Netgate Discussion Forum
Logging DNS queries

DHCP and DNS
    Octopuss @johnpoz
    last edited by Jan 31, 2025, 6:42 PM

    @johnpoz Like I said, I will simply reinstall the entire thing from scratch and redo all the settings manually when I find the motivation to lose several hours of my life, lol.

      johnpoz LAYER 8 Global Moderator @Octopuss
      last edited by johnpoz Jan 31, 2025, 7:14 PM Jan 31, 2025, 7:12 PM

      @Octopuss or you could install the patches in like 2 minutes and do a reboot and see if you don't have to reinstall.. And more than likely whatever issue you're running into - not sure how a reinstall is going to correct the problem.. This is FreeBSD, this is not Windows ME ;)

      In all the years I have been using pfsense, on all kinds of different hardware.. I have only once had to do a reinstall.. And that was a crashed update.. So I had to do a clean install.

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.7.2, 24.11

        Uglybrian
        last edited by Jan 31, 2025, 7:40 PM

        @Octopuss Please keep us updated. I will be curious about your final resolution. I understand, from what I interpret.........your frustration.

          Octopuss @johnpoz
          last edited by Octopuss Jan 31, 2025, 9:39 PM Jan 31, 2025, 9:29 PM

          @johnpoz said in Logging DNS queries:

          or you could install the patches in like 2 minutes and do a reboot and see if you don't have to reinstall

          You seem to have missed the edited part of my post where I said it made no difference.

          @johnpoz said in Logging DNS queries:

          not sure how a reinstall is going to correct the problem.. This is freebsd, this not windows me ;)
          Assuming it's a combination of settings, reinstall will solve it, because there's so much stuff that can be combined together and is possibly interconnected one way or another that there's no way to troubleshoot this.

            Octopuss @Uglybrian
            last edited by Jan 31, 2025, 9:32 PM

            @Uglybrian said in Logging DNS queries:

            @Octopuss Please keep us updated. I will be curious about your final resolution. I understand, from what I interpret.........your frustration.

            I really don't know what to make of this. It could be some obscure bug or it could be a combination of settings or some black magic.

              Uglybrian
              last edited by Jan 31, 2025, 10:01 PM

              I have been following along and was surprised by your unbound behavior from simply turning off DNSSEC.

              Since johnpoz could not replicate what was happening, I would determine it to be black magic.

              There are some great suggestions in this post to help minimize your DNS lookups with your ISP. Even though they are in the range of normal.

              The minimum TTL for RR sets being set at 3600 is something I changed a couple of years ago when I read about it in a previous johnpoz post. Like him, I also have not run into any issues.
              I also think you should try resolving instead of forwarding. I believe you will find it just as fast as forwarding and not notice the difference.

              If you do determine you would just rather reinstall, I would take a backup copy and, instead of reinstalling, go to Diagnostics and click on factory defaults.

              Can’t wait to see what happens next.

                johnpoz LAYER 8 Global Moderator @Octopuss
                last edited by Jan 31, 2025, 10:07 PM

                @Octopuss what does your log say when you reboot and unbound isn't working? Is the service not running at all? ie it didn't start, or did it start and is just not bound to something? If it's running, let's see output of

                [24.11-RELEASE][admin@sg4860.home.arpa]/root: unbound-control -c /var/unbound/unbound.conf status
                version: 1.22.0
                verbosity: 2
                threads: 4
                modules: 2 [ validator iterator ]
                uptime: 20638 seconds
                options: control(ssl)
                unbound (pid 65878) is running...
                

                and this

                [24.11-RELEASE][admin@sg4860.home.arpa]/root: netstat -anl | grep -w '53'
                tcp4       0      0 127.0.0.1.53                                  *.*                                           LISTEN     
                tcp4       0      0 192.168.7.253.53                              *.*                                           LISTEN     
                tcp4       0      0 192.168.4.253.53                              *.*                                           LISTEN     
                tcp4       0      0 192.168.6.253.53                              *.*                                           LISTEN     
                tcp4       0      0 192.168.2.253.53                              *.*                                           LISTEN     
                tcp4       0      0 192.168.110.253.53                            *.*                                           LISTEN     
                tcp4       0      0 192.168.9.253.53                              *.*                                           LISTEN     
                tcp4       0      0 192.168.3.253.53                              *.*                                           LISTEN     
                tcp4       0      0 10.1.1.253.53                                 *.*                                           LISTEN     
                udp4       0      0 127.0.0.1.53                                  *.*                                           
                udp4       0      0 192.168.7.253.53                              *.*                                           
                udp4       0      0 192.168.4.253.53                              *.*                                           
                udp4       0      0 192.168.6.253.53                              *.*                                           
                udp4       0      0 192.168.2.253.53                              *.*                                           
                udp4       0      0 192.168.110.253.53                            *.*                                           
                udp4       0      0 192.168.9.253.53                              *.*                                           
                udp4       0      0 192.168.3.253.53                              *.*                                           
                udp4       0      0 10.1.1.253.53                                 *.*                                           
                [24.11-RELEASE][admin@sg4860.home.arpa]/root: 
                

                That will show you what IPs it is listening on.. If you do not see it listening on anything - then yeah it's never going to work..

                If it fails to start completely there should be something in the logs saying why it didn't start.


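The check johnpoz describes above (does the resolver's socket list include the addresses clients actually send to?) can be scripted rather than eyeballed. The following is an added example, not code from the thread or from pfSense: it parses `netstat -anl` output as FreeBSD prints it (local address as `IP.PORT`, a 0.0.0.0 bind shown as `*.53`) and reports every expected interface IP that port 53 is not bound on. The two sample outputs are constructed, modelled on the loopback-only listing posted in the thread; the function names and the 192.168.1.x addresses are this example's own.

```shell
#!/bin/sh
# Added example (not from the thread): report which local addresses a resolver
# has bound on port 53, from `netstat -anl` output in FreeBSD's format.

# Constructed sample modelled on the output posted in the thread: unbound bound
# only to loopback, plus an unrelated ssh socket that must be ignored.
SAMPLE_LOOPBACK_ONLY='tcp4       0      0 127.0.0.1.53                                  *.*                                           LISTEN
udp4       0      0 127.0.0.1.53                                  *.*
tcp4       0      0 192.168.1.1.22                                *.*                                           LISTEN'

# Constructed sample for the "All" interfaces case: a wildcard (0.0.0.0) bind.
SAMPLE_WILDCARD='tcp4       0      0 *.53                                          *.*                                           LISTEN
udp4       0      0 *.53                                          *.*'

# dns_listeners NETSTAT_TEXT
# Print the unique IPv4 addresses bound on port 53 (tcp or udp), one per line.
# A wildcard bind is reported as "*".
dns_listeners() {
    printf '%s\n' "$1" | awk '
        $1 ~ /^(tcp|udp)4$/ {
            n = split($4, p, ".")
            if (n == 5 && p[5] == "53") {
                print p[1] "." p[2] "." p[3] "." p[4]
            } else if (n == 2 && p[1] == "*" && p[2] == "53") {
                print "*"
            }
        }' | sort -u
}

# missing_listeners NETSTAT_TEXT IP...
# Print each expected client-facing IP that the resolver is NOT bound on.
# Empty output means every address a client could use is covered.
missing_listeners() {
    listeners=$(dns_listeners "$1")
    shift
    # A wildcard bind covers every local address, so nothing can be missing.
    if printf '%s\n' "$listeners" | grep -qxF '*'; then
        return 0
    fi
    for ip in "$@"; do
        printf '%s\n' "$listeners" | grep -qxF "$ip" || echo "$ip"
    done
}

# Demo: with the loopback-only sample, a LAN client would never reach the
# resolver; the check names the LAN address it expected to find bound.
missing_listeners "$SAMPLE_LOOPBACK_ONLY" 127.0.0.1 192.168.1.1
```

On a live box the same check is `missing_listeners "$(netstat -anl)" 127.0.0.1 <LAN IP> <other listen IPs>`; non-empty output is exactly the state in the thread, where `unbound-control status` reports the daemon running but no client can reach it. IPv6 sockets (`tcp6`/`udp6`) are deliberately skipped here because FreeBSD prints those addresses with a `%scope` suffix that needs separate handling.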
                  Octopuss @johnpoz
                  last edited by Octopuss Jan 31, 2025, 10:19 PM Jan 31, 2025, 10:18 PM

                  @johnpoz said in Logging DNS queries:

                  @Octopuss what does your log say when you reboot and unbound isn't working? Is the service not running at all? ie it didn't start, or did it start and is just not bound to something? If it's running, let's see output of

                  [24.11-RELEASE][admin@sg4860.home.arpa]/root: unbound-control -c /var/unbound/unbound.conf status
                  version: 1.22.0
                  verbosity: 2
                  threads: 4
                  modules: 2 [ validator iterator ]
                  uptime: 20638 seconds
                  options: control(ssl)
                  unbound (pid 65878) is running...
                  

                  and this

                  [24.11-RELEASE][admin@sg4860.home.arpa]/root: netstat -anl | grep -w '53'
                  tcp4       0      0 127.0.0.1.53                                  *.*                                           LISTEN     
                  tcp4       0      0 192.168.7.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 192.168.4.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 192.168.6.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 192.168.2.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 192.168.110.253.53                            *.*                                           LISTEN     
                  tcp4       0      0 192.168.9.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 192.168.3.253.53                              *.*                                           LISTEN     
                  tcp4       0      0 10.1.1.253.53                                 *.*                                           LISTEN     
                  udp4       0      0 127.0.0.1.53                                  *.*                                           
                  udp4       0      0 192.168.7.253.53                              *.*                                           
                  udp4       0      0 192.168.4.253.53                              *.*                                           
                  udp4       0      0 192.168.6.253.53                              *.*                                           
                  udp4       0      0 192.168.2.253.53                              *.*                                           
                  udp4       0      0 192.168.110.253.53                            *.*                                           
                  udp4       0      0 192.168.9.253.53                              *.*                                           
                  udp4       0      0 192.168.3.253.53                              *.*                                           
                  udp4       0      0 10.1.1.253.53                                 *.*                                           
                  [24.11-RELEASE][admin@sg4860.home.arpa]/root: 
                  

                  That will show you what IPs it is listening on.. If you do not see it listening on anything - then yeah it's never going to work..

                  If it fails to start completely there should be something in the logs saying why it didn't start.

                  [2.7.2-RELEASE][admin@rozcestnik.lan]/root: unbound-control -c /var/unbound/unbound.conf status
                  version: 1.18.0
                  verbosity: 1
                  threads: 4
                  modules: 1 [ iterator ]
                  uptime: 69 seconds
                  options: control(ssl)
                  unbound (pid 333) is running...
                  
                  
                  [2.7.2-RELEASE][admin@rozcestnik.lan]/root: netstat -anl | grep -w '53'
                  tcp4       0      0 127.0.0.1.53                                  *.*                                           LISTEN
                  udp4       0      0 127.0.0.1.53                                  *.*
                  
                  
                    Octopuss @Uglybrian
                    last edited by Jan 31, 2025, 10:21 PM

                    @Uglybrian said in Logging DNS queries:

                    There are some great suggestions in this post to help minimize your DNS lookups with your ISP.

                    Honestly I don't care about that anymore. At most I am curious what kind of other clients they have, because any PC with enough tabs open and some online services running should generate plenty.

                      johnpoz LAYER 8 Global Moderator @Octopuss
                      last edited by Jan 31, 2025, 10:25 PM

                      @Octopuss well if it's only listening on loopback, that would explain why it's not working: your clients are talking to its LAN port, which it's not listening on.

                      Do you have say a VPN or something.. This is hardware, not a VM, right? You have it set to listen on what interface(s)? Just your LAN? For some reason your LAN is taking longer to come up than when unbound starts?

                      But yeah, that is clearly why it's not working.. unbound never sees your clients' queries because it's not listening on the LAN IP.


                        Octopuss @johnpoz
                        last edited by Octopuss Jan 31, 2025, 10:37 PM Jan 31, 2025, 10:33 PM

                        @johnpoz said in Logging DNS queries:

                        @Octopuss well if it's only listening on loopback, that would explain why it's not working: your clients are talking to its LAN port, which it's not listening on.

                        Do you have say a VPN or something.. This is hardware, not a VM, right? You have it set to listen on what interface(s)? Just your LAN? For some reason your LAN is taking longer to come up than when unbound starts?

                        But yeah, that is clearly why it's not working.. unbound never sees your clients' queries because it's not listening on the LAN IP.

                        I don't have any VPN.
                        And yes it's standalone hardware. I ran it virtualized for a few years until I realized what a horrible pain in the arse it was when something stopped working on the server, so in the end I said fuckit and bought one of those... what are they called, appliances? It's basically a micro PC of sorts.

                        And yes it also has localhost in the interfaces, because it throws an error when I try to remove it. It's somehow related to the forwarding mode option being checked.

                          johnpoz LAYER 8 Global Moderator @Octopuss
                          last edited by Feb 1, 2025, 3:18 AM

                          @Octopuss can you do a test and not have it listen on your wifi.. And just the lan.. And also try it with all selected. It's odd that it's not listening on any.. other than localhost..

                          But if you click to do dnssec it boots just fine and everything is up?


                            Octopuss @johnpoz
                            last edited by Octopuss Feb 1, 2025, 7:12 AM Feb 1, 2025, 7:08 AM

                            @johnpoz Like I already wrote, I cannot select just LAN. When I do that, I get this

                            @johnpoz said in Logging DNS queries:

                            But if you click to do dnssec it boots just fine and everything is up?

                            Yes, that's the only weird thing that happens when I disable DNSSEC.

                            The bottom line is I want to figure out why, not that it's a problem with any functionality (as far as I can tell). Everything works with it enabled, but you (I think) wrote I wasn't supposed to use it with forwarding mode for reasons I forgot, and I guess I want to do things properly since I don't know anything about all this.

                            Worst case when I don't figure it out and don't want to do a reinstall, I'll just use DNSSEC DNS servers from some regional internet organization or whatever they are: https://www.nic.cz/odvr/

                              Octopuss @johnpoz
                              last edited by Feb 1, 2025, 7:46 AM

                              @johnpoz So, if I select all in the network interfaces, it works right after boot.
                              If I select (seemingly) anything else, it just doesn't.
                              But then despite not having internet on my PC, DNS lookup on pfSense works
                              And ping as well!
                              But my PC has no internet.

                                johnpoz LAYER 8 Global Moderator @Octopuss
                                last edited by johnpoz Feb 1, 2025, 8:20 AM Feb 1, 2025, 8:10 AM

                                @Octopuss well if it is only listening on localhost for clients to talk to then yeah clients wouldn't be able to talk to it. But pfsense would be able to lookup stuff. And pinging an IP from client wouldn't need to lookup a name to know what to ping.

                                What is this setting?


                                What I mean is lan and localhost - my bad for not being specific.

                                For it to work, it has to be listening on an interface that clients can talk to.. What doesn't make any sense is what you show there is lan, wifi, wifi_sep and localhost.. So it should be listening on all of those - notice in mine it lists all the IPs of my different interfaces it's listening on.. If one of them wasn't coming up fast enough when unbound starts, why is it not listening on the others..

                                But if it comes up when you have it set to all - that option works too. I would set network to all, and set outgoing to only the localhost.

                                If you're set to all on network, you can turn off use dnssec and it works? I didn't try that in my 2.7.2.. I should have opened up the window when I posted the settings of my 2.7.2 - it is lan and localhost selected, not just lan.



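The two GUI settings being debated above, "Network Interfaces" (where unbound listens for clients) and "Outgoing Network Interfaces" (the source address it uses toward upstream servers), together with Uglybrian's earlier "minimum TTL for RR sets" tweak, map onto a handful of unbound.conf server directives. The fragment below is an added, hand-written illustration using unbound's own directive names; it is not pfSense's generated /var/unbound/unbound.conf, the 192.168.x.1 addresses are constructed, and that the GUI's "All" choice is rendered as the 0.0.0.0 and ::0 wildcards is an assumption to confirm against the generated file on the box.

```conf
server:
    # "Network Interfaces: All" (assumed rendering): wildcard binds, so the
    # resolver answers on every local address regardless of which interface
    # came up when. This is the combination that worked in the thread.
    interface: 0.0.0.0
    interface: ::0

    # Selecting specific interfaces instead pins the binds to their addresses
    # (constructed values). Compare these lines with what `netstat -anl | grep
    # -w '53'` actually shows: every address listed here should be bound.
    # interface: 127.0.0.1
    # interface: 192.168.1.1
    # interface: 192.168.2.1

    # "Outgoing Network Interfaces": source address for upstream queries.
    # Per johnpoz, localhost alone is viable because outbound NAT rewrites
    # the source to the WAN address on the way out.
    outgoing-interface: 127.0.0.1

    # Uglybrian's "minimum TTL for RR sets = 3600": cached answers are kept
    # at least an hour, cutting repeat lookups toward the upstream resolver.
    cache-min-ttl: 3600
```

The practical use is to diff the `interface:` lines of the generated config against the sockets netstat reports: a daemon that `unbound-control status` shows as running, but whose bound sockets are a subset of its configured interfaces, is the symptom this thread is chasing.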
                                  Octopuss @johnpoz
                                  last edited by Octopuss Feb 1, 2025, 8:21 AM Feb 1, 2025, 8:20 AM

                                  @johnpoz said in Logging DNS queries:

                                  @Octopuss well if it is only listening on localhost for clients to talk to then yeah clients wouldn't be able to talk to it. But pfsense would be able to lookup stuff. And pinging an IP from client wouldn't need to lookup a name to know what to ping.

                                  What is this setting?

                                  What I mean is lan and localhost - my bad for not being specific.

                                  For it to work, it has to be listening on an interface that clients can talk to.. What doesn't make any sense is what you show there is lan, wifi, wifi_sep and localhost.. So it should be listening on all of those - notice in mine it lists all the IPs of my different interfaces it's listening on.. If one of them wasn't coming up fast enough when unbound starts, why is it not listening on the others..

                                  But if it comes up when you have it set to all - that option works too. I would set network to all, and set outgoing to only the localhost.

                                  If you're set to all on network, you can turn off use dnssec and it works? I didn't try that in my 2.7.2.. I should have opened up the window when I posted the settings of my 2.7.2 - it is lan and localhost selected, not just lan.

                                  I have that set to default, that is local, fall back to remote. I presume this is conceptually better since it will use cached entries when it can instead of always asking remote servers?

                                  I would set network to all, and set outgoing to only the localhost.

                                  What do you mean? I thought outgoing must be WAN, otherwise
                                  there would be no internet?

                                  @johnpoz said in Logging DNS queries:

                                  If your set to all on network, you can turn off use dnssec and it works?

                                  Yes.

                                    johnpoz LAYER 8 Global Moderator @Octopuss
                                    last edited by johnpoz Feb 1, 2025, 8:22 AM Feb 1, 2025, 8:21 AM

                                    @Octopuss so these settings are my 2.7.2 I just rebooted it and working fine comes up right away..


                                    That 192.168.3.253 is my real pfsense upstream of the vm, so that would be like your isp dns.

                                    edit:
                                    No, outbound can just be localhost, because it would NAT to your WAN when it tries to talk to something out on the internet.. This setting can help when your internet side takes a bit longer to come up.


                                      Octopuss @johnpoz
                                      last edited by Octopuss Feb 1, 2025, 8:31 AM Feb 1, 2025, 8:27 AM

                                      @johnpoz I have accidentally set outgoing to WAN and localhost instead of just localhost and it still didn't work, lol.

                                      edit: Just localhost like you suggested doesn't work either.
                                      The only thing that works with DNSSEC disabled is setting interfaces to all.

                                        johnpoz LAYER 8 Global Moderator @Octopuss
                                        last edited by johnpoz Feb 1, 2025, 8:39 AM Feb 1, 2025, 8:31 AM

                                        @Octopuss really odd.

                                        But if you set to all on network and either just all or wan on outbound it works?

                                        edit: if network is set to all and it works, or both are set to all - that is a viable setup. And what it is out of the box. So if that works, and you can turn off dnssec, then there's no need to reinstall, that is for sure.

                                        edit2: btw I just connected to my screen copy of dnstop I am running on my wan interface.. So still have about 8 hours til 24 hours.. And currently showing a hair under 11k total outbound queries from the box..

                                        Your isp saying you're too high with 16k in a day is just nuts. Maybe all his other users have 1 pc and turn it off when they are not using it? ;)


                                          Octopuss @johnpoz
                                          last edited by Octopuss Feb 1, 2025, 8:38 AM Feb 1, 2025, 8:36 AM

                                          @johnpoz Network on all and outgoing on WAN works.

                                          I'm just curious why it is acting like that. I know for a fact I didn't enable DNSSEC in the past and the settings were otherwise the same.
