DNS Resolve Domain Overrides do not work after pfsense restart
-
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
If you point your override to a lan IP that is on the other side of the tunnel (a remote IP), how will unbound bind to it if the vpn is not yet
Your not Binding to anything.. its just the IP your pointing your domain override too...
Its the other sides unbound that needs to bind to something to LISTEN on for queries.. when unbound starts up on that side B, and the vpn is not up... How does it bind to listen... But have to assume if pfsense is up and running that the LAN ip is up.. So then unbound can bind and listen to this interface..
-
@johnpoz said in DNS Resolve Domain Overrides do not work after pfsense restart:
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
If you point your override to a lan IP that is on the other side of the tunnel (a remote IP), how will unbound bind to it if the vpn is not yet
Your not Binding to anything.. its just the IP your pointing your domain override too...
Its the other sides unbound that needs to bind to something to LISTEN on for queries.. when unbound starts up on that side B, and the vpn is not up... How does it bind to listen... But have to assume if pfsense is up and running that the LAN ip is up.. So then unbound can bind and listen to this interface..
Gotcha!! I understand what you mean now. Thanks.
-
Ok think we can call this solved then ;) Going to leave my vms... I can use these to lab almost anything ;)
Proof is in the pudding though.. Let us know how it works out after your next reboot..
-
So far so good until I noticed that the unbound service of one of my pfsense boxes is down, just this morning. I'm not really sure what happened but this is what I saw in the system logs:
May 7 07:36:24 unbound 29511:0 fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconfIs there a reason for this?
Also, there are a lot of restarts during normal unbound operation like so:
ay 7 05:12:20 unbound 29511:0 info: start of service (unbound 1.8.1). May 7 05:12:20 unbound 29511:0 info: service stopped (unbound 1.8.1). May 7 05:12:20 unbound 29511:0 info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting May 7 05:12:20 unbound 29511:0 info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0 May 7 05:12:20 unbound 29511:0 info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting May 7 05:12:20 unbound 29511:0 info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0 May 7 05:12:20 unbound 29511:0 info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting May 7 05:12:20 unbound 29511:0 info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0 May 7 05:12:20 unbound 29511:0 info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting May 7 05:12:20 unbound 29511:0 info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0 May 7 05:12:20 unbound 29511:0 notice: Restart of unbound 1.8.1.Is this also normal?
-
Restart of unbound... Do you have it register dhcp? Do you have pfblocker?
-
-
well yes register dhcp will restart unbound.
-
@johnpoz said in DNS Resolve Domain Overrides do not work after pfsense restart:
well yes register dhcp will restart unbound.
Ok. Any ideas why the service stopped suddenly though? This is the first time, in many years, that I had unbound stopped without me doing anything.
-
because there was a new dhcp lease/renew or a vpn client.. If you have it register clients (other than static) then yes unbound will be stopped and restarted now and then.
If you don't want that to happen then don't have dhcp clients registered.. I don't really get why you need to do that - how many clients you have? Just setup reservations for those that you "need" to be able to resolve name of.
-
@johnpoz said in DNS Resolve Domain Overrides do not work after pfsense restart:
because there was a new dhcp lease/renew or a vpn client.. If you have it register clients (other than static) then yes unbound will be stopped and restarted now and then.
If you don't want that to happen then don't have dhcp clients registered.. I don't really get why you need to do that - how many clients you have? Just setup reservations for those that you "need" to be able to resolve name of.
I understand but this time it stopped indefinitely (since this morning) until I went it and saw that the service is stopped. I've had those settings since a few years ago and never had the service stopped. I understand that it restarts if you have dhcp register enabled, but it shouldn't stay stopped.
This is the error in question:
May 7 07:36:24 unbound 29511:0 fatal error: Could not read config file: /unbound.conf. Maybe try unbound -dd, it stays on the commandline to see more errors, or unbound-checkconfunbound-checkconf resulted to:
unbound-checkconf: no errors in /usr/local/etc/unbound/unbound.conf
-
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
fatal error: Could not read config file: /unbound.conf.
did you have pfblocker installed at one time? Where you playing with it?
Your disk full? Disk errors?
Did a vpn user vpn at that time? Maybe the command is wrong to restart it when that happens? If you see it happening more up your log level in unbound.
-
@johnpoz said in DNS Resolve Domain Overrides do not work after pfsense restart:
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
fatal error: Could not read config file: /unbound.conf.
did you have pfblocker installed at one time? Where you playing with it?
Your disk full? Disk errors?
Did a vpn user vpn at that time? Maybe the command is wrong to restart it when that happens? If you see it happening more up your log level in unbound.
No, never.
I don't see my disk being full anytime soon:
My VPN is only set for s2s VPN. Ok, hopefully this does not repeat.
-
It happened again today. I'm turning logging up to level 2, is that enough?
Also, is there a way for pfsense to notify when a service goes down?
-
So I'm not sure if this issue was caused by my change of the Outgoing Network Interfaces to Localhost as per your suggestion but please check my issue stated here.
I thought this was isolated to one of my Windows 10 machines so I posted in the tenforums website. But it looks like it's happening to two Win10 machines that I tested now. It's not always happening but it does frequently, mostly after restarts. Here are some tests I've done with both my machines and they have the same exact results:
One machine was after a restart and the other is after resuming from sleep.
In example 1, I've ping'ed google and it already had a resolved IP (probably because of the machine's cache) but did not respond properly. In example 2, I wasn't able to resolve yahoo during the first ping but it did during the second ping, although it wasn't also responding. Both servers started to respond properly at the same time.
Any ideas here? I could only think of pfsense causing this because it is experienced by more than one machine.
-
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
but it does frequently, mostly after restarts
Looks more like just connectivity issue then dns related problem.
In your first you have an ip but it just not get a response.. So where was the communication breakdown, did you ping even make it to pfsense, and that is where the ball got dropped, or did not even make it to pfsense..
The 2nd one is odder since looks like you could not resolve, but then you did - so would seem to say you could talk to pfsense and get an answer to your dns query.. But then your pings take a while to get answered?
Windows has always been know to have issues with coming out of standby and network connectivity, or even taking a while for the network stack to fully start.
-
@johnpoz said in DNS Resolve Domain Overrides do not work after pfsense restart:
@kevindd992002 said in DNS Resolve Domain Overrides do not work after pfsense restart:
but it does frequently, mostly after restarts
Looks more like just connectivity issue then dns related problem.
In your first you have an ip but it just not get a response.. So where was the communication breakdown, did you ping even make it to pfsense, and that is where the ball got dropped, or did not even make it to pfsense..
The 2nd one is odder since looks like you could not resolve, but then you did - so would seem to say you could talk to pfsense and get an answer to your dns query.. But then your pings take a while to get answered?
Windows has always been know to have issues with coming out of standby and network connectivity, or even taking a while for the network stack to fully start.
I should've done a tracert to make sure. Well, before these two tests I did an nslookup which points to pfsense by default. And it also fails there, which made me think it's a DNS issue in the first place. But then the first test in the screenshot above doesn't really point to a DNS issue because if it was then I would get responses right away.
-
But where did you get the IP from in your ping if after a "restart" there would be no cache at all.
Are these clients wireless?
-
Ohh, I didn't know that. Then I guess it isn't DNS after all.
No, one is wired and one is wireless. I just tested again just now, I updated the wired one with Win 10 1903, so naturally it restarted, and I see the same issue. Although now I get both google and yahoo resolve right away but got the same initial RTO responses.
-
When outgoing interfaces is set to Localhost as we discussed, DNS queries will still follow the routing table that pfsense has, correct? So in my specific use case, the query will route through the openvpn tunnel if and only if it is destined for the domain override that I set, correct?
Also, since we set an Outbound NAT rule for the domain override, would it make sense to add the tunnel network to the Access Lists of DNS resolver in both sides of the tunnel?
