DNS resolver not resolving most host names [FROM NEW DEFAULT INSTALL]



  • I too have been recently struggling with a new DNS-related issue after 18+ months of flawless operation.

    I've been using pfSense at home for a few years. My very first experience with pfSense was the simplest: I installed pfSense, plugged in my WAN, plugged in my LAN and everything worked out of the box.

    I was using the 32-bit version of pfSense 2.3.x on a 15-year-old laptop, which was working just fine.
    About 4-6 weeks ago (maybe mid-May 2018), I can't say exactly when, my network setup stopped working.
    Namely, most any host names would no longer be resolved; strangely enough, a very few, including google.com, would be resolved. I've played with random settings and options on my trusty pfSense box without success.

    Because this was a very old laptop (no 64-bit CPU) and the latest version of pfSense was no longer available for 32-bit architecture, I went to a local computer shop and bought myself another old but newer laptop supporting 64-bit architecture for $50 (with a very decent battery!!!)

    I downloaded the latest version of pfSense at that time (2.4.3_1) and did a brand new install using only defaults.
    Still it did not work; same issue, nothing would get resolved. I also randomly played with what I thought were related settings (e.g.: adding extra DNS servers, enabling/disabling DNS Forwarder or Resolver), still no luck.

    A day after my new 2.4.x install, a new version, 2.4.4, was available. I went ahead and allowed the update (a large one, that is) to install itself. It did not go flawlessly. There was a good number of PHP-related errors. After a bit of fooling around and reboots on my part the system went back online, STILL with the same issue: DNS not resolving.

    I thought I may have screwed up the system somehow and downloaded a new ISO of version 2.4.4 and re-installed, wiping everything on the target disk. Got the same result:

    • With a brand new default install on a blank HDD of 2.4.4 I'm still experiencing the same DNS not resolving issue.
    • ISP might have changed something that conflicts with pfSense operations (I don't know enough to say it did or that it did not)
    • If I use the modem directly in the WIFI router (not using pfSense at all) everything works.

    I'm not providing screenshots since I'm really using all defaults (besides admin password and time zone),
    but I am including a simple home network diagram:
    [image: home_network_2018-5.png]



  • What DNS servers do you have set by default on pfSense? A program I use to set my DNS servers is DNS Benchmark. What is showing up in the firewall logs?



  • @snowaks Whichever is automatically assigned to me by the ISP.



  • Try out DNS Benchmark and set up 1 or 2 backups + your ISP's DNS, in General Setup under DNS server settings. Also make sure DNS server override is not checked. Their DNS servers could be getting overloaded, as ISPs are expanding and do not always upgrade their back end till the last minute. Some DNS servers you can use are: (8.8.8.8 and 8.8.4.4, Google) (208.67.222.222 and 208.67.220.220, OpenDNS) (1.1.1.1, Cloudflare) or (4.2.2.1-6, Level 3).



  • @snowaks OK, I tried changing the pfSense setup (again) without changing the wiring (mostly so I could answer you back!)

    I tried:

    • adding both 8.8.8.8 and 8.8.4.4
    • disabling DNS Resolver completely
    • disabling "Allow DNS server list to be overridden by DHCP/PPP on WAN"

    Below are the resulting DNS Server entries:
    [image: pfsense_dns_1.png]
    And General Setup:
    [image: pfsense_dns_2.png]

    Now I do get some name resolving, but I don't understand why I need to add those. Why doesn't pfSense use the ISP-assigned one(s)? I never had to manually add those before. Also, what I don't like about adding those is that I'm on a very high latency connection (satellite, 700-850 ms). If I have to rely on a remote machine to resolve my traffic's DNS queries it makes everything even slower than it is.

    I was hoping I could use pfSense's own DNS Resolver to cache common requests locally and get a query time in the 1-2 ms range rather than 700-900 ms having to query a remote machine.



  • Well, what I would say is add your ISP's first, then them second; you can still use the DNS Resolver. I do. pfSense is more enterprise grade than the
    old Linksys you buy at Best Buy, so stuff that is automatic in their setup is not the same in pfSense. The thing with DNS caching is to find that sweet spot for your network. All that is under Advanced Resolver Options; I am not the best person to help you with that. You may want to look at the main help files for the DNS Resolver and look at the Advanced Resolver Options settings.



  • You should both read up on how the resolver works. Hint: Adding DNS servers to the general configuration has no effect unless the resolver is in forwarding mode, and the resolver isn't going to work well with high latency connections because it will run into timeouts.

    Also the DNS forwarder is caching too.
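    To put numbers behind the latency and "which upstream actually answers" questions raised in the two posts above, here is a small probe written for this thread (an added example, not pfSense or unbound code). It builds a raw DNS query, sends it over UDP with a deadline, parses the reply and classifies the outcome (answered, SERVFAIL/NXDOMAIN, truncated, or timed out). The two embedded reply packets are constructed samples for offline use; the server and LAN addresses in the `__main__` block are assumptions you should replace with your own ISP-assigned server, the servers you typed into General Setup, and the pfSense LAN address.

```python
"""Minimal DNS probe: build a query, parse the reply, classify the result.
Added example for this thread, not pfSense's or unbound's own code.
"""
import socket
import struct
import time

QTYPE_A = 1
RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

# Constructed sample replies (not captured traffic) for an A query on example.com.
SAMPLE_OK = bytes.fromhex(
    "1234 8180 0001 0001 0000 0000"            # id, QR|RD|RA, 1 question, 1 answer
    "07 6578616d706c65 03 636f6d 00 0001 0001"  # example.com  A  IN
    "c00c 0001 0001 0000012c 0004 5db8d822")    # ptr->name, A, IN, TTL 300, 93.184.216.34
SAMPLE_SERVFAIL = bytes.fromhex(
    "1234 8182 0001 0000 0000 0000"            # rcode 2 = SERVFAIL, no answers
    "07 6578616d706c65 03 636f6d 00 0001 0001")


def build_query(name, qtype=QTYPE_A, txid=0x1234, recursion_desired=True):
    """Serialise a single-question query in RFC 1035 wire format."""
    flags = 0x0100 if recursion_desired else 0x0000  # RD bit
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)  # class IN


def _read_name(data, offset):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 32:
                raise ValueError("compression pointer loop")
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(data[offset:offset + length].decode("ascii"))
        offset += length


def parse_response(data):
    """Decode header, question and answer sections of a DNS reply."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    off, questions, answers = 12, [], []
    for _ in range(qd):
        name, off = _read_name(data, off)
        qtype, _qclass = struct.unpack("!HH", data[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an):
        name, off = _read_name(data, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", data[off:off + 10])
        off += 10
        rdata = data[off:off + rdlen]
        off += rdlen
        if rtype == QTYPE_A and rdlen == 4:
            rdata = ".".join(str(b) for b in rdata)
        answers.append((name, rtype, ttl, rdata))
    return {"id": txid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "ra": bool(flags & 0x0080), "rcode": RCODES.get(flags & 0xF, str(flags & 0xF)),
            "questions": questions, "answers": answers}


def classify(parsed):
    """One-line verdict a troubleshooter can read at a glance."""
    if parsed is None:
        return "timeout (no reply before deadline)"
    if parsed["tc"]:
        return "truncated (retry over TCP)"
    if parsed["rcode"] != "NOERROR":
        return parsed["rcode"]
    if not parsed["answers"]:
        return "NOERROR, empty answer"
    return "answered"


def probe(server, name, timeout=2.0, port=53):
    """Send one UDP query; return (elapsed ms, parsed reply or None on timeout)."""
    query = build_query(name)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        start = time.monotonic()
        sock.sendto(query, (server, port))
        try:
            data, _ = sock.recvfrom(4096)
        except socket.timeout:
            return (time.monotonic() - start) * 1000.0, None
    elapsed = (time.monotonic() - start) * 1000.0
    parsed = parse_response(data)
    return elapsed, parsed if parsed["id"] == 0x1234 else None


if __name__ == "__main__":
    # Assumed addresses: 192.168.1.1 as the pfSense LAN side; replace with yours.
    for server in ("192.168.1.1", "8.8.8.8"):
        for name in ("google.com", "pfsense.org"):
            ms, reply = probe(server, name)
            print(f"{server:>15} {name:<14} {ms:7.1f} ms  {classify(reply)}")
```

    Run it twice against the pfSense LAN address: the second lookup of a name should come back in a few milliseconds if the resolver's cache is serving it, while a satellite round trip to a remote server shows up as hundreds of milliseconds. A consistent "timeout" verdict for one upstream, with "answered" from another, points at that upstream rather than at the client configuration.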



  • Yes, I understand that the high-latency connection will run into timeouts; nothing you can do to change that. Caching with unbound may alleviate some of the problems, but there are so many settings he can use that will help with high latency. Also, setting up Squid would help as well. Also, you may confuse him by saying forwarding mode, as there are two options he can use: Unbound/Resolver and Forwarder.