Netgate Discussion Forum

DNS Resolver Not responding

DHCP and DNS
11 Posts 4 Posters 1.2k Views
    recoveringchemist
    last edited by Mar 5, 2022, 9:10 PM

    Hello,

    I'm just setting up my netgate sg-100 for the first time and I cannot get the DNS resolver to work. Here is some relevant info:

    Config:

    • I configured DNSBL using the wizard which enabled DNS resolver
    • In General Settings I have my ISP DNS servers configured and the resolution order is to start with local and fail over to remote.
    • In the Resolver DNSSEC is disabled
    • I created a firewall rule allowing DNS in both directions on all interfaces (this was to log activity)

    Observations:

    • When I do a DNS request from the Diagnostics menu the local address times out or responds after >10s
    • When a device on my network sends a query to the LAN interface it does not get a response. I can see a packet arrive at the LAN interface, but there is no response.
    • I can see DNS traffic going out of the WAN interface to my ISP DNS and what I think are authoritative DNS servers
    • When I change the general setting to ignore the local DNS, queries sent to the LAN IP still get no response.

    I think there are two problems:

    1. The local DNS resolver is extremely slow
    2. The pfSense does not send any DNS responses

    Can anyone help? Thanks

    rc

      bmeeks
      last edited by bmeeks Mar 6, 2022, 12:55 AM Mar 6, 2022, 12:31 AM

      One quick clarification -- you say you are setting up an SG-100 for the first time. There is no SG-100. Do you maybe mean an SG-1100, or is it another of the Netgate appliances?

      You need to take this one step at a time. Do not start with DNSBL. Get plain vanilla DNS working first, then add features like DNSBL later.

      Out of the box, you should do absolutely nothing to DNS in pfSense. It is ready to go as a resolver out of the box (meaning a default install). Do not put any IP addresses of any DNS servers anywhere! Let me repeat that, do not put any DNS IP addresses anywhere. Do not check or uncheck any boxes related to DNS. Do absolutely nothing other than the standard steps of defining your LAN and WAN interfaces and their IP addresses, and DNS will work on a default pfSense install. You will have full Internet connectivity. With a default setup pfSense will run the unbound DNS daemon in resolver mode (and I believe, if memory serves me correctly, with DNSSEC enabled). Resolver mode is what you want.

      So go back and undo everything you did, and if you can't do that, I would seriously recommend resetting to defaults and starting over. I will repeat, if you change nothing, and do NOT run the DNSBL wizard, DNS will work with a default install with no changes at all. The key here is "no changes to DNS at all". Many users assume they know more about DNS configuration than they actually do, and wind up hosing their firewall after fiddling with several of the settings following various YouTube examples. The problem with many of those examples on YouTube and elsewhere is the person creating that content really had no clue what he was doing. Or they do not take into account all of the various configurations that may exist with different users. So what worked for the guy who did the YouTube may not work for many others.

      After you have things working with defaults, then you can run the DNSBL wizard. Again, though, do NOT fiddle with DNS settings on the SYSTEM > GENERAL tab! Leave them at their defaults. Do not fiddle with any firewall rules related to DNS. None are necessary for a basic setup, and can actually cause issues if not done correctly. Later, when DNSBL is working, if you want to restrict your clients from bypassing DNSBL on the firewall, you can configure DNS redirect rules. But do those later AFTER you are sure basic DNS is working.

      Your post sounds like maybe you do not have a firm grasp of some key DNS concepts. Make sure you fully understand the difference between "resolving" and "forwarding" when it comes to DNS. Understanding the differences in those two terms is vital to properly configuring DNS. Many new users get them confused. The fact you put your ISP's DNS server IPs on the GENERAL SETTINGS page is an indication that perhaps you are misunderstanding the difference. You don't want to configure the pfSense DNS engine as a resolver and then put your ISP's DNS server addresses on the GENERAL SETTINGS page. No good reason for doing that.

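The resolving-versus-forwarding distinction in the post above can be checked directly on the box rather than guessed from the GUI, because the DNS Resolver page is rendered into an unbound.conf. The script below is an added example, not code from the thread or from pfSense. It assumes that pfSense writes the resolver config to /var/unbound/unbound.conf, that "DNS Query Forwarding" becomes a forward-zone for "." and that "Enable DNSSEC Support" becomes an auto-trust-anchor-file line; the two sample configs are constructed in standard unbound syntax with documentation IP addresses.

```python
"""Tell a resolving unbound from a forwarding one by reading its config.

Added example (not code from the thread or from pfSense). Assumes pfSense
expresses "DNS Query Forwarding" as a forward-zone for "." and "Enable DNSSEC
Support" as an auto-trust-anchor-file directive, both standard unbound syntax.
"""
import re

# Constructed sample 1: the setup the post warns against, a forward-zone for
# the root that sends every query to two ISP addresses (documentation IPs).
FORWARDING_CONF = """\
server:
    interface: 0.0.0.0
    interface: ::0
    auto-trust-anchor-file: /var/unbound/root.key   # DNSSEC validation on
    harden-dnssec-stripped: yes
forward-zone:
    name: "."
    forward-addr: 203.0.113.53
    forward-addr: 203.0.113.54
"""

# Constructed sample 2: a default resolving setup, no forward-zone at all.
RESOLVING_CONF = """\
server:
    interface: 0.0.0.0
    auto-trust-anchor-file: /var/unbound/root.key
    root-hints: /var/unbound/root.hints
"""

CLAUSE_RE = re.compile(r"^([\w-]+):$")


def parse_unbound_conf(text):
    """Return [(clause, [(key, value), ...]), ...] with comments stripped.

    unbound.conf is line based: a bare 'name:' opens a clause and every other
    non-empty line is 'key: value' inside the current clause. Values are
    split at the first colon only, so IPv6 literals survive intact."""
    clauses = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # '#' inside a quoted value is not handled
        if not line:
            continue
        m = CLAUSE_RE.match(line)
        if m:
            clauses.append((m.group(1), []))
            continue
        if not clauses:
            raise ValueError(f"directive outside any clause: {line!r}")
        key, _, value = line.partition(":")
        clauses[-1][1].append((key.strip(), value.strip().strip('"')))
    return clauses


def classify(text):
    """Report whether this config resolves or forwards, and its DNSSEC state."""
    forwarders, dnssec = [], False
    for clause, entries in parse_unbound_conf(text):
        if clause == "server":
            dnssec = any(k == "auto-trust-anchor-file" for k, _ in entries)
        elif clause == "forward-zone":
            zone = [v for k, v in entries if k == "name"]
            if zone and zone[0] == ".":       # only the root zone makes it a forwarder
                forwarders += [v for k, v in entries
                               if k in ("forward-addr", "forward-host")]
    return {"mode": "forwarding" if forwarders else "resolving",
            "forwarders": forwarders, "dnssec": dnssec}


if __name__ == "__main__":
    for label, conf in (("sample 1", FORWARDING_CONF), ("sample 2", RESOLVING_CONF)):
        print(label, classify(conf))
```

Run it against the live file (`python3 classify.py < /var/unbound/unbound.conf` after swapping the samples for `sys.stdin.read()`); `unbound-checkconf` on the same path validates the syntax before the parser trusts it. A forward-zone for "." pointing at the ISP means the box is forwarding no matter what the GUI checkbox suggests.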
        thiasaef @bmeeks
        last edited by thiasaef Mar 6, 2022, 10:21 AM Mar 6, 2022, 10:21 AM

        @bmeeks said in DNS Resolver Not responding:

        DNS will work with a default install with no changes at all.

        Only if you do not connect a device that restarts from time to time, see: https://redmine.pfsense.org/issues/12613 (also broken in 2.6.0).

          recoveringchemist
          last edited by Mar 6, 2022, 12:33 PM

          Thanks for your response @bmeeks! You are correct--I have an SG-1100. I did my configuration following several YouTube videos (all of which had different instructions).

           I took your advice and reset to factory defaults then re-ran the wizard without making any changes except the LAN IP address and time zone. The DNS service seems to be working (yay)...sort of. Sometimes DNS queries get an immediate response and sometimes no response at all.

          System Logs/System/DNS Resolver shows the service stopping and starting every few seconds. It starts, then stops after 3-4s, then starts again 3-4s later. The result is that sometimes a new web page will load immediately and sometimes it will be very slow or hang. The memory and CPU usage are not particularly high. This message appears repeatedly in system logs/system/routing, but it seems unrelated to the constant restarting:

          radvd	60425	warning: AdvDNSSLLifetime <= 2*MaxRtrAdvInterval would allow stale DNS suffixes to be deleted faster
          

          Any idea why the resolver service keeps restarting?

            SteveITS Galactic Empire @recoveringchemist
            last edited by Mar 6, 2022, 3:07 PM

             @recoveringchemist Do you have it configured to register DHCP leases in DNS? If so, unbound restarts at every lease renewal, so restarts can be frequent if you have a lot of leases/devices.

            Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
            When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
             Upvote 👍 helpful posts!

              recoveringchemist @SteveITS
              last edited by Mar 6, 2022, 4:02 PM

               @steveits I do not have that enabled. The only box that's checked on the main DNS Resolver page is Enable DNSSEC Support.

                recoveringchemist @SteveITS
                last edited by Mar 6, 2022, 5:20 PM

                @steveits I went looking for events in the logs that occur at the 6-8s interval of the unbound restarts. There is one of these entries in System/General log 1s before each unbound restart entry. Don't know if it's coincidence or cause and effect.

                check_reload_status	442	Reloading filter
                php-fpm	394	/rc.newwanipv6: rc.newwanipv6: on (IP address: 2600:8806:2400:6b00:xxxx:xxxx:xxxx:xxxx) (interface: wan) (real interface: mvneta0.4090).
                php-fpm	394	/rc.newwanipv6: rc.newwanipv6: Info: starting on mvneta0.4090.
                
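The hunt in the two posts above (unbound stopping and starting every few seconds, then an rc.newwanipv6 entry one second before each restart) is a log correlation that can be scripted instead of eyeballed. The script below is an added example, not code from the thread or from pfSense. The log lines are constructed in the "Mon D HH:MM:SS process pid message" layout the thread shows; the unbound messages use unbound's own "service stopped" / "start of service" wording with an illustrative version string, and the year and the 5-second lookback window are assumptions.

```python
"""Correlate unbound restarts with pfSense interface-up hooks in a log excerpt.

Added example, not code from the thread or from pfSense. Log lines below are
constructed in the layout the thread shows; the unbound messages use unbound's
own wording, the version string is illustrative, and the year and the
5-second lookback window are assumptions.
"""
import re
from collections import Counter
from datetime import datetime

LOG_YEAR = 2022          # syslog stamps carry no year (assumed)
WINDOW_SECONDS = 5       # how far back from a restart to look for a trigger (assumed)

# Constructed sample: two restarts with an rc.newwanip* hook just before them,
# and one later restart with nothing nearby to explain it.
SAMPLE_LOG = """\
Mar 6 17:04:13 check_reload_status 442 Reloading filter
Mar 6 17:04:13 php-fpm 394 /rc.newwanipv6: rc.newwanipv6: on (IP address: 2001:db8::1) (interface: wan) (real interface: mvneta0.4090).
Mar 6 17:04:14 unbound 1234 [1234:0] info: service stopped (unbound 1.13.2).
Mar 6 17:04:14 unbound 5678 [5678:0] info: start of service (unbound 1.13.2).
Mar 6 17:04:20 php-fpm 357 /rc.newwanip: rc.newwanip: on (IP address: 192.168.20.1) (interface: LAN[lan]) (real interface: igb1).
Mar 6 17:04:21 unbound 5678 [5678:0] info: service stopped (unbound 1.13.2).
Mar 6 17:04:21 unbound 9012 [9012:0] info: start of service (unbound 1.13.2).
Mar 6 17:09:00 unbound 9012 [9012:0] info: service stopped (unbound 1.13.2).
Mar 6 17:09:00 unbound 3456 [3456:0] info: start of service (unbound 1.13.2).
"""

LINE_RE = re.compile(r"^(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(\S+)\s+(\d+)\s+(.*)$")
SCRIPT_RE = re.compile(r"^/(rc\.newwanip(?:v6)?):")      # interface-up hook scripts
IFACE_RE = re.compile(r"\(interface: ([^)]+)\)")


def parse_events(text):
    """Return [(timestamp, process, message), ...] for lines that fit the layout."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # tolerate wrapped or foreign lines
        stamp = " ".join(m.group(1).split())
        ts = datetime.strptime(f"{LOG_YEAR} {stamp}", "%Y %b %d %H:%M:%S")
        events.append((ts, m.group(2), m.group(4)))
    return events


def trigger_label(message):
    """'rc.newwanipv6 (wan)' for an rc.newwanip* hook line, else None."""
    m = SCRIPT_RE.match(message)
    if not m:
        return None
    iface = IFACE_RE.search(message)
    return f"{m.group(1)} ({iface.group(1)})" if iface else m.group(1)


def analyze(text, window=WINDOW_SECONDS):
    """Count unbound starts and attribute each to the latest hook inside the window."""
    events = parse_events(text)
    triggers = [(ts, trigger_label(msg)) for ts, proc, msg in events
                if proc == "php-fpm" and trigger_label(msg)]
    starts = [ts for ts, proc, msg in events
              if proc == "unbound" and "start of service" in msg]
    causes = []
    for ts in starts:
        recent = [label for tts, label in triggers
                  if 0 <= (ts - tts).total_seconds() <= window]
        causes.append(recent[-1] if recent else "unknown")
    intervals = [(b - a).total_seconds() for a, b in zip(starts, starts[1:])]
    return {"restarts": len(starts), "by_cause": dict(Counter(causes)),
            "intervals": intervals}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    print(f"{result['restarts']} unbound starts, gaps between them {result['intervals']}")
    for cause, n in result["by_cause"].items():
        print(f"  {n} preceded by {cause}")
```

Feed it the merged System and DNS Resolver log output from the GUI or a copied system log, and the "unknown" bucket is what is left to explain once the interface flaps are accounted for; the DHCP lease registration restarts SteveITS mentions would show up there unless dhcpd lease lines are added to the trigger list.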
                  SteveITS Galactic Empire @recoveringchemist
                  last edited by Mar 6, 2022, 5:27 PM

                  @recoveringchemist sounds like https://redmine.pfsense.org/issues/12612 ?
                  Why is your WAN going down?

                    thiasaef @SteveITS
                    last edited by thiasaef Mar 6, 2022, 5:45 PM Mar 6, 2022, 5:43 PM

                    @steveits those events also happen on LAN interfaces:

                    Mar 6 17:04:14	php-fpm	357	/rc.newwanip: rc.newwanip: on (IP address: 192.168.20.1) (interface: LAN[lan]) (real interface: igb1).
                    

                    The real question is, why Unbound is still fucked up like this.

                    sounds like https://redmine.pfsense.org/issues/12612 ?

                    Exactly, and the patch does NOT fix the underlying issue.

                      bmeeks
                      last edited by Mar 6, 2022, 6:24 PM

                      There are longstanding issues with unbound (the DNS service on pfSense) and dhcpd (the DHCP daemon on pfSense). The way unbound is notified of new or updated DHCP leases is, shall we say, "not optimum".

                      There also appears to be a few other issues with the DNS service as well related to how it is tickled when interfaces change state, or appear to change state. Some of those are referenced in the bug report someone else linked.

                      My original post in this thread was not trying to imply that everything is perfect with unbound and the DNS Resolver service. But just to state that the very first thing to do is get a basic DNS setup working, and only after verifying that, should you start adding bells and whistles like DNSBL or DNS redirects via firewall rules. Monitoring this forum for the last few years I've seen lots of DNS issues get posted where the main problem was the user biting off too much to chew by trying to do everything in one fell configuration swoop. Unless you are really experienced with DNS administration, it is better to work on small chunks getting a working DNS setup each step of the way before going on to the next feature.

                      If unbound is frequently restarting on your box, that is definitely going to be a hindrance to decent DNS performance. This does not happen to everyone, though. I run the unbound service on my SG-5100 without issue. I have it configured to resolve. I have a Windows AD behind my firewall, so my LAN clients all use the Windows AD DNS and DHCP servers, but I do have the AD DNS servers configured to forward lookups for which they are not authoritative to the DNS Resolver on pfSense.

                        recoveringchemist @SteveITS
                        last edited by Mar 6, 2022, 9:49 PM

                        First, @bmeeks, I appreciate your advice to back off and deal with the DNS Resolver issue without the complications of pfBlocker. Plus I did not know that the DNS Resolver worked out of the box.

                        @steveits said in DNS Resolver Not responding:

                        Why is your WAN going down?

                        This turned out to be a pivotal question. I started looking at my cable modem's settings. The modem's DHCPv6 Prefix is hard-coded to 56, instead of 64 which is the WAN interface default, so I changed that. I also could not find anything in my modem that looked like DHCPv6 configuration settings, just the prefix. The modem's not exactly young. So I checked Request Only IPv6 Prefix on the pfSense WAN interface...
                        ...and...
                        ...drum roll...

                        I think it works!

                        The DNS Resolver has been responding to requests for about 20min, and either logging is broken, or unbound isn't starting and stopping anymore. I keep staring at it and waiting for something to break, but so far, so good.

                        Thanks to everyone for your help!!!

                        And please stick around to help when I try to set up pfBlocker. 😀

Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.