Big DNS Problems *Illustrated*

skalyx

Hello guys!

I am currently having from a month now many problems with my DNS and Tidal. Sometimes I also get slow DNS resolving. The error code in Chrome is DNS_PROBE_FINISHED_BAD_CONFIG. With Tidal, I often have problems to load a non-downloaded song and, thus, it skips music or does not even load any music except the downloaded ones. Please refer to the following to understand my simplified network with only the essential info:

Moreover, my PFsense which is a laptop with i5, 16GB ram, 256GB SDD uses:

• DNSec with 1.0.0.1 and 1.1.1.1 (Cloudflare's DNSes)
• PureNAT
  -Antivirus function with the Squid Proxy
• Resolver Live Sync in pfBlockerNG

I think the problem comes with my configuration on my Pfsense router. I disabled Squid and Snort. I, however, noticed the Tidal problem does not happen when I use a VPN on my client. The temporary solution to these DNS issues were to restart the restart my 4G router and then my DNS resolver, reboot my PFsense router, or wait. These problems comes many times per day. Every 2 hours about. It is not regular. I really do need DNSsec but I will try whenever possible to deactivate it.

Please help me and let me know if you need any more information.

PS: I have an amazing 4G connection with less than 12ms ping, 130mbps download, 30mbps upload.

Gertjan

@skalyx said in Big DNS Problems *Illustrated*:

DNS_PROBE_FINISHED_BAD_CONFIG

Try this :
Remove Squid.
Remove Snort.
Remove pfBlockerNG,
Remove "1.0.0.1 and 1.1.1.1"
I don't know what PureNAT is, but it's surely not needed, so remove it.
Put Resolver in the default, resolve mode.

Now you reached the point with one possible conclusion : no more issues.

Go the other way around, do one step a day, and test every situation that triggered problems.
As soon as issues come back, will will know where you have to focus on.

Btw : pfSense on a Laptop ????

skalyx

@Gertjan
Hello,
I did not touch anything since I posted my problem here but it looks like the problem disappeared. I did not have the issue since then.

However, I am sure it will happen so I will try the troubleshooting steps you wrote. Thanks for that.

Regarding the laptop, I just have a spare laptop with a broken screen and it works well. I tried on a desktop with multiple Ethernet ports and it performs as well.

Regarding the "pure Nat" it is a function we can activate in PfSense setting-advanced. Please refer to

Btw: I already tried uninstalling snort, squidy purenat. I suspect pfblockerng and DNSec to screw things over

skalyx

UPDATE:
Problems started reoccuring this morning so I have tried to inspect my DNS settings once again. Here what I found:
I have removed the "private-domain: "plex.direct"" in the custom options situated in Services->DNS Resolver. It looks like it works but I will have to let it for some time. Tidal does not have any problem with this change. I will update whenever my "test time" is up.

MikeV7896

You shouldn't need to add a custom option for "plex.direct" anyway... pfSense already adds one to the config file it generates by default.

johnpoz

@virgiliomi said in Big DNS Problems *Illustrated*:

You shouldn't need to add a custom option for "plex.direct" anyway... pfSense already adds one to the config file it generates by default.

Since when?

There is nothing in the unbound showing that it does that - sorry but I believe your mistaken.. If you want prevent rebind issues with plex.direct you would have to put it in there yourself.

Here this direct from the /var/unbound.conf

# DNS Rebinding
# For DNS Rebinding prevention
private-address: 10.0.0.0/8
private-address: ::ffff:a00:0/104
private-address: 172.16.0.0/12
private-address: ::ffff:ac10:0/108
private-address: 169.254.0.0/16
private-address: ::ffff:a9fe:0/112
private-address: 192.168.0.0/16
private-address: ::ffff:c0a8:0/112
private-address: fd00::/8
private-address: fe80::/10
# Set private domains in case authoritative name server returns a Private IP address

There is nothing there for plex.direct to turn off rebind for it - maybe you turned off rebind completely if your not having issues with plex.direct..

MikeV7896

Not sure. But I know if I go into /var/unbound/unbound.conf, there's already

private-domain: "plex.direct"
domain-insecure: "plex.direct" 

in there. And it's well above the area where custom options from the config page go.

johnpoz

Is it under this heading

# Set private domains in case authoritative name server returns a Private IP address

See my previous post edit on what is listed there.

If you setup a domain override?

skalyx

So, the cause of my problems cannot be linked to this entry in custom options? I am surprised by the fact that I do not have any DNS problems since I removed it. I still need to see if it does fix it over time.
In fact, I was restored my PFsense last day and could not activate my DNS resolver until I removed : private-domain: "plex.direct". So, it may be the cause of my problem. I do not remember why I put that and have not had any Plex issue since the time I removed the entry.

MikeV7896

@johnpoz Ahh... so a domain override will put it there. That would be why then. I have one there, but it's basically to save Unbound a few steps since I was having issues with Plex resolution. Learn something new every day.

@skalyx I kinda went off on a tangent related to that option, not realizing that something else in my setup was putting it in the unbound configuration automatically. It seems odd to me that a setting related to Plex would clear up your issue with TIDAL though.

Apologies for the confusion.

skalyx

@virgiliomi No worries, mate! Thanks to participating in my post! I am also surprised to the fact this entry caused problems with my DNS resolver and Tidal. I do not know... I will have to check further.

I now have Plex issues... I am forced to put it again. I get: "Unable to connect to "HDPlex" securely."
I will put it once again and hope my problem is not linked to it.
I will update !

johnpoz

Where are you overriding it to go? I don't use tidal - to honest not sure what plex is trying to do there at all..

Maybe chrome is doing its own sort of rebind protection? Best thing to do is sniff to see exactly what the client is asking for and what is or isn't getting returned, etc.

Can tell you for sure with out turning off rebind for plex.direct your going to run into issues - and prob only get indirect connections to your local plex box.

MikeV7896

@johnpoz I'm overriding it to go to one of Plex's servers still (one of their secondary servers)... just saving Unbound a couple of resolution steps. I was running into timeout issues occasionally. I don't use TIDAL, so no idea what might be going on with that.

johnpoz

So your overriding it to go direct to the authoritative ns for plex? Yeah that would turn off dnssec and rebind..

Once the domain is resolved once - the authoritatives would be cached for the life of the ttl, and would not have to resolve any more? Would just have to ask the cached NS for the domain direct, if a record TTL had expired.

If your having timeouts on resolving - try turning on prefetch, and even the serve 0 ttl option.. This can help if you have slow resolving for specific domains.

MikeV7896

Already had prefetch on... will turn on Serve 0 TTL also.

Again, apologies to the OP for the slight tangent... what turned out to be me trying to point something out has instead helped me... hopefully your issue can be resolved too, though not sure what has been given to me is at all related to your problem.

johnpoz

So just looked and the TTL on those ns for plex.direct are quite long

example

;; ANSWER SECTION:
ns-plexdirect.plex.tv.  604800  IN      A       82.94.168.7

Is your unbound restarting a lot @virgiliomi -- once that is looked up once, you should not have to resolve the NS for plex.direct again for quite some time.. 7 Days to be exact ;)

skalyx

@johnpoz Are you talking to me John? I do not really understand your message.
Do you have any idea what my problem might be caused from?

BTW, private-domain: "plex.direct" fixed "Unable to connect to "HDPlex" securely.".

MikeV7896

@johnpoz Gonna PM you and we can continue chatting there so the topic can go back to the OP's issue.

johnpoz

Yeah sorry @skalyx me and @virgiliomi kind of got on a bit of tangent there from your problem.

So putting in plex.direct back into custom fixed your plex problem - but your still having issues with tidal? I guess I do the free trial thing and see if could duplicate your problem.

skalyx

@johnpoz
No worries!
For the moment, TIDAL is working fine haha. Problems happen from time to time not constantly so I will have to see over time.