DNS stop working
-
Greetings All,
I'm using DNS Resolver. I observed a strange issue: all of a sudden DNS stops working on my LAN side. When I ping 8.8.8.8 from pfSense itself, it does ping and respond.
I did nslookup google.com on my client end and found the following:

nslookup google.com
DNS request timed out.
    timeout was 2 seconds.
Server:  UnKnown
Address:  172.16.159.254

DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
DNS request timed out.
    timeout was 2 seconds.
*** Request to UnKnown timed-out
I've a simple rule on LAN: allow all requests if the destination is the pfSense IP and the port is DNS 53, and block everything else if the destination is not the pfSense IP.
When DNS starts working, it responds as below:

nslookup google.com
Server:  pfSense.local.landomain
Address:  172.16.159.254

Non-authoritative answer:
Name:    google.com
Addresses:  2a00:1450:4018:804::200e
          216.58.209.142
Regards
-
Are you registering DHCP leases? This will restart the resolver (unbound). Are you using pfBlocker? This can delay the start of unbound. So if you are registering DHCP leases and using pfBlocker, you can run into issues where unbound is offline for a bit of time.
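A small resolver probe, added here as an example (it is not the poster's code and not part of pfSense): it sends the same kind of query nslookup does, with the same 2-second timeout, to the resolver address seen in the thread (172.16.159.254, assumed) and timestamps each result, so the gaps can be lined up with the unbound restarts that DHCP lease registration or a slow pfBlocker load cause.

```python
import random, socket, struct, time

def build_query(name, qtype=1, tid=None):
    # Minimal query: one question, RD bit set, the same thing nslookup sends.
    tid = random.randint(0, 0xFFFF) if tid is None else tid
    header = struct.pack(">HHHHHH", tid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return tid, header + qname + b"\x00" + struct.pack(">HH", qtype, 1)

def _skip_name(data, off):
    # Skip a label sequence; a 0xC0xx compression pointer is always 2 bytes.
    while data[off] & 0xC0 != 0xC0 and data[off] != 0:
        off += 1 + data[off]
    return off + (2 if data[off] & 0xC0 == 0xC0 else 1)

def parse_response(resp, tid):
    # Returns (rcode, [A records]) or None if the reply is not an answer to our query.
    if len(resp) < 12:
        return None
    rid, flags, qd, an, _, _ = struct.unpack(">HHHHHH", resp[:12])
    if rid != tid or not flags & 0x8000:
        return None
    off, addrs = 12, []
    for _ in range(qd):
        off = _skip_name(resp, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _, _, rdlen = struct.unpack_from(">HHIH", resp, off)
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(resp[off + 10:off + 14]))
        off += 10 + rdlen
    return flags & 0xF, addrs

def probe(server, name="google.com", timeout=2.0):
    # One UDP query with nslookup's default 2 s timeout: (state, parsed, seconds).
    tid, query = build_query(name)
    start = time.monotonic()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(query, (server, 53))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return "timeout", None, time.monotonic() - start
    parsed = parse_response(data, tid)
    return ("ok" if parsed else "bad-reply"), parsed, time.monotonic() - start
if __name__ == "__main__":   # resolver address assumed from the thread; poll every 5 s
    while True:
        print(time.strftime("%H:%M:%S"), *probe("172.16.159.254"), flush=True)
        time.sleep(5)
```

A run of "timeout" lines that starts right after a DHCP lease renewal in Status > System Logs > System > DNS Resolver points at the restart, not at the firewall rule.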
-
@scorpoin said in DNS stop working:
that all of sudden DNS stop working on my lan side .
You actually saw:
Or do you see:
Also a good starting point: the place where you can find the truth, nothing but the truth, etc.:
Status > System Logs > System > DNS Resolver
About pfBlockerNG-devel: if used, and you're on the latest 3.00000 series, this kind of info is not just optional: https://forum.netgate.com/topic/158592/pfblockerng-devel-v3-0-0-no-longer-bound-by-unbound/17 (and Reddit posts, etc.), so yes, options 1 and 3 from here should be unchecked:
Although I guess the latest 00005 version (?) does the check for us. But better check for yourself.
If the Resolver stops without any known reason, don't rest until you've found the reason.
I know mine doesn't stop - never.
@scorpoin said in DNS stop working:
all request if destination is pfsense-IP port is DNS 53 let it pass and block all other if destination is not pfsense-ip
Just keep in mind that you should be aware of your own DNS blocking.
If you see DNS issues, deactivate your firewall rules. Does it pass now? Etc.
Wireshark, if needed, etc.
-
I do occasionally see Service Watchdog restart Unbound (e-mail notify).
It's rare in the current version, but it still happens. I had one on 19/07 this year, and two on 31/10.
/Bingo
-
@gertjan when I check, the server is on green status, meaning running, but on LAN there is no DNS resolving. I'm using the pfBlockerNG-devel 2.x version; I have not updated yet. I don't want to jump directly unless it's safe to use without bugs so far. I've removed the check from DHCP registration for now and will see what happens.
If the issue still occurs, then what's the next step?
Regards