DNS resolver refuses queries via IPv6
Running pfSense CE 2.5.2-RC on a Qotom with 4 ports. 1 WAN, 3 LANs, of which LAN1 is always connected, LAN2 is unplugged at night, LAN3 is mostly unused and unplugged.
After pfSense is rebooted, the DNS resolver refuses queries via IPv6 (on at least LAN1 and LAN2 I've checked). If I restart the DNS resolver in the web interface, after that it responds to queries via IPv6, until the next reboot.
This recently became an issue I noticed on my work PC, I think after a Windows 10 update to 21H1. Before that, I'm not sure if Windows 10 had done a fall-back to IPv4, or if pfSense had not being failing in this way earlier. The rest of the home runs Linux and Android stuff, and none of them seem to be affected, so I guess they're automatically falling back to IPv4.
Time to do some packet captures to see what's happening. Given that it works with Linux and Android, that implies something different with W10 since the update.
BTW, I have W10 here with the latest update and haven't noticed any issue, but then I don't use Windows much.
First guess, W10 isn't using the correct IPv6 address. Normally, RDNSS is used to pass the IPv6 DNS address, but if you have something misconfigured, that can cause problems as you describe. Make sure you haven't configured a DNS server for IPv6. No need to configure on IPv4 either, as DHCP provides the address.
I should clarify, that when I say it "works" with Linux and Android, I mean when running apps normally. Eg Firefox on Linux has no errors accessing web sites. I assume the Linux DNS query service (systemd?) is normally doing a fall-back to IPv4 queries behind-the-scenes. Whereas the first I noticed the problem on Windows was when Firefox was giving intermittent errors something like "we can't access this site", which would usually resolve when clicking Retry.
It's when I did a
nslookup example.com <pfSense-LAN-IPv6>on Windows that I saw the DNS queries being refused. Likewise, on Linux if I did
dig example.com @<pfSense-LAN-IPv6>I also saw they were being refused. After a restart of the pfSense DNS resolver, both of those started working.
On the local LAN, the pfSense DHCP provides the pfSense LAN address as the DNS server, and IPv6 router advertisement provides the pfSense LAN IPv6 address as the DNS server. Those addresses both look correct. DNS queries through the IPv4 address work fine. And after a restart of the pfSense DNS resolver, DNS queries resolve correctly through the IPv6 address.
The RA and DHCP may look fine, but there are also settings on the Windows end. If you go into IPv6 properties, you can set it to obtain the DNS address automatically or you can set it manually. If set manually, is it correct? Again, packet captures may tell you what's happening. You can use Packet Capture on pfsense or Wireshark on the Windows and Linux computers. Setting it manually is fine on a computer that never moves off the network, but you'd want to do it automagically on a portable computer that may be used elsewhere.
Also, you can manually set the address the RA provides, but if that's wrong, it would affect everything.
The essence of the issue, as I reported, is that pfSense DNS resolver refuses DNS queries via its IPv6 address, from boot until the DNS resolver is manually restarted.
What I reported about Windows 10 is really just some background information that, in the end, means I'm uncertain about how long pfSense has exhibited the issue. I upgraded Windows 10 to 21H1 on June 15, and I upgraded pfSense from 2.4.5-p1 to 2.5.2-RC on June 16. So I'm not sure which of those is the reason I started seeing DNS look-up failures appear on the Windows PC.
I verified this on Windows by doing
nslookup example.com 2403:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:bb42
I have verified this on Linux by doing
dig example.com @2403:xxxx:xxxx:xxxx:xxxx:xxxx:xxxx:bb42
In both cases, after pfSense had been rebooted, the lookups failed. But then after I had manually restarted pfSense's DNS resolver using the web interface, the lookups succeeded after that.
I had manually restarted pfSense's DNS resolver using the web interface
And what interfaces do you have unbound listening on? The default is ALL, did you alter that?
You wouldn't be able to do a query to an any address on pfsense if unbound is not listening on that addess.
Since your not doing the query to link-local address for IPv6, its possible when unbound started the IPv6 your doing query to was not available, or it changed after unbound started.
Next time it happens, before you restart anything - validate that unbound is actually listening on the IP be it v4 or v6 is actually being listened on. Netstat would show you the IP being listened on for dns by unbound
In checking this, I came across something curious. On one W10 system, the DNS requests are IPv6, but IPv4 on the other, even though both have a valid IPv6 DNS configured. Ipconfig shows the IPv6 address listed first on one system and last on the other, reflecting which is used. A search on the Internet shows this is a "feature" of Windows 10, but there doesn't appear to be a fix.
Regardless, packet captures are useful to see what's actually happening. If I hadn't done that, I wouldn't have noticed that one W10 system was asking via IPv4. Please try some packet captures, so that you know what's actually on the wire.
@jknott Windows doesn't use configured DNS servers in order, it remembers the "last success" and prefers that one. It's not new in W10. People get in trouble all the time by listing their domain controller IPs first and public DNS "as a backup" and end up having network problems when the PC can't find the domain on the public DNS.
@cmcqueen Can you ping the router LAN IPv6 when in the "bad" state? This is probably not your issue but after setting up a Hurricane Electric tunnel recently, I found the PCs could connect out over IPv6 but could not ping the LAN IPv6 nor resolve DNS until the router was restarted. Couldn't seem to duplicate it afterwards which is odder.