DNS troubleshooting help



  • Hello,
I am new to pfSense and networking in general. I have just installed pfSense on an older server inside a virtual machine and it seems to be running well. I have put my cable modem in bridge mode, and the WAN address in pfSense is a loadable ip address and all my connected devices can access the internet. I open both Firefox and Chrome and most websites will time out and fail to load. I can enter any type of search term into the Google search bar and it will very quickly show the search results. When I click on any result it will spin for a while and then time out. I set the DNS log to level 2 and all other settings are default for a new pfSense install. I have not added any DNS servers and the default ones are listed on the dashboard as 127.0.0.1, which I assume is the pfSense resolver, and then Comcast's two IPv4 addresses, 75.75.75.75 and 75.75.76.76, and then the IPv6 versions 2001:558:feed::1 and 2. I think that perhaps the DNS resolver at the local host doesn't have a big list yet because it is a new install, so that makes it slow, but it seems like it should be able to eventually get to websites without timing out. From my laptop nslookup returns pfSense.localdomain 192.168.1.1 and the correct name and address for any website I try, which makes me think the DNS resolver is working and maybe the browsers are the problem. I am not sure what is going on; my logs look like this:
    Jul 23 19:27:22 unbound 12034:1 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:22 unbound 12034:1 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:22 unbound 12034:0 info: response for logx.optimizely.com. AAAA IN
    Jul 23 19:27:22 unbound 12034:0 info: reply from <.> 2001:558:feed::2#53
    Jul 23 19:27:22 unbound 12034:0 info: query response was nodata ANSWER
    Jul 23 19:27:26 unbound 12034:0 info: resolving mab.chartbeat.com. A IN
    Jul 23 19:27:26 unbound 12034:1 info: resolving mab.chartbeat.com. AAAA IN
    Jul 23 19:27:26 unbound 12034:0 info: response for mab.chartbeat.com. A IN
    Jul 23 19:27:26 unbound 12034:0 info: reply from <.> 2001:558:feed::2#53
    Jul 23 19:27:26 unbound 12034:0 info: query response was CNAME
    Jul 23 19:27:26 unbound 12034:0 info: resolving mab.chartbeat.com. A IN
    Jul 23 19:27:26 unbound 12034:1 info: response for mab.chartbeat.com. AAAA IN
    Jul 23 19:27:26 unbound 12034:1 info: reply from <.> 75.75.75.75#53
    Jul 23 19:27:26 unbound 12034:1 info: query response was CNAME
    Jul 23 19:27:26 unbound 12034:1 info: resolving mab.chartbeat.com. AAAA IN
    Jul 23 19:27:26 unbound 12034:0 info: response for mab.chartbeat.com. A IN
    Jul 23 19:27:26 unbound 12034:0 info: reply from <.> 2001:558:feed::2#53
    Jul 23 19:27:26 unbound 12034:0 info: query response was ANSWER
    Jul 23 19:27:26 unbound 12034:0 info: resolving chartbeat.com. DS IN
    Jul 23 19:27:26 unbound 12034:0 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:26 unbound 12034:0 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:26 unbound 12034:0 info: resolving fastly.net. DS IN
    Jul 23 19:27:26 unbound 12034:0 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:26 unbound 12034:0 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:26 unbound 12034:1 info: response for mab.chartbeat.com. AAAA IN
    Jul 23 19:27:26 unbound 12034:1 info: reply from <.> 75.75.76.76#53
    Jul 23 19:27:26 unbound 12034:1 info: query response was ANSWER
    Jul 23 19:27:27 unbound 12034:1 info: resolving na1e-acc.services.adobe.com. A IN
    Jul 23 19:27:27 unbound 12034:1 info: resolving na1e-acc.services.adobe.com. A IN
    Jul 23 19:27:27 unbound 12034:1 info: resolving na1e-acc.services.adobe.com. A IN
    Jul 23 19:27:27 unbound 12034:1 info: resolving na1e-acc.services.adobe.com. A IN
    Jul 23 19:27:27 unbound 12034:1 info: response for na1e-acc.services.adobe.com. A IN
    Jul 23 19:27:27 unbound 12034:1 info: reply from <.> 75.75.76.76#53
    Jul 23 19:27:27 unbound 12034:1 info: query response was ANSWER
    Jul 23 19:27:27 unbound 12034:1 info: resolving adobe.com. DS IN
    Jul 23 19:27:27 unbound 12034:1 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:27 unbound 12034:1 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:27 unbound 12034:1 info: resolving adobe-identity.com. DS IN
    Jul 23 19:27:27 unbound 12034:1 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:27 unbound 12034:1 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:27 unbound 12034:1 info: resolving amazonaws.com. DS IN
    Jul 23 19:27:27 unbound 12034:1 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:27 unbound 12034:1 info: Verified that unsigned response is INSECURE
    Jul 23 19:27:29 unbound 12034:1 info: resolving a6709203f34992a5095d2bc7ceaf2ec504f651a8.cws.conviva.com. A IN
    Jul 23 19:27:29 unbound 12034:1 info: resolving a6709203f34992a5095d2bc7ceaf2ec504f651a8.cws.conviva.com. A IN
    Jul 23 19:27:29 unbound 12034:1 info: resolving a6709203f34992a5095d2bc7ceaf2ec504f651a8.cws.conviva.com. A IN
    Jul 23 19:27:29 unbound 12034:1 info: resolving a6709203f34992a5095d2bc7ceaf2ec504f651a8.cws.conviva.com. A IN
    Jul 23 19:27:29 unbound 12034:1 info: resolving conviva.com. DS IN
    Jul 23 19:27:29 unbound 12034:1 info: NSEC3s for the referral proved no DS.
    Jul 23 19:27:29 unbound 12034:1 info: Verified that unsigned response is INSECURE


  • LAYER 8 Global Moderator

    Jul 23 19:27:26 unbound 12034:1 info: reply from <.> 75.75.76.76#53

You did something other than the default install.. pfsense out of the box would not query comcast dns for anything, other than something it's authoritative for, and their public anycast addresses are not authoritative for anything..

    And sure not authoritative for chartbeat or adobe..

So you switched into forwarding mode? But left on dnssec.. which is pointless when you're forwarding and just going to cause extra traffic.

But let's forget dns for now.. that has nothing to do with once something is resolved and loading the page..

What is your VM setup, what are you using for host.. hyper-v, virtualbox, esxi, kvm, proxmox?
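As an added example (not from the thread or the pfSense project), a small Python script that reads unbound verbosity-2 lines like the ones posted above and makes the moderator's inference mechanical: a server asked at zone "." that returns a final answer is a configured forwarder, since a root server would only return a referral, and DNSSEC lines appearing alongside show validation work still being done on forwarded answers. The sample lines are constructed in the format of the post; the server addresses are the Comcast ones it lists.

```python
import re
from collections import Counter
# Constructed sample in the format of the verbosity-2 unbound lines posted above.
SAMPLE_LOG = """\
Jul 23 19:27:26 unbound 12034:0 info: reply from <.> 2001:558:feed::2#53
Jul 23 19:27:26 unbound 12034:1 info: reply from <.> 75.75.76.76#53
Jul 23 19:27:26 unbound 12034:0 info: query response was CNAME
Jul 23 19:27:26 unbound 12034:1 info: query response was ANSWER
Jul 23 19:27:26 unbound 12034:0 info: resolving chartbeat.com. DS IN
Jul 23 19:27:26 unbound 12034:0 info: NSEC3s for the referral proved no DS.
Jul 23 19:27:26 unbound 12034:0 info: Verified that unsigned response is INSECURE
"""
THREAD_RE = re.compile(r"unbound \d+:(\d+) ")
REPLY_RE = re.compile(r"reply from <(?P<zone>[^>]*)> (?P<server>\S+)#\d+")
RESULT_RE = re.compile(r"query response was (?P<kind>.+)$")
DNSSEC_WORK = ("proved no DS", "Verified that unsigned response")
# Root servers only hand out referrals; a zone-"." server returning these is a forwarder.
FINAL = {"ANSWER", "CNAME", "nodata ANSWER", "NXDOMAIN ANSWER"}

def analyze(log_text):
    """Count final answers per zone-"." server, zones queried, and DNSSEC work lines."""
    forwarders, zones, dnssec_lines = Counter(), set(), 0
    last_reply = {}  # unbound thread id -> (zone, server) of its latest "reply from"
    for line in log_text.splitlines():
        tm = THREAD_RE.search(line)
        thread = tm.group(1) if tm else "?"  # threads interleave, so track per thread
        if (m := REPLY_RE.search(line)):
            last_reply[thread] = (m.group("zone"), m.group("server"))
            zones.add(m.group("zone"))
        elif (m := RESULT_RE.search(line)):
            zone, server = last_reply.get(thread, (None, None))
            if zone == "." and m.group("kind") in FINAL:
                forwarders[server] += 1
        elif any(marker in line for marker in DNSSEC_WORK):
            dnssec_lines += 1
    return {"forwarders": dict(forwarders), "zones": sorted(zones), "dnssec_lines": dnssec_lines}

def diagnose(log_text):
    r = analyze(log_text)
    forwarding = bool(r["forwarders"]) and r["zones"] == ["."]
    if not forwarding:
        return False, ["resolver mode: replies came from delegation zones " + ", ".join(r["zones"])]
    notes = ["forwarding mode: final answers from " + ", ".join(sorted(r["forwarders"]))]
    if r["dnssec_lines"]:
        notes.append("DNSSEC validation still active while forwarding (extra DS lookups)")
    return True, notes

if __name__ == "__main__":
    print("\n".join(diagnose(SAMPLE_LOG)[1]))
```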



Thank you for your help. I am not sure how to read the logs so I appreciate your patience. You are correct, the DNS Query Forwarding is checked. I take it as this is sending all DNS requests to my ISP which is Comcast. The base system is Ubuntu Server and pfSense virtualized through KVM and set up through virt-manager. The VM has two NICs both on an Intel card using the e1000 drivers. It seems now that I can load some websites and they load quickly; in fact I am now responding to this on a laptop connected through pfSense. The error I get for most websites is ERR_CONNECTION_TIMED_OUT, although it will load some pages, but some content like links to news stories and banner ads will show as the connection timed out grey box. I had originally thought it was a DNS problem because Google search returns all the results instantly with the previews and everything but clicking on them times out about 19 times out of 20; also if I just hit reload on websites that time out about 20 times it will usually get through eventually. Speed seems fine on the things it does connect to.


  • LAYER 8 Global Moderator

What virtual nics do you have set up in proxmox, while I do not have a lot of experience with proxmox.. In the past there have been some issues running pfsense/freebsd on specific VM software.

    Are you using the virtio cards or e1000.. Try the e1000 cards..

You will have to do some specific research on any sort of specific details for best running pfsense/freebsd on whatever version of proxmox you're running and on your hardware.

    I would like to be of more help - but my experience with proxmox in general is almost nil, and have never tried to run pfsense on it.. Now if you were running it on esxi I could be of great help, and even hyper-v I can fire up fast enough to test any sort of settings.. But currently have no proxmox, and no hardware willing to run it on, so it would be virtual inside virtual.. And nested virtual is not the best for testing for performance issues ;)

    But can tell you with very high level of confidence your issue is not dns related.



Thanks, that is of great help. I would likely have spent hours reading about DNS and watching YouTube videos. I am running e1000 cards. I actually feel more confident looking into hardware/VM/driver type issues than networking issues. I will try a fresh install or other hypervisor combinations this weekend.


  • LAYER 8 Global Moderator

If you're running e1000 vnics, try changing them to the virtio ones.. You'll prob find better help for your specific vm host software selection in the virtual section of the forum.. I can move your thread to there if you like.

    Here this might have some hints to what could be causing your grief
    https://docs.netgate.com/pfsense/en/latest/virtualization/virtualizing-pfsense-with-proxmox.html

    For example
    WARNING: because the hardware checksum offload is not yet disabled, accessing pfSense WebGUI might be sluggish. This is NORMAL and is fixed in the following step.

    To disable hardware checksum offload, navigate under System > Advanced and select Networking tab. Under Networking Interfaces section check the Disable hardware checksum offload and click save. Reboot will be required after this step.

    And in there it does say to use virtIO, so they might be the better choice - got that from my 30 second review of that doc.



@johnpoz Thanks for all your help. It turns out it was a problem with my router/modem's bridge mode. I got a new modem and everything works perfectly.

