Netgate Discussion Forum
    Finicky DNS - Resolver

    DHCP and DNS

    maverik1

      I have recently switched over to DNS Resolver from DNS Forwarder.  Current settings are:

      Port: 53
      Network Interfaces: All (I have Vlans)
      Outgoing Interfaces: All
      Local Zone type: Transparent
      DNSSEC: disabled, will not work with OpenDNS
      DNS Query Forwarding: Enabled (I want to forward to OpenDNS; these servers are set in General Setup)
      DHCP Registration: enabled
      Static DHCP: enabled

      I have added host overrides for various network devices.

      Under advanced, everything is default. I did disable DNSKEY support and Harden DNSSEC Data.

      I am currently on a test VLAN with one any-to-any firewall rule. The problem is I am having weird issues with DNS: sometimes my queries time out or take a while to resolve. A few nslookup examples are below.

      Nslookup to outside domain:

      C:\Users\Me>nslookup foxnews.com
      Server:  admin.syndicate.com
      Address:  10.0.0.1

      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      Non-authoritative answer:
      Name:    foxnews.com
      Address:  104.68.123.149

      Nslookup to local host. This host has been added in host overrides.

      C:\Users\Me>nslookup guest.syndicate.com
      Server:  admin.syndicate.com
      Address:  10.0.0.1

      DNS request timed out.
          timeout was 2 seconds.
      DNS request timed out.
          timeout was 2 seconds.
      Name:    guest.syndicate.com
      Address:  10.0.3.1

      This comes back quicker:

      C:\Users\Me>nslookup 10.0.3.1
      Server:  admin.syndicate.com
      Address:  10.0.0.1

      Name:    guest.syndicate.com
      Address:  10.0.3.1

      Per the main page, DNS servers are as follows:

      127.0.0.1
      208.67.222.222
      208.67.220.220

      Sometimes the queries time out altogether and sometimes they are just slow to resolve. Is this just a limitation of the resolver?

      Thanks for any input.

      awebster

        Take a look at your Windows DNS server configuration; maybe there is something in there that doesn't belong.

        –A.

        maverik1

          The only DNS server on the Windows host is the firewall itself. I do not have the delay or timeout when doing the nslookup from the console or the GUI. Might just be a Windows thing, I do not know. Looking at /etc/resolv.conf, I see the following:

          nameserver 127.0.0.1
          search syndicate.com  (this is my domain)
          208.67.222.222
          208.67.220.220

          Which is what it should show.

          awebster

            On windows, do this:

            nslookup
            set debug
            set d2
            set type=a
            foxnews.com
            

            There will be quite a lot of output, but you will see exactly what questions are being asked and to whom, and what responses you are getting.
            I should point out that DNS works by initially appending the local host's domain name to the query, so the very first query will be foxnews.com.syndicate.com, which should result in an immediate "not found" error, but DNS will then try again with foxnews.com.
            It is possible that this "error" condition is what's causing the issue.

            You can also try foxnews.com. (notice the trailing dot) to have it not append your domain name. If you get fast results, then the problem is with your config on pfSense, as it isn't returning a negative answer immediately.

            –A.

            maverik1

              Yeah, that makes sense now. Windows is appending the DNS suffix search list on all lookups. In my case, it is syndicate.com. I have corrected it by editing the DNS settings on the network card to Append DNS suffixes in order, starting with "." and then "syndicate.com". No issues now. Many thanks.

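The suffix-appending behaviour awebster describes and the fix maverik1 applied, as an added simulation that is not part of the thread: it lists the fully qualified names a client tries for a given search list (a trailing dot or a "." suffix entry suppresses appending, as in the fix), and models a resolver that either answers NXDOMAIN promptly or never answers the appended-suffix query, which is what turns one lookup into the two 2-second timeouts seen in the nslookup output. The answer table, timeout and retry values are constructed assumptions.

```python
# Added example (not from the thread): how a client DNS suffix search list
# turns one lookup into several queries, and why a resolver that drops the
# appended-suffix query (instead of returning NXDOMAIN promptly) produces
# "DNS request timed out" before the real answer arrives.
from typing import Dict, List, Optional, Tuple

# Constructed answer table standing in for the resolver's known names.
ANSWERS: Dict[str, str] = {
    "foxnews.com.": "104.68.123.149",
    "guest.syndicate.com.": "10.0.3.1",
}


def candidate_names(query: str, search_list: List[str]) -> List[str]:
    """Return the fully qualified names a client tries, in order.

    A trailing dot marks the query as fully qualified: nothing is appended.
    Otherwise each suffix is appended in order; the special entry "." means
    "try the name as typed" at that position (the fix used in the thread).
    If the bare name was not reached via ".", it is tried last.
    """
    if query.endswith("."):
        return [query]
    names: List[str] = []
    for suffix in search_list:
        names.append(f"{query}." if suffix == "." else f"{query}.{suffix}.")
    if f"{query}." not in names:
        names.append(f"{query}.")
    return names


def simulate_lookup(
    query: str,
    search_list: List[str],
    nxdomain_fast: bool,
    timeout_s: float = 2.0,   # assumed client timeout per attempt
    retries: int = 2,         # assumed attempts before giving up on a name
) -> Tuple[Optional[str], Optional[str], float]:
    """Walk the candidates; return (answered_name, address, seconds_waited).

    nxdomain_fast=True models a resolver that answers NXDOMAIN immediately
    for a non-existent name; False models one that never answers it, so the
    client burns retries * timeout_s before moving on to the next candidate.
    """
    elapsed = 0.0
    for name in candidate_names(query, search_list):
        if name in ANSWERS:
            return name, ANSWERS[name], elapsed
        if not nxdomain_fast:
            elapsed += retries * timeout_s
    return None, None, elapsed
```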
              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.