DHCP client DNS resolution not working
-
1st time pfsense user here.
I have downloaded and installed pfsense and have a vanilla setup.
WAN: DHCP
LAN: 192.168.1.x
LAN-GW: 192.168.1.254
Everything appears to be working other than client dns resolution.
DHCP has set both the GW and DNS for the clients to the pfsense box as expected.
user@pc:~$ping -c4 172.217.25.46
PING 172.217.25.46 (172.217.25.46) 56(84) bytes of data.
64 bytes from 172.217.25.46: icmp_seq=1 ttl=53 time=579 ms
64 bytes from 172.217.25.46: icmp_seq=2 ttl=53 time=579 ms
64 bytes from 172.217.25.46: icmp_seq=3 ttl=53 time=567 ms
64 bytes from 172.217.25.46: icmp_seq=4 ttl=53 time=577 ms
--- 172.217.25.46 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3003ms
rtt min/avg/max/mdev = 567.312/575.911/579.763/5.164 ms
user@pc:~$ping google.com
ping: unknown host google.com
user@pc:~$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
user@pc:~$sudo nm-tool | grep DNS:
DNS: 192.168.1.254
user@pc:~$
The pfsense box itself can perform DNS lookups under "Diagnostics".
From the clients I can ping the DNS servers.
-
LAN-GW: 192.168.1.254
Why did you set a GW on your lan? That should never be done.. Is 192.168.1.254 pfsense lan IP or do you have some downstream router that you need to get to??
-
LAN-GW: 192.168.1.254
This is the GW address for the clients and is the IP of the pfsense box.
user@pc:~$route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
No downstream router, just a broadband modem.
-
ok that is fine, but you did not set that on pfsense.. Ah that is route table from your pc.. Ok that is fine..
So this client is multi-homed with a connection to some 192.168.122/24 network?
Anyhoo. So you're running the resolver on pfsense. And your clients are asking pfsense and they get what back, timeout, refused, servfail? See, you're using Linux, so do a dig or drill or your fav query for something to pfsense.. What do you get back? This is pfsense LAN? Or another interface like OPT, ie it looks like this is wifi from your client output showing wlan0
example
C:\>ssh user@ubuntu.local.lan
Last login: Mon Aug 29 12:05:24 2016 from 10.0.8.100
user@ubuntu:~$ dig www.pfsense.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1499
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;www.pfsense.org. IN A

;; ANSWER SECTION:
www.pfsense.org. 300 IN A 208.123.73.69

;; AUTHORITY SECTION:
pfsense.org. 300 IN NS ns2.netgate.com.
pfsense.org. 300 IN NS ns1.netgate.com.

;; Query time: 95 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Aug 29 16:37:45 CDT 2016
;; MSG SIZE rcvd: 107

user@ubuntu:~$
What are the firewall rules you have on the interface these clients are talking to? If LAN they should be any any, did you change those? If you're connecting in via a wifi router used as AP, you sure you're not just double natting and you have the same 192.168.1/24 that you're using for pfsense LAN as the network on your wifi router?
-
user@pc:~$ route -n
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
0.0.0.0 192.168.1.254 0.0.0.0 UG 0 0 0 wlan0
192.168.1.0 0.0.0.0 255.255.255.0 U 9 0 0 wlan0
192.168.122.0 0.0.0.0 255.255.255.0 U 0 0 0 virbr0
user@pc:~$ ping www.pfsense.org
ping: unknown host www.pfsense.org
user@pc:~$ dig www.pfsense.org

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
;; global options: +cmd
;; connection timed out; no servers could be reached
user@pc:~$ sudo nm-tool | grep DNS:
DNS: 192.168.1.254
user@pc:~$ ping -c4 8.8.8.8
PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=585 ms
64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=626 ms
64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=586 ms
64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=668 ms
--- 8.8.8.8 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 3000ms
rtt min/avg/max/mdev = 585.774/616.730/668.416/34.029 ms
user@pc:~$ ping -c4 8.8.4.4
PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
64 bytes from 8.8.4.4: icmp_seq=1 ttl=58 time=614 ms
64 bytes from 8.8.4.4: icmp_seq=2 ttl=58 time=612 ms
64 bytes from 8.8.4.4: icmp_seq=3 ttl=58 time=615 ms
64 bytes from 8.8.4.4: icmp_seq=4 ttl=58 time=693 ms
--- 8.8.4.4 ping statistics ---
4 packets transmitted, 4 received, 0% packet loss, time 2998ms
rtt min/avg/max/mdev = 612.954/634.040/693.788/34.518 ms
user@pc:~$
dig reports "no servers can be reached"
Firewall rules are all defaults.
-
Might be a good idea to send screenshots of your DNS forwarder settings (these are pretty basic, but it would be good to confirm this has been done). Also provide information of what DNS servers your PFS is using itself. From what you've shown so far, it looks like your firewall rules are (probably) ok, though you haven't provided those either. It's more likely that you either haven't enabled the DNS forwarder on your firewall or you have some kind of block in place in your ruleset preventing your clients from accessing the DNS service on the firewall.
A quick test to see if this is the case might be to change your DHCP settings so that your clients get an external DNS server as their primary DNS provider (eg: 8.8.4.4) instead of 192.168.1.254.
-
I'm curious why your ping times to 8.8.8.8, which is anycast, are 600ms?? That is the closest googledns to you??
ping 8.8.8.8
Pinging 8.8.8.8 with 32 bytes of data:
Reply from 8.8.8.8: bytes=32 time=21ms TTL=47
Reply from 8.8.8.8: bytes=32 time=20ms TTL=47
Reply from 8.8.8.8: bytes=32 time=20ms TTL=47
And yeah, if you're running forwarder or resolver on pfsense listening on 192.168.1.254 then you should get some sort of answer, not timeout. Can you ping pfsense interface IP, ie 192.168.1.254?
You might try putting up a traceroute to 8.8.8.8 or 8.8.4.4. You seem to be closer via hops because your TTL is 58 while mine is down to 47, maybe that is just your wifi sucking?
-
I have a vanilla setup so it appears to have configured the DNS resolver and not DNS forwarders. Screenshots attached. I have not configured any DNS forwarders.
Changed client to manual and set 8.8.8.8 as DNS with pfsense as GW and it works perfectly.
600ms ping is due to satellite broadband latency.
Can ping 192.168.1.254
Hope this helps, thanks…
-
Well so you're on sat.. Ok that explains the "let's go around the globe twice" latency on talking to googledns ;)
I can tell you right now that if you're on sat with that kind of latency to google you prob should just use the forwarder and not the resolver. The resolver walks the tree down from the roots and asks the authoritative name server for the domain you're looking up. This, until your cache is built up, can increase some lookup times a bit.. But with your latency it's going to be exaggerated.
Turn off the resolver and turn on the forwarder and just use that..
-
Perfect, thank you.
Forwarder works whereas resolver doesn't.
Switched back again to check and definitely only works with forwarder :)
-
It could be your provider blocking such access? The resolver is going to walk down the tree talking to all the different name servers.. It's quite possible that a sat provider doesn't allow this and only allows DNS to either its DNS or major players like google or open, etc.
You could try doing a directed query to the roots to see if they are working..
So when you look up say www.pfsense.org your resolver does this
root@ubuntu:/home/user# dig www.pfsense.org +trace +nodnssec

; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
;; global options: +cmd
. 475600 IN NS a.root-servers.net.
. 475600 IN NS b.root-servers.net.
. 475600 IN NS c.root-servers.net.
. 475600 IN NS d.root-servers.net.
. 475600 IN NS e.root-servers.net.
. 475600 IN NS f.root-servers.net.
. 475600 IN NS g.root-servers.net.
. 475600 IN NS h.root-servers.net.
. 475600 IN NS i.root-servers.net.
. 475600 IN NS j.root-servers.net.
. 475600 IN NS k.root-servers.net.
. 475600 IN NS l.root-servers.net.
. 475600 IN NS m.root-servers.net.
;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 1004 ms

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS b0.org.afilias-nst.org.
;; Received 446 bytes from 199.7.91.13#53(d.root-servers.net) in 53 ms

pfsense.org. 86400 IN NS ns1.netgate.com.
pfsense.org. 86400 IN NS ns2.netgate.com.
;; Received 91 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 833 ms

www.pfsense.org. 300 IN A 208.123.73.69
pfsense.org. 300 IN NS ns2.netgate.com.
pfsense.org. 300 IN NS ns1.netgate.com.
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 49 ms

root@ubuntu:/home/user#
I did it without dnssec to make it easier to read.. and a bit shorter.. So when looking up www.pfsense.org it has to ask the roots, hey who is NS for .org, then goes and asks one of those, hey who is nameserver for pfsense.org, then asks the NS for pfsense.org, hey what is the A record for www.pfsense.org
So from that above list you could try doing directed queries to the roots and the NS for the different TLDs.. so those above are for org..
These are for .com:
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> com. ns
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52145
;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;com. IN NS

;; ANSWER SECTION:
com. 172800 IN NS m.gtld-servers.net.
com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.

;; Query time: 47 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Wed Aug 31 07:35:30 CDT 2016
;; MSG SIZE rcvd: 256
-
I got the following, a LOT slower :)
dig www.pfsense.org +trace +nodnssec
; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
;; global options: +cmd
. 23674 IN NS m.root-servers.net.
. 23674 IN NS a.root-servers.net.
. 23674 IN NS h.root-servers.net.
. 23674 IN NS f.root-servers.net.
. 23674 IN NS i.root-servers.net.
. 23674 IN NS l.root-servers.net.
. 23674 IN NS j.root-servers.net.
. 23674 IN NS d.root-servers.net.
. 23674 IN NS c.root-servers.net.
. 23674 IN NS e.root-servers.net.
. 23674 IN NS g.root-servers.net.
. 23674 IN NS k.root-servers.net.
. 23674 IN NS b.root-servers.net.
;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms

org. 172800 IN NS a0.org.afilias-nst.info.
org. 172800 IN NS d0.org.afilias-nst.org.
org. 172800 IN NS a2.org.afilias-nst.info.
org. 172800 IN NS b2.org.afilias-nst.org.
org. 172800 IN NS c0.org.afilias-nst.info.
org. 172800 IN NS b0.org.afilias-nst.org.
;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms

pfsense.org. 86400 IN NS ns2.netgate.com.
pfsense.org. 86400 IN NS ns1.netgate.com.
;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms

www.pfsense.org. 300 IN A 208.123.73.69
pfsense.org. 300 IN NS ns1.netgate.com.
pfsense.org. 300 IN NS ns2.netgate.com.
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms
-
";; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms"
So almost 6 seconds to get a response, yeah that is going to cause problems because many clients time out after 2 seconds; Linux I think is 5? So if you had a client asking for www.something.com and it was not cached and had to walk down the tree, and you're talking a long long time to get a response, it's just going to give up.
Shoot, even with your 600ms response time from google, and it pulls from its large cache, you could run into problems if anything causes a slow response, like what you're looking for is not cached in google and it takes a while to resolve. You might want to look into increasing the timeout for DNS queries on your clients.
These 2 options could be increased from the defaults in resolv.conf
timeout:n
sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.
attempts:n
sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application. The default is RES_DFLRETRY (currently 2, see <resolv.h>). The value for this option is silently capped to 5.
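As an added example (not code from the thread, from pfSense or from the resolv.conf man page), the script below parses the per-hop "Received ... in N ms" lines of a dig +trace run like the one posted above, sums the hop latencies of the uncached tree walk, and compares that total with the wait a stub resolver allows under the resolv.conf timeout and attempts options quoted above. The sample trace and resolv.conf are constructed from values in this thread, and the budget formula timeout x attempts x nameservers is an approximation assumed here.

```python
import re
# Constructed sample: the per-hop summary lines of a `dig +trace` run, with this thread's satellite latencies.
SAMPLE_TRACE = """\
;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms
;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms
;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms
"""
# Constructed sample resolv.conf: pfSense as the only nameserver, with the two
# options quoted from the man page above raised from their defaults.
SAMPLE_RESOLV_CONF = "nameserver 192.168.1.254\noptions timeout:10 attempts:3\n"
HOP_RE = re.compile(r"^;; Received \d+ bytes from [\d.]+#53\((?P<server>[^)]+)\) in (?P<ms>\d+) ms$")
DEFAULTS = {"timeout": 5, "attempts": 2}   # RES_TIMEOUT / RES_DFLRETRY per the man page
CAPS = {"timeout": 30, "attempts": 5}      # values the man page says are silently capped

def parse_trace(text):
    """Return [(server, ms), ...], one entry per referral hop in dig +trace output."""
    hops = []
    for line in text.splitlines():
        m = HOP_RE.match(line.strip())
        if m:
            hops.append((m["server"], int(m["ms"])))
    return hops

def parse_resolv_conf(text):
    """Return (nameserver_count, {'timeout': s, 'attempts': n}) with defaults and caps applied."""
    opts, nameservers = dict(DEFAULTS), 0
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0].startswith(("#", ";")):
            continue
        if parts[0] == "nameserver":
            nameservers += 1
        elif parts[0] == "options":
            for opt in parts[1:]:
                key, _, val = opt.partition(":")
                if key in opts and val.isdigit():
                    opts[key] = min(int(val), CAPS[key])
    return nameservers, opts

def stub_budget_ms(nameservers, opts):
    """Worst-case wait of the stub resolver; assumption: timeout x attempts x nameservers."""
    return opts["timeout"] * opts["attempts"] * max(nameservers, 1) * 1000

def walk_report(trace_text, resolv_text):
    """Compare the full uncached tree walk with the time the client is willing to wait."""
    hops = parse_trace(trace_text)
    if not hops:
        raise ValueError("no '; Received ... in N ms' hop lines found in trace output")
    total = sum(ms for _, ms in hops)
    budget = stub_budget_ms(*parse_resolv_conf(resolv_text))
    return {"walk_ms": total, "slowest": max(hops, key=lambda h: h[1]), "budget_ms": budget, "fits": total <= budget}
```

With the stock timeout:5 and attempts:2 the walk above (19272 ms) exceeds the 10000 ms budget, which is the "no servers could be reached" symptom the client saw; with the constructed timeout:10 attempts:3 it fits.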