z4rT78N8J28wSx37nZbMucHvU687+fvI 0fodKQ==
              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
              
              com.                    172800  IN      NS      e.gtld-servers.net.
              com.                    172800  IN      NS      b.gtld-servers.net.
              com.                    172800  IN      NS      j.gtld-servers.net.
              com.                    172800  IN      NS      m.gtld-servers.net.
              com.                    172800  IN      NS      i.gtld-servers.net.
              com.                    172800  IN      NS      f.gtld-servers.net.
              com.                    172800  IN      NS      a.gtld-servers.net.
              com.                    172800  IN      NS      g.gtld-servers.net.
              com.                    172800  IN      NS      h.gtld-servers.net.
              com.                    172800  IN      NS      l.gtld-servers.net.
              com.                    172800  IN      NS      k.gtld-servers.net.
              com.                    172800  IN      NS      c.gtld-servers.net.
              com.                    172800  IN      NS      d.gtld-servers.net.
              com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
              com.                    86400   IN      RRSIG   DS 8 1 86400 20231126050000 20231113040000 46780 . JaEUR+R7peut6yFM1LbPkXRSFAIyU0RR88Qgj24mIos4woIP2xZ+vVC/ mVK775YUIf9laz9F2OcDHq6RpJNp4IwKxEGw+Dd33DQgWi+zzSFiZoK9 KvI27vAsuSuK33J2lUAdTR68HjG7CBX7XtDtHqTmM/guLusd07r9rrzp /HrgSncZ6gVblrooUTadoIO8wGV4875c2rof4G2WeUA3Fpg13iydgM4f oZrLZKfnbbEhhOzq6FKHKBeGOWfdOXYIAGePGcr954eUtLIJE8M9KQMY IPhNPyVLgSr/VsAFfxEoPA5GHfuSrF3I2EEXDOF99id4OOr26H4pxSG1 N1DOrg==
              ;; Received 1175 bytes from 198.41.0.4#53(a.root-servers.net) in 9 ms
              
              netgate.com.            172800  IN      NS      ns1.netgate.com.
              netgate.com.            172800  IN      NS      ns2.netgate.com.
              netgate.com.            172800  IN      NS      ns3.netgate.com.
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20231118052525 20231111041525 63246 com. HHilTlIgM2bBSkNCrfIYydeweb7FpcSd/HCPjoMq9cDoI45LnU1trxYf GtncYfSgPxd01lt7BuBdTBRjFX2kHEWQNAjqKR+wj9ohk9mqvk3naenD eWVPwSEZjYdV+LPjL7rXvMWq6GRZXFG2OC0oR37mS4PCPT/pWYTARo7m 66PiR/ixIP8UPkUbxjZTHFuDsR+lywg8Od0OsTopTj5+rw==
              2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN NSEC3 1 1 0 - 2U546JK1TS9KBOQUQCUA3NNLO26FTDRN NS DS RRSIG
              2U53SUOKS8OJJV178M90A8BMNI9USDVJ.com. 86400 IN RRSIG NSEC3 8 2 86400 20231119051632 20231112040632 63246 com. OacVZDM5N9+s5oGr+dXi0mHEWEjsnkEvnLh/D7JRl0SeqOGl8DT4Gw4t XGfhVZ2qp3fbe3mFtSrpk8ptK76sw3gCvohniFT9+Wn4Er/7n/qEpAKX jCqdKGGFiwYWl/Ivav3UntPJGHGRZhMRdPfFReewNRhOjAMKKI1zCx5V SByKJiUTTfEaC5MEp8BXEzVAt/iQrk229m8KZf2O5RPVeg==
              ;; Received 779 bytes from 192.5.6.30#53(a.gtld-servers.net) in 42 ms
              
              www.netgate.com.        60      IN      CNAME   1826203.group3.sites.hubspot.net.
              ;; Received 118 bytes from 208.123.73.90#53(ns2.netgate.com) in 33 ms
              
              [23.09-RELEASE][admin@sg4860.local.lan]/root: 
              

              This is how resolver would resolve..

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 1
              • K
                Kolvert
                last edited by

                Hi, sorry everyone for the delay, I really thought I posted here that I found the solution to this problem.
                The problem was, on Proxmox, I had set static IP on the NIC and it was way out of the one I was using into PfSense.
                As said I'm just dipping my toes on network management and on virtualization, so please excuse my ignorance.

                Thank you everyone for your help.

                1 Reply Last reply Reply Quote 0
                • First post
                  Last post
                Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.