Rule not working with FQDN because it's not being resolved - Table empty
-
Hi.
I have an ALIAS with different IPs and FQDNs. A given rule uses that ALIAS.
The problem is that pfSense is not resolving my domains anymore and my table is empty. How can I fix this? -
And what are you using for pfsense to resolve... Unbound out of the box resolving? Forwarder mode? Are you using the forwarder? Did you install bind and turn off dnsmasq and or unbound..
Where are you pointing pfsense for dns? It self, ie loopback which is how it is out of the box - is it pointing to where?
etc. etc. What fqdn do you have in your alias - maybe the problem is with that domain, etc.
Is filterdns running - this is how aliases with fqdn get populated - if it crashed or didn't start then yeah those aliases would be empty.
-
There was a bug in a very very old version of pfSense that prevented using IPs and FQDNs in the same alias. I still have mine separated as a result.
I don't imagine you're running that but just in case what pfSense version are you running?Steve
-
There is also an open bug report on the filterdns service stalling for some users. According to reports, when this happens the alias tables are left empty for the addresses being resolved by filterdns. Here is a link to the bug report: filterdns stops working on a regular basis.
This service is used to resolve FQDN aliases to their actual IP address.
-
Hey again @johnpoz, thank you for replying.
I have DNS Resolver enabled and DNS Forwarder disabled.
Where do we see when it resolves an FQDN? Status > System logs > DNS Resolver?
I went there and I only see info and notice lines.DNS Resolver is enabled, set to all interfaces, no custom options.
In System > General Setup I have 1.1.1.1 and 8.8.8.8 set to gateway none. I had it set to my default gateway too, but it wasn't working anyway.I have several IPs and FQDNs in a single ALIAS. It always worked OK.
How can I check filterdns?I see an error in Status > System Logs > System:
/services_unbound.php: The command '/usr/sbin/arp -s 'firewall_lan_ip' 'mac_ip'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted'Not sure what happened, but now I rebooted and it works OK.
My pfSense is 2.4.3.
-
If you go to Status > Filter reload and hit the reload button and then check the DNS Recolver logs you will see all the filterdns entries for your FQDNs. Anything with a problem should show there or in the system log.
Steve
-
Okay, it's happening again.
/services_dnsmasq.php: The command '/usr/sbin/arp -s 'firewall_lan_ip' 'mac_ip'' returned exit code '1', the output was 'arp: writing to routing socket: Operation not permitted' -
Hmm, OK that's the actual LAN interface MAC and IP?
Do you have that defined somewhere? Static ARP entries?
I would search the config for the MAC top be sure it isn't defined there unexpectedly.It looks like it's denied because that is an interface on the firewall itself.
Steve
-
@stephenw10 I had it in my DHCP Server as a static entry. I removed a few hours ago but it's still refusing to update my tables.
-
Are you still seeing that error? You might have a process still running trying to update it.
I assume you didn't see any filterdns errors in the DNS log when you ran the Filter Reload?
Did you see entries for the FQDNs that are not loading?Steve
-
@stephenw10 I don't see any errors anymore, but still not updating my tables.
Strangely, I have an ALIAS with one particular FQDN that it is working (this FQDN is on the same ALIAS I'm having trouble with). I'm not sure if it resolved the IP before this issue though. -
What I expect to see is all the FQDNs you have being resolved in the DNS log when you reload the filter.
If you see nothing there that's a problem.
If you see some and then an error that's a problem.
Of you see them all resolved there and they still don't make it into the tables that's a different problem.Steve
