Potential DNS Issue On Windows 10 PC's



  • Hi All,

    I am experiencing a strange issue that is only affecting Windows PC's on my home network (Windows 10). My other PC's running various distros of Linux are not having the same problem.

    Issue experienced:
    Windows 10 PC's cannot browse the Internet unless they connect using a VPN. Linux PC's have no issue at all browsing the Internet. Both have DHCP set to dynamic, and DNS to automatic.

    Here is the setup:
    Internet > ISP > pfSense Box > Switch > Various PC's

    Troubleshooting performed so far:

    • All PC's correctly receive and IP Address from the DHCP Server.
    • All PC's can ping each other on the LAN, and can communicate with the Gateway.
    • Can ping 8.8.8.8 from all PC's.
    • Cannot ping google.com only on Windows 10 PC's. Request timed out.
    • nslookup google.com on an affected Windows 10 PC displays [192.18.1.1]. Not sure what this is, the Gateway is 192.168.1.1.
    • Restarted DNS service in pfSense.
    • Tried to flush and register DNS in CMD.
    • Tried to set a static IP's and DNS.
    • Rebooted pfSense box.
    • Decided to factory reset pfSense and left it pretty much all on auto. ISP recommends setting WAN IP Address to dynamic.

    The DNS servers it is displaying now is, 127.0.0.1, 1.1.1.1 and 8.8.8.8. I also haven't manually set DNS Servers yet in Services > DHCP > Server > LAN. I haven't had to do this in the past.

    Not sure what else to try, thanks in advance for any assistance.



  • DNS Port is allowed in your firewall? If 8.8.8.8 works but not google.de maybe that's the issue.



  • Essentially I can ping 8.8.8.8 on the Windows PC's, but not google.com.
    I'll include some screenshots of my settings, most of which are on default since the factory reset.1.jpg 2.png 3.png 4.png


  • Galactic Empire

    I'd untick DNS Server Override for a start.


  • LAYER 8 Global Moderator

    lets see your lan rules..

    And output of nslookp..

    example

    $ nslookup www.google.com                 
    Server:  sg4860.local.lan                 
    Address:  192.168.9.253                   
                                              
    Non-authoritative answer:                 
    Name:    www.google.com                   
    Addresses:  2607:f8b0:4009:812::2004      
              172.217.6.100                   
    

    Does it say timeout, what?

    If can not resolve pfsense name as the server - points to not being able to even talk to dns on pfsense.



  • Tried unticking DNS Server Override, I assume I will now need to set some DNS servers manually in System > General Setup > DNS Server Settings. e.g. 1.1.1.1 / 1.0.0.1.

    Here is a screenshot of LAN Interface settings:
    6.png

    nslookup result on Windows PC:
    7.png


  • LAYER 8 Global Moderator

    So your windows machine is using that fe80 address for dns.. Which is link local ipv6 address, is that pfsense?

    And its looking for www.google.com.localdomain

    Which is resolving to 198.18.1.1..

    Why is you client auto adding that localdomain in your query? And why does that resolve to 198.18.1.1???

    NetRange: 198.18.0.0 - 198.19.255.255
    CIDR: 198.18.0.0/15
    NetName: SPECIAL-IPV4-BENCHMARK-TESTING-IANA-RESERVED

    Change your server in nslookup to use pfsense ipv4 address.

    $ nslookup
    Default Server:  sg4860.local.lan
    Address:  192.168.9.253
    
    > server 192.168.1.1
    Default Server:  [192.168.1.1]
    Address:  192.168.1.1
    

    Then ask for www.google.com


  • Galactic Empire

    If you use DNS resolver it talks to the root servers.

    Does a lookup directly from your pfSense box still resolve FQDNs?



  • I have no idea what that fe80 IPV6 Address is, I don't think its pfSense. Also not sure what 192.18.1.1 is, never seen that before.

    Changing the server in nslookup displays a more promising result:
    9.png

    A lookup from the pfSense box resolves to a FQDN:
    10.png


  • LAYER 8 Global Moderator

    So you need to figure out who exactly is that fe80 address?

    look on pfsense lan interface - is that pfsense linklocal address?
    linklocal.png

    You can find that under the status / interfaces tab

    198.18 is a special address block - like rfc1918 address space... Suppose to be used in special cases for benchmarking, etc..

    Do you have any other router on the network? Say an ISP device... what is the output of ipconfig /all on your windows box... Did you setup ipv6 on pfsense?



  • So the LAN interface IP on PF is not the same as the one listed in the CMD screenshot (fe80).

    "198.18 is a special address block - like rfc1918 address space... Suppose to be used in special cases for benchmarking, etc.."

    Interesting.

    "Do you have any other router on the network? Say an ISP device... what is the output of ipconfig /all on your windows box... Did you setup ipv6 on pfsense?"

    I think there might be some routers around but they would have DHCP turned off.
    There is also an ISP device on the the network (FTTC box).
    I haven't set IPV6 on PF. I did a factory reset earlier today though.
    Standby I'll get the full output of ipconf.



  • Here is the full IP configuration from CMD.
    11.png



  • PF LAN interface stats.
    12.png



  • "198.18 is a special address block - like rfc1918 address space... Suppose to be used in special cases for benchmarking, etc.."

    Actually, Prime95 happens to be running on that particular PC, maybe that has something to do with it?



  • You are passing ipv6 addresses from something through pfsense. Your ISP modem/router is also using ipv6 and you have configured your LAN Interface to take those ipv6 addresses and probably use them.

    If you have no need, disable ipv6, remove the ipv6 track interface from the LAN interface configuration page and I suppose your problems will go away. It might be that your Linux machines are not configured to use ipv6 and thus have no problems.



  • "If you have no need, disable ipv6, remove the ipv6 track interface from the LAN interface configuration page and I suppose your problems will go away. It might be that your Linux machines are not configured to use ipv6 and thus have no problems."

    Yep that seems to have done it, although I wasn't able to stop IPV6 Track on the LAN interface. Due to this error; "The DHCP6 Server is active on this interface and it can be used only with a static IPv6 configuration. Please disable the DHCPv6 Server service on this interface first, then change the interface configuration".

    Regardless I disabled IPV6 on the Windows PC's for good measure and they are able to load webpages now.

    Thanks for the help.



  • @akministrator Glad to help although your setup is still problematic.

    If you have no use for ipv6, please disable the dhcpv6 server and everything related to ipv6 under each Interface, DHCP or DNS tabs. Your Windows machines were being assigned either local or probably public ipv6 addresses from either the ISP modem/router or the ISP itself and that could lead to security risks.


  • LAYER 8 Global Moderator

    well somehow your windows box got it in head to use that link local 4eb2 device as dns...

    You really need to figure out what that device is... To start with you could do a simple sniff on your windows machine and then do a nslookup for something that is asking that 4eb2 box.. Say using wireshark - which you can then see the mac address with.. From that you can atleast tell what is the maker of the device from the first 3 numbers in the mac..

    You could also do a
    netsh int ipv6 show neighbors

    from a cmd prompt on windows and look to see the mac address of that 4eb2 address.

    unless you enabled ipv6 in pfsense, and turned on RA - it could be handing that info out... What else is on network windows is connected too.. How does your isp device connect into your network..

    for example on my windows box I see this in the neighbors table

    fe80::208:a2ff:fe0c:e624                      00-08-a2-0c-e6-24  Stale (Router)
    

    If I look up that 00-08-a2 I cans tell that its the pfsense box..

    https://aruljohn.com/mac/0008A2
    maclookkup.png

    Or you could look it up here as well
    anotherlookupspot.png

    as to it being prime95, the search for prime numbers thing - yeah I find that really unlikely.. Your best bet is to track down the device with that 4eb2 address... Another way would be to sniff and look for RAs

    Running wireshark on your windows machine you can see the RAs and then figure out the device sending them telling you to use that 4eb2 address for dns..

    icmp6.png


  • LAYER 8 Global Moderator

    Just to make sure its not left over something from when you were playing with ipv6 maybe on pfsense? Look at the RA on your lan in pfsense - or any other interfaces in case you have multiple networks on the same layer 2 and validate that RA are not enabled on any of pfsense interfaces.

    leftovers.png

    And dhcpv6 as well - if your not using IPv6 none of this should be running on pfsense.

    Quick fix would be to just disable ipv6 on windows - but you really should figure out where its getting that info from.



  • Hi,

    I have a similar issue, with 192.18.1.1 showing as any hosts IP when pinging them, this is on 2 x win10 machines.

    I have a SamKnows ACCC monitoring box between pfSense lan interface and my switch where all devices connect to.

    WAN > PFS > SamKnows > Switch >devices (inc Wifi AP)

    Some win10 machines are fine.

    IPv6 all disabled (from what I can see).

    OP - did you resolve this?



  • Disabling IPv6 did work in my case, although you don't need to disable it on the PC's if you do it directly in pfSense.


Log in to reply