DNS query fails when it failovers

eeebbune

Hello Professionals,

My PFsense has two ISPs, and those are failover when Primary ISP down.
Users are having local DNS server's IP address(10.100.18.18) and it works well from Primary ISP connection, but it goes to Secondary ISP, it fails.

I think my firewall can't send/receive of public queries when it pass Secondary ISP. When it flows over Secondary ISP, when I tried 'nslookup google.com' from firewall, I got :

nslookup cnn.com
;; Got SERVFAIL reply from 127.0.0.1, trying next server
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused
;; communications error to ::1#53: connection refused

my local DNS server is pointing the firewall for web filtering (pfBlocker)

When I changed PC's DNS from local to Google, I am able to reach internet over Secondary ISP.
Only outside queries can't be resolved, which means ping/traceroute are okay (routing/firewalling are okay).

Which part should I look carefully?

Thank you for your comments.

SteveITS

@eeebbune is pfSense’s DNS server set to forward? If do, to where?

eeebbune

@SteveITS Hello!

We do not use DNS forwarder from firewall, but we do DNS resolver.
Interface for Secondary ISP connection has been selected, and here's other configurations.

I have checked pfBlocker configs, but couldn't find specific settings related DNS..

Thank you for your time.

SteveITS

@eeebbune Forwarding mode is enabled there. If you have also used your DNS server's IP as your gateway monitoring IP, pfSense will create a static router for the gateway monitoring IP. Try failover with forwarding mode disabled, or use a non-DNS server as your gateway monitoring IP.

eeebbune

@SteveITS

Gateway of WAN1 (Primary), WAN2 (Secondary) are seeing different IP address such as Google DNS.

I am wondering if you could also check my 'Gateway Monitoring' configs from Advanced-Miscellaneous.

If my local DNS keep states, it may explain my issue.
Hopefully changing 'State killing on Gateway Failure' to be 'Kill states for all gateways which are down' could resolve my problem and make failover smoothly.

Is there other features I need to make change from the screen shot?

Thank you very much.

SteveITS

pfSense will create a static router for the gateway monitoring IP

@eeebbune said in DNS query fails when it failovers:

Gateway of WAN1 (Primary), WAN2 (Secondary) are seeing different IP address such as Google DNS.

If you have, for example, set 8.8.8.8 as the gateway monitoring on WAN1, it will not be reachable if WAN1 is down. Try a different monitoring IP or forward DNS to a different DNS server.

my 'Gateway Monitoring' configs
Those are the defaults so normally fine.

eeebbune

@SteveITS

I’m afraid I don’t fully understand the point. Should I interpret gateway monitoring as the address used to detect whether a line is down? For instance, if WAN1 cannot reach 8.8.8.8, the firewall would recognize that the line is down and fail over to WAN2.

I’m not entirely clear on why you suggested changing the monitoring address. Would you kindly explain once more why this adjustment is necessary?

Thank you very much for your time and guidance.

SteveITS

@eeebbune System > Routing > Gateways has a column for Monitoring IP. It defaults to the WAN gateway. If you change it to another IP like 8.8.8.8 then a static route is created for 8.8.8.8 to only use that WAN. (see Diagnostics > Routes)

If that WAN is down then you can't get to 8.8.8.8. Because if pfSense could get to it, then it wouldn't know that WAN as down.