local DNS stops working if WAN goes down
-
I found a post from 2009 on this: https://forum.netgate.com/topic/14365/dns-resolution-fails-when-wan-goes-down?_=1654611646805 but there seems to be no confirmed solution.
The issue is that when my Internet provider goes down, local hosts no longer resolve. This makes it difficult to do anything on my local LAN such as accessing my file server and dealing with IoT devices.
I'm on the most recent free release 2.6.0-RELEASE (amd64) and have the following DNS settings:
- Network Interfaces: All
- Outgoing Network Interfaces: WAN
- Strict Outgoing Network Interface Binding: Unchecked
- System Domain Local Zone Type: Transparent
Following are checked
- DNSSEC
- DHCP Registration
- Static DHCP
I have configured custom options to use Google and Cloudflare instead of the DNS server provided by Comcast DHCP. (Too many times "the Internet was down" because the Comcast DNS server was down.) I have had to manually override some sites due to their DNS configuration and now have the following in custom options:
server:
    domain-insecure: "coder.show"
    domain-insecure: "linuxactionnews.com"
    domain-insecure: "techsnap.systems"
    domain-insecure: "techtalk.today"
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 1.1.1.1@853
    forward-addr: 8.8.8.8@853
    forward-addr: 1.0.0.1@853
    forward-addr: 8.8.4.4@853
My firewall blocks outbound DNS to force clients to use my pfsense box (and yes, I know that browsers bypass this by doing DOH.)
I also have 2 VLANs configured to isolate IoT devices from the rest of my stuff. In general devices on the main LAN have full access to the IoT LAN and IoT devices are blocked from accessing the main LAN but have full access to the Internet.
Any suggestions on fixing this are most welcome.
Thanks!
-
@hankb couple things I see wrong here.
If you're going to forward, dnssec should be unchecked. Where you forward to is either doing dnssec already or they are not - you asking for it does nothing, other than being problematic.
Also if you're going to forward via tls you need the fqdn of where you're forwarding to in the statement
example
forward-addr: 1.1.1.1@853#cloudflare-dns.com
Another thing that can be problematic is registering dhcp - this causes restarts of unbound; this for one clears the cache, and 2nd it's going to be down for clients while it restarts. Sometimes the restart can take a while; also if your wan is down while it restarts this can extend the start up time.
https://redmine.pfsense.org/issues/12985
So I could see your wan going down, some dhcp client getting a new or renewed IP and dhcp leases being registered causing a restart of unbound that takes a while - looking like your local dns is down. I could kill off my wan connection and validate local dns works - but I kind of need my wan connection currently ;) But will try and test it some time later.
Also you don't mention: did you uncheck using dns from your wan dhcp? If not those could still be used. What did you set the pfsense option for dns to be? By default it would fall back to remote dns.
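The custom options with the fix from this reply applied, as an added example rather than text from either poster: the same forwarders with the provider hostname appended after '#' (cloudflare-dns.com and dns.google are the names those providers publish for their resolvers), plus the CA bundle unbound needs to actually verify that hostname. The /etc/ssl/cert.pem path is an assumption for a FreeBSD-based box.

```conf
# BEFORE (from the original post): TLS is requested but no auth name is
# given, so unbound cannot verify who is answering on port 853.
#   forward-zone:
#     name: "."
#     forward-ssl-upstream: yes
#     forward-addr: 1.1.1.1@853
#
# AFTER: same forwarders, each with its provider hostname after '#'.
# With DNSSEC unchecked in the GUI the domain-insecure lines from the
# original post are no longer needed (they only matter when the
# validator module is enabled).
server:
    # assumption: FreeBSD-style CA bundle path. Without a bundle unbound
    # has nothing to check the upstream certificate against, so the
    # '#hostname' below would not be verified.
    tls-cert-bundle: "/etc/ssl/cert.pem"

forward-zone:
    name: "."
    # current spelling of the option; forward-ssl-upstream is an alias
    forward-tls-upstream: yes
    forward-addr: 1.1.1.1@853#cloudflare-dns.com
    forward-addr: 1.0.0.1@853#cloudflare-dns.com
    forward-addr: 8.8.8.8@853#dns.google
    forward-addr: 8.8.4.4@853#dns.google
```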
-
@johnpoz said in local DNS stops working if WAN goes down:
@hankb couple things I see wrong here.
If you're going to forward, dnssec should be unchecked.
Done
Also if you're going to forward via tls you need the fqdn of where you're forwarding to in the statement
example
forward-addr: 1.1.1.1@853#cloudflare-dns.com
Thanks for the tip. My google-fu is not up to finding the FQDN for Google. Traceroute at whois.is shows
dns.google
for 8.8.8.8 (and 8.8.4.4). Does that sound right?
Another thing that can be problematic is registering dhcp - this causes restarts of unbound; this for one clears the cache, and 2nd it's going to be down for clients while it restarts.
One of the things I really like about PFsense (and other routers I've used) is their ability to provide DNS for my local LAN. I lose that if I uncheck registering, right? Will I get that back if I assign static IP addresses to the local hosts I wish to access by name? Can I leave "Static DHCP" checked?
So I could see your wan going down, some dhcp client getting a new or renewed IP and dhcp leases being registered ... But will try and test it some time later.
I will try to check that when I test the changes you suggest. Will I see the resolver restarts in logs?
Also you don't mention: did you uncheck using dns from your wan dhcp? If not those could still be used. What did you set the pfsense option for dns to be? By default it would fall back to remote dns.
I don't see any DNS settings on Interfaces -> WAN. On System -> General Setup the dropdown for DNS Resolution behavior is "use local DNS (127.0.0.1), fall back to remote DNS Servers" (default). Also on the General Setup page I see the DNS servers for Cloudflare listed by IP (i.e. dotted decimal notation) and the hostname fields left empty. This makes me wonder if I need the special settings mentioned earlier which I added to get secure DNS back ... Ouch... I'm already finding the answer to part of the situation as I can no longer reach my server to check my notes. ;)
I may be back with more questions but I have some work to do first.
Thanks!
-
@hankb said in local DNS stops working if WAN goes down:
provide DNS for my local LAN. I lose that if I uncheck registering, right? Will I get that back if I assign static IP addresses to the local hosts I wish to access by name? Can I leave "Static DHCP" checked?
Yeah static just loads those in when unbound starts - there is no renew or lease that would restart unbound out of the blue.
It's been problematic for some time where register dhcp causes a restart of unbound. Now if you don't have a lot of clients, and you have a long lease time, etc. and unbound starts up in a second or 2 you prob never have an issue. But with many users using pfblocker that can cause delays in startup, and for example that bug if wan is down also taking extended time to start, etc.
It can be problematic. Personally I don't see a need for registering dhcp - anything I would like to resolve locally would have a reservation set so I know what its IP is going to be. Only stuff in my network that actually gets some random dhcp IP would be guest users. And maybe something I am testing, but if I end up leaving that on the network, I would assign it an IP.
-
@johnpoz said in local DNS stops working if WAN goes down:
anything I would like to resolve locally would have a reservation set
The lazy bastage that I am, I was happy to let pfsense assign IP addresses and register the name. ;) I'm in the process of converting those to static assignments.
Note to self. Configure all static assignments before turning off registration!
Thanks again.
-
@johnpoz Thanks again for your help.
I configured all of my "interesting" hosts to static IPs and unchecked "register DHCP hosts" and pulled power to my cable modem to test. DNS worked in that circumstance so unless there's some other condition (combined with WAN going down) that causes the DNS hang, I think this is fixed.
best,
-