Netgate Discussion Forum
    • Categories
    • Recent
    • Tags
    • Popular
    • Users
    • Search
    • Register
    • Login

    Strange issue - not sure how to fix

    Scheduled Pinned Locked Moved General pfSense Questions
    93 Posts 3 Posters 16.6k Views
    Loading More Posts
    • Oldest to Newest
    • Newest to Oldest
    • Most Votes
    Reply
    • Reply as topic
    Log in to reply
    This topic has been deleted. Only users with topic management privileges can see it.
    • P
      pfguy2018
      last edited by

      I have been experiencing a strange issue that seems to only affect navigation to a single website. My box is an SG-4860, on 2.4.4-RELEASE-p3 (supplying this info in case it is pertinent). From time to time, I am unable to connect to a specific website, feedly.com. When I check under Diagnostics -DNS lookup, resolver is able to look up the site and return the IP address. However, if I try to ping or traceroute to the site (either by name or IP address), there is no connection. Rebooting pfSense fixes the problem, but then it recurs at some variable amount of time later (generally 1 to several days, but it varies and does not seem to be predictable).

      I have pfBlocker NG installed, but I have feedly.com whitelisted, and feedly.com does not appear in any of the block lists. Additionally, feedly.com does not appear in the pfBlocker logs to indicate that it is being blocked.

      Additionally, I have not seen feedly.com on any of the firewall logs.

      How can I work this problem? Any suggestions would be welcome.

      1 Reply Last reply Reply Quote 0
      • P
        pfguy2018
        last edited by

        One thing to add that might be a clue.
        When I check under Status - DNS resolver, feedly.com is listed as
        173.245.58.102 feedly.com.
        173.245.59.143 feedly.com.

        However, when I do a DNS lookup for feedly.com, I get
        104.20.60.241
        104.20.59.241

        Could this be the source of the issue? What do I do to fix it?

        1 Reply Last reply Reply Quote 0
        • johnpozJ
          johnpoz LAYER 8 Global Moderator
          last edited by johnpoz

          What your seeing for status there is the NS for that domain, which are cloudflare NS..

          ; QUESTION SECTION:
          ;feedly.com.                    IN      NS
          
          ;; ANSWER SECTION:
          feedly.com.             86400   IN      NS      anna.ns.cloudflare.com.
          feedly.com.             86400   IN      NS      sid.ns.cloudflare.com.
          

          I am on the same box as you 4860, but that really doesn't have anything to do with it... I am not having any issues accessing that site currently.. Never been on it before.

          feedly.jpg

          You sure when your having issues, its just not that unbound has restarted or something.. pfblocker can delay unbounds startup time.

          The TTL on those records is really low at 5 minutes.

          ;feedly.com.                    IN      A
          
          ;; ANSWER SECTION:
          feedly.com.             300     IN      A       104.20.59.241
          feedly.com.             300     IN      A       104.20.60.241
          

          Couple of things you could do when you have problems resolving.. You could turn on prefetching, you could enable return on 0 ttl. And you could also set a min ttl, ie have mine set to 1 hour 3600 seconds. Because I think its just asinine to use such short ttls for a record 5 minutes... JFC people really!! ;)

          in advanced enable
          Prefetch Support
          Serve Expired
          If you want set your
          Minimum TTL for RRsets and Messages
          to something like 3600, or 1200 or something so your caching stuff like this for more than 5 freaking minutes.

          An intelligent man is sometimes forced to be drunk to spend time with his fools
          If you get confused: Listen to the Music Play
          Please don't Chat/PM me for help, unless mod related
          SG-4860 24.11 | Lab VMs 2.8, 24.11

          1 Reply Last reply Reply Quote 0
          • P
            pfguy2018
            last edited by

            I don't think it is unbound restarting, as all other sites resolve properly when this behavior occurs, and there are no entries in the unbound logs indicating that it restarted.

            I applied the settings you recommended, but no joy. Still not resolving feedly.com.
            I am mystified by this.

            1 Reply Last reply Reply Quote 0
            • johnpozJ
              johnpoz LAYER 8 Global Moderator
              last edited by johnpoz

              Can you directly query the NS? Do a dig plus trace to see where you might be failing..

              [2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig feedly.com +trace
              
              ; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace
              ;; global options: +cmd
              .                       55245   IN      NS      h.root-servers.net.
              .                       55245   IN      NS      k.root-servers.net.
              .                       55245   IN      NS      e.root-servers.net.
              .                       55245   IN      NS      m.root-servers.net.
              .                       55245   IN      NS      c.root-servers.net.
              .                       55245   IN      NS      f.root-servers.net.
              .                       55245   IN      NS      i.root-servers.net.
              .                       55245   IN      NS      g.root-servers.net.
              .                       55245   IN      NS      b.root-servers.net.
              .                       55245   IN      NS      j.root-servers.net.
              .                       55245   IN      NS      a.root-servers.net.
              .                       55245   IN      NS      d.root-servers.net.
              .                       55245   IN      NS      l.root-servers.net.
              .                       55245   IN      RRSIG   NS 8 0 518400 20200305190000 20200221180000 33853 . Md9l213wnywkUFV95YPQHkCeE+ZwSJbop+9tJq3SIyBOpUlmRk550Q3R b12eEipqdJr0PqwGX5a4kI0LrtRTRfVw87g2/shLnNU8n8eeeu5AhpYN oieNajpTyijaHBthsOu6mooM9kUyeWr4SAPTJ7ejna5z7MXKLxLp5x65 YWbyxoJZYgqVvrq9UG30Z6xMT2nHLlYJP8jrRVcFm2BRtLSGGTYr/zPu T/CukO9xW0O+VNKgV2QlQ1nWkKBytd3SylJ/cDk7xn6ilQNk1y31B0T3 5mj7xuDY6bspkMMXweDSmADVDX9YHQBs8jMFEpzAYASf3xDU3rHiif5f Qn7yfg==
              ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
              
              com.                    172800  IN      NS      a.gtld-servers.net.
              com.                    172800  IN      NS      b.gtld-servers.net.
              com.                    172800  IN      NS      c.gtld-servers.net.
              com.                    172800  IN      NS      d.gtld-servers.net.
              com.                    172800  IN      NS      e.gtld-servers.net.
              com.                    172800  IN      NS      f.gtld-servers.net.
              com.                    172800  IN      NS      g.gtld-servers.net.
              com.                    172800  IN      NS      h.gtld-servers.net.
              com.                    172800  IN      NS      i.gtld-servers.net.
              com.                    172800  IN      NS      j.gtld-servers.net.
              com.                    172800  IN      NS      k.gtld-servers.net.
              com.                    172800  IN      NS      l.gtld-servers.net.
              com.                    172800  IN      NS      m.gtld-servers.net.
              com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
              com.                    86400   IN      RRSIG   DS 8 1 86400 20200306170000 20200222160000 33853 . nKP5Lv27AOcUTOm757OfCNXwSlfg8v2sgN8bBC6JvkPlCWDl1P9WI7MQ uQeLEkx7/uUV8LIWt9ydzRb0C1ZPAmZQqzcs/AyAS2vZpxg4zPntejA2 U8RrTi2LCNmB3nr6LKGGZIcFMPH9CzLGld2PI6PNJPLE6Fjd/KnfwmLk t3Say5Rc1Q04998aQU56kXwzVy35zni3HZXMrPkKnlW0aMYm3u2UC+Pi HuxP9QrzE7G9QAz/mq2jkf3IjSyi3b4E5gOhGOMpU0gdKAHngVaDLa6W 1Pdv+ksnrqkXAwbFxhzMW8HDC3qEHxxcNWvZBJyvjcWwAsHbUPtcHiTd c1+gMQ==
              ;; Received 1170 bytes from 192.58.128.30#53(j.root-servers.net) in 50 ms
              
              feedly.com.             172800  IN      NS      sid.ns.cloudflare.com.
              feedly.com.             172800  IN      NS      anna.ns.cloudflare.com.
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
              CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20200227054927 20200220043927 56311 com. A7zRR2FLhyIgXRnCDNNvgAx2rJS8Rmn1XVVobuXfiDuGSvok2VpUPFfq cSN1rspiJJxCuU1z0IP5QL6zVUroFJ6JEghztjdP+P8l0rpE28/MEJz6 XHIagMgIVeUQfmDgzvBvk8ufccBKbrMJ6CWsmtJZYIjp+5Bar5qx7Ekr +QfZbnhvW2bmnLuUxK57EhVDcdpllDVYBxxjye0EU60l5Q==
              3I8E1G3SLVIC3HRKRAQSO6EK28ISKHP7.com. 86400 IN NSEC3 1 1 0 - 3I8FF9SHMK4CDS6I5ID1K3FROQE4EUPK NS DS RRSIG
              3I8E1G3SLVIC3HRKRAQSO6EK28ISKHP7.com. 86400 IN RRSIG NSEC3 8 2 86400 20200229055410 20200222044410 56311 com. jomgLV9NMlv4s8S+WeAWT7lq3AUzv0Ij0KcEneyjQYXyCGktENfZBAfr g1qlt1eZBVwG8jIXh+zmfSbW5QLVzRLjTC0WuuDMWOW8S2mkpt3cWfY3 yHwNNZgP3zobIylthc+VnC+jhEqeQavOnlyVv10XUX4Ceyg/k7MTnSR3 Svq9A+CNrdZLztwXlHEQ8/mCZU+BFLMXGfNkFYK6+V7hHQ==
              ;; Received 727 bytes from 2001:502:1ca1::30#53(e.gtld-servers.net) in 38 ms
              
              feedly.com.             300     IN      A       104.20.59.241
              feedly.com.             300     IN      A       104.20.60.241
              ;; Received 71 bytes from 173.245.59.143#53(sid.ns.cloudflare.com) in 23 ms
              
              

              Those settings won't help resolve something that is specifically failing if you have not atleast resolved it once.

              An intelligent man is sometimes forced to be drunk to spend time with his fools
              If you get confused: Listen to the Music Play
              Please don't Chat/PM me for help, unless mod related
              SG-4860 24.11 | Lab VMs 2.8, 24.11

              1 Reply Last reply Reply Quote 0
              • P
                pfguy2018
                last edited by

                @johnpoz said in Strange issue - not sure how to fix:

                dig feedly.com +trace

                This is the output:
                ; <<>> DiG 9.12.2-P1 <<>> feedly.com +trace
                ;; global options: +cmd
                . 86247 IN NS b.root-servers.net.
                . 86247 IN NS e.root-servers.net.
                . 86247 IN NS l.root-servers.net.
                . 86247 IN NS g.root-servers.net.
                . 86247 IN NS f.root-servers.net.
                . 86247 IN NS i.root-servers.net.
                . 86247 IN NS k.root-servers.net.
                . 86247 IN NS d.root-servers.net.
                . 86247 IN NS a.root-servers.net.
                . 86247 IN NS m.root-servers.net.
                . 86247 IN NS h.root-servers.net.
                . 86247 IN NS c.root-servers.net.
                . 86247 IN NS j.root-servers.net.
                . 86247 IN RRSIG NS 8 0 518400 20200306170000 20200222160000 33853 . OllzbzJsOGxkm+P/Ey6qfFo8aQAw2uj4myYKF8VK5wW/2wxfpUNvRpfR zqrknCl2bYIuW/NtVVqrfD/u8NxeMEqOf44O7SjHj6xEvEVlDnb+L3tU rb2q3yUOKROLKd4hsjNWqzYqX8ceP9ZfFnSMGrDEZLgS64/SK3QRHY74 XEGj1knstNH7iRjvUt/DH851ViURrJ+sQCnw0eXWqkKsgF27arrQES3T vgnW7VvEal5bPgLNImafvgmiHmjL74No2QlRUtWl2KpspZqqiXZOe3lr HIMnZJhY5ku8QB35u9Yxb/YX6b5yo0u9xv4akOB8rYKlzwLRw9/ilQ2a vhDQRQ==
                ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

                ;; connection timed out; no servers could be reached

                What does this tell me?

                1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator
                  last edited by

                  Tells me you are not able to talk to any of the roots!! So nothing going to resolve.. Only stuff you have cached already is going to be able to resolve.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.8, 24.11

                  1 Reply Last reply Reply Quote 0
                  • P
                    pfguy2018
                    last edited by

                    That is strange. Because I am having no trouble accessing any other sites, including sites where I have never browsed before.

                    How do I solve that issue? Any pointers?

                    1 Reply Last reply Reply Quote 0
                    • johnpozJ
                      johnpoz LAYER 8 Global Moderator
                      last edited by

                      Well why can you not query the roots... Try to query one..

                      [2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig @h.root-servers.net com NS
                      
                      ; <<>> DiG 9.12.2-P1 <<>> @h.root-servers.net com NS
                      ; (2 servers found)
                      ;; global options: +cmd
                      ;; Got answer:
                      ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 54900
                      ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
                      ;; WARNING: recursion requested but not available
                      
                      ;; OPT PSEUDOSECTION:
                      ; EDNS: version: 0, flags:; udp: 4096
                      ;; QUESTION SECTION:
                      ;com.                           IN      NS
                      
                      ;; AUTHORITY SECTION:
                      com.                    172800  IN      NS      a.gtld-servers.net.
                      com.                    172800  IN      NS      b.gtld-servers.net.
                      com.                    172800  IN      NS      c.gtld-servers.net.
                      com.                    172800  IN      NS      d.gtld-servers.net.
                      com.                    172800  IN      NS      e.gtld-servers.net.
                      com.                    172800  IN      NS      f.gtld-servers.net.
                      com.                    172800  IN      NS      g.gtld-servers.net.
                      com.                    172800  IN      NS      h.gtld-servers.net.
                      com.                    172800  IN      NS      i.gtld-servers.net.
                      com.                    172800  IN      NS      j.gtld-servers.net.
                      com.                    172800  IN      NS      k.gtld-servers.net.
                      com.                    172800  IN      NS      l.gtld-servers.net.
                      com.                    172800  IN      NS      m.gtld-servers.net.
                      
                      ;; ADDITIONAL SECTION:
                      a.gtld-servers.net.     172800  IN      A       192.5.6.30
                      b.gtld-servers.net.     172800  IN      A       192.33.14.30
                      c.gtld-servers.net.     172800  IN      A       192.26.92.30
                      d.gtld-servers.net.     172800  IN      A       192.31.80.30
                      e.gtld-servers.net.     172800  IN      A       192.12.94.30
                      f.gtld-servers.net.     172800  IN      A       192.35.51.30
                      g.gtld-servers.net.     172800  IN      A       192.42.93.30
                      h.gtld-servers.net.     172800  IN      A       192.54.112.30
                      i.gtld-servers.net.     172800  IN      A       192.43.172.30
                      j.gtld-servers.net.     172800  IN      A       192.48.79.30
                      k.gtld-servers.net.     172800  IN      A       192.52.178.30
                      l.gtld-servers.net.     172800  IN      A       192.41.162.30
                      m.gtld-servers.net.     172800  IN      A       192.55.83.30
                      a.gtld-servers.net.     172800  IN      AAAA    2001:503:a83e::2:30
                      b.gtld-servers.net.     172800  IN      AAAA    2001:503:231d::2:30
                      c.gtld-servers.net.     172800  IN      AAAA    2001:503:83eb::30
                      d.gtld-servers.net.     172800  IN      AAAA    2001:500:856e::30
                      e.gtld-servers.net.     172800  IN      AAAA    2001:502:1ca1::30
                      f.gtld-servers.net.     172800  IN      AAAA    2001:503:d414::30
                      g.gtld-servers.net.     172800  IN      AAAA    2001:503:eea3::30
                      h.gtld-servers.net.     172800  IN      AAAA    2001:502:8cc::30
                      i.gtld-servers.net.     172800  IN      AAAA    2001:503:39c1::30
                      j.gtld-servers.net.     172800  IN      AAAA    2001:502:7094::30
                      k.gtld-servers.net.     172800  IN      AAAA    2001:503:d2d::30
                      l.gtld-servers.net.     172800  IN      AAAA    2001:500:d937::30
                      m.gtld-servers.net.     172800  IN      AAAA    2001:501:b1f9::30
                      
                      ;; Query time: 45 msec
                      ;; SERVER: 198.97.190.53#53(198.97.190.53)
                      ;; WHEN: Sat Feb 22 16:49:09 CST 2020
                      

                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                      If you get confused: Listen to the Music Play
                      Please don't Chat/PM me for help, unless mod related
                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                      1 Reply Last reply Reply Quote 0
                      • P
                        pfguy2018
                        last edited by

                        @johnpoz said in Strange issue - not sure how to fix:

                        dig @h.root-servers.net com NS

                        ; <<>> DiG 9.12.2-P1 <<>> @h.root-servers.net com NS
                        ; (2 servers found)
                        ;; global options: +cmd
                        ;; connection timed out; no servers could be reached

                        1 Reply Last reply Reply Quote 0
                        • johnpozJ
                          johnpoz LAYER 8 Global Moderator
                          last edited by johnpoz

                          your not even getting an IP? dig to IP.

                          [2.4.4-RELEASE][admin@sg4860.local.lan]/root: dig h.root-servers.net 
                          
                          ; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net
                          ;; global options: +cmd
                          ;; Got answer:
                          ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 31354
                          ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
                          
                          ;; OPT PSEUDOSECTION:
                          ; EDNS: version: 0, flags:; udp: 4096
                          ;; QUESTION SECTION:
                          ;h.root-servers.net.            IN      A
                          
                          ;; ANSWER SECTION:
                          h.root-servers.net.     85798   IN      A       198.97.190.53
                          
                          ;; Query time: 0 msec
                          ;; SERVER: 127.0.0.1#53(127.0.0.1)
                          ;; WHEN: Sat Feb 22 16:51:18 CST 2020
                          ;; MSG SIZE  rcvd: 63
                          

                          Then try and dig to that IP..

                          dig @198.97.190.53 com ns

                          If your not getting back IPs from unbound for roots - then yeah your going to have all kinds of issues!! You would only be able to resolve stuff that you have IPs to be able to ask those NS.

                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                          If you get confused: Listen to the Music Play
                          Please don't Chat/PM me for help, unless mod related
                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                          1 Reply Last reply Reply Quote 0
                          • P
                            pfguy2018
                            last edited by

                            @johnpoz said in Strange issue - not sure how to fix:

                            dig h.root-servers.net

                            I just rebooted, so I am able to access feedly.com again. But who knows for how long?

                            This is the output:
                            ; <<>> DiG 9.12.2-P1 <<>> h.root-servers.net
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 8969
                            ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                            ;; OPT PSEUDOSECTION:
                            ; EDNS: version: 0, flags:; udp: 4096
                            ;; QUESTION SECTION:
                            ;h.root-servers.net. IN A

                            ;; ANSWER SECTION:
                            h.root-servers.net. 86400 IN A 198.97.190.53

                            ;; Query time: 3199 msec
                            ;; SERVER: 127.0.0.1#53(127.0.0.1)
                            ;; WHEN: Sat Feb 22 17:57:27 EST 2020
                            ;; MSG SIZE rcvd: 63

                            ; <<>> DiG 9.12.2-P1 <<>> @198.97.190.53 com ns
                            ; (1 server found)
                            ;; global options: +cmd
                            ;; Got answer:
                            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49732
                            ;; flags: qr rd; QUERY: 1, ANSWER: 0, AUTHORITY: 13, ADDITIONAL: 27
                            ;; WARNING: recursion requested but not available

                            ;; OPT PSEUDOSECTION:
                            ; EDNS: version: 0, flags:; udp: 4096
                            ;; QUESTION SECTION:
                            ;com. IN NS

                            ;; AUTHORITY SECTION:
                            com. 172800 IN NS a.gtld-servers.net.
                            com. 172800 IN NS b.gtld-servers.net.
                            com. 172800 IN NS c.gtld-servers.net.
                            com. 172800 IN NS d.gtld-servers.net.
                            com. 172800 IN NS e.gtld-servers.net.
                            com. 172800 IN NS f.gtld-servers.net.
                            com. 172800 IN NS g.gtld-servers.net.
                            com. 172800 IN NS h.gtld-servers.net.
                            com. 172800 IN NS i.gtld-servers.net.
                            com. 172800 IN NS j.gtld-servers.net.
                            com. 172800 IN NS k.gtld-servers.net.
                            com. 172800 IN NS l.gtld-servers.net.
                            com. 172800 IN NS m.gtld-servers.net.

                            ;; ADDITIONAL SECTION:
                            a.gtld-servers.net. 172800 IN A 192.5.6.30
                            b.gtld-servers.net. 172800 IN A 192.33.14.30
                            c.gtld-servers.net. 172800 IN A 192.26.92.30
                            d.gtld-servers.net. 172800 IN A 192.31.80.30
                            e.gtld-servers.net. 172800 IN A 192.12.94.30
                            f.gtld-servers.net. 172800 IN A 192.35.51.30
                            g.gtld-servers.net. 172800 IN A 192.42.93.30
                            h.gtld-servers.net. 172800 IN A 192.54.112.30
                            i.gtld-servers.net. 172800 IN A 192.43.172.30
                            j.gtld-servers.net. 172800 IN A 192.48.79.30
                            k.gtld-servers.net. 172800 IN A 192.52.178.30
                            l.gtld-servers.net. 172800 IN A 192.41.162.30
                            m.gtld-servers.net. 172800 IN A 192.55.83.30
                            a.gtld-servers.net. 172800 IN AAAA 2001:503:a83e::2:30
                            b.gtld-servers.net. 172800 IN AAAA 2001:503:231d::2:30
                            c.gtld-servers.net. 172800 IN AAAA 2001:503:83eb::30
                            d.gtld-servers.net. 172800 IN AAAA 2001:500:856e::30
                            e.gtld-servers.net. 172800 IN AAAA 2001:502:1ca1::30
                            f.gtld-servers.net. 172800 IN AAAA 2001:503:d414::30
                            g.gtld-servers.net. 172800 IN AAAA 2001:503:eea3::30
                            h.gtld-servers.net. 172800 IN AAAA 2001:502:8cc::30
                            i.gtld-servers.net. 172800 IN AAAA 2001:503:39c1::30
                            j.gtld-servers.net. 172800 IN AAAA 2001:502:7094::30
                            k.gtld-servers.net. 172800 IN AAAA 2001:503:d2d::30
                            l.gtld-servers.net. 172800 IN AAAA 2001:500:d937::30
                            m.gtld-servers.net. 172800 IN AAAA 2001:501:b1f9::30

                            ;; Query time: 27 msec
                            ;; SERVER: 198.97.190.53#53(198.97.190.53)
                            ;; WHEN: Sat Feb 22 17:57:53 EST 2020
                            ;; MSG SIZE rcvd: 828

                            Does it matter that my DNS is set to 127.0.0.1?

                            1 Reply Last reply Reply Quote 0
                            • johnpozJ
                              johnpoz LAYER 8 Global Moderator
                              last edited by

                              That was after you rebooted.. Or was that before you rebooted... You shouldn't have to reboot - just restart unbound.

                              An intelligent man is sometimes forced to be drunk to spend time with his fools
                              If you get confused: Listen to the Music Play
                              Please don't Chat/PM me for help, unless mod related
                              SG-4860 24.11 | Lab VMs 2.8, 24.11

                              1 Reply Last reply Reply Quote 0
                              • johnpozJ
                                johnpoz LAYER 8 Global Moderator
                                last edited by

                                if you are resolving - then yes your dns should be set to loopback! That is unbound directly..

                                An intelligent man is sometimes forced to be drunk to spend time with his fools
                                If you get confused: Listen to the Music Play
                                Please don't Chat/PM me for help, unless mod related
                                SG-4860 24.11 | Lab VMs 2.8, 24.11

                                1 Reply Last reply Reply Quote 0
                                • P
                                  pfguy2018
                                  last edited by

                                  This was after I rebooted. Prior to that, I did in fact restart unbound manually, but it did not fix the problem. Rebooting always solves this issue, for some length of time, but then it always recurs

                                  It occurs to me that the reason I can access sites in the browser that I have never accessed before even when I am experiencing this issue is that I am using Firefox, which internally sets its own DNS to cloudfare DNS. So it is probably bypassing the pfSense DNS and allowing me to access these sites. So it was masking the issue. Strangely though, it was still not allowing me to access feedly.com. So something is still being blocked somewhere at some point.

                                  1 Reply Last reply Reply Quote 0
                                  • P
                                    pfguy2018
                                    last edited by

                                    Other than rebooting, is there anything else I can try to get Unbound connected to the root servers when this occurs again?

                                    1 Reply Last reply Reply Quote 0
                                    • johnpozJ
                                      johnpoz LAYER 8 Global Moderator
                                      last edited by johnpoz

                                      @pfguy2018 said in Strange issue - not sure how to fix:

                                      which internally sets its own DNS to cloudfare DNS

                                      Mine doesn't - I have that shit turned off!! F that going to hand everything to cloudflare..

                                      I would validate the query is actually going out, or not... Do a sniff on your wan - are you seeing dns going out.. Up the logging of unbound to see if you can see errors, etc.

                                      If your saying restarting unbound doesn't fix it but reboot, then points to something with the connection... Sniff to see if your dns goes out and your just not getting an answer.

                                      An intelligent man is sometimes forced to be drunk to spend time with his fools
                                      If you get confused: Listen to the Music Play
                                      Please don't Chat/PM me for help, unless mod related
                                      SG-4860 24.11 | Lab VMs 2.8, 24.11

                                      1 Reply Last reply Reply Quote 0
                                      • P
                                        pfguy2018
                                        last edited by

                                        I don't see any errors in the unbound log at level 2 or 3 logging. I am not sure how to sniff the WAN traffic - can you point me to some instructions for how to do that?

                                        1 Reply Last reply Reply Quote 0
                                        • johnpozJ
                                          johnpoz LAYER 8 Global Moderator
                                          last edited by

                                          Go to diag menu, packet capture - pick your wan interface.

                                          An intelligent man is sometimes forced to be drunk to spend time with his fools
                                          If you get confused: Listen to the Music Play
                                          Please don't Chat/PM me for help, unless mod related
                                          SG-4860 24.11 | Lab VMs 2.8, 24.11

                                          1 Reply Last reply Reply Quote 0
                                          • P
                                            pfguy2018
                                            last edited by

                                            Doing that, how do I check if the root servers are being queried?

                                            1 Reply Last reply Reply Quote 0
                                            • First post
                                              Last post
                                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.