Netgate Discussion Forum

    Request to pfSense.localdomain timed-out

    • johnpozJ Offline
      johnpoz LAYER 8 Global Moderator
      last edited by

      Well ur linux box is most likely not asking pfsense

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      • T Offline
        tushar
        last edited by

        Any idea what I do now, because 127.0.0.1 is not resolving domains... DNS lookup also keeps searching but nothing.

        NOTE: tested this - when I set DNS Query Forwarding to Enabled and put Google DNS 8.8.8.8 in System/General Setup, everything works normally. But before that I used to keep DNS Query unchecked with no DNS in System/General and everything just worked fine....

        • johnpozJ Offline
          johnpoz LAYER 8 Global Moderator
          last edited by

          dude so when you query the pfsense directly??

          dig @pfsenseIP pfsense.localdomainname.tld

          does that respond or not?

          On pfsense using the resolver and pointing to itself, can it resolve other domains?

          Your problem is your linux is asking some service running local, that does what?  does it forward to what?

          It's possible pfsense resolver is having an issue talking to roots and the authoritative ns.  But it should be able to resolve its own name when asked by itself or other clients.

          It's also possible you just don't have an access list that allows your client to even query pfsense for anything that the resolver can resolve, either your own local names or host overrides or outside.

          • T Offline
            tushar
            last edited by

            ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.localdomain
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1336
            ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;pfsense.localdomain.		IN	A
            
            ;; ANSWER SECTION:
            pfsense.localdomain.	3600	IN	A	192.168.2.1
            
            ;; Query time: 0 msec
            ;; SERVER: 127.0.1.1#53(127.0.1.1)
            ;; WHEN: Tue Oct 25 01:37:58 IST 2016
            ;; MSG SIZE  rcvd: 64
            
            

            • johnpozJ Offline
              johnpoz LAYER 8 Global Moderator
              last edited by

              ok so you can query pfsense local name, and you can query some domains.

              You need to figure out why you can not query those…  Set up your debug level in unbound and try the queries again and see what it says?

              Do a query direct to the ns for facebook.com

              dig @a.ns.facebook.com www.facebook.com

              ; <<>> DiG 9.11.0 <<>> @a.ns.facebook.com www.facebook.com
              ; (1 server found)
              ;; global options: +cmd
              ;; Got answer:
              ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64707
              ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
              ;; WARNING: recursion requested but not available

              ;; QUESTION SECTION:
              ;www.facebook.com.              IN      A

              ;; ANSWER SECTION:
              www.facebook.com.      3600    IN      CNAME  star-mini.c10r.facebook.com.

              ;; AUTHORITY SECTION:
              facebook.com.          172800  IN      NS      a.ns.facebook.com.
              facebook.com.          172800  IN      NS      b.ns.facebook.com.

              ;; ADDITIONAL SECTION:
              a.ns.facebook.com.      172800  IN      AAAA    2a03:2880:fffe:c:face:b00c:0:35
              a.ns.facebook.com.      172800  IN      A      69.171.239.12
              b.ns.facebook.com.      172800  IN      AAAA    2a03:2880:ffff:c:face:b00c:0:35
              b.ns.facebook.com.      172800  IN      A      69.171.255.12

              ;; Query time: 15 msec
              ;; SERVER: 69.171.239.12#53(69.171.239.12)
              ;; WHEN: Mon Oct 24 17:30:50 Central Daylight Time 2016
              ;; MSG SIZE  rcvd: 186

              Maybe you're having ipv6 issues?  Maybe your isp is doing something with your dns queries?

              Do a +trace with dig to see what might be failing?  The resolver works completely differently than forwarding.  You walk the tree down from roots to the authoritative server.  If your internet connection has problems to these authoritative servers then you can have issues.

              Change over to the forwarder if you're having issues with resolving, or put the resolver in forwarder mode - most likely have to turn off dnssec if where you forward doesn't support it.

              • T Offline
                tushar
                last edited by

                ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.facebook.com
                ;; global options: +cmd
                ;; Got answer:
                ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42715
                ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
                
                ;; OPT PSEUDOSECTION:
                ; EDNS: version: 0, flags:; udp: 4096
                ;; QUESTION SECTION:
                ;www.facebook.com.		IN	A
                
                ;; Query time: 0 msec
                ;; SERVER: 127.0.1.1#53(127.0.1.1)
                ;; WHEN: Tue Oct 25 10:32:57 IST 2016
                ;; MSG SIZE  rcvd: 45
                
                
                lubuntu@lubuntu:~$ traceroute www.facebook.com
                www.facebook.com: Temporary failure in name resolution
                Cannot handle "host" cmdline arg `www.facebook.com' on position 1 (argc 1)
                
                
                lubuntu@lubuntu:~$ traceroute www.google.com
                traceroute to www.google.com (216.58.220.196), 30 hops max, 60 byte packets
                 1  pfSense.localdomain (192.168.2.1)  0.227 ms  0.248 ms  0.156 ms
                 2  192.168.1.1 (192.168.1.1)  2.080 ms  2.485 ms  2.654 ms
                 3  103.30.141.1 (103.30.141.1)  33.453 ms  33.419 ms  33.363 ms
                 4  172.25.24.66 (172.25.24.66)  33.535 ms  50.011 ms  49.956 ms
                 5  172.25.24.17 (172.25.24.17)  49.919 ms  49.871 ms  49.848 ms
                 6  172.25.24.78 (172.25.24.78)  49.344 ms  48.722 ms  49.034 ms
                 7  103.14.124.125 (103.14.124.125)  48.936 ms  47.614 ms  47.483 ms
                 8  108.170.238.13 (108.170.238.13)  46.678 ms  37.054 ms  36.928 ms
                 9  216.58.220.196 (216.58.220.196)  36.913 ms  18.125 ms  18.031 ms
                lubuntu@lubuntu:~$ 
                

                • T Offline
                  tushar
                  last edited by

                  Devs, any idea why I'm not able to resolve domains? Only youtube and google.com are working fine.

                  • johnpozJ Offline
                    johnpoz LAYER 8 Global Moderator
                    last edited by

                    Well let's track one specific thing that you say does not resolve..

                    So for example… How do you think this .localdomain is going to resolve???

                    tools.ietf.org.localdomain

                    Seems you're tacking on .localdomain to your queries.. Yeah those are going to FAIL every time!!

                    Looks like you're also trying to do ipv6 which is failing.

                    Also what part do you NOT get about doing a query to pfsense directly...  You're asking something running on your linux box.. you're asking 127.0.1.1 which is loopback.. Where is it asking???  Pfsense?  Maybe something else?  You don't freaking know, etc..  So in your dig command directly query pfsense IP..

                    Dig @pfsenseIP what.yourlooking.for

                    Do a query direct to your pfsense IP for facebook..  If that fails, then look in your resolver log to why, etc.

                    • T Offline
                      tushar
                      last edited by

                      ; <<>> DiG 9.10.3-P4-Ubuntu <<>> 192.168.2.1 www.facebook.com
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3953
                      ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 1280
                      ;; QUESTION SECTION:
                      ;192.168.2.1.			IN	A
                      
                      ;; ANSWER SECTION:
                      192.168.2.1.		0	IN	A	192.168.2.1
                      
                      ;; Query time: 0 msec
                      ;; SERVER: 127.0.1.1#53(127.0.1.1)
                      ;; WHEN: Thu Oct 27 10:29:33 IST 2016
                      ;; MSG SIZE  rcvd: 56
                      
                      ;; connection timed out; no servers could be reached
                      

                      After some R&D it looks like my ISP is not allowing me to use any third-party DNS other than their own Google 8.8.8.8 and their own 103.14.124.6. I tried putting OpenDNS 208.67.222.222 in DNS forwarding mode and am still not able to resolve domains; when I use 8.8.8.8 all works fine.

                      I can't even ping any IP or domain other than Google services like youtube, plus google, google.com and Google DNS.

                      • johnpozJ Offline
                        johnpoz LAYER 8 Global Moderator
                        last edited by

                        Well if your ISP is that crappy I would change ISP to be honest ;)

                        If that is the case then NO you can not use a resolver, and can only forward.  To the ns they allow you to talk to, resolving will not work unless you can talk to ANY IP on the planet on udp/tcp 53.  Since you have no idea where the authoritative server for somedomain.tld will actually be.

                        Dude but you're killing me.. Your posted dig was not to pfsense directly.. You asked yet again the local service running on your linux box 127.0.1.1 hey what is the A record for 192.168.2.1 – yeah that is not what I said to do.  I said to query pfsense directly!!!

                        so as I gave example use the @ in your dig command to tell it where to go..

                        Ie dig @192.168.2.1 what.yourlookking.for

                        If 192.168.2.1 is the IP of pfsense that unbound is listening on.

                        dig **@**192.168.9.253 www.facebook.com

                        
                        user@ubuntu:~$ dig @192.168.9.253 www.facebook.com
                        
                        ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> @192.168.9.253 www.facebook.com
                        ; (1 server found)
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6660
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;www.facebook.com.              IN      A
                        
                        ;; ANSWER SECTION:
                        www.facebook.com.       3600    IN      CNAME   star-mini.c10r.facebook.com.
                        star-mini.c10r.facebook.com. 60 IN      A       31.13.65.36
                        
                        ;; AUTHORITY SECTION:
                        c10r.facebook.com.      1651    IN      NS      a.ns.c10r.facebook.com.
                        c10r.facebook.com.      1651    IN      NS      b.ns.c10r.facebook.com.
                        
                        ;; ADDITIONAL SECTION:
                        a.ns.c10r.facebook.com. 1651    IN      AAAA    2a03:2880:fffe:b:face:b00c:0:99
                        a.ns.c10r.facebook.com. 1651    IN      A       69.171.239.11
                        b.ns.c10r.facebook.com. 1651    IN      AAAA    2a03:2880:ffff:b:face:b00c:0:99
                        b.ns.c10r.facebook.com. 1651    IN      A       69.171.255.11
                        
                        ;; Query time: 28 msec
                        ;; SERVER: 192.168.9.253#53(192.168.9.253)
                        ;; WHEN: Thu Oct 27 07:04:56 CDT 2016
                        ;; MSG SIZE  rcvd: 213
                        
                        

                        Notice the @192.168.9.253 in my command, notice dig tells me who I ask
                        ;; SERVER: 192.168.9.253#53(192.168.9.253)

                        Or you could do it this way

                        dig www.facebook.com **@**192.168.9.253

                        
                        user@ubuntu:~$ dig www.facebook.com @192.168.9.253
                        
                        ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> www.facebook.com @192.168.9.253
                        ;; global options: +cmd
                        ;; Got answer:
                        ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17550
                        ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
                        
                        ;; OPT PSEUDOSECTION:
                        ; EDNS: version: 0, flags:; udp: 4096
                        ;; QUESTION SECTION:
                        ;www.facebook.com.              IN      A
                        
                        ;; ANSWER SECTION:
                        www.facebook.com.       3463    IN      CNAME   star-mini.c10r.facebook.com.
                        star-mini.c10r.facebook.com. 60 IN      A       31.13.65.36
                        
                        ;; AUTHORITY SECTION:
                        c10r.facebook.com.      1514    IN      NS      a.ns.c10r.facebook.com.
                        c10r.facebook.com.      1514    IN      NS      b.ns.c10r.facebook.com.
                        
                        ;; ADDITIONAL SECTION:
                        a.ns.c10r.facebook.com. 1514    IN      AAAA    2a03:2880:fffe:b:face:b00c:0:99
                        a.ns.c10r.facebook.com. 1514    IN      A       69.171.239.11
                        b.ns.c10r.facebook.com. 1514    IN      AAAA    2a03:2880:ffff:b:face:b00c:0:99
                        b.ns.c10r.facebook.com. 1514    IN      A       69.171.255.11
                        
                        ;; Query time: 17 msec
                        ;; SERVER: 192.168.9.253#53(192.168.9.253)
                        ;; WHEN: Thu Oct 27 07:07:13 CDT 2016
                        ;; MSG SIZE  rcvd: 213
                        
                        

                        Again notice the @ and the IP of who I want to ask.  192.168.9.253 in my case.

                        If your ISP is going to limit who you can ask for dns, then you're prob best off using the forwarder and not the resolver..  And just putting in the IPs of the dns they let you ask.  Or I would really freaking complain to them - blocking you from asking a NS for something is just BS plain and simple.

                        You can use that command to ask some ns on the public internet for something directly.  This would validate if your isp is allowing or blocking you.  As long as your lan rules allow you outbound on 53..  You can even tell dig to use TCP vs UDP..

                        • T Offline
                          tushar
                          last edited by

                          My pfsense IP is 192.168.2.1

                          I tried using the ISP DNS and Google IP 8.8.8.8: all websites open perfectly, but one new problem: I can't ping anything other than Google DNS and the ISP-provided DNS IP.

                          It looks like they are restricting us from using third-party DNS and not allowing us to ping any IP.

                          What's wrong with dig :( I'm so frustrated, you asked me for "dig @pfsenseIP www.whatever.com"

                          
                          lubuntu@lubuntu-:~$ dig @192.168.2.1 www.facebook.com
                          
                          ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.2.1 www.facebook.com
                          ; (1 server found)
                          ;; global options: +cmd
                          ;; connection timed out; no servers could be reached
                          lubuntu@lubuntu-:~$ 
                          
                          
                          Tushars-MacBook-Pro:~ tushar$ ping 208.67.222.222
                          PING 208.67.222.222 (208.67.222.222): 56 data bytes
                          Request timeout for icmp_seq 0
                          Request timeout for icmp_seq 1
                          Request timeout for icmp_seq 2
                          Request timeout for icmp_seq 3
                          Request timeout for icmp_seq 4
                          ^C
                          --- 208.67.222.222 ping statistics ---
                          6 packets transmitted, 0 packets received, 100.0% packet loss
                          
                          
                          
                          Tushars-MacBook-Pro:~ tushar$ ping 8.8.8.8
                          PING 8.8.8.8 (8.8.8.8): 56 data bytes
                          64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=8.675 ms
                          64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=11.394 ms
                          64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=10.896 ms
                          ^C
                          --- 8.8.8.8 ping statistics ---
                          3 packets transmitted, 3 packets received, 0.0% packet loss
                          round-trip min/avg/max/stddev = 8.675/10.322/11.394/1.182 ms
                          
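An added example, not part of any post in this thread: a small Python check over saved dig output that flags the two mistakes worked through above, an IP address sent as the query name because the `@` was left off, and a reply that came from the local stub at 127.0.1.1 rather than the server being tested. The sample outputs are constructed and trimmed from the shapes posted in the thread; the function names and finding codes are assumptions of this example.

```python
import ipaddress
import re

# Constructed samples, trimmed to the lines that matter, in the shape of the dig
# output posted in the thread (192.168.2.1 = pfSense, 127.0.1.1 = local stub).
MISSING_AT = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> 192.168.2.1 www.facebook.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3953
;192.168.2.1.\t\t\tIN\tA
;; SERVER: 127.0.1.1#53(127.0.1.1)
;; connection timed out; no servers could be reached
"""
STUB_SERVFAIL = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.facebook.com
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42715
;www.facebook.com.\t\tIN\tA
;; SERVER: 127.0.1.1#53(127.0.1.1)
"""
DIRECT_TIMEOUT = """\
; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.2.1 www.facebook.com
;; connection timed out; no servers could be reached
"""

EXPLAIN = {
    "MISSING_AT": "an IP address was sent as the query name; put '@' before it",
    "LOOPBACK_STUB": "a local stub answered; the server under test was not queried directly",
    "WRONG_SERVER": "the reply came from a server other than the one under test",
    "SERVFAIL": "the answering server could not complete the lookup",
    "NO_REPLY": "a query got no reply at all",
}

def _ip(text):
    """Return an ip_address object, or None if text is not an IP literal."""
    try:
        return ipaddress.ip_address(text)
    except ValueError:
        return None

def parse_dig(output):
    """Pull status, answering server and question names out of dig output."""
    status = re.search(r"status: ([A-Z]+)", output)
    server = re.search(r"^;; SERVER: ([^#\s]+)#\d+", output, re.M)
    names = re.findall(r"^;([^;\s]\S*)[ \t]+IN[ \t]+\S+[ \t]*$", output, re.M)
    return {
        "status": status.group(1) if status else None,
        "server": server.group(1) if server else None,
        "questions": [n.rstrip(".") for n in names],
        "timed_out": "connection timed out" in output,
    }

def diagnose(output, intended):
    """Return finding codes for one dig run meant to test server `intended`."""
    r = parse_dig(output)
    codes = []
    if any(_ip(q) is not None for q in r["questions"]):
        codes.append("MISSING_AT")
    if r["server"] and r["server"] != intended:
        ip = _ip(r["server"])
        codes.append("LOOPBACK_STUB" if ip and ip.is_loopback else "WRONG_SERVER")
    if r["status"] == "SERVFAIL":
        codes.append("SERVFAIL")
    if r["timed_out"]:
        codes.append("NO_REPLY")
    return codes

if __name__ == "__main__":
    for sample in (MISSING_AT, STUB_SERVFAIL, DIRECT_TIMEOUT):
        print([f"{c}: {EXPLAIN[c]}" for c in diagnose(sample, "192.168.2.1")])
```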