DNS-PING No Response, IP OK

bsmither

I've been reading the books, the wiki, the forums, and do not yet have a solution. As such, I do not know what the real question is to ask (I don't know what I don't know). So please ask for what you need to see.

In a browser, I can http://(actual IP of amazon.com) and it works. This is important! Browsing by IP works. But http://www.amazon.com complains of a DNS non-response. I can't ping that address either.

Services: DNS Forwarder

Enable DNS Forwarder

Nothing else checked. I also have a number of records that override the results of the forwarders.

System: General Setup
DNS Server 68.87.85.98 None (or WAN - didn't make a difference)
DNS Server 68.87.69.146 None

Anything else I should be looking at in particular? I've been verifying and reverifying all settings according to what is advised in the books and wiki.

wallabybob

Why are you using 68.87.85.98 as a name server? When I try it I get "connection refused":```

$ dig www.amazon.com @68.87.85.98

; <<>> DiG 9.7.0-P1 <<>> www.amazon.com @68.87.85.98
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 25329
;; flags: qr rd ra; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; Query time: 232 msec
;; SERVER: 68.87.85.98#53(68.87.85.98)
;; WHEN: Tue Nov 22 07:57:48 2011
;; MSG SIZE  rcvd: 12

$ dig www.amazon.com @8.8.8.8

; <<>> DiG 9.7.0-P1 <<>> www.amazon.com @8.8.8.8
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 2824
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.amazon.com. IN A

;; ANSWER SECTION:
www.amazon.com. 59 IN A 72.21.214.128

;; Query time: 208 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Tue Nov 22 08:01:59 2011
;; MSG SIZE  rcvd: 48

$

bsmither

"Why are you using…?"

Because that's what the Comcast Gateway Router (CGR, an SMC model) gateway status page has on it. And these numbers have worked since I got the service.

"When I try it I get "connection refused": "

I got a response from pfSense that said (in DNS protocol-speak, as paraphrased by WireShark) "Standard Query Response, Refused". At this time, I was also packet capturing on the WAN and saw no packets on port 53. So I was/am blaming pfSense.

I gave up after working on this for a number of hours and reset all the network topology back to the way it was before I started. All was working fine.

However, earlier today the SMC's DNS service crashed. A laptop (DNS Server is the SMC gateway) connected directly to the SMC got no DNS service at all. Comcast had to hard reboot the SMC. They did try 75.75.75.75 and that didn't work. So they reloaded the SMC with the DNS numbers mentioned earlier and it now works. Comcast seems to think my area needs these numbers even though they said these numbers were "retired".

But I will try again to get the pfSense to have my public static IP on the WAN.

Would there be anything I should look for that would prevent port 53 packets from appearing on the WAN?

bsmither

Another attempt: same results.

SMC(70.x.y.50)<==>WAN(70.x.y.49/30)[pfSense]LAN(10.1.10.5/24)<==>(DHCP)LAPTOP
70.x.y.49 is my first (and only) public static IP address. I've been told the SMC gateway is 70.x.y.50.

On the laptop, PING 72.21.194.1 gets no response. NSLOOKUP amazon.com gets no response. Web browsing by IP (http://72.21.194.1) works.

On the pfSense box, Diagnostics: DNS Lookup amazon.com = 72.21.194.1 (and others). Resolution time per server: 68.87.85.98-13ms, 68.87.69.146-50ms (127.0.0.1-no response so I shut it off in System: General Setup). Diagnostics: Ping WAN google.com succeeds.

System: General Setup DNS Servers: 68.87.85.98 WAN, 68.87.69.146 WAN. (These DNS Servers exist and are functional.)

DNS Forwarder enabled. DHCP Server enabled. Firewall Rule LAN any->any logged. (It's interesting that the Status: System logs seem to not be logging anything - not even the DHCP lease issued an hour earlier.)

pfSense Packet Capture on WAN shows no DNS traffic when nslookup executed on laptop.
pfSense Packet Capture on LAN shows numerous DNS traffic but only queries, no replies.

Port 53 traffic is not crossing the LAN to WAN boundary. Why not?

Edit: Maybe amazon.com does not reply to pings. Issuing a PING test from the SMC (Comcast Gateway Device) to 72.21.194.1 didn't work, but a ping test to 173.194.64.103 did work. So, back on the laptop, a PING to 173.194.64.103 succeeded. However, NSLOOKUP google.com still failed.

wallabybob

@bsmither:

System: General Setup DNS Servers: 68.87.85.98 WAN, 68.87.69.146 WAN. (These DNS Servers exist and are functional.)

They don't seem functional to you. What is your evidence they are functional?

@bsmither:

DNS Forwarder enabled. DHCP Server enabled. Firewall Rule LAN any->any logged. (It's interesting that the Status: System logs seem to not be logging anything - not even the DHCP lease issued an hour earlier.)

It is often necessary to reset firewall states after rule changes. See Diagnostics -> States, click on Reset States tab.

@bsmither:

pfSense Packet Capture on WAN shows no DNS traffic when nslookup executed on laptop.
pfSense Packet Capture on LAN shows numerous DNS traffic but only queries, no replies.

Port 53 traffic is not crossing the LAN to WAN boundary. Why not?

DNS forwarder is still running and active? (maybe it died or its wedged.) What does pfSense shell command ps ax | grep dnsmasq show?

Your routing table is messed up? What does pfSense shell command netstat -rn show?

What is the IP address of the DNS your laptop is using?

bsmither

@wallabybob:

They don't seem functional to you. What is your evidence they are functional?

All other computers connected directly to the SMC(10.1.10.1/24) work. And before I started playing around with pfSense, it all worked.

It is often necessary to reset firewall states after rule changes. See Diagnostics -> States, click on Reset States tab.

I heard about that. Diagnostics: Reset state executed.

Back to the LAPTOP: NSLOOKUP google.com timeout.

What does pfSense shell command ps ax | grep dnsmasq show?

Diagnostics: Execute command results
$ ps ax | grep dnsmasq
36245 ?? S 0:00.01 sh -c ps ax | grep dnsmasq
36729 ?? R 0:00.01 grep dnsmasq
44710 ?? S 147:22.02 /usr/local/sbin/dnsmasq –local-ttl 1 --all-servers -

Your routing table is messed up? What does pfSense shell command netstat -rn show?

Diagnostics: Execute command results
$ netstat -rn
Routing tables
default | 70.x.y.50 | UGS | 0 | 401 | xl0
10.1.10.0/24 | link#1 | U | 0 | 12407 | fxp0
10.1.10.5 | link#1 | UHS | 0 | 0 | lo0
68.87.69.146 | 70.x.y.50 | UGHS | 0 | 5 | xl0
68.87.85.98 | 70.x.y.50 | UGHS | 0 | 35 | xl0
70.x.y.48/30 | link#3 | U | 0 | 9988 | xl0
70.x.y.49 | link#3 | UHS | 0 | 0 | lo0
127.0.0.1 | link#4 | UH | 0 | 3628 | lo0

(link#2 is OPT1 and edited from this list)

What is the IP address of the DNS your laptop is using?

ipconfig /all shows DNS Servers 10.1.10.5 (DHCP assigned)

Your assistance is very much appreciated.