    Resolve hostname stop working randomly on different hosts

    • GertjanG
      Gertjan @avsion
      last edited by Gertjan

      @avsion said in Resolve hostname stop working randomly on different hosts:

      How does the pfsense resolve the public IPs after I removed it from the DNS server list?

      Because the one that does the resolving, the Resolver, is a resolver ;)
      Now what is a resolver?

      A resolver uses the known 13 main Internet Root servers to do the DNS job for you. It doesn't need any upstream DNS server, it doesn't use them.
      But if you have to give "8.8.8.8, 8.8.4.4" your private DNS queries, you're free to do so.

      Have a look at the logs of the resolver. Is it (re)starting often? And if so, check out one of the many forum threads about the subject.

      Btw: I'm using the resolver with the default settings.
      Except one: I also unchecked "DHCP Registration".
      You can leave "Static DHCP: Register DHCP static mappings in the DNS Resolver" checked because the IP is static, so DNS info stays static. These won't restart the resolver.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • A
        avsion @Gertjan
        last edited by

        Hi @Gertjan ,

        Thank you for your reply,

        @Gertjan said in Resolve hostname stop working randomly on different hosts:

        A resolver uses the known 13 main Internet Root servers to do the DNS job for you. It doesn't need any upstream DNS server, it doesn't use them.
        But if you have to give "8.8.8.8, 8.8.4.4" your private DNS queries, you're free to do so.

        In general because of privacy reasons I prefer not to use google dns for outbound if I don’t need to. If the resolver will do the basic task of resolving dns queries without using my information for any other reasons. If so do I just use PFS DGW 192.168.1.1 in the general settings? And can I remove google DNS outbound from the DHCP server from all interfaces as well?

        Regarding private queries as far as I understand any Public DNS server such as google cannot resolve RFC1908 ranges, I have used google dns only for the upstream queries, is there something I'm missing about the general dns settings?

        The DNS Resolver does show 99 restarts over snapshot of 8 hours, see attached image
        Any tips how to resolve that issue? Any thread you know I can check? I had a look at the forum and tried the above as described in the OP.

        Thank you

        [attached screenshot]

        • GertjanG
          Gertjan @avsion
          last edited by Gertjan

          @avsion said in Resolve hostname stop working randomly on different hosts:

          if the resolver will do the basic task of resolving dns queries without using my information for any other reasons.

          No information from you is needed. Internet became autonomous a couple of days after its birth.

          These are the default - and perfect - settings:

          [screenshot]

          You saw it : nothing should be changed here.

          @avsion said in Resolve hostname stop working randomly on different hosts:

          And can I remove google DNS outbound from the DHCP server from all interfaces as well?

          If you want all your devices to have Google as their DNS, why not.
          Normally it's the local router who's doing that job for you. In that case: put all settings back to default (== no DNS settings) which means your pfSense will resolve/cache/dnssec/etc.

          @avsion said in Resolve hostname stop working randomly on different hosts:

          The DNS Resolver does show 99 restarts over snapshot of 8 hours, see attached image
          any tips how to resolve that issue? any thread you know I can check

          Like Home > pfSense® Software > DHCP and DNS Unbound > VERY frequent restarts (DNS Resolver Restarts) ?

          First: this one:

          [screenshot]

          is not checked, right?

          unbound, the resolver, is also restarted when:
          Interfaces go down and up (like a non stable WAN - example: you have a 60 second WAN lease - seen that recently) or a VPN-client connection that is not stable at all.
          Bad LAN interface / cable?
          Or: look at this: https://forum.netgate.com/topic/150108/unbound-very-frequent-restarts-dns-resolver-restarts

          Have a look at the System log .... there is always useful info there.

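Added example, not part of the thread: one way to check the system log for the restart causes named in the post above (a new DHCP lease while DHCP Registration is on, or an interface going down and up). The sample log lines are constructed, the message formats are assumed to be the usual unbound, dhcpd and FreeBSD kernel syslog messages, and the 15-second correlation window and the function name are hypothetical choices.

```python
import re
from collections import Counter
from datetime import datetime, timedelta

# Constructed sample lines in syslog style; not taken from the thread.
SAMPLE_LOG = """\
Jun 23 02:00:01 pfSense dhcpd: DHCPACK on 192.168.1.50 to 00:11:22:33:44:55 (phone) via igb1
Jun 23 02:00:03 pfSense unbound: [4242:0] info: start of service (unbound 1.10.1).
Jun 23 02:10:00 pfSense kernel: igb0: link state changed to DOWN
Jun 23 02:10:04 pfSense kernel: igb0: link state changed to UP
Jun 23 02:10:09 pfSense unbound: [4300:0] info: start of service (unbound 1.10.1).
Jun 23 03:30:00 pfSense unbound: [4411:0] info: start of service (unbound 1.10.1).
Jun 23 03:45:10 pfSense dhcpd: DHCPACK on 192.168.1.51 to 00:11:22:33:44:66 (tv) via igb1
Jun 23 03:45:12 pfSense unbound: [4500:0] info: start of service (unbound 1.10.1).
"""

# timestamp, host, process name, message
LINE = re.compile(r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ (\w+): (.*)$")
# Events the thread names as reasons for unbound to be restarted.
TRIGGERS = {
    "dhcp_lease": re.compile(r"DHCPACK on "),
    "link_change": re.compile(r"link state changed to "),
}

def classify_restarts(log_text, window_s=15, year=2020):
    """Count unbound starts by the most recent trigger seen within window_s."""
    recent = []        # (timestamp, cause) for every trigger event seen so far
    causes = Counter()
    for raw in log_text.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        # Syslog timestamps carry no year, so one is supplied (assumption).
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        proc, msg = m.group(2), m.group(3)
        if proc == "unbound" and "start of service" in msg:
            cutoff = ts - timedelta(seconds=window_s)
            hits = [cause for t, cause in recent if t >= cutoff]
            causes[hits[-1] if hits else "unexplained"] += 1
        else:
            for cause, pattern in TRIGGERS.items():
                if pattern.search(msg):
                    recent.append((ts, cause))
    return causes

if __name__ == "__main__":
    for cause, count in classify_restarts(SAMPLE_LOG).most_common():
        print(f"{cause}: {count}")
```

Restarts that land in the "unexplained" bucket are the ones worth reading the surrounding log lines for by hand.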
          • A
            avsion @Gertjan
            last edited by

            @Gertjan said in Resolve hostname stop working randomly on different hosts:

            Normally it's the local router who's doing that job for you. In that case: put all settings back to default (== no DNS settings) which means your pfSense will resolve/cache/dnssec/etc

            Hi @Gertjan
            I will factory default and start again, no google dns, let PFS do it all. In the wizard step 2
            "Override DNS: Allow DNS servers to be overridden by DHCP/PPP on WAN"
            should be enabled or disabled?

            Thank you

            • GertjanG
              Gertjan
              last edited by Gertjan

              Disabled.

              Whatever the upstream router proposes - pfSense doesn't need them.
              The upstream router could be on your premises, or on the ISP side.

              • A
                avsion
                last edited by

                By default the pfsense wizard is enabled/ticked, just double-check it should be disabled, correct? I didn't understand what does this setting do?

                Thank you

                • GertjanG
                  Gertjan @avsion
                  last edited by

                  @avsion said in Resolve hostname stop working randomly on different hosts:

                  just doublecheck it should be disabled correct?

                  Never used the (a) wizard.
                  By looking at the description:

                  If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients.

                  I can't imagine a situation where this option has a sense.
                  For historical reasons? A fact is, that, in the past, most ISP routers worked this way.
                  Probably because the ISP wanted to be in the DNS-chain (so the router contained a light weight DNS forwarder), because it was exposing services to its clients that were not accessible for the outside world. That's mostly a thing of the past now.

                  • A
                    avsion
                    last edited by

                    Hi @Gertjan

                    Thank you for your reply, I have factory-defaulted the pfSense and set the following:

                    General settings - add hostname, domain, DNS Servers Leave blank and untick Override DNS, all the rest default.

                    Services
                    DHCP Servers - Leave blank.

                    DNS Resolver - Network Interfaces and Outgoing Network Interfaces set to ALL, DNSSEC and DHCP Static enabled, DHCP Registration disabled, upload XML hostnames.

                    NTP - added local NTP servers

                    UPnP & NAT-PMP - UPnP Port Mapping, NAT-PMP Port Mapping enabled for IoT VLAN Only.

                    LAN/IoT Interface - hardcoded Speed / Duplex to 1000BaseSX on both ends, router and switch, as the supermicro LAN/VLAN interface I use is SFP+ and the UniFi switch is SFP.

                    The system is now running well, I can't see any errors or resolver restarts in the system log. I do feel a bit of lag when opening some apps on the IoT VLAN compared to the Google DNS, maybe still caching.

                    Few questions:

                    DNS Resolver
                    Network Interfaces set to ALL, if I want the resolver to respond to all interfaces/IP on my network, correct?

                    Outgoing Network Interfaces is set to ALL however I only have one WAN interface, should I keep it ALL or select WAN to use WAN only? (not clear if the other interfaces are in use if I have one WAN interface).

                    ALL DHCP Servers - Leave blank to use the pfSense DNS Resolver, correct?

                    LAN/IoT Interface - Do I need to set the speed/duplex on the IoT VLAN interface as well (Both) or just on the Main LAN interface?

                    Any other comments or recommended setting?

                    Thank you

                    • GertjanG
                      Gertjan @avsion
                      last edited by

                      Up, and above : ok to me.
                      But what do you mean with :

                      @avsion said in Resolve hostname stop working randomly on different hosts:

                      upload XML hostnames.

                      @avsion said in Resolve hostname stop working randomly on different hosts:

                      UPnP & NAT-PMP - UPnP Port Mapping, NAT-PMP Port Mapping enabled for IoT VLAN Only.

                      Whatever you want ^^
                      IMHO: UPNP should be avoided at all times. As you have to fully trust your devices .... and the entire Internet seeing them. You're right: put these on a separate LAN - OPTx network.

                      The rest: I'm using identical settings so I tend to say: all ok for your usage.

                      This has an explanation:
                      @avsion said in Resolve hostname stop working randomly on different hosts:

                      Outgoing Network Interfaces is set to ALL however I only have one WAN interface, should I keep it ALL or select WAN to use WAN only? (not clear if the other interfaces are in use if I have one WAN interface).

                      The resolver knows at hand the 13 IP (26 actually) addresses of the main root servers.
                      The router (pfSense) has a routing table - as it is a router, so it knows that these 13 addresses are not local. In other words: it cannot reach them on networks like LAN, OPT1, etc. Only the WAN type interfaces offer a possible way to these 13 IPs.
                      The main 13 DNS root servers will return other remote DNS servers, up until the domain name server that serves the final DNS records.
                      So there is no real need to specify the outgoing interfaces, as the router already knows them.

                      This explains why you can leave both settings to "All": the Resolver's outgoing and ingoing interfaces.

                      • A
                        avsion
                        last edited by

                        @Gertjan said in Resolve hostname stop working randomly on different hosts:

                        But what do you mean with :
                        @avsion said in Resolve hostname stop working randomly on different hosts:

                        upload XML hostnames.

                        Before reset to factory default I backed up the resolver, which includes all the manual hostname data entries.

                        @Gertjan said in Resolve hostname stop working randomly on different hosts:

                        IMHO: UPNP should be avoided at all times. As you have to fully trust your devices .... and the entire Internet seeing them. You're right: put these on a separate LAN - OPTx network.

                        Agree, will disable UPnP. IoT is already on a separated VLAN with all firewall rules blocking access to LAN.

                        Thank you for your help, I will monitor the system and see how we go.
