Netgate Discussion Forum
    DHCP client DNS resolution not working

    Category: Problems Installing or Upgrading pfSense Software
    13 Posts 3 Posters 11.6k Views
    • McMurphy

      First-time pfSense user here.

      I have downloaded and installed pfSense and have a vanilla setup.
      WAN: DHCP
      LAN: 192.168.1.x
      LAN-GW: 192.168.1.254

      Everything appears to be working other than client dns resolution.

      DHCP has set both the GW and DNS for the clients to the pfsense box as expected.

      user@pc:~$ping -c4 172.217.25.46
      PING 172.217.25.46 (172.217.25.46) 56(84) bytes of data.
      64 bytes from 172.217.25.46: icmp_seq=1 ttl=53 time=579 ms
      64 bytes from 172.217.25.46: icmp_seq=2 ttl=53 time=579 ms
      64 bytes from 172.217.25.46: icmp_seq=3 ttl=53 time=567 ms
      64 bytes from 172.217.25.46: icmp_seq=4 ttl=53 time=577 ms

      --- 172.217.25.46 ping statistics ---
      4 packets transmitted, 4 received, 0% packet loss, time 3003ms
      rtt min/avg/max/mdev = 567.312/575.911/579.763/5.164 ms
      user@pc:~$ping google.com
      ping: unknown host google.com
      user@pc:~$route -n
      Kernel IP routing table
      Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
      0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
      192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
      192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0
      user@pc:~$sudo nm-tool | grep DNS:
          DNS:            192.168.1.254
      user@pc:~$

      The pfsense box itself can perform DNS lookups under "Diagnostics".

      From the clients I can ping the DNS servers.

      • johnpoz (LAYER 8 Global Moderator)

        LAN-GW: 192.168.1.254

        Why did you set a GW on your LAN? That should never be done. Is 192.168.1.254 the pfSense LAN IP, or do you have some downstream router that you need to get to?

        An intelligent man is sometimes forced to be drunk to spend time with his fools
        If you get confused: Listen to the Music Play
        Please don't Chat/PM me for help, unless mod related
        SG-4860 24.11 | Lab VMs 2.8, 24.11

        • McMurphy

          LAN-GW: 192.168.1.254

          This is the GW address for the clients and is the IP of the pfsense box.

          user@pc:~$route -n
          Kernel IP routing table
          Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
          0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
          192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
          192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0

          No downstream router just a broadband modem.

          • johnpoz (LAYER 8 Global Moderator)

            OK, that is fine, but you did not set that on pfSense. Ah, that is the route table from your PC. OK, that is fine.

            So this client is multi-homed, with a connection to some 192.168.122/24 network?

            Anyhoo. So you're running the resolver on pfSense. And your clients are asking pfSense, and they get what back: time out, refused, servfail? Since you're using Linux, do a dig or drill or your favourite query for something to pfSense. What do you get back? Is this the pfSense LAN, or another interface like OPT? It looks like this is wifi, from your client output showing wlan0.

            example

            
            C:\>ssh user@ubuntu.local.lan
            Last login: Mon Aug 29 12:05:24 2016 from 10.0.8.100
            user@ubuntu:~$ dig www.pfsense.org
            
            ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1499
            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;www.pfsense.org.               IN      A
            
            ;; ANSWER SECTION:
            www.pfsense.org.        300     IN      A       208.123.73.69
            
            ;; AUTHORITY SECTION:
            pfsense.org.            300     IN      NS      ns2.netgate.com.
            pfsense.org.            300     IN      NS      ns1.netgate.com.
            
            ;; Query time: 95 msec
            ;; SERVER: 192.168.9.253#53(192.168.9.253)
            ;; WHEN: Mon Aug 29 16:37:45 CDT 2016
            ;; MSG SIZE  rcvd: 107
            
            user@ubuntu:~$
            
            

            What are the firewall rules you have on the interface these clients are talking to? If LAN, they should be any/any; did you change those? If you're connecting in via a wifi router used as an AP, are you sure you're not just double NATing, and you have the same 192.168.1/24 that you're using for the pfSense LAN as the network on your wifi router?

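The question in the post above is what the resolver actually sends back: a timeout, REFUSED, SERVFAIL, or a real answer. The following is an added example (not code from the thread or from pfSense) that does the same thing as the suggested `dig`, but from the protocol level: it builds a raw A query, sends it to the resolver over UDP, classifies the reply by RCODE, and rejects replies whose transaction ID or question section do not match the query, which is the minimum check a stub must make against stray or spoofed answers. It uses only the Python standard library; 192.168.1.254 (the thread's pfSense LAN address) is only the assumed default target.

```python
"""
DNS probe: build a raw A query, send it over UDP to a resolver, and classify
the reply by RCODE (NOERROR / SERVFAIL / REFUSED / NXDOMAIN) or report TIMEOUT.
Added example, standard library only.
"""
import secrets
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}
QTYPE_A, QCLASS_IN = 1, 1


def encode_name(name):
    """'www.pfsense.org' -> b'\\x03www\\x07pfsense\\x03org\\x00' (RFC 1035 labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label length in %r" % name)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_query(name, qid=None, qtype=QTYPE_A):
    """12-byte header (RD=1, one question) followed by the question section."""
    if qid is None:
        qid = secrets.randbelow(1 << 16)   # unpredictable TXID: one anti-spoofing input
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", qtype, QCLASS_IN)


def decode_name(data, off):
    """Read a (possibly compressed) name at `off`; return (name, offset after it)."""
    labels, end, hops = [], None, 0
    while True:
        length = data[off]
        if (length & 0xC0) == 0xC0:            # compression pointer
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if end is None:
                end = off + 2                   # caller continues after the pointer
            hops += 1
            if hops > 16:
                raise ValueError("compression pointer loop")
            off = ptr
            continue
        off += 1
        if length == 0:
            break
        labels.append(data[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels) + ".", (off if end is None else end)


def parse_response(data, expected_id=None, expected_name=None):
    """Parse header, question and A answers; reject replies that do not match the query."""
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit clear: not a response")
    if expected_id is not None and qid != expected_id:
        raise ValueError("TXID mismatch: stray or spoofed reply")
    off = 12
    qname, off = decode_name(data, off)
    off += 4                                    # skip QTYPE, QCLASS
    if expected_name is not None and qname.lower() != expected_name.rstrip(".").lower() + ".":
        raise ValueError("question mismatch: stray or spoofed reply")
    answers = []
    for _ in range(an):
        rname, off = decode_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append((rname, ttl, socket.inet_ntoa(rdata)))
    return {"id": qid,
            "rcode": RCODES.get(flags & 0xF, "RCODE%d" % (flags & 0xF)),
            "truncated": bool(flags & 0x0200),
            "answers": answers}


def probe(server, name, timeout=2.0):
    """One A query to `server`; returns 'TIMEOUT' or the parsed reply dict."""
    qid = secrets.randbelow(1 << 16)
    query = build_query(name, qid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)               # the OS picks a random source port
        sock.sendto(query, (server, 53))
        try:
            data, _peer = sock.recvfrom(4096)
        except socket.timeout:
            return "TIMEOUT"
    return parse_response(data, expected_id=qid, expected_name=name)


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "192.168.1.254"   # assumed pfSense LAN IP
    print(probe(target, "www.pfsense.org"))
```

Run it as `python3 probe.py 192.168.1.254` from a LAN client. "TIMEOUT" means nothing listening or a firewall drop, REFUSED means the resolver is up but its access control excludes your source network, SERVFAIL means it accepted the query and could not complete the recursion (the symptom the rest of this thread turns out to be about), and NOERROR with an empty answer list means the name exists but has no A record.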
            • McMurphy

              user@pc:~$ route -n
              Kernel IP routing table
              Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
              0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
              192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
              192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0
              user@pc:~$ ping www.pfsense.org
              ping: unknown host www.pfsense.org
              user@pc:~$ dig www.pfsense.org

              ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
              ;; global options: +cmd
              ;; connection timed out; no servers could be reached
              user@pc:~$ sudo nm-tool | grep DNS:
                  DNS:            192.168.1.254
              user@pc:~$ ping -c4 8.8.8.8
              PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
              64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=585 ms
              64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=626 ms
              64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=586 ms
              64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=668 ms

              --- 8.8.8.8 ping statistics ---
              4 packets transmitted, 4 received, 0% packet loss, time 3000ms
              rtt min/avg/max/mdev = 585.774/616.730/668.416/34.029 ms
              user@pc:~$ ping -c4 8.8.4.4
              PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
              64 bytes from 8.8.4.4: icmp_seq=1 ttl=58 time=614 ms
              64 bytes from 8.8.4.4: icmp_seq=2 ttl=58 time=612 ms
              64 bytes from 8.8.4.4: icmp_seq=3 ttl=58 time=615 ms
              64 bytes from 8.8.4.4: icmp_seq=4 ttl=58 time=693 ms

              --- 8.8.4.4 ping statistics ---
              4 packets transmitted, 4 received, 0% packet loss, time 2998ms
              rtt min/avg/max/mdev = 612.954/634.040/693.788/34.518 ms
              user@pc:~$

              dig reports "no servers can be reached"

              Firewall rules are all defaults.

              • muswellhillbilly

                Might be a good idea to send screenshots of your DNS forwarder settings (these are pretty basic, but it would be good to confirm this has been done). Also provide information on what DNS servers your PFS is using itself. From what you've shown so far, it looks like your firewall rules are (probably) OK, though you haven't provided those either. It's more likely that you either haven't enabled the DNS forwarder on your firewall or you have some kind of block in place in your ruleset preventing your clients from accessing the DNS service on the firewall.

                A quick test to see if this is the case might be to change your DHCP settings so that your clients get an external DNS server as their primary DNS provider (e.g. 8.8.4.4) instead of 192.168.1.254.

                • johnpoz (LAYER 8 Global Moderator)

                  I'm curious why your ping times to 8.8.8.8, which is anycast, are 600 ms?? Is that the closest Google DNS to you??

                  ping 8.8.8.8

                  Pinging 8.8.8.8 with 32 bytes of data:
                  Reply from 8.8.8.8: bytes=32 time=21ms TTL=47
                  Reply from 8.8.8.8: bytes=32 time=20ms TTL=47
                  Reply from 8.8.8.8: bytes=32 time=20ms TTL=47

                  And yeah, if you're running the forwarder or resolver on pfSense listening on 192.168.1.254, then you should get some sort of answer, not a timeout. Can you ping the pfSense interface IP, i.e. 192.168.1.254?

                  You might try putting up a traceroute to 8.8.8.8 or 8.8.4.4. You seem to be closer via hops, because your TTL is 58 while mine is down to 47; maybe that is just your wifi sucking?

                  • McMurphy

                    I have a vanilla setup, so it appears to have configured the DNS resolver and not DNS forwarders. Screenshots attached. I have not configured any DNS forwarders.

                    Changed client to manual and set 8.8.8.8 as DNS with pfsense as GW and it works perfectly.

                    600ms ping is due to satellite broadband latency.

                    Can ping 192.168.1.254

                    Hope this helps, thanks…

                    Attachments: dashboard.png, dns_resolver.png, dns_forwarder.png, firewall_rules2.png, firewall_rules.png, General_Setup.png

                    • johnpoz (LAYER 8 Global Moderator)

                      Well, so you're on sat. OK, that explains the let's-go-around-the-globe-twice latency talking to Google DNS ;)

                      I can tell you right now that if you're on sat with that kind of latency to Google, you probably should just use the forwarder and not the resolver. The resolver walks the tree down from the roots and asks the authoritative name server for the domain you're looking up. Until your cache is built up, this can increase some lookup times a bit. But with your latency, it is going to be exaggerated.

                      Turn off the resolver and turn on the forwarder and just use that.

                      • McMurphy

                        Perfect, thank you.

                        Forwarder works whereas resolver doesn't.

                        Switched back again to check and definitely only works with forwarder :)

                        • johnpoz (LAYER 8 Global Moderator)

                          It could be your provider blocking such access? The resolver is going to walk down the tree talking to all the different name servers. It's quite possible that a sat provider doesn't allow this and only allows DNS to either its DNS or major players like Google or OpenDNS, etc.

                          You could try doing a directed query to the roots to see if they are working.

                          So when you look up, say, www.pfsense.org, your resolver does this:

                          
                          root@ubuntu:/home/user# dig www.pfsense.org +trace +nodnssec
                          
                          ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
                          ;; global options: +cmd
                          .                       475600  IN      NS      a.root-servers.net.
                          .                       475600  IN      NS      b.root-servers.net.
                          .                       475600  IN      NS      c.root-servers.net.
                          .                       475600  IN      NS      d.root-servers.net.
                          .                       475600  IN      NS      e.root-servers.net.
                          .                       475600  IN      NS      f.root-servers.net.
                          .                       475600  IN      NS      g.root-servers.net.
                          .                       475600  IN      NS      h.root-servers.net.
                          .                       475600  IN      NS      i.root-servers.net.
                          .                       475600  IN      NS      j.root-servers.net.
                          .                       475600  IN      NS      k.root-servers.net.
                          .                       475600  IN      NS      l.root-servers.net.
                          .                       475600  IN      NS      m.root-servers.net.
                          ;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 1004 ms
                          
                          org.                    172800  IN      NS      a0.org.afilias-nst.info.
                          org.                    172800  IN      NS      b2.org.afilias-nst.org.
                          org.                    172800  IN      NS      c0.org.afilias-nst.info.
                          org.                    172800  IN      NS      a2.org.afilias-nst.info.
                          org.                    172800  IN      NS      d0.org.afilias-nst.org.
                          org.                    172800  IN      NS      b0.org.afilias-nst.org.
                          ;; Received 446 bytes from 199.7.91.13#53(d.root-servers.net) in 53 ms
                          
                          pfsense.org.            86400   IN      NS      ns1.netgate.com.
                          pfsense.org.            86400   IN      NS      ns2.netgate.com.
                          ;; Received 91 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 833 ms
                          
                          www.pfsense.org.        300     IN      A       208.123.73.69
                          pfsense.org.            300     IN      NS      ns2.netgate.com.
                          pfsense.org.            300     IN      NS      ns1.netgate.com.
                          ;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 49 ms
                          
                          root@ubuntu:/home/user#
                          
                          

                          I did it without DNSSEC to make it easier to read, and a bit shorter. So when looking up www.pfsense.org it has to ask the roots "hey, who is the NS for .org?", then goes and asks one of those "hey, who is the nameserver for pfsense.org?", then asks the NS for pfsense.org "what is the A record for www.pfsense.org?"

                          So from that list above you could try doing directed queries to the roots and the NSes for the different TLDs; those above are for .org.

                          These are for .com:

                          
                          ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> com. ns
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52145
                          ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 4096
                          ;; QUESTION SECTION:
                          ;com.                           IN      NS
                          
                          ;; ANSWER SECTION:
                          com.                    172800  IN      NS      m.gtld-servers.net.
                          com.                    172800  IN      NS      a.gtld-servers.net.
                          com.                    172800  IN      NS      j.gtld-servers.net.
                          com.                    172800  IN      NS      h.gtld-servers.net.
                          com.                    172800  IN      NS      c.gtld-servers.net.
                          com.                    172800  IN      NS      g.gtld-servers.net.
                          com.                    172800  IN      NS      e.gtld-servers.net.
                          com.                    172800  IN      NS      b.gtld-servers.net.
                          com.                    172800  IN      NS      k.gtld-servers.net.
                          com.                    172800  IN      NS      l.gtld-servers.net.
                          com.                    172800  IN      NS      f.gtld-servers.net.
                          com.                    172800  IN      NS      i.gtld-servers.net.
                          com.                    172800  IN      NS      d.gtld-servers.net.
                          
                          ;; Query time: 47 msec
                          ;; SERVER: 192.168.9.253#53(192.168.9.253)
                          ;; WHEN: Wed Aug 31 07:35:30 CDT 2016
                          ;; MSG SIZE  rcvd: 256
                          
                          

                          • McMurphy

                            I got the following, a LOT slower :)

                            dig www.pfsense.org +trace +nodnssec

                            ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
                            ;; global options: +cmd
                            . 23674 IN NS m.root-servers.net.
                            . 23674 IN NS a.root-servers.net.
                            . 23674 IN NS h.root-servers.net.
                            . 23674 IN NS f.root-servers.net.
                            . 23674 IN NS i.root-servers.net.
                            . 23674 IN NS l.root-servers.net.
                            . 23674 IN NS j.root-servers.net.
                            . 23674 IN NS d.root-servers.net.
                            . 23674 IN NS c.root-servers.net.
                            . 23674 IN NS e.root-servers.net.
                            . 23674 IN NS g.root-servers.net.
                            . 23674 IN NS k.root-servers.net.
                            . 23674 IN NS b.root-servers.net.
                            ;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms

                            org. 172800 IN NS a0.org.afilias-nst.info.
                            org. 172800 IN NS d0.org.afilias-nst.org.
                            org. 172800 IN NS a2.org.afilias-nst.info.
                            org. 172800 IN NS b2.org.afilias-nst.org.
                            org. 172800 IN NS c0.org.afilias-nst.info.
                            org. 172800 IN NS b0.org.afilias-nst.org.
                            ;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms

                            pfsense.org. 86400 IN NS ns2.netgate.com.
                            pfsense.org. 86400 IN NS ns1.netgate.com.
                            ;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms

                            www.pfsense.org. 300 IN A 208.123.73.69
                            pfsense.org. 300 IN NS ns1.netgate.com.
                            pfsense.org. 300 IN NS ns2.netgate.com.
                            ;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms

                            • johnpoz (LAYER 8 Global Moderator)

                              ";; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms"

                              So almost 6 seconds to get a response. Yeah, that is going to cause problems, because many clients time out after 2 seconds; Linux I think is 5? So if you had a client asking for www.something.com and it was not cached and had to walk down the tree, and you're talking a long, long time to get a response, it's just going to give up.

                              Shoot, even with your 600 ms response time from Google, which pulls from its large cache, you could run into problems if anything causes a slow response, like what you're looking for is not cached in Google and it takes a while to resolve. You might want to look into increasing the timeout for DNS queries on your clients.

                              These 2 options could be increased from the defaults in resolv.conf:

                              timeout:n

                              sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.

                              attempts:n

                              sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application. The default is RES_DFLRETRY (currently 2, see <resolv.h>). The value for this option is silently capped to 5.

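The two posts above make a timing argument: an uncached lookup through the resolver is a chain of round trips (root, TLD, authoritative), and on a satellite link that chain has to finish before the client's stub resolver stops waiting, which is governed by the `timeout` and `attempts` options just quoted. The following is an added example (not code from the thread, pfSense or glibc) that turns that argument into a check: it pulls the per-step timings out of `dig +trace` output and the `options` line out of resolv.conf, then reports whether the whole walk fits inside what the stub is willing to wait. The trace lines are re-typed from McMurphy's output earlier in the thread; the resolv.conf text is constructed. The budget calculation uses the resolv.conf(5) semantics quoted above and treats the product timeout × attempts × nameservers as a lower bound, since glibc lengthens the wait on later attempts.

```python
"""
Latency budget check for an iterative (resolver) lookup on a high-RTT link:
per-step times from `dig +trace` versus the glibc stub resolver's patience.
Added example, standard library only.
"""
import re

TRACE_LINE = re.compile(r";; Received \d+ bytes from (\S+)#\d+\((\S+)\) in (\d+) ms")

# Timing lines re-typed from the dig +trace posted in this thread (satellite link).
SAMPLE_TRACE = """\
;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms
;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms
;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms
"""

# Constructed: a client pointed at pfSense, with the glibc defaults written out.
SAMPLE_RESOLV_CONF = """\
nameserver 192.168.1.254
options timeout:5 attempts:2
"""


def trace_steps(trace_text):
    """[(server_ip, server_name, ms), ...] in the order dig asked them."""
    return [(ip, name, int(ms)) for ip, name, ms in TRACE_LINE.findall(trace_text)]


def stub_budget_ms(resolv_conf):
    """(first wait, floor of total wait) in ms for a glibc stub resolver.

    Per resolv.conf(5): timeout defaults to 5 s (capped at 30), attempts to 2
    (capped at 5), and each attempt tries every listed nameserver in turn.
    glibc stretches the timeout on later attempts, so the product is only a
    lower bound on how long an application blocks before it gets an error.
    """
    timeout, attempts, nservers = 5, 2, 0
    for line in resolv_conf.splitlines():
        line = line.split("#", 1)[0].strip()
        if line.startswith("nameserver"):
            nservers += 1
        elif line.startswith("options"):
            for opt in line.split()[1:]:
                key, _, val = opt.partition(":")
                if key == "timeout" and val.isdigit():
                    timeout = min(int(val), 30)
                elif key == "attempts" and val.isdigit():
                    attempts = min(int(val), 5)
    first = timeout * 1000
    return first, first * attempts * max(nservers, 1)


def assess(trace_text, resolv_conf):
    """Compare the full iterative walk against what the stub will wait for one answer."""
    steps = trace_steps(trace_text)
    total = sum(ms for _, _, ms in steps)
    first, floor = stub_budget_ms(resolv_conf)
    return {
        "steps": len(steps),
        "total_ms": total,
        "slowest": max(steps, key=lambda s: s[2]),
        "over_first_wait": [name for _, name, ms in steps if ms > first],
        "first_wait_ms": first,
        "total_wait_floor_ms": floor,
        "fits_first_attempt": total <= first,
    }


if __name__ == "__main__":
    for key, value in assess(SAMPLE_TRACE, SAMPLE_RESOLV_CONF).items():
        print("%-20s %s" % (key, value))
```

For the posted trace the four steps add up to 19272 ms against a 5000 ms first wait and a 10000 ms floor for the whole retry cycle, so an uncached name cannot be answered by the resolver before the client gives up; that is the failure the forwarder avoids, because a forwarded query costs one round trip to an upstream that already has the tree cached. Note that the 10 s first step is dig talking to 127.0.1.1, the client's own local stub/forwarder, which presumably forwards to pfSense, so a client-side layer is adding to the chain as well. To run it against your own link, paste the `;; Received ... in N ms` lines from a `dig +trace` of an uncached name and your real /etc/resolv.conf.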
                              Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.