Intermittent DNS Issue
-
Hi, I've had PfSense for some time and am on the latest version of the CE version. The way my system is set up is that I have a Nuc between my modem and my network. The Nuc has PfSense installed and PfSense supplies Internet via a VPN, DHCP and Unbound DNS. I have a PiHole server in a container on my NAS that filters DNS before it gets to PfSense and I'm currently planning to move that to PfBlockerNG, but it's not beyond the paper stage.
At the weekend the DNS resolver stopped working and wouldn't resolve any addresses, including internal ones set up on PfSense. I rebooted and it was fine, then it stopped resolving external addresses but internal was OK. Then even that stopped. I've rebooted, I've restored the configuration, and each time it worked for a bit and then stopped. I looked at how to reset the Unbound server data as I'm assuming it is corrupted, but I don't see how to do that besides just deleting everything in the DNS entries. Everything is working if I use the IP addresses. The router is still routing traffic. It supplies DHCP and appears to be working via the control panel. Only the pfb_dnsbl and pfb_filter services are off as I've not even run the wizard yet. The logs at the basic level show nothing strange.
Now as a temporary solution I changed PiHole so instead of passing DNS requests to my PfSense it goes straight out to the Internet. This means I type IPs in for my internal services. I could put them in PiHole but I want to move away from that.
Any ideas on what this is and what I can do to fix it?
-
@DaveP-0 If you have forwarding enabled in DNS Resolver, ensure DNSSEC is unchecked. That can cause random issues.
source: https://support.quad9.net/hc/en-us/articles/4433380601229-Setup-pfSense-and-DNS-over-TLS (and experience)
-
@SteveITS DNSSEC was ticked. I unticked it, repointed to PfSense and tried again. It resolved the first query fine and then it stopped again. Thinking about it and testing: if I point to PfSense then test, it resolves one DNS query then fails the next. I then reset it to avoid PfSense. Somebody like yourself suggests something and I point to PfSense over an hour later and it works, for one DNS query, then fails. I'm not touching the PfSense router at all. That makes no sense to me. Are any timers or flushes taking place regularly clearing anything? I've left DNSSEC unticked for now to simplify testing.
-
@DaveP-0 DNSSEC will need to be off if forwarding. It worked fine AFAICT until, I think, 23.01 and then was problematic in FreeBSD 14.
Re: problems, check the DNS Resolver log or system log. Any errors at the time?
Another thing that gets people is if they enable DHCP lease registration in DNS, that still/currently restarts Unbound at every lease renewal.
-
@SteveITS I set the logging to 2. Pointed to PfSense and typed www.google.com into a browser.
The log was limited to 500 lines and it looks like it generated more than that.
Mar 14 22:29:21 unbound 28332 [28332:3] info: response for . NS IN
Mar 14 22:29:21 unbound 28332 [28332:3] info: reply from <.> 192.203.230.10#53
Mar 14 22:29:21 unbound 28332 [28332:3] info: query response was THROWAWAY
It had a lot like the lines above and the final set then went
Mar 14 22:29:23 unbound 28332 [28332:0] info: service stopped (unbound 1.18.0).
Some more processing, then it started unbound again. I couldn't see anything that said there was an error. I've attached the 500 lines in the DNS part of the logs and reset the logging to 1 in PfSense. (Attachment: Resolver Log.txt)
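A small triage script for the DNS Resolver log excerpt above, added here as an example and not code from the thread or from pfSense: it parses Unbound's log-level-2 lines, counts response outcomes such as THROWAWAY, and measures the gaps between "service stopped" lines, which is the pattern to look for when something keeps restarting Unbound. The log lines embedded below are constructed to resemble the posted excerpt and are not a real capture.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample of pfSense DNS Resolver (Unbound) log lines at log level 2,
# modelled on the excerpt posted above; it is NOT a real capture.
SAMPLE_LOG = """\
Mar 14 22:29:21 unbound 28332 [28332:3] info: response for . NS IN
Mar 14 22:29:21 unbound 28332 [28332:3] info: reply from <.> 192.203.230.10#53
Mar 14 22:29:21 unbound 28332 [28332:3] info: query response was THROWAWAY
Mar 14 22:29:21 unbound 28332 [28332:3] info: query response was THROWAWAY
Mar 14 22:29:22 unbound 28332 [28332:1] info: query response was ANSWER
Mar 14 22:29:23 unbound 28332 [28332:0] info: service stopped (unbound 1.18.0).
Mar 14 22:29:25 unbound 29105 [29105:0] info: start of service (unbound 1.18.0).
Mar 14 22:30:40 unbound 29105 [29105:0] info: service stopped (unbound 1.18.0).
"""

# syslog-style prefix: "<Mon DD HH:MM:SS> unbound <pid> [<pid>:<thread>] <level>: <msg>"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) unbound (?P<pid>\d+) \[\d+:\d+\] "
    r"(?P<level>\w+): (?P<msg>.*)$"
)

def parse(log_text):
    """Yield one dict per well-formed Unbound log line; skip anything else."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()

def triage(log_text):
    """Summarise a log excerpt: PIDs seen (a new PID means Unbound was
    restarted), timestamps of 'service stopped' lines, and counts of each
    'query response was X' outcome (THROWAWAY = reply was discarded)."""
    pids, stops, outcomes = [], [], Counter()
    for rec in parse(log_text):
        if rec["pid"] not in pids:
            pids.append(rec["pid"])
        msg = rec["msg"]
        if msg.startswith("service stopped"):
            stops.append(rec["ts"])
        elif msg.startswith("query response was "):
            outcomes[msg.split()[-1]] += 1
    return {"pids": pids, "stops": stops, "outcomes": outcomes}

def stop_gaps(stops):
    """Seconds between consecutive stops; short, regular gaps point at
    something (e.g. DHCP lease registration) restarting Unbound."""
    times = [datetime.strptime(s, "%b %d %H:%M:%S") for s in stops]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]
```

Paste the real Resolver log text in place of the sample to get the PID list, stop timestamps and outcome counts for the actual incident.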
-
@SteveITS said in Intermittent DNS Issue:
DNSSEC will need to be off if forwarding
It's even a condition stated upfront if you want to use Quad9 (actually: any resolver you want to forward to): Quad9 :: Documentation :: pfSense (encrypted)
It would probably be a good thing if this one was selected:
then this one auto deselects:
And like you, I've tested Quad9 for a month or so last year, and I've been looking for issues. Found none.
I guess I'll do another test run soon, and look even harder.
If there is an issue, I'll be motivated to find one, as I'm a member of the club "I already have a resolver, so I don't need another resolver", which is part of another club, "keep it simple" (pfSense works out of the box without any changes or additions in DNS settings). And DNSSEC works and is available 'for free'. I've been using pfSense for a bit over a decade, and since the resolver (unbound) became default, I never had to think/worry/maintain anything that is DNS related. No need to use the services of whatever company.
Maybe I'm lucky, but I have this feeling I use 'the Internet' as it was meant to be used.
-
@Gertjan I didn't have DNS Query Forwarding ticked as I understood it meant I went to a third party DNS server and I wanted mine to resolve its own from the root servers. I did have DNSSEC ticked originally though.
I have unticked DNSSEC as previously said and ticked DNS Query Forwarding, and it is now back working fine, resolving both internal and external domains. I checked my notes and I never had DNS Query Forwarding ticked and always had DNSSEC ticked, and it worked fine up till last week. I've racked my brains, all 64K of them, and don't remember making any mods in this area, but as I'm always adding services and devices I'm assuming I made the mods that caused the issue by mistake. Thank you both for that.
However it is now sending my data to Quad9 when I wanted it to do its own resolving from the root servers. From what I can see if I unticked DNS Query Forwarding then it should resolve from the root servers but we know that doesn't work. Is there anything else I should change to get it to resolve from the root servers?
-
@DaveP-0 said in Intermittent DNS Issue:
then it should resolve from the root servers but we know that doesn't work
Not being able to use root servers is .... disturbing.
Not being able to contact (use) any (none) of these - one is already enough - means something or someone is crippling your connection. No ISP that I know of does that, as they would be out of business fast.
Btw: A VPN can be your ISP. The actual ISP, in that case, is just the physical connection up until the VPN. From there on, your VPN will be your WAN as seen by everybody else on the internet.
If the VPN WAN IP was used previously, just before you got it, and this person was using the IP to "attack" (in random order) Russia, US, China and North Korea, and harassing "Anonymous", then I can imagine your VPN WAN IP starting to be refused 'everywhere' for safety reasons.
Stop using a VPN, and you'll be fine? Anyway, I'm just brainstorming out loud here.
-
@Gertjan Not sure what VPN @DaveP-0 is using, but it seems that Nord just started (without announcing to anyone) redirecting all DNS queries. Related post
-
Yeah, a not so nice example of paying for an ISP and then paying for another ISP=VPN and winding up with a complicated, not working situation.
It's sad.
-
@Gertjan said in Intermittent DNS Issue:
It would probably a good thing if this one was selected :
...
then this one auto de selects :
I created a redmine to suggest that, and the answer was, paraphrasing, "we don't want to be turning off security settings on people's routers."
@TheNarc said in Intermittent DNS Issue:
it seems that Nord just started (without announcing to anyone) redirecting all DNS queries
That's OK, everyone fully trusts their VPN provider, right? ;)
-
@DaveP-0 If you're resolving then dnssec is valid and viable - and a security feature. If you forward, it's quite possible you could run into dns issues if you're trying to validate dnssec. For starters, when you forward you don't normally get dnssec info, just the record you ask for. And if you're forwarding and you do ask for dnssec - and get responses - they could be wrong, because you didn't actually talk to the authoritative NS to get that info.. Or you could maybe not get an answer, while your local dns knows there should be one, and cause failure, etc.
It might work without issue, but it could cause issues.. When you forward, where you forward to either does dnssec for you or they don't, because somewhere in the chain there will be a resolver.. Be it the next step from where you forwarded to, or a few upstream.. But for dns to actually function, there is a resolver at play somewhere..
Be it you - forwarder - resolver, or you - forwarder - forwarder - forwarder - forwarder - resolver..
At some point there will be a resolver, or dns would not function.
If you forward, and you want to make sure there are no issues, then disable dnssec.. Then again you could run 1000's of queries and never run into a problem, until you do..
Out of the box unbound resolves, and therefore should be doing dnssec for security reasons. If you are going to change that then it's up to the admin to know the proper setup.. If you are going to go out of your way to change the default, then you should hopefully understand what you're doing and know the appropriate settings for your non-default setup.
But what I am going to tell you is if you forward, and you leave dnssec enabled, at some point you're going to run into problems. Might be in 5 minutes, or shoot, might be in 5 weeks, or 5 months or even 5 years. But forwarding and attempting to dnssec is not an optimal setup.
-
@TheNarc said in Intermittent DNS Issue:
@Gertjan Not sure what VPN @DaveP-0 is using, but it seems that Nord just started (without announcing to anyone) redirecting all DNS queries. Related post
It may not surprise you to note that I am using Nord VPN. I've read the other thread and realised I missed it because it was talking about VLANs. Never mind. I have the same issue.
@johnpoz Thanks for that. It makes sense and now I know. You would think PfSense had a warning even if they don't want to automagically unset it. Which I understand. I like that policy.
I'm online to Nord Support now and my subscription expires in a few months, so a new VPN may be on the menu. Pity, I like Nord. Let's see what they say to me.
I'd like to thank you all for the support, it is appreciated, and I'll close this thread and move to the already set Related post