Request to pfSense.localdomain timed-out



  • Hello,

    Almost no websites are working. Only YouTube works flawlessly.

    Sometimes redmondpie loads very slowly.

    If I use 8.8.8.8 on my local machine, all websites resolve perfectly.

    Tried everything: restarted the DNS service, DHCP, SNORT, pfBlockerNG.

    C:\Documents and Settings\tushar>nslookup www.pfsense.org
    Server:  pfSense.localdomain
    Address:  192.168.1.1
    
    DNS request timed out.
        timeout was 2 seconds.
    *** pfSense.localdomain can't find www.pfsense.org: Server failed
    
    C:\Documents and Settings\tushar>nslookup www.amazon.com
    Server:  pfSense.localdomain
    Address:  192.168.1.1
    
    DNS request timed out.
        timeout was 2 seconds.
    DNS request timed out.
        timeout was 2 seconds.
    *** Request to pfSense.localdomain timed-out
    
    C:\Documents and Settings\tushar>nslookup www.facebook.com
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    star-mini.c10r.facebook.com
    Address:  31.13.95.36
    Aliases:  www.facebook.com
    
    C:\Documents and Settings\kislay>nslookup www.pfsense.org
    Server:  google-public-dns-a.google.com
    Address:  8.8.8.8
    
    Non-authoritative answer:
    Name:    www.pfsense.org
    Address:  208.123.73.69
    

  • LAYER 8 Global Moderator

    Do you have your ACLs set up?  Did you mess with those?

    To me, from that permission denied statement in the log, I think you have your access list messed up and it is not allowing anyone to query the resolver.




  • Nothing is messed up, sir. I did nothing; it just started this morning when I tried to access some websites like redmondpie, FB, etc.

    Don't know what happened.





  • LAYER 8 Global Moderator

    Well, without an access list you are not going to be able to use the resolver.



  • What do you mean, "without accesslist not going to be able to use resolver"?

    I'm using the internet without any modification for one month. I didn't add or remove anything from the access list.





  • Sir KOM,

    Here, if I put 8.8.8.8 on the machine manually, FB opens flawlessly, but on 192.168.1.1 (the pfSense IP) nothing: server not found. Only YouTube working fine.



  • Yes, I understood that the first time you said it.  You are either having a DNS problem with your upstream or your configuration is somehow broken.  Since a couple of people are complaining about DNS today, I thought it might be related to the DDoS of DynDNS.


  • LAYER 8 Global Moderator

    Yeah, there is a major DDoS on a major DNS provider going on right now.  If they are hosting the authoritative servers for domains you're interested in looking up, then you're going to have a problem.

    Looking up pfSense's own name has nothing to do with outside DNS though.  You have to have an access list to be able to query the resolver.  If you cannot query pfSense's own name, then the resolver is not running, you're not allowed because of the access list, you have a connectivity issue, or something broke in the resolver.

    
    user@ubuntu:~$ dig pfsense.local.lan
    
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4439
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.             IN      A
    
    ;; ANSWER SECTION:
    pfsense.local.lan.      3600    IN      A       192.168.9.253
    
    ;; Query time: 2 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri Oct 21 11:00:03 CDT 2016
    ;; MSG SIZE  rcvd: 62
    
    

    I pulled my local network out of the access list

    
    user@ubuntu:~$ dig pfsense.local.lan
    
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: REFUSED, id: 24649
    ;; flags: qr rd ad; QUERY: 0, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
    ;; WARNING: recursion requested but not available
    
    ;; Query time: 1 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri Oct 21 11:01:21 CDT 2016
    ;; MSG SIZE  rcvd: 12
    
    

    I upped the logging level in my resolver.

    
    Oct 21 11:03:29 	unbound 	71253:1 	debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
    Oct 21 11:03:29 	unbound 	71253:1 	debug: refuse[41:0] 5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001
    Oct 21 11:03:29 	unbound 	71253:1 	debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
    Oct 21 11:03:29 	unbound 	71253:1 	debug: refuse[41:0] 5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001
    Oct 21 11:03:29 	unbound 	71253:1 	debug: refused query from ip4 192.168.9.8 port 57371 (len 16)
    Oct 21 11:03:24 	unbound 	71253:0 	debug: refuse[50:0] 6BE4010000010000000000000F6C6F672D72747332342D69616430310764657669636573046E65737403636F6D0000010001
    Oct 21 11:03:24 	unbound 	71253:0 	debug: refused query from ip4 192.168.4.96 port 47019 (len 16) 
    
    

    You can see it refusing queries from my local network.

    Do you have this checked or unchecked?




  • For me the resolver is unable to resolve at least these two domains:
    github.com
    twitter.com


  • LAYER 8 Global Moderator

    yeah those are listed as two of the domains that are hosted there..

    github.com.            172800  IN      NS      ns1.p16.dynect.net.
    github.com.            172800  IN      NS      ns3.p16.dynect.net.
    github.com.            172800  IN      NS      ns2.p16.dynect.net.
    github.com.            172800  IN      NS      ns4.p16.dynect.net.

    twitter.com.            172800  IN      NS      ns1.p34.dynect.net.
    twitter.com.            172800  IN      NS      ns2.p34.dynect.net.
    twitter.com.            172800  IN      NS      ns3.p34.dynect.net.
    twitter.com.            172800  IN      NS      ns4.p34.dynect.net.

    dynect.net is what is under ddos.



  • It's unchecked; no modification done on this page.

    Only YouTube is working properly. How do I correct my DNS resolver if it got corrupted?




  • I plugged in a Linksys RV042 and everything is working fine. Just pfSense is having a problem with Unbound DNS resolving.

    Any hope for the broken Unbound DNS resolver, or fresh install again?? :-\


  • LAYER 8 Moderator

    Yet again. Nothing to do with Unbound per se. Just try some different upstream DNS servers to test. I had problems a few days ago, too, and adding e.g. an OpenDNS and another local free DNS server in addition to 8.8.8.8 helped solve it, as even the Google DNS couldn't resolve twitter and github anymore. A few others had other cache timings etc. so could still resolve them. That helped.

    Also restart/refresh Unbound so it resolves the domains again and doesn't use negative caching against you.
    Use "ipconfig /flushdns" as you're using Windows. That caches negative DNS, too.
    Not everything is simply a pfSense problem ;)



  • @JeGr:

    Yet again. Nothing to do with Unbound per se. Just try some different upstream DNS servers to test. I had problems a few days ago, too, and adding e.g. an OpenDNS and another local free DNS server in addition to 8.8.8.8 helped solve it, as even the Google DNS couldn't resolve twitter and github anymore. A few others had other cache timings etc. so could still resolve them. That helped.

    Also restart/refresh Unbound so it resolves the domains again and doesn't use negative caching against you.
    Use "ipconfig /flushdns" as you're using Windows. That caches negative DNS, too.
    Not everything is simply a pfSense problem ;)

    I did what you said, still the same. Check the screenshots; what settings do I do more?



  • LAYER 8 Global Moderator

    Ya think maybe your pfBlocker DNS might have something to do with it ;)

    Let's go over this again.  Can you query pfSense's own name from something on your network?

    example

    dig pfsense.local.lan

    ; <<>> DiG 9.11.0 <<>> pfsense.local.lan                                 
    ;; global options: +cmd                                                   
    ;; Got answer:                                                           
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 51432                 
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:                                                     
    ; EDNS: version: 0, flags:; udp: 4096                                     
    ;; QUESTION SECTION:                                                     
    ;pfsense.local.lan.            IN      A

    ;; ANSWER SECTION:                                                       
    pfsense.local.lan.      3600    IN      A      192.168.9.253

    ;; Query time: 1 msec                                                     
    ;; SERVER: 192.168.9.253#53(192.168.9.253)                               
    ;; WHEN: Mon Oct 24 06:24:07 Central Daylight Time 2016                   
    ;; MSG SIZE  rcvd: 62

    nslookup pfsense.local.lan
    Server:  pfsense.local.lan
    Address:  192.168.9.253

    Name:    pfsense.local.lan
    Addresses:  2001:470:snipped::1
              192.168.9.253



  • Yes Sir,

    lubuntu@lubuntu:~$ dig pfsense.local.lan
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 7057
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.		IN	A
    
    ;; AUTHORITY SECTION:
    .			3559	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2016102400 1800 900 604800 86400
    
    ;; Query time: 46 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Mon Oct 24 17:03:25 IST 2016
    ;; MSG SIZE  rcvd: 121
    
    lubuntu@lubuntu:~$ dig pfsense.local.lan
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.local.lan
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 11851
    ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.local.lan.		IN	A
    
    ;; AUTHORITY SECTION:
    .			3499	IN	SOA	a.root-servers.net. nstld.verisign-grs.com. 2016102400 1800 900 604800 86400
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Mon Oct 24 17:08:44 IST 2016
    ;; MSG SIZE  rcvd: 121
    
    
    lubuntu@lubuntu:~$ nslookup pfsense.local.lan
    Server:		127.0.1.1
    Address:	127.0.1.1#53
    
    ** server can't find pfsense.local.lan: NXDOMAIN
    
    

    See, only YouTube working very fine.

    lubuntu@lubuntu:~$ dig www.youtube.com
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.youtube.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42624
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.youtube.com.		IN	A
    
    ;; ANSWER SECTION:
    www.youtube.com.	86385	IN	CNAME	youtube-ui.l.google.com.
    youtube-ui.l.google.com. 286	IN	A	216.58.220.206
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Mon Oct 24 17:25:42 IST 2016
    ;; MSG SIZE  rcvd: 94
    
    

  • LAYER 8 Global Moderator

    And you are doing the query to loopback 127.0.1.1, not pfSense. Where is your Linux box sending that query?



  • @johnpoz:

    And you are doing the query to loopback 127.0.1.1, not pfSense. Where is your Linux box sending that query?

    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.localdomain
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 19430
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.localdomain.		IN	A
    
    ;; ANSWER SECTION:
    pfsense.localdomain.	3600	IN	A	192.168.2.1
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Mon Oct 24 20:43:19 IST 2016
    ;; MSG SIZE  rcvd: 64
    
    
    lubuntu@lubuntu:~$ nslookup pfsense.localdomain
    Server:		127.0.1.1
    Address:	127.0.1.1#53
    
    Name:	pfsense.localdomain
    Address: 192.168.2.1
    
    

    Small correction: pfsense.localdomain, not pfsense.local.lan. This is all the dig output I get, using the same configuration for 16 days with no reboot. It suddenly stopped resolving hostnames; somehow only YouTube is working fine without any problem.

    Should I need to specify a DNS IP also (System/General Setup/DNS Server setting)?

    Also using some packages like SNORT, pfBlockerNG, Squid proxy in transparent mode, ClamAV.


  • LAYER 8 Global Moderator

    You need to query pfSense directly with your dig command, because where is Linux actually sending that query? You are doing the query to itself.



  • I don't know why Unbound on 127.0.0.1 is unable to resolve domain names. Only YouTube working. Do I need to update some kind of cache of Unbound DNS?


  • LAYER 8 Global Moderator

    Well, your Linux box is most likely not asking pfSense.



  • Any idea what I do now, because 127.0.0.1 is not resolving domains. DNS lookup also keeps searching but nothing.

    NOTE: tested this. When I set DNS Query Forwarding to Enabled and put Google DNS 8.8.8.8 in System/General Setup, everything works normally. But before that I used to keep DNS Query Forwarding unchecked and no DNS in System/General, and everything just worked fine.


  • LAYER 8 Global Moderator

    Dude, so when you query pfSense directly??

    dig @pfsenseIP pfsense.localdomainname.tld

    does that respond or not?

    On pfSense using the resolver and pointing to itself, can it resolve other domains?

    Your problem is your Linux is asking some service running locally; that does what?  Does it forward to what?

    It's possible the pfSense resolver is having an issue talking to the roots and the authoritative NS.  But it should be able to resolve its own name when asked by itself or other clients.

    It's also possible you just don't have an access list that allows your client to even query pfSense for anything the resolver can resolve: your own local names, host overrides or outside.




  • ; <<>> DiG 9.10.3-P4-Ubuntu <<>> pfsense.localdomain
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1336
    ;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;pfsense.localdomain.		IN	A
    
    ;; ANSWER SECTION:
    pfsense.localdomain.	3600	IN	A	192.168.2.1
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Tue Oct 25 01:37:58 IST 2016
    ;; MSG SIZE  rcvd: 64
    
    


  • LAYER 8 Global Moderator

    OK, so you can query pfSense's local name, and you can query some domains.

    You need to figure out why you cannot query those.  Set up your debug level in Unbound, try the queries again and see what it says.

    Do a query direct to the ns for facebook.com

    dig @a.ns.facebook.com www.facebook.com

    ; <<>> DiG 9.11.0 <<>> @a.ns.facebook.com www.facebook.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 64707
    ;; flags: qr aa rd; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4
    ;; WARNING: recursion requested but not available

    ;; QUESTION SECTION:
    ;www.facebook.com.              IN      A

    ;; ANSWER SECTION:
    www.facebook.com.      3600    IN      CNAME  star-mini.c10r.facebook.com.

    ;; AUTHORITY SECTION:
    facebook.com.          172800  IN      NS      a.ns.facebook.com.
    facebook.com.          172800  IN      NS      b.ns.facebook.com.

    ;; ADDITIONAL SECTION:
    a.ns.facebook.com.      172800  IN      AAAA    2a03:2880:fffe:c:face:b00c:0:35
    a.ns.facebook.com.      172800  IN      A      69.171.239.12
    b.ns.facebook.com.      172800  IN      AAAA    2a03:2880:ffff:c:face:b00c:0:35
    b.ns.facebook.com.      172800  IN      A      69.171.255.12

    ;; Query time: 15 msec
    ;; SERVER: 69.171.239.12#53(69.171.239.12)
    ;; WHEN: Mon Oct 24 17:30:50 Central Daylight Time 2016
    ;; MSG SIZE  rcvd: 186

    Maybe you're having IPv6 issues?  Maybe your ISP is doing something with your DNS queries?

    Do a +trace with dig to see what might be failing.  The resolver works completely differently than forwarding: you walk the tree down from the roots to the authoritative server.  If your internet connection has problems reaching these authoritative servers then you can have issues.

    Change over to the forwarder if you're having issues with resolving, or put the resolver in forwarder mode; most likely you have to turn off DNSSEC if where you forward doesn't support it.



  • ; <<>> DiG 9.10.3-P4-Ubuntu <<>> www.facebook.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 42715
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.facebook.com.		IN	A
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Tue Oct 25 10:32:57 IST 2016
    ;; MSG SIZE  rcvd: 45
    
    
    lubuntu@lubuntu:~$ traceroute www.facebook.com
    www.facebook.com: Temporary failure in name resolution
    Cannot handle "host" cmdline arg `www.facebook.com' on position 1 (argc 1)
    
    
    lubuntu@lubuntu:~$ traceroute www.google.com
    traceroute to www.google.com (216.58.220.196), 30 hops max, 60 byte packets
     1  pfSense.localdomain (192.168.2.1)  0.227 ms  0.248 ms  0.156 ms
     2  192.168.1.1 (192.168.1.1)  2.080 ms  2.485 ms  2.654 ms
     3  103.30.141.1 (103.30.141.1)  33.453 ms  33.419 ms  33.363 ms
     4  172.25.24.66 (172.25.24.66)  33.535 ms  50.011 ms  49.956 ms
     5  172.25.24.17 (172.25.24.17)  49.919 ms  49.871 ms  49.848 ms
     6  172.25.24.78 (172.25.24.78)  49.344 ms  48.722 ms  49.034 ms
     7  103.14.124.125 (103.14.124.125)  48.936 ms  47.614 ms  47.483 ms
     8  108.170.238.13 (108.170.238.13)  46.678 ms  37.054 ms  36.928 ms
     9  216.58.220.196 (216.58.220.196)  36.913 ms  18.125 ms  18.031 ms
    lubuntu@lubuntu:~$ 
    


  • Devs, any idea about this? Why am I not able to resolve domains, with only YouTube and google.com working fine?


  • LAYER 8 Global Moderator

    Well, let's track one specific thing that you say does not resolve.

    So for example… How do you think this .localdomain is going to resolve???

    tools.ietf.org.localdomain

    Seems you're tacking on .localdomain to your queries. Yeah, those are going to FAIL every time!!

    Looks like you're also trying to do IPv6, which is failing.

    Also, what part do you NOT get about doing a query to pfSense directly?  You're asking something running on your Linux box; you're asking 127.0.1.1, which is loopback. Where is it asking???  pfSense?  Maybe something else?  You don't freaking know, etc.  So in your dig command, directly query the pfSense IP.

    dig @pfsenseIP what.yourlooking.for

    Do a query direct to your pfSense IP for facebook.  If that fails, then look in your resolver log for why, etc.




  • ; <<>> DiG 9.10.3-P4-Ubuntu <<>> 192.168.2.1 www.facebook.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 3953
    ;; flags: qr aa rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 1280
    ;; QUESTION SECTION:
    ;192.168.2.1.			IN	A
    
    ;; ANSWER SECTION:
    192.168.2.1.		0	IN	A	192.168.2.1
    
    ;; Query time: 0 msec
    ;; SERVER: 127.0.1.1#53(127.0.1.1)
    ;; WHEN: Thu Oct 27 10:29:33 IST 2016
    ;; MSG SIZE  rcvd: 56
    
    ;; connection timed out; no servers could be reached
    

    After some R&D, it looks like my ISP is not allowing me to use any third-party DNS other than Google's 8.8.8.8 and their own 103.14.124.6. I tried putting OpenDNS 208.67.222.222 in DNS forwarding mode; still not able to resolve domains. When I use 8.8.8.8 all works fine.

    I can't even ping any IP or domain other than Google services like YouTube, Google Plus, google.com and Google DNS.


  • LAYER 8 Global Moderator

    Well, if your ISP is that crappy I would change ISP, to be honest ;)

    If that is the case then NO, you cannot use a resolver, and can only forward to the NS they allow you to talk to.  Resolving will not work unless you can talk to ANY IP on the planet on UDP/TCP 53, since you have no idea where the authoritative server for somedomain.tld will actually be.

    Dude, but you're killing me.  Your posted dig was not to pfSense directly.  You asked yet again the local service running on your Linux box, 127.0.1.1: hey, what is the A record for 192.168.2.1? Yeah, that is not what I said to do.  I said to query pfSense directly!!!

    So, as in the example I gave, use the @ in your dig command to tell it where to go.

    I.e. dig @192.168.2.1 what.yourlooking.for

    If 192.168.2.1 is the IP of pfsense that unbound is listening on.

    dig **@**192.168.9.253 www.facebook.com

    
    user@ubuntu:~$ dig @192.168.9.253 www.facebook.com
    
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> @192.168.9.253 www.facebook.com
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 6660
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.facebook.com.              IN      A
    
    ;; ANSWER SECTION:
    www.facebook.com.       3600    IN      CNAME   star-mini.c10r.facebook.com.
    star-mini.c10r.facebook.com. 60 IN      A       31.13.65.36
    
    ;; AUTHORITY SECTION:
    c10r.facebook.com.      1651    IN      NS      a.ns.c10r.facebook.com.
    c10r.facebook.com.      1651    IN      NS      b.ns.c10r.facebook.com.
    
    ;; ADDITIONAL SECTION:
    a.ns.c10r.facebook.com. 1651    IN      AAAA    2a03:2880:fffe:b:face:b00c:0:99
    a.ns.c10r.facebook.com. 1651    IN      A       69.171.239.11
    b.ns.c10r.facebook.com. 1651    IN      AAAA    2a03:2880:ffff:b:face:b00c:0:99
    b.ns.c10r.facebook.com. 1651    IN      A       69.171.255.11
    
    ;; Query time: 28 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu Oct 27 07:04:56 CDT 2016
    ;; MSG SIZE  rcvd: 213
    
    

    Notice the @192.168.9.253 in my command, notice dig tells me who I ask
    ;; SERVER: 192.168.9.253#53(192.168.9.253)

    Or you could do it this way

    dig www.facebook.com **@**192.168.9.253

    
    user@ubuntu:~$ dig www.facebook.com @192.168.9.253
    
    ; <<>> DiG 9.9.5-3ubuntu0.9-Ubuntu <<>> www.facebook.com @192.168.9.253
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 17550
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 2, ADDITIONAL: 5
    
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;www.facebook.com.              IN      A
    
    ;; ANSWER SECTION:
    www.facebook.com.       3463    IN      CNAME   star-mini.c10r.facebook.com.
    star-mini.c10r.facebook.com. 60 IN      A       31.13.65.36
    
    ;; AUTHORITY SECTION:
    c10r.facebook.com.      1514    IN      NS      a.ns.c10r.facebook.com.
    c10r.facebook.com.      1514    IN      NS      b.ns.c10r.facebook.com.
    
    ;; ADDITIONAL SECTION:
    a.ns.c10r.facebook.com. 1514    IN      AAAA    2a03:2880:fffe:b:face:b00c:0:99
    a.ns.c10r.facebook.com. 1514    IN      A       69.171.239.11
    b.ns.c10r.facebook.com. 1514    IN      AAAA    2a03:2880:ffff:b:face:b00c:0:99
    b.ns.c10r.facebook.com. 1514    IN      A       69.171.255.11
    
    ;; Query time: 17 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Thu Oct 27 07:07:13 CDT 2016
    ;; MSG SIZE  rcvd: 213
    
    

    Again notice the @ and the IP of who I want to ask.  192.168.9.253 in my case.

    If your ISP is going to limit who you can ask for DNS, then you're probably best off using the forwarder and not the resolver, and just putting in the IPs of the DNS servers they let you ask.  Or I would really freaking complain to them: blocking you from asking a NS for something is just BS, plain and simple.

    You can use that command to ask some NS on the public internet for something directly.  This would validate whether your ISP is allowing or blocking you, as long as your LAN rules allow you outbound on 53.  You can even tell dig to use TCP vs UDP.
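    Worked example, added here and not from any poster in this thread: a small Python decoder for the two checks johnpoz describes, the `refuse[N:0] <hex>` lines Unbound logs when an access list rejects a client (the earlier post with the debug log) and the `status:` of a direct `dig @server name` answer (this post). The sample log line and the two constructed replies reuse values quoted in the thread; `query_server()` is a hypothetical helper that mimics `dig @server`, not a pfSense or Unbound API.

```python
"""Decode DNS messages for two checks from this thread: which client query an
Unbound access list refused, and what 'status:' a direct 'dig @server' reply has."""
import socket
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
QTYPES = {1: "A", 2: "NS", 5: "CNAME", 6: "SOA", 28: "AAAA", 41: "OPT"}
# Constructed sample: one of the Unbound debug lines quoted in the thread.
UNBOUND_REFUSE_LINE = (
    "Oct 21 11:03:29 unbound 71253:1 debug: refuse[41:0] "
    "5C7C010000010000000000000C7361666562726F7773696E6706676F6F676C6503636F6D0000010001"
)


def read_name(msg, offset):
    """Read a (possibly compressed) name; return (dotted name, offset after it)."""
    labels, end = [], None
    while True:
        length = msg[offset]
        if length & 0xC0 == 0xC0:  # compression pointer: follow it, remember where we were
            if end is None:
                end = offset + 2
            offset = struct.unpack_from("!H", msg, offset)[0] & 0x3FFF
            continue
        offset += 1
        if length == 0:
            break
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length
    return ".".join(labels) + ".", (end if end is not None else offset)


def parse_message(msg):
    """Parse the header and the first question of a DNS query or response."""
    ident, flags, qd, an, ns, ar = struct.unpack_from("!6H", msg, 0)
    out = {"id": ident, "qr": bool(flags & 0x8000), "aa": bool(flags & 0x0400),
           "rd": bool(flags & 0x0100), "ra": bool(flags & 0x0080),
           "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
           "qdcount": qd, "ancount": an, "nscount": ns, "arcount": ar,
           "qname": None, "qtype": None}
    if qd:  # a REFUSED reply from Unbound carries no question section at all
        name, off = read_name(msg, 12)
        qtype = struct.unpack_from("!H", msg, off)[0]
        out["qname"], out["qtype"] = name, QTYPES.get(qtype, str(qtype))
    return out


def decode_unbound_refuse_line(line):
    """The hex after 'refuse[len:0]' is the raw client query that was rejected."""
    return parse_message(bytes.fromhex(line.rsplit(" ", 1)[1]))


def diagnose(resp):
    """Map a parsed reply to the next troubleshooting step discussed in the thread."""
    if not resp["qr"]:
        return "not a response"
    if resp["rcode"] == "REFUSED":
        return "REFUSED: the resolver's access list does not allow this client"
    if resp["rcode"] == "SERVFAIL":
        return "SERVFAIL: resolver could not reach or validate the authoritative servers"
    if resp["rcode"] == "NXDOMAIN":
        return "NXDOMAIN: no such name (check for a search suffix such as .localdomain)"
    if resp["ancount"] == 0:
        return "NOERROR but empty: the name exists, no record of that type"
    return "NOERROR: %d answer record(s)" % resp["ancount"]


def build_query(name, ident=0x1234, qtype=1):
    """Build a plain recursive query (no EDNS), the shape seen in the log line."""
    body = b"".join(bytes([len(l)]) + l.encode("ascii") for l in name.rstrip(".").split("."))
    return struct.pack("!6H", ident, 0x0100, 1, 0, 0, 0) + body + b"\x00" + struct.pack("!HH", qtype, 1)


def query_server(server_ip, name, timeout=2.0):
    """Hypothetical helper: like 'dig @server_ip name', ask that server directly on UDP/53."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None  # dig's "connection timed out; no servers could be reached"
    return parse_message(data)


# Constructed replies mirroring two dig results in the thread: a 12-byte REFUSED with
# no question section (access list) and a 45-byte SERVFAIL carrying only an OPT record.
REFUSED_RESPONSE = struct.pack("!6H", 24649, 0x8125, 0, 0, 0, 0)
SERVFAIL_RESPONSE = (struct.pack("!6H", 42715, 0x8182, 1, 0, 0, 1)
                     + build_query("www.facebook.com")[12:]
                     + b"\x00" + struct.pack("!HHIH", 41, 4096, 0, 0))
```

    Decoding the quoted log line shows the refused query was an A lookup for safebrowsing.google.com, which is what an access-list gap looks like from the resolver's side; the message sizes of the constructed replies match the `MSG SIZE rcvd` values in the dig outputs above.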



  • My pfSense IP is 192.168.2.1.

    I tried using the ISP DNS and the Google IP 8.8.8.8; all websites open perfectly, but one new problem: can't ping anything other than Google DNS and the ISP-provided DNS IP.

    It looks like they are restricting us from using third-party DNS and not allowing us to ping any IP.

    What's wrong with dig :( I'm so frustrated; you asked me for "dig @pfsenseIP www.whatever.com"

    
    lubuntu@lubuntu-:~$ dig @192.168.2.1 www.facebook.com
    
    ; <<>> DiG 9.10.3-P4-Ubuntu <<>> @192.168.2.1 www.facebook.com
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    lubuntu@lubuntu-:~$ 
    
    
    Tushars-MacBook-Pro:~ tushar$ ping 208.67.222.222
    PING 208.67.222.222 (208.67.222.222): 56 data bytes
    Request timeout for icmp_seq 0
    Request timeout for icmp_seq 1
    Request timeout for icmp_seq 2
    Request timeout for icmp_seq 3
    Request timeout for icmp_seq 4
    ^C
    --- 208.67.222.222 ping statistics ---
    6 packets transmitted, 0 packets received, 100.0% packet loss
    
    
    
    Tushars-MacBook-Pro:~ tushar$ ping 8.8.8.8
    PING 8.8.8.8 (8.8.8.8): 56 data bytes
    64 bytes from 8.8.8.8: icmp_seq=0 ttl=58 time=8.675 ms
    64 bytes from 8.8.8.8: icmp_seq=1 ttl=58 time=11.394 ms
    64 bytes from 8.8.8.8: icmp_seq=2 ttl=58 time=10.896 ms
    ^C
    --- 8.8.8.8 ping statistics ---
    3 packets transmitted, 3 packets received, 0.0% packet loss
    round-trip min/avg/max/stddev = 8.675/10.322/11.394/1.182 ms
    
