Domain name doesn't get resolved with local dns resolver

ryaoi42

Hi,

I'm having issue resolving domain name with my pfsense.

I got two pfsense(their hostname are nat2 and nat) and one of them (nat2) can not resolve any domain name by their local dns resolver. (pinging IPv4 works fine for both of them)

Their
General Setup / DNS Server Settings
looks like this

And Their General Settings / General DNS Resolver Options are both enabled.

Any idea what could go wrong?
Thanks for any help
Ryota

Gertjan

On the left pfSEnse, use the upstream resolver directly.
Tell it to use, for example, 8.8.8.8 as the DNS :

Like this :

dig @8.8.8.8 pfsense.org

for a complete analysis.
Or

dig @8.8.8.8 pfsense.org +short

if you know an answer exists, and you just want a positive answer = the IPv4.

No answer means : here is no 'connection' between your pfSense and 8.8.8.8 - or 8.8.8.8 is down ^^

Btw :

dig pfsense.org +trace

will drill down from the top, the 13 root main Internet root servers, to the final domain name servers of "pfsense.org", to obtain a A record == the IPv4.

ryaoi42

@Gertjan said in Domain name doesn't get resolved with local dns resolver:

Hi, thanks for your help! I appreciate it a lot.
seems like there is no connection between my pfsense and 8.8.8.8. Am i right about this?

dig @8.8.8.8 pfsense.org

; <<>> DiG 9.12.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig @8.8.8.8 pfsense.org +short

; <<>> DiG 9.12.2-P1 <<>> @8.8.8.8 pfsense.org +short
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

dig pfsense.org +trace

; <<>> DiG 9.12.2-P1 <<>> pfsense.org +trace
;; global options: +cmd
;; Received 28 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

Gertjan

@ryaoi42 said in Domain name doesn't get resolved with local dns resolver:

seems like there is no connection between my pfsense and 8.8.8.8. Am i right about this?

Well ....

@ryaoi42 said in Domain name doesn't get resolved with local dns resolver:

; <<>> DiG 9.12.2-P1 <<>> @8.8.8.8 pfsense.org
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

"no servers could be reached" leaves no room for doubts.

edit : note : even when pfSense has no DNS facilities running, a

dig @8.8.8.8 pfsense.org

would / should work just fine.

ryaoi42

@Gertjan

yeah it should work... :(
oh and when i use my own dns(LAN side).
It works fine.

dig @10.51.1.253 pfsense.org

; <<>> DiG 9.12.2-P1 <<>> @10.51.1.253 pfsense.org
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 37497
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 4

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
; COOKIE: 2602589c9bc9a699508836555e71e7019a0dee9980206aa0 (good)
;; QUESTION SECTION:
;pfsense.org.			IN	A

;; ANSWER SECTION:
pfsense.org.		300	IN	A	208.123.73.69

;; AUTHORITY SECTION:
pfsense.org.		3816	IN	NS	ns2.netgate.com.
pfsense.org.		3816	IN	NS	ns1.netgate.com.

;; ADDITIONAL SECTION:
ns1.netgate.com.	90082	IN	A	208.123.73.80
ns2.netgate.com.	90082	IN	A	162.208.119.38
ns1.netgate.com.	90082	IN	AAAA	2610:160:11:11::80

;; Query time: 1170 msec
;; SERVER: 10.51.1.253#53(10.51.1.253)
;; WHEN: Wed Mar 18 18:16:49 JST 2020
;; MSG SIZE  rcvd: 191

Gertjan

@ryaoi42 said in Domain name doesn't get resolved with local dns resolver:

dig @10.51.1.253 pfsense.org

which means that the device LAN (?) 10.51.1.253 can connect to pfSense - your router - and "pass through it" to connect to what ever upstream DNS it uses, using TCP/UDP port 53 (or 853 ?).
Or : (I'm not sure) : "10.51.1.253" is just answering from it's local cache.

Could you re check with

dig @10.51.1.253 pfsense.org +trace +short

?

ryaoi42

@Gertjan said in Domain name doesn't get resolved with local dns resolver:

10.51.1.253 = my internal LAN side DNS Server.

dig @10.51.1.253 pfsense.org +trace +short

NS h.root-servers.net. from server 10.51.1.253 in 0 ms.
NS c.root-servers.net. from server 10.51.1.253 in 0 ms.
NS j.root-servers.net. from server 10.51.1.253 in 0 ms.
NS b.root-servers.net. from server 10.51.1.253 in 0 ms.
NS k.root-servers.net. from server 10.51.1.253 in 0 ms.
NS g.root-servers.net. from server 10.51.1.253 in 0 ms.
NS e.root-servers.net. from server 10.51.1.253 in 0 ms.
NS f.root-servers.net. from server 10.51.1.253 in 0 ms.
NS i.root-servers.net. from server 10.51.1.253 in 0 ms.
NS d.root-servers.net. from server 10.51.1.253 in 0 ms.
NS a.root-servers.net. from server 10.51.1.253 in 0 ms.
NS l.root-servers.net. from server 10.51.1.253 in 0 ms.
NS m.root-servers.net. from server 10.51.1.253 in 0 ms.
[...]
couldn't get address for 'h.root-servers.net': not found
couldn't get address for 'c.root-servers.net': not found
couldn't get address for 'j.root-servers.net': not found

Got some nice message from dig.

Gertjan

Your "internal LAN side DNS Server." is also out of business.
No more DNS for you.

You're good for the entire check list now.
An easy one is :
Save (export) your settings.
Reset pfSense to default.
Activate WAN (not deeded if it uses the default DHCP).
Connect a device to LAN.
You should be able to :

1. visit the pfSEnse GUI using a browser.
2. be able to resolve. More commonly said "Internet is just fine".

Is that right ?

If not, your issue is upstream.

ryaoi42

@Gertjan

from the log, it seems like it was able to reach to the root name server isn't it?

With both pfsense (nat2 and nat) the command

dig @10.51.1.253 pfsense.org +trace +short

works.but for

dig @8.8.8.8 pfsense.org +trace +short

only nat works and nat2 doesn't work.

Wait so I should reset pfsense and start over?
I am able to access the pfsense GUI using browser already.

Gertjan

@ryaoi42 said in Domain name doesn't get resolved with local dns resolver:

Wait so I should reset pfsense and start over?

This will take 5 minutes or so. Do what I said above.