DNS based rules requirements
-
So the table page for that alias is blank.
I can't see anything in the system log for filterdns :/
I do however see that IPSec tunnels fail to come up with an error that the remote endpoint hostname could not be resolved when the system reboots.
-
Well, if you cannot resolve whatever it is in your alias, then your table is going to be empty and your rules using those aliases are not going to work.
You forward to what exactly? You point pfSense just to its loopback? You're going to have to go into some more details of your setup.
-
Sorry, I had unbound set in "forwarder mode", I have unset that and it is having no impact.
nslookup for the hostname works as expected.
The tables entry for the WAN_ADMIN alias still shows empty, even after adding 4 hostnames to the list.
-
Actually, I have aliases on another box that have both hostname and IP addresses, and only the IP addresses are showing in the list under diagnostics -> tables. It is also on 2.4.4.
On another SG-3100 I have the same wan-admin access rule. It is running 2.4.3 and under diagnostics -> tables it does list the resolved IP address.
-
@bruor said in DNS based rules requirements:
nslookup for the hostname works as expected.
From where to where? Is pfSense pointing to itself for DNS?
-
pfSense is set to use the unbound instance on itself to resolve hostnames.
If I go to diagnostics -> dns lookup the names used in the rules resolve OK
-
And if you run
ps -ax | grep filterdns
[2.4.4-RELEASE][root@sg4860.local.lan]/root: ps -ax | grep filterdns
27088  -  Is    0:00.00 /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 300 -c /var/etc/filterdns.conf -d 1
 6137  0  S+    0:00.00 grep filterdns
[2.4.4-RELEASE][root@sg4860.local.lan]/root:
You see filterdns running?
-
There's the issue, it's not starting after the upgrade it appears.
There is also no /var/etc/filterdns.conf file.
-
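The checks in the two posts above (is filterdns in the process list, does /var/etc/filterdns.conf exist) plus the table contents from diagnostics -> tables can be scripted. The following is an added example and not code from the thread or from pfSense. It assumes the filterdns.conf line format is "pf <table> <hostname>" (an assumption; compare with a real file) and that `pfctl -t TABLE -T show` lists the table's addresses; the WAN_ADMIN table name is taken from the thread. Each check takes the command output as an argument so it can be exercised on captured text, and `live_diagnose` runs the real commands on a box.

```shell
#!/bin/sh
# Added example: offline-checkable health check for pfSense hostname aliases.
# Steps mirror what the thread does by hand:
#   1. is filterdns running?                     (ps -ax | grep filterdns)
#   2. does /var/etc/filterdns.conf list the table?
#   3. does the pf table have any entries?       (pfctl -t TABLE -T show)

# filterdns_running PS_OUTPUT
# Returns 0 if a filterdns process is present, ignoring the grep line itself.
filterdns_running() {
    printf '%s\n' "$1" | grep -v 'grep filterdns' | grep -q '/usr/local/sbin/filterdns'
}

# conf_lists_table CONF_PATH TABLE
# Returns 0 if the config is readable and has a "pf <table> <hostname>" line.
# ASSUMPTION: that line format is what pfSense writes; verify on your own file.
conf_lists_table() {
    [ -r "$1" ] && grep -q "^pf[[:space:]][[:space:]]*$2[[:space:]]" "$1"
}

# table_entry_count PFCTL_OUTPUT
# Prints how many address lines appear in the output of `pfctl -t TABLE -T show`
# (lines starting with optional whitespace then a hex digit: IPv4 or IPv6).
table_entry_count() {
    printf '%s\n' "$1" | grep -c '^[[:space:]]*[0-9a-fA-F]' || true
}

# diagnose TABLE PS_OUTPUT CONF_PATH PFCTL_OUTPUT
# Prints one verdict line. Returns 0 only when all three checks pass;
# otherwise 1 (daemon down), 2 (config missing table), 3 (table empty).
diagnose() {
    table=$1
    ps_out=$2
    conf=$3
    pfctl_out=$4
    if ! filterdns_running "$ps_out"; then
        echo "FAIL: filterdns is not running; hostname aliases will not resolve"
        return 1
    fi
    if ! conf_lists_table "$conf" "$table"; then
        echo "FAIL: $conf is missing or has no entry for table $table"
        return 2
    fi
    n=$(table_entry_count "$pfctl_out")
    if [ "$n" -eq 0 ]; then
        echo "FAIL: table $table is empty; check System Logs -> System -> DNS Resolver"
        return 3
    fi
    echo "OK: table $table has $n entries"
    return 0
}

# live_diagnose TABLE
# Runs the real commands on a pfSense box (needs root for pfctl).
live_diagnose() {
    diagnose "$1" "$(ps -ax)" /var/etc/filterdns.conf "$(pfctl -t "$1" -T show 2>/dev/null)"
}
```

On a box, run `live_diagnose WAN_ADMIN`; a return code of 1 is the situation described in this thread (daemon not started after the upgrade), 2 is the missing config file, and 3 means the daemon is up but never populated the table, which is when the DNS Resolver log is worth reading.
-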
Well, if filterdns is not running then no, your aliases are not going to resolve.
Sure your aliases are set to host(s)? You're not seeing anything in the log about it failing to run?
-
Which log area would I even check for that?
-
I've confirmed that filterdns is not running on 3 of the systems I administer that have been upgraded to 2.4.4. 2.4.3 systems seem to be fine.
/var/log/system.log has nothing in it for filterdns
-
Bump up the debug... Guess if it's not running it could be related to
https://redmine.pfsense.org/issues/8758
-
I don't think so, I can't even manually start it...
[2.4.4-RELEASE][admin@pfsense]/root: /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 30 -c /var/etc/filterdns.conf -d 1
filterdns: open file
-
Is your .conf not here?
-
On a system that was running 2.4.3 previously there is a config on disk; on a 2.4.4 system, while setting up a fresh rule with a DNS-based alias, no file exists. The config seems to just contain the table entries.
On the system where the config file exists, a manual launch looks like this.
[2.4.4-RELEASE][adrien@pfsense]/: /usr/local/sbin/filterdns -p /var/run/filterdns.pid -i 30 -c /var/etc/filterdns.conf -d 1
filterdns: Could not open device.
-
flush your pid
-
OK, so on a VM instance I can manually launch the process and it'll generate a pid/conf, but the tables status page doesn't show the IP that should be resolved as part of the rule.
On my SG-3100 if I run touch to create the files, and try to run the process manually it still throws the "open file" error. Upon reboot the pid/conf files are gone.
-
On my CE install, the command actually running for filterdns looks like this on 2.4.4
/usr/local/sbin/filterlog -i pflog0 -p /var/run/filterlog.pid
Any idea where pflog0 ends up?
-
I found that these entries end up under System Logs / System / DNS Resolver. On my CE instance on a VM it is working as expected. On the SG-3100 it is not.
-
Opened a new issue for filterdns not working on 2.4.4 after upgrade.
https://redmine.pfsense.org/issues/8971?next_issue_id=8970&prev_issue_id=8972