DNS Resolver not working
-
Dear All,
DNS Resolver was working fine on a single subnet, but as soon as I created a VLAN under LAN it is not working, and due to this some of the mobile apps are not working properly. Can anybody with sound knowledge resolve and fix it?




-
Check if unbound listens on all your interfaces:
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: sockstat | grep 'unbound'
unbound  unbound  64723 3  udp6  *:53  *:*
unbound  unbound  64723 4  tcp6  *:53  *:*
unbound  unbound  64723 5  udp4  *:53  *:*
unbound  unbound  64723 6  tcp4  *:53  *:*
....which means: all interfaces, UDP and TCP, port 53.
Also: the default LAN interface has two firewall rules to allow DNS traffic to enter.
For all other interfaces you create afterwards, did you add firewall rule(s) that allow DNS traffic?
Also, on a device connected to any of these (V)LANs: did the DHCP lease contain a DNS (= typically the pfSense IPv4 (and IPv6) of that interface)?
Did you set up a DHCPv4 (and DHCPv6) server for all these interfaces? If not, devices can't get a lease = can't get an IP, gateway, DNS etc.
Before you ask : (incoming) DHCP traffic is always allowed by 'hidden' pfSense firewall rules.
This :

Hummm. That list can't be empty.
I've got thousands of entries in that list.
Did you transform the Resolver into a 'dumb' forwarder? (so, technically, unbound doesn't do any resolving anymore, it just forwards to wherever you want to send your DNS traffic to = 8.8.8.8 etc)
-
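The sockstat check in the reply above can be turned into a small script: parse the `sockstat` lines, then compare the resolver's bound addresses against the list of pfSense interface IPs (one per LAN/VLAN) and report any interface on which unbound is not reachable on port 53. This is an added example written for this thread, not code from the forum, pfSense or Netgate; the two sockstat samples are constructed in the shape of the output quoted above, and the interface list is a placeholder you replace with your own.

```python
"""Check which firewall interface addresses the Unbound resolver listens on,
from `sockstat` output. Added example for this thread; not pfSense code."""
from ipaddress import ip_address

# Constructed sample: wildcard binds, as in the output quoted in the thread
# (this is what "all interfaces, UDP and TCP, port 53" looks like).
SOCKSTAT_ALL = """\
unbound  unbound  64723 3  udp6  *:53  *:*
unbound  unbound  64723 4  tcp6  *:53  *:*
unbound  unbound  64723 5  udp4  *:53  *:*
unbound  unbound  64723 6  tcp4  *:53  *:*
"""

# Constructed sample: resolver bound only to localhost and the first LAN,
# i.e. the interface selection in the resolver settings was narrowed down.
SOCKSTAT_LAN_ONLY = """\
unbound  unbound  64723 3  udp4  127.0.0.1:53    *:*
unbound  unbound  64723 4  tcp4  127.0.0.1:53    *:*
unbound  unbound  64723 5  udp4  192.168.1.1:53  *:*
unbound  unbound  64723 6  tcp4  192.168.1.1:53  *:*
"""

# Placeholder list of the firewall's internal interface addresses (assumed).
IFACE_IPS = ["127.0.0.1", "192.168.1.1", "192.168.2.1", "192.168.3.1"]


def parse_sockstat(text, command="unbound", port=53):
    """Return (proto, local_addr) for every socket of `command` bound to `port`.
    local_addr is '*' for a wildcard bind. Lines that are not sockstat rows
    (prompt, header) are skipped."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6 or fields[1] != command:
            continue
        proto, local = fields[4], fields[5]
        # IPv6 literals contain ':' themselves, so split on the last colon.
        addr, _, lport = local.rpartition(":")
        if lport == str(port):
            listeners.append((proto, addr))
    return listeners


def unserved_interfaces(listeners, interface_ips):
    """Interface IPs on which no UDP *and* TCP listener exists for that
    address family. A wildcard bind covers every address of its family."""
    missing = []
    for ip in interface_ips:
        version = ip_address(ip).version
        served = all(
            any(p == f"{proto}{version}" and addr in ("*", ip) for p, addr in listeners)
            for proto in ("udp", "tcp")
        )
        if not served:
            missing.append(ip)
    return missing


if __name__ == "__main__":
    for name, sample in (("all", SOCKSTAT_ALL), ("lan-only", SOCKSTAT_LAN_ONLY)):
        gaps = unserved_interfaces(parse_sockstat(sample), IFACE_IPS)
        print(f"{name}: " + ("ok, every interface served" if not gaps else f"not served: {gaps}"))
```

On a live box, feed it the real output (`sockstat -l | grep unbound`) and your own interface list; any address it reports is a VLAN whose clients cannot reach the resolver regardless of firewall rules.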
1- DNS traffic allowed
2- DHCPv4 allowed while DHCPv6 is disabled
3- Connected users getting the DNS
4- Did the same settings in another pfSense where there's only a single subnet and DNS Resolver is working fine
5- I did almost every setting, but with multiple VLANs the DNS Resolver is not working
-
@ayansaari said in DNS Resolver not working:
1- DNS traffic allowed
2- DHCPv4 allowed while DHCPv6 is disabled
3- Connected users getting the DNS
and what rules did you put on the specific VLAN interfaces? The default LAN has an any any rule by default, but when you create a new interface or VLAN there would be no rules. DHCP would be allowed because when you enable the DHCP server on an interface/VLAN, hidden rules are put into place to make sure DHCP works.
Are you pointing your clients to the pfSense address on the interface/VLAN, or are you pointing them to something else, like Google?
If you're pointing to the pfSense address on the interface, which is the pfSense default, when you do a simple nslookup you should get the name of the IP you're talking to.. example
C:\>nslookup
Default Server:  pi.hole
Address:  192.168.3.10

> server 192.168.9.253
Default Server:  sg4860.home.arpa
Address:  192.168.9.253
If you do not get the name back, then yeah, something is wrong. Is it unknown? Do you get a timeout?
> server 192.168.9.41
DNS request timed out.
    timeout was 2 seconds.
Default Server:  [192.168.9.41]
Address:  192.168.9.41
-
This one is not checked :

right ?
This is one of my extra LAN :

Can you show one of yours ?
On pfSense, my internal interface are :
127.0.0.1
192.168.1.1
192.168.2.1
192.168.3.1
192.18.100.1
(and WAN is 192.168.10.4)
On pfSense, you can test the accessibility of DNS for every interface (except WAN? because blocked) like this:
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @127.0.0.1 google.com +short
216.239.38.120
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.1.1 google.com +short
216.239.38.120
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.2.1 google.com +short
216.239.38.120
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.3.1 google.com +short
216.239.38.120
[25.07.1-RELEASE][root@pfSense.bhf.tld]/root: dig @192.168.100.1 google.com +short
216.239.38.120
This proves that unbound (resolver) listens on all my 'internal' pfSense interfaces.
On the network device side of things, on any LAN or VLAN, hook up whatever device (I chose a Windows PC) and ask this question:
ipconfig /all
All the info is there:
Suffixe DNS propre à la connexion. . . : bhf.tld
Description. . . . . . . . . . . . . . : Intel(R) Ethernet Connection (11) I219-LM
Adresse physique . . . . . . . . . . . : A4-BB-6D-FE-16-A1
DHCP activé. . . . . . . . . . . . . . : Oui
Configuration automatique activée. . . : Oui
Adresse IPv6. . . . . . . . . . . . . .: 2a01:dead:beef:a6e2::c7(préféré)
Bail obtenu. . . . . . . . . . . . . . : mercredi 12 novembre 2025 07:18:35
Bail expirant. . . . . . . . . . . . . : mercredi 12 novembre 2025 08:28:31
Adresse IPv6 de liaison locale. . . . .: fe80::a6bb:6dff:feba:16a1%5(préféré)
Adresse IPv4. . . . . . . . . . . . . .: 192.168.1.6(préféré)
Masque de sous-réseau. . . . . . . . . : 255.255.255.0
Bail obtenu. . . . . . . . . . . . . . : mercredi 12 novembre 2025 07:18:34
Bail expirant. . . . . . . . . . . . . : mercredi 12 novembre 2025 13:18:34
Passerelle par défaut. . . . . . . . . : fe80::92ec:77ff:fe29:392c%5
                                         192.168.1.1
Serveur DHCP . . . . . . . . . . . . . : 192.168.1.1
IAID DHCPv6 . . . . . . . . . . . : 161790829
DUID de client DHCPv6. . . . . . . . : 00-01-00-01-26-59-DF-8D-A4-BB-6D-FE-16-A1
** Serveurs DNS. . . . . . . . . . . . . : 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c
** 192.168.1.1
NetBIOS sur Tcpip. . . . . . . . . . . : Activé
Liste de recherche de suffixes DNS propres à la connexion : bhf.tld
The obtained DNS IPs, I marked them with **
and also the gateways (same IPs btw, and both IPv4 and IPv6 are the pfSense LAN interface IP).
DHCP is active for IPv4 and IPv6 and both have an active lease.
Btw: for some reason my PC uses the French language.
So
Bail = lease
Passerelle = gateway
-
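The `ipconfig /all` check above can also be scripted: parse the label/value lines (including the indented continuation line Windows uses for a second gateway or DNS server) and verify that every DNS server in the lease is one of the firewall's own interface addresses, which is what the default pfSense DHCP setup hands out. This is an added example for this thread, not code from the forum, pfSense or Microsoft; the two samples are constructed from the output quoted above (one healthy lease, one where the lease points clients at 8.8.8.8 instead), the English label "DNS Servers" is an assumption for non-French machines, and the firewall address list is a placeholder.

```python
"""Parse `ipconfig /all` output and check that the DHCP lease gave the client
the firewall's own interface address as DNS server. Added example for this
thread; not code from pfSense, Netgate or Microsoft."""
import re
from ipaddress import ip_address

# 'Label . . . : value'; the dot leader and the colon separate label from value.
LABEL_RE = re.compile(r"^\s*(.+?)[ .]*:\s*(.*?)\s*$")

# French label from the thread plus the English one (assumed) for other locales.
DNS_LABELS = ("Serveurs DNS", "DNS Servers")

# Placeholder: the pfSense LAN interface addresses (IPv4 and IPv6), assumed.
PFSENSE_LAN_IPS = ["192.168.1.1", "2a01:dead:beef:a6e2:92ec:77ff:fe29:392c"]

# Constructed sample built from the lease quoted in the thread (healthy case).
SAMPLE_LEASE_OK = """\
Carte Ethernet Ethernet :

   Suffixe DNS propre à la connexion. . . : bhf.tld
   DHCP activé. . . . . . . . . . . . . . : Oui
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.1.6(préféré)
   Masque de sous-réseau. . . . . . . . . : 255.255.255.0
   Passerelle par défaut. . . . . . . . . : fe80::92ec:77ff:fe29:392c%5
                                            192.168.1.1
   Serveur DHCP . . . . . . . . . . . . . : 192.168.1.1
   Serveurs DNS. . . . . . . . . . . . . : 2a01:dead:beef:a6e2:92ec:77ff:fe29:392c
                                            192.168.1.1
   NetBIOS sur Tcpip. . . . . . . . . . . : Activé
"""

# Constructed sample: same client, but the DHCP server hands out a public resolver.
SAMPLE_LEASE_FOREIGN = """\
   Adresse IPv4. . . . . . . . . . . . . .: 192.168.2.6(préféré)
   Passerelle par défaut. . . . . . . . . : 192.168.2.1
   Serveurs DNS. . . . . . . . . . . . . : 8.8.8.8
"""


def _is_ip(text):
    try:
        ip_address(text)
        return True
    except ValueError:
        return False


def parse_ipconfig(text):
    """Map each label to the list of its values. A line that is only an
    address continues the previous label (that is how ipconfig prints the
    second gateway or DNS server)."""
    fields, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if current is not None and _is_ip(line):
            fields[current].append(line)
            continue
        m = LABEL_RE.match(raw)
        if not m:
            continue
        current, value = m.group(1), m.group(2)
        fields.setdefault(current, [])
        if value:
            fields[current].append(value)
    return fields


def lease_dns_servers(fields):
    """DNS servers from the lease, whichever locale's label is present."""
    for label in DNS_LABELS:
        if label in fields:
            return fields[label]
    return []


def foreign_dns(fields, firewall_ips):
    """DNS servers in the lease that are not a firewall interface address."""
    allowed = {ip_address(ip) for ip in firewall_ips}
    return [s for s in lease_dns_servers(fields) if ip_address(s) not in allowed]


if __name__ == "__main__":
    for name, sample in (("ok", SAMPLE_LEASE_OK), ("foreign", SAMPLE_LEASE_FOREIGN)):
        bad = foreign_dns(parse_ipconfig(sample), PFSENSE_LAN_IPS)
        print(f"{name}: " + ("lease DNS is the firewall" if not bad else f"lease DNS elsewhere: {bad}"))
```

If the script flags an address, the VLAN's DHCP server is handing out a DNS server other than the pfSense interface, and the resolver (and its firewall rules) are not even being consulted by those clients.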
@ayansaari Check your ACL configuration to see what IP Ranges are allowed to use the resolver service
