Weird DNS resolver issue
-
Hello,
I'm facing an issue with my DNS resolver on pfSense.
Everything works fine except for one internet site that can't get resolved on LAN computers.
In System > General, two DNS servers are set up, 8.8.8.8 and 8.8.4.4, both assigned to the same WAN.
DNS Server Override and Disable DNS Forwarder are both unchecked. My DNS Resolver config is vanilla.
Now here is what happens:
On the pfSense via ssh:
nslookup pc21.fr
Server: 8.8.8.8
Address: 8.8.8.8#53
Non-authoritative answer:
Name: pc21.fr
Address: 212.73.221.110
On a LAN computer:
nslookup pc21.fr
Server: 192.168.50.254
Address: 192.168.50.254#53
** server can't find pc21.fr: SERVFAIL

nslookup google.fr
Server: 192.168.50.254
Address: 192.168.50.254#53
Non-authoritative answer:
Name: google.fr
Address: 216.58.211.99
The LAN computer's /etc/resolv.conf is setup with the pfSense IP.
Every internet site works except for pc21.fr. I'm totally clueless here.
This behavior was tested with 2 LAN computers. Enabled the default pass all rule on LAN at first position too.
Btw, this behavior survived a pfSense reboot.
-
I don't show any issues with looking that up via the resolver:
user@ubuntu:~$ dig pc21.fr
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pc21.fr
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 26100
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pc21.fr. IN A
;; ANSWER SECTION:
pc21.fr. 180 IN A 212.73.221.110
;; Query time: 399 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Oct 03 10:59:08 CDT 2016

Are you using the RESOLVER (unbound) or not? If you are using the resolver, then having the pfSense setting of Google DNS is completely pointless.
"DNS Server Override and Disable DNS Forwarder are both unchecked."
Where is disable dns forwarder unchecked?? You mean enable forwarder mode in the resolver settings? Or in the general settings - see attached.
I would suggest you go to Diag > DNS Lookup in the pfSense UI and see what that reports. It will tell you what it used to resolve. It is quite possible your setup doesn't play nice with actually resolving vs forwarding. There are some shitty ISPs out there that block resolving, or maybe your connectivity has high latency to where the authoritative NS for pc21.fr are. They have a really, really low TTL set, so you're not going to be able to cache that for more than 3 minutes without having to query them again.
Their NS are listed as ns2 and ns0, where ns2 doesn't even seem to be responding. And the TTL on even their NS is only 180 seconds. 3 minutes; that is simply a moronic sort of setup.. unless they were in the middle of a migration to new NS.
user@ubuntu:~$ dig pc21.fr NS
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pc21.fr NS
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 43524
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;pc21.fr. IN NS
;; ANSWER SECTION:
pc21.fr. 180 IN NS ns2.toutlehardware.com.
pc21.fr. 180 IN NS ns0.toutlehardware.com.
;; Query time: 896 msec
;; SERVER: 192.168.9.253#53(192.168.9.253)
;; WHEN: Mon Oct 03 11:09:08 CDT 2016
;; MSG SIZE rcvd: 90

user@ubuntu:~$ dig @ns2.toutlehardware.com pc21.fr
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> @ns2.toutlehardware.com pc21.fr
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

user@ubuntu:~$ dig @ns0.toutlehardware.com pc21.fr
; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> @ns0.toutlehardware.com pc21.fr
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3318
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 1280
;; QUESTION SECTION:
;pc21.fr. IN A
;; ANSWER SECTION:
pc21.fr. 180 IN A 212.73.221.110
;; Query time: 109 msec
;; SERVER: 212.73.221.100#53(212.73.221.100)
;; WHEN: Mon Oct 03 11:09:51 CDT 2016
;; MSG SIZE rcvd: 52
user@ubuntu:~$
If you're saying you only have issues with this FQDN, I would chalk it up more to their crappy NS than anything else. Their ns2 does not respond via UDP or TCP, and it sure looks like both of their NS are on the same netblock. I show no PTRs for either of their nameservers, etc. etc. Such a low TTL.. I would contact them if you use this site and suggest that they actually set up a good DNS if they want users to access their site ;)
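As an added example (my own code, not from the thread, pfSense or unbound), here is a small Python script that does by machine what the checks above do by hand: it parses a dig transcript for each nameserver of a zone and flags the conditions that leave a resolving (non-forwarding) resolver answering SERVFAIL while a forwarder such as 8.8.8.8, which may still hold the answer in cache, keeps replying: a nameserver that never answers, a reply without the AA flag, a TTL too low to ride out an outage from cache, and all nameservers in one /24. The two transcripts, the 300 s TTL threshold and ns2's address (212.73.221.101) are constructed for the example; ns0's address and the 180 s TTL are the values shown in the thread.

```python
import ipaddress
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

LOW_TTL_SECONDS = 300  # threshold chosen for this example, not a DNS rule


@dataclass
class DigResult:
    server: str                   # nameserver the query was sent to
    reachable: bool
    status: Optional[str] = None  # NOERROR, SERVFAIL, NXDOMAIN, ...
    authoritative: bool = False   # AA flag present in the reply
    records: List[Tuple[str, int, str, str]] = field(default_factory=list)
    responder_ip: Optional[str] = None


_RR = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")  # name ttl IN type rdata


def parse_dig(server: str, text: str) -> DigResult:
    """Turn one dig transcript into a DigResult."""
    res = DigResult(server=server, reachable=True)
    if "no servers could be reached" in text:
        res.reachable = False
        return res
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith(";; ->>HEADER<<-"):
            m = re.search(r"status:\s*(\w+)", line)
            res.status = m.group(1) if m else None
        elif line.startswith(";; flags:"):
            m = re.search(r"flags:\s*([a-z ]*);", line)
            res.authoritative = bool(m) and "aa" in m.group(1).split()
        elif line.startswith(";; SERVER:"):
            m = re.search(r"SERVER:\s*([0-9a-fA-F.:]+)#", line)
            res.responder_ip = m.group(1) if m else None
        elif line.endswith("SECTION:"):
            section = line
        elif section == ";; ANSWER SECTION:":
            m = _RR.match(line)
            if m:
                name, ttl, rtype, rdata = m.groups()
                res.records.append((name, int(ttl), rtype, rdata))
    return res


def diagnose(domain: str, results: List[DigResult],
             ns_addresses: Dict[str, str]) -> List[Tuple[str, str]]:
    """(code, message) findings that explain a SERVFAIL from a resolver
    that walks to the zone's authoritative servers itself."""
    findings = []
    down = [r.server for r in results if not r.reachable]
    if down:
        findings.append(("UNREACHABLE_NS", "no reply from: " + ", ".join(down)))
    if down and len(down) == len(results):
        findings.append(("ALL_NS_DOWN", f"no authoritative server for {domain} reachable; a resolving resolver has to return SERVFAIL"))
    for r in results:
        if r.reachable and not r.authoritative:
            findings.append(("NOT_AUTHORITATIVE", f"{r.server} answered without the AA flag"))
    ttls = [ttl for r in results for (_, ttl, _, _) in r.records]
    if ttls and min(ttls) < LOW_TTL_SECONDS:
        findings.append(("LOW_TTL", f"minimum TTL {min(ttls)}s: cached answers expire within minutes, so every NS outage resurfaces"))
    # IPv4 assumed for the netblock check (the addresses in the thread are IPv4)
    nets = {ipaddress.ip_network(f"{ip}/24", strict=False) for ip in ns_addresses.values()}
    if len(ns_addresses) > 1 and len(nets) == 1:
        findings.append(("SINGLE_NETBLOCK", f"all nameservers sit in {next(iter(nets))}; no redundancy if that prefix is unreachable"))
    return findings


# Constructed transcripts modelled on the thread's dig output.
DIG_NS2 = """\
; <<>> DiG 9.9.5 <<>> @ns2.toutlehardware.com pc21.fr
;; global options: +cmd
;; connection timed out; no servers could be reached
"""
DIG_NS0 = """\
; <<>> DiG 9.9.5 <<>> @ns0.toutlehardware.com pc21.fr
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3318
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; QUESTION SECTION:
;pc21.fr.\t\t\tIN\tA
;; ANSWER SECTION:
pc21.fr.\t\t180\tIN\tA\t212.73.221.110
;; SERVER: 212.73.221.100#53(212.73.221.100)
"""
# ns0's address comes from the transcript; ns2's is a constructed placeholder
# in the same /24, since the thread does not show it.
NS_ADDRESSES = {"ns0.toutlehardware.com": "212.73.221.100", "ns2.toutlehardware.com": "212.73.221.101"}


def run_example() -> List[Tuple[str, str]]:
    results = [parse_dig("ns2.toutlehardware.com", DIG_NS2),
               parse_dig("ns0.toutlehardware.com", DIG_NS0)]
    return diagnose("pc21.fr", results, NS_ADDRESSES)


if __name__ == "__main__":
    for code, msg in run_example():
        print(f"{code}: {msg}")
```

Feed it real output captured with `dig @<nameserver> <name>` from the pfSense box itself rather than from a LAN client, since that is the vantage point unbound resolves from and Diag > DNS Lookup only shows the final answer. UNREACHABLE_NS for every listed server is exactly the case where a resolving unbound has nothing left to ask and must return SERVFAIL, and the LOW_TTL finding shows why such a failure shows up again within minutes of each cache expiry instead of being masked by a cached answer.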
-
I kinda lost track of this issue, and it's gone as it came :)
Anyway, wanted to say thanks for the help and time spent.