Netgate Discussion Forum
    DNS resolve problem

    DHCP and DNS
    8 Posts 3 Posters 3.3k Views

    qwertz

      I have a problem with resolving DNS records:

      When clients try to browse to a website the IP address cannot be resolved in 50% of the requests.
      Sometimes it works when reloading the page a few times, sometimes it works after a few hours, some names don't get resolved ever.

      My setup is:

      Outer pfsense doing multiwan DSL, failover for https, load balancing for http. DNS is enabled, no DHCP running, NTP running, Zabbix agent running and working.
      Inner pfsense is two machines configured redundantly via CARP. (I have the outer one because with CARP I cannot do DSL on WAN side)
      DHCP server and DNS running. DNS servers are (on each) localhost, the outer pfsense router plus two public servers from Telekom.
      No special DNS server set in DHCP, clients get the real interface IP of the inner pfsense routers.
      Internal name resolving seems to work fine.

      Does anyone have an idea about this problem?

      johnpoz LAYER 8 Global Moderator

        So you have this

        So are your internal pfsense doing nat, along with your outer 1?

        So you have your inner pfsense asking outer pfsense for dns - who then asks who? And your inners are asking Telekom ns as well? Do you have your pfsense ask all dns at once or just in order?

        Seems kind of pointless to have inner ask outer pfsense for dns, if they are also asking Telekom name servers?

        I would suggest you pick a site that does not resolve and troubleshoot resolving it from an actual query vs refreshing a browser that gives you no info to work with.

        simple nslookup or dig on the clients with either debug or +trace will give you loads of info.

        Then move up your tree to see where you're failing. I would also suggest you simplify what name servers your clients should use. I don't see much point in inner pfsense asking outer pfsense if they are also asking external name servers at the same time, etc.

        Either let inner ask who you want to use on the public side for dns, or just have them forward to your outer and let him ask.

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 25.07.1 | Lab VMs 2.8.1, 25.07.1

        qwertz

          @johnpoz:

          So are your internal pfsense doing nat, along with your outer 1?

          Yes, both are doing nat: the inner ones are the ones I originally planned, the outer I had to add because of CARP+PPPoE impossible. So on the outer one nat could be disabled.

          So you have your inner pfsense asking outer pfsense for dns - who then asks who? And your inners are asking Telekom ns as well? Do you have your pfsense ask all dns at once or just in order?

          Seems kind of pointless to have inner ask outer pfsense for dns, if they are also asking Telekom name servers?

          You are right. Changed this: inner now only ask Telekom, not the outer pf. Clients ask master virtual IP now, tried before to have them ask both inner ones.
          No change, same behaviour.

          I would suggest you pick a site that does not resolve and troubleshoot resolving it from an actual query vs refreshing a browser that gives you no info to work with.

          simple nslookup or dig on the clients with either debug or +trace will give you loads of info.

          Then move up your tree to see where you're failing. I would also suggest you simplify what name servers your clients should use. I don't see much point in inner pfsense asking outer pfsense if they are also asking external name servers at the same time, etc.

          Either let inner ask who you want to use on the public side for dns, or just have them forward to your outer and let him ask.

          I did some dns resolves from the built-in tool: the inner backup pf fails many times, but is currently not considered by clients. The inner master pf is fine for 95% of dns requests.
          The outer one also sometimes fails and I have to resolve a name multiple times to get it resolved - but the outer dns is currently no longer in the chain.
          Then I did some packet captures inside, between the firewalls and outside.

          Is it normal that clients extend a query for e.g. www.atmel.com to www.atmel.com.mydomain.de given my domain is mydomain.de?

          doktornotor Banned

            @qwertz:

            Is it normal that clients extend a query for e.g. www.atmel.com to www.atmel.com.mydomain.de given my domain is mydomain.de?

            Errr… suggests your DNS records are missing a trailing .

            qwertz

              @doktornotor:

              Errr… suggests your DNS records are missing a trailing .

              I am using the DNS forwarder, not the tinydns plugin, and have only four static dhcp entries.
              Clients have not changed; I used to have an Endian fw before, also using dnsmasq.
              So what should I change?

              qwertz

                Just saw that most packets sent to the inner pfs have a bad checksum on the header.
                WAN side of outer pf everything is fine,
                all packets from inner pfs to outer are fine,
                massive packets from outer to inner are bad …

                Explains why there is not really a scheme and happens unpredictably.

                qwertz

                  Seems "Disable hardware checksum offload" in Advanced settings was my friend.
                  The outer pf has a Realtek GB chipset on the LAN side.
                  So far it seems to work fine.

                  Thx for replies.

                  johnpoz LAYER 8 Global Moderator
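The bad header checksums qwertz found can be confirmed from a capture rather than inferred. The following Python is added here and is not code from the thread or from pfSense: it verifies the IPv4 header checksum of raw packets and separates the two cases a practitioner has to tell apart, a checksum field that was never filled in (what a capture taken on the sending host typically shows when hardware checksum offload leaves the work to the NIC) and a header that arrived corrupted. The sample header is constructed.

```python
import struct

def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum as used by the IPv4 header checksum (RFC 791)."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return total

def ipv4_header_checksum(header: bytes) -> int:
    """Checksum the sender should have written: computed with the checksum field zeroed."""
    zeroed = header[:10] + b"\x00\x00" + header[12:]
    return (~ones_complement_sum(zeroed)) & 0xFFFF

def verify_ipv4_header(packet: bytes) -> dict:
    """Parse the IPv4 header at the start of a raw packet and check its checksum.

    'unset' marks a zero checksum field: on a capture taken on the sending host with
    checksum offload enabled this is normal, because the NIC fills the field in after
    the capture point. A non-zero mismatch seen on the receiving side is real corruption.
    """
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    header = packet[:ihl]
    stored = struct.unpack("!H", header[10:12])[0]
    expected = ipv4_header_checksum(header)
    return {
        "src": ".".join(map(str, header[12:16])),
        "dst": ".".join(map(str, header[16:20])),
        "stored": stored,
        "expected": expected,
        "ok": stored == expected,
        "unset": stored == 0,
    }

def bad_checksum_ratio(packets) -> float:
    """Share of packets with a wrong header checksum, ignoring unset (offload) ones."""
    counted = [r for r in map(verify_ipv4_header, packets) if not r["unset"]]
    return 0.0 if not counted else sum(not r["ok"] for r in counted) / len(counted)

# Constructed sample: 20-byte header 192.168.0.1 -> 192.168.0.199, UDP, correct checksum 0xb861.
GOOD_HEADER = bytes.fromhex("45000073000040004011b861c0a80001c0a800c7")
# Same header with one destination octet flipped, as corruption on the wire would look.
CORRUPT_HEADER = GOOD_HEADER[:19] + bytes([GOOD_HEADER[19] ^ 0x01])
# Same header as captured on the sender before the NIC fills in the checksum.
UNSET_HEADER = GOOD_HEADER[:10] + b"\x00\x00" + GOOD_HEADER[12:]

if __name__ == "__main__":
    for label, pkt in [("good", GOOD_HEADER), ("corrupt", CORRUPT_HEADER), ("unset", UNSET_HEADER)]:
        print(label, verify_ipv4_header(pkt))
    print("bad ratio:", bad_checksum_ratio([GOOD_HEADER, CORRUPT_HEADER, UNSET_HEADER]))
```

Feed it the IPv4 bytes of packets captured on the receiving pfSense (after the Ethernet header) to get the failure share per direction, which is what separates a NIC offload bug from ordinary packet loss.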

                    "Is it normal that clients extend a query for e.g. www.atmel.com to www.atmel.com.mydomain.de given my domain is mydomain.de?"

                    Yup – it's suffix search, it can be your friend but to be honest it can cause unwanted queries. If you don't like your clients doing it -- you might want to turn it off on the clients. It's only really helpful when you're trying to do a dns query via only host name, your local domain gets added for you automatically, etc.

                    Glad you got it sorted, so not a dns issue but network problem.

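Added example, not from the thread: a small Python model of the suffix search johnpoz describes. It lists the names a stub resolver tries for a given input and search list (the ndots rule decides whether the name is tried as typed first) and then walks that list against a constructed answer table. When the reply for www.atmel.com is lost, the next query on the wire is www.atmel.com.mydomain.de, the pattern qwertz captured; that fall-through query also tells whichever upstream server sees it what the internal domain is called. The exact retry policy differs between resolver implementations; this is the common shape.

```python
def candidate_names(name: str, search_domains, ndots: int = 1) -> list:
    """Names a stub resolver tries for `name`, in order, as absolute FQDNs.

    A trailing dot means "absolute, never append a suffix". Otherwise a name with at
    least `ndots` dots is tried as typed first and the search list only afterwards; a
    shorter name (a bare host name) gets the search list first. This mirrors the
    ndots/search logic of resolv.conf-style resolvers; Windows suffix search is similar.
    """
    if name.endswith("."):
        return [name]
    as_typed = name + "."
    suffixed = [f"{name}.{domain.strip('.')}." for domain in search_domains]
    if name.count(".") >= ndots:
        return [as_typed] + suffixed
    return suffixed + [as_typed]

def resolve_with_search(name: str, search_domains, responses: dict, ndots: int = 1):
    """Walk the candidates until one gets an answer. Returns (answer, queries_sent).

    `responses` stands in for the name server: fqdn -> address for names that answer;
    a missing key models NXDOMAIN or a lost reply, after which the next suffix is tried.
    """
    queries = []
    for fqdn in candidate_names(name, search_domains, ndots):
        queries.append(fqdn)
        if fqdn in responses:
            return responses[fqdn], queries
    return None, queries

# Constructed answer table standing in for a healthy resolver (documentation address ranges).
HEALTHY = {"www.atmel.com.": "198.51.100.10", "nas.mydomain.de.": "192.0.2.20"}

if __name__ == "__main__":
    search = ["mydomain.de"]
    print(resolve_with_search("www.atmel.com", search, HEALTHY))   # one query, answered
    print(resolve_with_search("nas", search, HEALTHY))             # bare host: suffix added first
    # Reply for www.atmel.com lost (the bad-checksum case): the suffixed query leaks out.
    print(resolve_with_search("www.atmel.com", search, {}))
    print(resolve_with_search("www.atmel.com.", search, {}))       # trailing dot: no suffix search
```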
                    Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.