DNS Stops working

Gertjan

192.168.40.1 is pfsense box ip

Tip : use the build in alias "Firewall itself" (the first in the list).

it's like once a week it occurs.

At that moment, check if unbound, the DNS resolver on pfSense is actually running.
The best way to do that is using console or SSH access, and type

[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep unbound
76224  -  S         0:55.87 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
83945  -  Ss       17:13.80 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
66966  0  S+        0:00.00 grep unbound

As you can see, mine is running for** 17 hours and 13 minutes.

Also, check the GUI DNS logs : was unbound restarted ? How long did it take ?

** edit : see remark @johnpoz below

johnpoz

That is showing you cpu time, not elapsed clock time ;)

If you want to see etime you have to call that out..

example - find the pid

[2.4.4-RELEASE][admin@sg4860.local.lan]/root: ps ax | grep unbound
33787  -  Is        0:41.49 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
25758  0  S+        0:00.00 grep unbound
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: ps -p 33787 -o etime
     ELAPSED
  1-23:27:48
[2.4.4-RELEASE][admin@sg4860.local.lan]/root: ps -p 33787 -o etimes
ELAPSED
 170882
[2.4.4-RELEASE][admin@sg4860.local.lan]/root:

Then ask for etime or etimes (which will be in seconds)

Gertjan

Nice - thanks.

[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps ax | grep unbound
76224  -  S         0:55.96 /usr/local/sbin/lighttpd_pfb -f /var/unbound/pfb_dnsbl_lighty.conf
83945  -  Ss       17:22.86 /usr/local/sbin/unbound -c /var/unbound/unbound.conf
98238  0  S+        0:00.00 grep unbound
[2.4.4-RELEASE][admin@pfsense.brit-hotel-fumel.net]/root: ps -p 83945 -o etime
     ELAPSED
  4-00:48:20

4 days .... ok for me.

manjotsc

@johnpoz @Gertjan This is what I got,

Annotation 2020-01-14 114508.png

manjotsc

@Gertjan @johnpoz My pfsense box uptime 2 Days 5 Hours and outbound is for been running for 17 mintues, is that wierd?

johnpoz

well in means its restarting - do you have it registering dhcp? Did you just make a change to host or domain overrides... Did pfblocker update, etc..

Problem is when restarts cache is lost, while its restarting nothing can respond to dns, etc.

manjotsc

@johnpoz @Gertjan Maybe because it set to every hour, for update what's why maybe. And I didn't understand this part " do you have it registering dhcp?" can you tell you check about this, thanks.

Annotation 2020-01-15 125319.png

manjotsc

@Gertjan @johnpoz It started happing again, Now when I start downloading something file large files, DNS stops working.

Thanks,

Gertjan

@manjotsc said in DNS Stops working:

" do you have it registering dhcp?

Do you have checked this one :

If so, when a new lease is asked and granted, the Resolver is restarted.
Compare DHCP logs and DNS Resolver log. You can see it happen.

If you have a device that insists in asking a new DHCP lease every xx minutes, then yes, your Resolver get's restarted every xx minutes. Something you do not want at all ...

@manjotsc said in DNS Stops working:

Maybe because it set to every hour,

So you get what you want : a guaranteed Resolver restart every hour.
And the risk that feed servers are blacklisting your download attempts.

@manjotsc said in DNS Stops working:

Now when I start downloading something file large files, DNS stops working.

Loading some file from the net doesn't use the DNS.
In the beginningt, the URL of the file is resolved. The IP connection is made, and packets just stream through the router/firewall.
Whatever the Resolver is doing at that moment, it has nothing to do with this data stream.

If you want to look for system instability :
Remove ALL packages.
Check for 'strange' system messages : enter the console, option 8 and type "dmesg". See if new logs are added. Are they NIC related ?

manjotsc

@Gertjan DHCP Registration, is not checked.

manjotsc

@Gertjan This is what I am getting on logs,

----------------------------------------------- Before Reboot ---------------------------------------------

Screenshot_2020-06-05 pfSense manjot net - Status Dashboard1.png

alt text

--------------------------------------------- After Reboot -------------------------------------------------

alt text

Gertjan

@manjotsc said in DNS Stops working:

This is what I am getting on logs,

Both logs show a lot of what happens during DNS resolving.
Logging as much info - note that both logs images show lines that all took please in 1 second (!!).
Logging this much info really takes a hit on the system.
DNS resolving over port 853 (TLS) implies huge processing, because everything has to be encrypted - en of course decrypted - re encrypted on the other side. Reply times like 0.120 seconds or 120 milliseconds become 'normal'.
You do have AES-NI, but, still SDNS takes more time then classic DNS.

Do you have to supply 8.8.8.8 and 1.1.1.1 your private DNS info ? Please remember : these are companies. The fact that they don't bill you is because you gave them valuable info. Do you have to ? Did you try other DNS sources, like the official Internet DNS root servers ?

Another thing : do the http://www.dslreports.com/speedtest test.

No A's means : .... would you experience right now .... the WAN connection gets congested.

manjotsc

@Gertjan Can you help me find Root DNS servers, I made searchg, couln't find.

Annotation 2020-06-05 221423.png

Thanks,

SteveITS

@manjotsc said in DNS Stops working:

Can you help me find Root DNS servers

If you don't enable "DNS Query Forwarding" in the DNS resolver settings, then pfSense will query Internet root servers by default.
https://docs.netgate.com/pfsense/en/latest/book/services/dns-resolver.html

Gertjan

@manjotsc said in DNS Stops working:

Can you help me find Root DNS servers, I made searchg, couln't find.

As @teamits said : you, and unbound do not nedd to find them.
These 13 servers are exceptional : their host name and IP adrresses (IPv4 and IPv6 ) are build into unbound.
Here they are : https://www.iana.org/domains/root/servers (install Google and use these words : DNS root servers)

Use this command on pfSense to see them :

dig . ns

manjotsc

@Gertjan @johnpoz I'll try alternative dns servers and monitor.

Thanks, for your help and time.

manjotsc

@Gertjan @johnpoz I tried few other dns servers, same issue. DNS stops working and went to pfsense Diagnostics then ping, for exemple i tried ping 1.1.1.1 from WAN it pings but from lan side and guest side it does not ping. It looks like something is blocking on lan and guest from reaching dns servers.

Gertjan

@manjotsc said in DNS Stops working:

blocking on lan

That something is called a firewall rule. The default one works just fine.
Or you've busted the routing.

manjotsc

@Gertjan ok, that's right I have setup pfsense to block any dns server other than 192.168.40.1 on lan side see screenshot, all my lan devices ae set to use pfsense box as DNS server(192.168.40.1). Still I can't figure out the problem. Also I noticed one thing more DNS starts working fine if pfsense or modem is rebooted.

Annotation 2020-06-16 043532.png

Gertjan

Your doing some DNS related things with your firewall rules on LAN - all have a destination port of '53'.

DNS uses UDP and can use TCP.

Your not blocking ICMP - the protocol ping is using - so it will pass using the last, pass all rule for IPv4 stuff.
ICMP does not use the concept of 'ports'.

Ping to 1.1.1.1 should be possible from your LAN.

Thse are my LAN rule :

which is 100 % identical to your rules - I'm not blocking any DNS things. Just a big pass all.
And I also use IPv6 .... (not related to your question).

I can ping 1.1.1.1 just fine.