Netgate Discussion Forum

    Changes in DNS?

    2.1 Snapshot Feedback and Problems - RETIRED
    37 Posts 6 Posters 9.0k Views
      johnpoz LAYER 8 Global Moderator

      Yes, you would normally want to have at least 1 DNS server per WAN connection, in case your other connection goes down, etc., if that name server is only available via that connection.

      Here is the thing with ISP DNS - they are normally only able to be queried from their NETWORK!!  So if you have multiple WAN connections, which path are you taking to the name server's IP?  Since it's unlikely the name server is on the same segment the connection is on.  You could be taking any of your other connections' paths to try and get to a specific IP - what is your default route, do you have specific routes set up for those DNS IPs?

      So if you're having issues doing queries to ISP-based DNS – it's quite possible you're trying to hit them from a source IP that is not their network.  And then yeah, they most likely will not answer you.

      Again - your lack of understanding does not mean a system is not robust ;)

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

        sirdir

        @johnpoz:

        Again - your lack of understanding does not mean a system is not robust ;)

        Please, could you stop making a fool of yourself? I've set up RIP, OSPF, EIGRP, static and, last but not least, BGP4 routing in the 90s, and I've built an ISP that we sold in the year 2000, so you can guess I know some things about routing. I'm even capable of distinguishing between 'not reachable' and 'no DNS service running'.
        Anyway, even if my routing were screwed up, having 2 DNS servers that are not reachable (never mind the reason) breaking pfsense couldn't be called robust, could it?

        No, don't answer, I already know the answer… My lack of understanding is responsible for every bug that ever had been in pfsense…

          doktornotor Banned

          Oh, I see… My DNS servers are unreachable -> pfsense suxxxx, it does not resolve. Makes a lot of sense. facepalm

            kejianshi

            I tend to prefer public servers. I've been testing the OpenNIC servers for a while to see how reliable they are.
            I usually give pfsense 4 geographically separated DNS servers not too far away and then point all the clients at pfsense only.
            I think we should all have about 3 double espressos and chat this some more ;D
            Maybe during a traffic jam on the way home…

              Derelict LAYER 8 Netgate

              If I were OP I would turn off the DNS forwarder in pfSense and set up a couple or three local, caching name servers (with no forwarders configured) and point my local clients at them.

              They would do recursion on behalf of the clients using whatever WAN links happen to be available at the time.  They would only be seeking answers from authoritative servers so the "local queries only" problem with multiple WANs would not exist.

              I would completely disregard the name servers the WAN links set.

              Chattanooga, Tennessee, USA
              A comprehensive network diagram is worth 10,000 words and 15 conference calls.
              DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
              Do Not Chat For Help! NO_WAN_EGRESS(TM)

                sirdir

                @doktornotor:

                Oh, I see… My DNS servers are unreachable -> pfsense suxxxx, it does not resolve. Makes a lot of sense. facepalm

                Probably you had too many facepalms.
                What do you have several DNS for? Redundancy? So, if 2 out of 8 don't work, of course it's normal that name resolution doesn't work anymore?

                  sirdir

                  @kejianshi:

                  I tend to prefer public servers. I've been testing the OpenNIC servers for a while to see how reliable they are.
                  I usually give pfsense 4 geographically separated DNS servers not too far away and then point all the clients at pfsense only.
                  I think we should all have about 3 double espressos and chat this some more ;D
                  Maybe during a traffic jam on the way home…

                  My clients are pointing to pfsense, too (caching…). I still like to use the ISP nameservers whenever possible. Why? My internet connections aren't the fastest ones, and no DNS can be nearer than the one of the ISP - possibly one with an overloaded upstream…

                    kejianshi

                    I am swilling coffee as we speak and also taking isoproterenol (an adrenaline antagonist).
                    I'll be ready to share my feelings on DNS forwarder function in pfsense momentarily.

                    As far as "fast", I agree that the local ones ping faster but once the local ones have proven unreliable, fast doesn't matter.
                    I'd prefer reasonable ping time + reliability over speed.  Especially once I realized that when one of my WAN links drops, that DNS server is just going to become a big speed bump in my internet.

                      sirdir

                      @Derelict:

                      If I were OP I would turn off the DNS forwarder in pfSense and set up a couple or three local, caching name servers (with no forwarders configured) and point my local clients at them.

                      They would do recursion on behalf of the clients using whatever WAN links happen to be available at the time.  They would only be seeking answers from authoritative servers so the "local queries only" problem with multiple WANs would not exist.

                      I would completely disregard the name servers the WAN links set.

                      I do disregard them now. But don't you think your setup is somewhat of an overkill for a private household? 3 additional nameservers? Disabling the DHCP-provided DNS already solved my problems, I think that's good enough for me. By the way, WAN links weren't the problem, there the failover works. And there's no 'local queries only' problem, the routes are correct. Of course, I don't know whether pfsense is smart enough not to query over a gateway that is marked down… But I guess so.
                      Well I have one BIND running in my network already, of course I could use that one. On the other hand I have to reboot that machine from time to time…

                        sirdir

                        @kejianshi:

                        As far as "fast", I agree that the local ones ping faster but once the local ones have proven unreliable, fast doesn't matter.
                        I'd prefer reasonable ping time + reliability over speed.  Especially once I realized that when one of my WAN links drops, that DNS server is just going to become a big speed bump in my internet.

                        Of course you're right. But in the last years DNS was never a problem, the only problem was that 2 providers sent out 2 non-working servers. The 'first' ones in the list always worked.

                          kejianshi

                          Well - Now that that's been solved…
                          On to new challenges.

                          [attachment: beating_a_dead_horse.jpg]

                            sirdir

                            @kejianshi:

                            Well - Now that that's been solved…
                            On to new challenges.

                            Well, maybe you wish to share your thoughts on the forwarder?

                              kejianshi

                              The forwarder has always worked well for me.  I did have one problem once but that was self inflicted.  My list of DNS servers were pretty much co-located servers, so when the path to one went down, they were all down.

                                johnpoz LAYER 8 Global Moderator

                                "So, if 2 out of 8 don't work, of course it's normal that name resolution doesn't work anymore?"

                                What part are you just not getting??  Who's the one making a fool out of themselves?

                                This is NOT the case, unless as I asked at the start of the thread you are doing sequential.  Forwarder by default asks ALL your dns listed at the same time and uses the first one that answers.

                                Does not matter as long as 1 answers in a reasonable amount of time..  Now if they answer NXDOMAIN - like in my first example - then no, they won't resolve at your client..  Is this what is happening?  Don't know, because you couldn't be bothered to take 2 seconds and actually see what pfsense was or was not doing, and what you were or were not getting back from the DNS servers you had listed to use.

                                So you can see, look how pfsense asked all the nameservers I have listed in /etc/resolv.conf -- I added more so you could see ones that don't answer

                                [2.1-RC0][admin@pfsense.local.lan]/root(3): cat /etc/resolv.conf
                                domain local.lan
                                nameserver 127.0.0.1
                                nameserver 64.81.159.2
                                nameserver 129.250.35.250
                                nameserver 75.75.75.75
                                nameserver 1.1.1.1
                                nameserver 2.2.2.2
                                nameserver 3.3.3.3
                                nameserver 4.4.4.4
                                nameserver 5.5.5.5
                                nameserver 6.6.6.6

                                See how pfsense asked them all!  And 3 answered..  WAD!

                                Now in the second example – I made sure I cleared my local client cache, and restarted the DNS forwarder so nothing was cached on pfsense.  Notice how it asks All of them again, but 1 answers first..  That's the answer that gets used; look at that one straggler, he answers but a bit later than the rest.  But 6 out of the 9 I have set did not answer at all.. But resolution still worked.. Fancy that, not bad for such a non-robust setup ;)

                                So what part of this do you just not get??

                                edit: BTW on a side note - notice that my local ISP DNS, 75.75 comcast, did not answer first in the NXDOMAIN query.  The x.ns.gin.ntt.net one did; you would think my local ISP one should answer first ;)  Not always the case, as already mentioned.

                                [attachments: dontanswer.png, answers.png]


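To make the forwarder behaviour johnpoz describes concrete (all listed servers asked at once and the first reply used, versus the sequential option), here is an added Python model; it is not code from the thread, from pfSense or from dnsmasq. The per-server delays and rcodes, the 2-second timeout and the helper names are constructed assumptions; the nameserver list is the resolv.conf posted above.

```python
"""Added model of the two dnsmasq upstream strategies argued about in the thread:
ask all listed servers at once and use the first reply (the pfSense forwarder
default) versus strict sequential order. Server behaviour here is constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

TIMEOUT = 2.0  # assumed wait (seconds) before a silent server is given up on
# Constructed copy of the resolv.conf johnpoz posted, used only as parser input.
RESOLV_CONF = """domain local.lan
nameserver 127.0.0.1
nameserver 64.81.159.2
nameserver 129.250.35.250
nameserver 75.75.75.75
nameserver 1.1.1.1
nameserver 2.2.2.2
nameserver 3.3.3.3
nameserver 4.4.4.4
nameserver 5.5.5.5
nameserver 6.6.6.6
"""

@dataclass(frozen=True)
class Upstream:
    server: str
    rcode: Optional[str]  # "NOERROR", "NXDOMAIN", or None when the server stays silent
    delay: float          # seconds until its reply arrives (ignored when silent)

def parse_nameservers(text: str) -> List[str]:
    """Nameserver entries in list order, skipping loopback (the forwarder itself on pfSense)."""
    servers = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver" and not parts[1].startswith("127."):
            servers.append(parts[1])
    return servers

def build_upstreams(servers: List[str], behaviour: Dict[str, Tuple[str, float]]) -> List[Upstream]:
    """Attach constructed (rcode, delay) behaviour to each server; unlisted ones stay silent."""
    return [Upstream(s, *behaviour[s]) if s in behaviour else Upstream(s, None, 0.0) for s in servers]

def query_all_servers(ups: List[Upstream]) -> Tuple[Optional[Upstream], float]:
    """Default mode: all upstreams asked at once, earliest reply wins whatever its rcode;
    silent servers cost nothing unless every one of them is silent."""
    answered = [u for u in ups if u.rcode is not None]
    if not answered:
        return None, TIMEOUT
    first = min(answered, key=lambda u: u.delay)
    return first, first.delay

def query_strict_order(ups: List[Upstream]) -> Tuple[Optional[Upstream], float]:
    """Sequential mode: list order, and every silent server burns a full TIMEOUT."""
    elapsed = 0.0
    for u in ups:
        if u.rcode is None:
            elapsed += TIMEOUT
            continue
        return u, elapsed + u.delay
    return None, elapsed

if __name__ == "__main__":  # constructed: three of nine answer, as in the screenshot
    ups = build_upstreams(parse_nameservers(RESOLV_CONF), {"64.81.159.2": ("NOERROR", 0.030),
          "129.250.35.250": ("NOERROR", 0.012), "75.75.75.75": ("NOERROR", 0.045)})
    print("all servers, six silent:", query_all_servers(ups))
    print("strict order, two dead first:", query_strict_order(ups[3:5] + ups[:3]))
```

The second call puts two silent servers ahead of the live ones, which is the only arrangement in this model where dead entries delay resolution, and then only in sequential mode.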
                                  sirdir

                                  @johnpoz:

                                  "So, if 2 out of 8 don't work, of course it's normal that name resolution doesn't work anymore?"

                                  What part are you just not getting??  Who's the one making a fool out of themselves?

                                  This is NOT the case, unless as I asked at the start of the thread you are doing sequential.  Forwarder by default asks ALL your dns listed at the same time and uses the first one that answers.

                                  Which part are you not getting? That's not what has happened in my case! I know it should be like that, but it wasn't.
                                  And I TOLD you sequential is not active. And I also told you the failing servers didn't answer NXDOMAIN. There seems to be no DNS active at all (and NO, I was querying via the correct gateway, thank you)

                                  So what part of this do you just not get??

                                  That it's not what happened in my case. Maybe something is handled differently when the servers are provided by DHCP?
                                  I don't know, I just know it didn't work as expected. Maybe you could just for one second imagine that what I'm describing actually happened instead of trying to make a fool of me.

                                    johnpoz LAYER 8 Global Moderator

                                    I would love to see what you were seeing, why should I have to imagine it?

                                    For such a tech guy, what, you couldn't post a screenshot of your sniff of what pfsense was doing or not doing for DNS?

                                    And no, I cannot imagine what you described because that is NOT how it works..  So all those snaps you switched to all had the bad code?  Come on dude, really?  A simple sniff would have shown everyone what was happening..

                                    I don't have to try anything - anyone that jumps to multiple snaps without basic troubleshooting already painted a very clear picture ;)


                                      Derelict LAYER 8 Netgate

                                      @sirdir:

                                      I do disregard them now. But don't you think your setup is somewhat an overkill for a private household?

                                      And 4 WAN links isn't?  Never occurred to me we were talking about a private home network.  Good luck.


                                        sirdir

                                        @Derelict:

                                        @sirdir:

                                        I do disregard them now. But don't you think your setup is somewhat an overkill for a private household?

                                        And 4 WAN links isn't?  Never occurred to me we were talking about a private home network.  Good luck.

                                        Guess it is ;)
                                        There were even 5 but I suspended one (and will probably cancel it). It's difficult to explain. First I had ADSL which is slow and flaky, then I added a WIFI link, then Sat, then a better WIFI link and then another WIFI link that (because it's very cheap) should replace ADSL as a backup. I'll probably cancel the Sat link when the contract period is over…

                                        @Johnpoz: I just wanted to jump to the last known working version but I wasn't sure which one that was… so simple…
                                        When I did this I wasn't even aware that it's a DNS problem. First idea was that it's an ISP problem. As you might know most websites load pics/ads/whatever from different servers and when one of the lookups fails that may cause problems that don't directly point to DNS problems.

                                          doktornotor Banned

                                          @sirdir:

                                          When I did this I wasn't even aware that it's a DNS problem. First idea was that it's an ISP problem.

                                          Broken DNS being served via DHCP by the ISP sure as hell is an ISP problem.

                                            Klaws

                                            @sirdir:

                                            There were even 5 but I suspended one (and will probably cancel it). It's difficult to explain. First I had ADSL which is slow and flaky, then I added a WIFI link, then Sat, then a better WIFI link and then another WIFI link that (because it's very cheap) should replace ADSL as a backup.

                                            Makes me wonder… who operates the WiFi APs? Your neighbor, or your landlord, or some idiot who forgot to enable security on his AP...? :-)

                                            It might just be someone trying to perform an attack utilizing a fake DNS server (but obviously too incompetent to succeed).

                                            Well, I might just be paranoid. But that doesn't mean that conspiracy theories must be all wrong, right? Seen anything suspicious lately? UFOs? Elvis? Any droids which weren't the droids you were looking for? ;-)

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.