Unbound Not Resolving ANYTHING
-
We have a fresh install of pfSense. Unbound is running and the DNS resolver is on.
However, we cannot resolve any domains at all when using the local interface. We can use the same external DNS provider that unbound uses and it resolves fine.
Firewall rules allow all traffic to the interface IP.
All responses we get from nslookup are "Server Fail"
Pulling my hair out on this one. Completely stumped.
ALL Default settings regarding DNS resolver.
-
A new install of pfSense, with the usual setup of LAN = 192.168.1.1/24 and a DHCP server running on LAN with some pool like 192.168.1.x => y,
and WAN set to DHCP client, and no other changes (no VLANs, no DNS parameter changes, nothing),
will produce a working setup.
There is, of course, one thing to check.
If you hook up pfSense to an upstream ISP router, and this ISP router uses 192.168.1.1/24 on its own LAN, then the WAN IP of pfSense becomes 192.168.1.z where z is something between 2 and 254.
That's where things break: LAN and WAN have the same network: the router can't route.
@csit-0 said in Unbound Not Resolving ANYTHING:
We can use the same external DNS provider that unbound uses
Initially, you shouldn't need to do anything to make DNS work.
You don't need an "ISP DNS", and you don't need the services of 1.1.1.1 or 8.8.8.8.
@csit-0 said in Unbound Not Resolving ANYTHING:
However, we cannot resolve any domains at all when using the local interface.
Your LAN devices can reach the pfSense LAN interface?
Unbound replies?
Run the "nslookup somesite.com" command on your PC; it will tell you what you want to know.
Run "ipconfig /all" and check if all parameters are within expected ranges.
The pfSense default LAN firewall rule passes all traffic, no exceptions.
Can you do a dig or nslookup on pfSense itself?
No hidden game changers in play like "VLAN" or "VM" or "Realtek NICs"?
What does Status > DNS Resolver show?
-
@csit-0 Does it work if you manually restart the unbound service after the device has booted up? (From Status -> Services)
Also try this - SSH into the PFSense box and then run:
nslookup www.google.com 127.0.0.1
Does this work? What about:
nslookup www.google.com 192.168.1.1
Does this work? (replace 192.168.1.1 with the actual LAN IP address of your PFSense box)
-
@dbmandrake said in Unbound Not Resolving ANYTHING:
nslookup www.google.com 127.0.0.1
Server: 127.0.0.1
Address: 127.0.0.1#53
** server can't find www.google.com: SERVFAIL
-
We do have VLANS, and we have changed the default subnet. We moved everything from .1 to .198, so there should be no conflicts there.
Tracert indicates a single NAT.
LAN Devices can ping the interface just fine and login to it.
We are using a Netgate 6100 with the install it came with.
We have installed pfblockerNG with default settings, but it can't block anything because unbound doesn't seem to work. Does not make a difference on or off.
Output:
-
@csit-0 Which interfaces do you have selected for "Network Interfaces" and "Outgoing Network Interfaces" in the DNS Resolver configuration?
Are they still both on the default "All" or have you changed them?
If you are logged into the PFSense box directly with SSH and
nslookup www.google.com 127.0.0.1
fails (and assuming you have either All or Localhost enabled in "Network Interfaces"), then unbound is not working at all and you can immediately rule out anything on the LAN side of your network or any clients.
Do you get anything from the same SSH session if you try
nslookup www.google.com x.x.x.x
where x.x.x.x is your configured upstream DNS server?
Also, do you have "DNS Query Forwarding" ticked? If not then unbound is NOT using your upstream DNS server; instead it will be trying to query the root servers directly. Make sure you tick this box if you want to forward all your queries to a specific upstream server.
Also to rule it out as a possible problem, disable the PFBlockerNG service for now. When I was playing around with PFBlockerNG I found misconfiguring it could break unbound completely.
-
They are both set to all. Fails on localhost and works on external.
Enabled DNS Query Forwarding, seemed to have missed that. Still not resolving, Server Fail.
pfblocker is disabled.
:/
-
@csit-0 I have experienced this issue several times when the admin accidentally sets the pfSense host name in a .local domain name, e.g. pfsense.domain.local
The .local part seems to mess up unbound under most circumstances. (Yes, I know it's a problematic name and is both reserved and used in mDNS.) But still.....
-
@keyser It is not set to .local domain or anything like that.
DNS Resolver set to forwarding (not DNS Forwarder) seems to have randomly started working. But setting it back to the resolver mode, servfail every time.
-
@csit-0
If you have DNSBL on in pfBlockerNG try to disable it. Disabling pfBlockerNG is not sufficient.
-
My unbound stopped resolving all remote addresses while local addresses worked fine just because the computer date was reset to its factory default 20 years ago. I changed the BIOS date and the resolver works again. No log on this issue so this problem took me a day until I quickly discovered the solution from using telepathic meditation.
-
What do you have configured for ACLs in the firewall?
Is port 53, 853 allowed to pass your LAN interface? If you're using DoT, port 853 needs to be allowed to pass.
Do you have NAT rules in place for your port 53? If so you need to add both loopback and firewall IP for the NAT rule with it negated, meaning anything not going to the firewall or the loopback redirect that traffic to the firewall.
Have you attempted a trace route and run a ping to your DNS?
Has it ever worked before?
Does your ISP give you an IPv6 address also?
-
i was having similar symptoms for months after an isp change. elusive, intermittent failures. certain sites faring well, others almost unusable. then a day later, seemingly random redistribution of problematic sites and working sites.
figured out my isp was handing out ip6 and ip4 addresses to dhcp clients, while only allowing port 53 traffic over ip4 for some ungodly reason.
SOLVED: putting "do-ip6: no" in unbound.conf cleared everything right up. AAAA records still come back but everything port 53 up and downstream of my resolver now happens over ip4.
sadly i guess i cannot access any of the zero domains known to me with their authoritative nameservers only available via ip6 unless i use my isp's cache (lazy bums actually only offer up google's in the dhcp response anyway; no thank you)
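The checklist dbmandrake gives above (unbound via loopback, via the LAN address, then the upstream server) and the IPv4-versus-IPv6 split described in this post, combined into one added diagnostic script that is not from the thread or from pfSense. It runs from a pfSense SSH shell; LAN_IP and UPSTREAM are placeholders to fill in, and the root-server addresses are the published ones for a.root-servers.net.

```shell
#!/bin/sh
# Added example, not from the thread: run its nslookup checks in order from a pfSense
# SSH shell and reduce each result to one token. LAN_IP and UPSTREAM are placeholders.
QNAME="www.google.com"
LAN_IP="192.168.1.1"           # pfSense LAN address (thread default; adjust)
UPSTREAM="x.x.x.x"             # upstream DNS server configured in pfSense
ROOT_V4="198.41.0.4"           # a.root-servers.net over IPv4
ROOT_V6="2001:503:ba3e::2:30"  # a.root-servers.net over IPv6

# classify_nslookup OUTPUT -> SERVFAIL | REFUSED | NXDOMAIN | OK | NOANSWER
# SERVFAIL from 127.0.0.1 means unbound answered but failed, ruling out LAN and clients;
# NOANSWER means nothing came back (timeout, unreachable, blocked).
classify_nslookup() {
    case "$1" in
        *SERVFAIL*) echo SERVFAIL; return ;;
        *REFUSED*)  echo REFUSED;  return ;;
        *NXDOMAIN*) echo NXDOMAIN; return ;;
    esac
    # A real answer: an A/AAAA line ("Address:" without the server's "#53" suffix)
    # or an NS line ("nameserver =") from the root-zone probe.
    if printf '%s\n' "$1" | grep -Eq '^Address: [0-9A-Fa-f.:]+$|nameserver = '; then
        echo OK
    else
        echo NOANSWER
    fi
}

# probe LABEL SERVER [TYPE NAME]: one lookup, one summary line.
probe() {
    if [ -n "$3" ]; then out=$(nslookup -type="$3" "$4" "$2" 2>&1)
    else out=$(nslookup "$QNAME" "$2" 2>&1); fi
    printf '%-24s %-22s %s\n' "$1" "$2" "$(classify_nslookup "$out")"
}

run_triage() {
    probe "unbound via loopback"  127.0.0.1
    probe "unbound via LAN"       "$LAN_IP"
    probe "upstream forwarder"    "$UPSTREAM"
    # Root servers return referrals, not addresses, so ask for the root NS set instead.
    # OK over IPv4 but NOANSWER over IPv6 is the pattern that "do-ip6: no" addresses.
    probe "root server, IPv4"     "$ROOT_V4" ns .
    probe "root server, IPv6"     "$ROOT_V6" ns .
}

# Constructed sample: the SERVFAIL output quoted earlier in the thread (no network needed).
SAMPLE_SERVFAIL="Server: 127.0.0.1
Address: 127.0.0.1#53

** server can't find www.google.com: SERVFAIL"
if [ "${1-}" = run ]; then run_triage; fi   # pass "run" to perform the live lookups
```

A SERVFAIL on the loopback line with OK on the upstream line reproduces the situation in this thread; NOANSWER only on the IPv6 root line points at the transport problem rather than at unbound.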
-
@Gawzirabaws said in Unbound Not Resolving ANYTHING:
sadly i guess i cannot access any of the zero domains known to me with their authoritative nameservers only available via ip6
I guess these exist only for testing purposes.