DNS Resolver failing after 23.x to 24.03 upgrade
-
I lost DNS resolution after upgrading to 24.03 on my Netgate 4200. I had to add an ACL to allow requests from my internal network. This was not required prior.
-
I've a 4100 myself, with 24.03.
I totally forgot about these ACLs - I had several of them.
But I don't recall why I had to add them...
I'm far more sure there is no official pfSense manual that says that I had to make some to make my networks work, or make DNS work. Can you tell me where it was said that ACLs need to be set?
So, I'm testing these simple ACL settings right now:
Yep: none.
I took my phone and several PCs and other devices, and restarted some of them. Everything - DNS - still works just fine. Btw: my resolver settings are the default ones: my resolver resolves.
-
@bchipman unless you have disabled creation of the auto acls, any networks that are directly attached would be in your auto acls.
I personally disable them, and create my own - I want to know exactly what the acls are, and might create specific ones that do different stuff.
You sure it was an acl thing that got it working, or maybe just the restart when you changed the acl?
I just recently updated to 24.03 from 23.09.1, kept putting it off because I wanted to change to ssd vs emmc - but with everything going on in RL, 24.08 would be out before I get to it. So I just did an in-place upgrade and I had zero issues with dns or dhcp.
-
@johnpoz
Where is that option?
I don't think I have changed it. BTW, I figured this out after 20+ years working in networking and security and programming at enterprises.
-
@johnpoz
Ok, I found it and that option was not selected.
The new ACL for DNS was the only change made before DNS resolution started working. I had previously turned the resolver off and back on - no impact.
-
@bchipman well then your auto acls should work unless this network your clients are on is not directly attached.
Here I fired up one of my VMs. You can see the auto acls in the config.
Then I added a new network via a vlan, enabled it, gave it an IP 192.168.42.1/24.
Restarted unbound and you see it updated the access list to include my new 192.168.42 network.
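The thread turns on whether a client's subnet is covered by one of Unbound's `access-control:` entries (the auto ACLs pfSense generates, or manual ones). The following added example is not from any poster or from pfSense; it parses a constructed config fragment that mimics those lines and applies Unbound's rule that the most specific matching netblock wins, with unmatched clients falling back to `refuse`. This is a quick way to check, before restarting anything, whether a client such as a host on a newly added VLAN will be refused by the resolver. All addresses and the config text are constructed sample values.

```python
import ipaddress

# Constructed sample resembling the access-control lines pfSense writes for
# Unbound: localhost plus two directly attached networks. Not a real config.
SAMPLE_CONFIG = """\
server:
    # pfSense auto ACLs (constructed example)
    access-control: 127.0.0.0/8 allow
    access-control: ::1/128 allow
    access-control: 192.168.1.0/24 allow
    access-control: 10.10.10.0/24 allow
"""


def parse_access_control(config_text):
    """Return a list of (network, action) tuples from access-control lines.

    Unbound syntax: 'access-control: <netblock> <action>'. Comments after '#'
    are ignored; malformed lines are skipped rather than guessed at.
    """
    rules = []
    for raw in config_text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("access-control:"):
            continue
        parts = line.split()
        if len(parts) < 3:
            continue
        try:
            net = ipaddress.ip_network(parts[1], strict=False)
        except ValueError:
            continue
        rules.append((net, parts[2].lower()))
    return rules


def acl_verdict(rules, client_ip, default="refuse"):
    """Decide the action Unbound applies to client_ip.

    Unbound uses the most specific (longest prefix) matching netblock; if no
    netblock matches, the default action is 'refuse', which is exactly the
    failure mode a client on an uncovered subnet experiences.
    """
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net, action in rules:
        if net.version != addr.version or addr not in net:
            continue
        if best is None or net.prefixlen > best[0].prefixlen:
            best = (net, action)
    return best[1] if best else default


def add_network(rules, cidr, action="allow"):
    """Mirror the effect of a new ACL entry (e.g. a freshly added VLAN) and
    return the updated rule list without mutating the original."""
    return rules + [(ipaddress.ip_network(cidr, strict=False), action.lower())]


def uncovered_clients(rules, client_ips):
    """List the clients that would get no 'allow' verdict from these rules."""
    return [ip for ip in client_ips if acl_verdict(rules, ip) != "allow"]


if __name__ == "__main__":
    rules = parse_access_control(SAMPLE_CONFIG)
    clients = ["192.168.1.20", "10.10.10.5", "192.168.42.15"]
    print("uncovered before new VLAN ACL:", uncovered_clients(rules, clients))
    rules_after = add_network(rules, "192.168.42.0/24")
    print("uncovered after new VLAN ACL: ", uncovered_clients(rules_after, clients))
```

Run it as a script to see which of the constructed clients would be refused; the host on 192.168.42.0/24 only becomes allowed once an entry for that network exists, which is what the restart in the post above produced.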