DNS not working suddenly



  • My system was running great and now DNS isn't working all the time. Maybe it works only with sites that are cached.

    On my pfsense nslookupand ping www.google.com works.
    From windows 10 CMD line it doesn't.

    I've tried rebooting the router, loading a previously working config without luck.
    Replacing the router with my Verizon router works.

    My settings
    General DNS 208.67.222.222 208.67.220.220
    –-DNS Resolver Settings---

    Enable is =Checked.
    Listen Port= 53
    Network Interfaces ALL
    Outgoign Network Interfaces ALL
    System Domain Local Zone Type - transparent
    DNSSEC Enabled =Checked
    DNS Query Forwarding =Unchecked
    DHCP Registration =UnChecked
    Static DHCP= Checked
    OpenVpn Register
    Custom=server:
    Private-domain: "plex.direct"

    I have no idea what happened or how to diagnose or fix it.



  • Hi,

    Your are (are you ??) using the DNS Resolver with default settings, that's great - it works, as it does for me for years now.

    Dono where this came from :

    @naskar said in DNS not working suddenly:

    General DNS 208.67.222.222 208.67.220.220

    Remove these, and you'll be fine with one click.

    Or : if you insist on using the OpenDNS, I advise you read something like Google and use these words : pfsense opendns setup. You'll discover the first link : Pfsense 2.3.1 with OpenDNS (Web filtering) ***
    All steps in this forum thread are needed. Like creating an account @opendns, implementing DynDNS-like setup with them if your WAN IP isn't static, switching from Resolver to DNS Forwarder because your will be forwarding most of your requests to OpenDNS, etc etc.

    Side effects are that you will loose DNNSEC and other Resolver DNS advantages.
    On the other hand : you'll be using OpenDNS.

    Btw : impossible of course to tell you why things stopped working for you. A lot of information is missing.

    *** I just checked that old thread. It's still valid as of today.
    True, the DNS Resolver unbound could be used to forward DNS requests to OpenDNS, but that isn't detailed over there.



  • @gertjan said in DNS not working suddenly:

    Remove these, and you'll be fine with one click.

    Thanks for the response. I don't know why but everything started working again. If I follow you correctly I should delete the General DNS entries to opendns as I would need to follow the link you provided to use openDNS and loose Resolver advantages.

    Would that be using my ISPs DNS servers?

    My original goal was to prevent my ISP from recording my web travels.

    Is there an alternative to opendns that would allow more anonymity?





  • @gertjan
    Thanks for that link.
    What do you look for in the WAN packet capture to confirm DNS over TLS?



  • Well ... euh ..... capture TLS = SSL rubish = non readable.

    But, as said, you could capture packets that have the destination of
    forward-addr: 1.1.1.1@853
    forward-addr: 1.0.0.1@853
    thus both IP 1.1.1.1 and 1.0.0.1 both using port 853 and see what it looks like.



  • Here is a great video on DNS from the Netgate YouTube channel:

    https://www.youtube.com/watch?v=-CISZn804WI

    DNS over TLS is discussed specifically around minute 36 and there are also some additional commands suggested that can be used to check whether it is working properly.

    Hope this helps.



  • Same video : 47min 15 sec to see how to lock down all clients so they will be using DNS-over-TLS.



  • @tman222
    Thanks for posting the link.
    If I don't specify a gateway in the General Setup/DNS servers will it use the Cloudfare DNS for all my web surfing including when I'm connected to my VPN? ie. hide my DNS lookups when in a public wifi connected to the VPN.

    unbound-control -c /var/unbound/unbound.conf dump_infra
    
    1.1.1.1@853 . ttl 429 ping 196 var 7 rtt 224 rto 224 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
    1.0.0.1@853 . ttl 428 ping 103 var 45 rtt 283 rto 283 tA 0 tAAAA 0 tother 0 ednsknown 0 edns 0 delay 0 lame dnssec 0 rec 0 A 0 other 0
    

    Do I have to have an SSL cert for my pfsense for this to work? I'm currently using a generic certificate to access the GUI on https.


 

© Copyright 2002 - 2018 Rubicon Communications, LLC | Privacy Policy