    DNS Resolver

    Category: 2.2 Snapshot Feedback and Problems - RETIRED
    186 Posts, 44 Posters, 142.0k Views
      mattbunce:

      Thanks Phil

      So do you not have a domain set, and therefore your clients are not applying the suffix?

      In the log I provided, I only did one NSLOOKUP to server.vpn - so either the client sent a second request without the DNS suffix or pfSense dropped the local domain portion after not getting a response from the public DNS servers.

        phil.davis:

        The client will have tried server.vpn and server.vpn.local on your behalf. So the server sees 2 different requests.
        My pfSenses have their domain as the same as our internal Windows Server AD domain - e.g. internal.mycompany.com - and then a domain override to point internal.mycompany.com to the nearest Active Directory DNS Server.

        Having just 1 internal domain will also resolve the issue you see - at the moment you have a ".vpn" domain and a ".local" domain happening. Then your domain override will be for the domain that pfSense itself is in.

        As the Greek philosopher Isosceles used to say, "There are 3 sides to every triangle."
        If I helped you, then help someone else - buy someone a gift from the INF catalog http://secure.inf.org/gifts/usd/

          amunrara:

          working fine for me

            mattbunce:

            Hmm - strange. I have had to use Phil's trick of directing the server.vpn.local requests to a non-existent server and then letting the server.vpn request go to the correct server. Without this I couldn't avoid the public DNS server being queried.

            Maybe the issue is that I am not using AD? amunrara could you describe your set-up?

            M
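
            The two posts above describe a client that sends both server.vpn and server.vpn.local, and a forwarder that only has an override for the vpn domain, so the suffixed name falls through to the public resolvers. The model below is an added example, not pfSense's or unbound's code: it reproduces the client's search-suffix expansion and unbound's longest-suffix zone match, and shows the leak with and without a static zone for the stray suffix. The static zone is the unbound-native equivalent (local-zone: "local." static) of Phil's "point it at a non-existent server" trick, not what he described. Every name and address in it (server.vpn, the .local suffix, 10.8.0.1 as the VPN DNS server, 8.8.8.8 as the public forwarder) is an assumption for the example.

```python
# Toy model of stub-resolver suffix expansion plus forwarder zone routing.
# Names, addresses and zones are constructed for this example; they are not
# taken from the thread's real configuration.

SEARCH_LIST = ["local"]          # assumed client DNS suffix
PUBLIC = "forward:8.8.8.8"       # assumed public forwarder (pfSense "DNS servers")

# Forwarder zones, unbound style: the most specific matching zone wins.
ZONES_LEAKY = {
    ".": PUBLIC,                  # everything else goes to the public resolver
    "vpn.": "forward:10.8.0.1",   # pfSense domain override == unbound forward-zone
}

# Same, plus a static zone for the stray suffix. Equivalent unbound directive:
#   local-zone: "local." static
# A static zone answers only from its local-data and returns NXDOMAIN for
# anything else, so the query never leaves the box.
ZONES_FIXED = {**ZONES_LEAKY, "local.": "static"}


def candidate_names(query, search_list, ndots=1):
    """Names a stub resolver will actually send, in order.

    Mirrors the usual ndots rule: a name with at least `ndots` dots is tried
    as typed first, then with each search suffix appended; a name with fewer
    dots gets the suffixes first and the bare name last.
    """
    q = query.rstrip(".")
    absolute = q + "."
    suffixed = [f"{q}.{s.strip('.')}." for s in search_list]
    if q.count(".") >= ndots:
        return [absolute] + suffixed
    return suffixed + [absolute]


def matching_zone(name, zones):
    """Longest-suffix match, as unbound does for local-zone / forward-zone."""
    labels = name.rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:]) + "."
        if candidate in zones:
            return candidate
    return "."


def route(name, zones):
    """Where the forwarder sends one name: (zone, action)."""
    zone = matching_zone(name, zones)
    action = zones[zone]
    if action == "static":
        return zone, "NXDOMAIN (answered locally)"
    return zone, action


def simulate(query, search_list, zones):
    """Every name the client tries and where the forwarder sends each one."""
    return [(n, *route(n, zones)) for n in candidate_names(query, search_list)]


def leaked_names(query, search_list, zones):
    """Names that reach the public forwarder, i.e. leak the internal suffix."""
    return [n for n, _zone, action in simulate(query, search_list, zones)
            if action == zones["."]]


if __name__ == "__main__":
    for label, zones in (("leaky", ZONES_LEAKY), ("fixed", ZONES_FIXED)):
        print(label)
        for name, zone, action in simulate("server.vpn", SEARCH_LIST, zones):
            print(f"  {name:<20} zone {zone:<8} -> {action}")
```

            Running it shows server.vpn. going to the override in both setups, while server.vpn.local. goes to the public forwarder in the leaky setup and is answered NXDOMAIN locally in the fixed one. On a real pfSense box the check is the same: watch the public-facing query log for names carrying your internal suffix.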

              nzimmers:

              I'm a pretty novice user but wanted to provide some feedback and see if there are any suggestions.  I'm currently using 2.2-BETA (i386) built on Thu Dec 04 08:23:23 CST 2014

              when I check Status->Services  several times in a row I see Unbound DNS Resolver running and stopped at various times so it seems like it's constantly stopping and restarting.

              In the general setup, I have "Allow DNS server list to be overridden by DHCP/PPP on WAN" unchecked and "Do not use the DNS Forwarder as a DNS server for the firewall" checked.

              Not sure if I have something configured wrong…

                Hugovsky:

                Check the posts near the end of previous page. Might be your issue.

                  MikeV7896:

                  @Hugovsky:

                  Check the posts near the end of previous page. Might be your issue.

                  Specifically, this one…

                  https://forum.pfsense.org/index.php?topic=78356.msg464921#msg464921

                  The S in IOT stands for Security

                    xbipin:

                    I started using the new DNS resolver but I'm having one issue. I have it set to reset the PPPoE connection every night, and when this happens unbound stops working; I get these errors in the system log continuously:

                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 61031
                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 19660
                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 26847
                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 26531
                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 65308
                    Dec 11 09:44:44 	unbound: [7669:0] error: can't bind socket: Can't assign requested address
                    Dec 11 09:44:44 	unbound: [7669:0] debug: failed address 92.98.234.229 port 19113
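
                    The lines above show unbound trying to bind its outgoing sockets to a specific address (the old PPPoE IP) rather than the wildcard, which unbound only does when its outgoing-interface list names that address. After the reconnect the address is gone, so every upstream query fails with "can't assign requested address" until unbound is restarted with a regenerated config. The script below is an added check, not part of pfSense or unbound: it parses log lines of the shape posted above (the sample is constructed), pairs each bind error with the address unbound reports, and flags addresses no longer configured on the box. The set of current addresses is an assumption standing in for what ifconfig would show.

```python
import re
from collections import Counter

# Constructed sample, shaped like the lines in the post above (not a real capture).
SAMPLE_LOG = """\
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 61031
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19660
Dec 11 09:44:45 unbound: [7669:0] notice: init module 0: validator
"""

# Addresses currently configured on the box after the PPPoE reconnect;
# assumed values for the example (on pfSense, read them from ifconfig).
CURRENT_ADDRS = {"127.0.0.1", "192.168.1.1", "92.98.240.17"}

BIND_RE = re.compile(r"unbound: \[(\d+):\d+\] error: can't bind socket")
FAILED_RE = re.compile(r"unbound: \[(\d+):\d+\] debug: failed address (\S+) port (\d+)")


def parse_bind_failures(log_text):
    """Count failed outgoing binds per (pid, address).

    Unbound logs the error line first and the address on the following debug
    line, so each address line is paired with a preceding error from the same
    pid; stray debug lines without an error are ignored.
    """
    pending = set()
    hits = Counter()
    for line in log_text.splitlines():
        m = BIND_RE.search(line)
        if m:
            pending.add(m.group(1))
            continue
        m = FAILED_RE.search(line)
        if m and m.group(1) in pending:
            hits[(m.group(1), m.group(2))] += 1
            pending.discard(m.group(1))
    return hits


def stale_outgoing_addrs(log_text, current_addrs):
    """Addresses unbound still tries to bind that are no longer on any interface.

    A non-empty result means the running unbound was started with an
    outgoing-interface list pinned to an address that has since changed; the
    fix is a restart with a regenerated config, not waiting for the daemon to
    recover on its own.
    """
    hits = parse_bind_failures(log_text)
    return sorted({addr for (_pid, addr) in hits if addr not in current_addrs})


if __name__ == "__main__":
    for (pid, addr), count in parse_bind_failures(SAMPLE_LOG).items():
        print(f"pid {pid}: {count} failed binds to {addr}")
    stale = stale_outgoing_addrs(SAMPLE_LOG, CURRENT_ADDRS)
    print("stale outgoing addresses:", stale or "none")
```

                    On a pfSense box the same check can be fed with the Resolver log from Status > System Logs and the output of ifconfig; a stale address means restarting the Resolver service (or fixing the reconnect hook) is the remedy, and that the WAN address change by itself will not clear the errors.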
                    
                      router_wang:

                      Does the resolver also handle IPv6 DNS requests?

                        cmb:

                        @router_wang:

                        Does the resolver also handle IPv6 dns requests?

                        Of course.

                          NobodyHere:

                          We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.

                          DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.

                            cmb:

                            @NobodyHere:

                            We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.

                            DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.

                            https://redmine.pfsense.org/issues/4095

                              NobodyHere:

                              I'm not sure what a message consisting solely of a link to a similar bug report means…

                                phil.davis:

                                @NobodyHere:

                                I'm not sure what a message consisting solely of a link to a similar bug report means…

                                I think cmb means "it is a known issue and there is a bug report for it".
                                It does really need fixing - as you have described, DNS resolution can stop working on a WAN DHCP address change, if you have an "unfortunate" combination of Unbound in forwarder mode… settings.


                                  cmb:

                                  @phil.davis:

                                  @NobodyHere:

                                  I'm not sure what a message consisting solely of a link to a similar bug report means…

                                  I think cmb means "it is a known issue and there is a bug report for it".

                                  Yes, figured that was clear.

                                    dstroot:

                                    Latest version broke unbound for me - it did not start after the upgrade.  I had to uncheck "Enable DNSSEC Support" to get it to come up.

                                      jbc:

                                      I have DNS Resolver set up to use OpenDNS via dnscrypt-proxy.
                                      I then have firewall rules set up to only allow LAN clients to query the LAN address on port 53,
                                      and block requests to remote DNS servers; everything works in this regard (no DNS leaks).

                                      But if I query an unknown, non-existent name, such as qwertyuiopas.dfghjklzxcvbnm
                                      I get:
                                      drill qwertyuiopas.dfghjklzxcvbnm
                                      ;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40495
                                      ;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
                                      ;; QUESTION SECTION:
                                      ;; qwertyuiopas.dfghjklzxcvbnm. IN      A

                                      ;; ANSWER SECTION:

                                      ;; AUTHORITY SECTION:
                                      .      2918    IN      SOA    a.root-servers.net. nstld.verisign-grs.com. 2014122700 1800 900 604800 86400

                                      ;; ADDITIONAL SECTION:

                                      ;; Query time: 28 msec
                                      ;; SERVER: 127.0.0.1
                                      ;; WHEN: Sat Dec 27 18:05:03 2014
                                      ;; MSG SIZE  rcvd: 120

                                      And if I ping qwertyuiopas.dfghjklzxcvbnm; It resolves to my WAN ip… (I would expect an unknown host response)

                                      I have "NAT Reflection mode for port forwards" set to Pure NAT, could this be the culprit?

                                        dstroot:

                                        I am trying to do the same - can you describe this further?

                                        "I have DNS resolver setup to use opendns via dnscrypt-proxy.
                                        I then have firewall rules setup to only allow lan clients to query lan address on port 53,
                                        and block requests to remote DNS';"

                                        Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS.  However DNSSEC is giving me issues.

                                        What was the process to get dnscrypt-proxy going properly?

                                        Best,
                                        Dan

                                        Attachments: firewall_home_lan_-_Services__DNS_Resolver.png, firewall_home_lan_-_Services__DNS_Resolver__Advanced.png

                                          doktornotor:

                                          @dstroot:

                                          "I have DNS resolver setup to use opendns via dnscrypt-proxy.
                                          Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS.  However DNSSEC is giving me issues."

                                          DNSSEC != the OpenDNS nonsense that no one else uses. If you want DNSSEC, do not use OpenDNS.

                                            jbc:

                                            I installed the dnscrypt-proxy package and setup unbound with a forward-zone to 127.0.0.1.
                                            I then setup the dnscrypt-proxy, first using dnscrypt.eu-nl; which worked for a bit, but is unstable, so right now I have it querying opendns while I investigate the dnscrypt.eu issue…

                                            btw. I have dnssec checked. no problem.

                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.