Issues with resolving and no internet access..
AR15USR last edited by AR15USR
I have recently switched from Squid/Squidgrard to pfblockerNG. Since that switch I have been having issues with long "resolving host..." times, inability to find sites, and complete internet access blockage (even on subnets not monitored by pfblockerNG). Before, this resolving was instantaneous (at least to the human eye). I am running pfBlockerNG-devel 2.2.1.
I have had the TLD feature enabled up until disabling it today, I'll see if this changes anything. With this enabled, my memory utilization was only 47% fyi.
Pics of my settings are below, I can post up log files but I am not sure which one would be apropos, just let me know.
Any ideas where / what to start with?
As an update I have not seen the issue since I disabled TLD setting.
If you are on a Multi-Segmented LAN (ie: VLANS), you will need to enable the "DNSBL Permit rule" option which will allow your VLANs to access the DNSBL VIP.
You should be able to ping and browse to the DNSBL VIP from all VLAN subnets.
I do have it enabled, see screen pic above “Permit firewall rules”, unless you are referring to something else?
The problem though was happening on the LAN. After unchecking the “TLD” feature it got better, but still happens. Never happened before installing pfblockerNG devel.
Timeouts typically only occur when the LAN/VLANs cannot access the DNSBL VIP. When a request is HTTP, the Lighttpd DNSBL webserver sends a 1x1 pixel back to the browser to terminate the connection. For HTTPS blocked domains, the browser will terminate as soon as it sees that the DNSBL Cert is invalid and should drop the connection without delay.
Can you ping and browse to the DNSBL VIP?
Yes I can browse and ping the VIP (10.10.10.1, the default) (when I browse I see the block page).
Here is an example of how it happens from the user point of view if it helps:
You enter a URL in the browser (Chrome). You see "resolving host..." in the status bar at the bottom, this happens for a minute or so, sometimes faster. Then you get the "This site cant be reached" error. If you type the URL in the browser again it will then resolve and find the site right away. Sometimes you need to enter it a couple times to resolve correctly.
You enter a URL in the browser (Chrome). You see “resolving host…” in the status bar at the bottom, this happens for a minute or so, sometimes faster. Then you get the “This site cant be reached” error. If you type the URL in the browser again it will then resolve and find the site right away. Sometimes you need to enter it a couple times to resolve correctly.
Are you using the Resolver in "Forwarder" or "Resolver" mode?
If in "Forwarder" mode, it will use the External DNS Server settings that are defined in the pfSense General Tab DNS settings.
If in "Resolver" mode, it will use the 13 Root DNS Servers for DNS resolution.
If you have DNSSEC enabled, it will work for "Resolver" mode, and also for DNS Servers that support it.
You can increase the log verbosity in the Resolver settings to "2" and then review the pfSense Resolver.log for any error messages.
Also ensure that your LAN devices only have the pfSense IP defined as the DNS Server, so that all DNS requests are filtered before any outbound DNS requests.
Are you using any IP/GeoIP Blocking? or Snort/Suricata? If so, check the Alerts Tab for clues to see if DNS servers are getting blocked which can cause DNS resolution issues.