DNS Stops working

Gertjan

This is what I am getting on logs,

Both logs show a lot of what happens during DNS resolving.
Logging as much info - note that both logs images show lines that all took please in 1 second (!!).
Logging this much info really takes a hit on the system.
DNS resolving over port 853 (TLS) implies huge processing, because everything has to be encrypted - en of course decrypted - re encrypted on the other side. Reply times like 0.120 seconds or 120 milliseconds become 'normal'.
You do have AES-NI, but, still SDNS takes more time then classic DNS.

Do you have to supply 8.8.8.8 and 1.1.1.1 your private DNS info ? Please remember : these are companies. The fact that they don't bill you is because you gave them valuable info. Do you have to ? Did you try other DNS sources, like the official Internet DNS root servers ?

Another thing : do the http://www.dslreports.com/speedtest test.

No A's means : .... would you experience right now .... the WAN connection gets congested.

manjotsc

@Gertjan Can you help me find Root DNS servers, I made searchg, couln't find.

Annotation 2020-06-05 221423.png

Thanks,

SteveITS

@manjotsc said in DNS Stops working:

Can you help me find Root DNS servers

If you don't enable "DNS Query Forwarding" in the DNS resolver settings, then pfSense will query Internet root servers by default.
https://docs.netgate.com/pfsense/en/latest/book/services/dns-resolver.html

Gertjan

@manjotsc said in DNS Stops working:

Can you help me find Root DNS servers, I made searchg, couln't find.

As @teamits said : you, and unbound do not nedd to find them.
These 13 servers are exceptional : their host name and IP adrresses (IPv4 and IPv6 ) are build into unbound.
Here they are : https://www.iana.org/domains/root/servers (install Google and use these words : DNS root servers)

Use this command on pfSense to see them :

dig . ns

manjotsc

@Gertjan @johnpoz I'll try alternative dns servers and monitor.

Thanks, for your help and time.

manjotsc

@Gertjan @johnpoz I tried few other dns servers, same issue. DNS stops working and went to pfsense Diagnostics then ping, for exemple i tried ping 1.1.1.1 from WAN it pings but from lan side and guest side it does not ping. It looks like something is blocking on lan and guest from reaching dns servers.

Gertjan

@manjotsc said in DNS Stops working:

blocking on lan

That something is called a firewall rule. The default one works just fine.
Or you've busted the routing.

manjotsc

@Gertjan ok, that's right I have setup pfsense to block any dns server other than 192.168.40.1 on lan side see screenshot, all my lan devices ae set to use pfsense box as DNS server(192.168.40.1). Still I can't figure out the problem. Also I noticed one thing more DNS starts working fine if pfsense or modem is rebooted.

Annotation 2020-06-16 043532.png

Gertjan

Your doing some DNS related things with your firewall rules on LAN - all have a destination port of '53'.

DNS uses UDP and can use TCP.

Your not blocking ICMP - the protocol ping is using - so it will pass using the last, pass all rule for IPv4 stuff.
ICMP does not use the concept of 'ports'.

Ping to 1.1.1.1 should be possible from your LAN.

Thse are my LAN rule :

which is 100 % identical to your rules - I'm not blocking any DNS things. Just a big pass all.
And I also use IPv6 .... (not related to your question).

I can ping 1.1.1.1 just fine.

manjotsc

@Gertjan When DNS is working I am able ping 1.1.1.1, but not when DNS stops. It's been months I trying figure this out and I dont have any dns rule on guest, still causes problem.
thanks,

Annotation 2020-06-16 045618.png

Gertjan

@manjotsc said in DNS Stops working:

When DNS is working I am able ping 1.1.1.1, but not when DNS stops.

And what if 'DNS' (the resolver / unbound) is still working and your issue is the connection between the two devices ? NIC ? Cables ? switches ?

Such a question would last a couple of minutes normally. You can be sure right away :

When your 'ping 1.1.1.1' on a LAN based device "doesn't work", does it work on pfSense at that very moment (use the console ssh access, option 8) and execute the same command over there.
To test DNS on pfSense, do a

dig one.one.one.one +trace

which will resolve from top to bottom.

If ping using an IP, and using a host name, and the proposed DNS works on pfSense, you know now where to look ...

Btw : DNS never stops working by itself, except :
Bad uplink (WAN) connection.
Some packages can receive settings that totally 'kill' pfSense, DNS, or the entire system. - The combination pfBlockerNG-devel <-> Unbound is very known.
etc etc.

manjotsc

@Gertjan Alright I'll give a try when It goes down again, thanks.

serbus

Hello!

Just a shot in the dark....

In addition to pfb, are you running snort/suricata...with blocking turned on...and maybe some ET DNS type rules...?

John

manjotsc

@serbus I am not using snort or surcata,

manjotsc

@johnpoz @Gertjan @teamits @serbus It started happening again, this time instead of reboot pfsense or modem, I unplugged the Ethernet cable from wan port and plugged back in, everything start working again, so I replaced the cable just in case. But the issue remains, I have unplug and plug back the Ethernet cable from my modem to pfsense, to restore connectivity. The Internet cuts off on pfsense not only dns, when downloading large files.

Gertjan

You said 'modem' : is it really a modem ?
What is your pfSense WAN IP ? An RFC1918 or a "real Internet IP" ?

When you loose DNS, the resolver is still running ? You can, for example, use Diagnostics > DNS Lookup and lookup a local host like printer.localdomain.local (or whaterer your local domain is).

manjotsc

@Gertjan I am extremely sorry about delayed reponse.

Annotation 2020-07-03 164730.png Annotation 2020-07-03 164507.png Annotation 2020-07-03 164435.png Annotation 2020-07-03 164241.png

Gertjan

Several questions back :

Why all the packages ? All the VPN's ?
Who is the user setup ? This is a router/firewall : the build user 'admin' will do just fine. A router is not a central meeting place.
As you can see, the "127.0.0.1" has no answer for any existing hostname, For me, all your test hostnames resolved just fine.

I advise you to tack a huge step back.
Save your config, and go back to default.
Take the initial setup as a reference : as it has one huge advantage : everything works. Especially DNS.
You do not need / should not add 24.225.128.24 / 24.200.0.2 / 24.55.0.19 / 1.1.1.1 / 1.0.0.1 except if you have your very special private reasons (making you an expert - the one that never asks questions because he "knows").

When all works fine, add, for example, one - just one - VPN. Test it, leave it some days. Check the logs for any entries you can't explain for yourself.
Then, do a next step. And again, take your time.

As soon as something goes bad, you will have that one-click solution to get back to a stable, working situational.

Btw : stay away form 'heavy' packages.

Btw : check your ISP / ISP equipment, like the upstream router.
this is bad to start with :