Intermittently losing DNS



  • I'm using pfSense 2.4.4 and just recently noticed that intermittently I'm losing my DNS. When I ping www.google.com from my computer I get "Host name lookup failure". I'm using Quad9 DNS servers over TLS. Adding 208.67.220.220 to System/General Setup/DNS Server Settings will fix it.
    I've tried upgrading to 2.4.4_1 and get the same problem. I believe this problem started after trying to migrate to new hardware, but I'm back on the original pfSense box without any configuration changes.
    I have no idea what the issue is.



  • I've noticed that sometimes some of the public servers intermittently fail when using DNS over TLS or DNSSEC.



  • I'm not sure, but I think the intermittent loss of DNS was due to running out of memory. After I removed Snort, which was eating up my memory, the intermittent nature resolved. Does it sound like that issue could cause this problem?

    My DNS stops working when I enable Quad9 DNS servers over TLS. Here are my settings.

    [image TLS-00.jpg] Services/DNS Resolver settings
    [image TLS-01.jpg] Firewall/Rules/LAN
    [image TLS-02.jpg] System/General Setup/DNS Server Settings
    [image TLS-03.jpg] Error in web browser



  • Could a problem with the NTP server cause DNS issues?
    I reset my system clock to the correct time and changed the NTP server to the WAN interface.
    So far DNS is working.
    Is the best way to check to look at the DNS Resolver log and see entries with "A IN NOERROR 0.057908 0 58" in them?
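
The reply lines quoted above are what Unbound writes when log-replies is enabled: client address, query name, type, class, response code, seconds taken, a cache flag (0 uncached, 1 cached) and the answer size. The script below is an added example, not from this thread or from pfSense; it parses such lines and flags the two things worth looking for when DNS is failing intermittently: SERVFAIL answers (which is what a DNSSEC validation failure or an unreachable TLS forwarder looks like from the client) and slow uncached answers. The log lines and the 2-second threshold are constructed for the example.

```python
"""Summarise Unbound log-replies lines from a pfSense resolver log.

Added example, not part of the original thread or of pfSense/Unbound.
Expected line shape (pfSense syslog prefix, then Unbound's reply record):
  ... unbound: [pid:0] info: client qname qtype qclass rcode secs cached size
The SAMPLE_LOG entries below are constructed, not real captures.
"""
import re
from collections import Counter

_REPLY_RE = re.compile(
    r"info:\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+"
    r"(?P<qclass>\S+)\s+(?P<rcode>\S+)\s+(?P<secs>\d+\.\d+)\s+"
    r"(?P<cached>[01])\s+(?P<size>\d+)\s*$"
)

# Assumption for this example: an uncached answer slower than this points at
# an upstream (forwarder / DoT) problem rather than a normal resolution.
SLOW_SECONDS = 2.0


def parse_reply(line):
    """Return a dict for a log-replies line, or None for any other log line."""
    m = _REPLY_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["qname"] = rec["qname"].rstrip(".").lower()
    rec["secs"] = float(rec["secs"])
    rec["cached"] = rec["cached"] == "1"
    rec["size"] = int(rec["size"])
    return rec


def summarize(lines):
    """Count response codes and flag SERVFAIL names and slow uncached answers."""
    recs = [r for r in map(parse_reply, lines) if r]
    uncached = [r["secs"] for r in recs if not r["cached"]]
    return {
        "total": len(recs),
        "rcodes": dict(Counter(r["rcode"] for r in recs)),
        # Names answered SERVFAIL: DNSSEC bogus or forwarder unreachable.
        "servfail_names": sorted({r["qname"] for r in recs if r["rcode"] == "SERVFAIL"}),
        # Slow uncached answers: upstream timeouts show up here first.
        "slow": [(r["qname"], r["secs"]) for r in recs
                 if not r["cached"] and r["secs"] > SLOW_SECONDS],
        "max_uncached_secs": max(uncached) if uncached else 0.0,
    }


# Constructed sample: two healthy answers, a non-reply info line, two SERVFAILs
# that each took ~4.5 s (a forwarder that is not answering), and one NXDOMAIN.
SAMPLE_LOG = """\
Dec 17 20:05:11 pfSense unbound: [42389:0] info: 192.168.1.10 www.google.com. A IN NOERROR 0.057908 0 58
Dec 17 20:05:11 pfSense unbound: [42389:0] info: 192.168.1.10 www.google.com. AAAA IN NOERROR 0.000000 1 70
Dec 17 20:05:30 pfSense unbound: [42389:0] info: start of service (unbound 1.8.1).
Dec 17 20:06:01 pfSense unbound: [42389:0] info: 192.168.1.10 www.example.org. A IN SERVFAIL 4.501200 0 44
Dec 17 20:06:05 pfSense unbound: [42389:0] info: 192.168.1.10 www.example.org. A IN SERVFAIL 4.498700 0 44
Dec 17 20:07:30 pfSense unbound: [42389:0] info: 192.168.1.10 nosuch.example.net. A IN NXDOMAIN 0.120000 0 91
"""

if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG.splitlines())
    for key, value in summary.items():
        print(f"{key}: {value}")
```

Run it against a real log with `summarize(open("/var/log/resolver.log").read().splitlines())`; a steady trickle of NXDOMAIN is normal, but SERVFAIL for names that later resolve fine, especially with multi-second timings, is the pattern that matches "DNS works after I change the forwarder".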



  • @naskar

    Quad9 appears to have issues resolving when using DNSSEC, from testing I and others have done recently. Sometimes a refresh or two is required to load the page.



  • A correct time is very important for DNSSEC.
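
To make the point above concrete: every DNSSEC signature (RRSIG, RFC 4034) carries an inception and an expiration time, and a validating resolver treats an answer as bogus, returned to the client as SERVFAIL, whenever its own clock falls outside that window. The script below is an added example, not from this thread, pfSense or Unbound; it checks a constructed RRSIG record (fake signature bytes, only the times matter) against a correct clock, a clock a year behind, and a clock past the expiry, using the 32-bit serial comparison the RFC requires.

```python
"""Check an RRSIG's validity window against a given clock.

Added example, not part of the original thread or of Unbound/pfSense.
RFC 4034 stores Signature Expiration and Inception as 32-bit unsigned
seconds since the Unix epoch, presented as YYYYMMDDHHmmSS in UTC.  A
validator accepts the signature only if inception <= now <= expiration,
comparing in RFC 1982 serial arithmetic because the fields wrap in 2106.
"""
from datetime import datetime, timezone

TWO31 = 1 << 31
TWO32 = 1 << 32


def parse_rrsig_time(text):
    """YYYYMMDDHHmmSS (UTC) or a plain decimal count -> 32-bit seconds."""
    if text.isdigit() and len(text) == 14:
        dt = datetime.strptime(text, "%Y%m%d%H%M%S").replace(tzinfo=timezone.utc)
        return int(dt.timestamp()) % TWO32
    return int(text) % TWO32


def serial_lt(a, b):
    """RFC 1982 'a < b' for 32-bit serial numbers."""
    return (a < b and b - a < TWO31) or (a > b and a - b > TWO31)


def rrsig_status(rrsig, now):
    """Return 'valid', 'not-yet-valid' or 'expired' for an RRSIG at time `now`.

    Presentation format fields: owner TTL class RRSIG type alg labels
    origttl expiration inception keytag signer signature...
    """
    fields = rrsig.split()
    expiration = parse_rrsig_time(fields[8])
    inception = parse_rrsig_time(fields[9])
    now %= TWO32
    if serial_lt(now, inception):
        return "not-yet-valid"   # clock behind: signature "from the future"
    if serial_lt(expiration, now):
        return "expired"         # clock ahead, or a genuinely stale signature
    return "valid"


# Constructed record: a two-week window in December 2018 (the thread's era);
# the signature field is placeholder text, not a real signature.
SAMPLE_RRSIG = ("example.com. 3600 IN RRSIG A 13 2 3600 "
                "20181224000000 20181210000000 12345 example.com. "
                "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA=")


def clock_scenarios(rrsig=SAMPLE_RRSIG):
    """Status of the same RRSIG under three system clocks (all assumptions)."""
    return {
        "correct_clock": rrsig_status(rrsig, parse_rrsig_time("20181217120000")),
        "clock_one_year_behind": rrsig_status(rrsig, parse_rrsig_time("20171217120000")),
        "clock_past_expiry": rrsig_status(rrsig, parse_rrsig_time("20190201000000")),
    }


if __name__ == "__main__":
    for name, status in clock_scenarios().items():
        print(f"{name}: {status}")
```

Only the "correct_clock" case validates; the other two are what a box with a wrong date sees for every signed zone at once, which is why fixing the clock (or making NTP work before Unbound starts) "fixes DNS" without touching the resolver configuration.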



  • @xentrk said in Intermittently losing DNS:

    @naskar

    Quad9 appears to have issues resolving when using DNSSEC, from testing I and others have done recently. Sometimes a refresh or two is required to load the page.

    Would I be better off switching to Cloudflare’s DNS service?

    @gertjan said in Intermittently losing DNS:

    A correct time is very important for DNSSEC.

    Can you have DNSSEC and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" at the same time?



  • @naskar
    Yes, Cloudflare was the other DNS we tested with, and it had no issues like Quad9 did. It seems to play better. Just note that the Cloudflare help site https://1.1.1.1/help does not support DNSSEC and will fail the DoT test if you have DNSSEC turned on.



  • @xentrk said in Intermittently losing DNS:

    @naskar
    Yes, Cloudflare was the other DNS we tested with, and it had no issues like Quad9 did. It seems to play better. Just note that the Cloudflare help site https://1.1.1.1/help does not support DNSSEC and will fail the DoT test if you have DNSSEC turned on.

    I changed to Cloudflare and have DNSSEC enabled, and it seems to be working. But after going to your link I realized that DoT wasn't working. After turning it off, DoT works. Is DNSSEC not important? Is it OK to not use it?

    Or are you just saying leave DNSSEC on and ignore what the https://1.1.1.1/help says about DoT?