2.4.1: local DNS not working
-
1) Under General Settings, I have the local DNS server set (10.180.x.x).
2) In DNS Resolver, I have static mappings for a couple of Linux servers. I also have DHCP and static IPs being registered in DNS Resolver. DNSSEC is checked.
3) In DHCP Server, the DNS value is blank (should default to #1, right?). In DHCP Server I have a few static leases defined.
No. It defaults to the interface address the DHCP Server is running on.
Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.
Look at the client that was configured using DHCP. What are its configured name servers? What happens when it tries to use them to resolve names? Then look at why that might be. Using tools like dig/drill to solve this instead of the silly windows tools helps a lot.
-
So - this sounds similar to the other person talking above about pfsense using google and ignoring dns settings.
No, it's not pfSense using Google DNS. It's my computer, which has pfSense configured as the first DNS to try and Google as the 2nd, should the first fail. PfSense resolver fails, so the computer falls through to use Google. This accounts for the delay when I first go to a web site. Dig proves it. When resolver is configured, it uses Google, when forwarder, pfSense.
Here's what happens on my computer. The first time is with resolver enabled and the 2nd, with resolver. The firewall address has been changed to protect the guilty. ;)
$ dig google.com
; <<>> DiG 9.9.9-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 46476
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 299 IN A 172.217.0.238
;; Query time: 48 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Sun Nov 05 15:19:58 EST 2017
;; MSG SIZE rcvd: 55
$ dig google.com
; <<>> DiG 9.9.9-P1 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9659
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 199 IN A 172.217.2.174
;; Query time: 13 msec
;; SERVER: 2607:fea8:4cdf216:17ff:fea7:xyz#53(2607:fea8:4cdf216:17ff:fea7:xyz)
;; WHEN: Sun Nov 05 15:21:33 EST 2017
;; MSG SIZE rcvd: 55
-
No, it's not pfSense using Google DNS. It's my computer, which has pfSense configured as the first DNS to try and Google as the 2nd, should the first fail.
Common mistake.
ALL configured client name servers MUST return the same answers to the same questions. This is ESPECIALLY true if you want to use local overrides.
There is NO guarantee which configured name server will be used first by the client.
-
No, it's not pfSense using Google DNS. It's my computer, which has pfSense configured as the first DNS to try and Google as the 2nd, should the first fail.
Common mistake.
ALL configured client name servers MUST return the same answers to the same questions. This is ESPECIALLY true if you want to use local overrides.
There is NO guarantee which configured name server will be used first by the client.
Not according to the Linux man pages:
nameserver Name server IP address
Internet address of a name server that the resolver should
query, either an IPv4 address (in dot notation), or an IPv6
address in colon (and possibly dot) notation as per RFC 2373.
Up to MAXNS (currently 3, see <resolv.h>) name servers may be
listed, one per keyword. If there are multiple servers, the
resolver library queries them in the order listed. If no
nameserver entries are present, the default is to use the name
server on the local machine. (The algorithm used is to try a
name server, and if the query times out, try the next, until
out of name servers, then repeat trying all the name servers
until a maximum number of retries are made.)
http://man7.org/linux/man-pages/man5/resolv.conf.5.html
So, since pfSense is listed first in /etc/resolv.conf, followed by Google, then pfSense will be tried first and if it fails, then Google.
-
OK don't listen to years of experience.
-
Try to dig from the command line in pfSense. If it works, it's not the same issue I'm having.
-
Try to dig from the command line in pfSense. If it works, it's not the same issue I'm having.
Dig shows 127.0.0.1 with either forwarder or resolver.
-
Show the output please. I have NO IDEA what "dig shows 127.0.0.1" means. Shows where? There is no context.
-
Show the output please. I have NO IDEA what "dig shows 127.0.0.1" means. Shows where? There is no context.
/root: dig google.com
; <<>> DiG 9.11.2 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63302
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.0.238
;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 05 18:31:26 EST 2017
;; MSG SIZE rcvd: 55
-
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Sun Nov 05 15:19:58 EST 2017
;; MSG SIZE rcvd: 55
snipped
;; SERVER: 2607:fea8:4cdf216:17ff:fea7:xyz#53(2607:fea8:4cdf216:17ff:fea7:xyz)
;; WHEN: Sun Nov 05 15:21:33 EST 2017
;; MSG SIZE rcvd: 55
How are your addresses IPv6 and Global ?
-
How are your addresses IPv6 and Global ?
???
I have valid global unicast addresses on IPv6. That's never been the issue. The problem is when pfSense is configured to use resolver for DNS, it fails, but works with forwarder. Nothing else changed when I updated from 2.4.0.
-
/root: dig google.com
; <<>> DiG 9.11.2 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 63302
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 300 IN A 172.217.0.238
;; Query time: 310 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Sun Nov 05 18:31:26 EST 2017
;; MSG SIZE rcvd: 55
If that was taken on pfSense then the local resolver is working fine. You asked localhost for an answer and got one.
-
I have valid global unicast addresses on IPv6.
Me too… and to say, dual stack IPv6 & (IPv4 NAT) on LAN's.
A host on LAN reports as the DNS server the IPv4 pfSense-LAN address.
You have a special home config I now believe ;) Single stack, IPv6 ?
-
Nonsense… Resolver works just fine in 2.4.. If it broke then the boards would be under ddos attack with people complaining..
Well, without logs there isn't much point in arguing. But I will say, based on the very general sense, it's not nonsense. I have seen resolver break two other times (once in 2.3.x and once in 2.4.0). Both were shown to me after a level 1 tech tried upgrading or something. Both times I saw security errors in the logs and disabled DNSSEC support and the problem was fixed.
I've never reported the issue because it was a quick hack fix, but the point is without diagnosing, anything is possible.
-
DNSSEC being broken is not necessarily the fault of the resolver. Particularly if the resolver is in forwarding mode.
Anyone who claims "it's broken" needs to be able to show what isn't working in some way that people on a forum can see.
"It's broken" when it is working for tens of thousands of sites is nonsense. Or at least points to a local configuration error at that site which, again, would require some evidence presented for evaluation.
-
If that was taken on pfSense then the local resolver is working fine. You asked localhost for an answer and got one.
I noticed that too. But it does not work for a computer behind pfSense. I included dig examples in an earlier message, that showed pfSense works with forwarder, but not resolver, for that computer.
-
@hda:
I have valid global unicast addresses on IPv6.
Me too… and to say, dual stack IPv6 & (IPv4 NAT) on LAN's.
A host on LAN reports as the DNS server the IPv4 pfSense-LAN address.
You have a special home config I now believe ;) Single stack, IPv6 ?
I always get an IPv6 address as shown in dig. My network is dual stack, with everything capable of IPv6 getting both IPv4 & IPv6 addresses. My main computer uses static configuration for DNS, with IPv6 addresses for pfSense and Google DNS servers. Devices that connect via DHCP get the IPv4 address for pfSense DNS for the 1st DNS server and 8.8.8.8 & 4.4.4.4 for 2nd & 3rd.
-
Dude.
Enable the resolver.
Go to the client that doesn't work.
What are the configured name servers on that client? Probably in /etc/resolv.conf. There is a lot of disparity in how this is done now. In ubuntu it's all generated by resolvconf, YDMV.
Query each of them individually as in:
dig @192.168.1.1 www.google.com A
dig @192.168.1.1 www.google.com AAAA
dig @8.8.8.8 www.google.com A
dig @8.8.8.8 www.google.com AAAA
dig @8.8.4.4 www.google.com A
dig @8.8.4.4 www.google.com AAAA
See if you can see where the problem is.
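The two points made above, that every name server a client is configured with must return the same answers, and that the way to find the broken one is to query each of them individually, can be scripted. The block below is an added example, not code posted by anyone in this thread and not part of pfSense; it does with raw UDP DNS packets what the dig @server loop above does by hand, then reports which servers timed out and whether the ones that answered agree. The resolv.conf text, the server addresses, the name host.lan and the embedded response bytes are all constructed for illustration; the live path (query/check_all) sends real UDP queries on port 53 with no TCP fallback and no DNSSEC validation.

```python
# Added example, not from this thread: query each configured name server
# separately for A and AAAA (what "dig @server" does by hand) and compare.
import random
import socket
import struct

DNS_TYPES = {"A": 1, "AAAA": 28}

# Constructed sample of a client's /etc/resolv.conf (addresses are made up).
SAMPLE_RESOLV_CONF = "nameserver 10.180.0.1\nnameserver 2001:4860:4860::8888\nsearch lan\n"

# Constructed sample response: txid 0x1234, flags QR|RD|RA, question host.lan A,
# one answer host.lan A 10.180.1.5 (TTL 300, name via compression pointer 0xc00c).
SAMPLE_RESPONSE = (b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
                   b"\x04host\x03lan\x00\x00\x01\x00\x01"
                   b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x01\x2c\x00\x04\x0a\xb4\x01\x05")

def nameservers(resolv_conf_text):
    """Nameserver addresses from resolv.conf, in file order (the order the resolver tries)."""
    return [parts[1] for parts in (l.split() for l in resolv_conf_text.splitlines())
            if len(parts) >= 2 and parts[0] == "nameserver"]

def build_query(name, qtype, txid):
    """Encode a recursive (RD=1) query in DNS wire format."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(lb)]) + lb.encode("ascii")
                     for lb in name.strip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", DNS_TYPES[qtype], 1)

def _skip_name(msg, off):
    """Advance past a possibly compressed name; return the new offset."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_answers(msg, expected_txid):
    """Sorted A/AAAA addresses from the answer section; ValueError on bad txid/flags/rcode."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    if not flags & 0x8000:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError("rcode %d" % (flags & 0x000F))
    off = 12
    for _ in range(qd):
        off = _skip_name(msg, off) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntop(socket.AF_INET, rdata))
        elif rtype == 28 and rdlen == 16:
            addrs.append(socket.inet_ntop(socket.AF_INET6, rdata))
    return sorted(addrs)

def query(server, name, qtype, timeout=2.0):
    """One UDP/53 query to a single server: ('ok', addrs), ('timeout', None) or ('error', msg)."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    txid = random.randrange(65536)
    sock = socket.socket(family, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(name, qtype, txid), (server, 53))
        data, _ = sock.recvfrom(4096)
        return ("ok", parse_answers(data, txid))
    except socket.timeout:
        return ("timeout", None)
    except (OSError, ValueError) as exc:
        return ("error", str(exc))
    finally:
        sock.close()

def compare(results):
    """results: server -> (status, payload).  Lists servers that failed and flags disagreement."""
    findings, answers = [], {}
    for server, (status, payload) in results.items():
        if status == "ok":
            answers[server] = tuple(payload)
        else:
            findings.append("%s: %s" % (server, status if payload is None else "%s (%s)" % (status, payload)))
    if len(set(answers.values())) > 1:
        findings.append("answering servers disagree: %s" % answers)
    return findings

def check_all(name, resolv_conf_text=SAMPLE_RESOLV_CONF):
    """Live check of one name, per record type, against every configured server."""
    return {qt: compare({s: query(s, name, qt) for s in nameservers(resolv_conf_text)})
            for qt in DNS_TYPES}
```

Running check_all("host.lan", open("/etc/resolv.conf").read()) on the client gives, per record type, the list of servers that timed out and a note if the answering servers disagree; an empty list means every configured server answered identically. One caveat when reading the disagreement note: for a CDN name such as google.com, different resolvers legitimately hand back different addresses (the outputs earlier in this thread show 172.217.0.238 from one server and 172.217.2.174 from another), so the check is meaningful for local hostnames and overrides, which is exactly where a fallback to a public resolver silently breaks things.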
-
Here's the relevant lines from /etc/resolv.conf
nameserver 2607:fea8:4cdf216:17ff:fea7:xyz
nameserver 2001:4860:4860::8888
nameserver 2001:4860:4860::8844
The first is my firewall, with address changed to protect the guilty and the other 2 are Google.
With resolver enabled.
To pfSense DNS
$ dig @2607:fea8:4cdf216:17ff:fea7:xyz google.com A
; <<>> DiG 9.9.9-P1 <<>> @2607:fea8:4cdf216:17ff:fea7:xyz google.com A
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
$ dig @2607:fea8:4cdf216:17ff:fea7:xyz google.com AAAA
; <<>> DiG 9.9.9-P1 <<>> @2607:fea8:4cdf216:17ff:fea7:xyz google.com AAAA
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
To Google DNS
$ dig @2001:4860:4860::8888 google.com A
; <<>> DiG 9.9.9-P1 <<>> @2001:4860:4860::8888 google.com A
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65367
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN A
;; ANSWER SECTION:
google.com. 299 IN A 172.217.0.238
;; Query time: 48 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Sun Nov 05 22:19:49 EST 2017
;; MSG SIZE rcvd: 55
$ dig @2001:4860:4860::8888 google.com AAAA
; <<>> DiG 9.9.9-P1 <<>> @2001:4860:4860::8888 google.com AAAA
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 990
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;google.com. IN AAAA
;; ANSWER SECTION:
google.com. 299 IN AAAA 2607:f8b0:400b:808::200e
;; Query time: 84 msec
;; SERVER: 2001:4860:4860::8888#53(2001:4860:4860::8888)
;; WHEN: Sun Nov 05 22:20:34 EST 2017
;; MSG SIZE rcvd: 67
As you can see in the above, pfSense fails and Google works. When I switch pfSense to forwarder, it works fine.
BTW, I run openSUSE Leap 42.3.
-
Are you passing IPv6 DNS into that interface?
Are you listening for DNS on that interface? Meaning does the resolver have that interface or All interfaces selected?
What is the output of this command run on the firewall?
netstat -an | grep LISTEN | grep 53
Does the DNS Resolver log show anything interesting?
When I switch pfSense to forwarder, it works fine.
And the forwarder is probably configured to forward to IPv4 name servers. So there might be a problem with IPv6 traffic from the firewall itself, or maybe something else. Really hard to say with the information that has been provided. It is generally pretty difficult when someone has it set in their head that pfSense is the broken component and not a misconfiguration of the same.
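The netstat check asked for above answers the question "is anything actually bound to port 53 on the address the clients were handed?". As an added example (not from this thread, and not a pfSense tool), the block below parses netstat -an output in the FreeBSD column layout that pfSense uses, where the port follows the last dot even for IPv6 locals such as ::1.53, and reports, for each interface address a client might have as its DNS server, which protocol/family pairs have no socket at all. It deliberately includes the UDP rows, which netstat prints with no LISTEN state, since nearly all client queries go over UDP. The netstat text is constructed, and 2001:db8::1 is a documentation-prefix placeholder standing in for a real global IPv6 interface address.

```python
# Added example, not from this thread: find the local addresses that have a
# DNS socket in "netstat -an" output (FreeBSD format, as on pfSense).
# The sample below is constructed, not captured from a real firewall.
SAMPLE_NETSTAT = """\
Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 10.180.0.1.53          *.*                    LISTEN
tcp4       0      0 127.0.0.1.53           *.*                    LISTEN
tcp6       0      0 ::1.53                 *.*                    LISTEN
tcp4       0      0 *.443                  *.*                    LISTEN
udp4       0      0 10.180.0.1.53          *.*
udp4       0      0 127.0.0.1.53           *.*
udp6       0      0 ::1.53                 *.*
"""

def dns_sockets(netstat_text, port=53):
    """Return {(proto, local_addr)} for every tcp*/udp* socket bound to local `port`.
    FreeBSD prints the port after the last dot, also for IPv6 ("::1.53"), so split there.
    UDP rows carry no LISTEN state, so filtering on LISTEN alone would hide them."""
    found = set()
    for line in netstat_text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0][:3] not in ("tcp", "udp"):
            continue
        addr, _, lport = parts[3].rpartition(".")
        if lport == str(port):
            found.add((parts[0], addr))
    return found

def serves(sockets, proto, addr):
    """True if a `proto` (tcp4/tcp6/udp4/udp6) DNS socket is bound on `addr` or the wildcard."""
    return (proto, addr) in sockets or (proto, "*") in sockets

def missing_listeners(sockets, interface_addrs):
    """For each interface address a client might be handed as its DNS server, list the
    (proto, addr) pairs with no socket: these are the addresses clients would time out on."""
    missing = []
    for addr in interface_addrs:
        suffix = "6" if ":" in addr else "4"
        for proto in ("udp" + suffix, "tcp" + suffix):
            if not serves(sockets, proto, addr):
                missing.append((proto, addr))
    return missing
```

Fed the real output (for example missing_listeners(dns_sockets(open("netstat.txt").read()), ["10.180.0.1", "2001:db8::1"]) after saving netstat -an on the firewall), an empty result means every address the clients use has both a UDP and a TCP DNS socket; an entry such as ("udp6", "2001:db8::1") means the resolver is not bound on that address, which matches a client that is given an IPv6 DNS server address and sees "connection timed out; no servers could be reached".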