Netgate Discussion Forum

    Unable to resolve opensuse.org with pfSense DNS resolver

    DHCP and DNS
    12 Posts 7 Posters 1.0k Views
    • D
      dimangelid
      last edited by dimangelid

      Hello,

      I have a pfSense 2.4.5-RELEASE-p1 installation at home.

      I was using DNS resolver in forwarding mode (resolving through 1.1.1.1 and 1.0.0.1), but recently decided to disable forwarding mode.

      I just removed "Enable Forwarding Mode", saved the changes and everything is working just fine.

      Today I wanted to download openSUSE, but opensuse.org could not be resolved. Indeed, the command nslookup opensuse.org fails from any computer on my home network, even from the pfSense itself:

      From a Windows 10 computer

      windows_10_nslookup.txt

      From the pfsense itself

      pfsense_nslookup.txt

      From a CentOS 7 VM

      centos7_nslookup.txt

      If I do an nslookup from any of the above machines directly to any public nameserver (for example nslookup opensuse.org 1.1.1.1), then opensuse.org resolves just fine.

      Doing dig opensuse.org +trace from the pfSense itself has the results below:

      pfsense_dig_trace.txt

      From the above results, I can understand that it cannot find IP addresses for the nsX.opensuse.org nameservers.

      DNSSEC is disabled. I tried to enable it and restart the resolver, but I did not get any result. Rebooting the pfSense also did not have any result.

      The issue seems really strange, since I only face it with opensuse.org.

      There is no entry anywhere in the pfSense resolver for any subdomain of opensuse.org.

      1.1.1.1 and 1.0.0.1 have been removed from System --> General Setup --> DNS Server Settings

      I attach screenshots with the pfsense resolver settings.

      Does anyone have an idea why this issue occurs?

      2021_08_11_00_15_55_Greenshot.png

      2021_08_11_00_16_55_Greenshot.png

      2021_08_11_00_17_28_Greenshot.png

      2021_08_11_00_18_00_Greenshot.png

      1 Reply Last reply Reply Quote 1
      • D
        dimangelid
        last edited by

        Hello to all. I also made a test installation of the latest pfSense version (2.5.2) and exactly the same issue occurs.

        Does anyone have an idea why this is happening?

        If someone using DNS Resolver without forwarding mode could test resolving opensuse.org, it would be great. And if he can resolve it, it would be very useful to provide some screenshots of the DNS Resolver settings.

        mr.roshM JKnottJ 2 Replies Last reply Reply Quote 1
        • mr.roshM
          mr.rosh @dimangelid
          last edited by

          @dimangelid
          Have you restarted the unbound service after you made the change?

          johnpozJ 1 Reply Last reply Reply Quote 0
          • johnpozJ
            johnpoz LAYER 8 Global Moderator @mr.rosh
            last edited by johnpoz

            Resolves fine here..

            Did you do a trace to see where it's failing?

            [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org +trace +nodnssec

            ; <<>> DiG 9.16.16 <<>> opensuse.org +trace +nodnssec
            ;; global options: +cmd
            .                       29855   IN      NS      h.root-servers.net.
            .                       29855   IN      NS      l.root-servers.net.
            .                       29855   IN      NS      j.root-servers.net.
            .                       29855   IN      NS      e.root-servers.net.
            .                       29855   IN      NS      m.root-servers.net.
            .                       29855   IN      NS      i.root-servers.net.
            .                       29855   IN      NS      a.root-servers.net.
            .                       29855   IN      NS      k.root-servers.net.
            .                       29855   IN      NS      b.root-servers.net.
            .                       29855   IN      NS      d.root-servers.net.
            .                       29855   IN      NS      f.root-servers.net.
            .                       29855   IN      NS      c.root-servers.net.
            .                       29855   IN      NS      g.root-servers.net.
            ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

            org.                    172800  IN      NS      a0.org.afilias-nst.info.
            org.                    172800  IN      NS      a2.org.afilias-nst.info.
            org.                    172800  IN      NS      b0.org.afilias-nst.org.
            org.                    172800  IN      NS      b2.org.afilias-nst.org.
            org.                    172800  IN      NS      c0.org.afilias-nst.info.
            org.                    172800  IN      NS      d0.org.afilias-nst.org.
            ;; Received 443 bytes from 2001:500:a8::e#53(e.root-servers.net) in 13 ms

            opensuse.org.           86400   IN      NS      ns3.opensuse.org.
            opensuse.org.           86400   IN      NS      ns4.opensuse.org.
            opensuse.org.           86400   IN      NS      ns1.opensuse.org.
            opensuse.org.           86400   IN      NS      ns2.opensuse.org.
            ;; Received 289 bytes from 2001:500:f::1#53(d0.org.afilias-nst.org) in 27 ms

            opensuse.org.           1800    IN      A       195.135.221.140
            ;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 123 ms

            [21.05.1-RELEASE][admin@sg4860.local.lan]/root:

            I did the trace without dnssec just to keep the trace cleaner. But it resolves just fine here, using dnssec.

            [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig opensuse.org 
            
            ; <<>> DiG 9.16.16 <<>> opensuse.org
            ;; global options: +cmd
            ;; Got answer:
            ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 7893
            ;; flags: qr rd ra ad; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
            
            ;; OPT PSEUDOSECTION:
            ; EDNS: version: 0, flags:; udp: 4096
            ;; QUESTION SECTION:
            ;opensuse.org.                  IN      A
            
            ;; ANSWER SECTION:
            opensuse.org.           3043    IN      A       195.135.221.140
            
            ;; Query time: 0 msec
            ;; SERVER: 127.0.0.1#53(127.0.0.1)
            ;; WHEN: Fri Aug 27 00:09:34 CDT 2021
            ;; MSG SIZE  rcvd: 57
            
            [21.05.1-RELEASE][admin@sg4860.local.lan]/root: 
            

            The problem is not related to your settings.. It would resolve with out of the box settings. So you have nothing in your custom options? You're not showing them.

            Works just fine without ipv6 as well.

            [21.05.1-RELEASE][admin@sg4860.local.lan]/root: dig -4 opensuse.org +trace +nodnssec
            
            ; <<>> DiG 9.16.16 <<>> -4 opensuse.org +trace +nodnssec
            ;; global options: +cmd
            .                       29622   IN      NS      c.root-servers.net.
            .                       29622   IN      NS      g.root-servers.net.
            .                       29622   IN      NS      h.root-servers.net.
            .                       29622   IN      NS      l.root-servers.net.
            .                       29622   IN      NS      j.root-servers.net.
            .                       29622   IN      NS      e.root-servers.net.
            .                       29622   IN      NS      m.root-servers.net.
            .                       29622   IN      NS      i.root-servers.net.
            .                       29622   IN      NS      a.root-servers.net.
            .                       29622   IN      NS      k.root-servers.net.
            .                       29622   IN      NS      b.root-servers.net.
            .                       29622   IN      NS      d.root-servers.net.
            .                       29622   IN      NS      f.root-servers.net.
            ;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
            
            org.                    172800  IN      NS      a2.org.afilias-nst.info.
            org.                    172800  IN      NS      d0.org.afilias-nst.org.
            org.                    172800  IN      NS      b0.org.afilias-nst.org.
            org.                    172800  IN      NS      c0.org.afilias-nst.info.
            org.                    172800  IN      NS      b2.org.afilias-nst.org.
            org.                    172800  IN      NS      a0.org.afilias-nst.info.
            ;; Received 471 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms
            
            opensuse.org.           86400   IN      NS      ns1.opensuse.org.
            opensuse.org.           86400   IN      NS      ns3.opensuse.org.
            opensuse.org.           86400   IN      NS      ns2.opensuse.org.
            opensuse.org.           86400   IN      NS      ns4.opensuse.org.
            ;; Received 289 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 90 ms
            
            opensuse.org.           1800    IN      A       195.135.221.140
            ;; Received 85 bytes from 195.135.221.195#53(ns4.opensuse.org) in 130 ms
            
            [21.05.1-RELEASE][admin@sg4860.local.lan]/root: 
            

            If you're having trouble resolving - first thing to do is a trace to see where it's failing. Oh, you're failing talking to the specific ns

            couldn't get address for 'ns1.opensuse.org': not found
            couldn't get address for 'ns4.opensuse.org': not found
            couldn't get address for 'ns3.opensuse.org': not found
            couldn't get address for 'ns2.opensuse.org': not found
            
            ;; ADDITIONAL SECTION:
            ns1.opensuse.org.       86400   IN      A       62.146.92.204
            ns2.opensuse.org.       86400   IN      A       195.135.221.196
            ns3.opensuse.org.       86400   IN      A       91.193.113.68
            ns4.opensuse.org.       86400   IN      A       195.135.221.195
            

            Can you query one of them directly? Can you talk to any of the afiliates?

            ;; AUTHORITY SECTION:
            org.                    172800  IN      NS      a0.org.afilias-nst.info.
            org.                    172800  IN      NS      a2.org.afilias-nst.info.
            org.                    172800  IN      NS      b0.org.afilias-nst.org.
            org.                    172800  IN      NS      b2.org.afilias-nst.org.
            org.                    172800  IN      NS      c0.org.afilias-nst.info.
            org.                    172800  IN      NS      d0.org.afilias-nst.org.
            
            ;; ADDITIONAL SECTION:
            a0.org.afilias-nst.info. 172800 IN      A       199.19.56.1
            a0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:e::1
            a2.org.afilias-nst.info. 172800 IN      A       199.249.112.1
            a2.org.afilias-nst.info. 172800 IN      AAAA    2001:500:40::1
            b0.org.afilias-nst.org. 172800  IN      A       199.19.54.1
            b0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:c::1
            b2.org.afilias-nst.org. 172800  IN      A       199.249.120.1
            b2.org.afilias-nst.org. 172800  IN      AAAA    2001:500:48::1
            c0.org.afilias-nst.info. 172800 IN      A       199.19.53.1
            c0.org.afilias-nst.info. 172800 IN      AAAA    2001:500:b::1
            d0.org.afilias-nst.org. 172800  IN      A       199.19.57.1
            d0.org.afilias-nst.org. 172800  IN      AAAA    2001:500:f::1
            

            Try asking one of them for ns1,2,3,4.opensuse.org, then can you talk to any of the ns for opensuse.org?

            An intelligent man is sometimes forced to be drunk to spend time with his fools
            If you get confused: Listen to the Music Play
            Please don't Chat/PM me for help, unless mod related
            SG-4860 24.11 | Lab VMs 2.8, 24.11

            1 Reply Last reply Reply Quote 0
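The check described in the post above (run a trace, see where it stops, then ask the parent zone's servers directly for the name servers that could not be found), as an added example that is not part of the original thread. The function names `sample_trace`, `trace_summary` and `next_checks` are hypothetical, and the sample trace is constructed from lines quoted in the posts, not taken from the original poster's attachment.

```sh
#!/bin/sh
# Added example (not from the thread): find where a saved `dig +trace` stopped.
# Function names are hypothetical; the sample below is constructed from
# lines quoted in the posts above.

sample_trace() {
cat <<'EOF'
; <<>> DiG 9.16.16 <<>> -4 opensuse.org +trace +nodnssec
;; global options: +cmd
.                       29622   IN      NS      c.root-servers.net.
.                       29622   IN      NS      a.root-servers.net.
;; Received 239 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

org.                    172800  IN      NS      a0.org.afilias-nst.info.
org.                    172800  IN      NS      d0.org.afilias-nst.org.
;; Received 471 bytes from 192.33.4.12#53(c.root-servers.net) in 13 ms

opensuse.org.           86400   IN      NS      ns1.opensuse.org.
opensuse.org.           86400   IN      NS      ns4.opensuse.org.
;; Received 289 bytes from 199.19.56.1#53(a0.org.afilias-nst.info) in 90 ms

couldn't get address for 'ns1.opensuse.org': not found
couldn't get address for 'ns4.opensuse.org': not found
EOF
}

# Reads dig +trace output on stdin and prints one line:
#   OK <owner> <type> <rdata> from <server address>
#   STUCK zone=<last delegation seen> parent=<server that gave it> missing=<ns,...>
trace_summary() {
  awk '
    $3 == "IN" && $4 == "NS" { zone = $1; pending = 1; next }
    $3 == "IN" && ($4 == "A" || $4 == "AAAA") { answer = $1 " " $4 " " $5; next }
    /^;; Received / {            # ";; Received N bytes from ADDR#53(NAME) in T ms"
      addr = $6; sub(/#.*/, "", addr)
      if (pending) { last_zone = zone; last_addr = addr; pending = 0 }
      if (answer != "") ans_from = addr
      next
    }
    /couldn.t get address for/ { # the server name is the last quoted field (\047)
      n = split($0, q, "\047")
      if (n >= 3) missing = (missing == "" ? "" : missing ",") q[n - 1]
    }
    END {
      if (pending) { last_zone = zone; last_addr = "unknown" }
      if (answer != "") printf "OK %s from %s\n", answer, ans_from
      else printf "STUCK zone=%s parent=%s missing=%s\n", last_zone, last_addr, missing
    }'
}

# Turns a STUCK summary into the direct, non-recursive queries to try next:
# ask the parent zone server for the address of each name server dig could not find.
next_checks() {
  case $1 in STUCK*) ;; *) return 0 ;; esac
  parent=${1#*parent=}; parent=${parent%% *}
  missing=${1#*missing=}
  old_ifs=$IFS; IFS=,
  for ns in $missing; do
    printf 'dig @%s %s A +norecurse\n' "$parent" "$ns"
  done
  IFS=$old_ifs
}

summary=$(sample_trace | trace_summary)
echo "$summary"
next_checks "$summary"
```

To use it on a real trace, save the output with `dig opensuse.org +trace +nodnssec > trace.txt 2>&1` and run `trace_summary < trace.txt`; a `STUCK` line with an empty `missing=` list means the servers for the next zone down never answered at all.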
            • JKnottJ
              JKnott @dimangelid
              last edited by

              @dimangelid said in Unable to resolve opensuse.org with pfSense DNS resolver:

              Does anyone have an idea why this is happening?

              It's always worked for me.

              PfSense running on Qotom mini PC
              i5 CPU, 4 GB memory, 32 GB SSD & 4 Intel Gb Ethernet ports.
              UniFi AC-Lite access point

              I haven't lost my mind. It's around here...somewhere...

              1 Reply Last reply Reply Quote 0
              • J
                j03man
                last edited by

                I have the same problem with a fresh install of pfSense v2.5.2 installed on a VM using VMware Workstation Pro. I installed it because I wanted to isolate some VMs behind a firewall from the rest of my LAN.

                DNS Resolver simply does not work at all if DNS Forwarding is not on, which to me defeats the purpose altogether of having a "resolver"...

                I had to turn Resolver OFF and turn Forwarder ON to go around the issue but I have not found a solution that allows me to use Resolver or a reasonable explanation of what I am misinterpreting from DNS Resolver intended functionality.

                johnpozJ 1 Reply Last reply Reply Quote 0
                • johnpozJ
                  johnpoz LAYER 8 Global Moderator @j03man
                  last edited by

                  Well resolver can not work if you can not talk to roots.. It's that simple - resolver directly talks to roots, and the gtld servers, then the authoritative name servers for the domain you're looking up. If you're having issues talking to these - then resolver is not going to work..


                  J 1 Reply Last reply Reply Quote 1
                  • J
                    j03man @johnpoz
                    last edited by j03man

                    @johnpoz Thank you for your reply. Certainly appreciate it. Could this be then answered with a simple yes or no based on the following affirmation:

                    DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                    If your answer is yes, which to my understanding it should be; then how could you describe the difference between DNS Resolver and DNS Forwarder?

                    They both resolve queries to the outside world and they both can provide DHCP lease to DNS registration for LAN host resolution as well as manual hosts registration for static IP configurations.

                    All I'm saying is: Resolver and Forwarder are the same thing with different names. Could setup either and both will deliver same outcome/functionality.

                    Thanks again for your time and feedback, I'm sure it's helpful to many. 🙂

                    GertjanG johnpozJ 2 Replies Last reply Reply Quote 0
                    • GertjanG
                      Gertjan @j03man
                      last edited by

                      @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                      DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                      Euh.... No.

                      Unbound using resolver mode doesn't need any settings.
                      It has the list with the 13 known Internet DNS root servers built in.

                      It needs at least one working WAN uplink so it can make requests against those servers.

                      When you install pfSense, all this will "work out of the box" - no user configuration needed.

                      It doesn't work : great : someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....

                      Resolving is needed if you want to make use of DNSSEC.

                      Forwarding has its own advantages, but is mostly something of the past.

                      No "help me" PM's please. Use the forum, the community will thank you.
                      Edit : and where are the logs ??

                      1 1 Reply Last reply Reply Quote 1
                      • johnpozJ
                        johnpoz LAYER 8 Global Moderator @j03man
                        last edited by

                        @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                        All I'm saying is: Resolver and Forwarder are the same thing with different names

                        Not even close to the same thing.. You do not understand how a resolver works, if you think it's anything like forwarding to googledns, which then resolves what you asked for.. There is always a resolver somewhere in the line.


                        1 Reply Last reply Reply Quote 1
                        • 1
                          1ntr0v3rt3ch @Gertjan
                          last edited by

                          @gertjan said in Unable to resolve opensuse.org with pfSense DNS resolver:

                          @j03man said in Unable to resolve opensuse.org with pfSense DNS resolver:

                          DNS Resolver will not resolve queries to google.com (for example) unless forwarders are ticked and properly configured under "System / General Setup / DNS Servers or DNS Server Override.

                          Euh.... No.

                          Unbound using resolver mode doesn't need any settings.
                          It has the list with the 13 known Internet DNS root servers built in.

                          It needs at least one working WAN uplink so it can make requests against those servers.

                          When you install pfSense, all this will "work out of the box" - no user configuration needed.

                          It doesn't work : great : someone is blocking your access to the main 13 Internet DNS servers. Change to another ISP ....

                          Resolving is needed if you want to make use of DNSSEC.

                          Forwarding has its own advantages, but is mostly something of the past.

                          Upon reading this reply, I'm thinking this is the problem with my current setup: https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8

                          GertjanG 1 Reply Last reply Reply Quote 1
                          • GertjanG
                            Gertjan @1ntr0v3rt3ch
                            last edited by

                            @1ntr0v3rt3ch said in Unable to resolve opensuse.org with pfSense DNS resolver:

                            https://forum.netgate.com/topic/166780/add-dns-in-dhcp-server-settings-required/8

                            When you set up pfSense, there is no need to enter anywhere '8.8.8.8' or '8.8.4.4'.
                            These two - or any others - are mentioned nowhere in the pfSense manual.

                            Again : the default Resolver doesn't need any setting to be altered : it works out of the box.
                            But : if you have some sort of contract with Alphabet corporation - (aka Google) that you have to hand over all your 'private' DNS requests, then, ok, why not.

                            I don't think an ISP exists that actually blocks you from accessing basic Internet servers like the 13 root servers. And even if they exist, because, after all, it's a free world, so why not. It will be the ISP without clients, that's for sure.


                            1 Reply Last reply Reply Quote 3
                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.