DNS lookups fail
-
I have a basic system,.. running all services from a single physical host.
I have successfully configured two additional ports and a vlan port to serve 5 additional vlans.
I have a DHCP server running on each vlan successfully allocating addresses on each port and vlan,.. and I can view them from the 'status->dhcp leases' menu.
what I cannot do is ping a leased name,...
If I try diagnostics I get the following:
Timings
Name server      Query time
127.0.0.1        0 msec
81.139.56.100    6 msec
81.139.57.100    7 msec
8.8.8.8          7 msec
8.8.4.4          8 msec
with no return address, even though the system apparently looks at itself.
I have not enabled any additional resolvers etc,..
and I have not added / enabled the resolver / forwarder within general setting.
All DNS entries within each Port DHCP services tab are blank,.. so no overrides I believe happening.
so what am I missing?
Many tx -
To tick this one in the unbound resolver settings
But be warned ... It comes at a price.
/Bingo
-
@bingo600 Many tx for your response,.. I have this option already set,.. does it only apply to 'new' leases,.. can I force refresh leases to get their names in the local resolver...
Edit: they seem to be updating, although not all have done so yet.
And what do you mean by 'comes at a price'?
tx -
The price is that Unbound starts and stops repeatedly throughout the day, as leases are given/updated. Causes a lot of log spam because of it, and might even be moments during Unbound restarting that DNS requests time out. I gave up on that option very quickly because of it. I have only static entries registered, since those are more likely to be the devices I access more often... that and anything else would usually have some kind of broadcast or discovery mechanism that I can use to find it instead.
-
@virgiliomi said in DNS lookups fail:
Causes a lot of log spam because of it
pfSense log files are circular, so these logs files won't grow ..... but : if there are issues, the logs will overwrite themselves so useful information gets lost quickly.
The real price is: when a DHCP lease comes in (or renews?), the DNS server (unbound) gets restarted. Doing so will throw away the DNS cache!!!
So, just before the lease, the cache would know what IP facebook.com has, and who Google is. After the restart, unbound has to resolve all these often used DNS requests again, which totally annihilates the usage of a DNS cache.
Things can get even worse, as it has been seen that stupid/cheap devices with stupid DHCP setup request a DHCP-Discover/Renew every xx minutes. So unbound was restarting every xx minutes.
Worse! People start to use pfBlockerNG with big feeds, so it takes time - many tens of seconds - for unbound to restart, as it has to parse all the files with DNS info. This will impact the quality of your network severely. Btw: the last versions of pfBlockerNG using python mode address this issue.
Rule of thumb: if you need the DNS info of a device on your LAN, as it "serves" something, give it a static DHCP MAC lease. Because the relation between the host name and IP (the lease info) is fixed, the info will be available at boot, and DHCP requests from these devices won't impact (== restart) unbound.
So, this is the perfect set-up :
-
@diyhouse
I totally agree with the other posters wrt. not ticking register dhcp ...TLDR
In fact i'm (on my home lan) not even running DHCP on my pfSense , i'm running DNS and (ISC) DHCP on my linux server. And have set that up with dynamic registrations.
I have 2 sites , my main site , and the summerhouse (OpenVPN linked). Each have two linux'es (one is a Raspi) , and the other a small intel.
My primary DNS zone belongs to the main site , and the summerhouse is set up as secondary DNS w. zonetransfer from the primary. DHCP at both sites reports back to the primary DNS , that registers the DHCP lease in DNS. And does the zone transfer to the secondary DNS servers.
It was a "because I can" exercise, and took quite some time to set up for 2 x 14 VLANs, but the end result is quite good.
I use unbound (forwarding to the linux DNS'es) as my Client (Vlan) DNS , and it resolves all my DHCP leases via the linux bind9 servers. The pfSense(s) also uses the DHCP Relay function , to relay DHCP requests to the Linux DHCP servers.
Using unbound and DHCP Relay , means that none of my clients need to "speak DNS/DHCP" to anything but the pfSense Vlan interface.
If you're not experienced with linux, you prob. don't even want to try that.
At work i just use pfSense DHCP , 100 times easier.
And have accepted not being able to resolve DHCP assigned names.
If someone ever makes unbound able to register DHCP leases with a "HUP signal" instead of a restart, I would always recommend just using unbound, in a simple setup.
/Bingo
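The two-site setup described in the post above (ISC DHCP registering leases into a primary BIND9 zone, a secondary receiving zone transfers, and pfSense unbound forwarding the LAN zone to the BIND servers) as an added configuration example; this is not the poster's own config. All addresses, zone names and file paths are assumptions for illustration (192.0.2.10 main-site primary DNS/DHCP, 203.0.113.10 summerhouse secondary, 198.51.100.0/24 as one relayed client VLAN with pfSense at .1, zone home.example), and the TSIG secret is a placeholder to be generated with tsig-keygen.

```conf
# --- /etc/dhcp/dhcpd.conf on each ISC DHCP server (main site and summerhouse) ---
# Both servers send dynamic updates to the ONE primary DNS, so the secondary
# only ever learns lease names through zone transfer, never through updates.
ddns-updates on;
ddns-update-style standard;         # "interim" on ISC DHCP older than 4.3
ddns-domainname "home.example.";    # forward zone that receives A records
ddns-rev-domainname "in-addr.arpa.";
update-static-leases on;            # register fixed-address hosts as well
authoritative;

key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_KEY";   # placeholder, generate with tsig-keygen
};

zone home.example. {                    # forward zone lives on the primary
    primary 192.0.2.10;
    key ddns-key;
}
zone 100.51.198.in-addr.arpa. {         # reverse zone for the client VLAN
    primary 192.0.2.10;
    key ddns-key;
}

# Client VLAN served through the pfSense DHCP Relay (relay configured in the
# pfSense GUI, pointed at 192.0.2.10 / 203.0.113.10).
subnet 198.51.100.0 netmask 255.255.255.0 {
    range 198.51.100.100 198.51.100.199;
    option routers 198.51.100.1;              # pfSense VLAN interface
    option domain-name-servers 198.51.100.1;  # clients only talk DNS to unbound
    option domain-name "home.example";
}

# --- main site, /etc/bind/named.conf.local on the primary (192.0.2.10) ---
key "ddns-key" {
    algorithm hmac-sha256;
    secret "REPLACE_WITH_BASE64_KEY";       # same placeholder key as dhcpd.conf
};

zone "home.example" {
    type master;                            # "primary" in BIND 9.16+
    file "/var/lib/bind/db.home.example";   # dynamic zone: must be writable by named
    allow-update { key ddns-key; };         # only holders of the TSIG key may update
    allow-transfer { 203.0.113.10; };       # summerhouse secondary only
    also-notify { 203.0.113.10; };
};
zone "100.51.198.in-addr.arpa" {
    type master;
    file "/var/lib/bind/db.198.51.100";
    allow-update { key ddns-key; };
    allow-transfer { 203.0.113.10; };
    also-notify { 203.0.113.10; };
};

# --- summerhouse, named.conf.local on the secondary (203.0.113.10) ---
zone "home.example" {
    type slave;                             # "secondary" in BIND 9.16+
    masters { 192.0.2.10; };                # "primaries" in BIND 9.16+
    file "/var/cache/bind/db.home.example";
};
zone "100.51.198.in-addr.arpa" {
    type slave;
    masters { 192.0.2.10; };
    file "/var/cache/bind/db.198.51.100";
};

# --- pfSense unbound: what a Domain Override for home.example generates ---
server:
    # unbound's rebind protection drops RFC1918 answers from forwarded zones
    # unless the zone is declared private; harmless for the documentation
    # ranges used here, required for a real 10/8 or 192.168/16 LAN.
    private-domain: "home.example."

forward-zone:
    name: "home.example."
    forward-addr: 192.0.2.10
    forward-addr: 203.0.113.10
forward-zone:
    name: "100.51.198.in-addr.arpa."
    forward-addr: 192.0.2.10
    forward-addr: 203.0.113.10
```

Because leases change records inside BIND rather than inside unbound's own configuration, a new lease is a signed UPDATE message to the primary and a NOTIFY to the secondary; unbound keeps running and keeps its cache, which is the restart problem the earlier posts describe. Restricting allow-update to the TSIG key and allow-transfer to the one secondary address is what keeps the dynamic zone from being writable or dumpable by any client on the VLANs.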
-
@bingo600 Tx guys,... some great responses,.. I understand the issues much more now,.. ( it's really nice to have these things explained )...
I think I will drop the 'DHCP registration',.. and go for the static DHCP registration,.. as other folks have said,.. the number of hosts I actually access by name is quite limited,.. certainly not the full list,...
But thanks guys,.. really helpful..