Dns not working randomly
-
What would that have to do with accessing public websites, or doing queries to ns that take 808ms to resolve. Or domains not resolving at all?
Yeah that would block rfc1918 creating states through your wan firewalls. But don't see how that would have anything to do with your issue..
-
have no clue….stlll trying to understand...
-
Dude blocking rfc1918 to your want wouldn't have anything to do with resolving anything.. Do you have any states with rfc1918 through your wan connection?
-
from pfsesne cli i was able to solve all addresses, problem was it blocked some of them to reach LAN due to this rule.
-
NO dude it would NOT.. Do you even understand what a rfc1918 is?
I don't know what your problem was, but blocking rfc1918 to your wan sure wouldn't be it.. What possible public domain could you be looking up or trying to go to on the public internet what would be rfc1918?? Rfc1918 is the private ip space 10.x, 192.168, 172.16 – this addresses are not routable on the oublic internet... So how exactly would that have anything to do with you looking up freebsd.com ?
-
NO dude it would NOT.. Do you even understand what a rfc1918 is?
I don't know what your problem was, but blocking rfc1918 to your wan sure wouldn't be it.. What possible public domain could you be looking up or trying to go to on the public internet what would be rfc1918?? Rfc1918 is the private ip space 10.x, 192.168, 172.16 – this addresses are not routable on the oublic internet... So how exactly would that have anything to do with you looking up freebsd.com ?
I perfectly understand what you say….no need to be aggresive.
Will test again all the same from scratch and try to find out what the problem is. -
Not sure were you got aggressiveness out of my clear and precise statements that what you think was the problem could not have anything to do with the problem you were seeing. I for sure did not intend to come off that way.
Just trying to point out to you, that from the information given there is no way that could have been your problem.
Rfc1918 inbound to your wan could have nothing to do with anything to do with resolving or accessing public internet sites. That rule blocks INBOUND traffic to your wan, that is all. It does not even stop you from talking to rfc1918 outside your wan, as long as YOU created the connection outbound to them, the answer would be allowed.
If your curious, turn it back on.. Make sure you log it, what do you see in the firewall log for it? Now what could cause you grief for sure would be if you were blocking that on say a lan interface. But if that was the case really nothing would of worked at all. Unless you were not using rfc1918 on your lan side networks.
Lets get some more information.
I assume you have a public IP on pfsense wan, ie not rfc1918, your not behind a nat in anyway on your pfsense internet side connection.I would also assume your using normal rfc1918 addressing on your lan side networks, network behind pfsense. And that you nat these connections to your wan IP address. This is typical out of the box setup for pfsense.
Your not blocking bogon on lan side are you? Are you using ipv6? You could have problems maybe with your ipv6 connectivity, pfsense trying to resolve would attempt to use ipv6 out of the box first. This could cause problems if something wrong with the ipv6 connectivity either yours or the domains in question NS.
We also need to validate that your problem is dns based where you can not actually resolve where to go, or that its issue with talking to the actual website via http/https. Your sniff you posted, where was that taken? I assume your pfsense lan interface. It really is better to actual see the capture in wireshark, so if you want to post up another one.. Actually post up the pcap file so we can open it in wireshark. Possible you are having connection issues to some site, where you setting retrans and such.. Its hard to follow the streams in the output you posted to be honest. That is fine for quick and dirty hey am I seeing traffic from a specific IP, did I get an answer at all, etc. But to help troubleshoot what the issue might be, it much easier to have the actual cap that can open and view in say wireshark.
-
I just tested….and Yes...you're right!!!
I did something which I don't remember @ all and broke it...now it works as it should...
my bad was that i made several changes @ once and forgot the main one who made it work.thank you for all details & help.
-
If I had to make a guess, I would say you changed from resolver to forwarder mode. If you were having issues resolving stuff from root and talking to all the authoritative ns, or having large amounts of latency in looking the stuff up from them. Then moving to forwarder mode and asking a local ns for their cached info could for sure clear up any dns based issues.
-
Could be that too…i tried this too
-
I have the same issue on my mobile phone web view tell me more about the mobile web plz tell me I'm in trouble since last weak.
