Internal DNS server not working

mk873425

Hi all,

I just moved, and of course I wanted to install my pfSense router. The connection is a VDSL (VPLUS) line. I have a FritzBox 7530 as a modem with PPPoE passthrough enabled. I successfully got it working on pfSense, I have a public IPv4 and can ping to the outside world, great!

However, I'm having a really weird issue with the unbound DNS resolver. The service is running, but it won't resolve anything. I'm using 8.8.8.8 and 8.8.4.4 as my DNS servers under System -> General setup. When I ping using the Ping diagnostic tool in pfSense it resolves just fine. (Both from Source address WAN and Localhost)

But clients using pfSense as their DNS server can only resolve the hostname of the router itself, but won't resolve any public hostnames. When I set 8.8.8.8 and 8.8.4.4 as DNS servers on the clients everything works as expected.

I have been using pfSense for over 5 years, but I've never seen this behavior before.

Any ideas? The pfSense installation is bone stock, except for the fact that I disabled IPv6, and the PPPoE settings of course.

johnpoz

@mk873425 said in Internal DNS server not working:

The service is running, but it won't resolve anything. I'm using 8.8.8.8 and 8.8.4.4 as my DNS servers under System -> General setup.

This has nothing to do with clients asking unbound for something. Unbound out of the box resolves.. It does not forward - so unless you setup unbound to forward. What you put in general has nothing to do with anything. Other than those are NS that pfsense could use..

If your saying unbound can not actually resolve something - then look to why it can not. Do say dig +trace on pfsense.. Can you actually to the roots and other authoritative NS?

[21.02-RELEASE][admin@sg4860.local.lan]/: dig www.google.com +trace

; <<>> DiG 9.16.12 <<>> www.google.com +trace
;; global options: +cmd
.                       82162   IN      NS      i.root-servers.net.
.                       82162   IN      NS      j.root-servers.net.
.                       82162   IN      NS      k.root-servers.net.
.                       82162   IN      NS      l.root-servers.net.
.                       82162   IN      NS      m.root-servers.net.
.                       82162   IN      NS      a.root-servers.net.
.                       82162   IN      NS      b.root-servers.net.
.                       82162   IN      NS      c.root-servers.net.
.                       82162   IN      NS      d.root-servers.net.
.                       82162   IN      NS      e.root-servers.net.
.                       82162   IN      NS      f.root-servers.net.
.                       82162   IN      NS      g.root-servers.net.
.                       82162   IN      NS      h.root-servers.net.
.                       82162   IN      RRSIG   NS 8 0 518400 20210423050000 20210410040000 14631 . Niy8kDI1iRwFte5LMilYe7D8zgTiQI/IC4GXa3Hit3u6ilTYpOp7Z/Lz 8ZfBwBulwjH/xIA7XKqxFU4aYLbxGSZXy5C+Z4ztAAcMaOODFHEJ9yYx E7d3DQY6nNQ8G9ySPVGj6JAZ7zS9BchiuBAB1rTa6ueDlCs6nIWJfUQa PhZai6xJqHvamgDu/ZFx2plwPZ6Egz8ubhiwR5TpaVgMQOj62yK4JS9n MM9htbSXpf5C/+Hd9DH7x6sAZbYpTh6aA9IJ66N3IN/c+QNuPh+swKSg bPhEbDF1QmNHA3aQqX32RQsEqMM1BUHn/i8V439PS7YGISSdmLM2DBSz iEte7g==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 1 ms

com.                    172800  IN      NS      i.gtld-servers.net.
com.                    172800  IN      NS      h.gtld-servers.net.
com.                    172800  IN      NS      g.gtld-servers.net.
com.                    172800  IN      NS      m.gtld-servers.net.
com.                    172800  IN      NS      j.gtld-servers.net.
com.                    172800  IN      NS      e.gtld-servers.net.
com.                    172800  IN      NS      d.gtld-servers.net.
com.                    172800  IN      NS      l.gtld-servers.net.
com.                    172800  IN      NS      f.gtld-servers.net.
com.                    172800  IN      NS      k.gtld-servers.net.
com.                    172800  IN      NS      a.gtld-servers.net.
com.                    172800  IN      NS      b.gtld-servers.net.
com.                    172800  IN      NS      c.gtld-servers.net.
com.                    86400   IN      DS      30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com.                    86400   IN      RRSIG   DS 8 1 86400 20210423050000 20210410040000 14631 . YaqELtyVMPfTfsRClMKDGqEGhBoE9MHSDo7Fo16ivf3owQQCrHmekoYF q8LunOS+3wDpOa3mvVqnXwZzGk6+V3WJYCu8tz9TGywl4Odmvqkb9duY ZZTvLQe9RLxEOx/fu5brt9SfXlK8QXL0EM9dO32XvQYgDkFb0ERnSISh 1X8D5/8tPovS6de3+QVomsJbqyvdYk7nJnv9JLqLR7dnsgtTuG4xOFQ7 IL31AcJ2NuppEB5/O4mwbdYFSPt6qBSdjPOA4fvSQbxVfZ3S28p/jd0X ovfJiHWsNgVsKsA84o9Ob+AxVtcdVstkZDqRDJEBHXHBNZX1ituSq+ZF QTxDrA==
;; Received 1202 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms

google.com.             172800  IN      NS      ns2.google.com.
google.com.             172800  IN      NS      ns1.google.com.
google.com.             172800  IN      NS      ns3.google.com.
google.com.             172800  IN      NS      ns4.google.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q1GIN43N1ARRC9OSM6QPQR81H5M9A NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20210414042407 20210407031407 58540 com. j3cNahya8vattBAZz5eA/EdhnNhz5pLI7Ng99OX+kGI2aBWLMirJYol9 2AZUTUoP3XTEORS714FgcIDtQZAdtsj3fREaDyvyATLeqNSqlRx1MrCg UmK8WOx27g9pL1C3KlKyYqOeq7UbGHJ9QpFZPPaLl2VuJX0MAOHI1YbY yf+Hiqo5zj8Jo7gn45Mq8Xb7HFXqVDADvNiLeJpD18pVNw==
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN NSEC3 1 1 0 - S84BUO64GQCVN69RJFUO6LVC7FSLUNJ5 NS DS RRSIG
S84BDVKNH5AGDSI7F5J0O3NPRHU0G7JQ.com. 86400 IN RRSIG NSEC3 8 2 86400 20210415042141 20210408031141 58540 com. s06QZrjWbZ4oIX+dpR35Ld44X5T1No7APc7AJ+N/LEIWy56YD8NLXwl3 4a8VuYUeiex/z8qAkt917FLtgulzGHSISRH2JCeAg4jxs3CjRILT1OAY frmJUeyOejA1ndfXVx0cvFv+80PGcKDhf9GJFsef7Ajn+17kFT8Rk0ty krnGH04wzxTYn+N3idT98hu9oBe4A22SVbVf14haKTE+fQ==
;; Received 840 bytes from 192.54.112.30#53(h.gtld-servers.net) in 25 ms

www.google.com.         300     IN      A       172.217.6.4
;; Received 59 bytes from 216.239.34.10#53(ns2.google.com) in 29 ms

[21.02-RELEASE][admin@sg4860.local.lan]/: 

mk873425

@johnpoz
If I perform a dig, the connection times out. No servers could be reached.

johnpoz

Well then you have something wrong... You should be able to talk to the root servers or any other dns you want to on the planet.

float

@johnpoz @mk873425
I have the same problem with the same hardware (FritzBox 7530) and a Netgate 7100. Without a PPPoE connection the resolver responds (few ms). When the connection is established, the resolver doesn't respond any longer (no response). All the root servers timeout.

login-to-view

When I use it in forwarder mode, everything works. I tried it after a reinstall of pfSense: same thing. Resolver works on 127.0.0.1 without PPPoE-connection. Resolver stops working on 127.0.0.1 with PPPoE-connection.

Cool_Corona

@float Fritzbox is blocking DNS to everything else than their own?

float

@cool_corona I only use it as a modem - pfsense builds the PPPoE-connection. I can also use any other DNS servers like Google, CloudFare, etc. except the root servers. Those all timeout.

mk873425

@cool_corona I think so, I already contacted AVM about it, they say they can't do anything about it. I've swapped the Fritz for a Zyxel modem, all is working well now.

mk873425

@float The issue lies with the Fritz Box, it's somehow blocking DNS, tried everything but couldn't get the resolver to work, only the forwarder. Swapped it out for a Zyxel modem, everything is working as it should now.

norbi771

Hi,
After a power failure, I have a similar issue.
I cannot resolve anything.

cat /etc/resolv.conf
nameserver 8.8.8.8
nameserver 8.8.4.4
search corp

root: dig www.google.pl +trace

; <<>> DiG 9.12.2-P1 <<>> www.google.pl +trace
;; global options: +cmd
;; connection timed out; no servers could be reached

root: dig @8.8.8.8 www.google.pl +trace

; <<>> DiG 9.12.2-P1 <<>> @8.8.8.8 www.google.pl +trace
; (1 server found)
;; global options: +cmd
;; connection timed out; no servers could be reached

Normally, I use forwarder.
After power failure users reported that they cannot access the internet, and it looked like the forwarder issue.

I then realized that PFSense itself cannot resolve anything.
I disabled forwarder and resolver, to be sure they do not mess with my tests.

I never saw anything like that.

Can somebody comment on that, please?

float

FYI, AVM is looking at the problem.

norbi771

In my case it was another device, which was connected to PFSENSE, causing the problem.

float

Update from AVM:

We are still examining your reported DNS issue, yet are unable to find any causes on side of the FRITZ!Box.

We are therefore continuing our investigations regarding this issue based on your data. As far it is reproducible and on our part solvable issue, we will provide a solution with a forthcoming firmware update for your FRITZ!Box. As the FRITZ!OS development is a complex process, we are unable to offer a short-term solution.

Please test whether any improvement of the behaviour can be achieved when a new firmware update for your FRITZ!Box has been released. We will get in touch with you if we can offer any solutions for you or give you the exact external cause.

norKoeri

The thread is a bit old, but since June 2024 the latest FRITZ!OS addresses this issue: ‘Im PPPoE-Passthrough-Betrieb der FRITZ!Box werden DNS-"Root Queries" über UDP nicht mehr gefiltert’.

When I reported the issue, AVM found the culprit, a Firewall rule. Furthermore, just UDP/IPv4 was affected, TCP or IPv6 worked for DNS root queries.

Consequently, with the upcoming FRITZ!OS 8, this should be fixed for everyone. Not sure if @mk873425 @float (or someone registered for notifications to this thread) still uses a FRITZ!Box as DSL modem, anyway please give it a try. @mk873425 I think you had a Reddit about this as well, please, update there if still possible.