DNS Resolver and queries

fgalvan · Apr 19, 2021, 2:54 PM

Hi everyone,

My problem is turn me mad, because I don't to fix the problem. Ok, I'm using netgate firewall as firewall in my bussines, and it seems that sometimes, randomly but much more during the day firewall is not resolving the dns queries, but only sometimes. I'm using DNS resolve with port forwarding enable, disable DNSSec and SSL/TLS. Network interface in ALL and outgoing interface in WAN (my gateway) and in custom option I have

server:
private-domain: "mydomain.lan"

My pfSense version is 2.4.5-RELEASE-p1 (amd64)
built on Tue Jun 02 17:51:54 EDT 2020
FreeBSD 11.3-STABLE

My DNS servers are:

127.0.0.1
212.166.132.104
212.166.210.80

I saw that in DNS resolver logs I have some entries as this:

Apr 19 11:24:44 unbound 5349:0 info: 128.000000 256.000000 6
Apr 19 11:24:44 unbound 5349:0 info: 256.000000 512.000000 1
Apr 19 13:27:06 unbound 84482:1 notice: sendto failed: Permission denied
Apr 19 13:27:06 unbound 84482:1 notice: remote address is 212.166.210.80 port 53
Apr 19 13:28:12 unbound 84482:2 notice: sendto failed: Permission denied
Apr 19 13:28:12 unbound 84482:2 notice: remote address is 212.166.210.80 port 53
Apr 19 13:29:11 unbound 84482:2 notice: sendto failed: Permission denied
Apr 19 13:29:11 unbound 84482:2 notice: remote address is 212.166.210.80 port 53
Apr 19 14:42:33 unbound 84482:0 notice: sendto failed: Permission denied
Apr 19 14:42:33 unbound 84482:0 notice: remote address is 212.166.132.104 port 53

And in states I have that (A lot of no traffic in a port 53):

LAN udp 192.168.1.8:36295 -> 212.166.210.80:53 NO_TRAFFIC:SINGLE 1 / 0 70 B / 0 B
WAN udp 192.168.11.4:25639 (192.168.1.8:36295) -> 212.166.210.80:53 SINGLE:NO_TRAFFIC 1 / 0 70 B / 0 B
LAN udp 192.168.1.8:38169 -> 212.166.210.80:53 NO_TRAFFIC:SINGLE 1 / 0 70 B / 0 B
WAN udp 192.168.11.4:1241 (192.168.1.8:38169) -> 212.166.210.80:53 SINGLE:NO_TRAFFIC 1 / 0 70 B / 0 B
ovpns2 udp 192.168.15.24:54885 -> 192.168.1.10:53 NO_TRAFFIC:SINGLE 1 / 0 67 B / 0 B
LAN udp 192.168.15.24:54885 -> 192.168.1.10:53 SINGLE:NO_TRAFFIC 1 / 0 67 B / 0 B

Please, I need your help!!
Thank you so much in advanced

Gertjan · Apr 20, 2021, 7:08 AM

Use the default DNS settings, as that works fine.

You've added these :

@fgalvan said in DNS Resolver and queries:

212.166.132.104
212.166.210.80

so ... easy,
a) as you do not need them, and
b) you're in trouble now.

I propose : remove them.

Bonus : for even better performance, remove this check :

login-to-view

fgalvan · Apr 20, 2021, 7:32 AM

I've testing it in all ways, by the way, right now no more Permission denied message in DNS Resolver logs. I think it was because I deleted all unbound folder (with shell) and pFsense create again.

Sometime when a I lose the connection I do nslookup and I get a SERVFAIL from 127.0.0.1 and try next DNS server and its sometimes resolve and other I got a no response from DNS.

Test:

[2.4.5-RELEASE][admin@fw1.mondotvcanarias.lan]/root: nslookup 20minutos.es
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 212.166.132.104
Address: 212.166.132.104#53

Non-authoritative answer:
Name: 20minutos.es
Address: 13.32.128.129
Name: 20minutos.es
Address: 13.32.128.5
Name: 20minutos.es
Address: 13.32.128.2
Name: 20minutos.es
Address: 13.32.128.43

Gertjan · Apr 20, 2021, 8:52 AM

@fgalvan said in DNS Resolver and queries:

Sometime when a I lose the connection I do nslookup and I get a SERVFAIL from 127.0.0.1 and try next DNS server and its sometimes resolve and other I got a no response from DNS.

That's why I gave you the Bonus.
It's not much of an effort, and pays of right away.
As many times discussed on the forum.

The thing is : every time a DHCP lease treated or renew, unbound get 'restarted'.

Check out the Resolver logs yourself : you'll find answers there of the question you're about to formulate (the answers nearly always always in the logs, that's why they exist).

@fgalvan said in DNS Resolver and queries:

;; Got SERVFAIL reply from 127.0.0.1, trying next server

That means that at the moment of the request, unbound wasn't running == serving port 53 on 127.0.0.1
Is it running ?

I mean, don't look at the GUI.
Run

ps ax | grep 'unbound'

fgalvan · Apr 20, 2021, 9:23 AM

@gertjan Done that you recommend me, even bonus, but now I'm getting the message:

** server can't find 20minutos.es: SERVFAIL

and now it seems is not working anymore

Thank you!!

Gertjan · Apr 20, 2021, 9:59 AM

@fgalvan said in DNS Resolver and queries:

and now it seems is not working anymore

Why didn't you check ?

@gertjan said in DNS Resolver and queries:

I mean, don't look at the GUI.
Run
ps ax | grep 'unbound'

Btw :
Unchecking "Register DHCP leases in the DNS Resolver" just STOPS restarting unbound every xxxx seconds.

Edit :
You have pfSense packages installed ?
I wait until you come back with replies, but it might be possible that unbound doesn't run at all, and if started, it fails.
Can you show the unbound (== resolver) logs ?

Just to be sure : goto default and set all these to All :

login-to-view

@fgalvan said in DNS Resolver and queries:

I think it was because I deleted all unbound folder (with shell) and pFsense create again.

The unbound dir is special. It has many special file systems mounted in it.

Type

df

Look at what is says ...

Btw : my df' shows :

Filesystem                  1K-blocks    Used     Avail Capacity  Mounted on
/dev/ufsid/54ca20c41b3d50b0 298695208 6805008 267994584     2%    /
devfs                               1       1         0   100%    /dev
/dev/md0                         3484     180      3028     6%    /var/run
/lib                        298695208 6805008 267994584     2%    /var/unbound/lib
/var/log/pfblockerng        298695208 6805008 267994584     2%    /var/unbound/var/log/pfblockerng
/usr/local/share/GeoIP      298695208 6805008 267994584     2%    /var/unbound/usr/local/share/GeoIP
/usr/local/bin              298695208 6805008 267994584     2%    /var/unbound/usr/local/bin
/usr/local/lib              298695208 6805008 267994584     2%    /var/unbound/usr/local/lib
devfs                               1       1         0   100%    /var/dhcpd/dev
devfs                               1       1         0   100%    /var/unbound/dev
devfs                               1       1         0   100%    /var/unbound/dev

The unbound dir :

drwxr-xr-x   7 unbound  unbound  1024 Apr 20 12:07 unbound

Just to be sure, take the 5 minutes tour -> and re install. You'll be sure all is ok afterwards.

fgalvan · Apr 21, 2021, 7:42 AM

Hi @Gertjan, now it's working I don't need a reinstall, just left the configuration as you said to me, but I don't understand a thing, why doing a nslookup from shell in pfsense is not resolving?

[2.4.5-RELEASE][admin@fw1.mondotvcanarias.lan]/root: nslookup 20minutos.es
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 20minutos.es: SERVFAIL

But using other DNS server is working

[2.4.5-RELEASE][admin@fw1.mondotvcanarias.lan]/root: nslookup 20minutos.es 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: 20minutos.es
Address: 13.32.128.5
Name: 20minutos.es
Address: 13.32.128.43
Name: 20minutos.es
Address: 13.32.128.129
Name: 20minutos.es
Address: 13.32.128.2

Using a roots servers is special for pfsense or something like this?

Sorry for all of this, I'm new in pfsense and networking in general.

Thank you so so much!!

Gertjan · Apr 21, 2021, 9:35 AM

This is not good :

@fgalvan said in DNS Resolver and queries:

Address: 127.0.0.1#53
** server can't find 20minutos.es: SERVFAIL

normally, unbound should be running, and listening to "All" interfaces, and that includes espcially 127.0.0.1 (localhost).

[2.5.1-RELEASE][admin@pfsense.my-pfsense.net]/conf/acme: sockstat -4  | grep 'unbound'
unbound  unbound    79355 5  udp4   *:53                  *:*
unbound  unbound    79355 6  tcp4   *:53                  *:*
unbound  unbound    79355 7  tcp4   127.0.0.1:953         *:*

This command shows that there is a process called 'unbound' listening on All interface. All includes 127.0.0.1.
Unbound also listens on port 953 - only for 127.0.0.1

Do you have the same thing ?

nslookup 20minutos.es
net.c:536: probing sendmsg() with IPV6_TCLASS=b8 failed: No route to host
Server:         127.0.0.1
Address:        127.0.0.1#53

Non-authoritative answer:
Name:   20minutos.es
Address: 99.86.242.36
Name:   20minutos.es
Address: 99.86.242.76
Name:   20minutos.es
Address: 99.86.242.13
Name:   20minutos.es
Address: 99.86.242.94

The line that shows net.c:536: probing sendmsg() with IPV6_TCLASS=b8 failed: No route to host is a know recent issue : See https://forum.netgate.com/topic/162791/dns-randomly-stops-working/13

fgalvan · Apr 21, 2021, 9:50 AM

I get this:

[2.4.5-RELEASE][admin@fw1.mondotvcanarias.lan]/root: sockstat -4 | grep 'unbound'
unbound unbound 48018 4 udp4 *:53 :
unbound unbound 48018 5 tcp4 *:53 :
unbound unbound 48018 6 tcp4 127.0.0.1:953 :

but when a I go with nslookup, I get this:

[2.4.5-RELEASE][admin@fw1.mondotvcanarias.lan]/root: nslookup 20minutos.es
Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find 20minutos.es: SERVFAIL

My config now is:

Network interfaces --> ALL
Outgoing Network interfaces --> WAN

And I have,
DNS forwarding mode enable, Could it be the reason? Probably I could disable it

Thank you

Gertjan · Apr 26, 2021, 7:57 AM

@fgalvan said in DNS Resolver and queries:

DNS forwarding mode enable, Could it be the reason? Probably I could disable it

Are you forwarding ? ( To where/who ?? )
To the servers 212.166.132 etc you removed earlier ?
( ohho)
Yes, please, use the default settings, and that is not 'forwarding'.
I guess you've nailed it now.

fgalvan · Apr 26, 2021, 7:57 AM

@gertjan Yesterday, I could change that, now it seems it's working how it should be. Thank you so much for your help.