    DNS resolver fails to work when pfSense has an IPv6 address

    Category: DHCP and DNS | 14 Posts, 8 Posters, 5.1k Views
    SamB:

      It appears the issue is caused by unbound (or dnsmasq) entering a restart loop and being unable to respond to DNS queries.

      The problem only occurs with IPv6 enabled. Both options for registering DHCP/static leases are turned off. pfBlockerNG DNSBL is disabled.

    RonpfS:

        @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

        pfBlockerNG DNSBL is disabled.

        With DNSBL disabled, did you run a Force Update? And is the line

        server:include: /var/unbound/pfb_dnsbl.*conf

        gone from the Resolver Custom options?

        2.4.5-RELEASE-p1 (amd64)
        Intel Core2 Quad CPU Q8400 @ 2.66GHz 8GB
        Backup 0.5_5, Bandwidthd 0.7.4_4, Cron 0.3.7_5, pfBlockerNG-devel 3.0.0_16, Status_Traffic_Totals 2.3.1_1, System_Patches 1.2_5

        SamB (replying to RonpfS):

          @RonpfS yes, I did run an update and remove that line from settings (can't remember whether I had to do it manually or not)

          However most of my testing has been on a fresh install and restore of pfSense 2.4.4-p1 that has never had DNSBL enabled at all.

          On the fresh install without DNSBL, unbound and dnsmasq both crash repeatedly if IPv6 is enabled.

          As soon as I disable IPv6, they work correctly, even with DNSBL and everything else turned back on.

          Grimson (replying to SamB):

            @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

            On the fresh install without DNSBL, unbound and dnsmasq both crash repeatedly if IPv6 is enabled.

            What makes you think they crash?

            It's much more likely they get restarted because your IPv6 config is flawed. So if you actually want help you'll need to post the system logs and screenshots of your config, otherwise you are on your own.

            SamB:

              @grimson

              Crash was not the right word, they continually restart. When I re-enabled IPv6 today to investigate it looks like it's because the IPv6 address keeps "changing" (although the address itself does not change):

              [screenshot: Screen Shot 2019-01-14 at 8.47.21 AM.png]

              The DNS Resolver log shows that unbound is repeatedly starting and stopping, presumably each time the IPv6 address "changes"

              My IPv6 settings at the moment are:

              WAN Interface:
              (I have also tried with "Do not allow PD/Address release" enabled)
              [screenshot: Screen Shot 2019-01-14 at 8.44.07 AM.png]

              LAN Interface:
              [screenshot: Screen Shot 2019-01-14 at 8.44.33 AM.png]

              DHCPv6 Server:
              [screenshot: Screen Shot 2019-01-14 at 8.45.48 AM.png]
              [screenshot: Screen Shot 2019-01-14 at 8.46.01 AM.png]

              Is there a way to find out why my IPv6 keeps "changing"? I don't know what's triggering it or where to look to find out.

              JKnott (replying to SamB):

                @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

                Is there a way to find out why my IPv6 keeps "changing"? I don't know what's triggering it or where to look to find out.

                Do you have "Do not allow PD/Address release" selected on the WAN page?

                PfSense running on Qotom mini PC
                i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
                UniFi AC-Lite access point

                I haven't lost my mind. It's around here...somewhere...

                SamB (replying to JKnott):

                  @jknott Yes, I currently have "Do not allow PD/Address release" enabled and the following is still being repeatedly logged:

                  Jan 14 12:05:26 	php-fpm 	12023 	/rc.newwanipv6: Removing static route for monitor fe80::9000:b:1 and adding a new route through fe80::9000:b:1%pppoe0
                  Jan 14 12:05:27 	check_reload_status 		Reloading filter
                  Jan 14 12:05:27 	php-fpm 	12023 	/rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
                  Jan 14 12:05:27 	php-fpm 	12023 	/rc.newwanipv6: rc.newwanipv6: on (IP address: 2406:1e00:9b10:22:208:a2ff:fe0b:c703) (interface: wan) (real interface: pppoe0).
                  

                  I turned gateway monitoring off for the default IPv6 gateway and the first line is no longer logged, but the remaining lines are. The logs don't seem to indicate why rc.newwanipv6 is being triggered every 10 sec or so.

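A way to confirm the loop from the log rather than by eye, as an added example that is not part of the thread or of pfSense: the script below parses syslog-style lines of the kind SamB posted, keeps the `rc.newwanipv6: on (IP address: ...)` events, and reports how often the script fires and whether the WAN address actually changed between firings. The sample lines are constructed for the example (documentation prefix 2001:db8::/32, not SamB's real address), the year is assumed because syslog timestamps carry none, and the 60 s loop threshold is a chosen value, not a pfSense setting.

```python
"""Detect an rc.newwanipv6 re-trigger loop in pfSense system log lines.

Added example, not code from the thread or from pfSense. It distinguishes
a healthy firing (the address really changed) from the pattern in the
thread (the script fires every few seconds with the same address, and
unbound is restarted each time).
"""
import re
import statistics
import sys
from datetime import datetime

# Constructed sample: three firings 10 s apart with the same address,
# then one where the address genuinely changed, then unbound restarting.
SAMPLE_LOG = """\
Jan 14 12:05:26 php-fpm 12023 /rc.newwanipv6: Removing static route for monitor fe80::9000:b:1 and adding a new route through fe80::9000:b:1%pppoe0
Jan 14 12:05:27 check_reload_status Reloading filter
Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8:9b10:22:208:a2ff:fe0b:c703) (interface: wan) (real interface: pppoe0).
Jan 14 12:05:37 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8:9b10:22:208:a2ff:fe0b:c703) (interface: wan) (real interface: pppoe0).
Jan 14 12:05:47 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8:9b10:22:208:a2ff:fe0b:c703) (interface: wan) (real interface: pppoe0).
Jan 14 12:05:57 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8:9b10:22:208:a2ff:fe0b:c704) (interface: wan) (real interface: pppoe0).
Jan 14 12:06:10 unbound 54321 [54321:0] info: start of service (unbound 1.8.3).
"""

# Matches only the "on (IP address: ...)" line, which names the address
# rc.newwanipv6 was invoked for and the interface it ran on.
EVENT_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) .*rc\.newwanipv6: on "
    r"\(IP address: (?P<addr>[0-9a-fA-F:]+)\) \(interface: (?P<iface>\w+)\)"
)


def parse_events(log_text, year=2019):
    """Return [(datetime, interface, address)] for each rc.newwanipv6 'on' line."""
    events = []
    for line in log_text.splitlines():
        m = EVENT_RE.match(line)
        if not m:
            continue
        # syslog timestamps have no year; the caller supplies one (assumption).
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append((ts, m["iface"], m["addr"]))
    return events


def analyse(events, loop_threshold_s=60):
    """Summarise firings: count, median gap, and how many re-fired unchanged.

    A loop is flagged when the script fires repeatedly for the same address
    with a median gap at or below loop_threshold_s (threshold is a chosen
    value for this example, not a pfSense parameter).
    """
    result = {"firings": len(events), "unchanged_refires": 0,
              "changed_refires": 0, "median_gap_s": None, "loop": False}
    if len(events) < 2:
        return result
    gaps = []
    for (t0, _, a0), (t1, _, a1) in zip(events, events[1:]):
        gaps.append((t1 - t0).total_seconds())
        if a0 == a1:
            result["unchanged_refires"] += 1
        else:
            result["changed_refires"] += 1
    result["median_gap_s"] = statistics.median(gaps)
    result["loop"] = (result["unchanged_refires"] >= 2
                      and result["median_gap_s"] <= loop_threshold_s)
    return result


def report(log_text, year=2019):
    """Convenience wrapper: parse and analyse in one call."""
    return analyse(parse_events(log_text, year))


if __name__ == "__main__":
    # Read a log from stdin if piped in, otherwise analyse the sample.
    text = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    print(report(text))
```

On a 2.4.x box, whose circular logs are read with `clog`, feed it the system log with `clog /var/log/system.log | python3 newwanipv6_loop.py` (the script name is a placeholder). A result with `loop` true and `unchanged_refires` high means the WAN address is not changing at all and something is re-triggering `rc.newwanipv6`, which is what the thread's later posts go on to look for in the upstream DHCPv6/VLAN setup.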
                  jp.otto:

                    Hi,
                    did you ever solve that issue? I seem to have the very same problem and don't know where to start looking, especially since I'm unsure whether the DHCP6 settings of my WAN interface are correct...

                    whoamib2:

                      I finally figured out why my DNS resolver was restarting every 2 seconds: it was because my WAN interface had an IPv6 address, which appears to be some kind of pfSense bug. As soon as I removed the IPv6 address from the WAN interface it stopped restarting the Unbound resolver:

                      As you can see below I changed it from DHCP6 to None:
                      [screenshot: WAN interface IPv6 Configuration Type changed from DHCP6 to None]

                      JKnott (replying to whoamib2):

                        @whoamib2 said in DNS resolver fails to work when pfSense has an IPv6 address:

                        I finally figured out why my DNS resolver was restarting every 2 seconds, it was because my WAN interface had a IPv6 address which appears to be some kind of pfSense bug, as soon as I remove the IPv6 from the WAN interface it stopped restarting the Unbound resolver:

                        What do you mean by bug? What address were you getting? Also, the WAN address is likely not being used for routing. You haven't fixed the problem by disabling IPv6, only masked it.


                        ManuA (replying to JKnott):

                          Hi guys,

                          maybe I've found a solution.
                          I replaced my router (AVM Fritbox) with a Draytek Vigor 165. This way I avoid double NAT. The Vigor is delivered with the settings for modem operation. VLAN tagging (VLAN 7) is also enabled by default.
                          With these settings (no VLAN tagging in the pfSense) I also permanently received the messages from newwanipv6. After two days of searching, and shortly before giving up, I deactivated the tagging in the modem as a last try and configured it in the pfSense instead.

                          Hooray! No more messages from newwanipv6 and the DNS resolver works fine again. 😀

                          Maybe it will help you further...

                          septer012:

                            I had a similar problem and I don't believe I had this problem before updating to pfsense 2.4.5-RC (arm64). I noticed some websites were not loading, or were really slow. On my third party VPN, things were normal, so I suspected something DNS related.

                            nslookup worked fine when connected to the VPN.
                            With the VPN disconnected, my expectation was to query the pfSense box's unbound; however, I had two DNS servers showing in ipconfig:

                            DNS Servers . . . . . . . . . . . : 2600:1700:31e0:3048:f2ad:4eff:fe09:bf25
                                                                   10.0.0.1
                            

                            After reading this thread about IPV6 on the WAN I disabled the interface and restarted and now I get:

                            DNS Servers . . . . . . . . . . . : 10.0.0.1
                            

                            It is again working. I am not sure if it is related to that IPv6 DNS entry or simply that I disabled the WAN IPv6. I was initially just going to try to downgrade to the latest stable version (2.4.x), but I could not figure out how to through the GUI. Perhaps it's not something you can do.

                            JKnott (replying to septer012):

                              @septer012 said in DNS resolver fails to work when pfSense has an IPv6 address:

                              It is again working. I am not sure if it is related to that IPv6 DNS entry or simply that I disabled the WAN IPv6. I was initially just going to try to downgrade to the latest stable version (2.4.x), but I could not figure out how to through the GUI. Perhaps it's not something you can do.

                              It should make no difference whether IPv4 or IPv6 is used for DNS. You get the same info no matter which is used. I use resolver here and it works fine. On my LAN both IPv4 & IPv6 DNS are available and either may be used, depending on the device. If you suspect a DNS problem then try pinging the problem address. You can ping with both IPv4 and IPv6. If there are only one or a few bad addresses, then it's a problem at the original DNS.

                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.