Unable to resolve acb.netgate.com
-
HI,
I am running pfSense-CE 2.7.2-RELEASE (amd64) I am getting an error:
An error occurred while uploading the encrypted pfSense configuration to https://acb.netgate.com/save ( Unable to resolve acb.netgate.com ) @ 2024-04-17
This has been taking place for several days. I have even re installed pfSense from scratch an reloaded the basic configuration Interfaces, DNS Resolver, DHCP IPv4, and Rules. The error continues.
I have also noticed that I am experiencing intermittent DNS issues. DNS resolution. drops out for as long as 1-2 min at a time randomly. I am running DNS Over TLS with Quad9. Any help would be greatly appreciated. Any logs or screenshots I can provide please let me know.
Hardware information:
I am on a physical hardware a fan-less 4 port device
Intel(R) Pentium(R) Silver N6005 @ 2.00GHz
Current: 2386 MHz, Max: 1996 MHz
4 CPUs: 1 package(s) x 4 core(s)
AES-NI CPU Crypto: Yes (inactive)
QAT Crypto: No
16 GB Memory
256GB SS -
@VMlabman are you registering dhcp in unbound - this restarts unbound whenever there is a dhcp event
-
@johnpoz said in Unable to resolve acb.netgate.com:
registering dhcp in unbound
Yes, it sure looks as if I am. I guess I don't have to as this is a homelab and I can use static mappings where needed. I will give this a try and see how it goes.
Thank you,
-
After a few days of testing without registering DHCP host in DNS. I am still getting the error:
An error occurred while uploading the encrypted pfSense configuration to https://acb.netgate.com/save ( Unable to resolve acb.netgate.com ) @ 2024-04-19 11:56:03
What can I share with the community to help resolve the issue?
-
@VMlabman that could be problem on their end.. does that resolve?
$ dig acb.netgate.com ; <<>> DiG 9.16.50 <<>> acb.netgate.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 12919 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 1232 ;; QUESTION SECTION: ;acb.netgate.com. IN A ;; ANSWER SECTION: acb.netgate.com. 3600 IN A 208.123.73.69 ;; Query time: 40 msec ;; SERVER: 192.168.3.10#53(192.168.3.10) ;; WHEN: Sat Apr 20 10:42:45 Central Daylight Time 2024 ;; MSG SIZE rcvd: 60so you running pblocker - maybe that is blocking it?
Where you making changes when you got those alerts? I have seen those when make a change that restarts unbound - seems like a race condition to me where its restarting unbound and trying to save the config change all at the same time, etc.
-
@johnpoz
Hello,Yes, Running the dig command from my workstation does resolve with the output below. I am also running pfBlockerNG-devel. But I don't think it's blocking it because it happens for short periods of time and not as long as I have my blocked sites to be blocked for. This is also the case in Snort that I am running. It's blocking time period is longer than this time this seems to not resolve for. It's not happening 100% of the time. Are there logs that I should look at to see this error and check them against pfBlocker and Snort to verify? If so what Logs and where? I am new to dinging around in logs and how best to filter them.
dig abc.netgate.com
; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> abc.netgate.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52553
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 65494
;; QUESTION SECTION:
;abc.netgate.com. IN A;; AUTHORITY SECTION:
netgate.com. 1432 IN SOA ns1.netgate.com. admin.netgate.com. 2024042005 3600 3600 604800 3600;; Query time: 3280 msec
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
;; WHEN: Sat Apr 20 11:27:19 CDT 2024
;; MSG SIZE rcvd: 90 -
@VMlabman said in Unable to resolve acb.netgate.com:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 52553
that is not resolving - that is NX.. but you did abc vs acb And where exactly is your client pointing to for dns, 127.0.0.53 is a typical IP clients that are using say netplan would use, because it points to local instance that forwards somewhere.
;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP)
see my ubuntu vm does that same thing
user@UC:~$ dig acb.netgate.com ; <<>> DiG 9.18.18-0ubuntu0.22.04.2-Ubuntu <<>> acb.netgate.com ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 55014 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 65494 ;; QUESTION SECTION: ;acb.netgate.com. IN A ;; ANSWER SECTION: acb.netgate.com. 3600 IN A 208.123.73.69 ;; Query time: 60 msec ;; SERVER: 127.0.0.53#53(127.0.0.53) (UDP) ;; WHEN: Sat Apr 20 14:17:41 CDT 2024 ;; MSG SIZE rcvd: 60 user@UC:~$You can normally see where exactly your client is pointing with
user@UC:~$ resolvectl status Global Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported resolv.conf mode: stub Link 2 (ens3) Current Scopes: DNS Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported Current DNS Server: 192.168.3.10 DNS Servers: 192.168.3.10 DNS Domain: home.arpa user@UC:~$ -
I’m no longer resolving by default DHCP leases into DNS by default. I click that off a couple days ago but I’m still having the issue the ABC which is the gate back up is not resolving air come up any other ideas out there to help me out I’m stuck on this one it does resolve, the command, prompt or terminal
Thank you,
-
@VMlabman you sure using the correct name? Its acb.netgate.com not abc.
-
Thank you for your reply. Yes, I am sure I am as I have made no changes to that area of pfSense and it does work a lot of the time. Screenshot attached. What else can I check within the firewall? What do you suggest?
Reguards,
-
johnpoz LAYER 8 Global Moderatorlast edited by johnpoz Apr 23, 2024, 12:13 AM Apr 23, 2024, 12:10 AM
@VMlabman so seem to be odd ball times. Are you making a change when that happens, that would/could effect your connection or that resolving? I just had this happen to me as well... But it was because unbound was being restarted..
If you ask me they have a horrible short ttl on that record
;; QUESTION SECTION: ;acb.netgate.com. IN A ;; ANSWER SECTION: acb.netgate.com. 300 IN A 208.123.73.69So that is almost always going to have to be resolved on the spot.. Because its not cached for more than 5 minutes.. And if nothing is asking for it, it won't be prefetched etc.. And prefetch isn't even a default setting.
Let me call @stephenw10 for his take on that ttl, why would it be so low is beyond me.. I doubt that IP is going to be changing that often?
I might see it happen less often because I have a min ttl of 3600 set on my unbound.
-
@johnpoz said in Unable to resolve acb.netgate.com:
@stephenw10
How do I go about making the change to the ttl on pfSense? I am newer to this stuff and this is my first build I have dont more then basic browsing of the web with.Thanks
-
@VMlabman you can't change the ttl they hand out, but you can set min ttl in unbound.. So any record that it resolves if the ttl handed to you is lower than your min, it sets it to the min you have set..
Go to the unbound settings, advanced and scroll down.
Keep in mind this is an advanced setting, and could have issues.. I have used this setting for years and never ran into any issues. But its not considered good practice to alter the ttl set by some domain.. But then again ttls of 60 seconds, or 5 minutes or 10 minutes etc are just insane low.. Unless the IP was dynamic and changes all the time, or you are in the process of changing the record to a different IP..
And this might not help, but it will help in having to lookup that record every 5 minutes.. Since now it will be cached for an hour. You could set it higher even if you want.. But again its not good practice to alter the ttl that someone has set.. They normally set a ttl for a specific reason.. Then again they might not have a clue, and where they are hosting dns sets it default to low? Or maybe they changed it and didn't raise the ttl back to a sane value.
-
Mine at this point is set to 0. Is there a way to change this for a single domain ie. acb.netgate.com or make a atatic entry anyware and test it that way?
Thx,
-
I am trying to see if it helps. i don't know if this is even a good idea or not however it's easy to remove and doesn't affect any other domains.
I put a static entry in DNS Resolver Domain Overrides
-
@VMlabman yeah that should help unless the reason you can't resolve it is that unbound is not running.
-
I'll give you a list with exploitable ideas :
You've already met this one :
Uncheck :Also, when you installed pfSense, it was not "broken" : DNS worked just fine.
So, what about trusting Netgate :Always keep an eye on unbound : I use this.
Why ? Because a "always running" unbound is important for my DNS stability.
You'll say : Hey, your unbound is always restarting !! That's because restart it manually, as I try out things a lot while answering DNS questions here on the forum ^^
But basically, I use the settings Netgate gave me a decade ago. And oh boy, I never have DNS issues. I'm not wondering why ^^Take note : I use pfBlockerng, and pfBlocker tends to restart unbound.
I've set my dnsbl feeds to be re downloaded every week, not every hour. -
@VMlabman I just ran into this - but this seems more like just acb didn't answer quick enough, not that it didn't resolve
-
@Gertjan said in Unable to resolve acb.netgate.com:
I've set my dnsbl feeds to be re downloaded every week, not every hour.
Will trusting Netgate and checking DNS Query Forwarding break my DNS Over/TLS on 853 ?
Thanks,
-
I get it from the Auto Backup when I make a change to the firewall it uploads a configuration change / backup to Netgate. It's a real pain in the tush to keep seeing the error. I am going to try what @Gertjan suggested I give and shot and check DNS Query Forwarding to see if that helps.
Thank you,
