2.1.4 Fresh Install DNS Not resolving
-
DNS Lookup for Google.com yields
Server Query time
8.8.8.8 No response
8.8.4.4 No response
208.67.222.222 No response
208.67.220.220 No responseI get the following in the Resolver log:
Oct 29 01:00:54 dnsmasq[94525]: exiting on receipt of SIGTERM
Oct 29 01:00:55 dnsmasq[1809]: started, version 2.68 cachesize 10000
Oct 29 01:00:55 dnsmasq[1809]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth
Oct 29 01:00:55 dnsmasq[1809]: reading /etc/resolv.conf
Oct 29 01:00:55 dnsmasq[1809]: using nameserver 208.67.220.220#53
Oct 29 01:00:55 dnsmasq[1809]: using nameserver 208.67.222.222#53
Oct 29 01:00:55 dnsmasq[1809]: using nameserver 8.8.4.4#53
Oct 29 01:00:55 dnsmasq[1809]: using nameserver 8.8.8.8#53
Oct 29 01:00:55 dnsmasq[1809]: read /etc/hosts - 2 addressesIn the routing table I see the routes for the DNS servers pointing out to the gateway using the WAN interface.
I also see the states are open from the WAN interface out to the DNS servers.
-
Can you ping your configured DNS servers? The symptoms match a basic network connectivity problem. There is no requirement to have DHCP or anything else enabled for DNS to function.
-
I'll check that when I login tonight.
Does pfSense attempt to ping the DNS servers before sending it's queries?
-
No.
-
Are you sure your WAN and gateway are properly configured?
-
Thinking that it was a FW rule issue, I've added rules on the WAN to PASS port 53 to\from my DNS servers.
Also you do not need to open anything on WAN for outgoing DNS queries to work. That rule will let the outside world use your DNS, which is not a good idea.
-
Thinking that it was a FW rule issue, I've added rules on the WAN to PASS port 53 to\from my DNS servers.
Also you do not need to open anything on WAN for outgoing DNS queries to work. That rule will let the outside world use your DNS, which is not a good idea.
Yeah, I recognize that but I was trying to grasp as straws.
@cmb:
Can you ping your configured DNS servers? The symptoms match a basic network connectivity problem. There is no requirement to have DHCP or anything else enabled for DNS to function.
I discounted that earlier due to some rules on the gw but I checked those and retested.
pfsense –> 8.8.8.8 == Failure
gateway --> 8.8.8.8 == Success
pfsense --> gateway == Success
gateway --> pfsense == Success
gateway --> next hop == Success
pfsense --> next hop == FailureUsing the Diagnostics: Routing Table I see that 8.8.8.8 uses the correct gateway.
I'm not trying to be difficult but I must be missing some obvious.. so I'll ask the question. How is the WAN and the gateway supposed to be configured?
-
Well - The gateway and wan IP should be on same subnet…
Your wan should match what your ISP is providing.
Example. If they provide a /24 and you enter /16 it wouldn't work well maybe.
Just little nit-noid things like that.
Also, try it with nothing more than basic default default WAN and LAN rules at first.
-
Example. If they provide a /24 and you enter /16 it wouldn't work well maybe.
Yeah, the WAN IP is using /24 and they are providing /16. I'll tinker with that and see what happens.
-
I can't tell if you are being serious or sarcastic. haha.
But I really do hope it works. I've seen typos like that on the wan before that people had missed.
Not trying to suggest you can't set up a WAN. I know I've made my share of mistakes. -
How is the WAN and the gateway supposed to be configured?
However your ISP tells you. Matching the IP, subnet mask, and gateway provided (for static IP connectivity, which sounds like what you have here).
-
Well - The gateway and wan IP should be on same subnet…
Example. If they provide a /24 and you enter /16 it wouldn't work well maybe.
Yes, the gateway was on /16 and the FW was on /24. After changing the GW to match still no dice.
I can't tell if you are being serious or sarcastic. haha.
No problem.. I've been banging my head against this with no luck for almost two weeks now.. so I'm more frustrated than anything else.
Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity? I can not easily just plug in a computer on that port as it's remote.
-
Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity?
Sure. Create a static DNS entry (Host Override) in Services->DNS Forwarder then:
dig @pfsenseip host_override_fqdn
From behind pfSense (ie from LAN)
If you don't have dig you'll need to use nslookup, or ping the hostname or something but you won't be specifically asking pfSense to resolve a name so you might not be testing what you want to be testing.
I can not easily just plug in a computer on that port as it's remote.
You might have to take a trip or get some remote hands going.
-
Cool, I'll try that.
Is there a better place to track\log the activity of the DNS REsolver? In my screwing around with it now I'm getting nothing in the REsolver tab of the System Logs after using the DNS Resolver in Diagnostics.
-
Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity?
Sure. Create a static DNS entry (Host Override) in Services->DNS Forwarder then:
dig @pfsenseip host_override_fqdn
From behind pfSense (ie from LAN)
If you don't have dig you'll need to use nslookup, or ping the hostname or something but you won't be specifically asking pfSense to resolve a name so you might not be testing what you want to be testing.
Awesome, using the override I have confirmed that the resolver can work.. but only internally.
-
I was able to get a box on the outside of the PFsense and test the DNS… no dice. So this is looking like a gateway issue. I'll update when I know more.
-
Issue was found to be in the gateway. Thanks for all your help guys.
-
Cool - Hope its good now.
