DNS server not responding

yodar44

i have 2 computers, one connected to the LAN port and one connected to the OPT port on my sg-1100.
the one on LAN is working fine. the one on OPT shows no internet connection.
when i run windows network diagnostics, it says DNS server not responding.
ipconfig/all says
IPv4 Address. . . . . . . . . . . : 10.100.1.3(Preferred)
Default Gateway . . . . . . . . . : 10.100.1.1
DHCP Server . . . . . . . . . . . : 10.100.1.1
DNS Servers . . . . . . . . . . . : 10.100.1.1
am i missing something in the OPT configuration, or what?

kiokoman

maybe a firewall rule that permit dns request?
by default LAN is open but OPT need specific rules
to surf the web you need at least port 53 (dns)/ 80 (http)/ 443 (https)

yodar44

@yodar44
how do i do that?
what would the rule say?

kiokoman

this is for DNS

repeat for port 80 and 443 with protocol TCP

you should end up with something like this

yodar44

@kiokoman
ok, that fixed it.
tnx
is there a manual that covers stuff like this?
i have Security Gateway Manual, SG-1100 [54pages]
but it doesn't go into much detail.

kiokoman

almost everything is here https://docs.netgate.com/pfsense/en/latest/
if something is not clear just ask here, no prob

Gertjan

I advise to change UDP for "TCP & UDP" ;)

yodar44

@kiokoman
it looks like i spoke too soon. most sites seem to be working, but not all. some that i haven't been to for a while say: Firefox can’t establish a connection to the server at www... etc. this only happens on the computer on the OPT port.
[ i did try Gertjans TCP/UDP suggestion too. no help]
this still seems to be a DNS problem. any suggestions?

Gertjan

@yodar44 said in DNS server not responding:

any suggestions?

Always ;)

@yodar44 said in DNS server not responding:

seems to be a DNS problem

Normally, you can't stay in the "seem" state. Why would you ?
When your browser can't connect to 'some. site', you fire up a command prompt, type nslookup + enter and then

some.site

and enter.
It resolves : no DNS issue.
It didn't resolve : DNS issue.

Example :

thus www.google.com resolves (for me) to two IP's, and IPv4 and IPv6.

As @kiokoman already mentioned above, did you open TCP 80 and TCP 443 ?
If not, your browser will not be able to connect to the outside world, because you did not gave him the possibility to do so.

During testing, why not open everything on your OPT1 interface with an identical rule as you found on the LAN interface : you'll be sure outgoing connection will succeed, including FTP, SSH, all the mail connections, NTP, etc etc. When this works, you can decide to fine-grain your firewall rules.

Example (this is my OpenVPN interface - but is also valid for your OPT1 interface )

Also : because posting images is so easy on this forum - post your OPT1 firewall rules.

yodar44

Gertjan

This second rule

should have been :

You're saved by the fact that the first rule is a "TCP pass all" (so TCP DNS requests to port 53 are handled by this rule).

Again, I advise you to put a pass all rule on the fifth position ( IPv4 TCP and UDP ).

Btw : did you change any of the DNS Resolver settings ?

johnpoz

Can tell there is something wrong..

See where when you do nslookup it comes back unknown for your dns..

That is not how it should look..

$ nslookup
Default Server:  sg4860.local.lan
Address:  192.168.9.253

This should come back with your pfsense fqdn.. If you can talk to pfsense for dns, dns is actually running on pfsense.. pfsense has to do no lookup at all for that to work.. So this would be basic sanity check.. If that does not come back with pfsnse name.. Then you have connectivity problem, unbound/dnsmasq/bind is not running on pfsense (whatever you are using).. Or there is some wrong with it for sure.

Gertjan

@johnpoz said in DNS server not responding:

some wrong

For sure.
Like Resolver (unbound) using ACL - and nothing has been setup for OPT1.
Or its forwarding and that setup is faulty.
Or .... what ever.
It's time @yodar44 starts communicating a bit better as it's DNS ^^

johnpoz

@Gertjan said in DNS server not responding:

Or its forwarding and that setup is faulty.

Even even forwarding and not working, the name of pfsense should come back when the dns client does the ptr for it.

Your ACL suggestion possible yeah.

yodar44

@johnpoz Screen Shot 10-30-19 at 10.08 AM 001.JPG
i'm attaching screen shots of DNS resolver settings. do you see any thing wrong? i didn't change anything. it is same as it came.

johnpoz

what about your acl tab? Did you turn off the auto acl, or did you create your own? But if your acl were not allowing then you wouldn't ever get any answers.

You sure its just not restarting a lot.. Are you running pfblocker, are you doing any attempted dns redirect..

Here is the thing.. When put in the nslookup cmd and you don't get back the name of the dns your pointing to - this is telling you have a problem at basic level, and not just having issues resolving stuff.

Type just nslookup at the cmd line... You should see a name for your pfsense, like you in mine.

yodar44

@johnpoz
the acl tab is blank:
ServicesDNS ResolverAccess Lists
General Settings
Advanced Settings
Access Lists
Access Lists to Control Access to the DNS Resolver

i don't know what pfblocker is.
i didn't intentionally do any dns redirect.
my nslookup:
C:\WINDOWS\system32>nslookup
Default Server: UnKnown
Address: 2001:558:feed::1

how do i set what DNS i am pointing to?

Gertjan

@yodar44 said in DNS server not responding:

how do i set what DNS i am pointing to?

You said it yourself : your fist post :

@yodar44 said in DNS server not responding:

DNS Servers . . . . . . . . . . . : 10.100.1.1

and just above :

@yodar44 said in DNS server not responding:

Address: 2001:558:feed::1

which is ok for me .... I see the same "IPv6" address :

Your OPT1 interface and for that matter pfSense is handling / has been set up to handle IPv6 ?
edit : use

ipconfig /all

to see all the network details of your PC.

johnpoz

@yodar44 said in DNS server not responding:

how do i set what DNS i am pointing to?

Via your dhcp.. Or directly on your client... What your pointing to there is a IPv6 address for Xfiniity dns..

And that should resolve to
cdns01.comcast.net.

;; QUESTION SECTION:
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.e.e.f.8.5.5.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.e.e.f.8.5.5.0.1.0.0.2.ip6.arpa. 7172 IN PTR cdns01.comcast.net.

yodar44

@johnpoz
this is my ipconfig/all
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : DC-FE-07-0A-71-0B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:246:5680:ae30::bea3(Preferred)
Lease Obtained. . . . . . . . . . : Wednesday, October 30, 2019 2:36:37 AM
Lease Expires . . . . . . . . . . : Wednesday, November 6, 2019 2:36:37 AM
Link-local IPv6 Address . . . . . : fe80::d9dd:4d34:3b6a:5c85%22(Preferred)
IPv4 Address. . . . . . . . . . . : 10.100.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 28, 2019 4:16:13 PM
Lease Expires . . . . . . . . . . : Wednesday, October 30, 2019 1:06:38 PM
Default Gateway . . . . . . . . . : 10.100.1.1
DHCP Server . . . . . . . . . . . : 10.100.1.1
DHCPv6 IAID . . . . . . . . . . . : 383581703
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-26-DC-F7-DC-FE-07-0A-71-0B
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.100.1.1
2001:558:feed::1
2001:558:feed::2
NetBIOS over Tcpip. . . . . . . . : Enabled

the only difference between the LAN and OPT is the .1 on OPT vs .10 on LAN
ServicesDHCP ServerOPT: Range 10.100.1.1 From, 10.100.1.254 To
ServicesDHCP ServerLAN: Range 192.168.1.10 From, 192.168.1.245 To

is that significant?