Request to pfSense.localdomain timed-out
-
What "without accesslist not going to be able to use resolver"?
I'm using the internet without any modification since one month. I didn't add or remove anything from the access list.
-
http://arstechnica.com/security/2016/10/dos-attack-on-major-dns-provider-brings-internet-to-morning-crawl/
-
Sir KOM,
Here, if I put 8.8.8.8 on the machine manually, FB opens flawlessly, but on 192.168.1.1 (the pfSense IP) nothing: server not found. Only YouTube working fine.
-
Yes, I understood that the first time you said it. You are either having a DNS problem with your upstream or your configuration is somehow broken. Since a couple of people are complaining about DNS today, I thought it might be related to the DDoS of DynDNS.
-
Yeah, there is a major DDoS against a major DNS provider going on right now. If they are hosting the authoritative servers for domains you're interested in looking up, then you're going to have a problem.
Looking up pfSense's own name has nothing to do with outside DNS though. You have to have an access list to be able to query the resolver. If you cannot query pfSense's own name, then the resolver is not running, you're not allowed because of the access list, or you have a connectivity issue, or something broke in the resolver.
user@ubuntu:~$ dig pfsense.local.lan
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.local.lan. IN A
;; ANSWER SECTION:
pfsense.local.lan. 3600 IN A 192.168.9.253
;; Query time: 2 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Fri Oct 21 11:00:03 CDT 2016
;; MSG SIZE rcvd: 62
I pulled my local network out of the access list
user@ubuntu:~$ dig pfsense.local.lan
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24649
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; WARNING: recursion requested but not available
;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Fri Oct 21 11:01:21 CDT 2016
;; MSG SIZE rcvd: 12
I upped the logging level in my resolver.
Oct 21 11:03:29 unbound 71253:1 debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
Oct 21 11:03:29 unbound 71253:1 debug: refuse[41:0] 5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001
Oct 21 11:03:29 unbound 71253:1 debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
Oct 21 11:03:29 unbound 71253:1 debug: refuse[41:0] 5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001
Oct 21 11:03:29 unbound 71253:1 debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
Oct 21 11:03:24 unbound 71253:0 debug: refuse[50:0] 6BE4010000010000000000000F6C6F672D72747332342D69616430310764657669636573046E65737403636F6D0000010001
Oct 21 11:03:24 unbound 71253:0 debug: refused query from ip4 192.168.4.96 port 47019 (len 16)
You can see it refusing queries from my local network.
Do you have this checked or unchecked?
-
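An added example, not from the thread or from Unbound itself, that decodes the debug lines pasted in the post above: next to each refusal Unbound logs the raw query as hex in DNS wire format, so the client IP and the name it asked for can be recovered when checking what the access list is blocking. The log excerpt embedded below is the one from that post.

```python
# Decode Unbound "refused query" debug lines: next to each refusal Unbound logs the
# raw query as hex in DNS wire format, so the refused name can be recovered.
import re, struct
from collections import Counter

REFUSED_RE = re.compile(r"refused query from ip[46] (\S+) port (\d+)")
REFUSE_HEX_RE = re.compile(r"refuse\[\d+:\d+\] ([0-9A-Fa-f]+)")

def decode_question(hexstr):
    """Parse the 12-byte header and the single question of a DNS query."""
    msg = bytes.fromhex(hexstr)
    qid, flags, qdcount = struct.unpack("!HHH", msg[:6])
    if qdcount != 1:
        raise ValueError("expected exactly one question")
    labels, pos = [], 12
    while True:
        length = msg[pos]
        pos += 1
        if length == 0:
            break
        if length & 0xC0:  # compression pointers do not occur in a plain query
            raise ValueError("unexpected compression pointer in question")
        labels.append(msg[pos:pos + length].decode("ascii"))
        pos += length
    qtype, qclass = struct.unpack("!HH", msg[pos:pos + 4])
    return {"id": qid, "rd": bool(flags & 0x0100), "qname": ".".join(labels),
            "qtype": {1: "A", 28: "AAAA"}.get(qtype, qtype), "qclass": qclass}

def summarize_refusals(log_text):
    """Count refused clients and decode the refused names from a log excerpt."""
    clients, names = Counter(), []
    for line in log_text.splitlines():
        m = REFUSED_RE.search(line)
        if m:
            clients[m.group(1)] += 1
            continue
        m = REFUSE_HEX_RE.search(line)
        if m:
            names.append(decode_question(m.group(1))["qname"])
    return {"clients": dict(clients), "names": names}

SAMPLE_LOG = """\
Oct 21 11:03:29 unbound 71253:1 debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
Oct 21 11:03:29 unbound 71253:1 debug: refuse[41:0] 5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001
Oct 21 11:03:24 unbound 71253:0 debug: refuse[50:0] 6BE4010000010000000000000F6C6F672D72747332342D69616430310764657669636573046E65737403636F6D0000010001
Oct 21 11:03:24 unbound 71253:0 debug: refused query from ip4 192.168.4.96 port 47019 (len 16)
"""
if __name__ == "__main__":
    print(summarize_refusals(SAMPLE_LOG))
```

-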
For me the resolver is unable to resolve at least these two domains:
github.com
twitter.com
-
Yeah, those are listed as two of the domains that are hosted there..
github.com. 172800 IN NS ns1.p16.dynect.net.
github.com. 172800 IN NS ns3.p16.dynect.net.
github.com. 172800 IN NS ns2.p16.dynect.net.
github.com. 172800 IN NS ns4.p16.dynect.net.
twitter.com. 172800 IN NS ns1.p34.dynect.net.
twitter.com. 172800 IN NS ns2.p34.dynect.net.
twitter.com. 172800 IN NS ns3.p34.dynect.net.
twitter.com. 172800 IN NS ns4.p34.dynect.net.
dynect.net is what is under DDoS.
-
It's unchecked; no modification done on this page.
Only YouTube is working properly…. How do I correct my DNS resolver if it got corrupted?
-
I plugged in a Linksys RV042 and everything is working fine. Just pfSense is having a problem with Unbound DNS resolving…
Any hope for the broken Unbound DNS resolver, or fresh install again?? :-\
-
Yet again: nothing to do with Unbound per se. Just try some different upstream DNS servers to test. I had problems a few days ago too, and adding e.g. an OpenDNS server and another local free DNS server in addition to 8.8.8.8 helped solve it, as even the Google DNS couldn't resolve twitter and github anymore. A few others had other cache timings etc. so could still resolve them. That helped.
Also restart/refresh Unbound so it resolves the domains again and doesn't use negative caching against you.
Use "ipconfig /flushdns" as you're using Windows. That caches negative DNS, too.
Not everything is simply a pfSense problem ;)
-
I did what you said, still the same. Check the screenshots for what settings I do more….
-
Ya think maybe your pfBlocker DNS might have something to do with it ;)
Let's go over this again.. Can you query pfSense's own name from something on your network?
example
dig pfsense.local.lan
; <<>> DiG 9.11.0 <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51432
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.local.lan. IN A
;; ANSWER SECTION:
pfsense.local.lan. 3600 IN A 192.168.9.253
;; Query time: 1 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Oct 24 06:24:07 Central Daylight Time 2016
;; MSG SIZE rcvd: 62

nslookup pfsense.local.lan
Server: pfsense.local.lan
Address: 192.168.9.253
Name: pfsense.local.lan
Addresses: 2001:470:snipped::1
192.168.9.253
-
Yes Sir,
lubuntu@lubuntu:~$ dig pfsense.local.lan
; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7057
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.local.lan. IN A
;; AUTHORITY SECTION:
. 3559 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016102400 1800 900 604800 86400
;; Query time: 46 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Oct 24 17:03:25 IST 2016
;; MSG SIZE rcvd: 121

lubuntu@lubuntu:~$ dig pfsense.local.lan
; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.local.lan
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11851
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.local.lan. IN A
;; AUTHORITY SECTION:
. 3499 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016102400 1800 900 604800 86400
;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Oct 24 17:08:44 IST 2016
;; MSG SIZE rcvd: 121

lubuntu@lubuntu:~$ nslookup pfsense.local.lan
Server: 127.0.1.1
Address: 127.0.1.1#53
** server can't find pfsense.local.lan: NXDOMAIN

See, only YouTube is working very fine….
lubuntu@lubuntu:~$ dig www.youtube.com
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.youtube.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42624
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.youtube.com. IN A
;; ANSWER SECTION:
www.youtube.com. 86385 IN CNAME youtube-ui.l.google.com.
youtube-ui.l.google.com. 286 IN A 216.58.220.206
;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Oct 24 17:25:42 IST 2016
;; MSG SIZE rcvd: 94
-
And you are doing the query to loopback 127.0.1.1, not pfSense. Where is your Linux box sending that query?
-
; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.localdomain
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19430
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pfsense.localdomain. IN A
;; ANSWER SECTION:
pfsense.localdomain. 3600 IN A 192.168.2.1
;; Query time: 0 msec
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; WHEN: Mon Oct 24 20:43:19 IST 2016
;; MSG SIZE rcvd: 64

lubuntu@lubuntu:~$ nslookup pfsense.localdomain
Server: 127.0.1.1
Address: 127.0.1.1#53
Name: pfsense.localdomain
Address: 192.168.2.1
Small correction: pfsense.localdomain, not pfsense.local.lan. This is all the dig output I get, using the same configuration for 16 days with no reboot. It suddenly stopped resolving hostnames; somehow only YouTube is working fine without any problem.
Should I also need to specify a DNS IP in System/General Setup/DNS Server setting?
Also using some packages like Snort, pfBlockerNG, Squid proxy in transparent mode, ClamAV.
-
You need to query pfSense directly with your dig command, because where is Linux actually sending that query? You are doing the query to itself.
-
I don't know why 127.0.0.1 Unbound is unable to resolve domain names. Only YouTube working. Do I need to update some kind of cache of Unbound DNS?
-
Well, your Linux box is most likely not asking pfSense.
-
Any idea what I do now, because 127.0.0.1 is not resolving domains….. DNS lookup also keeps searching but nothing.
NOTE: tested this - when I do DNS Query Forwarding - Enabled and put Google DNS 8.8.8.8 in System/General Setup, everything works normal. But before that I used to keep DNS Query Forwarding unchecked and no DNS in System/General, and everything just worked fine....
-
Dude, so when you query the pfSense directly??
dig @pfsenseIP pfsense.localdomainname.tld
Does that respond or not?
On pfSense using the resolver and pointing to itself, can it resolve other domains?
Your problem is your Linux is asking some service running locally; that does what? Does it forward to what?
It's possible the pfSense resolver is having an issue talking to the roots and the authoritative NS. But it should be able to resolve its own name when asked by itself or other clients.
It's also possible you just don't have an access list that allows your client to even query pfSense for anything that the resolver can resolve, either your own local names or host overrides or outside.
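An added example, not part of the thread, that applies the checks in the reply above to dig output: it reads the status, flags, SERVER and AUTHORITY lines and reports whether the query ever reached pfSense, was refused by the Unbound access list, or was answered by the resolver. The pfSense IP is a parameter; the three samples are condensed from the dig results pasted earlier in this thread.

```python
# Classify a dig result the way the replies in this thread do: did the query
# reach pfSense, was it refused by the Unbound access list, or did the
# resolver answer?  Samples are condensed from the thread's own dig outputs.
import re

def parse_dig(output):
    """Pull status, answering server, the aa flag and a root-SOA marker."""
    status = re.search(r"status: ([A-Z]+)", output)
    server = re.search(r"SERVER: ([^#\s]+)#", output)
    flags = re.search(r"flags: ([a-z ]*);", output)
    return {"status": status.group(1) if status else None,
            "server": server.group(1) if server else None,
            "aa": bool(flags and "aa" in flags.group(1).split()),
            # a root SOA in AUTHORITY means the public DNS tree, not pfSense, said NXDOMAIN
            "root_soa": re.search(r"^\.\s+\d+\s+IN\s+SOA", output, re.M) is not None}

def diagnose(output, pfsense_ip):
    """Return (code, advice) for one dig run against the expected pfSense IP."""
    d = parse_dig(output)
    if d["server"] != pfsense_ip:
        via = " via the public roots" if d["status"] == "NXDOMAIN" and d["root_soa"] else ""
        return ("STUB_NOT_PFSENSE", "answered by %s%s, not pfSense; retry with dig @%s"
                % (d["server"], via, pfsense_ip))
    if d["status"] == "REFUSED":
        return ("ACCESS_LIST", "pfSense refused the query: the Unbound access list does not allow this client")
    if d["status"] == "NOERROR" and d["aa"]:
        return ("RESOLVER_OK", "pfSense answered authoritatively; the resolver is up and reachable")
    if d["status"] == "SERVFAIL":
        return ("UPSTREAM", "pfSense was reached but could not resolve; check roots/upstream/forwarding")
    return ("UNKNOWN", "status %s from %s" % (d["status"], d["server"]))

# Condensed from the thread: refused (access list removed), stub NXDOMAIN, working answer.
REFUSED = """;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24649
;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; SERVER: 192.168.9.253#53(192.168.9.253)"""
STUB = """;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7057
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; AUTHORITY SECTION:
. 3559 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2016102400 1800 900 604800 86400
;; SERVER: 127.0.1.1#53(127.0.1.1)"""
OK = """;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4439
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; SERVER: 192.168.9.253#53(192.168.9.253)"""

if __name__ == "__main__":
    for sample in (REFUSED, STUB, OK):
        print(diagnose(sample, "192.168.9.253"))
```

Run it against the full output of `dig @192.168.9.253 pfsense.local.lan` (or whatever the pfSense IP and hostname are) to get the same verdict the thread arrives at by hand.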