DNS resolver fails to work when pfSense has an IPv6 address



  • I was recently allocated an IPv6 block by my ISP and set up DHCP6 under the WAN interface. pfSense is now allocated an IPv4 and IPv6 address as expected, and the pfSense ping tool can ping 2001:4860:4860::8888 etc.

    However, shortly after the WAN interface changes from IPv4 only to IPv4+IPv6 (i.e. enable DHCP6 on a working connection), devices on the network stop being able to browse the internet.

    If I try to ping, dig, etc. from my machine it says "no servers could be reached". Observing traffic with Wireshark shows that my machine is sending repeated DNS queries to pfSense for the sites I'm trying to load, but not receiving any responses.

    If I disable the resolver and use the forwarder instead, DNS queries are resolved and everything works correctly.

    Any ideas why this would be the case or where I should start looking? I would prefer to use the DNS resolver since I assume it is required if you are using DNS block lists.

    The settings for the resolver and forwarder are both default as far as I'm aware, except that static and DHCP leases are registered and the resolver has server:include: /var/unbound/pfb_dnsbl.*conf as a custom option.

    The affected devices are on a VLAN, however they have unrestricted access to the rest of the network and the firewall logs do not show any packets being blocked.



  • It appears the issue is caused by unbound (or dnsmasq) entering a restart loop and being unable to respond to DNS queries.

    The problem only occurs with IPv6 enabled. Both options for registering DHCP/static leases are turned off. pfBlockerNG DNSBL is disabled.



  • @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

    pfBlockerNG DNSBL is disabled.

    With DNSBL disabled, did you run a Force Update, and is the line

    server:include: /var/unbound/pfb_dnsbl.*conf

    gone from Resolver Custom options?



  • @RonpfS Yes, I did run an update and remove that line from settings (can't remember whether I had to do it manually or not).

    However most of my testing has been on a fresh install and restore of pfSense 2.4.4-p1 that has never had DNSBL enabled at all.

    On the fresh install without DNSBL, unbound and dnsmasq both crash repeatedly if IPv6 is enabled.

    As soon as I disable IPv6, they work correctly, even with DNSBL and everything else turned back on.



  • @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

    On the fresh install without DNSBL, unbound and dnsmasq both crash repeatedly if IPv6 is enabled.

    What makes you think they crash?

    It's much more likely they get restarted because your IPv6 config is flawed. So if you actually want help you'll need to post the system logs and screenshots of your config, otherwise you are on your own.



  • @grimson

    Crash was not the right word, they continually restart. When I re-enabled IPv6 today to investigate it looks like it's because the IPv6 address keeps "changing" (although the address itself does not change):

    [screenshot: Screen Shot 2019-01-14 at 8.47.21 AM.png]

    The DNS Resolver log shows that unbound is repeatedly starting and stopping, presumably each time the IPv6 address "changes".

    My IPv6 settings at the moment are:

    WAN Interface:
    (I have also tried with "Do not allow PD/Address release" enabled)
    [screenshot: Screen Shot 2019-01-14 at 8.44.07 AM.png]

    LAN Interface:
    [screenshot: Screen Shot 2019-01-14 at 8.44.33 AM.png]

    DHCPv6 Server:
    [screenshot: Screen Shot 2019-01-14 at 8.45.48 AM.png]
    [screenshot: Screen Shot 2019-01-14 at 8.46.01 AM.png]

    Is there a way to find out why my IPv6 keeps "changing"? I don't know what's triggering it or where to look to find out.



  • @samb said in DNS resolver fails to work when pfSense has an IPv6 address:

    Is there a way to find out why my IPv6 keeps "changing"? I don't know what's triggering it or where to look to find out.

    Do you have "Do not allow PD/Address release" selected on the WAN page?



  • @jknott Yes, I currently have "Do not allow PD/Address release" enabled and the following is still being repeatedly logged:

    Jan 14 12:05:26 php-fpm 12023 /rc.newwanipv6: Removing static route for monitor fe80::9000:b:1 and adding a new route through fe80::9000:b:1%pppoe0
    Jan 14 12:05:27 check_reload_status Reloading filter
    Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
    Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2406:1e00:9b10:22:208:a2ff:fe0b:c703) (interface: wan) (real interface: pppoe0).

    I turned gateway monitoring off for the default IPv6 gateway and the first line is no longer logged, but the remaining lines are. The logs don't seem to indicate why rc.newwanipv6 is being triggered every 10 sec or so.
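A small log checker, added here as an example (it is not from any post in this thread nor part of pfSense), that reads system-log lines in the format quoted above and reports whether rc.newwanipv6 is re-running in a tight loop on an interface and whether the address it reports actually changed between runs. The sample lines and the 2001:db8::1 address are constructed, and the 30-second "loop" threshold is an assumption.

```python
import re
import statistics
from datetime import datetime

# Constructed sample in the pfSense system-log format quoted above; the address
# 2001:db8::1 is a documentation prefix, not a real allocation.
SAMPLE_LOG = """\
Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Jan 14 12:05:27 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::1) (interface: wan) (real interface: pppoe0).
Jan 14 12:05:27 check_reload_status Reloading filter
Jan 14 12:05:37 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Jan 14 12:05:37 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::1) (interface: wan) (real interface: pppoe0).
Jan 14 12:05:48 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: Info: starting on pppoe0.
Jan 14 12:05:48 php-fpm 12023 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::1) (interface: wan) (real interface: pppoe0).
"""

TS_RE = re.compile(r"^(\w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) ")
START_RE = re.compile(r"rc\.newwanipv6: Info: starting on (\S+)\.")
ADDR_RE = re.compile(r"\(IP address: ([0-9A-Fa-f:]+)\).*\(real interface: (\S+)\)")

def parse_newwanipv6(log_text, year=2019):
    """Return ({iface: [start times]}, {iface: {addresses reported}})."""
    starts, addrs = {}, {}
    for line in log_text.splitlines():
        m = TS_RE.match(line)
        if not m:
            continue  # not a log line in the expected format
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        if s := START_RE.search(line):
            starts.setdefault(s.group(1), []).append(ts)
        if a := ADDR_RE.search(line):
            addrs.setdefault(a.group(2), set()).add(a.group(1))
    return starts, addrs

def detect_restart_loop(log_text, max_gap=30, min_runs=3):
    """Flag interfaces where rc.newwanipv6 re-runs at short intervals; a loop with
    address_changed False is the thread's symptom (unbound restarted for nothing)."""
    starts, addrs = parse_newwanipv6(log_text)
    report = {}
    for iface, times in starts.items():
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        gap = statistics.median(gaps) if gaps else None
        report[iface] = {
            "runs": len(times),
            "median_gap": gap,
            "address_changed": len(addrs.get(iface, set())) > 1,
            "looping": len(times) >= min_runs and gap is not None and gap <= max_gap,
        }
    return report
```

Feed it a copy of Status > System Logs > System > General and a `looping` entry whose `address_changed` is False points at the re-run trigger rather than at unbound or at a real address change.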