2.3.2-RELEASE-p1 (amd64) dns resolver not working


  • DNS Resolver is not working at all. I cannot get answers from pfsense itself or on any client when I enable resolver.
    I have tried with forwarder and it works fine.

    My setup:
    2.3.2-RELEASE-p1 (amd64)
    2 interfaces, WAN and LAN. Both have IP6 set to none.
    WAN 1000baseT <full-duplex>91.157..
    LAN 1000baseT <full-duplex>10.10..

    System has 4 DNS servers. No matter if only one or two
    DNS server(s)
    195.140.195.21
    193.229.0.40
    208.67.220.220
    8.8.8.8

    No firewall rules created
    Resolver config default, only selected WAN interface for outgoing and LAN and localhost for network.
    Hide version is selected.

    This is what happens from pfsense and all clients.

    [2.3.2-RELEASE][root@sense]/var/unbound: nslookup google.com

    ;; Got SERVFAIL reply from 127.0.0.1, trying next server
    ;; connection timed out; no servers could be reached

    From log I can see:
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:503:ba3e::2:30 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:dc3::35 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:9f::42 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:2d::d port 53

    I have set IPv6 disabled in unbound.conf
    do-ip6: no

    I also tried removing all unbound entries in the system config file, cleared /var/unbound, did a restore and entered the config again, but no help.


  • Resolver doesn't use the servers listed in General Setup - DNS Server Settings.

    Do you have All selected for both Network Interfaces and Outgoing Network Interfaces?


  • I did have all selected as default and it did not work like that either. I changed those settings when there were a lot of errors in the logs.

    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:1::53 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:2d::d port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:12::d0d port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:dc3::35 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:2::c port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:a8::e port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:a8::e port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:503:c27::2:30 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:7fd::1 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:500:2d::d port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:7fd::1 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:dc3::35 port 53
    Jan 24 17:10:01 sense unbound: [37475:0] info: error sending query to auth server 2001:dc3::35 port 53



  • @KOM:

    Resolver doesn't use the servers listed in General Setup - DNS Server Settings.

    Huh?  What does it use then?

    From System/General?DNS Server Settings..

    Address
    Enter IP addresses to be used by the system for DNS resolution. These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled.

  • Banned

    @chpalmer:

    Huh?  What does it use then?

    Emphasized for you:

    Address
    Enter IP addresses to be used by the system for DNS resolution.


  • Resolver doesn't use the servers listed in General Setup - DNS Server Settings.

    Address
    Enter IP addresses to be used by the system for DNS resolution.

    And the rest states-

    These are also used for the DHCP service, DNS Forwarder and DNS Resolver when it has DNS Query Forwarding enabled.

    So if Forwarding is not enabled where does the Resolver resolve from?  The system itself?


  • Huh?  What does it use then?

    It talks to the root servers directly and then walks the chain to the authoritative server.

    https://en.wikipedia.org/wiki/Root_name_server


  • Kom-  Thank you!

    Beavis-  select the IPv6 link locals as well.


  • I did select all for network interface, but still lots of errors for ipv6 query in log and resolving is not working.

  • Banned

    @beavis:

    but still lots of errors for ipv6 query in log

    Completely useless info. What errors exactly? Why would you be resolving IPv6 at all with no IPv6 set up anywhere?


  • Yes, I don't understand why resolver is using IP6. I have disabled IP6 everywhere and also manually added do-ip6: no to the unbound.conf file.
    But every time I change something in pfsense->services->dns resolver, save and hit apply, it changes it to do-ip6: yes in the config file.

    nslookup is only giving time out on every host and pfsense itself.

    This is from resolver.log:
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2001:500:127::30 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2002::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2bad::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2002::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2bad::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2bad::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2002::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2bad::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2bad::17 port 53
    Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2600:1406:32::c1 port 53
    Jan 25 09:56:28 sense unbound: [40471:0] info: error sending query to auth server 2a03:7900:104:1::2 port 53


  • I lost my patience with this and moved back to forwarder.
    It works as it's supposed to, no strange ip6 issues.
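
A way to triage resolver.log excerpts like the ones quoted in this thread: count the "error sending query to auth server" lines per address family, which shows whether only IPv6 upstreams are failing. This is an added example, not code from any poster or from pfSense; the sample lines are constructed in the quoted log format and the function names are hypothetical.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample in the same format as the resolver.log lines in this thread.
# 192.0.2.53 is a documentation address used only to exercise the IPv4 path.
SAMPLE_LOG = """\
Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2001:500:127::30 port 53
Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2002::17 port 53
Jan 25 09:55:05 sense unbound: [40471:0] info: error sending query to auth server 2a01:111:2002::17 port 53
Jan 25 09:55:06 sense unbound: [40471:0] info: error sending query to auth server 192.0.2.53 port 53
Jan 25 09:55:07 sense unbound: [40471:0] info: some unrelated message
"""

SEND_ERROR = re.compile(
    r"unbound: \[\d+:\d+\] \w+: error sending query to auth server (\S+) port (\d+)"
)


def summarize_send_errors(log_text):
    """Return (errors per address family, errors per upstream server)."""
    by_family, by_server = Counter(), Counter()
    for line in log_text.splitlines():
        match = SEND_ERROR.search(line)
        if not match:
            continue  # not a send-error line
        try:
            addr = ipaddress.ip_address(match.group(1))
        except ValueError:
            by_family["unparsed"] += 1  # keep malformed addresses visible
            continue
        by_family[f"IPv{addr.version}"] += 1
        by_server[str(addr)] += 1
    return by_family, by_server


def failing_families(by_family):
    """Classify which address families are producing send errors."""
    v4, v6 = by_family.get("IPv4", 0), by_family.get("IPv6", 0)
    if v6 and not v4:
        return "ipv6-only"  # typical of a host with no usable IPv6 route
    if v4 and not v6:
        return "ipv4-only"
    return "both" if v4 and v6 else "none"


if __name__ == "__main__":
    families, servers = summarize_send_errors(SAMPLE_LOG)
    print(failing_families(families), dict(families))
    for server, count in servers.most_common():
        print(f"{count:4d}  {server}")
```
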