Resolve hostname stop working randomley on diffrent hosts
-
Hi Everyone,
Got this week my supermicro sys-5018d-fn8t beast and installed/use pfsense for the first time, getting to know the system. i also have supermicro server that i run VMware with few VMs such as FreeNAS, Ubuntu servers..etc. for the pfsense configuration i have used the wizard, added IoT vlan, open SMB port 445 IoT to LAN and port forward for WordPress webserver access. for Local DNS i used BIND9 but replaced it with pfsense DNS RESOLVER. after adding all the hostnames I’m able to resolve on chrome browser by hostname, however resolve hostname stop working randomly on different hosts when using the browser, but IP and nslookup working fine. As well after some time suddenly it comes back and resolve the hostname. See below the DNS and other related setting i used, are the following:
General Setup
Hostname: pfsense
Domain: example.com.au
DNS SERVERS: 192.168.1.1, 8.8.8.8, 8.8.4.4
TimeServers: 0.au.pool.ntp.org (replace pfsense TS)
all the rest defaultDNS Resolver
Network interfaces: ALL
Outgoing interfaces: WAN
DHCP Registration: enabled by default
Static DHCP: enabled by default
DNSSEC: enabled by default
all the rest default
added hostnames: hostname Domain Local IPDHCP Server IPV4
Range: Added
DNS SERVERS: 192.168.1.1, 8.8.8.8, 8.8.4.4
all the rest defaultIPV6 - disabled on all interfaces
Advance Firewall/NAT
NAT Reflection mode for port forwards: enabled Pure NAT
Enable automatic outbound NAT for Reflection: Enable
(allow WordPress access not sure what NAT Reflection does it do but it’s the only way i managed to get access)Firewall Port Forward
Port forwards: 8081 to 80
NAT reflection: use system default
Filter rule association: PASS
(allow WordPress access not sure what NAT Reflection does it do but it’s the only way i managed to get access)Firewall Rules
LAN-
-
- LAN Address 443, 80, 22 * * Anti-Lockout Rule
IPv4 * LAN net * * * * none Default allow LAN to any rule
IPv6 * LAN net * * * * none Default allow LAN IPv6 to any rule (left it in case needed somewhere)
- LAN Address 443, 80, 22 * * Anti-Lockout Rule
-
IoT
IPv4 TCP IOT net * LAN net 445 (MS DS) * none SMB
IPv4 * IOT net * ! LAN net * * none Anywhere but LANUPnP & NAT-PMP
- Enable UPnP & NAT-PMP
- Enabled UPnP Port Mapping
- Enabled NAT-PMP Port Mapping
- External Interface WAN
- Interfaces IoT
FYI - not sure if its related but i think its wort to mention that I use the Supermicro PF server SFP+ 10G interface ix0 connected to my UniFi Switch SFP 1G, SPEED/DUPLEX Auto both sides.
What i have tried and didn’t work (solutions from this forum).
- removed DNS servers 8.8.8.8, 8.8.4.4 from general setup, using only 192.168.1.1.
- Untick/disabled DNSSEC from Resolver
Still testing
- Untick/disabled DHCP Registration, Static DHCP from Resolver
Per description above is there anything in the configuration that can cause hostname issues?
How does the pfsense resolve the public IPs after i removed it from the DNS server list?
as well regarding my configuration in general will be great if you can review/recommend.Didn’t include logs, still getting to know the system, please let me know if you need more information
Thank you
-
-
@avsion said in Resolve hostname stop working randomley on diffrent hosts:
How does the pfsense resolve the public IPs after i removed it from the DNS server list?
Because the one that does the resolving, the Resolver, is a resolver ;)
Now what is a resolver ?A resolver uses the known 13 main Internet Root servers to do the DNS job for you. It doesn't need any upstream DNS server, it doesn't use them.
But if you have to give "8.8.8.8, 8.8.4.4" your private DNS queries, you're free to do so.Have a look at the logs of the resolver. Is it (re) starting often ? And if so, check out one of the many forum threads about the subject.
Btw : I'm using the resolver with the default settings.
Except one : I unchecked also "DHCP Registration".
You can leave " Static DHCP Register DHCP static mappings in the DNS Resolver" checked because the IP is static, so DNS info stays static. These won't restart the resolver. -
Hi @Gertjan ,
Thank you for your reply,
@Gertjan said in Resolve hostname stop working randomley on diffrent hosts:
A resolver uses the known 13 main Internet Root servers to do the DNS job for you. It doesn't need any upstream DNS server, it doesn't use them.
But if you have to give "8.8.8.8, 8.8.4.4" your private DNS queries, you're free to do so.In general because of privacy reasons I prefer not to use google dns for outbound if I don’t need too. if the resolver will do the basic task of resolving dns queries without using my information for any other reasons. If so do I just use PFS DGW 192.168.1.1 in the general settings? And can I remove google DNS outbound from the DHCP server from all interfaces as well?
Regarding private queries as far as I understand any Public DNS server such as google cannot resolve RFC1908 ranges, I have use google dns only for the upstream queries, is there somthing i'm missing about the general dns settings?
The DNS Resolver does show 99 restarts over snapshot of 8 hours, see attached image
any tips how to resolve that issue? any thread you know i can check, had a look at the forum and tried the above as describe in the OP.Thank you
-
@avsion said in Resolve hostname stop working randomley on diffrent hosts:
if the resolver will do the basic task of resolving dns queries without using my information for any other reasons.
No information from you is needed. Internet became autonomous a couple of days after his birth.
These are the default - and perfect - settings :
You saw it : nothing should be changed here.
@avsion said in Resolve hostname stop working randomley on diffrent hosts:
And can I remove google DNS outbound from the DHCP server from all interfaces as well?
If you want all your devices to have Google as their DNS, wjy not.
Normally it's the local router who's doing that job for you. In that case : put all settings back to default (== no DNS settings) which means your pfSense will resolve/cache/dnnsec/etc.@avsion said in Resolve hostname stop working randomley on diffrent hosts:
The DNS Resolver does show 99 restarts over snapshot of 8 hours, see attached image
any tips how to resolve that issue? any thread you know i can checkLike Home > pfSense
Software > DHCP and DNS Unbound > VERY frequent restarts (DNS Resolver Restarts) ?First : this one :
is not checked, right ?
unbound, the resolver is also restarted when :
Interfaces go down and up (like a non stable WAN - example : you have a 60 second WAN lease - seen that recently) or a VPN-client connection that is not stable at all.
Bad LAN interface / cable ?
Or : look at this : https://forum.netgate.com/topic/150108/unbound-very-frequent-restarts-dns-resolver-restartsGave a look at the System log .... there is always useful info there.
-
@Gertjan said in Resolve hostname stop working randomley on diffrent hosts:
Normally it's the local router who's doing that job for you. In that case : put all settings back to default (== no DNS settings) which means your pfSense will resolve/cache/dnnsec/etc
Hi @Gertjan
i will factory default and start again no google dns let PFS do it all. in the wizared step 2
"Override DNS: Allow DNS servers to be overridden by DHCP/PPP on WAN"
should be enabled or disabled ?Thank you
-
Disabled.
Whatever the upstream router proposes - pfSense doesn't need them.
The upstream router could be on your premises, or on the ISP side. -
by default the pfsense wizared is enabled/ticked, just doublecheck it should be disabled correct? i didnt understand what does this setting do?
Thank you
-
@avsion said in Resolve hostname stop working randomley on diffrent hosts:
just doublecheck it should be disabled correct?
Never used the (a) wizard.
By looking at the description :If this option is set, pfSense will use DNS servers assigned by a DHCP/PPP server on WAN for its own purposes (including the DNS Forwarder/DNS Resolver). However, they will not be assigned to DHCP clients.I can't imagine a situation where this option has a sense.
Fort historical reasons ? A fact is, that, in the past, most ISP routers worked this way.
Probably because the ISP wanted to be in the DNS-chain ( so the router contained a light weight DNS forwarder), because it was exposing services to it's clients that were not accessible for the outside world. That's mostly a thing of the past now. -
Hi @Gertjan
Thank you for your reply, I have Factory default the pfSense and set the following:
General settings - add hostname, domain, DNS Servers Leave blank and untick Override DNS, all the rest default.
Services
DHCP Servers - Leave blank.DNS Resolver - Network Interfaces and Outgoing Network Interfaces set to ALL, DNSSEC and DHCP Static enabled, DHCP Registration disabled, upload XML hostnames.
NTP - added local NTP servers
UPnP & NAT-PMP - UPnP Port Mapping, NAT-PMP Port Mapping enabled for IoT VLAN Only.
LAN/IoT Interface - hardcoded Speed / Duplex to 1000BaseSX on both ends router and switch as the supermicro LAN/VLAN interface i use is SFP+ and the UniFi switch is SFP.
The system now running well can't see any errors or resolver restarts in the system log. i do feel bit of LAG when opening some app on the IoT VLAN compare to the Google DNS, maybe still caching.
Few questions:
DNS Resolver
Network Interfaces set to ALL, if i want the resolver to respond to all interfaces/IP on my network, correct?Outgoing Network Interfaces is set to ALL however i only have one WAN interface, should i keep it ALL or select WAN to use WAN only? (not clear if the other interfaces are in use if i have one WAN interface).
ALL DHCP Servers - Leave blank to use the pfSense DNS Resolver correct?
LAN/IoT Interface - Do i need to set the speed/duplex on the IoT VLAN interface as well (Both) or just on the Main LAN interface?
Any other comments or recommended setting?
Thank you
-
Up, and above : ok to me.
But what do you mean with :@avsion said in Resolve hostname stop working randomley on diffrent hosts:
upload XML hostnames.
@avsion said in Resolve hostname stop working randomley on diffrent hosts:
UPnP & NAT-PMP - UPnP Port Mapping, NAT-PMP Port Mapping enabled for IoT VLAN Only.
Whatever you want ^^
IMHO : UPNP should be avoided at all time. As you have to fully trust your devices .... and the entire Internet seeing them. You're right : put these on a seperate LAN - OPTx network.The rest : I'm using identical settings so I tend to say : all ok for your usage.
This has an explanation :
@avsion said in Resolve hostname stop working randomley on diffrent hosts:Outgoing Network Interfaces is set to ALL however i only have one WAN interface, should i keep it ALL or select WAN to use WAN only? (not clear if the other interfaces are in use if i have one WAN interface).
The resolver knows at hand the 13 IP (26 actually) addresses of the main root servers.
The router (pfSense) has a routing table - as it is a router, so it knows that these 13 addresses are not local. Using other words : it can not reach them on the network like LAN OPT1, etc. Only the WAN type interfaces offer a possible way to these 13 IP's.
The main 13 DNS root servers will return other remote DNS servers, up until the domain name server that servers the final DNS records.
So their is no real need to specify the outgoing interfaces, as the router already knows them.This explains why you can leave both settings to "All : Resolver's outgoing and ingoing interfaces
-
@Gertjan said in Resolve hostname stop working randomley on diffrent hosts:
But what do you mean with :
@avsion said in Resolve hostname stop working randomley on diffrent hosts:upload XML hostnames.
Before reset to factory default i backup the resolver that includes all the manual hostname data entries.
@Gertjan said in Resolve hostname stop working randomley on diffrent hosts:
IMHO : UPNP should be avoided at all time. As you have to fully trust your devices .... and the entire Internet seeing them. You're right : put these on a seperate LAN - OPTx network.
Agree will disable UPnP. IoT is already on a separted VLAN with all firewall rules blocking access to LAN.
Thank you for your help, i will monitor the system and see how we go