DNS Stops working
-
Well, it means it's restarting. Do you have it registering DHCP? Did you just make a change to host or domain overrides... Did pfBlocker update, etc.?
The problem is that when it restarts the cache is lost, and while it's restarting nothing can respond to DNS, etc.
-
@manjotsc said in DNS Stops working:
do you have it registering dhcp?
Do you have this one checked:
If so, when a new lease is asked for and granted, the Resolver is restarted.
Compare the DHCP logs and the DNS Resolver log. You can see it happen. If you have a device that insists on asking for a new DHCP lease every xx minutes, then yes, your Resolver gets restarted every xx minutes. Something you do not want at all...
@manjotsc said in DNS Stops working:
Maybe because it is set to every hour,
So you get what you want: a guaranteed Resolver restart every hour.
And the risk that feed servers are blacklisting your download attempts.
@manjotsc said in DNS Stops working:
Now when I start downloading something file large files, DNS stops working.
Loading some file from the net doesn't use the DNS.
In the beginning, the URL of the file is resolved. The IP connection is made, and packets just stream through the router/firewall.
Whatever the Resolver is doing at that moment, it has nothing to do with this data stream.
If you want to look for system instability:
Remove ALL packages.
Check for 'strange' system messages: enter the console, option 8, and type "dmesg". See if new logs are added. Are they NIC related?
-
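The "compare the DHCP log with the DNS Resolver log" step above can be scripted. The Python below is an added example, not code from the thread or from pfSense: it parses constructed dhcpd and unbound syslog lines (the format approximates what pfSense writes; the hostnames, MACs, PIDs and times are made up), matches every unbound "start of service" to the DHCPACK that preceded it within a few seconds, lists restarts that no lease explains, and computes how often each client renews. The year constant is an assumption because syslog timestamps carry none.

```python
import re
from collections import Counter
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines (not the screenshots from the thread). The format
# approximates pfSense's dhcpd and unbound (DNS Resolver) syslog output.
DHCP_LOG = """\
Mar  3 10:00:01 pfSense dhcpd[4521]: DHCPREQUEST for 192.168.40.50 from aa:bb:cc:00:11:22 (tv) via igb1
Mar  3 10:00:01 pfSense dhcpd[4521]: DHCPACK on 192.168.40.50 to aa:bb:cc:00:11:22 (tv) via igb1
Mar  3 10:07:30 pfSense dhcpd[4521]: DHCPACK on 192.168.40.51 to aa:bb:cc:00:33:44 (laptop) via igb1
Mar  3 11:00:01 pfSense dhcpd[4521]: DHCPACK on 192.168.40.50 to aa:bb:cc:00:11:22 (tv) via igb1
"""

RESOLVER_LOG = """\
Mar  3 10:00:02 pfSense unbound[7788]: [7788:0] info: service stopped (unbound 1.9.6).
Mar  3 10:00:03 pfSense unbound[7801]: [7801:0] info: start of service (unbound 1.9.6).
Mar  3 10:07:31 pfSense unbound[7801]: [7801:0] info: service stopped (unbound 1.9.6).
Mar  3 10:07:32 pfSense unbound[7815]: [7815:0] info: start of service (unbound 1.9.6).
Mar  3 10:30:00 pfSense unbound[7815]: [7815:0] info: start of service (unbound 1.9.6).
Mar  3 11:00:02 pfSense unbound[7815]: [7815:0] info: service stopped (unbound 1.9.6).
Mar  3 11:00:03 pfSense unbound[7830]: [7830:0] info: start of service (unbound 1.9.6).
"""

LOG_YEAR = 2024  # assumption: syslog lines carry no year, so one is supplied for parsing
TS_RE = re.compile(r"^([A-Z][a-z]{2})\s+(\d{1,2}) (\d\d:\d\d:\d\d) ")
ACK_RE = re.compile(r"DHCPACK on (\S+) to (\S+)(?: \(([^)]*)\))? via (\S+)")


def parse_ts(line: str) -> Optional[datetime]:
    """Turn the leading 'Mon dd HH:MM:SS' of a syslog line into a datetime."""
    m = TS_RE.match(line)
    if not m:
        return None
    mon, day, clock = m.groups()
    return datetime.strptime(f"{mon} {day} {clock} {LOG_YEAR}", "%b %d %H:%M:%S %Y")


def dhcp_acks(text: str) -> List[Dict]:
    """Only DHCPACK lines count: that is the moment a lease is granted."""
    acks = []
    for line in text.splitlines():
        ts, m = parse_ts(line), ACK_RE.search(line)
        if ts and m:
            ip, mac, host, iface = m.groups()
            acks.append({"ts": ts, "ip": ip, "mac": mac, "host": host or "?", "iface": iface})
    return acks


def resolver_restarts(text: str) -> List[datetime]:
    """Every 'start of service' line is one unbound (re)start."""
    return [ts for ts in (parse_ts(line) for line in text.splitlines()
                          if "start of service" in line) if ts]


def correlate(acks: List[Dict], restarts: List[datetime],
              window_s: int = 5) -> Tuple[List[Dict], List[datetime]]:
    """Pair each restart with the newest DHCPACK in the preceding window.

    Restarts with no lease in that window are returned separately: those were
    triggered by something else (a package update, a config save, ...).
    """
    matched, unmatched = [], []
    for r in restarts:
        candidates = [a for a in acks if 0 <= (r - a["ts"]).total_seconds() <= window_s]
        if candidates:
            a = max(candidates, key=lambda c: c["ts"])
            matched.append({"restart": r, "lease": a, "delay_s": (r - a["ts"]).total_seconds()})
        else:
            unmatched.append(r)
    return matched, unmatched


def noisy_clients(matched: List[Dict]) -> Counter:
    """How many resolver restarts each client's leases account for."""
    return Counter(m["lease"]["host"] for m in matched)


def renewal_interval_min(acks: List[Dict], mac: str) -> Optional[float]:
    """Average minutes between successive leases for one MAC (None if < 2 leases)."""
    times = sorted(a["ts"] for a in acks if a["mac"] == mac)
    if len(times) < 2:
        return None
    gaps = [(b - a).total_seconds() / 60 for a, b in zip(times, times[1:])]
    return sum(gaps) / len(gaps)


if __name__ == "__main__":
    acks = dhcp_acks(DHCP_LOG)
    matched, unmatched = correlate(acks, resolver_restarts(RESOLVER_LOG))
    for m in matched:
        print(f"{m['restart']:%H:%M:%S} restart  <- lease for {m['lease']['host']} "
              f"({m['lease']['mac']}) {m['delay_s']:.0f}s earlier")
    for r in unmatched:
        print(f"{r:%H:%M:%S} restart  <- no DHCP lease nearby, look elsewhere")
    print("restarts per client:", dict(noisy_clients(matched)))
    print("tv renews every", renewal_interval_min(acks, "aa:bb:cc:00:11:22"), "min")
```

On the constructed sample, three of the four restarts line up with a lease within two seconds, the "tv" client alone causes two of them and renews every 60 minutes, and the 10:30 restart has no lease near it, which is exactly the split between "DHCP registration is restarting unbound" and "something else is restarting it" that the post asks you to make.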
@Gertjan DHCP Registration, is not checked.
-
@Gertjan This is what I am getting in the logs,
Before Reboot:
After Reboot:
-
@manjotsc said in DNS Stops working:
This is what I am getting on logs,
Both logs show a lot of what happens during DNS resolving.
Logging as much info - note that both log images show lines that all took place in 1 second (!!).
Logging this much info really takes a hit on the system.
DNS resolving over port 853 (TLS) implies huge processing, because everything has to be encrypted - and of course decrypted - re-encrypted on the other side. Reply times like 0.120 seconds or 120 milliseconds become 'normal'.
You do have AES-NI, but still, SDNS takes more time than classic DNS.
Do you have to supply 8.8.8.8 and 1.1.1.1 with your private DNS info? Please remember: these are companies. The fact that they don't bill you is because you gave them valuable info. Do you have to? Did you try other DNS sources, like the official Internet DNS root servers?
Another thing: do the http://www.dslreports.com/speedtest test.
No A's means : .... would you experience right now .... the WAN connection gets congested.
-
@Gertjan Can you help me find Root DNS servers, I made a search, couldn't find.
Thanks,
-
@manjotsc said in DNS Stops working:
Can you help me find Root DNS servers
If you don't enable "DNS Query Forwarding" in the DNS resolver settings, then pfSense will query Internet root servers by default.
https://docs.netgate.com/pfsense/en/latest/book/services/dns-resolver.html
-
@manjotsc said in DNS Stops working:
Can you help me find Root DNS servers, I made a search, couldn't find.
As @teamits said: you, and unbound, do not need to find them.
These 13 servers are exceptional: their host names and IP addresses (IPv4 and IPv6) are built into unbound.
Here they are: https://www.iana.org/domains/root/servers (install Google and use these words: DNS root servers)
Use this command on pfSense to see them:
dig . ns
-
@Gertjan @johnpoz I tried a few other DNS servers, same issue. DNS stops working, and I went to pfSense Diagnostics then ping; for example I tried ping 1.1.1.1 from WAN, it pings, but from the LAN side and guest side it does not ping. It looks like something is blocking LAN and guest from reaching DNS servers.
-
@manjotsc said in DNS Stops working:
blocking on lan
That something is called a firewall rule. The default one works just fine.
Or you've busted the routing.
-
@Gertjan ok, that's right, I have set up pfSense to block any DNS server other than 192.168.40.1 on the LAN side, see screenshot; all my LAN devices are set to use the pfSense box as DNS server (192.168.40.1). Still I can't figure out the problem. Also I noticed one more thing: DNS starts working fine if pfSense or the modem is rebooted.
-
You're doing some DNS related things with your firewall rules on LAN - all have a destination port of '53'.
DNS uses UDP and can use TCP.
You're not blocking ICMP - the protocol ping is using - so it will pass using the last, pass all rule for IPv4 stuff.
ICMP does not use the concept of 'ports'.
Ping to 1.1.1.1 should be possible from your LAN.
These are my LAN rules:
which are 100 % identical to your rules - I'm not blocking any DNS things. Just a big pass all.
And I also use IPv6 .... (not related to your question).
I can ping 1.1.1.1 just fine.
-
@Gertjan When DNS is working I am able to ping 1.1.1.1, but not when DNS stops. It's been months I've been trying to figure this out, and I don't have any DNS rule on guest; it still causes the problem.
thanks,
-
@manjotsc said in DNS Stops working:
When DNS is working I am able ping 1.1.1.1, but not when DNS stops.
And what if 'DNS' (the resolver / unbound) is still working and your issue is the connection between the two devices? NIC? Cables? Switches?
Such a question would normally last a couple of minutes. You can be sure right away:
When your 'ping 1.1.1.1' on a LAN based device "doesn't work", does it work on pfSense at that very moment? Use the console or ssh access, option 8, and execute the same command over there.
To test DNS on pfSense, do a
dig one.one.one.one +trace
which will resolve from top to bottom.
If ping using an IP, and using a host name, and the proposed DNS work on pfSense, you now know where to look...
Btw: DNS never stops working by itself, except:
Bad uplink (WAN) connection.
Some packages can receive settings that totally 'kill' pfSense, DNS, or the entire system. The combination pfBlockerNG-devel <-> Unbound is very well known.
etc etc.
-
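Reading the output of dig +trace is what tells you at which step "top to bottom" resolution stopped, and that is what the checklist above hinges on (a failure right after the root NS list points at the WAN uplink, a failure deeper in the chain at a particular delegation). The Python below is an added example, not code from the thread or from pfSense: it parses two constructed dig +trace transcripts (one complete, one that times out), returns the delegation hops with the server each came from, and names the point where the trace broke. The root server name and IP in the samples are the real a.root-servers.net; the TLD and authoritative server IPs are documentation-range placeholders and the byte counts and timings are made up.

```python
import re
from typing import Dict, List

# Constructed sample output of `dig one.one.one.one +trace` that completes.
TRACE_OK = """\
; <<>> DiG 9.16.1 <<>> one.one.one.one +trace
;; global options: +cmd
.\t\t518400\tIN\tNS\ta.root-servers.net.
.\t\t518400\tIN\tNS\tb.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

one.\t\t172800\tIN\tNS\ta.nic.one.
one.\t\t172800\tIN\tNS\tb.nic.one.
;; Received 700 bytes from 198.41.0.4#53(a.root-servers.net) in 22 ms

one.one.one.\t3600\tIN\tNS\tns3.cloudflare.com.
one.one.one.\t3600\tIN\tNS\tns4.cloudflare.com.
;; Received 300 bytes from 203.0.113.53#53(a.nic.one) in 35 ms

one.one.one.one.\t300\tIN\tA\t1.1.1.1
one.one.one.one.\t300\tIN\tA\t1.0.0.1
;; Received 110 bytes from 198.51.100.7#53(ns3.cloudflare.com) in 30 ms
"""

# Constructed sample where the local resolver hands out the root NS list but
# no root server answers: the uplink, not unbound, is the suspect.
TRACE_FAIL = """\
; <<>> DiG 9.16.1 <<>> one.one.one.one +trace
;; global options: +cmd
.\t\t518400\tIN\tNS\ta.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

;; connection timed out; no servers could be reached
"""

RR_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(.+)$")
RECV_RE = re.compile(r"^;; Received \d+ bytes from (\S+?)#\d+\((\S+)\) in (\d+) ms")
TIMEOUT_MARK = ";; connection timed out"


def parse_trace(text: str) -> Dict:
    """Split a +trace transcript into hops: one per ';; Received ... from' line.

    Each hop carries the RRs printed before it, the zone they belong to, and
    the server/IP that supplied them. A timeout marker ends the trace.
    """
    hops: List[Dict] = []
    pending: List[Dict] = []
    status = "ok"
    for line in text.splitlines():
        if line.startswith(TIMEOUT_MARK):
            status = "timeout"
            break
        m = RECV_RE.match(line)
        if m:
            ip, server, ms = m.groups()
            hops.append({"zone": pending[0]["owner"] if pending else "?",
                         "records": pending, "server": server, "ip": ip, "ms": int(ms)})
            pending = []
            continue
        if line.startswith(";") or not line.strip():
            continue  # comments, options banner, blank separators
        m = RR_RE.match(line)
        if m:
            owner, ttl, rtype, rdata = m.groups()
            pending.append({"owner": owner, "ttl": int(ttl), "type": rtype, "rdata": rdata})
    last = hops[-1]["records"] if hops else []
    answers = [r["rdata"] for r in last if r["type"] in ("A", "AAAA")]
    if status == "ok" and not answers:
        status = "incomplete"  # trace ended without an address answer
    return {"status": status, "hops": hops, "answers": answers}


def where_it_broke(summary: Dict) -> str:
    """Translate the parsed trace into the 'where to look' verdict."""
    hops = summary["hops"]
    if summary["status"] == "ok":
        return "resolved: " + ", ".join(summary["answers"])
    if not hops:
        return "no answer at all: the resolver on pfSense did not even return the root NS list"
    last = hops[-1]
    if len(hops) == 1:
        return (f"root NS list came from {last['ip']}, but no root server could be reached: "
                "look at the WAN/uplink, not at unbound")
    return f"stuck after the {last['zone']} delegation handed out by {last['server']} ({last['ip']})"


if __name__ == "__main__":
    for name, text in (("ok", TRACE_OK), ("fail", TRACE_FAIL)):
        s = parse_trace(text)
        print(name, [f"{h['zone']} via {h['server']} ({h['ms']} ms)" for h in s["hops"]])
        print("   ", where_it_broke(s))
```

Run it against a real transcript by feeding the saved output of dig +trace to parse_trace instead of the samples; the per-hop millisecond values also show which delegation is slow, which matters when DNS looks "dead" only while a large download is saturating the WAN.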
@Gertjan Alright, I'll give it a try when it goes down again, thanks.
-
Hello!
Just a shot in the dark....
In addition to pfb, are you running snort/suricata... with blocking turned on... and maybe some ET DNS type rules...?
John
-
@serbus I am not using snort or suricata,