DNS Resolver Issues...What's going on here?



  • I'm currently using DNS Resolver localhost and have added cloudflare and google

    [screenshot: DNS.jpg]

    Web pages are slow to load and many times I get stuck even refreshing a webpage.

    [screenshot: DNS issues.jpg]

    I seem to have some setting off or messed up. Using DNS Benchmark only sees local. I've turned off pfblockerng thinking that may have something to do with it, but no changes.

    [screenshot: DNS Benchmark.jpg]

    I have DNSSEC, DNS Query Forwarding, DHCP Registration, and Static DHCP all checked. Also, Prefetch Support, Prefetch DNS Key Support, Harden DNSSEC Data, and Serve Expired in Advanced Settings.

    What am I doing wrong here?



  • Hello,

    Did you try to use the ISP DNS servers on the top? In my pfSense, DHCP Registration, Static DHCP, Prefetch Support, and Prefetch DNS Key Support are unchecked. In the past I enabled DHCP Registration and Static DHCP, but after a while my DNS resolver began to restart by itself, then I disabled it.



  • Do you have IPv6 enabled?



  • I suggest deleting the other DNS server IP addresses and using only the ISP DNS server for testing.



  • Haha I was replying to @ARAMP1...

    Disable DNSSEC and see if it works. I've had problems in the past with some public DNS and their DNSSEC. Are you sure your client is using pfsense for DNS?



  • @emammadov said in DNS Resolver Issues...What's going on here?:

    Hello,

    Did you try to use the ISP DNS servers on the top? In my pfSense, DHCP Registration, Static DHCP, Prefetch Support, and Prefetch DNS Key Support are unchecked. In the past I enabled DHCP Registration and Static DHCP, but after a while my DNS resolver began to restart by itself, then I disabled it.

    Yes. As a matter of fact, I was using my ISP's DNS server for a little while and thought my problems were coming from that, so I turned it off. Same issues. I'll probably play around with some of these settings to see if that doesn't help. Thanks.

    @KOM said in DNS Resolver Issues...What's going on here?:

    Do you have IPv6 enabled?

    Yes.

    @KOM said in DNS Resolver Issues...What's going on here?:

    Disable DNSSEC and see if it works. I've had problems in the past with some public DNS and their DNSSEC. Are you sure your client is using pfsense for DNS?

    I'll try that. Thanks. Yes, I show that I'm using pfSense for DNS.

    [screenshot: Connection.jpg]



  • You could also try System - Advanced - Networking - Prefer IPv4 over IPv6. Check it and see if that makes a difference.



  • @KOM said in DNS Resolver Issues...What's going on here?:

    You could also try System - Advanced - Networking - Prefer IPv4 over IPv6. Check it and see if that makes a difference.

    I'm not sure how it got unchecked, but it was. This may have been the issue. It seems faster already. Thanks.



  • Leonardo Acropolis: "I am... a geniussss."




  • I had this issue as well.

    I ended up unchecking "Allow DNS server list to be overridden by DHCP",

    checking "Do not use the DNS Forwarder/DNS Resolver as a DNS server",

    then under Services > DNS Resolver I turned OFF DNSSEC support.

    No issues ever since.



  • FYI, just wanted to log in to say that I've implemented ALL the suggestions in this thread and it seems to have cured my hit-and-miss DNS resolution.

    Wanted to thank everybody and make sure that future users looking for same info will know that in 2020, you can still use this to solve it.



  • The problem will always persist for some of us. All being members of the group that insists on using:

    [screenshot: cda2d7c8-1f66-4fb7-a267-29951146a0fc-image.png]

    The problem has at least two sides:
    What doesn't work? The local resolver/forwarder? Or these four guys: 1.1.1.1 ... etc.? It's a known issue that people add 8.8.8.8 and family and break their local DNS while clicking away ...

    The built-in resolver works just fine. This is the default setting.
    It will contact one of the 13 Internet root servers. There will always be one that replies.
    (If not, 1) your Internet connection is bad - time to do something different, no Internet for you right now - or 2) WW3 just started, and again, no Internet for you, forever.)
    Then you are directed to one of the top-level domain servers, like ".com", the one that wasn't answering (???); see the first message above. There are hundreds of .com top-level domain servers, so they always answer, except .... (see the two cases above).
    Then the name server of the domain that you want to visit will be contacted for the actual A or AAAA or MX record.
    There are always at least two of them. If they are not answering, you could consider giving the webmaster a call.

    The resolver is based on a core functionality of the Internet, so it must be OK after 40 years of adapting it.

    And as always: I would really like to know why people insist on replicating their, far more than just 'web', activities to external companies? Really, please, tell me why.
    1.1.1.1, 8.8.8.8, 1.0.0.1, 8.8.4.4 are doing exactly what the resolver does: they resolve and cache. And one thing more, like some sort of a payload: they feed their big data and yes, they promised NOT to 'tape' your WAN IP with it. I'm sceptical.



  • @Gertjan said in DNS Resolver Issues...What's going on here?:

    And as always: I would really like to know why people insist on replicating their, far more than just 'web', activities to external companies? Really, please, tell me why.
    1.1.1.1, 8.8.8.8, 1.0.0.1, 8.8.4.4 are doing exactly what the resolver does: they resolve and cache. And one thing more, like some sort of a payload: they feed their big data and yes, they promised NOT to 'tape' your WAN IP with it. I'm sceptical.

    +1.

    And users should ask themselves this question: "what's in it for the companies that are providing this "free" DNS?"

    What could motivate a for-profit company to spend the large sums of money required to maintain a robust DNS infrastructure and then offer it for free? Are you sure it is just pure altruism, or could it be that they see a huge opportunity for monetization of something they get from offering the service? My bet is on the latter, and the thing they are monetizing is your browsing data.

    Why not do as @Gertjan suggests and just use the default pfSense settings with unbound?
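
The combinations argued over above (DNS Query Forwarding to public resolvers with DNSSEC still on, IPv6 transport to upstreams, Serve Expired) all end up as lines in the unbound.conf that pfSense writes for the resolver. As an added example that is not part of this thread and not pfSense's or unbound's own code, the script below parses such a file and flags those combinations. The two sample configs are constructed to mirror the settings the posters describe, not copied from a real box; the keys used (`module-config`, `harden-dnssec-stripped`, `prefetch-key`, `serve-expired`, `forward-zone`) are real unbound.conf directives, while treating unbound's own `prefer-ip4` option as the resolver-side analogue of the System > Advanced > Networking "Prefer IPv4 over IPv6" knob that fixed the original poster's problem is my assumption, since that GUI setting acts at the host level.

```python
"""Lint an unbound.conf for the resolver settings this thread argues about.

Added example, not code from the thread, pfSense or unbound.  The two
configs below are constructed to mirror the GUI settings the posters
describe (forwarding to 1.1.1.1/8.8.8.8, DNSSEC, prefetch, Serve Expired).
"""
import ipaddress
import re

SECTION_RE = re.compile(r"^([a-z0-9-]+):$")
KV_RE = re.compile(r"^([a-z0-9-]+):\s*(.*)$")

# Constructed: forwarding mode with DNSSEC validation on, as in the opening post.
FORWARDING_CONF = """
server:
    do-ip4: yes
    do-ip6: yes
    module-config: "validator iterator"   # DNSSEC Support
    harden-dnssec-stripped: yes           # Harden DNSSEC Data
    prefetch: yes
    prefetch-key: yes
    serve-expired: yes
    auto-trust-anchor-file: /var/unbound/root.key

forward-zone:                              # DNS Query Forwarding
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 8.8.8.8
"""

# Constructed: the default-style layout Gertjan recommends, recursing from the root,
# with unbound's prefer-ip4 set so IPv4 transport is tried first (assumed analogue
# of the pfSense "Prefer IPv4 over IPv6" knob).
RECURSIVE_CONF = """
server:
    do-ip4: yes
    do-ip6: yes
    prefer-ip4: yes
    module-config: "validator iterator"
    harden-dnssec-stripped: yes
    auto-trust-anchor-file: /var/unbound/root.key
"""


def parse_unbound_conf(text):
    """Parse unbound.conf into {"server": {key: [values]}, "forward-zone": [...]}.

    The file is a sequence of `section:` headers followed by `key: value`
    lines.  Keys may repeat (forward-addr does), so each key maps to a list.
    A '#' starts a comment only at line start or after whitespace, so a
    forward-addr value like 1.1.1.1@853#cloudflare-dns.com survives intact.
    """
    conf = {"server": {}, "forward-zone": []}
    current = None
    for raw in text.splitlines():
        line = re.sub(r"(^|\s)#.*$", "", raw).strip()
        if not line:
            continue
        m = SECTION_RE.match(line)
        if m:
            if m.group(1) == "forward-zone":
                current = {}
                conf["forward-zone"].append(current)
            elif m.group(1) == "server":
                current = conf["server"]
            else:
                current = {}  # stub-zone, remote-control, ...: parsed, then ignored
            continue
        m = KV_RE.match(line)
        if m and current is not None:
            current.setdefault(m.group(1), []).append(m.group(2).strip().strip('"'))
    return conf


def _yes(server, key):
    return server.get(key, ["no"])[-1].lower() == "yes"


def audit(conf):
    """Return [(severity, message)] for the combinations the thread found troublesome."""
    server, findings = conf["server"], []
    root_fz = [fz for fz in conf["forward-zone"] if fz.get("name", [""])[-1] == "."]
    upstreams = [a for fz in root_fz for a in fz.get("forward-addr", [])]
    validating = "validator" in server.get("module-config", ["iterator"])[-1].split()

    if root_fz and validating:
        findings.append(("WARN", "DNSSEC validation is on while every query is forwarded to "
                         + ", ".join(upstreams) + "; a forwarder that answers without the "
                         "RRSIG/NSEC records the validator expects turns into SERVFAIL for "
                         "clients. Drop the forward-zone and recurse from the root, or turn "
                         "validation off."))
    public = [a for a in upstreams if ipaddress.ip_address(a.split("@")[0]).is_global]
    if public:
        findings.append(("INFO", "every lookup on the network is handed to third-party "
                         "resolvers: " + ", ".join(public)))
    if _yes(server, "do-ip6") and not _yes(server, "prefer-ip4"):
        findings.append(("WARN", "upstream queries may be sent to IPv6 nameserver addresses; "
                         "over a broken IPv6 path those time out before unbound moves on, "
                         "which shows up as slow or failing lookups. Set prefer-ip4: yes "
                         "or fix/disable IPv6 on the WAN."))
    if _yes(server, "serve-expired"):
        findings.append(("INFO", "serve-expired hands out stale records while a refresh "
                         "runs, which can hide a failing upstream until the cache runs dry."))
    return findings


if __name__ == "__main__":
    for label, text in (("forwarding", FORWARDING_CONF), ("recursive", RECURSIVE_CONF)):
        print(label + ":")
        for sev, msg in audit(parse_unbound_conf(text)) or [("OK", "no findings")]:
            print("  [%s] %s" % (sev, msg))
```

Run it against `/var/unbound/unbound.conf` from a pfSense box by reading the file into `parse_unbound_conf`; the forwarding sample produces two warnings and two notes, the recursive sample none, which is the same contrast the thread reached by trial and error.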

