DNS resolution error just on pfsense box
-
Hi,
I have 8.8.8.8 and 1.1.1.1 DNS set up on my pfSense machine but I cannot get it to complete a DNS lookup from Diagnostics > DNS Lookup.
I am able to ping both DNS IPs from the Diagnostics > Ping screen.
Client devices on LAN using the same DNS are able to resolve.
Thanks for any feedback provided
-
I've several suggestions :
You've shown the first one third of the Resolver settings, but not the other, lower part.
So, are you forwarding or not ?
What are the other settings ?
Same question, with an image :
is this checked, or not ?
If it's not, congratulations, you are using the default resolver mode. That would work out of the box if you have a working Internet connection (on the WAN interface).
You can remove 8.8.8.8 1.1.1.1 212.56.129.288 as they are not needed and not used anyway.
In the GUI, do you have :
or, same question : is the resolver running ?
If so, enter the console, or SSH (or use the GUI : Diagnostics Command Prompt ) and type:
dig google.com
You should see :
; <<>> DiG 9.16.26 <<>> google.com
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 11083
;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4096
;; QUESTION SECTION:
;google.com.                    IN      A

;; ANSWER SECTION:
google.com.             30      IN      A       142.250.75.238

;; Query time: 2 msec
;; SERVER: 127.0.0.1#53(127.0.0.1)
;; WHEN: Wed Nov 23 11:29:46 CET 2022
;; MSG SIZE  rcvd: 55
The dig command was using address "127.0.0.1", port 53 and unbound, the resolver, listening on that address, and port.
-
Thanks for the reply.
DNS resolver service is running.
DNS forwarder is completely switched off.
If I remove the DNS entries from System > General Setup, how would the resolver know which servers to contact for DNS queries?
dig output below.
Shell Output - dig google.com
; <<>> DiG 9.16.11 <<>> google.com
;; global options: +cmd
;; connection timed out; no servers could be reached
-
@viktor77 said in DNS resolution error just on pfsense box:
how would the resolver know which servers to contact for dns queries?
When the Internet was created, everything was fine.
The first computer used 1.0.0.1** and the other one was 1.0.0.2**.
The network could get bigger, but there were only two devices, so who needs host names ?
A week or so later, the number of devices exploded, routers, hubs (switches later on) were created.
Like the phone companies, there was a need for 'naming' these devices, as looking up all the IP addresses became tedious. So, why invent the wheel again : DNS was created : a system that could derive an IP address from a host name.
Things like 'root servers', TLDs (like com net org and net) and domain name servers were created.
The root server was one 'master' device, who knows where all the TLD DNS servers are (what IP address they have).
These TLDs know where all the domain name servers are, the ones that know that "forum.netgate.com" points to "208.123.73.199" ***.
Today, this structure starts with 13 root 'dot' servers : their IP address is built (compiled) into a resolver. Here they are : https://en.wikipedia.org/wiki/Root_name_server
When you use 8.8.8.8 as a DNS resolver, then 8.8.8.8 will use one of the 13 root servers, and asks : "who knows where dot com is" (the TLDs). Then the resolver will ask a TLD : "where are the domain name servers of netgate.com" and then the resolver will ask one of these domain name servers : "what is the IP of forum.netgate.com" ? The domain name server will answer "208.123.73.199". This domain name server is typically rented and/or administrated by the Netgate folks, so it points to the IP where the forum.netgate.com web server is.
unbound is a resolver too, so : nothing is needed to make 'DNS' work on pfSense.
unbound will know where to find the main root servers, and will use any of them, typically, the closest one. And drill down from there to resolve everything - any host name - that exists on the Internet.
So no need for your ISP DNS resolver (could be a forwarder also), or 8.8.8.8 or anybody else.
Even better : these didn't even exist back then, and the Internet worked just fine.
All this boils down to : do not enter any DNS info when setting up pfSense, and it will work perfectly well.
To see the same info with images, graphs etc, fire up Youtube, and type "DNS root server", look at the first 10 videos, and you'll be a DNS expert in less than one hour.
**, yes, I'm not sure.
*** "208.123.73.199" exists for compatibility reasons. Most devices will prefer to use the other address : 2610:160:11:18::199 ;)
-
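The delegation walk described in the post above (root, then TLD, then the domain's own name servers), as an added example that is not code from this thread, from pfSense or from unbound: an offline Python simulation of a resolver that knows nothing but its root hints and follows referrals down the tree. Every address and zone in it is a constructed documentation value (198.51.100.x, 203.0.113.7, example.com), not the real root, .com or netgate.com servers.

```python
"""Simulated iterative DNS resolution: root -> TLD -> authoritative.

Added example (not code from the thread, pfSense or unbound). All
server addresses and zone data below are CONSTRUCTED documentation
values, not the real root, .com or netgate.com servers. The point is
the walk itself: a resolver that starts from built-in root hints needs
no forwarder such as 8.8.8.8 to be configured.
"""
from typing import Dict, List, Optional, Tuple

# One entry per simulated name server, keyed by its (constructed) address.
# "records" are the A records it answers authoritatively; "delegations"
# map a child zone to the addresses of that zone's name servers.
SERVERS: Dict[str, dict] = {
    "198.51.100.1": {   # plays the role of a root server
        "zone": ".",
        "delegations": {"com.": ["198.51.100.10"]},
        "records": {},
    },
    "198.51.100.10": {  # plays the role of a .com TLD server
        "zone": "com.",
        "delegations": {"example.com.": ["198.51.100.20"]},
        "records": {},
    },
    "198.51.100.20": {  # plays the role of example.com's authoritative server
        "zone": "example.com.",
        "delegations": {},
        "records": {"www.example.com.": "203.0.113.7"},
    },
}

# All a resolver ships with: where the root servers are (the "root hints").
ROOT_HINTS: List[str] = ["198.51.100.1"]


def ask(server: str, qname: str) -> Tuple[str, object]:
    """One query to one simulated server.

    Returns ("answer", ip) if the server is authoritative for the name,
    ("referral", [ns addresses]) if it can only point further down the
    tree, or ("nxdomain", None) if it knows nothing useful.
    """
    srv = SERVERS[server]
    if qname in srv["records"]:
        return "answer", srv["records"][qname]
    # Pick the most specific child zone that encloses qname, the way a
    # server holding several delegations would.
    best_zone, best_ns = "", []
    for child, ns_addrs in srv["delegations"].items():
        if qname.endswith("." + child) and len(child) > len(best_zone):
            best_zone, best_ns = child, ns_addrs
    if best_ns:
        return "referral", best_ns
    return "nxdomain", None


def resolve(qname: str, max_hops: int = 8) -> Tuple[Optional[str], List[Tuple[str, str]]]:
    """Iterative resolution from the root hints down.

    Returns (ip or None, trace); trace lists (zone asked, reply kind) in
    order, so the caller sees each step of the delegation chain.
    """
    trace: List[Tuple[str, str]] = []
    next_servers = list(ROOT_HINTS)
    for _ in range(max_hops):
        server = next_servers[0]          # a real resolver picks the fastest one
        kind, payload = ask(server, qname)
        trace.append((SERVERS[server]["zone"], kind))
        if kind == "answer":
            return payload, trace
        if kind == "nxdomain":
            return None, trace
        next_servers = payload            # follow the referral one level down
    return None, trace                    # guard against referral loops


if __name__ == "__main__":
    ip, steps = resolve("www.example.com.")
    for zone, kind in steps:
        print(f"asked {zone:14} -> {kind}")
    print("result:", ip)
```

Nothing in the simulation ever consults a forwarder: the only configuration the resolver holds is ROOT_HINTS, which is why a pfSense install with no DNS servers entered under General Setup can still resolve names. A name under a TLD the root does not delegate (example.org here) fails at the first hop; a missing host under a delegated zone fails only at the authoritative server, after the full walk.
-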
I removed all DNS entries in the System > General Setup page. I also unchecked Allow DNS server list to be overridden by DHCP/PPP on WAN. The issue is still persisting.
I also have a different pfSense box set up with 8.8.8.8 which is working fine. Removed the DNS and it kept on working fine.
Thanks for your very informative reply, I truly appreciate every second you put into writing it. unbound seems like a very good feature to have implemented in something like pfSense. Is this a common feature across all vendors? Even something like tp-link?
-
@viktor77 said in DNS resolution error just on pfsense box:
even something like tp-link?
If I was "tp-link", and I had to build a router for the non-initiated, I would call Google and ask them : "We'll forward to 8.8.8.8 for our new router product - how much do you offer ?"
Google will write a big check to tp-link && Google will now have all the DNS details of all those people who bought this router.
On the other hand, the tp-link has no end user DNS settings in its GUI, which means : what an end-user can't enter, he can't do wrong either, and this will economize on after sales costs. The tp-link will 'silently' forward to 8.8.8.8 using a simple DNS forwarder such as dnsmasq (also present in pfSense, for those who want to forward and/or not use unbound).
edit : wait ... this was a joke of course, as I'm not tp-link.
But someone is paying Google an awful lot of money.
And what tp-link could do, could also be done by our ISPs etc.
@viktor77 said in DNS resolution error just on pfsense box:
The issue is still persisting.
Can you detail what the issue is :
Run and show
ipconfig /all
on your PC.
The same info is also available on your iPhone, OtherPhone, MAC, Linux or whatever device.
Run this command on pfSense (console) :
[22.05-RELEASE][root@pfSense.yournetwork.net]/root: sockstat | grep 'unbound'
unbound  unbound    12338 3  udp4   *:53                  *:*
unbound  unbound    12338 4  tcp4   *:53                  *:*
unbound  unbound    12338 5  udp4   *:853                 *:*
unbound  unbound    12338 6  tcp4   *:853                 *:*
unbound  unbound    12338 7  udp6   *:53                  *:*
unbound  unbound    12338 8  tcp6   *:53                  *:*
unbound  unbound    12338 9  udp6   *:853                 *:*
unbound  unbound    12338 11 tcp6   *:853                 *:*
unbound  unbound    12338 12 tcp4   127.0.0.1:953         *:*
....
This info tells me that the unbound process is listening on every known interface on pfSense (so all the LANs, and, surprisingly, also all the WAN interfaces).
As you can see, unbound also listens on 127.0.0.1.
Port 53 is used for UDP and TCP, as DNS can use both ! - this is a less known secret, and was created for all the muppets that 'open' UDP port 53 on their LAN, but forget about TCP, and wind up having 'all kind of' DNS issues. You don't bother, as you use the default pfSense LAN firewall rule (right ?!) :
This rule (don't bother my IPv6 lines 2,3 and 4) - the bottom line :
Btw : I'm using the default Resolver settings, with one exception :
I unchecked :
as this option is an unbound killer.
And that's all there is.
And it boils down to : Install pfSense, keep everything to default, except the password, and 'it' works out of the box.
So, what is your issue ? What is different on your pfSense ?
-
@gertjan said in DNS resolution error just on pfsense box:
ipconfig /all
I have 8.8.8.8 and 1.1.1.1 in the DHCP settings for LAN. So the clients are reaching DNS.
The problem is that pfSense is unable to reach DNS (so I cannot update or download packages)
@gertjan said in DNS resolution error just on pfsense box:
Run this command on pfSense (console) :
sockstat | grep 'unbound' shows 127.0.0.1:953 in the list
@gertjan said in DNS resolution error just on pfsense box:
as you use the default pfSense LAN firewall rule (right ?!) :
I have an allow-to-any default rule at the moment since this is a brand new pfSense install
@gertjan said in DNS resolution error just on pfsense box:
Btw : I'm using the default Resolver settings, with one exception :
I unchecked :
Mine is unchecked also, it is unchecked by default. I have all the default settings
-
@viktor77 said in DNS resolution error just on pfsense box:
sockstat | grep 'unbound' shows 127.0.0.1:953 in the list
What does
sockstat | grep 'unbound'
show ?
Btw : I presume that you use "out of the box DNS Unbound settings" now.
When you install pfSense, unbound, the resolver, works using all default settings.
You can test that easily, just to be sure.
Save / backup your current config.
Now use console option number 4.
Set up LAN and WAN - don't add or change anything else.
DNS now works, you can populate the available packages list, try to update pfSense, etc
-
@gertjan said in DNS resolution error just on pfsense box:
What does
sockstat | grep 'unbound'
show ?
unbound unbound 60246 3 udp6 *:53 *:*
unbound unbound 60246 4 tcp6 *:53 *:*
unbound unbound 60246 5 udp4 *:53 *:*
unbound unbound 60246 6 tcp4 *:53 *:*
unbound unbound 60246 7 tcp4 127.0.0.1:953 *:*
unbound unbound 60246 8 dgram -> /var/run/logpriv
unbound unbound 60246 9 stream -> ??
unbound unbound 60246 10 stream -> ??
unbound unbound 60246 11 stream /var/run/php-fpm.socket
unbound unbound 60246 12 stream /var/run/php-fpm.socket
unbound unbound 60246 13 stream -> ??
unbound unbound 60246 15 stream -> ??
unbound unbound 60246 16 stream -> ??
unbound unbound 60246 17 stream -> ??
unbound unbound 60246 18 stream -> ??
unbound unbound 60246 19 stream -> ??
unbound unbound 60246 25 udp6 fe80::62be:b4ff:fe04:c6be%igc0:56101 2001:503:c27::2:30:53
unbound unbound 60246 26 udp6 fe80::62be:b4ff:fe04:c6be%igc0:8806 2001:500:200:53
unbound unbound 60246 27 udp6 fe80::62be:b4ff:fe04:c6be%igc0:8421 2001:500:2f::f:53
unbound unbound 60246 28 udp6 fe80::62be:b4ff:fe04:c6be%igc0:16894 2001:dc3::35:53
@gertjan said in DNS resolution error just on pfsense box:
Btw : I presume that you use "out of the box DNS Unbound settings" now.
When you install pfSense, unbound, the resolver, works using all default settings.
Yes, I removed 8.8.8.8 and 1.1.1.1 from the general setup to use unbound
@gertjan said in DNS resolution error just on pfsense box:
You can test that easily, just to be sure.
Save / backup your current config.
I was trying to keep the reset option as a last resort. I will try to reset later on today.
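A check for the two sockstat questions raised in this thread (does unbound listen on port 53 for both UDP and TCP, on IPv4 and IPv6, and what do its upstream sockets look like), as an added example that is not code from the thread, from pfSense or from unbound. The sample output is constructed from the lines posted above, with the listeners' foreign-address column written as `*:*`; the parser, the `Sock` record and the link-local check are assumptions of this example, not part of pfSense.

```python
"""Sanity checks on `sockstat | grep unbound` output from pfSense.

Added example (not from the thread, pfSense or unbound). SAMPLE is
constructed from the lines posted in this thread, with the foreign
column of the listeners normalised to "*:*". Two questions:
  1. does unbound listen on port 53 for udp4, tcp4, udp6 and tcp6?
  2. do its outbound (upstream) queries leave from a usable address?
"""
import ipaddress
from typing import List, NamedTuple, Set

INET_PROTOS = {"udp4", "tcp4", "udp6", "tcp6"}

# Constructed sample: listeners plus the upstream sockets seen in the thread.
SAMPLE = """\
unbound unbound 60246 3 udp6 *:53 *:*
unbound unbound 60246 4 tcp6 *:53 *:*
unbound unbound 60246 5 udp4 *:53 *:*
unbound unbound 60246 6 tcp4 *:53 *:*
unbound unbound 60246 7 tcp4 127.0.0.1:953 *:*
unbound unbound 60246 8 dgram -> /var/run/logpriv
unbound unbound 60246 11 stream /var/run/php-fpm.socket
unbound unbound 60246 25 udp6 fe80::62be:b4ff:fe04:c6be%igc0:56101 2001:503:c27::2:30:53
unbound unbound 60246 27 udp6 fe80::62be:b4ff:fe04:c6be%igc0:8421 2001:500:2f::f:53
"""


class Sock(NamedTuple):
    proto: str
    lhost: str
    lport: str
    fhost: str
    fport: str


def split_hostport(s: str):
    """'*:53' -> ('*', '53'); the port always follows the last ':', IPv6 included."""
    i = s.rfind(":")
    return s[:i], s[i + 1:]


def parse_sockstat(text: str) -> List[Sock]:
    """Keep only inet sockets; unix sockets (dgram/stream) carry no address."""
    socks = []
    for line in text.splitlines():
        t = line.split()
        if len(t) < 7 or t[4] not in INET_PROTOS:
            continue
        lhost, lport = split_hostport(t[5])
        fhost, fport = split_hostport(t[6])
        socks.append(Sock(t[4], lhost, lport, fhost, fport))
    return socks


def port53_listeners(socks: List[Sock]) -> Set[str]:
    """Protocols on which a listening socket (foreign side *:*) is bound to port 53."""
    return {s.proto for s in socks if s.lport == "53" and s.fhost == "*"}


def missing_port53(socks: List[Sock]) -> List[str]:
    """Clients use both UDP and TCP on 53, so each address family should show both."""
    return sorted(INET_PROTOS - port53_listeners(socks))


def link_local_upstream(socks: List[Sock]) -> List[Sock]:
    """Outbound sockets whose local address is IPv6 link-local (fe80::/10).

    Routers do not forward packets with a link-local source address, so a
    query sent from fe80:: to a global root-server address never gets an
    answer; a resolver stuck this way times out exactly like `dig` did
    earlier in this thread.
    """
    flagged = []
    for s in socks:
        if s.fhost == "*":
            continue                       # listener, not an outbound query
        try:
            addr = ipaddress.ip_address(s.lhost.split("%", 1)[0])  # drop %igc0 scope
        except ValueError:
            continue                       # '*' or anything unparsable
        if addr.is_link_local:
            flagged.append(s)
    return flagged


if __name__ == "__main__":
    socks = parse_sockstat(SAMPLE)
    print("missing port-53 listeners:", missing_port53(socks) or "none")
    for s in link_local_upstream(socks):
        print(f"link-local source {s.lhost} -> {s.fhost}:{s.fport} ({s.proto})")
```

Paste real `sockstat | grep unbound` output into parse_sockstat to run it against a live box. The second check is the caveat worth having here: the output posted above shows unbound querying root-server addresses (fd 25 to 28) from an fe80:: link-local source on igc0, and a query with a link-local source cannot be answered, which matches the `connection timed out` from dig. The thread ends with a reinstall and a NIC change rather than a confirmed root cause, so treat the flag as something to verify, not a diagnosis.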
-
@viktor77 said in DNS resolution error just on pfsense box:
as a last resort
As soon as you finish testing, import the config back in, and one reboot later you're back at square 1.
@viktor77 said in [DNS resolution error just on pfsense box](/post/1072703):
> unbound unbound 60246 3 udp6 *:53 *:*
> unbound unbound 60246 4 tcp6 *:53 *:*
> unbound unbound 60246 5 udp4 *:53 *:*
> unbound unbound 60246 6 tcp4 *:53 *:*
> unbound unbound 60246 7 tcp4 127.0.0.1:953 *:*
Mine looks different ....
[22.05-RELEASE][admin@pfSense.mynetwork.net]/root: sockstat | grep 'unbound'
unbound  unbound    84353 3  udp4   *:53                  *:*
unbound  unbound    84353 4  tcp4   *:53                  *:*
....
unbound  unbound    84353 7  udp6   *:53                  *:*
unbound  unbound    84353 8  tcp6   *:53                  *:*
....
These lines show me that unbound listens on all interfaces, for TCP and UDP, port 53 using IPv6 and IPv4.
-
@gertjan said in DNS resolution error just on pfsense box:
ort the config back in, and one reboot later you're back at square 1.
I reinstalled pfSense, left everything as default. It still couldn't resolve DNS.
Ended up upgrading the installation boot USB from 2.5 to 2.6, re-installed pfSense once again with all default settings, changed the NIC and it resolved the issue.
I am still unsure what caused the issue though.
Thanks for all your input Gertjan :)