2.3.3 - DNS resolution from firewall stops working over time

  • I have a weird issue, and am not sure how to proceed…

    New install of 2.3.3. I use DNS Resolver, with the DNS forwarding option, for client DNS on the firewall. All of my clients work fine, DNS name resolution works fine, no issues.

    What I've noted is that sometimes I log into the pfSense web interface and it can't check for updates, and can't get the list of available packages. Suspecting a DNS issue, I went to Diagnostics -> DNS Lookup, and sure enough it can't resolve names at all. The exact same names resolve just fine on my clients - just not on the firewall itself.

    In the DNS Lookup tool it shows the DNS servers as expected, but can't resolve a name (ibm.com is a common one I try). In the list of DNS servers, one shows a 0 ms or 1 ms response; all the others show "no response".

    If I reboot the pfSense VM, then try Diagnostics -> DNS Lookup after restart, it can look up names correctly - which is the correct behavior. If I then test in a few hours, it again cannot. So I think the config is OK, and something is happening to make it die over time.

    Any smart people have some ideas on what this could be, or at least what I should start looking at?

  • Well, has been working 24 hours now without failing… After failing multiple days in a row.

    Weird. I'll keep an eye on it and see if it happens again…

  • I think I figured it out, and I think it is a bug…

    I was trying out traffic limiters / rate limiters. I was able to reproduce 3 times now that if you add/remove/add/remove traffic shapers a few times, it breaks DNS resolution until reboot.

    Specifically I was adding/testing bloat/removing/testing bloat/adding/testing bloat/removing codelq from my interfaces. No other queues or limiters.
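  • A small self-check script, added here as an example and not something posted in the thread or shipped with pfSense, that tests resolution from the firewall itself against every nameserver in resolv.conf and logs each result with a timestamp. Running it from cron every few minutes gives a log you can line up against configuration changes (shaper edits, reboots) to see exactly when resolution on the box stops working, instead of discovering it the next time the package list fails to load. The `host` utility, the log path, the file name and the test name are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread): periodically test name resolution from the
# firewall itself against each nameserver in resolv.conf and log the outcome with a
# timestamp, so failures can be correlated with config changes such as shaper edits.
# Assumes the `host` utility is installed (on FreeBSD: dns/bind-tools); the paths,
# the test name and the script file name below are assumptions.

RESOLV_CONF="${RESOLV_CONF:-/etc/resolv.conf}"
TEST_NAME="${TEST_NAME:-ibm.com}"
LOGFILE="${LOGFILE:-/var/log/dns-selfcheck.log}"

# Print the nameserver addresses listed in a resolv.conf-style file, one per line.
# Comments and other directives (search, options) are ignored.
parse_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Query TEST_NAME directly against one server with a 2 second timeout.
# Returns 0 on an answer, nonzero on timeout or SERVFAIL.
query_server() {
    server="$1"
    host -W 2 "$TEST_NAME" "$server" >/dev/null 2>&1
}

# Test every configured server once. Prints one line per server and returns
# nonzero if any server failed, so the exit code can also drive an alert.
check_all() {
    failed=0
    ts=$(date '+%Y-%m-%d %H:%M:%S')
    for ns in $(parse_nameservers "$RESOLV_CONF"); do
        if query_server "$ns"; then
            echo "$ts OK   $ns $TEST_NAME"
        else
            echo "$ts FAIL $ns $TEST_NAME"
            failed=1
        fi
    done
    return $failed
}

# Usage: save as dns-selfcheck.sh and run it from cron every few minutes;
# results are appended to LOGFILE. Only runs when executed under that name.
if [ "${0##*/}" = "dns-selfcheck.sh" ]; then
    check_all >> "$LOGFILE"
fi
```

A FAIL line for every server at once, while clients behind the firewall still resolve fine, is the pattern described above: the upstream servers are reachable from the LAN, so the problem is on the firewall's own outbound path rather than at the resolvers.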
