Dhcp client DNS resolution not working



  • 1st time pfsense user here.

    I have downloaded and installed pfsense and have a vanilla setup.
    WAN: DHCP
    LAN: 192.168.1.x
    LAN-GW: 192.168.1.254

    Everything appears to be working other than client dns resolution.

    DHCP has set both the GW and DNS for the clients to the pfsense box as expected.

    user@pc:~$ping -c4 172.217.25.46
    PING 172.217.25.46 (172.217.25.46) 56(84) bytes of data.
    64 bytes from 172.217.25.46: icmp_seq=1 ttl=53 time=579 ms
    64 bytes from 172.217.25.46: icmp_seq=2 ttl=53 time=579 ms
    64 bytes from 172.217.25.46: icmp_seq=3 ttl=53 time=567 ms
    64 bytes from 172.217.25.46: icmp_seq=4 ttl=53 time=577 ms

    --- 172.217.25.46 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3003ms
    rtt min/avg/max/mdev = 567.312/575.911/579.763/5.164 ms
    user@pc:~$ping google.com
    ping: unknown host google.com
    user@pc:~$route -n
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
    192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
    192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0
    user@pc:~$sudo nm-tool | grep DNS:
        DNS:            192.168.1.254
    user@pc:~$

    The pfsense box itself can perform DNS lookups under "Diagnostics".

    From the clients I can ping the DNS servers.


  • LAYER 8 Global Moderator

    LAN-GW: 192.168.1.254

    Why did you set a GW on your lan?  That should never be done.. Is 192.168.1.254 pfsense lan IP or do you have some downstream router that you need to get to??



  • LAN-GW: 192.168.1.254

    This is the GW address for the clients and is the IP of the pfsense box.

    user@pc:~$route -n
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
    192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
    192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0

    No downstream router just a broadband modem.


  • LAYER 8 Global Moderator

    ok that is fine, but you did not set that on pfsense.. Ah that is the route table from your pc.. Ok that is fine..

    So this client is multi homed with a connection to some 192.168.122/24 network?

    Anyhoo.  So you're running the resolver on pfsense.  And your clients are asking pfsense and they get what back, time out, refused, servfail?  See you're using linux so do a dig or drill or your fav query for something to pfsense..  What do you get back?  This is pfsense lan?  Or another interface like opt, ie it looks like this is wifi from your client output showing wlan0

    example

    
    C:\>ssh user@ubuntu.local.lan
    Last login: Mon Aug 29 12:05:24 2016 from 10.0.8.100
    user@ubuntu:~$ dig www.pfsense.org
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1499
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.pfsense.org.               IN      A
    
    ;; ANSWER SECTION:
    www.pfsense.org.        300     IN      A       208.123.73.69
    
    ;; AUTHORITY SECTION:
    pfsense.org.            300     IN      NS      ns2.netgate.com.
    pfsense.org.            300     IN      NS      ns1.netgate.com.
    
    ;; Query time: 95 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Mon Aug 29 16:37:45 CDT 2016
    ;; MSG SIZE  rcvd: 107
    
    user@ubuntu:~$
    
    

    What are the firewall rules you have on the interface these clients are talking to?  If lan they should be any any, did you change those?  If you're connecting in via a wifi router used as AP, are you sure you're not just double natting and you have the same 192.168.1/24 that you're using for pfsense lan as the network on your wifi router?



  • user@pc:~$ route -n
    Kernel IP routing table
    Destination    Gateway        Genmask        Flags Metric Ref    Use Iface
    0.0.0.0        192.168.1.254  0.0.0.0        UG    0      0        0 wlan0
    192.168.1.0    0.0.0.0        255.255.255.0  U    9      0        0 wlan0
    192.168.122.0  0.0.0.0        255.255.255.0  U    0      0        0 virbr0
    user@pc:~$ ping www.pfsense.org
    ping: unknown host www.pfsense.org
    user@pc:~$ dig www.pfsense.org

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    user@pc:~$ sudo nm-tool | grep DNS:
        DNS:            192.168.1.254
    user@pc:~$ ping -c4 8.8.8.8
    PING 8.8.8.8 (8.8.8.8) 56(84) bytes of data.
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=585 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=626 ms
    64 bytes from 8.8.8.8: icmp_seq=3 ttl=58 time=586 ms
    64 bytes from 8.8.8.8: icmp_seq=4 ttl=58 time=668 ms

    --- 8.8.8.8 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 3000ms
    rtt min/avg/max/mdev = 585.774/616.730/668.416/34.029 ms
    user@pc:~$ ping -c4 8.8.4.4
    PING 8.8.4.4 (8.8.4.4) 56(84) bytes of data.
    64 bytes from 8.8.4.4: icmp_seq=1 ttl=58 time=614 ms
    64 bytes from 8.8.4.4: icmp_seq=2 ttl=58 time=612 ms
    64 bytes from 8.8.4.4: icmp_seq=3 ttl=58 time=615 ms
    64 bytes from 8.8.4.4: icmp_seq=4 ttl=58 time=693 ms

    --- 8.8.4.4 ping statistics ---
    4 packets transmitted, 4 received, 0% packet loss, time 2998ms
    rtt min/avg/max/mdev = 612.954/634.040/693.788/34.518 ms
    user@pc:~$

    dig reports "no servers can be reached"

    firewall rules are all defaults



  • Might be a good idea to send screenshots of your DNS forwarder settings (these are pretty basic, but it would be good to confirm this has been done). Also provide information of what DNS servers your PFS is using itself. From what you've shown so far, it looks like your firewall rules are (probably) ok, though you haven't provided those either. It's more likely that you either haven't enabled the DNS forwarder on your firewall or you have some kind of block in place in your ruleset preventing your clients from accessing the DNS service on the firewall.

    A quick test to see if this is the case might be to change your DHCP settings so that your clients get an external DNS server as their primary DNS provider (eg: 8.8.4.4) instead of 192.168.1.254.


  • LAYER 8 Global Moderator

    I'm curious why your ping times to 8.8.8.8, which is anycast, are 600ms ??  That is the closest googledns to you??

    ping 8.8.8.8

    Pinging 8.8.8.8 with 32 bytes of data:
    Reply from 8.8.8.8: bytes=32 time=21ms TTL=47
    Reply from 8.8.8.8: bytes=32 time=20ms TTL=47
    Reply from 8.8.8.8: bytes=32 time=20ms TTL=47

    And yeah if you're running forwarder or resolver on pfsense listening on 192.168.1.254 then you should get some sort of answer, not timeout.  Can you ping pfsense interface IP, ie 192.168.1.254?

    You might try putting up a traceroute to 8.8.8.8 or 8.8.4.4; you seem to be closer via hops because your ttl is 58 while mine is down to 47, maybe that is just your wifi sucking?



    I have a vanilla setup so it appears to have configured the DNS resolver and not DNS forwarders. Screen shots attached. I have not configured any DNS forwarders.

    Changed client to manual and set 8.8.8.8 as DNS with pfsense as GW and it works perfectly.

    600ms ping is due to satellite broadband latency.

    Can ping 192.168.1.254

    Hope this helps, thanks…

  • LAYER 8 Global Moderator

    Well so you're on sat.. Ok that explains the "let's go around the globe twice" latency on talking to googledns ;)

    I can tell you right now that if you're on sat with that kind of latency to google you prob should just use the forwarder and not the resolver.  The resolver walks the tree down from roots and asks the authoritative name server for the domain you're looking up.  Until your cache is built up this can increase some look up times a bit..  But with your latency that is going to be exaggerated.

    Turn off the resolver and turn on the forwarder and just use that..



  • Perfect, thank you.

    Forwarder works whereas resolver doesn't.

    Switched back again to check and definitely only works with forwarder :)


  • LAYER 8 Global Moderator

    It could be your provider blocking such access?  The resolver is going to walk down the tree talking to all the different name servers.. It's quite possible that a sat provider doesn't allow this and only allows dns to either its dns or major players like google or open, etc.

    You could try doing a directed query to the roots to see if they are working..

    So when you look up say www.pfsense.org your resolver does this

    
    root@ubuntu:/home/user# dig www.pfsense.org +trace +nodnssec
    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
    ;; global options: +cmd
    .                       475600  IN      NS      a.root-servers.net.
    .                       475600  IN      NS      b.root-servers.net.
    .                       475600  IN      NS      c.root-servers.net.
    .                       475600  IN      NS      d.root-servers.net.
    .                       475600  IN      NS      e.root-servers.net.
    .                       475600  IN      NS      f.root-servers.net.
    .                       475600  IN      NS      g.root-servers.net.
    .                       475600  IN      NS      h.root-servers.net.
    .                       475600  IN      NS      i.root-servers.net.
    .                       475600  IN      NS      j.root-servers.net.
    .                       475600  IN      NS      k.root-servers.net.
    .                       475600  IN      NS      l.root-servers.net.
    .                       475600  IN      NS      m.root-servers.net.
    ;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 1004 ms
    
    org.                    172800  IN      NS      a0.org.afilias-nst.info.
    org.                    172800  IN      NS      b2.org.afilias-nst.org.
    org.                    172800  IN      NS      c0.org.afilias-nst.info.
    org.                    172800  IN      NS      a2.org.afilias-nst.info.
    org.                    172800  IN      NS      d0.org.afilias-nst.org.
    org.                    172800  IN      NS      b0.org.afilias-nst.org.
    ;; Received 446 bytes from 199.7.91.13#53(d.root-servers.net) in 53 ms
    
    pfsense.org.            86400   IN      NS      ns1.netgate.com.
    pfsense.org.            86400   IN      NS      ns2.netgate.com.
    ;; Received 91 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 833 ms
    
    www.pfsense.org.        300     IN      A       208.123.73.69
    pfsense.org.            300     IN      NS      ns2.netgate.com.
    pfsense.org.            300     IN      NS      ns1.netgate.com.
    ;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 49 ms
    
    root@ubuntu:/home/user#
    
    

    I did it without dnssec to make it easier to read.. and a bit shorter.. So when looking up www.pfsense.org it has to ask the roots, hey who is ns for .org, then goes and asks one of those, hey who is nameserver for pfsense.org, then asks the ns for pfsense.org, hey what is the A record for www.pfsense.org

    So from that above list you could try doing directed queries to the roots and the ns for the different tlds.. so those above are for org..

    these are for .com

    
    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> com. ns
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 52145
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 13, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;com.                           IN      NS
    
    ;; ANSWER SECTION:
    com.                    172800  IN      NS      m.gtld-servers.net.
    com.                    172800  IN      NS      a.gtld-servers.net.
    com.                    172800  IN      NS      j.gtld-servers.net.
    com.                    172800  IN      NS      h.gtld-servers.net.
    com.                    172800  IN      NS      c.gtld-servers.net.
    com.                    172800  IN      NS      g.gtld-servers.net.
    com.                    172800  IN      NS      e.gtld-servers.net.
    com.                    172800  IN      NS      b.gtld-servers.net.
    com.                    172800  IN      NS      k.gtld-servers.net.
    com.                    172800  IN      NS      l.gtld-servers.net.
    com.                    172800  IN      NS      f.gtld-servers.net.
    com.                    172800  IN      NS      i.gtld-servers.net.
    com.                    172800  IN      NS      d.gtld-servers.net.
    
    ;; Query time: 47 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Wed Aug 31 07:35:30 CDT 2016
    ;; MSG SIZE  rcvd: 256
    
    


  • I got the following, a LOT slower :)

    dig www.pfsense.org +trace +nodnssec

    ; <<>> DiG 9.9.5-3ubuntu0.8-Ubuntu <<>> www.pfsense.org +trace +nodnssec
    ;; global options: +cmd
    . 23674 IN NS m.root-servers.net.
    . 23674 IN NS a.root-servers.net.
    . 23674 IN NS h.root-servers.net.
    . 23674 IN NS f.root-servers.net.
    . 23674 IN NS i.root-servers.net.
    . 23674 IN NS l.root-servers.net.
    . 23674 IN NS j.root-servers.net.
    . 23674 IN NS d.root-servers.net.
    . 23674 IN NS c.root-servers.net.
    . 23674 IN NS e.root-servers.net.
    . 23674 IN NS g.root-servers.net.
    . 23674 IN NS k.root-servers.net.
    . 23674 IN NS b.root-servers.net.
    ;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms

    org. 172800 IN NS a0.org.afilias-nst.info.
    org. 172800 IN NS d0.org.afilias-nst.org.
    org. 172800 IN NS a2.org.afilias-nst.info.
    org. 172800 IN NS b2.org.afilias-nst.org.
    org. 172800 IN NS c0.org.afilias-nst.info.
    org. 172800 IN NS b0.org.afilias-nst.org.
    ;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms

    pfsense.org. 86400 IN NS ns2.netgate.com.
    pfsense.org. 86400 IN NS ns1.netgate.com.
    ;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms

    www.pfsense.org. 300 IN A 208.123.73.69
    pfsense.org. 300 IN NS ns1.netgate.com.
    pfsense.org. 300 IN NS ns2.netgate.com.
    ;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms


  • LAYER 8 Global Moderator

    ";; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms"

    So almost 6 seconds to get a response, yeah that is going to cause problems because many clients time out after 2 seconds, linux I think is 5?  So if you had a client asking for www.something.com and it was not cached and had to walk down the tree and you're talking a long long time to get a response, it's just going to give up.

    Shoot, even with your 600ms response time from google, and it pulls from its large cache, you could run into problems if anything causes a slow response, like what you're looking for is not cached in google and it takes a while to resolve.  You might want to look into increasing the timeout for dns queries on your clients.

    These 2 options could be increased from the defaults in resolv.conf

    timeout:n

    sets the amount of time the resolver will wait for a response from a remote name server before retrying the query via a different name server. Measured in seconds, the default is RES_TIMEOUT (currently 5, see <resolv.h>). The value for this option is silently capped to 30.

    attempts:n

    sets the number of times the resolver will send a query to its name servers before giving up and returning an error to the calling application. The default is RES_DFLRETRY (currently 2, see <resolv.h>). The value for this option is silently capped to 5.
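The timing argument above, as an added example that is not from the thread or from pfSense: it parses the per-hop `;; Received ... in N ms` lines from the two `dig +trace` runs posted earlier, sums the delegation steps a cold lookup needs, and compares that against the resolv.conf `timeout`/`attempts` budget quoted above. The `stub_verdict` model (one nameserver, nominal budget of timeout times attempts) is an assumption for illustration, not glibc's exact retry schedule.

```python
import re

# Per-hop timing lines from `dig +trace`, copied from the two runs posted in this
# thread (the satellite user's and the moderator's); nothing here is constructed.
SAT_TRACE = """\
;; Received 455 bytes from 127.0.1.1#53(127.0.1.1) in 10284 ms
;; Received 446 bytes from 192.33.4.12#53(c.root-servers.net) in 5699 ms
;; Received 91 bytes from 199.19.54.1#53(b0.org.afilias-nst.org) in 2486 ms
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 803 ms
"""
MOD_TRACE = """\
;; Received 239 bytes from 192.168.9.253#53(192.168.9.253) in 1004 ms
;; Received 446 bytes from 199.7.91.13#53(d.root-servers.net) in 53 ms
;; Received 91 bytes from 199.249.112.1#53(a2.org.afilias-nst.info) in 833 ms
;; Received 139 bytes from 192.207.126.6#53(ns1.netgate.com) in 49 ms
"""

# glibc stub resolver defaults quoted above (resolv.conf timeout:n / attempts:n).
RES_TIMEOUT_S = 5
RES_DFLRETRY = 2

HOP_RE = re.compile(r"^;; Received \d+ bytes from \S+#53\(([^)]+)\) in (\d+) ms")

def parse_trace(text):
    """Return [(server, rtt_ms), ...], one entry per delegation step in a +trace."""
    matches = (HOP_RE.match(line) for line in text.splitlines())
    return [(m.group(1), int(m.group(2))) for m in matches if m]

def cold_walk_ms(hops):
    """Sum of the authoritative steps a cold lookup needs. The first +trace line is
    the local stub fetching the root NS list, which a resolver already holds."""
    return sum(ms for _, ms in hops[1:])

def slow_hops(hops, timeout_s=RES_TIMEOUT_S):
    """Authoritative steps whose single round trip alone exceeds the stub timeout."""
    return [name for name, ms in hops[1:] if ms > timeout_s * 1000]

def stub_verdict(hops, timeout_s=RES_TIMEOUT_S, attempts=RES_DFLRETRY):
    """Assumed model of a client with one nameserver in resolv.conf:
    'ok'    - the answer arrives within the first attempt
    'retry' - the first attempt times out, but the resolver keeps walking, so
              a retry within the nominal budget timeout_s * attempts can succeed
    'fail'  - the whole budget is exhausted; the application sees an error"""
    walk = cold_walk_ms(hops)
    if walk <= timeout_s * 1000:
        return "ok"
    if walk <= timeout_s * attempts * 1000:
        return "retry"
    return "fail"
```

`stub_verdict(parse_trace(SAT_TRACE))` comes back as "retry" while the moderator's trace is "ok"; raising `timeout` to 10 turns the satellite trace into "ok" as well, which is what the resolv.conf advice above buys you.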

