DNS server not responding

yodar44

i have 2 computers, one connected to the LAN port and one connected to the OPT port on my sg-1100.
the one on LAN is working fine. the one on OPT shows no internet connection.
when i run windows network diagnostics, it says DNS server not responding.
ipconfig/all says
IPv4 Address. . . . . . . . . . . : 10.100.1.3(Preferred)
Default Gateway . . . . . . . . . : 10.100.1.1
DHCP Server . . . . . . . . . . . : 10.100.1.1
DNS Servers . . . . . . . . . . . : 10.100.1.1
am i missing something in the OPT configuration, or what?

kiokoman

maybe a firewall rule that permit dns request?
by default LAN is open but OPT need specific rules
to surf the web you need at least port 53 (dns)/ 80 (http)/ 443 (https)

yodar44

@yodar44
how do i do that?
what would the rule say?

kiokoman

this is for DNS

repeat for port 80 and 443 with protocol TCP

you should end up with something like this

yodar44

@kiokoman
ok, that fixed it.
tnx
is there a manual that covers stuff like this?
i have Security Gateway Manual, SG-1100 [54pages]
but it doesn't go into much detail.

kiokoman

almost everything is here https://docs.netgate.com/pfsense/en/latest/
if something is not clear just ask here, no prob

Gertjan

I advise to change UDP for "TCP & UDP" ;)

yodar44

@kiokoman
it looks like i spoke too soon. most sites seem to be working, but not all. some that i haven't been to for a while say: Firefox can’t establish a connection to the server at www... etc. this only happens on the computer on the OPT port.
[ i did try Gertjans TCP/UDP suggestion too. no help]
this still seems to be a DNS problem. any suggestions?

Gertjan

@yodar44 said in DNS server not responding:

any suggestions?

Always ;)

@yodar44 said in DNS server not responding:

seems to be a DNS problem

Normally, you can't stay in the "seem" state. Why would you ?
When your browser can't connect to 'some. site', you fire up a command prompt, type nslookup + enter and then

some.site

and enter.
It resolves : no DNS issue.
It didn't resolve : DNS issue.

Example :

thus www.google.com resolves (for me) to two IP's, and IPv4 and IPv6.

As @kiokoman already mentioned above, did you open TCP 80 and TCP 443 ?
If not, your browser will not be able to connect to the outside world, because you did not gave him the possibility to do so.

During testing, why not open everything on your OPT1 interface with an identical rule as you found on the LAN interface : you'll be sure outgoing connection will succeed, including FTP, SSH, all the mail connections, NTP, etc etc. When this works, you can decide to fine-grain your firewall rules.

Example (this is my OpenVPN interface - but is also valid for your OPT1 interface )

Also : because posting images is so easy on this forum - post your OPT1 firewall rules.

yodar44

Screen Shot 10-29-19 at 11.43 AM.JPG

Screen Shot 10-29-19 at 11.57 AM.JPG

Gertjan

This second rule

should have been :

You're saved by the fact that the first rule is a "TCP pass all" (so TCP DNS requests to port 53 are handled by this rule).

Again, I advise you to put a pass all rule on the fifth position ( IPv4 TCP and UDP ).

Btw : did you change any of the DNS Resolver settings ?

johnpoz

Can tell there is something wrong..

See where when you do nslookup it comes back unknown for your dns..

That is not how it should look..

$ nslookup
Default Server:  sg4860.local.lan
Address:  192.168.9.253

This should come back with your pfsense fqdn.. If you can talk to pfsense for dns, dns is actually running on pfsense.. pfsense has to do no lookup at all for that to work.. So this would be basic sanity check.. If that does not come back with pfsnse name.. Then you have connectivity problem, unbound/dnsmasq/bind is not running on pfsense (whatever you are using).. Or there is some wrong with it for sure.

Gertjan

@johnpoz said in DNS server not responding:

some wrong

For sure.
Like Resolver (unbound) using ACL - and nothing has been setup for OPT1.
Or its forwarding and that setup is faulty.
Or .... what ever.
It's time @yodar44 starts communicating a bit better as it's DNS ^^

johnpoz

@Gertjan said in DNS server not responding:

Or its forwarding and that setup is faulty.

Even even forwarding and not working, the name of pfsense should come back when the dns client does the ptr for it.

Your ACL suggestion possible yeah.

yodar44

@johnpoz Screen Shot 10-30-19 at 10.08 AM 001.JPG
i'm attaching screen shots of DNS resolver settings. do you see any thing wrong? i didn't change anything. it is same as it came.

johnpoz

what about your acl tab? Did you turn off the auto acl, or did you create your own? But if your acl were not allowing then you wouldn't ever get any answers.

You sure its just not restarting a lot.. Are you running pfblocker, are you doing any attempted dns redirect..

Here is the thing.. When put in the nslookup cmd and you don't get back the name of the dns your pointing to - this is telling you have a problem at basic level, and not just having issues resolving stuff.

Type just nslookup at the cmd line... You should see a name for your pfsense, like you in mine.

yodar44

@johnpoz
the acl tab is blank:
ServicesDNS ResolverAccess Lists
General Settings
Advanced Settings
Access Lists
Access Lists to Control Access to the DNS Resolver

i don't know what pfblocker is.
i didn't intentionally do any dns redirect.
my nslookup:
C:\WINDOWS\system32>nslookup
Default Server: UnKnown
Address: 2001:558:feed::1

how do i set what DNS i am pointing to?

Gertjan

@yodar44 said in DNS server not responding:

how do i set what DNS i am pointing to?

You said it yourself : your fist post :

@yodar44 said in DNS server not responding:

DNS Servers . . . . . . . . . . . : 10.100.1.1

and just above :

@yodar44 said in DNS server not responding:

Address: 2001:558:feed::1

which is ok for me .... I see the same "IPv6" address :

Your OPT1 interface and for that matter pfSense is handling / has been set up to handle IPv6 ?
edit : use

ipconfig /all

to see all the network details of your PC.

johnpoz

@yodar44 said in DNS server not responding:

how do i set what DNS i am pointing to?

Via your dhcp.. Or directly on your client... What your pointing to there is a IPv6 address for Xfiniity dns..

And that should resolve to
cdns01.comcast.net.

;; QUESTION SECTION:
;1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.e.e.f.8.5.5.0.1.0.0.2.ip6.arpa. IN PTR

;; ANSWER SECTION:
1.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.0.d.e.e.f.8.5.5.0.1.0.0.2.ip6.arpa. 7172 IN PTR cdns01.comcast.net.

yodar44

@johnpoz
this is my ipconfig/all
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : DC-FE-07-0A-71-0B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv6 Address. . . . . . . . . . . : 2601:246:5680:ae30::bea3(Preferred)
Lease Obtained. . . . . . . . . . : Wednesday, October 30, 2019 2:36:37 AM
Lease Expires . . . . . . . . . . : Wednesday, November 6, 2019 2:36:37 AM
Link-local IPv6 Address . . . . . : fe80::d9dd:4d34:3b6a:5c85%22(Preferred)
IPv4 Address. . . . . . . . . . . : 10.100.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Monday, October 28, 2019 4:16:13 PM
Lease Expires . . . . . . . . . . : Wednesday, October 30, 2019 1:06:38 PM
Default Gateway . . . . . . . . . : 10.100.1.1
DHCP Server . . . . . . . . . . . : 10.100.1.1
DHCPv6 IAID . . . . . . . . . . . : 383581703
DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-1E-26-DC-F7-DC-FE-07-0A-71-0B
DNS Servers . . . . . . . . . . . : 2001:558:feed::1
2001:558:feed::2
10.100.1.1
2001:558:feed::1
2001:558:feed::2
NetBIOS over Tcpip. . . . . . . . : Enabled

the only difference between the LAN and OPT is the .1 on OPT vs .10 on LAN
ServicesDHCP ServerOPT: Range 10.100.1.1 From, 10.100.1.254 To
ServicesDHCP ServerLAN: Range 192.168.1.10 From, 192.168.1.245 To

is that significant?

johnpoz

Well your client there has an IPv6 address... So yeah it perfers IPv6... Which in your setup is pretty hosed since now your asking comcast dns vs your own local dns..

I would suggest you disable IPv6 until such time that you can even get IPv4 working.

yodar44

@johnpoz
how do i disable ipv6?

johnpoz

The easy way on windows, from an elevated cmd prompt

reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255

Reboot

To put it back exactly how it was before

reg delete hklm\system\currentcontrolset\services\tcpip6\parameters\ /v DisabledComponents /f

reboot.

yodar44

@johnpoz
ok, now ipconfig/all says
Ethernet adapter Ethernet:

Connection-specific DNS Suffix . : localdomain
Description . . . . . . . . . . . : Realtek PCIe GBE Family Controller
Physical Address. . . . . . . . . : DC-FE-07-0A-71-0B
DHCP Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IPv4 Address. . . . . . . . . . . : 10.100.1.3(Preferred)
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Lease Obtained. . . . . . . . . . : Wednesday, October 30, 2019 2:24:19 PM
Lease Expires . . . . . . . . . . : Wednesday, October 30, 2019 4:06:34 PM
Default Gateway . . . . . . . . . : 10.100.1.1
DHCP Server . . . . . . . . . . . : 10.100.1.1
DNS Servers . . . . . . . . . . . : 10.100.1.1
NetBIOS over Tcpip. . . . . . . . : Enabled

but nslookup still says
C:\WINDOWS\system32>nslookup
DNS request timed out.
timeout was 2 seconds.
Default Server: UnKnown
Address: 10.100.1.1

so it seems that something in the pfsense settings is causing the problem. ??

johnpoz

There is nothing in the settings you showed that is odd.. Is it running?

Do you even have connectivity to pfsense? Why is your dhcp lease so short? And such an time?

Up the logging level in the unbound/advanced to atleast 3... And enable logging of queries..

In your options box at the bottom of unbound

server:
log-queries: yes
log-replies: yes

And then we can see what is going on... I don't even think your talking to the pfsense Because your getting timeouts.. So unbound is not running, or you can not talk to it... You have no rules in the floating tab?

yodar44

@johnpoz said in DNS server not responding:

There is nothing in the settings you showed that is odd.. Is it running?
is what running?

Do you even have connectivity to pfsense?
i can login to 10.100.1.1, if that is what you mean.

Why is your dhcp lease so short? And such an time? ??

Up the logging level in the unbound/advanced to atleast 3... And enable logging of queries..
In your options box at the bottom of unbound
i looked in Status/System Logs/Settings, and i don't see these options.
where should i be looking?

johnpoz

That is not where I said to look... I am really starting to think you are just trolling us..

I clearly stated unbound / advanced..

Which you see

Are you not seeing the options box?

yodar44

@johnpoz
ok, i didn't understand where to look.

but now i have new problem. the sg-1100 seems to have failed. i t seems to be completely dead. the pwr light comes on but none of the ports do anything. i tried connecting to the console via putty, no response. also it doesn't get warm any more.
i emailed support to see what to do.

sadainwr

This post is deleted!

william333

This post is deleted!