Can not resolve a DNS
-
C:\Users\Chris>dig +trace +nodnssec melita.com
; <<>> DiG 9.11.0-P1 <<>> +trace +nodnssec melita.com
;; global options: +cmd
;; Received 12 bytes from 192.168.0.1#53(192.168.0.1) in 0 ms:) sorry
-
that is your full output??
Is 192.168.0.1 pfsense? And you have it resolver mode? It should of atleast given you the root servers.. You got something wrong..
Try it with just the +trace option
dig +trace melita.com
Also dig NS what does that give you back?
C:\>dig NS ; <<>> DiG 9.11.0-P1 <<>> NS ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33584 ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;. IN NS ;; ANSWER SECTION: . 487240 IN NS j.root-servers.net. . 487240 IN NS m.root-servers.net. . 487240 IN NS a.root-servers.net. . 487240 IN NS c.root-servers.net. . 487240 IN NS e.root-servers.net. . 487240 IN NS d.root-servers.net. . 487240 IN NS k.root-servers.net. . 487240 IN NS h.root-servers.net. . 487240 IN NS f.root-servers.net. . 487240 IN NS i.root-servers.net. . 487240 IN NS b.root-servers.net. . 487240 IN NS l.root-servers.net. . 487240 IN NS g.root-servers.net. ;; Query time: 0 msec ;; SERVER: 192.168.9.253#53(192.168.9.253) ;; WHEN: Sun Nov 27 09:49:40 Central Standard Time 2016 ;; MSG SIZE rcvd: 239
-
yes 192.168.0.1 is my pfsense and left everything default
C:\Users\Chris>dig +trace melita.com
; <<>> DiG 9.11.0-P1 <<>> +trace melita.com
;; global options: +cmd
;; Received 12 bytes from 192.168.0.1#53(192.168.0.1) in 0 ms -
C:\Users\Chris>dig NS
; <<>> DiG 9.11.0-P1 <<>> NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65221
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;. IN NS;; ANSWER SECTION:
. 512472 IN NS l.root-servers.net.
. 512472 IN NS h.root-servers.net.
. 512472 IN NS d.root-servers.net.
. 512472 IN NS f.root-servers.net.
. 512472 IN NS m.root-servers.net.
. 512472 IN NS a.root-servers.net.
. 512472 IN NS b.root-servers.net.
. 512472 IN NS j.root-servers.net.
. 512472 IN NS k.root-servers.net.
. 512472 IN NS i.root-servers.net.
. 512472 IN NS c.root-servers.net.
. 512472 IN NS e.root-servers.net.
. 512472 IN NS g.root-servers.net.;; Query time: 0 msec
;; SERVER: 192.168.0.1#53(192.168.0.1)
;; WHEN: Sun Nov 27 16:57:10 W. Europe Standard Time 2016
;; MSG SIZE rcvd: 239 -
WTF???
So try the +trace +nodnssec command on some other domain that works..
say pfsense.org
C:\>dig +trace +nodnssec pfsense.org ; <<>> DiG 9.11.0-P1 <<>> +trace +nodnssec pfsense.org ;; global options: +cmd . 485772 IN NS j.root-servers.net. . 485772 IN NS m.root-servers.net. . 485772 IN NS a.root-servers.net. . 485772 IN NS c.root-servers.net. . 485772 IN NS e.root-servers.net. . 485772 IN NS d.root-servers.net. . 485772 IN NS k.root-servers.net. . 485772 IN NS h.root-servers.net. . 485772 IN NS f.root-servers.net. . 485772 IN NS i.root-servers.net. . 485772 IN NS b.root-servers.net. . 485772 IN NS l.root-servers.net. . 485772 IN NS g.root-servers.net. ;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 0 ms org. 172800 IN NS b0.org.afilias-nst.org. org. 172800 IN NS a2.org.afilias-nst.info. org. 172800 IN NS c0.org.afilias-nst.info. org. 172800 IN NS a0.org.afilias-nst.info. org. 172800 IN NS d0.org.afilias-nst.org. org. 172800 IN NS b2.org.afilias-nst.org. ;; Received 442 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms pfsense.org. 86400 IN NS ns1.netgate.com. pfsense.org. 86400 IN NS ns2.netgate.com. ;; Received 87 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 12 ms pfsense.org. 300 IN A 208.123.73.69 pfsense.org. 300 IN NS ns2.netgate.com. pfsense.org. 300 IN NS ns1.netgate.com. ;; Received 135 bytes from 192.207.126.6#53(ns1.netgate.com) in 54 ms
you didn't put in some domain overrides or anything for this melita.com did you???
Ok I was able to duplicate what you saw.. Your ACL is only set to allow vs allow snoop..
> dig +trace +nodnssec melita.com ; <<>> DiG 9.11.0-P1 <<>> +trace +nodnssec melita.com ;; global options: +cmd ;; Received 12 bytes from 192.168.9.253#53(192.168.9.253) in 1 ms
Go into your unbound acl and change to allow snoop vs allow.. Then try the +trace dig again.
-
sorry dude did the acl but same
C:\Users\Chris>dig +trace +nodnssec pfsense.org
; <<>> DiG 9.11.0-P1 <<>> +trace +nodnssec pfsense.org
;; global options: +cmd
;; Received 12 bytes from 192.168.0.1#53(192.168.0.1) in 0 ms -
I really really thank you for all your time and help. But if it is getting a headache for you please do not feel obligated in anyway to resolve this for me. Thanks again friend
-
I disabled resolver and enabled the forwarder, in forwarder the site resolves and works fine.
-
Are you using the ACL??
Did you turn off the auto ones?
Disable Auto-added Access ControlIn the advanced section of unbound?
Try the drill command from pfsense directly.. what we are looking for is where it fails in the resolve process for that domain.. Is it talking to their authoritative servers??
You could try that.. do say
> dig @212.56.128.196 melita.com. ; <<>> DiG 9.11.0-P1 <<>> @212.56.128.196 melita.com. ; (1 server found) ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 33157 ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 3 ;; WARNING: recursion requested but not available ;; OPT PSEUDOSECTION: ; EDNS: version: 0, flags:; udp: 4096 ;; QUESTION SECTION: ;melita.com. IN A ;; ANSWER SECTION: melita.com. 86400 IN A 212.56.128.204 ;; AUTHORITY SECTION: melita.com. 86400 IN NS ns1.melitacable.com. melita.com. 86400 IN NS ns.melitacable.com. ;; ADDITIONAL SECTION: ns.melitacable.com. 86400 IN A 212.56.128.132 ns1.melitacable.com. 86400 IN A 212.56.128.196 ;; Query time: 158 msec ;; SERVER: 212.56.128.196#53(212.56.128.196) ;; WHEN: Sun Nov 27 11:30:00 Central Standard Time 2016 ;; MSG SIZE rcvd: 134
Try the other NS if that one fails 212.56.128.196
-
Hi John sorry for the delay I will do drill command in pfsense and get back to you btw yes I disabled the auto ACL in advanced settings
-
if you have a ACL setup correctly then you for sure should be able to get the roots from pfsense and then your dig +trace command should work, or atleast return with the roots, it might fail after that but its shouldn't come back blank like you were seeing.
-
Is this it
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 8444
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; melita.com. IN A;; ANSWER SECTION:
melita.com. 79580 IN A 212.56.128.204;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 12 msec
;; SERVER: 212.56.129.228
;; WHEN: Mon Nov 28 18:44:37 2016
;; MSG SIZE rcvd: 44 -
when I Disable Auto-added Access Control nothing gets resolved I had to uncheck it
-
this is because if you don't use the auto, you have to create your own!!! Which you said you did, I posted a screen of mine as example..
-
you don't need the ipv6.. Shoot I should of hid thouse.. Could you please delete that pic, I will delete mine and repost with thos hidden.
You need to put in the network your using.. What network are you using - if for example 172.16/12 then my acl would not work for you..
Your using 192.168.0/24 right.. So if that is the only network you query pfsense from then that would be in your allow list. So if you put in 192.168/16 like I have then it should work.. So your still not getting the root servers when you do a +trace from your client on 192.168 network??
Do the drill command on pfsense then.. Lets see where its failing.
-
Sorry John for posting the pic I removed it from my pc and post. My network is 192.168.0.1/24
-
Oh not on you at all!!! It was my bad for not seeing I posted a global IPv6 address… Thanks for removing it.. I reposted with the ipv6 obfuscated. In the big picture prob not a issue at all.. Normally I wouldn't care.. but as you can see from my neg karma number. Some people don't always like my posts ;) And vs doing the -1 which would be their right.. They hit it an hit it and hit it.. I know for sure about 60 of those came from 2 guys..
So with the ability to rent the very large botnets, I wouldn't put it past some people to think its funny to run a ddos against.. Yes I have my tinfoil hat on while typing this..
192.168.0.1/24 is not a network btw, that is a host address the 192.168.0.0/24 ;) So if your putting in ACL you can put in 192.168.0.0/24 or 192.168.0.0/16 is the full 192.168 rfc1918 space.
-
DW John remember the guys that try to help in this world get the slapped back instead of thank you, I read a post with a guy admitting was longing to pick one out with you and accused you that you dont know what you are talking about llooolll Some should learn from you. Now sorry for asking but should I go to Command Prompt in pfsense and type drill melita.com?
-
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 59963
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; melita.com. IN A;; ANSWER SECTION:
melita.com. 36082 IN A 212.56.128.204;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 9 msec
;; SERVER: 212.56.132.20
;; WHEN: Mon Nov 28 20:00:06 2016
;; MSG SIZE rcvd: 44 -
yeah you need to -T with the drill command
drill -T melita.com
This should give you the full trace like dig would do..
So for example running it on my pfsense just now.
[2.3.2-RELEASE][root@pfsense.local.lan]/root: drill -T melita.com com. 172800 IN NS e.gtld-servers.net. com. 172800 IN NS b.gtld-servers.net. com. 172800 IN NS j.gtld-servers.net. com. 172800 IN NS m.gtld-servers.net. com. 172800 IN NS i.gtld-servers.net. com. 172800 IN NS f.gtld-servers.net. com. 172800 IN NS a.gtld-servers.net. com. 172800 IN NS g.gtld-servers.net. com. 172800 IN NS h.gtld-servers.net. com. 172800 IN NS l.gtld-servers.net. com. 172800 IN NS k.gtld-servers.net. com. 172800 IN NS c.gtld-servers.net. com. 172800 IN NS d.gtld-servers.net. melita.com. 172800 IN NS ns.melitacable.com. melita.com. 172800 IN NS ns1.melitacable.com. melita.com. 86400 IN A 212.56.128.204 melita.com. 86400 IN NS ns1.melitacable.com. melita.com. 86400 IN NS ns.melitacable.com. [2.3.2-RELEASE][root@pfsense.local.lan]/root:
If fails try adding the -V 5 command so we get full details
drill -T -V 5 melita.com