Netgate Discussion Forum

    LAN as a LAGG

    Problems Installing or Upgrading pfSense Software
    • stephenw10 Netgate Administrator

      It still resolves other addresses OK?

      Does it just show no response for that if you test in Diag > DNS Lookup?

      Do you see states open to the pi from pfSense when it fails?

      Anything logged on the pi?

      Anything in the pfSense resolver log?

      Steve

      • kuschi @stephenw10

        @stephenw10 said in LAN as a LAGG:

        It still resolves other addresses OK?

        Yes, all other addresses are resolved correctly.

        Does it just show no response for that if you test in Diag > DNS Lookup?

        No response! "Host "labap.local.lab" could not be resolved."

        Do you see states open to the pi from pfSense when it fails?

        No, no states when it fails.

        Anything logged on the pi?

        Nothing unusual

        Anything in the pfSense resolver log?

        Nothing unusual either (can't post the log, otherwise post is flagged as spam)

        Steve

        Thanks,
        Martin

        • stephenw10 Netgate Administrator

          Hmm, odd.
          If you run a pcap on WAN for port 53 traffic can you see it querying external DNS servers for that domain?

          Steve

          • kuschi

            Yes, it queries the external DNS for the local domain.

            After restarting the unbound service, the queries go to the Raspberry Pi, but after one minute at the latest, all queries go to the external DNS server.

            Martin

            • stephenw10 Netgate Administrator

              Hmm, something must be causing it to do that. Rejecting the config perhaps.

              That should be logged though. It would at least log Unbound restarting or reloading its config.

              Steve

              • kuschi

                Where can I find this kind of information? I checked the logs but I cannot find anything suspicious.

                Martin

                • stephenw10 Netgate Administrator

                  If it was rejecting the config you would see entries in the resolver and system logs.

                  Try increasing the logging level on Unbound on the Advanced Settings tab. I would start at 2 and go to 3 if you still don't see anything. At level 3 it logs a lot!

                  Steve

                  • kuschi

                    I now get some strange results, after I increased the logging level.

                    A lookup for "labserver.mgk.local" is logged in unbound:
                    Feb 11 23:21:43 unbound 7870:0 info: validation success labserver.mgk.lab.mckusch.lab. CNAME IN

                    mckusch.local is my productive server AD domain....

                    Martin

                    • stephenw10 Netgate Administrator

                      Is that correctly a CNAME for that other FQDN?

                      Using .local for your domain can hit mDNS issues, using something else there would be preferable.

                      Steve

                      • kuschi

                        Progress! After some setbacks and several re-installs of pfSense, I narrowed down the issue. Dnsmasq on the Raspberry Pi cannot handle DNSSEC properly. After I unchecked the "Enable DNSSEC Support" in Unbound, pfSense resolves the local domain successfully, every time. Now, I just have to figure out how to fix the Pi....

                        Thanks Steve for your support!

                        Martin

                        • stephenw10 Netgate Administrator

                          Ah, nice catch!
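
Added example, not part of the thread and not Netgate's own configuration: a narrower alternative to unchecking "Enable DNSSEC Support" is to keep validation on and exempt only the private zone answered by dnsmasq. It assumes the zone is `local.lab` (taken from the `labap.local.lab` lookup above), that forwarding for that zone to the Pi is already configured, and that the lines are entered in the DNS Resolver's Custom options box.

```conf
# Unbound custom options (added example; the zone name is an assumption)
#
# Weak: unchecking "Enable DNSSEC Support" in the resolver settings stops
# validation for every zone, including signed public ones.
#
# Scoped: leave DNSSEC support enabled and add the following instead.
server:
    # Skip the chain-of-trust check only for names under the private zone,
    # which is assumed to be served unsigned by dnsmasq on the Pi.
    domain-insecure: "local.lab"
    # Allow answers for this zone to contain private (RFC 1918) addresses
    # when DNS rebinding protection is active.
    private-domain: "local.lab"
```

To check it, repeat the Diag > DNS Lookup test for the local name a few minutes after saving, since the failure described above only appeared some time after an Unbound restart.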

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.