Strange issue - not sure how to fix
-
What I posted above would seem to confirm that the root servers are reachable by my system. So I am not sure why the dig feedly.com +trace command yields the output I posted above. But feedly is still reachable via cached DNS:
; <<>> DiG 9.12.2-P1 <<>> feedly.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 18657
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 1
;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;feedly.com. IN A
;; ANSWER SECTION:
feedly.com. 0 IN A 104.20.59.241
feedly.com. 0 IN A 104.20.60.241
;; Query time: 0 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Tue Feb 25 07:24:23 EST 2020
;; MSG SIZE rcvd: 71
-
@johnpoz said in Strange issue - not sure how to fix:
dig @h.root-servers.net com NS
This was just now.
dig: couldn't get address for 'h.root-servers.net': not found
; <<>> DiG 9.12.2-P1 <<>> @198.97.190.53 com ns
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached
I am really stumped by all this.
-
Because unbound is not running.. Why don't you turn off pfblocker for a bit and see if you continue to have issues.
-
@johnpoz said in Strange issue - not sure how to fix:
Because unbound is not running.. Why don't you turn off pfblocker for a bit and see if you continue to have issues.
My previous post showed that unbound IS running. That's what makes this so perplexing.
I am at work now, but when I return home, I am going to give your suggestion of disabling pfBlocker a shot to see what I can discover.
-
Popping back in here. I think the issue might be solved. After searching these forums, I came across a post in this thread (https://forum.netgate.com/topic/147092/curl-error-7-on-all-downloads/8) that noted curl errors in pfBlockerNG after the default WAN gateway had been changed. I have been observing the same errors when pfBlockerNG updates, and lo and behold, my default gateway had also changed from what I had originally set. I changed it back to what it should be, and instantly DNS began to resolve. However, I am not sure how/why this unintended gateway change occurred, or how to prevent it from happening again.
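A check for the failure described in this post, as an added example that is not part of the original thread: it reads a FreeBSD-style `netstat -rn -f inet` routing table and flags a default route that is no longer on the intended WAN gateway. The routing tables, addresses (203.0.113.1, 10.8.0.2) and interface names (igb0, ovpns1) are constructed sample values, and the function names are hypothetical.

```sh
#!/bin/sh
# Added example (not from the thread). Sample tables are constructed.
# Live use on the firewall:  netstat -rn -f inet | check_default <wan_gw> <wan_if>

# Print "<gateway> <netif>" for the IPv4 default route read from stdin.
# The Netif column is located from the header row, so both the 5-column and
# the older 7-column FreeBSD netstat layouts parse correctly.
default_route() {
    awk '
        $1 == "Destination" { for (i = 1; i <= NF; i++) if ($i == "Netif") col = i; next }
        $1 == "default" && col { print $2, $col; exit }
    '
}

# Compare the default route on stdin with the intended gateway and interface.
# Returns 0 on match, 1 on drift, 2 when no default route exists.
check_default() {
    want_gw=$1
    want_if=$2
    set -- $(default_route)
    if [ $# -eq 0 ]; then
        echo "ALERT: no IPv4 default route"
        return 2
    fi
    if [ "$1" = "$want_gw" ] && [ "$2" = "$want_if" ]; then
        echo "OK: default via $1 on $2"
        return 0
    fi
    echo "ALERT: default via $1 on $2, expected $want_gw on $want_if"
    return 1
}

# Constructed sample: default route has moved to an OpenVPN server interface.
DRIFTED='Internet:
Destination        Gateway            Flags     Netif Expire
default            10.8.0.2           UGS      ovpns1
10.8.0.0/24        10.8.0.2           UGS      ovpns1
203.0.113.0/24     link#1             U          igb0'

# Constructed sample: default route on the intended WAN gateway.
HEALTHY='Internet:
Destination        Gateway            Flags     Netif Expire
default            203.0.113.1        UGS        igb0
203.0.113.0/24     link#1             U          igb0'

printf '%s\n' "$DRIFTED" | check_default 203.0.113.1 igb0 || true
printf '%s\n' "$HEALTHY" | check_default 203.0.113.1 igb0 || true
```

Run from cron with the real WAN gateway and interface, the non-zero exit status gives an early signal that the resolver's path to the root servers has moved before DNS lookups start failing.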
-
@pfguy2018 said in Strange issue - not sure how to fix:
my default gateway had also changed from what I had originally set.
Meaning what exactly.. You have more than 1 wan interface? You're using PPPoE? You're using a VPN? What do you mean your gateway changed?
-
@johnpoz said in Strange issue - not sure how to fix:
@pfguy2018 said in Strange issue - not sure how to fix:
my default gateway had also changed from what I had originally set.
Meaning what exactly.. You have more than 1 wan interface? You're using PPPoE? You're using a VPN? What do you mean your gateway changed?
Yes - I have several outgoing interfaces set up due to VPN use. The default has always been the WAN (non VPN) interface (for many years). At some point this got changed (without any intervention on my part), and re-setting it seems to have fixed the DNS issue. I will continue to monitor to see if this remains fixed. But I have no idea how/why the change happened in the first place, and whether it might occur again.
-
Well if you pull routes from your vpn service, it's possible that becomes the default..
If you're going to use a vpn service - it's best to not pull routes from them, even though pretty much all their guides say to, or don't mention it (and it's default)..
-
Where would I adjust that setting for VPN?
Also - interestingly - the default interface became one of the incoming VPN servers that are run on my pfSense box (I have several). Not sure if that is relevant or not.
-
In your vpn client setting, check the box that says do not pull routes..
-
Thanks. Is there an equivalent setting for the VPN servers that I run on the pfSense box? I don't actually have any VPN clients set up on pfSense.
-
What do you want your clients to do, do you want them to just come to pfsense for your network(s).. Then don't set it to be the default route..
-
I do want the clients to use pfSense for all traffic - in order to make use of pfBlocker NG when outside the network. So I would want to keep that box checked I think.
-
Yes if you want all traffic to go through pfsense to get to the internet then you would leave that checked..
-
So is that going to cause the default gateway to change on pfSense again, without any intervention on my part? I would like to keep the default locked to the WAN, as I have set.
-
Huh?? Your vpn server you're running has ZERO to do with pfsense being a client to some vpn service.
I would like to keep the default locked to the WAN
What?? You setting rules on your lan to force clients out dhcp wan or vpn services has ZERO to do with what pfsense and services running on pfsense use to get to the internet.
-
I get that. But as I noted above, somehow the default gateway for pfSense got changed to one of the VPN server gateway interfaces on its own - I did not make that change. This seems to have been the cause of the DNS resolution problems I have been experiencing. I am trying to figure out how to prevent that from occurring again.
To clarify - the setting I am referring to is under system/routing/gateways. That is where the incorrect default gateway got set somehow.
-
@pfguy2018 said in Strange issue - not sure how to fix:
one of the VPN server gateway interfaces on its own
No it DIDN'T!! It did what it was told - if you pull routes from your vpn service - are you?? Then that would become the default route... If you have failover set for your multiple wans, and something fails then it would failover..
That is where the incorrect default gateway got set somehow.
And let's see what you have in there...
-
No failover set. I will have to check each of my VPN clients to see if any of them are set up to pull routes from the VPN service. But I am not sure how that could change the default gateway set on the pfSense box they are connecting to.
-
WTF do your vpn clients have to do with anything??????????????????
Oh let me think about it for 2 seconds = NOTHING!!!
Do you have pfsense being a vpn client to some vpn service or not?? Your devices connecting to pfsense has NOTHING TO DO WITH ANYTHING!!
What do you have in your gateways?