DNS not resolving for ntpd
-
I noticed that NTP logs were reporting that it could not resolve time.windows.com, time.nist.gov and time.google.com. I tried a specific IP from the NIST NTP server pool and it began syncing correctly. I'm not quite sure where to start investigating this issue, since I can resolve DNS queries from the LAN interface just fine. I would appreciate any pointers on where to start investigating.
version: 2.3.4-RELEASE-p1 (i386)
-
@bobsuruncle said in DNS not resolving for ntpd:
version: 2.3.4-RELEASE-p1 (i386)
Upgrade!
Are you using Unbound for DNS? Do you have DNSSEC enabled?
If the time on your firewall is sufficiently far out, the cert can show as invalid, which means Unbound won't resolve anything, creating a chicken/egg scenario.
Steve
-
Update doesn't show as available. Maybe I have an old platform? I am not using DNSSEC or Unbound. The specific error is "retrying DNS time.nist.gov: hostname nor servname provided, or not known (8)", for each NTP server host (3 entered). The time is correct (remember it's syncing with the remote IP NTP server).
-
Yes, you are running a very old version, and 32-bit, which is no longer supported. 2.3.5 was the last 32-bit version. If your hardware is actually 64-bit capable you should just re-install.
What are you using for DNS? Something is preventing those from resolving.
Steve
-
Thanks for reviewing. I am running a 32-bit processor so that explains it.
For DNS, I have the DNS Forwarder enabled. In General Setup, I had no DNS servers configured and "Allow DNS server list to be overridden by DHCP/PPP on WAN" was not checked. I think I understand that this means pfSense will forward DNS queries to the WAN DHCP-provided DNS servers, but will not use them for its own purposes.
Just for fun, I added OpenDNS, Google and Cloudflare DNS servers to the list in General Setup. This immediately resolved the NTP DNS issue (of course). I suppose I never noticed pfSense couldn't (itself) resolve DNS (it's been 7 years!) until now, when I needed an NTP server.
I do see that the DNS Resolver is typically enabled by default and talks directly to the root DNS servers using DNSSEC. That seems like a better option IMO. What's the performance impact expected to be for that? Will it tax my lowly 1.6 GHz dual-core Atom processor to the max?
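Added example, not from the thread and not pfSense's own code: a small POSIX sh self-check for the firewall's own resolver path (the libc path ntpd uses), as opposed to the forwarder that LAN clients query. It assumes a FreeBSD-style /etc/resolv.conf and the host and sockstat utilities for the optional live check; the two sample resolv.conf files are constructed here to stand in for the "before" (forwarder only, nothing in General Setup, WAN override unchecked) and "after" (public servers added) states the post describes.

```shell
#!/bin/sh
# Added example (not from the thread): does the firewall itself have a
# working resolver path? Clients behind the box use the forwarder on the LAN
# interface; daemons on the box (ntpd, the update check) use libc, which
# reads /etc/resolv.conf. Assumptions: FreeBSD-style resolv.conf, `host`
# and `sockstat` available for the live check, sample files constructed below.

# Print the nameserver addresses a resolv.conf-style file lists, one per line.
resolv_nameservers() {
    awk '$1 == "nameserver" { print $2 }' "$1"
}

# Return 0 if the file lists at least one nameserver, 1 otherwise.
has_upstream() {
    [ -n "$(resolv_nameservers "$1")" ]
}

# Classify what libc lookups on this host will do.
# "no-upstream": no nameserver line at all. Per resolv.conf(5) libc then
# falls back to 127.0.0.1, so lookups only succeed if a forwarder/resolver
# actually listens on loopback; otherwise getaddrinfo() fails with
# EAI_NONAME, which on FreeBSD is the "hostname nor servname provided, or
# not known (8)" ntpd logged in the thread.
classify() {
    if has_upstream "$1"; then echo "ok"; else echo "no-upstream"; fi
}

# Live check against the real system (needs network; not run by default).
# Usage: sh resolvcheck.sh live [hostname]
live_check() {
    name=${1:-time.nist.gov}
    echo "== nameservers in /etc/resolv.conf:"
    resolv_nameservers /etc/resolv.conf
    echo "== libc path (what ntpd uses):"
    host "$name" || echo "libc lookup FAILED"
    # Ask each listed server directly, to separate "server unreachable"
    # from "resolv.conf is empty".
    for ns in $(resolv_nameservers /etc/resolv.conf); do
        printf '== direct to %s: ' "$ns"
        host "$name" "$ns" >/dev/null 2>&1 && echo ok || echo FAILED
    done
    printf '== local forwarder/resolver on 127.0.0.1: '
    host "$name" 127.0.0.1 >/dev/null 2>&1 && echo ok || echo FAILED
    echo "== listeners on port 53 (sockstat is FreeBSD-specific):"
    sockstat -l | awk '$6 ~ /:53$/'
}

# --- offline demo with constructed files ---------------------------------
EMPTY_CONF=$(mktemp)
FULL_CONF=$(mktemp)
trap 'rm -f "$EMPTY_CONF" "$FULL_CONF"' EXIT

# Constructed: forwarder-only box, no servers in General Setup, override off.
printf 'domain localdomain\n' > "$EMPTY_CONF"
# Constructed: after adding public servers in General Setup.
printf 'domain localdomain\nnameserver 208.67.222.222\nnameserver 8.8.8.8\n' > "$FULL_CONF"

echo "before: $(classify "$EMPTY_CONF")"   # no-upstream
echo "after:  $(classify "$FULL_CONF")"    # ok

if [ "${1:-}" = live ]; then
    live_check "${2:-}"
fi
```

The useful output of the live run is the contrast between the libc line and the direct lines: if `host time.nist.gov` fails while `host time.nist.gov 127.0.0.1` or a direct query to a listed server succeeds, the problem is what resolv.conf points at, not upstream reachability, which is exactly the situation the post resolved by filling in General Setup.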
-
No, I would not expect it to be unduly taxing. Unbound is still the default on the SG-1000 (single-core arm32).
You should probably see 2.3.5 available as an update now that pfSense can resolve the update servers. You should think about new hardware though; 2.3.5 is very old at this point.
It's actually a 32-bit Atom? N270?
Steve
-
N280 actually, yes, 32-bit. I will look into getting new hardware once I finish the latest network project. I don't want to add new hardware as another variable for troubleshooting.
Oddly enough, the "updating status" has always been successful and it has not changed with the addition of these DNS servers. 2.3.4 seems to be the latest unless I allow for non-stable updates.
"2.3.4-RELEASE-p1 (i386)
built on Fri Jul 14 14:53:03 CDT 2017
FreeBSD 10.3-RELEASE-p19
The system is on the latest version"