Netgate Discussion Forum

    DNS_PROBE_FINISHED_BAD_CONFIG

    Category: DHCP and DNS
    11 Posts 2 Posters 4.5k Views
    sashpta

      Hey,
      I just installed pfSense but unfortunately, I cannot browse the Internet. I keep getting the following error message in Chromium when I try to browse to a website: DNS_PROBE_FINISHED_BAD_CONFIG
      I assume that is because pfSense tries to use the wrong DNS server. As far as I know my university doesn't allow all DNS servers, and in their setup guide they just tell the user to select "obtain DNS automatically".

      I don't know if this is important or not, but the university's firewall blocks all UDP traffic, and for TCP traffic these ports are blocked: 135, 137-139, 445 (SMB)
      Below are some diagnostic things I tried and their output, as well as some other information.

      I hope you can help me, and thanks in advance! ☺
      pfSense Version: 2.4.3-Release (amd64)
      WAN IP addr: 192.168.82.232

      All settings are now set to default...
      Interfaces -> LAN: all settings are at default, the 'IPv4 Configuration Type' is set to "Static IPv4" (by default) and 'IPv6 Configuration Type' to "None" (by default)
      DNS server(s) listed on the pfSense Dashboard:

      • 127.0.0.1
      • 192.168.82.252
      • 192.168.82.251

      Desktop Ping:

      $ ping google.com
      ping: google.com: Temporary failure in name resolution
      

      Desktop Tracepath:

      $ tracepath 172.217.16.174
      1?: [LOCALHOST]                  pmtu 1500
      1:  _gateway                                    0.267ms
      1:  _gateway                                    0.162ms
      2:  192.168.82.254                         0.813ms
      2:  192.168.82.254                         0.625ms !H
          Resume: pmtu 1500
      

      Diagnostics Ping:

      PING 172.217.16.174 (172.217.16.174): 56 data bytes
      92 bytes from 192.168.82.254: Communication prohibited by filter
      Vr HL TOS  LEN    ID FIG   off  TTL  Pro     cks    SRC            Dst
       4 5   00 0054  c3c3  0   0000   3f  01     e6cd  192.168.82.232   172.217.16.174
      ...
      --- 172.217.16.174 ping statistics ---
      3 packets transmitted, 0 packets received, 100.0% packet loss
      

      Diagnostic Traceroute:

      1. 192.168.82.254   0.490 ms  0.418 ms  0.359 ms
      2. 192.168.82.254   0.358 ms !X 0.358 ms !X 0.366 ms !X
      

      Diagnostic Routes: [screenshot]

    Derelict (Netgate)

        Your best bet is probably the university support line.

        As far as I know my university doesn't allow all DNS servers and in their setup guide they just tell the user to select "obtain DNS automatically".

        So did you do that or did you define DNS servers in System > General ?

        It looks like you both defined google DNS and set gateways on them.

        What do you get in Diagnostics > DNS Lookup for something like www.cnn.com?

        Chattanooga, Tennessee, USA
        A comprehensive network diagram is worth 10,000 words and 15 conference calls.
        DO NOT set a source address/port in a port forward or firewall rule unless you KNOW you need it!
        Do Not Chat For Help! NO_WAN_EGRESS(TM)

    sashpta (replying to Derelict)

          @derelict we don't have a support line, we have some people who are called "admins" but all they do is add your device to the database, so you aren't blocked out.

          I added the DNS servers I have on my laptop (which uses Wi-Fi and wasn't connected to pfSense) and I tried Google's DNS servers. But that didn't help.
          At the moment there is no DNS server in "General Settings".

          I got to get this running on the university's network (https://wiki.archlinux.org/index.php/Internet_sharing) and I was hoping that if this works, then it can't be that much more difficult to get pfSense running.

    Derelict (Netgate)

            What do you get in Diagnostics > DNS Lookup for something like www.cnn.com?

    Derelict (Netgate)

              What shows for WAN in Status > Interfaces?

    sashpta

                I think every device registered in the network is given a DNS server. I'll do some more research on that. But my idea would be to put that DNS server in "General Settings" and then (in theory) the DNS problem should be gone, right?

                DNS Lookup cnn.com:
                [screenshot]

                Status > Interfaces:
                [screenshot]

                Status -> System Logs -> System -> Gateways:
                [screenshot]

                Last 50 Firewall Logs: https://hastebin.com/oyijijamix.nginx

    Derelict (Netgate)

                  @sashpta said in DNS_PROBE_FINISHED_BAD_CONFIG:

                  I think every device registered in the network is given a DNS Server. I'll do some more research on that. But my idea would be to put that DNS server in "General Settings" and then (in theory) the DNS problem should be gone right?

                  What you have looks like it is working, but those "error: 65" messages indicate the connection is pretty unreliable.

                  Here is the list of things to check:

                  https://www.netgate.com/docs/pfsense/routing/no-buffer-space-available.html

                  In a nutshell, it means that your WAN is down at the time.

    sashpta

                    Error 65 seems to be fixed now.
                    I assume I connected the wrong cable at some point, and then the Internet is blocked since it thinks it's an unregistered device...
                    That is fixed now.

                    I found out which "DNS name" is listed in the university's network database for the machine that's running pfsense.
                    I guess I can try to add that...
                    I also have the option to "Remove IPv6 Autoconf Address for DNS" in the terminal of my university's network
                    ("This setting is about whether our DNS server returns the IPv6 autoconf address of your device to the other devices. They use this information when contacting your device")

                    But the DNS error is still there...
                    [screenshot]

                    DNS Lookup now is also different:
                    [screenshot]

    sashpta

                      Hmm, so the DNS server that's listed in the database can't be used, since it's an IPv6 address.
                      On my desktop I have this as DNS; can we somehow get something similar on pfSense?

                      # Generated by NetworkManager
                      search fem.tu-ilmenau.de net.fem.tu-ilmenau.de
                      nameserver 192.168.82.252
                      nameserver 192.168.82.251
                      nameserver fd66:656d:0:82::2
                      # NOTE: the libc resolver may not support more than 3 nameservers.
                      # The nameservers listed below may not be recognized.
                      nameserver fd66:656d:0:82::3
                      
    Derelict (Netgate)

                        If you absolutely have to use only certain name servers (192.168.82.251 and 192.168.82.252) then you need to use either the DNS forwarder or DNS resolver in forwarding mode. Else the DNS resolver will try to do just that - resolve names using all DNS servers configured in the zone (NS records) being queried from the roots down.

                        I would try unchecking DNSSEC and checking forwarding mode in the DNS resolver settings and see if that helps.

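A way to test the distinction Derelict draws above (forwarding to the university's resolvers on the local segment versus recursion, which needs the root servers reachable over UDP through a firewall that drops all UDP), as an added example that is not part of the original thread or of pfSense itself. It is a minimal DNS client: it builds a wire-format query, parses the reply, and can send the query over UDP or TCP (TCP framing adds a 2-byte length prefix, which is the only difference on the wire). The upstream addresses 192.168.82.251/.252 are the ones posted in the thread; 198.41.0.4 is a.root-servers.net, used to model what unbound in recursive mode must reach. Which servers answer, and over which transport, is what you observe when running it; nothing here is a measured result.

```python
"""Minimal DNS probe: does an upstream answer, and over which transport?"""
import secrets
import socket
import struct

DNS_PORT = 53
TYPE_A, TYPE_AAAA = 1, 28


def build_query(name, qtype=TYPE_A, txid=None):
    """Build a standard recursive (RD=1) DNS query for `name`, class IN."""
    if txid is None:
        txid = secrets.randbits(16)          # random ID, checked on reply
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def _read_name(data, off):
    """Decode a possibly compressed name; return (name, offset after it)."""
    labels, end, jumped, hops = [], off, False, 0
    while True:
        length = data[off]
        if length & 0xC0 == 0xC0:            # compression pointer (RFC 1035 4.1.4)
            ptr = struct.unpack("!H", data[off:off + 2])[0] & 0x3FFF
            if not jumped:
                end = off + 2
            jumped, off, hops = True, ptr, hops + 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            if not jumped:
                end = off
            return ".".join(labels), end
        labels.append(data[off:off + length].decode("ascii"))
        off += length


def parse_response(data):
    """Parse header + answer section; returns rcode, truncation flag, answers."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if not flags & 0x8000:
        raise ValueError("QR bit not set: this is a query, not a response")
    result = {"txid": txid, "rcode": flags & 0x000F,
              "truncated": bool(flags & 0x0200), "answers": []}
    off = 12
    for _ in range(qd):                      # skip the echoed question section
        _, off = _read_name(data, off)
        off += 4
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == TYPE_A and rdlen == 4:
            value = socket.inet_ntoa(rdata)
        elif rtype == TYPE_AAAA and rdlen == 16:
            value = socket.inet_ntop(socket.AF_INET6, rdata)
        else:
            value = rdata.hex()
        result["answers"].append((name, rtype, ttl, value))
    return result


def probe(server, name, transport="udp", timeout=2.0):
    """Send one query to `server` over udp or tcp; return parsed reply or error."""
    family = socket.AF_INET6 if ":" in server else socket.AF_INET
    query = build_query(name)
    sent_txid = struct.unpack("!H", query[:2])[0]
    try:
        if transport == "udp":
            with socket.socket(family, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, DNS_PORT))
                data, _ = s.recvfrom(4096)
        else:                                # TCP: 2-byte length prefix each way
            with socket.create_connection((server, DNS_PORT), timeout=timeout) as s:
                s.sendall(struct.pack("!H", len(query)) + query)
                (n,) = struct.unpack("!H", s.recv(2))
                data = b""
                while len(data) < n:
                    chunk = s.recv(n - len(data))
                    if not chunk:
                        break
                    data += chunk
        reply = parse_response(data)
        if reply["txid"] != sent_txid:
            return {"error": "transaction ID mismatch (stale or spoofed reply)"}
        return reply
    except (OSError, ValueError, IndexError, struct.error) as exc:
        return {"error": f"{type(exc).__name__}: {exc}"}


if __name__ == "__main__":
    # University resolvers from the thread, then a root server: if only the
    # first two answer over UDP, unbound must run in forwarding mode.
    for server in ("192.168.82.252", "192.168.82.251", "198.41.0.4"):
        for transport in ("udp", "tcp"):
            print(server, transport, probe(server, "www.cnn.com", transport))
```

A timeout from 198.41.0.4 over UDP but answers from the .251/.252 resolvers reproduces the thread's situation; a root server queried directly returns a referral (rcode 0, no answers), which is still a reachable upstream. A reply with "truncated" set is the signal to retry the same query over TCP.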
    sashpta (replying to Derelict)

                          @derelict Thank you, I'll try that.
                          Unfortunately, I am not at home for a week, but when I am back, I'll try your solution and give you an update.

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.