DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times
-
@SteveITS you can still get dig for windows... It's just a bit behind what is current version.. And yeah they are not going to provide it past the 9.16 branch.
I use it all the time, but you can install on wsl on windows so there is that which is on the 9.18 branch and under development
user@i9-win:~$ dig
; <<>> DiG 9.18.26-1+ubuntu22.04.1+deb.sury.org+1-Ubuntu <<>>
Latest for windows is 9.16.50
$ dig
; <<>> DiG 9.16.50 <<>>
side note, how to say you don't know anything about dns without stating you don't know anything about dns..
"I've actually never heard of dig before." hahahah
-
@johnpoz said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
side note, how to say you don't know anything about dns without stating you don't know anything about dns..
"I've actually never heard of dig before." hahahah
oh i never claimed to know anything about DNS. or much of anything for that matter. I'll be honest, a bit out of my depth with dig. Downloaded the zip from isc.org and installed it but i'm really not sure how to execute it.
I'm likewise a bit out of my depth with the logs. I've navigated to the DHCP subsection of the system logs and see the restarts you were referring to from before I disabled "Register DHCP" but nothing alarming just after it. But i have no idea what to be looking for. Can I upload the log for more expert eyes to see if anything jumps out?
-
@RickyBaker said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
but i'm really not sure how to execute it.
type dig ;) at a command prompt
$ dig -h
Usage:  dig [@global-server] [domain] [q-type] [q-class] {q-opt}
            {global-d-opt} host [@local-server] {local-d-opt}
            [ host [@local-server] {local-d-opt} [...]]
Where:  domain   is in the Domain Name System
        q-class  is one of (in,hs,ch,...) [default: in]
        q-type   is one of (a,any,mx,ns,soa,hinfo,axfr,txt,...) [default:a]
                 (Use ixfr=version for type ixfr)
        q-opt    is one of:
                 -4  (use IPv4 query transport only)
                 -6  (use IPv6 query transport only)
                 -b address[#port]  (bind to source address/port)
                 -c class  (specify query class)
                 -f filename  (batch mode)
                 -k keyfile  (specify tsig key file)
                 -m  (enable memory usage debugging)
                 -p port  (specify port number)
                 -q name  (specify query name)
                 -r  (do not read ~/.digrc)
                 -t type  (specify query type)
                 -u  (display times in usec instead of msec)
                 -x dot-notation  (shortcut for reverse lookups)
                 -y [hmac:]name:key  (specify named base64 tsig key)
        d-opt    is of the form +keyword[=value], where keyword is:
                 +[no]aaflag  (Set AA flag in query (+[no]aaflag))
                 +[no]aaonly  (Set AA flag in query (+[no]aaflag))
                 +[no]additional  (Control display of additional section)
                 +[no]adflag  (Set AD flag in query (default on))
                 +[no]all  (Set or clear all display flags)
                 +[no]answer  (Control display of answer section)
                 +[no]authority  (Control display of authority section)
                 +[no]badcookie  (Retry BADCOOKIE responses)
                 +[no]besteffort  (Try to parse even illegal messages)
                 +bufsize[=###]  (Set EDNS0 Max UDP packet size)
                 +[no]cdflag  (Set checking disabled flag in query)
                 +[no]class  (Control display of class in records)
                 +[no]cmd  (Control display of command line - global option)
                 +[no]comments  (Control display of packet header and section name comments)
                 +[no]cookie  (Add a COOKIE option to the request)
                 +[no]crypto  (Control display of cryptographic fields in records)
                 +[no]defname  (Use search list (+[no]search))
                 +[no]dnssec  (Request DNSSEC records)
                 +domain=###  (Set default domainname)
                 +[no]dscp[=###]  (Set the DSCP value to ### [0..63])
                 +[no]edns[=###]  (Set EDNS version) [0]
                 +ednsflags=###  (Set EDNS flag bits)
                 +[no]ednsnegotiation  (Set EDNS version negotiation)
                 +ednsopt=###[:value]  (Send specified EDNS option)
                 +noednsopt  (Clear list of +ednsopt options)
                 +[no]expandaaaa  (Expand AAAA records)
                 +[no]expire  (Request time to expire)
                 +[no]fail  (Don't try next server on SERVFAIL)
                 +[no]header-only  (Send query without a question section)
                 +[no]identify  (ID responders in short answers)
                 +[no]ignore  (Don't revert to TCP for TC responses.)
                 +[no]keepalive  (Request EDNS TCP keepalive)
                 +[no]keepopen  (Keep the TCP socket open between queries)
                 +[no]mapped  (Allow mapped IPv4 over IPv6)
                 +[no]multiline  (Print records in an expanded format)
                 +ndots=###  (Set search NDOTS value)
                 +[no]nsid  (Request Name Server ID)
                 +[no]nssearch  (Search all authoritative nameservers)
                 +[no]onesoa  (AXFR prints only one soa record)
                 +[no]opcode=###  (Set the opcode of the request)
                 +padding=###  (Set padding block size [0])
                 +[no]qr  (Print question before sending)
                 +[no]question  (Control display of question section)
                 +[no]raflag  (Set RA flag in query (+[no]raflag))
                 +[no]rdflag  (Recursive mode (+[no]recurse))
                 +[no]recurse  (Recursive mode (+[no]rdflag))
                 +retry=###  (Set number of UDP retries) [2]
                 +[no]rrcomments  (Control display of per-record comments)
                 +[no]search  (Set whether to use searchlist)
                 +[no]short  (Display nothing except short form of answers - global option)
                 +[no]showsearch  (Search with intermediate results)
                 +[no]split=##  (Split hex/base64 fields into chunks)
                 +[no]stats  (Control display of statistics)
                 +subnet=addr  (Set edns-client-subnet option)
                 +[no]tcflag  (Set TC flag in query (+[no]tcflag))
                 +[no]tcp  (TCP mode (+[no]vc))
                 +timeout=###  (Set query timeout) [5]
                 +[no]trace  (Trace delegation down from root [+dnssec])
                 +tries=###  (Set number of UDP attempts) [3]
                 +[no]ttlid  (Control display of ttls in records)
                 +[no]ttlunits  (Display TTLs in human-readable units)
                 +[no]unexpected  (Print replies from unexpected sources default=off)
                 +[no]unknownformat  (Print RDATA in RFC 3597 "unknown" format)
                 +[no]vc  (TCP mode (+[no]tcp))
                 +[no]yaml  (Present the results as YAML)
                 +[no]zflag  (Set Z flag in query)
        global d-opts and servers (before host name) affect all queries.
        local d-opts and servers (after host name) affect only that lookup.
        -h  (print help and exit)
        -v  (print version and exit)
Sure you can upload stuff.. There are some file size limits and such
-
@johnpoz said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
type dig ;) at a command prompt
lol yeah obviously not in the windows cmd prompt i was trying it in. I thought installing the package from isc.org would install the command into the PATH but i guess not. I will try on a linux machine.
as for the logs, took me a while but here's some logs
dhcp: https://pastebin.com/3RuMUSc2
resolver: https://pastebin.com/3GFsYCE7 (not sure why this stopped updating on saturday, probably from one of the changes i instituted)
system: https://pastebin.com/1c6PwRu2
let me know if any others would be useful. fwiw my wife experienced the error around 8:24am today (4.23.24)
-
@johnpoz said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
type dig ;) at a command prompt
well i'll be...
tried to paste as code like you but kept identifying as spam. Running the same command while ssh'ed into the pfsense box though:
-
@RickyBaker said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
resolver: https://pastebin.com/3GFsYCE7
Unbound restarted 32 times in the ~1.5 days of log you posted. Looks like your DHCP is set for a 2 hour lease (meaning 1 hour renewal). You could try extending that to say 8 or 12 hours.
I don't see whether you posted you tried with DNSSEC disabled. Are you actually forwarding or not?
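An added example, not part of the original thread: one way to count resolver restarts in a log and compare their spacing with the DHCP renewal interval mentioned above. The log lines are constructed for illustration (hostname `fw`, PIDs, times and the unbound version are made up); the function names are hypothetical.

```python
import re
from datetime import datetime

# Constructed sample in the syslog layout unbound writes; not the poster's log.
SAMPLE_LOG = """\
Apr 23 06:10:10 fw unbound[4312]: [4312:0] info: service stopped (unbound 1.19.1).
Apr 23 06:10:12 fw unbound[9920]: [9920:0] info: start of service (unbound 1.19.1).
Apr 23 06:41:30 fw unbound[9920]: [9920:0] info: generate keytag query _ta-4f66. NULL IN
Apr 23 07:10:11 fw unbound[9920]: [9920:0] info: service stopped (unbound 1.19.1).
Apr 23 07:10:14 fw unbound[1207]: [1207:0] info: start of service (unbound 1.19.1).
Apr 23 08:09:58 fw unbound[1207]: [1207:0] info: service stopped (unbound 1.19.1).
Apr 23 08:10:03 fw unbound[5531]: [5531:0] info: start of service (unbound 1.19.1).
"""

LINE = re.compile(
    r"^(\w{3} +\d+ \d\d:\d\d:\d\d) \S+ unbound\[\d+\]: .*(service stopped|start of service)"
)

def restarts(log, year=2024):
    """Timestamp of every 'start of service' line (BSD syslog has no year)."""
    out = []
    for line in log.splitlines():
        m = LINE.match(line)
        if m and m.group(2) == "start of service":
            out.append(datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S"))
    return out

def gaps_minutes(times):
    """Minutes between consecutive restarts; a steady value points at a timer."""
    return [round((b - a).total_seconds() / 60) for a, b in zip(times, times[1:])]

def nearest_restart(times, when):
    """Restart closest to a user-reported failure time."""
    return min(times, key=lambda t: abs(t - when))

if __name__ == "__main__":
    t = restarts(SAMPLE_LOG)
    print(len(t), "restarts, gaps (min):", gaps_minutes(t))
    print("closest to 08:12:", nearest_restart(t, datetime(2024, 4, 23, 8, 12)))
```

Gaps that cluster around the DHCP renewal time suggest lease events are triggering the restarts; a restart close to a reported NXDOMAIN window is worth checking against the client's clock.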
-
@SteveITS said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
Looks like your DHCP is set for a 2 hour lease (meaning 1 hour renewal). You could try extending that to say 8 or 12 hours.
thanks, i'll look for that option and change it to 8
@SteveITS said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
I don't see whether you posted you tried with DNSSEC disabled. Are you actually forwarding or not?
is this option not showing up unticked in the logs? or does this screenshot suffice to say it's disabled?
I don't think I'm forwarding?
-
@RickyBaker said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
or does this screenshot suffice to say it's disabled?
That's fine, I just didn't see a response above. Before 23.01 forwarding + DNSSEC didn't seem to be a problem but after 23.01 it often is.
There's a checkbox in the resolver settings to forward but if DNSSEC is disabled that point is irrelevant.
-
@SteveITS Happened again this morning. Though just for my wife. She got DNS_PROBE_FINISHED_NXDOMAIN error in chrome but said the amazon link worked (so weird) but I did not experience any issues by the time i got a browser opened. This is the log for around that time:
I did notice that attack from 180.101.88.225 with a Level 10 a LOT in the logs, is it possible my firewall has misidentified some of my devices as attackers? But then quickly resolves that's wrong before making the same mistake again soon?
-
@RickyBaker said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
180.101.88.225 with a Level 10 a LOT in the logs, is it possible my firewall has misidentified some of my devices as attackers?
misidentified ?
It's 180.101.88.225. No doubt about it.
Is that IP coming from your LAN ? Disconnect it, have it cleaned. Do have a talk with the owner.
Is the IP coming from the Internet ? Empty the WAN firewall rule list, and you're good. I would fire the pfSense admin
edit : no LAN IP, whois told me "180.101.88.225" is Chinese allocated.
Rip out your WAN cable now. We'll talk later ^^
-
@RickyBaker the “now monitoring attacks” is logged whenever a log file rotates so is normal.
The logged attacks though do indicate you have port 22 open on WAN, and check for other ports too, as that’s a good way to get hacked.
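An added example, not part of the original thread: it separates sshguard "Attack from" entries by whether the source is a private (LAN) address or a public one, which is the question the two replies above answer. The log lines are constructed; `192.168.1.50` and the hostname `fw` are made-up values, and the function name is hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in sshguard's message format; only 180.101.88.225 is from the thread.
SAMPLE_LOG = """\
Apr 24 07:58:01 fw sshguard[61234]: Now monitoring attacks.
Apr 24 08:01:17 fw sshguard[61234]: Attack from "180.101.88.225" on service SSH with danger 10.
Apr 24 08:01:19 fw sshguard[61234]: Attack from "180.101.88.225" on service SSH with danger 10.
Apr 24 08:01:20 fw sshguard[61234]: Attack from "180.101.88.225" on service SSH with danger 10.
Apr 24 08:01:20 fw sshguard[61234]: Blocking "180.101.88.225/32" for 120 secs (3 attacks in 3 secs, after 1 abuses over 3 secs.)
Apr 24 08:15:42 fw sshguard[61234]: Attack from "192.168.1.50" on service SSH with danger 10.
"""

ATTACK = re.compile(r'sshguard\[\d+\]: Attack from "([^"]+)" on service (\S+)')

def attack_sources(log):
    """Count attack lines per source, split into 'lan' and 'internet'."""
    result = {"lan": Counter(), "internet": Counter()}
    for line in log.splitlines():
        m = ATTACK.search(line)
        if not m:
            continue  # rotation notices and Blocking lines are not attacks
        try:
            addr = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # not an IP literal; skip rather than guess
        side = "lan" if addr.is_private else "internet"
        result[side][str(addr)] += 1
    return result

if __name__ == "__main__":
    for side, counts in attack_sources(SAMPLE_LOG).items():
        for ip, n in counts.most_common():
            print(f"{side:8} {ip:16} {n} attack line(s)")
```

Any entry under `internet` means a login service on the firewall was reachable from the WAN side when the line was written; entries under `lan` point at a local device to inspect.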
-
@SteveITS so close port 22 immediately?
-
@RickyBaker I'd close all ports on WAN that are not needed. By default WAN has no rules so all incoming traffic from the Internet is blocked.
-
@SteveITS I certainly did not intentionally leave any ports open...Am firing up my VPN now...These logs are saying this IP is TRYING to access my network, not accessing it though right?
-
@RickyBaker
Not "closing".
Don't use any firewall rules that allow SSH access (port 22) or actually any access on the WAN interface.
Exactly like the way you found it, when installing pfSense.
No rules on WAN = safe.
Opening port 22 = "China" (the entire planet in reality) is lining up for you to 'try'.
There is an exception (as always) :
If you activate a VPN server (on pfSense), this will, by default, allow UDP traffic on port 1194 on the WAN interface.
If you need to access resources from the outside = WAN, use a VPN, or comparable.
-
@Gertjan said in DNS_PROBE_FINISHED_NXDOMAIN sporadically for anywhere from 30secs to 10min. works flawlessly at all other times:
There is an exception (as always) :
If you activate a VPN server (on pfSense), this will, by default, allow UDP traffic on port 1194 on the WAN interface.
If you need to access resources from the outside = WAN, use a VPN, or comparable.
I do! there's always the concern i messed up during set up, but that was the intention. checking now
-
f#$k this looks wide open. i dunno how that happened it says it comes from OpenVPN wizard. Is this wrong? Should Destination port be changed from asterisk to 1194?
-
@RickyBaker
also, DEF didn't put in this rule, that ip address is my Synology box, think it added this rule via UPNP?
-
@RickyBaker I would guess, it was edited at some point and the description remained. If you look at the rule without saving it, it will show a created and last saved date at the bottom.
Yes it should be 1194 UDP.
The floating rule could be from traffic shaping? (per the m_P2P text)
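An added example, not part of the original thread: a check over a configuration backup that lists every enabled pass rule touching WAN other than UDP 1194, the one exposure the replies above accept. The XML is a constructed fragment, and the element names (`filter/rule`, `type`, `interface`, `protocol`, `destination/port`, `disabled`, `floating`, `descr`) are assumptions about the config.xml layout; `audit_wan` is a hypothetical name.

```python
import xml.etree.ElementTree as ET

# Constructed fragment; element names are an assumed config.xml filter layout.
SAMPLE_CONFIG = """<pfsense><filter>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source><destination><network>wanip</network></destination>
  <descr>OpenVPN wizard</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>udp</protocol>
  <source><any/></source><destination><network>wanip</network><port>1194</port></destination>
  <descr>OpenVPN wizard, port set</descr></rule>
<rule><type>pass</type><interface>wan</interface><protocol>tcp</protocol>
  <source><any/></source><destination><network>wanip</network><port>22</port></destination>
  <descr>ssh from anywhere</descr></rule>
<rule><type>pass</type><interface>wan,lan</interface><floating>yes</floating><disabled/>
  <source><any/></source><destination><any/></destination>
  <descr>floating rule, disabled</descr></rule>
<rule><type>pass</type><interface>lan</interface>
  <source><network>lan</network></source><destination><any/></destination>
  <descr>Default allow LAN to any rule</descr></rule>
</filter></pfsense>"""

ALLOWED = {("udp", "1194")}  # the only WAN exposure the thread sanctions

def audit_wan(config_xml, allowed=ALLOWED):
    """Return (description, protocol, dest port) for each unexpected WAN pass rule."""
    findings = []
    for rule in ET.fromstring(config_xml).iterfind("filter/rule"):
        ifaces = (rule.findtext("interface") or "").split(",")
        if rule.findtext("type") != "pass" or "wan" not in ifaces:
            continue
        if rule.find("disabled") is not None:
            continue  # disabled rules are not loaded into the ruleset
        proto = rule.findtext("protocol") or "any"
        port = rule.findtext("destination/port") or "*"  # no port = every port
        if (proto, port) not in allowed:
            findings.append((rule.findtext("descr"), proto, port))
    return findings

if __name__ == "__main__":
    for descr, proto, port in audit_wan(SAMPLE_CONFIG):
        print(f"review: {descr!r} passes {proto} to port {port} on WAN")
```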
-
@SteveITS this look right then?
disabled the floating rule and made this change and still have access to the pfsense remotely so seems to not have broken the openvpn connection, thank you for the confirmation.
I would LOVE to do traffic shaping but I have not actually attempted it in many years and recently redid all the rules to add VLANs so i'm very puzzled by this (I also don't even use the Synology really) but you are absolutely right that qP2P sure looks like a traffic shaping effort...very disconcerting