Issues after upgrade to 2.4.4 on all firewalls : Diagnostic ->Tables is empty

chriva

No, I noticed no error: just in case how is the DNS log enabled ?
Now I did a rollback of all of the installation except one.
I will try to keep an eye on it, but traffic through this device is very few. I don't even know if this firewall needed ever showed the problem.

stephenw10

It is enabled by default for errors and status information but you can turn up the logging level to see all dns requests if required. That's a setting in Services > DNS Resolver > Advanced Settings.

Steve

chriva

Hi,
should I set it up to maximum level? (I've just set it to lvl5)
What should I look for in clog /var/log/resolver.log ?
Can you give me an example?

Regards.

stephenw10

I wouldn't expect you to need to turn up the logging. For example here's what I see in the resolver logs if I add an IP to an alias but typo it:

Dec 4 12:53:14 	filterdns 		Adding Action: pf table: Test_Alias_2 host: 192.16810.10
Dec 4 12:53:14 	filterdns 		Adding host 192.16810.10
Dec 4 12:53:14 	filterdns 		failed to resolve host 192.16810.10 will retry later again. 

Steve

PC Medic

This post is deleted!

stephenw10

Yes it should. I deliberately typo'd it to show what happens.
It sees it as an FQDN as it's not a valid IP address and tries to resolve it. And of course that fails resulting in the errors shown.

Steve

Edit: Replying to a deleted post now.

PC Medic

yeah, deleted my post as I overlooked the mention of 'not a valid IP address' in your original

chriva

Thanks for your support and suggestions.
I have no filterdns entries in the logs until now.
I will keep an eye on it.

Remember that the same configuration on 2.4.3_p1 gives me no issues.

stephenw10

The most likely thing there is you're hitting something really obscure that passes in php 5.6 but not in php 7. I would have expected some error though but it may simply interpret it differently.

Steve

chriva

Hi to all,
I have an update: facing the same problem on 2.4.4_p1
I have an alias like
FQDN_Hamal
corrisponding to
hamal.intranet

The name is correctly resolved like
*drill hamal.intranet @127.0.0.1
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 9055
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; hamal.intranet.dynameeting.it. IN A

;; ANSWER SECTION:
hamal.intranet 16 IN A 192.168.212.135

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Thu Dec 27 11:36:32 2018
;; MSG SIZE rcvd: 63*

The corresponding table was empty, so the corresponding permit rule was never triggered (trafic dropped)

I tried adding via command line
pfctl -t FQDN_Hamal -T add hamal.intranet
it sometimes works giving
1/1 addresses added
sometimes does'nt work
0/1 addresses added
The corresponding log in filterdns is allways
filterdns: Adding Action: pf table: FQDN_Hamal host: hamal.intranet

I have no idea why this happens.
Can anyone help me?

jimp

First, you wouldn't inject an alias entry using pfctl that way for a hostname. The filterdns daemon manages that internally.

Second, if it works sometimes and not others, it could be either because the host can't be resolved, or that it's already in the table.

The adding action log entry means filterdns read that entry from the config, not that it successfully resolved the host.

chriva

Hi Jimp,
I know I should not add hostnames like this, I'm simply trying to make the problem clearer.
The table itself should hold only one entry (resolved to 192.168.212.135)
If I try to inject a non valid fqdn I get an error:
pfctl -t FQDN_Hamal -T add hamal2.intranet
no IP address found for hamal2.intranet

Grimson

So this is an internal domain, how are your DNS on pfSense configured. Make sure pfSense only uses name servers that can resolve those internal domains.

chriva

Hi Grimson,
sorry for the delay (and Happy New Year to all).
The DNS is configured to point
2 internal DNS server (reachables)
2 external DNS servers (google)

I 've just removed the google ones and I will let you know

Regards.

chriva

Hi,
Today the problem is back again: some table are void: non traffic allowed despite the dns pointing only internal servers.

stephenw10

And still no filterdns errors on the resolver log? Or system log?

Steve

chriva

No errors in system log.
No relevant errors in resolver log (only a few failed to resolve host : new_name.internal , due to devices that are already configured on the firewall but not on the dns server. Those entries have no concern with the void tables.)

Regards