DNS_PROBE_FINISHED_BAD_CONFIG
  • Hey,
    I just installed PfSense but unfortunately, I cannot browse the Internet. I keep getting the following error message in Chromium when I try to browse to a website: DNS_PROBE_FINISHED_BAD_CONFIG
    I assume that is because pfsense tries to use the wrong DNS server. As far as I know my university doesn't allow all DNS servers and in their setup guide they just tell the user to select "obtain DNS automatically".

    I don't know if this is important or not, but the university's firewall blocks all UDP traffic, and for TCP traffic these ports are blocked: 135, 137-139, 445 (SMB)
    Below are some Diagnostic things I tried and their output, as well as some other information.

    I hope you can help me, and thanks in advance! ☺
    PfSense Version: 2.4.3-Release (amd64)
    WAN IP addr: 192.168.82.232

    All settings are now set to default...
    Interfaces -> LAN: all settings are at default, the 'IPv4 Configuration Type' is set to "Static IPv4" (by default) and 'IPv6 Configuration Type' to "None" (by default)
    DNS Server(s) listed on the pfsense Dashboard:

    • 127.0.0.1
    • 192.168.82.252
    • 192.168.82.251

    Desktop Ping:

    $ ping google.com
    ping: google.com: Temporary failure in name resolution
    

    Desktop Tracepath:

    $ tracepath 172.217.16.174
    1?: [LOCALHOST]                  pmtu 1500
    1:  _gateway                                    0.267ms
    1:  _gateway                                    0.162ms
    2:  192.168.82.254                         0.813ms
    2:  192.168.82.254                         0.625ms !H
        Resume: pmtu 1500
    

    Diagnostics Ping:

    PING 172.217.16.174 (172.217.16.174): 56 data bytes
    92 bytes from 192.168.82.254: Communication prohibited by filter
    Vr HL TOS  LEN    ID FIG   off  TTL  Pro     cks    SRC            Dst
     4 5   00 0054  c3c3  0   0000   3f  01     e6cd  192.168.82.232   172.217.16.174
    ...
    --- 172.217.16.174 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss
    

    Diagnostic Traceroute:

    1. 192.168.82.254   0.490 ms  0.418 ms  0.359 ms
    2. 192.168.82.254   0.358 ms !X 0.358 ms !X 0.366 ms !X
    

    Diagnostic Routes: [screenshot]


  • Netgate

    Your best bet is probably the university support line.

    As far as I know my university doesn't allow all DNS servers and in their setup guide they just tell the user to select "obtain DNS automatically".

    So did you do that or did you define DNS servers in System > General ?

    It looks like you both defined google DNS and set gateways on them.

    What do you get in Diagnostics > DNS Lookup for something like www.cnn.com?



  • @derelict we don't have a support line, we have some people who are called "admins" but all they do is add your device to the database, so you aren't blocked out.

    I added the DNS servers I have on my laptop (which uses wifi and wasn't connected to pfsense) and I tried Google's DNS servers. But that didn't help.
    At the moment there is no DNS server in "general settings"

    I got to get this running on the university's network (https://wiki.archlinux.org/index.php/Internet_sharing) and I was hoping that if this works, then it can't be that much more difficult to get pfsense running.


  • Netgate

    What do you get in Diagnostics > DNS Lookup for something like www.cnn.com?


  • Netgate

    What shows for WAN in Status > Interfaces?



  • I think every device registered in the network is given a DNS Server. I'll do some more research on that. But my idea would be to put that DNS server in "General Settings" and then (in theory) the DNS problem should be gone right?

    DNS Lookup cnn.com:
    [screenshot]

    Status > Interfaces:
    [screenshot]

    Status -> System Logs -> System -> Gateways:
    [screenshot]

    Last 50 Firewall Logs: https://hastebin.com/oyijijamix.nginx


  • Netgate

    @sashpta said in DNS_PROBE_FINISHED_BAD_CONFIG:

    I think every device registered in the network is given a DNS Server. I'll do some more research on that. But my idea would be to put that DNS server in "General Settings" and then (in theory) the DNS problem should be gone right?

    What you have looks like it is working but those "error: 65" messages indicate the connection is pretty unreliable.

    Here is the list of things to check:

    https://www.netgate.com/docs/pfsense/routing/no-buffer-space-available.html

    In a nutshell, it means that your WAN is down at the time.



  • Error 65 seems to be fixed now.
    I assume I connected the wrong cable at some point and then the internet is blocked since it thinks it's an unregistered device...
    That is fixed now

    I found out which "DNS name" is listed in the university's network database for the machine that's running pfsense.
    I guess I can try to add that...
    I also have the option to "Remove IPv6 Autoconf Address for DNS" in the terminal of my university's network
    ("This setting is about whether our DNS server returns the IPv6 autoconf address of your device to the other devices. They use this information when contacting your device")

    But the DNS error is still there...
    [screenshot]

    DNS lookup now is also different
    [screenshot]



  • Uhm, so the DNS server that's listed in the database can't be used, since it's an IPv6 address.
    On my desktop I have this as DNS, can we somehow get something similar to pfsense?

    # Generated by NetworkManager
    search fem.tu-ilmenau.de net.fem.tu-ilmenau.de
    nameserver 192.168.82.252
    nameserver 192.168.82.251
    nameserver fd66:656d:0:82::2
    # NOTE: the libc resolver may not support more than 3 nameservers.
    # The nameservers listed below may not be recognized.
    nameserver fd66:656d:0:82::3
    

  • Netgate

    If you absolutely have to use only certain name servers (192.168.82.251 and 192.168.82.252) then you need to use either the DNS forwarder or DNS resolver in forwarding mode. Else the DNS resolver will try to do just that - resolve names using all DNS servers configured in the zone (NS records) being queried from the roots down.

    I would try unchecking DNSSEC and checking forwarding mode in the DNS resolver settings and see if that helps.
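    The distinction above (a recursive resolver walking from the roots versus a forwarder that only talks to the two campus servers) can be checked directly from a host on the same network. The script below is an added example, not part of this thread or of pfSense; it sends a hand-built DNS query to each of the resolvers from the poster's resolv.conf (192.168.82.252 and 192.168.82.251, assumed here to be the only permitted upstreams) over UDP and then over TCP, so a network that drops UDP shows up as "udp: error" next to a working "tcp" result. The transaction id of every reply is compared with the one that was sent, so a stale or spoofed answer is rejected rather than parsed. Only the stdlib is used; the parsing functions work on constructed bytes and need no network.

```python
import random
import socket
import struct

# Constructed inputs: the two IPv4 resolvers from the poster's resolv.conf and
# the name suggested for the Diagnostics > DNS Lookup test (assumptions for the example).
RESOLVERS = ["192.168.82.252", "192.168.82.251"]
TEST_NAME = "www.cnn.com"


def build_query(name, qtype=1, txid=None):
    """Build a minimal DNS query (A record by default) with the RD (recursion desired) bit set."""
    if txid is None:
        txid = random.randrange(0, 0x10000)
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # flags=RD, QDCOUNT=1
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return txid, header + qname + struct.pack("!HH", qtype, 1)  # QCLASS=IN


def _skip_name(data, offset):
    """Return the offset just past a (possibly compressed) domain name."""
    while True:
        length = data[offset]
        if length == 0:
            return offset + 1
        if length & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return offset + 2
        offset += 1 + length


def parse_response(data, expected_txid):
    """Return (rcode, [IPv4 strings from A records]); reject replies with the wrong txid."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch (stale or spoofed reply)")
    if not flags & 0x8000:
        raise ValueError("QR bit clear: this is a query, not a response")
    rcode = flags & 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED
    offset = 12
    for _ in range(qd):
        offset = _skip_name(data, offset) + 4  # skip QTYPE and QCLASS
    addrs = []
    for _ in range(an):
        offset = _skip_name(data, offset)
        rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rclass == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return rcode, addrs


def query(server, name, proto="udp", timeout=2.0):
    """Send one query to `server` over UDP or TCP; return (rcode, addrs) or an error string."""
    txid, msg = build_query(name)
    try:
        if proto == "udp":
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(msg, (server, 53))
                data, _ = s.recvfrom(4096)
        else:
            # DNS over TCP prefixes the message with a two-byte length.
            with socket.create_connection((server, 53), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(msg)) + msg)
                length = struct.unpack("!H", s.recv(2))[0]
                data = b""
                while len(data) < length:
                    chunk = s.recv(length - len(data))
                    if not chunk:
                        raise ConnectionError("short read from resolver")
                    data += chunk
        return parse_response(data, txid)
    except (OSError, ValueError) as exc:
        return "error: %s" % exc


def probe_resolvers(servers, name, proto="udp"):
    """Map each resolver to its result so UDP and TCP reachability can be compared side by side."""
    return {server: query(server, name, proto) for server in servers}


if __name__ == "__main__":
    for proto in ("udp", "tcp"):
        print(proto, probe_resolvers(RESOLVERS, TEST_NAME, proto))
```

    If both resolvers answer over TCP but time out over UDP, the campus filter is the cause and a forwarding-mode resolver pointed only at those two addresses is the configuration that can work; a REFUSED (rcode 5) from either server means it is not willing to recurse for this client at all, which no pfSense setting will change.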



  • @derelict Thank you, I'll try that.
    Unfortunately, I am not at home for a week, but when I am back, I'll try your solution and give you an update.

