NordVPN DNS servers seem to be down from my end but are apparently not
-
Hello,
This morning, out of the blue, no more internet. It actually looked like my ISP had disconnected me completely. After a lot of screwing and searching around why openvpn was failing on all three interfaces of the GW group, I managed to discover that for some reason pfsense could not access nordvpn's DNS servers (103.86.96.100 & 103.86.99.100).
Trying Diagnostics > Ping gave
    PING 103.86.96.100 (103.86.96.100): 56 data bytes
    --- 103.86.96.100 ping statistics ---
    3 packets transmitted, 0 packets received, 100.0% packet loss

    PING 103.86.99.100 (103.86.99.100): 56 data bytes
    64 bytes from 103.86.99.100: icmp_seq=1 ttl=58 time=27.394 ms
    64 bytes from 103.86.99.100: icmp_seq=2 ttl=58 time=26.636 ms
    --- 103.86.99.100 ping statistics ---
    3 packets transmitted, 2 packets received, 33.3% packet loss
    round-trip min/avg/max/stddev = 26.636/27.015/27.394/0.379 ms
103.86.99.100 seems to respond to pings but has 33% packet loss (not uncommon with nordvpn; the openvpn interfaces were always bouncing back & forth between down, pending, loss and offline, then online). Never got ANY stability out of this cr**.
Reverting to OpenDNS's servers in pfsense's System>General Setup instantly solved all the issues.
Simple enough, I thought: Nord's DNS servers were down for some reason, so I contacted them to ask, and they assured me that their DNS servers were not down. I still can't ping the first one and the second one has severe packet loss. They still cause trouble with DNS resolution, so in the meantime I am still using OpenDNS.
I don't understand why pfsense doesn't flip between DNS servers. If the 1st is down, why is it not switching or reverting to using the 2nd one? Does anybody else have issues with Nord's DNS?
Finally, different topic but not totally unrelated, I am curious: Has anyone successfully managed to cancel their nordvpn's plan and got a refund (or even a partial refund)?
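Ping loss says little about whether a resolver is actually serving answers, since ICMP is often rate-limited or dropped independently of UDP/53. The check below is an added example, not from this thread or from pfSense or NordVPN: it sends a minimal DNS A query to each of the two addresses quoted above (the query name example.com and the 2-second timeout are assumptions) and reports whether a well-formed, matching-id answer came back.

```python
import random
import socket
import struct

# The two resolver addresses from the post; constructed list for this example.
NORD_DNS = ["103.86.96.100", "103.86.99.100"]


def build_query(name: str, qid: int) -> bytes:
    """Build a minimal DNS A/IN query with the RD (recursion desired) bit set."""
    header = struct.pack("!HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels)
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def parse_response(data: bytes, expected_id: int) -> dict:
    """Decode the reply header; flag truncated data or a mismatched transaction id."""
    if len(data) < 12:
        return {"ok": False, "reason": "truncated DNS header"}
    qid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if qid != expected_id:
        return {"ok": False, "reason": "transaction id mismatch (stray or spoofed reply)"}
    is_response = bool(flags & 0x8000)
    rcode = flags & 0x000F  # 0 = NOERROR, 2 = SERVFAIL, 3 = NXDOMAIN, 5 = REFUSED
    return {"ok": is_response and rcode == 0, "rcode": rcode, "answers": an}


def probe(server: str, name: str = "example.com", timeout: float = 2.0) -> dict:
    """Send one UDP query to `server` and report whether a valid answer came back."""
    qid = random.randint(0, 0xFFFF)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name, qid), (server, 53))
            data, _ = s.recvfrom(512)
        except OSError as e:  # socket.timeout is an OSError subclass
            return {"server": server, "ok": False, "reason": str(e) or "timeout"}
    return {"server": server, **parse_response(data, qid)}


if __name__ == "__main__":
    for srv in NORD_DNS:
        print(probe(srv))
```

Run it from the firewall itself (or from a client on the affected VLAN) and compare with the ping result: a timeout on port 53 is a resolver problem, while ping loss with a clean DNS answer is just ICMP being dropped.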
-
@pftdm007 Those servers are bad in general. But DNS configuration in pfSense is a little bit complicated, so no easy answer to your question, it depends...
-
Hey there!
When you say bad, what do you mean? Are there other servers that I can use? I just fired up an email to their tech support to complain a bit. I kinda feel entitled for once to do this, with the amount of trouble I've had so far.... They are quick to point to pfsense as the culprit of my troubles. It may be true, but I pretty much started having issues all over the place the moment I configured pfsense to work with nord....
What would you need to know to be able to guide me a bit on this? I will probably end up trashing nordvpn completely (I asked for a refund or partial refund. If they accept then it's case closed; otherwise I'll maybe try to make it work until my plan expires in 18 months).... This is why I'd like to understand what's going on here....
At the end of the day I still feel the issue is on their end. Why would I have ZERO connectivity this morning when it's been working for several months now (not well, as I casually lose OpenVPN instances and have to jump-start them manually....)?
-
@pftdm007 What you describe is pretty normal with most VPN providers, I guess. Nord has so many servers; they will go down, for minutes or forever. But you should keep in mind that nord isn't expensive.
Now DNS: there are several ways of handling DNS in pfSense, resolver, relayer, resolver doing DNS Query Forwarding ...
If you care about DNS leaks, what I do is give some hosts in my network 8.8.8.8 as their DNS server per DHCP and don't let them use pfSense for DNS (= no DNS leaks), problem solved (for me). If there is a DNS leak for some other hosts, I don't care that much.
-
While you're talking about DNS and how pfsense can be configured with it, I wonder why my VLAN300 clients cannot do DNS resolution unless I manually specify the DNS servers in the DHCP server of that interface?
The tooltip below the DNS text fields in the DHCP server page says
Leave blank to use the system default DNS servers: this interface's IP if DNS Forwarder or Resolver is enabled, otherwise the servers configured on the System / General Setup page.
I left them blank. Since Unbound is NOT running on VLAN300 (I want VLAN300 to completely bypass DNSBL and be straight to the "outside" world) I'd expect the servers configured on the System / General Setup page to be provided to the clients of VLAN300 for DNS resolution.
If I copy the DNS servers from the General Setup into the DHCP settings of VLAN300, everything works as expected. Do I need to setup FW rules or NAT stuff for this to work?
-
@pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:
> Do I need to setup FW rules or NAT stuff for this to work?
Sure, but do it like I (and now you) did: provide a DNS server like 8.8.8.8 and there shouldn't be any DNS leak.
-
Okay, but why are the system DNS servers not being passed on to the clients??? The tooltip is clear:
Leave blank to use the system default DNS servers
It's NOT working. Is it a bug in pfsense?
-
@pftdm007 said in NordVPN DNS servers seem to be down from my end but are apparently not:
> Is it a bug in pfsense?
no... it is a bug in your rulemaking. ^^
-
@pftdm007 Here is a hint.
-
Yes, what you're showing me is what I had. Somehow, DNS resolution on the clients of that VLAN is not working. I see the amount of states going up in the rules but clients still can't resolve FQDNs.
From one of the linux client I can confirm the DNS server is indeed the VLAN interface (DHCP) IP (192.168.2.1 in that case).
    mint@linuxmint:~$ nmcli dev show | grep DNS
    IP4.DNS[1]:                             192.168.2.1
The first rule with the 25/81 KiB (states) is the one I am trying to make work. Also note Unbound is not running on that VLAN.
It's like client requests for DNS resolution are indeed going thru pfsense and thru the FW rule but somehow are being blocked after that.
To test, I made a NAT rule to redirect any DNS requests to 8.8.8.8 but no improvements.
I confirm the clients can ping IP's on the internet. I tried with Google's IP:
    PING 142.251.32.67 (142.251.32.67) 56(84) bytes of data.
    64 bytes from 142.251.32.67: icmp_seq=1 ttl=118 time=19.9 ms
    64 bytes from 142.251.32.67: icmp_seq=2 ttl=118 time=16.4 ms
    64 bytes from 142.251.32.67: icmp_seq=3 ttl=118 time=18.5 ms
    64 bytes from 142.251.32.67: icmp_seq=4 ttl=118 time=16.6 ms
    64 bytes from 142.251.32.67: icmp_seq=5 ttl=118 time=18.3 ms
    64 bytes from 142.251.32.67: icmp_seq=6 ttl=118 time=18.2 ms
    ^C
    --- 142.251.32.67 ping statistics ---
    6 packets transmitted, 6 received, 0% packet loss, time 5051ms
    rtt min/avg/max/mdev = 16.395/17.980/19.874/1.182 ms
-
@pftdm007 But why? Why is unbound not running on your DMZ VLAN? No wonder DNS is not working.
-
@bob-dig I was hoping not to open that can of worms but oh well ;)
I am running pfB+DNSBL on the other VLANs, but I didn't want to run it on VLAN_DMZ because it was interfering with my work laptop and equipment.
The only (easiest) solution was not to run unbound on VLAN_DMZ and manually pass DNS servers to its clients, effectively bypassing Unbound completely (and DNSBL at the same time).
Now, DNSBL has python group policies which can be used to exclude IPs from it. I tried (really tried) to use it, but it just kept bugging and causing all kinds of issues. So I reverted back to bypassing Unbound.
Now the only difference is that I am trying to "automate" the config a bit by having the system DNS servers (System > General Setup) automatically passed on to the clients of VLAN_DMZ when they request a lease.
Let me ask you a different question:
What does pfsense do if something is specified in these fields? Knowing how pfsense uses what's specified in these fields would help me understand how the routing happens.
-
@pftdm007 If left empty, it will be that pfSense interface. If filled, that will be given to the DHCP-Clients.
Not that complicated.
I don't know what happens when you disable unbound only on this interface, probably nothing > no more DNS.
-
@bob-dig Makes sense now that I read the tooltip differently. When the tooltip says "...if DNS Forwarder or Resolver is enabled" they mean enabled VS disabled from a service perspective and not on a per-interface basis.... That's what I misinterpreted.
That'd be nice, to be able to NOT run unbound on an interface and serve system DNS servers. IMO the DHCP server should pass DNS servers in the following order:
    If DNS fields are populated, use their settings;
    Otherwise, if unbound is running on the interface, use the interface IP;
    Else pass the system DNS servers.
That's probably more of an improvement idea than anything else. For now (and probably forever) I have copied the system DNS servers onto the DHCP fields for DMZ and I'm back to normal.
Sorry about the confusion. Funny how something can be interpreted differently... Thanks for your patience @Bob-Dig !