Netgate Discussion Forum

Newbie having DNS problems

  • B
    BriarPatch
    last edited by Jan 29, 2022, 6:59 PM

    Hello, I hope that someone can offer advice?
    I've purchased one of the 4 port Intel(R) Celeron(R) J4125 CPU @ 2.00GHz boxes to run pfsense. Apparently it has 2.5GHz NICs. The unit came with pfsense version 2.5.0? Installed and I was expecting it to work out of the box. I have a BT Smart Home Hub v2 as the modem and originally connected to the first network port (igc0) via DHCP for the WAN with the second port (igc1) acting as the LAN interface which I originally configured as 192.168.3.1 however I just couldn't get the dns to work using either the DNS Forwarder or DNS Resolver.
    Since then I decided to upgrade to version 2.5.2 and the current settings are: HomeHub on the 192.168.2.X network with the hub at 192.168.2.254; the pfsense WAN port at 192.168.2.2 (via DHCP) and the LAN on 192.168.1.1 with DHCP enabled. However I just can't get the dns to work from within pfsense, as a consequence the package manager can't show any packages etc.
    The interface must be passing dns requests as when I configure the dns on my windows machine on the 192.168.1.X subnet it all works OK.
    Bear in mind that I'm now probably on my 5th install to try and get it working. I can SSH in on the 192.168.1.1 port and, on previous installs, I could access the web-configurator on 192.168.1.1. However this time I can only access it via the 192.168.2.2 i.e. the WAN side. I've no idea why this should work?
    From the terminal I can ping IP addresses OK i.e. 8.8.8.8 & 192.168.2.254 but not when I use a name i.e. www.bbc.co.uk. I've added a host override for www.bbc.co.uk and that works fine from the terminal and also from the DNS Lookup page returning from 127.0.0.1 in 0ms but no response from 192.168.2.254 or 8.8.8.8.
    Whilst I had clients working OK when not using DNS Forwarder or the DNS Resolver (i.e. just using 192.168.2.254 for the dns server) pfsense itself was unable to find anything.
    Have you any suggestions on what to change or how to check things? Also any suggestions as to why I can access the web configurator from the WAN address and not the LAN address?
    Currently I have the DNS resolver enabled.
    I've gone through the manual pages, disabled DNSSEC etc. but still nothing works except the host override.
    Any suggestions on how to get the dns working gratefully received.
    Best wishes,
    J

    J 1 Reply Last reply Jan 29, 2022, 7:57 PM Reply Quote 0
    • J
      johnpoz LAYER 8 Global Moderator @BriarPatch
      last edited by Jan 29, 2022, 7:57 PM

      @briarpatch said in Newbie having DNS problems:

      The unit came with pfsense version 2.5.0? Installed

      That is supposed to be a big no-no to be honest.. @stephenw10

      However this time I can only access it via the 192.168.2.2 i.e. the WAN side

      Well that is broken..

      But if your upstream is not allowing to talk to root dns then unbound would not work in its default resolver mode. Is your upstream device blocking other dns? Is it redirecting dns to itself and then forwarding to something..

      An intelligent man is sometimes forced to be drunk to spend time with his fools
      If you get confused: Listen to the Music Play
      Please don't Chat/PM me for help, unless mod related
      SG-4860 24.11 | Lab VMs 2.8, 24.11

      B 1 Reply Last reply Jan 29, 2022, 8:53 PM Reply Quote 0
      • B
        BriarPatch @johnpoz
        last edited by Jan 29, 2022, 8:53 PM

        @johnpoz
        Hello John,
        Many thanks for getting back to me. I've now done another 4) Reset to Factory Defaults and switched from the Chrome browser to Firefox on a Windows machine. I now have a tab open on 192.168.1.1 and another on 192.168.2.2, both showing the pfsense gui! Under services I have dhcpd, dpinger, pcscd, sshd, syslogd, unbound. Initially unbound showed a red error but on restart it's gone to a green tick. I can SSH in on 192.168.1.1 and ping to any numerical IP but not to any name.
        Any suggestions ?
        Best wishes,
        J

        J 1 Reply Last reply Jan 29, 2022, 10:11 PM Reply Quote 0
        • J
          johnpoz LAYER 8 Global Moderator @BriarPatch
          last edited by johnpoz Jan 29, 2022, 10:11 PM Jan 29, 2022, 10:11 PM

          @briarpatch again, if dns is not working then internet is not going to work.. Your pfsense is behind something.. Is it blocking other dns, is it intercepting and forwarding?

          Do a sniff on pfsense wan, and then query something.. you should see it go ask the roots and then the gtld servers then the authoritative ns for whatever you're looking for - if you're not getting answers then internet is not going to work..

          This should and would work right out of the box unless you have something blocking or manipulating your dns upstream.. Many a soho router can be set to do dns interception and then forward to isp or whatever, well, trying to resolve through something like that is not going to work.

          Set pfsense to forward vs resolve - does that work?


          1 Reply Last reply Reply Quote 0
          • B
            BriarPatch
            last edited by BriarPatch Jan 30, 2022, 12:14 PM Jan 30, 2022, 12:10 PM

            Hello John,
            Again thanks for the suggestions. I have a windows PC on the lan port at 192.168.1.4. I've set up the Packet Capture in pfsense and set it for 192.168.2.254 and port 53. The windows machine seems to be doing dns requests and getting data back. Examples below.
            11:46:40.748642 IP 192.168.1.4.64469 > 192.168.2.254.53: UDP, length 34
            11:46:40.748645 IP 192.168.1.4.56846 > 192.168.2.254.53: UDP, length 39
            11:46:40.748653 IP 192.168.1.4.56907 > 192.168.2.254.53: UDP, length 44
            11:46:40.761055 IP 192.168.2.254.53 > 192.168.1.4.56907: UDP, length 108
            11:46:40.761694 IP 192.168.2.254.53 > 192.168.1.4.64469: UDP, length 79
            11:46:40.762042 IP 192.168.1.4.63707 > 192.168.2.254.53: UDP, length 44
            11:46:40.762417 IP 192.168.1.4.64563 > 192.168.2.254.53: UDP, length 36
            11:46:40.762870 IP 192.168.2.254.53 > 192.168.1.4.63707: UDP, length 108
            11:46:40.763265 IP 192.168.2.254.53 > 192.168.1.4.64563: UDP, length 52
            11:46:40.763500 IP 192.168.1.4.58710 > 192.168.2.254.53: UDP, length 44
            11:46:40.770867 IP 192.168.1.4.56082 > 192.168.2.254.53: UDP, length 36
            11:46:40.776772 IP 192.168.2.254.53 > 192.168.1.4.58710: UDP, length 128
            11:46:40.777831 IP 192.168.1.4.63665 > 192.168.2.254.53: UDP, length 26
            11:46:40.783043 IP 192.168.2.254.53 > 192.168.1.4.56082: UDP, length 64
            11:46:40.783759 IP 192.168.1.4.50791 > 192.168.2.254.53: UDP, length 33
            cat /etc/resolv.conf gives

            nameserver 127.0.0.1
            nameserver 192.168.2.254
            search home

            on the pfsense box.
            Setting the packet capture to 192.168.2.2 on port 53 does show some dns requests
            12:01:18.627311 IP 192.168.2.2.11461 > 192.168.2.254.53: UDP, length 34
            12:01:18.627317 IP 192.168.2.2.19288 > 192.168.2.254.53: UDP, length 39
            12:01:18.628102 IP 192.168.2.2.59405 > 192.168.2.254.53: UDP, length 44
            12:01:18.629202 IP 192.168.2.254.53 > 192.168.2.2.59405: UDP, length 44
            12:01:18.630956 IP 192.168.2.2.15146 > 192.168.2.254.53: UDP, length 33
            12:01:18.638756 IP 192.168.2.254.53 > 192.168.2.2.11461: UDP, length 79
            12:01:18.639562 IP 192.168.2.2.11088 > 192.168.2.254.53: UDP, length 36
            12:01:18.640096 IP 192.168.2.254.53 > 192.168.2.2.11088: UDP, length 52
            12:01:18.641421 IP 192.168.2.2.33404 > 192.168.2.254.53: UDP, length 29
            12:01:18.644422 IP 192.168.2.254.53 > 192.168.2.2.15146: UDP, length 72
            12:01:18.645149 IP 192.168.2.2.53506 > 192.168.2.254.53: UDP, length 38
            12:01:18.645608 IP 192.168.2.254.53 > 192.168.2.2.53506: UDP, length 54
            12:01:18.647487 IP 192.168.2.2.36332 > 192.168.2.254.53: UDP, length 38
            12:01:18.659513 IP 192.168.2.254.53 > 192.168.2.2.36332: UDP, length 66
            12:01:18.660479 IP 192.168.2.2.30178 > 8.8.8.8.53: UDP, length 39
            12:01:18.675351 IP 192.168.2.2.61355 > 8.8.8.8.53: UDP, length 29
            12:01:18.745328 IP 192.168.2.254.53 > 192.168.2.2.19288: UDP, length 85
            12:01:18.745840 IP 8.8.8.8.53 > 192.168.2.2.30178: UDP, length 85
            12:01:18.761573 IP 192.168.2.254.53 > 192.168.2.2.33404: UDP, length 61
            12:01:18.763026 IP 192.168.2.2.56172 > 192.168.2.254.53: UDP, length 29
            12:01:18.763650 IP 192.168.2.254.53 > 192.168.2.2.56172: UDP, length 61
            12:01:18.764476 IP 192.168.2.2.33963 > 192.168.2.254.53: UDP, length 29
            12:01:18.795409 IP 192.168.2.2.57565 > 8.8.8.8.53: UDP, length 29
            12:01:18.796648 IP 8.8.8.8.53 > 192.168.2.2.61355: UDP, length 61
            12:01:18.844998 IP 192.168.2.254.53 > 192.168.2.2.33963: UDP, length 85
            12:01:18.880391 IP 8.8.8.8.53 > 192.168.2.2.57565: UDP, length 85
            12:01:19.412651 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
            12:01:19.792068 IP 192.168.2.2.35656 > 192.168.2.254.53: UDP, length 34
            12:01:21.711853 IP 192.168.2.2.29859 > 192.168.2.254.53: UDP, length 23
            12:01:24.431745 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
            12:01:25.644590 IP 192.168.2.2.3631 > 192.168.2.254.53: UDP, length 31
            12:01:25.740300 IP 192.168.2.2.26379 > 192.168.2.254.53: UDP, length 42
            12:01:26.679395 IP 192.168.2.2.61244 > 192.168.2.254.53: UDP, length 42
            12:01:26.733564 IP 192.168.2.2.49724 > 192.168.2.254.53: UDP, length 23
            12:01:26.822258 IP 192.168.2.2.27917 > 192.168.2.254.53: UDP, length 29
            12:01:27.309645 IP 192.168.2.2.8879 > 192.168.2.254.53: UDP, length 40
            12:01:29.451831 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
            12:01:30.735497 IP 192.168.2.2.49286 > 192.168.2.254.53: UDP, length 31
            12:01:31.752092 IP 192.168.2.2.49724 > 192.168.2.254.53: UDP, length 23
            12:01:31.841284 IP 192.168.2.2.27917 > 192.168.2.254.53: UDP, length 29
            12:01:32.341610 IP 192.168.2.2.13307 > 192.168.2.254.53: UDP, length 45
            12:01:32.724487 IP 192.168.2.2.61244 > 192.168.2.254.53: UDP, length 42
            12:01:32.724551 IP 192.168.2.2.26379 > 192.168.2.254.53: UDP, length 42
            12:01:32.803992 IP 192.168.2.2.3631 > 192.168.2.254.53: UDP, length 31
            My understanding of this is that there is the odd answer but not many e.g.
            12:01:18.844998 IP 192.168.2.254.53 > 192.168.2.2.33963: UDP, length 85
            Switching between forward and resolve doesn't seem to make any difference.
            Doing a ping from the pfsense terminal still just gives
            Host name lookup failure
            Have you any suggestions on what to try next?
            Best wishes and thanks for the help.
            J

            J 1 Reply Last reply Jan 30, 2022, 12:27 PM Reply Quote 0
            • J
              johnpoz LAYER 8 Global Moderator @BriarPatch
              last edited by johnpoz Jan 30, 2022, 12:36 PM Jan 30, 2022, 12:27 PM

              @briarpatch said in Newbie having DNS problems:

              12:01:18.627311 IP 192.168.2.2.11461 > 192.168.2.254.53: UDP, length 34

              So that is a query to what, that sure isn't one of the roots, one of your IPs upstream of pfsense. Your upstream router.. And he doesn't seem to be answering much either..

              Yeah you don't seem to be getting any sort of timely replies..

              12:01:18.660479 IP 192.168.2.2.30178 > 8.8.8.8.53: UDP, length 39

              This looks to be the reply

              12:01:18.745840 IP 8.8.8.8.53 > 192.168.2.2.30178: UDP, length 85

              85 ms later.. That is a pretty slow response from google..

              But I don't see any queries to any of the root servers there.. Thought you tested with resolving as well?

              Do you have your upstream routing through a vpn? How do you have whatever pfsense is asking there 2.254 setup for dns? So a query to 8.8.8.8 for say cnn.com

              I get a response back in 22 something ms..

              dns1.jpg


              B 1 Reply Last reply Feb 20, 2022, 9:02 PM Reply Quote 0
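The pairing done by eye in the reply above (query to 8.8.8.8 at 12:01:18.660479, reply about 85 ms later) can be automated. This is an added example, not code from the thread or from pfSense: it matches each port-53 query in a tcpdump-style capture to its reply by client source port and reports round-trip time and unanswered retries. The function name `summarize` is hypothetical, and the sample is a subset of the WAN-side lines quoted in the thread.

```python
import re
from datetime import datetime

# Subset of the WAN-side capture lines quoted in the thread above.
CAPTURE = """\
12:01:18.627311 IP 192.168.2.2.11461 > 192.168.2.254.53: UDP, length 34
12:01:18.638756 IP 192.168.2.254.53 > 192.168.2.2.11461: UDP, length 79
12:01:18.660479 IP 192.168.2.2.30178 > 8.8.8.8.53: UDP, length 39
12:01:18.745840 IP 8.8.8.8.53 > 192.168.2.2.30178: UDP, length 85
12:01:19.412651 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
12:01:24.431745 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
12:01:29.451831 IP 192.168.2.2.41568 > 192.168.2.254.53: UDP, length 31
"""

# timestamp, src ip, src port, dst ip, dst port (tcpdump appends the port to the IP)
LINE = re.compile(
    r"^(\d\d:\d\d:\d\d\.\d+) IP (\S+)\.(\d+) > (\S+)\.(\d+): UDP, length \d+$"
)

def summarize(capture, dns_port=53):
    """Return (answered, unanswered) for a tcpdump text capture.

    answered:   [(server, client_port, rtt_ms)] measured from the first send
    unanswered: [(server, client_port, send_count)] queries with no reply
    Assumes the capture does not cross midnight (timestamps carry no date).
    """
    pending = {}  # (client, client_port, server) -> [first_seen, send_count]
    answered = []
    for raw in capture.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip anything that is not a UDP summary line
        ts = datetime.strptime(m.group(1), "%H:%M:%S.%f")
        src, sport = m.group(2), int(m.group(3))
        dst, dport = m.group(4), int(m.group(5))
        if dport == dns_port:      # query, or a retry on the same socket
            entry = pending.setdefault((src, sport, dst), [ts, 0])
            entry[1] += 1
        elif sport == dns_port:    # reply: look up the query it answers
            entry = pending.pop((dst, dport, src), None)
            if entry:
                rtt_ms = (ts - entry[0]).total_seconds() * 1000
                answered.append((src, dport, round(rtt_ms, 1)))
    unanswered = [(srv, port, sends) for (_, port, srv), (_, sends) in pending.items()]
    return answered, unanswered

if __name__ == "__main__":
    ok, lost = summarize(CAPTURE)
    print("answered:", ok)
    print("unanswered:", lost)
```

A query that is re-sent from the same source port every five seconds with no reply, as port 41568 is here, shows up in the second list with its retry count.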
              • B
                BriarPatch @johnpoz
                last edited by Feb 20, 2022, 9:02 PM

                @johnpoz Hello John, just to thank you for your help and apologize for not replying earlier. This weekend I had time to look at it again and noticed that version 2.6.0 had been released. I installed that and all my problems disappeared, it worked out of the box just as it should have done, but didn't, with version 2.5.2.
                Once again many thanks for your suggestions.
                Best wishes,
                J

                J 1 Reply Last reply Feb 20, 2022, 11:10 PM Reply Quote 0
                • J
                  johnpoz LAYER 8 Global Moderator @BriarPatch
                  last edited by Feb 20, 2022, 11:10 PM

                  @briarpatch did you do a clean install of pfsense - and not touch anything for the dns setting..


                  1 Reply Last reply Reply Quote 0