Netgate Discussion Forum
    Trouble getting new DNS to work on DHCP server

      TangoOversway

      I have an SG-1100 and when I checked, just a few days ago, pfSense was at the latest version. I'm having trouble getting the DHCP server to also provide DNS services for my LAN. We moved and a firewall I was working on got trashed, so I resurrected an old version (please don't ask how old!) of pfSense on a Soekris Net5501. Yeah. That old. But I had it running for a while, working as firewall (behind the Starlink firewall), as well as DHCP server and DNS for my LAN.

      I had tried setting up my SG-1100 2 years ago, when I got it, but I had a few issues, so I stayed with the firewall I was using at the time. This SG-1100 sat for the past 2 years, then I did a factory reset on it and started setting it up. One issue I had previously revolved around me trying to bring in ONLY the DHCP configuration from the very old Net5501 I mentioned - it had all the MAC addresses and that would help a lot with setup. But things never worked right.

      This time I entered that information by hand, cutting and pasting the MAC addresses into the new SG-1100 DHCP setup. When I got the DHCP settings done and saved, I shut down my SG-1100 and took it downstairs and into the "tech closet." I removed the WAN and LAN ethernet cables from my Net5501 and put them into the SG-1100. I'm using the same address space on the SG1100 as on the old system and many systems are at the same IP address on both systems.

      When I connected the CAT5 cables to the SG-1100, it took a while before I could ping it (its LAN address is 172.16.7.1). This wasn't just a few seconds, but a minute or more. Also, once I could do that, I tried to ping various systems in my LAN, but the local DNS wasn't working. I could ping addresses, but I could not ping the names or get an IP address for a hostname with the host command.

      I've included my DHCP config page, in a long screenshot, below. So, first, am I doing something wrong? And, second, since I'm using it as a drop-in replacement for a much older system, is it normal for it to take time before I can ping the SG-1100 after I plug it in? (Again, it took over a minute, not just a few seconds.) Also, considering that took time, should I have waited longer for DNS to work?

      One side note: I think my SG-1100 is running slow. It takes minutes, over 2 minutes (for sure when I checked my phone), and I think over 3 minutes to boot up most of the time. While that's a separate issue, I'm wondering if that's an indication there's a speed issue on this device.

      [Attachment: Screen Shot 2022-05-31 at 1.45.35 AM.png]

        viragomann @TangoOversway

        @tangooversway said in Trouble getting new DNS to work on DHCP server:

        Also, once I could do that, I tried to ping various systems in my LAN, but the local DNS wasn't working. I could ping addresses, but I could not ping the names or get an IP address for a hostname with the host command.

        You provide public DNS servers to the DHCP clients. So for sure these servers won't be able to resolve your local host names naturally.

        Remove the DNS servers from DHCP settings and ensure that the DNS Resolver is running.
        If you want to use the Google servers, run it in forwarder mode (check "DNS Query Forwarding") and enter the DNS servers at the System > General page.

          TangoOversway @viragomann

          @viragomann said in Trouble getting new DNS to work on DHCP server:

          @tangooversway said in Trouble getting new DNS to work on DHCP server:

          Also, once I could do that, I tried to ping various systems in my LAN, but the local DNS wasn't working. I could ping addresses, but I could not ping the names or get an IP address for a hostname with the host command.

          You provide public DNS servers to the DHCP clients. So for sure these servers won't be able to resolve your local host names naturally.

          Remove the DNS servers from DHCP settings and ensure that the DNS Resolver is running.
          If you want to use the Google servers, run it in forwarder mode (check "DNS Query Forwarding") and enter the DNS servers at the System > General page.

          I'm going to rephrase this so I can make sure I follow what you're saying.

          By providing public DNS servers on this page, I'm bypassing using my SG-1100 as DNS. So I need to provide those servers on the General Page instead.

          Am I right?

            viragomann @TangoOversway

            @tangooversway
            Correct.

            If you leave the DNS server fields blank, pfSense provides its interface IP as DNS, presuming the Resolver or Forwarder is enabled.

            So I need to provide those servers on the General Page instead.

            This makes pfSense use them for its own purposes.
            If you also want to use them for the local clients, while running the DNS Resolver, enable the forwarding mode in the Resolver.
            Otherwise the Resolver requests root DNS servers.

            However, for resolving local host names you will also have to add host overrides in the Resolver settings or enable "Static DHCP" if you want to use the static mapping names.

              TangoOversway @viragomann

              @viragomann

              Okay. I'll do that when I'm back home in an hour or two.

              Is it normal for DNS info to take a minute or two to show up on the LAN?

                viragomann @TangoOversway

                @tangooversway
                Are you talking about DNS resolutions?
                These are cached on almost any system. You may have to clear the DNS cache.
                But if you do an nslookup the data are fetched from the server again.

                  johnpoz (LAYER 8 Global Moderator) @TangoOversway

                  @tangooversway said in Trouble getting new DNS to work on DHCP server:

                  Is it normal for DNS info to take a minute or two to show up on the LAN?

                  There were some threads around here about DNS taking a while to start up - but I believe those were when using bind. You don't have the bind package installed or running, do you?

                  Unbound running should only take ms to resolve anything.. And once it is cached you should get an answer to your local clients in like 0 to 1 ms..

                  $ dig @192.168.9.253 www.google.com

                  ; <<>> DiG 9.16.28 <<>> @192.168.9.253 www.google.com
                  ; (1 server found)
                  ;; global options: +cmd
                  ;; Got answer:
                  ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23249
                  ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

                  ;; OPT PSEUDOSECTION:
                  ; EDNS: version: 0, flags:; udp: 4096
                  ;; QUESTION SECTION:
                  ;www.google.com.                        IN      A

                  ;; ANSWER SECTION:
                  www.google.com.         1756    IN      A       142.250.190.4

                  ;; Query time: 0 msec
                  ;; SERVER: 192.168.9.253#53(192.168.9.253)
                  ;; WHEN: Tue May 31 11:34:40 Central Daylight Time 2022
                  ;; MSG SIZE  rcvd: 59

                  If you're talking about when changing what DNS your DHCP client gets - if you change it, they would have to renew their lease to get the new info.. If you're talking about creating say a host override and your client still pointing to the old IP, keep in mind the client also keeps a cache of stuff it looked up.. So you might have to clear the local and/or even browser DNS cache. The OS keeps a cache - and also browsers keep their own cache.

                  Also with browsers - you need to make sure they are not doing doh (dns over http).. Many browsers these days like to take it upon themselves to use doh.. So you should probably make sure it's not, if you're not wanting it to.

                  An intelligent man is sometimes forced to be drunk to spend time with his fools
                  If you get confused: Listen to the Music Play
                  Please don't Chat/PM me for help, unless mod related
                  SG-4860 24.11 | Lab VMs 2.7.2, 24.11

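A client-side check for the two things johnpoz's reply points at (which resolver DHCP handed the client, and what a `dig` run actually says). This is an added example, not code from the thread or from Netgate. It assumes the LAN is 172.16.7.0/24 with the pfSense box at 172.16.7.1 (the thread gives only the .1 address); the search domain, host names, addresses and all `resolv.conf`/`dig` text in the samples are constructed.

```python
# Added example (not from the thread): inspect the resolver DHCP handed out
# and parse dig output in the layout shown above. LAN 172.16.7.0/24 with the
# firewall at 172.16.7.1 is assumed; all sample text below is constructed.
import ipaddress
import re

# Constructed /etc/resolv.conf as a DHCP client writes it when the DHCP server
# hands out public resolvers (the misconfiguration described in the thread).
RESOLV_CONF_PUBLIC = """\
nameserver 8.8.8.8
nameserver 8.8.4.4
search lan.example
"""

# Constructed resolv.conf after the DHCP DNS fields are left blank, so the
# client receives the firewall's own LAN address as its resolver.
RESOLV_CONF_GATEWAY = """\
nameserver 172.16.7.1
search lan.example
"""

# Constructed dig output (same layout as johnpoz's run): a cached answer from
# the local resolver, hence "Query time: 0 msec".
DIG_CACHED = """\
; <<>> DiG 9.16.28 <<>> @172.16.7.1 www.example.com
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 23249
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
;; ANSWER SECTION:
www.example.com.        1756    IN      A       192.0.2.10

;; Query time: 0 msec
;; SERVER: 172.16.7.1#53(172.16.7.1)
"""

# Constructed dig output for a LAN host name sent to a public resolver, which
# knows nothing about the LAN and therefore answers NXDOMAIN.
DIG_LOCAL_VIA_PUBLIC = """\
; <<>> DiG 9.16.28 <<>> @8.8.8.8 mediaserver.lan.example
;; ->>HEADER<<- opcode: QUERY, status: NXDOMAIN, id: 1111
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 1
;; Query time: 21 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
"""

ANSWER_RE = re.compile(r"^(\S+)\s+(\d+)\s+IN\s+(\S+)\s+(\S+)$")


def classify_resolvers(resolv_conf, lan_network, gateway):
    """Return [(ip, kind)] per nameserver line: 'gateway' (the pfSense LAN
    IP), 'lan' (another LAN host) or 'public' (anything outside the LAN)."""
    net = ipaddress.ip_network(lan_network)
    result = []
    for line in resolv_conf.splitlines():
        parts = line.split()
        if len(parts) == 2 and parts[0] == "nameserver":
            ip = ipaddress.ip_address(parts[1])
            kind = "gateway" if parts[1] == gateway else ("lan" if ip in net else "public")
            result.append((parts[1], kind))
    return result


def parse_dig(text):
    """Extract status, answer records, query time and answering server."""
    info = {"status": None, "answers": [], "query_ms": None, "server": None}
    in_answer = False
    for line in text.splitlines():
        line = line.rstrip()
        if line.startswith(";; ->>HEADER<<-"):
            info["status"] = re.search(r"status:\s*(\w+)", line).group(1)
        elif line.startswith(";; Query time:"):
            info["query_ms"] = int(re.search(r"(\d+) msec", line).group(1))
        elif line.startswith(";; SERVER:"):
            info["server"] = line.split()[2].split("#")[0]
        elif line.startswith(";; ANSWER SECTION:"):
            in_answer = True
        elif line.startswith(";"):
            in_answer = False            # any other section header
        elif in_answer:
            m = ANSWER_RE.match(line)    # blank lines simply do not match
            if m:
                info["answers"].append({"name": m.group(1), "ttl": int(m.group(2)),
                                        "type": m.group(3), "data": m.group(4)})
    return info


def diagnose(resolv_conf, dig_text, lan_network, gateway):
    """Combine both checks into a short list of findings."""
    findings = []
    kinds = {k for _, k in classify_resolvers(resolv_conf, lan_network, gateway)}
    if kinds and "gateway" not in kinds:
        findings.append("DHCP handed out non-pfSense resolvers; LAN names will not resolve")
    d = parse_dig(dig_text)
    if d["status"] == "NXDOMAIN" and d["server"] and \
            ipaddress.ip_address(d["server"]) not in ipaddress.ip_network(lan_network):
        findings.append("NXDOMAIN from a public server for a LAN name: ask the firewall instead")
    if d["status"] == "NOERROR" and d["query_ms"] == 0:
        findings.append("answer came from the resolver cache (0 ms)")
    return findings


if __name__ == "__main__":
    for f in diagnose(RESOLV_CONF_PUBLIC, DIG_LOCAL_VIA_PUBLIC, "172.16.7.0/24", "172.16.7.1"):
        print("-", f)
```

On a real client you would feed `parse_dig` the captured output of `dig @<resolver> <name>` and `classify_resolvers` the contents of `/etc/resolv.conf`; a 0 ms query time against the pfSense address is the cached-answer case johnpoz describes, while NXDOMAIN from a public server for a LAN name is the symptom from the first post.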
                    TangoOversway @johnpoz

                    Overall note, before responding to John:

                    Still no DNS on the LAN - more info:

                    I removed the Google DNS from the DHCP Server/LAN configuration and I made sure they were listed in the General Setup page and saved both twice - just to be sure! I took my SG-1100 back down to the tech closet and turned it on. (Side note, and probably should go on a 2nd thread: The SG-1100 takes 2-4 minutes to start up. By "start up," I'm counting it as started once the green diamond LED stops blinking. That doesn't seem right.) Once it had booted, I swapped it in for the old firewall.

                    I can ping to systems in the LAN - and they're using the right IP addresses. (Some devices have one IP address on the old firewall and a new one with the SG-1100.) But I still get no DNS on my LAN. DNS for outside the LAN, but not inside it.

                    @johnpoz said in Trouble getting new DNS to work on DHCP server:

                    @tangooversway said in Trouble getting new DNS to work on DHCP server:

                    Is it normal for DNS info to take a minute or two to show up on the LAN?

                    There were some threads around here about DNS taking a while to start up - but I believe those were when using bind. You don't have the bind package installed or running, do you?

                    As best I know. I'm working with the stock install that says it's updated. I haven't added anything.

                    My older "emergency" system may be using bind. I remember at some point there was a change of what was preferred on pfSense, but, as I mentioned, this system is old, so I don't remember the details. (And that older system DOES take time to bring DNS back up.)

                    If you're talking about when changing what DNS your DHCP client gets - if you change it, they would have to renew their lease to get the new info.. If you're talking about creating say a host override and your client still pointing to the old IP, keep in mind the client also keeps a cache of stuff it looked up.. So you might have to clear the local and/or even browser DNS cache. The OS keeps a cache - and also browsers keep their own cache.

                    I have all this stuff in a "tech closet" with the firewalls, some fiber optic couplers, a media server (just a RAID) and I have one Linux system in there, console only, no GUI. I've been using the Linux system to test, using ping and host. I know host is not used, but I'm finding an issue with installing nslookup - need to update and so on. One thing at a time. I'll do that once I get the new firewall in place.

                    I have found that when I reboot or switch firewalls I often have to bring the ethernet interface down then back up to make sure I'm dealing with the new one. Even pinging by address can be an issue until I do that. I know some of that is in that system and I need to update it, but first I just want the new firewall to work so I can ditch the emergency/ancient one.

                      TangoOversway @TangoOversway

                      I think I have it working - but if I did something dumb that will create problems, please let me know.

                      I checked under the DNS Resolver. I thought the DHCP handled both DHCP and DNS all in one swell foop. It apparently does not. So under DNS Resolver, which was active, I needed to check the boxes for:

                      • DHCP Registration (Register DHCP leases in the DNS Resolver)

                      • Static DHCP (Register DHCP static mappings in the DNS Resolver)

                      Also, in General Setup, I unchecked:

                      • DNS Server Override (Allow DNS server list to be overridden by DHCP/PPP on WAN)

                      Then I powered down and moved it back down into my tech zone and swapped it into place where the old emergency firewall was.

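A small lint for the settings the replies in this thread describe, so the "before" state from the first post and the "after" state from the last post can be compared. This is an added example, not the thread's or pfSense's own code: the field names are my own labels for the GUI options named in the thread, not pfSense identifiers, and the rules encoded are only the ones the replies state (public DNS in the DHCP scope bypasses pfSense; blank fields hand out the interface IP when the Resolver runs; forwarding mode uses the System > General servers, otherwise the root servers; local names need DHCP registration, static DHCP or host overrides).

```python
# Added example (not from the thread or pfSense): lint a pfSense DHCP/Resolver
# DNS setup against the rules given in the replies. Field names are my own
# labels for the GUI options, not pfSense identifiers.
from dataclasses import dataclass, field


@dataclass
class PfSenseDnsConfig:
    dhcp_dns_servers: list = field(default_factory=list)   # Services > DHCP Server, DNS servers
    resolver_enabled: bool = True                           # Services > DNS Resolver
    forwarding_mode: bool = False                           # "DNS Query Forwarding"
    general_dns_servers: list = field(default_factory=list)  # System > General Setup
    dhcp_registration: bool = False                         # "Register DHCP leases in the DNS Resolver"
    static_dhcp: bool = False                               # "Register DHCP static mappings in the DNS Resolver"
    host_overrides: int = 0                                 # number of Resolver host overrides


def check_lan_dns(cfg):
    """Return (severity, message) findings; 'error' means LAN names will not resolve."""
    findings = []
    if cfg.dhcp_dns_servers:
        findings.append(("error", "DHCP hands clients %s directly, so they never ask pfSense "
                         "and LAN names cannot resolve; leave the field blank"
                         % ", ".join(cfg.dhcp_dns_servers)))
    elif not cfg.resolver_enabled:
        findings.append(("error", "DHCP DNS field is blank but the Resolver is off, so clients "
                         "are handed an interface IP that answers nothing"))
    if cfg.resolver_enabled:
        if cfg.forwarding_mode:
            findings.append(("info", "Resolver forwards to System > General servers: %s"
                             % ", ".join(cfg.general_dns_servers)))
        else:
            findings.append(("info", "Resolver resolves via the root servers"))
        if not (cfg.dhcp_registration or cfg.static_dhcp or cfg.host_overrides):
            findings.append(("error", "no DHCP registration, static DHCP or host overrides: "
                             "the Resolver has no LAN host names to answer for"))
    return findings


def has_errors(cfg):
    return any(sev == "error" for sev, _ in check_lan_dns(cfg))


# Constructed "before" state matching the first post: public servers in the
# DHCP scope, Resolver running, nothing registered in it.
BEFORE = PfSenseDnsConfig(dhcp_dns_servers=["8.8.8.8", "8.8.4.4"])

# Constructed "after" state matching the last post: DHCP DNS fields blank,
# servers moved to General Setup, both registration boxes ticked.
AFTER = PfSenseDnsConfig(general_dns_servers=["8.8.8.8", "8.8.4.4"],
                         dhcp_registration=True, static_dhcp=True)

if __name__ == "__main__":
    for name, cfg in (("before", BEFORE), ("after", AFTER)):
        print(name)
        for sev, msg in check_lan_dns(cfg):
            print("  [%s] %s" % (sev, msg))
```

The checker deliberately reports "info" for where upstream queries go, since the thread treats forwarding versus root resolution as a choice rather than a defect; only the conditions the replies tie to broken LAN resolution are errors.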