New Install Odd DNS issues
-
I am not 100% sure where to start after I ripped the cables out the back of my pfsense box. lol
Here is our network..
Verizon 5 IPs from them 71.251.9x.xx going to gateway / Wan
BrightHouse 13 ips 97.76.4x.xxx going to gateway / WanLan 192.168.0.0/24
Lan1 10.2.1.0/24All this works fine for at least 10 minutes to 15 minutes. Then DNS just stops resolving. We have 4 AD servers 2 on the 192.168 network our main network and 2 on 10.2 network. After 10 min I can ping them by name say dc and dc1 but no where on the network can I ping google.com it just stops resolving.
When I do nslookup google.com DNSSERVER it can't resolve it any longer.
Our AD box does DHCP so pfsense is not handing any of this out. I can still ping out to say 8.8.8.8 from any computer but I can't resolve domains.
Its very odd because for the first 10 miunutes it works fine then stops and I cant figure out why. Now the pfsense box can big out as I have its IPs set as 8.8.8.8 and 8.8.4.4
Our DNS should be going to the root DNS servers to get the IPs for any domain it does not have but its not doing this. I am so lost as to what could cause this very odd issue..
I am going to hook my pfsense backup on test network because it worked for days like that with no issues. We do have medium size network 100 hyper-v VM's 10 servers, 20-30 computers but we have pfsense on a dual xeon box with 16gb of ram and 6 gb nics so I am 100% sure its not hardware as cpu was 0% and memory was 8%.
I am hoping someone here can make sense of this mess and I tried to explain it best I could here.
-
Could this cause DNS servers to stop being able to resolve DNS?
https://doc.pfsense.org/index.php/Tuning_and_Troubleshooting_Network_Cards
Only thing I have come up with before trying to switch over again. Is there a tips tricks of tweeaks page some where lol
-
So dns issue, yet nowhere do you state where your clients point to dns.. Guessing your AD box which one you state you have multiple DCs, since you say they are suppose to look up from roots..
"When I do nslookup google.com DNSSERVER"
So your not running forwarder or resolver on pfsense? Or do you point your AD dns to pfsense in forward mode, and also allow AD to talk to roots??
New version of pfsense uses resolver not forwarder, which is completely different..
-
We have 2 DNS servers on our two main AD servers all clients point to them for DNS. The DNS servers point to 127.0.0.1 so if they can't resolve a name they use root hints/servers.
Problem is after 10 min or so all nslookup fail DNS no longer resolves network seems to slow.
-
So trouble shoot your query, you seem to have multiple wan connections.. So what controls connecting going out what specific network and their return.
Why you just sniff and see what is happening..Doesn't matter what the OS itself points to for dns - you can setup the dns server to either forward or resolver, or forward and if fail then resolve, etc..
-
We do have multi wan, shouldn't it return the same as it came in?
We do have nat inbound rules maybe 40 or so for web sites exchange etc. But every thing seemed to work as I said for the first 10-15 min. That's what was odd then sent down hill.
-
How do you know it worked for 10-15 and you were not just getting something cached.
When you have a query that doesn't work - then follow it, its really pretty basic stuff.. You query AD server 192.168.1.100 for example. If it doesn't have it cached it will walk the tree of roots down to the authoritative server for whatever domain your doing a query of..
Simple enough to sniff on the lan interface server is connected to and validate pfsense sees the queries to allow out to the network.. Look on the wan side, do you get anything back??
