Intermittently losing DNS
-
I'm using pfSense 2.4.4 and just recently noticed that intermittently I'm losing my DNS. When I ping www.google.com from my computer I get "Host name lookup failure". I'm using Quad9 DNS servers over TLS. Adding 208.67.220.220 to the System/General setup/DNS Server Settings will fix it.
I've tried upgrading to 2.4.4_1 and am getting the same problem. I believe this problem started after trying to migrate to new hardware, but I'm back on the original pfSense box without any configuration changes.
I have no idea what the issue is. -
I've noticed that sometimes some of the public servers intermittently fail when using DNS over TLS or DNSSEC.
-
I'm not sure but I think the intermittent loss of DNS was due to running out of memory. After I removed snort which was eating up my memory the intermittent nature resolved. Does that sound like that issue would cause that problem?
My DNS stops working when I enable Quad9 DNS servers over TLS. Here are my settings.
- Firewall/Rules/LAN
- System/General Setup/DNS Server Settings
- Error in web browser
-
Could a problem with the NTP server cause DNS issues?
I reset my system clock to the correct time and changed the NTP server to the WAN interface.
So far DNS is working.
Is the best way to check looking at the DNS resolver log and seeing entries with "A IN NOERROR 0.057908 0 58" in it? -
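An added example, not from this thread or from pfSense itself: a small parser for DNS Resolver (unbound) reply log lines in the layout quoted above, summarising response codes and pulling out the non-cached SERVFAIL answers, which are the ones that actually went upstream and are the symptom of an intermittent forwarder failure. The field order (client, name, type, class, rcode, seconds, from-cache flag, size) and the sample lines are assumptions constructed for the example.

```python
import re
from collections import Counter

# Assumed unbound "log-replies" line layout as seen in the pfSense Resolver
# log: client qname qtype qclass rcode seconds from_cache(0/1) reply_bytes
REPLY_RE = re.compile(
    r"info: (?P<client>\S+) (?P<qname>\S+) (?P<qtype>\S+) (?P<qclass>\S+) "
    r"(?P<rcode>[A-Z]+) (?P<secs>[\d.]+) (?P<cached>[01]) (?P<size>\d+)"
)

# Constructed sample log lines (not real log output from the thread).
SAMPLE_LOG = """\
Nov 12 10:01:03 pfSense unbound: [23456:0] info: 192.168.1.20 www.google.com. A IN NOERROR 0.057908 0 58
Nov 12 10:01:05 pfSense unbound: [23456:0] info: 192.168.1.20 www.google.com. A IN NOERROR 0.000000 1 58
Nov 12 10:01:09 pfSense unbound: [23456:1] info: 192.168.1.21 example.net. AAAA IN SERVFAIL 4.812345 0 12
Nov 12 10:01:12 pfSense unbound: [23456:1] info: 192.168.1.21 example.net. A IN SERVFAIL 5.003211 0 12
Nov 12 10:01:20 pfSense unbound: [23456:0] info: 192.168.1.22 nosuch.example. A IN NXDOMAIN 0.120033 0 40
Nov 12 10:02:00 pfSense unbound: [23456:0] info: 192.168.1.20 forum.netgate.com. A IN NOERROR 0.081200 0 72
"""

def parse_replies(text):
    """Yield one dict per reply line; lines that do not match are skipped."""
    for line in text.splitlines():
        m = REPLY_RE.search(line)
        if m:
            d = m.groupdict()
            d["secs"] = float(d["secs"])
            d["cached"] = d["cached"] == "1"
            yield d

def summarize(text):
    """Count rcodes and isolate upstream (non-cached) SERVFAILs; a SERVFAIL
    that took seconds points at a forwarder that never answered in time."""
    replies = list(parse_replies(text))
    rcodes = Counter(r["rcode"] for r in replies)
    upstream = [r for r in replies if not r["cached"]]
    failed = [r for r in upstream if r["rcode"] == "SERVFAIL"]
    # Threshold is an assumption: a multi-second SERVFAIL is treated as a
    # forwarder timeout rather than a genuine negative answer.
    slow = [r for r in failed if r["secs"] >= 2.0]
    return {
        "total": len(replies),
        "rcodes": dict(rcodes),
        "upstream_servfail_ratio": len(failed) / len(upstream) if upstream else 0.0,
        "timeouts": [(r["qname"], r["qtype"]) for r in slow],
    }

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG))
```

Run it against a copy of the Resolver log saved from Status/System Logs with "Log replies" enabled in the Resolver advanced settings; a rising upstream_servfail_ratio while the DoT forwarder is selected is the pattern to look for.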
Quad9 appears to have issues resolving when using DNSSEC from recent testing I and others have done recently. Sometimes a refresh or two is required to load the page.
-
A correct time is very important for DNSSEC.
-
@xentrk said in Intermittently losing DNS:
Quad9 appears to have issues resolving when using DNSSEC from recent testing I and others have done recently. Sometimes a refresh or two is required to load the page.
Would I be better off switching to Cloudflare’s DNS service?
@gertjan said in Intermittently losing DNS:
A correct time is very important for DNSSEC.
Can you have DNSSEC and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" enabled at the same time? -
@naskar
Yes, Cloudflare was the other DNS we tested with and it had no issues like Quad 9. It seems to play better. Just note that the Cloudflare help site https://1.1.1.1/help does not support DNSSEC and will fail the DoT test if you have DNSSEC turned on. -
@xentrk said in Intermittently losing DNS:
@naskar
Yes, Cloudflare was the other DNS we tested with and it had no issues like Quad 9. It seems to play better. Just note that the Cloudflare help site https://1.1.1.1/help does not support DNSSEC and will fail the DoT test if you have DNSSEC turned on.
I changed to Cloudflare and have DNSSEC enabled and it seems to be working. But after going to your link I realized that DoT wasn't working. After turning it off, DoT works. Is DNSSEC not important? Is it ok to not use it?
Or are you just saying leave DNSSEC on and ignore what the https://1.1.1.1/help says about DoT?
-
I don't have a good answer for you about enabling DNSSEC when using Cloudflare DoT. The sites that do support DNSSEC are few. I saw something the other day that DNSSEC sites are in the single digit percentage of all sites on the internet. I added the DNSSEC detector add-on on Firefox and I can confirm from my own experience that not too many sites I visit support DNSSEC. With DNSSEC disabled on the DNS Resolver, I still pass all of the DNSSEC tests on these sites:
- https://rootcanary.org/test.html
- http://dnssec.vs.uni-due.de/
- http://en.conn.internet.nl/connection/
- http://0skar.cz/dns/en/
This thread does shed some light on the topic.