DNS periodic failure - with pfblocker installed.

reberhar

I am not onsite now. Tomorrow I will do a dig + trace. And post it. I am in southern Mexico.

I see that you saw my freebsd posts with and without forwarding. I will make sure forwarding is disabled when I run the dig +trace. The users will have to tolerate it for a few minutes while I do that.

reberhar

I have done dig plus with the CBC and Google. It is somewhat better now in the morning so I don't know how diagnostic this will be. I will try to add others during the day.

Here is the dig plus

digplus.txt

reberhar

I choose the cbc because I knew it was not in the cache. The Google is.

reberhar

Here is a timeout.

timeout.txt

reberhar

I have done the necessary research to remind me how DNS works. As dig URL plus does not reveal any helpful information other than a timeout, and because of the way this cycles predictable, I am going to assume that the ISP has some kind of filter in place and use forwarding which only impacts us slightly.

Not all questions can be answered on a forum. Thanks for your help.

drewsaur

I have had an issue for the last few days where certain domains, like wikipedia.org, are not able to be looked up successfully by unbound when using DNS Resolver. If I use forwarding to 1.1.1.1, dns lookups are fine. This happens whether or not pfBlockerNG is enabled. Any ideas?

Gertjan

@drewsaur said in DNS periodic failure - with pfblocker installed.:

like wikipedia.org, are not able to be looked up successfully by unbound when using DNS Resolver.

That's close to not to be able to find facebook neither.
Be assured : both sites can be resolved.
Knowing that the Internet works well today, it's more your Resolver or the connection between the Resolver and needed root, tld and name servers that isn't working good for you.

@drewsaur said in DNS periodic failure - with pfblocker installed.:

Any ideas?

Set the resolver to log 'more details' .... and reading this log to find 'strange' things.

drewsaur

I should add - it is all .org domains for the last few days. No other changes in my pfSense configuration. I started another thread: https://forum.netgate.com/topic/148252/sudden-issue-with-org-dns-lookups-using-dns-resolver

johnpoz

We have already gone into great detail on how to troubleshoot this and how a resolver works.

if you are having issues resolving all .org domains... Then your isp is having issues talking to one of the NS for that tld

;; QUESTION SECTION:
;org.                           IN      NS

;; ANSWER SECTION:
org.                    86400   IN      NS      a0.org.afilias-nst.info.
org.                    86400   IN      NS      a2.org.afilias-nst.info.
org.                    86400   IN      NS      b0.org.afilias-nst.org.
org.                    86400   IN      NS      b2.org.afilias-nst.org.
org.                    86400   IN      NS      c0.org.afilias-nst.info.
org.                    86400   IN      NS      d0.org.afilias-nst.org.

Seems odd that you would have issues talking to all of them? So query them directly for what your looking for.. Does it work?

If your having issues resolve 1 org or a few of them then maybe you have issues just talking to the NS for those domains.

If your having problems with your internet and resolving - then just freaking forward.l Or get another Isp, or bitch them that your connection sucks...

Log your queries.. log your responses.. When you have a problem with domain X, what does your log show?

server:
log-queries: yes
log-replies: yes

reberhar

For us of the original post we are relatively sure that the ISP is playing a part is this. We have rebuilt our systems and in the process were able to observe that the DNS problems did not really appear to be from any pfSense server. What's more we use the same ISP in another location. They have no pfSense server and they still suffer with DNS resolution problems.

Thanks johnpoz.

drewsaur

@reberhar That appears to be my case as well. The ISPs really seem to be playing DNS games to prepare themselves for the upcoming legislative activities.

reberhar

@reberhar There was an off comment about the traffic shaper in one post. I went through the traffic shaper today and found some odd items, some legacy things and some things that were probably changed as the mouse went by. There were a couple of conflicting items in all this. It now does appear that unbound in functioning well. I will answer back if this turns out not to be the case. I did bump up the DNS priority, but I am unsure if this works when Unbound is not forwarding.

reberhar

@reberhar Yes indeed my DNS is now reliable and fast. My problem with DNS was not the service provider or indeed in the DNS, but an error in the traffic shaper.