[SOLVED] Fresh Install - DNS Issues.



  • Hello,

    I just installed pfsense and I am experiencing this behavior:

    1 - if I use the pfsense IP as DNS server on my PC, I can't access web sites or anything that needs DNS - but it sometimes works for a while.
    2 - if I use a third party DNS server I have two possible results:

    2a - if unbound is enabled I do not have DNS working;
    2b - if unbound is disabled DNS works like a charm.

    Testing from pfsense web interface, using DNS Lookup, the results are quite similar but the DNS almost always resolves but with +10000ms, when I have unbound enabled.

    Intel E7400, 3GB RAM.

    PS. I have very little experience with pfsense.
    PS.2 Already updated to 2.3.1_1

    The issue was caused by HDD failure.

    Thanks!


  • LAYER 8 Global Moderator

    Why would you be using unbound and 3rd party DNS?  Do you have unbound in forwarder mode?  It defaults to resolver mode, in this case you don't use any other specific DNS.  It resolves from the roots down.

    When you say using 3rd party DNS, do you mean pfsense has other DNS listed or you put in say 8.8.8.8 into your client directly?

    The most common setup is clients point to pfsense for DNS, you use either the DNS forwarder (dnsmasq) or you use the resolver (unbound) in pfsense.  Or you could use unbound in forwarder mode.

    Out of the box pfsense uses unbound as actual resolver.

    You should not have both forwarder and resolver enabled at the same time.



  • I am not using DNS forwarder. The third party DNS (DNS Advantage) I configured on the client; otherwise I did not have DNS working.

    Having unbound as DNS Resolver is exactly what I want.

    The box will restart because I installed suricata. I will configure the client to use pfsense IP as DNS server again to see if it works.

    Thanks.

    PS. Just to point out, the DNSs listed on pfsense box are localhost, and a pair of IPv6 and IPv4 from my ISP - configured by DHCP.



  • It is working, but very slow.

    Using unbound is taking several seconds, sometimes +10, to have a web page opened, while when using DNS Advantage it opens near instantaneously. It is weird because I already had pfsense for a while some time ago, and using unbound at that time made things open really fast.

    Testing 'DNS Lookup' on pfsense box, sometimes localhost takes a few hundred ms to resolve, but sometimes 0ms.  :o


  • LAYER 8 Global Moderator

    Do you understand how the resolver works?  It talks roots down.  So if you're looking for www.domainx.com it asks roots hey who is ns for .com, thanks ok ns .com what is ns for domainx.com, ok thanks domainx.com ns what is A record for www.domainx.com

    So depending on your connectivity and where domainx.com ns is, it might take some time to do that query vs just asking your local isp dns hey what is www.domainx.com and it has that cached already because someone else looked it up 2 minutes ago.

    As far as looking up local stuff?  Like what exactly?  Looking up the pfsense record should be pretty much instant. If it's taking 100ms you have something major wrong either with pfsense or your network in general.  Are you wired or wireless to talk to pfsense IP?

    dig pfsense.local.lan

    ; <<>> DiG 9.10.3-P4 <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 298
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.            IN      A

    ;; ANSWER SECTION:
    pfsense.local.lan.      3600    IN      A      192.168.9.253

    ;; Query time: 0 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon Jun 13 16:15:16 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 62

    dig www.cnn.com

    ; <<>> DiG 9.10.3-P4 <<>> www.cnn.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54605
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.cnn.com.                  IN      A

    ;; ANSWER SECTION:
    www.cnn.com.            300    IN      CNAME  turner.map.fastly.net.
    turner.map.fastly.net.  30      IN      A      23.235.46.73

    ;; AUTHORITY SECTION:
    fastly.net.            47522  IN      NS      ns2.p04.dynect.net.
    fastly.net.            47522  IN      NS      ns4.p04.dynect.net.
    fastly.net.            47522  IN      NS      ns3.p04.dynect.net.
    fastly.net.            47522  IN      NS      ns1.p04.dynect.net.

    ;; Query time: 109 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon Jun 13 16:15:28 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 174

    So see how that took 109 ms, then I query it again and it's instant

    dig www.cnn.com

    ; <<>> DiG 9.10.3-P4 <<>> www.cnn.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9568
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 4, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.cnn.com.                  IN      A

    ;; ANSWER SECTION:
    www.cnn.com.            295    IN      CNAME  turner.map.fastly.net.
    turner.map.fastly.net.  25      IN      A      23.235.46.73

    ;; AUTHORITY SECTION:
    fastly.net.            47517  IN      NS      ns2.p04.dynect.net.
    fastly.net.            47517  IN      NS      ns4.p04.dynect.net.
    fastly.net.            47517  IN      NS      ns3.p04.dynect.net.
    fastly.net.            47517  IN      NS      ns1.p04.dynect.net.

    ;; Query time: 0 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon Jun 13 16:15:33 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 174

    and notice how the ttl has begun counting down.
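
An added example, not part of the original post: a small Python check that parses two `dig` runs and decides whether the second was answered from the resolver's cache, using the same signals pointed out above (same records, TTLs lower by the elapsed time). The sample text is abbreviated from the two www.cnn.com runs in the post; the function names and the one-second slack are assumptions of this example.

```python
import re

# Abbreviated from the two www.cnn.com dig runs shown in the post above.
FIRST = """\
;; ANSWER SECTION:
www.cnn.com.            300    IN      CNAME  turner.map.fastly.net.
turner.map.fastly.net.  30      IN      A      23.235.46.73

;; Query time: 109 msec
;; WHEN: Mon Jun 13 16:15:28 Central Daylight Time 2016
"""
SECOND = """\
;; ANSWER SECTION:
www.cnn.com.            295    IN      CNAME  turner.map.fastly.net.
turner.map.fastly.net.  25      IN      A      23.235.46.73

;; Query time: 0 msec
;; WHEN: Mon Jun 13 16:15:33 Central Daylight Time 2016
"""

# One resource record line: name, TTL, class IN, type, rdata.
RR = re.compile(r"^(\S+)[ \t]+(\d+)[ \t]+IN[ \t]+(\S+)[ \t]+(\S+)$", re.M)

def parse_dig(text):
    """Return query time (ms), time of day (s) and {(name, type, rdata): ttl}."""
    qtime = int(re.search(r"Query time: (\d+) msec", text).group(1))
    h, m, s = map(int, re.search(r"WHEN:.*?(\d\d):(\d\d):(\d\d)", text).groups())
    records = {(n, t, d): int(ttl) for n, ttl, t, d in RR.findall(text)}
    return {"qtime_ms": qtime, "clock_s": h * 3600 + m * 60 + s, "records": records}

def served_from_cache(first, second, slack_s=1):
    """True if `second` looks like a cached copy of `first`: identical
    records, every TTL lower by the elapsed wall-clock time (same day)."""
    a, b = parse_dig(first), parse_dig(second)
    if a["records"].keys() != b["records"].keys():
        return False
    elapsed = b["clock_s"] - a["clock_s"]
    return elapsed >= 0 and all(
        abs((a["records"][k] - b["records"][k]) - elapsed) <= slack_s
        for k in a["records"]
    )

if __name__ == "__main__":
    print("first lookup :", parse_dig(FIRST)["qtime_ms"], "ms")
    print("second lookup:", parse_dig(SECOND)["qtime_ms"], "ms")
    print("second served from cache:", served_from_cache(FIRST, SECOND))
```

If a repeated lookup still shows a long query time, or its TTLs are back at their full values, the resolver is not answering from its cache and the delay is not explained by the roots-down walk alone.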



  • Thanks!

    I am installing pfsense again. I had to replace the HDD, which seems to be failing.

    The HDD should probably be the source of the problem indeed.

    I will update later.



  • @johnpoz

    I was suffering from slowness on everything, even if the same website was accessed two/three times in a row.

    Yes, replacing the HDD did the trick.

    Thanks!  :D

