pfBlocker blocking all DNS
-
@photomankc In the "bad state" was the DNS Resolver service running? Did you happen to try restarting it? There's an issue with pfBlocker updates where Resolver is stopped and must be started, which as I recall is some sort of issue in pfSense that the package maintainer can't fix.
-
@steveits - If I run into this again, I'll check on that. Damn, should have noticed it was SERVFAIL when I switched to the firewall, not lookup failure.
-
So this happened again today. Woke up in the morning to my wife complaining that nothing was working for her meeting this morning. No pages load on any internal browser and it appears to be a DNS-based error. I logged into the firewall and all services were running. So my watchdog on unbound could not help me out here. I restarted unbound and pfBlocker services and it was resolved. So this appears to be a bug of some kind where the service manages to keep running but not do its job.
I suspect it was really unbound at fault here. So hopefully next time I run into it I won't be under the "OMG I need internet NOW" gun. I'll restart each service and test starting with unbound. This might not be directly a pfblocker issue.
-
@photomankc Any chance it's related to
Fixed: DNS resolver does not update its configuration or reload during link down events #13254
from https://docs.netgate.com/pfsense/en/latest/releases/23-01.html#dns-resolver
-
I don't think it does. No interfaces down in the switch logs and no obvious signs of going down from the outside ip monitoring. From what I saw this morning, if you had a DNS entry locally cached then everything worked fine, but new lookups would fail "SERVFAIL".
After a service restart the lookups succeed immediately.
-
I upgraded from CE to + (23.01) yesterday, this issue began immediately after the upgrade, but also when I awoke and started my workstation this morning.
I'm unsure if unbound was responding with anything at all, but as with OP my nslookup output was the same.
nslookup
Default Server: pfSense.LAN
Address: ::deleted

macrumors.com
Server: pfSense.LAN
Address: ::deleted

*** pfSense.LAN can't find macrumors.com: Server failed
After 20 or so seconds of accessing multiple services (i.e. I restored my browser tabs from yesterday, and clicked through some) it started working for other domains but the issue for macrumors.com remained.
In order to restore this, and access to the Steam friends network, I restarted unbound which appears to have resolved the issue.
I hope the "this started immediately after updating" element may offer some guidance to someone who understands the underlying changes between pfBlockerNG 1.x and pfBlockerNG 2, which was bundled as part of the pfSense+ version change, better than I.
-
I ran the setup wizard to wipe all of my configuration changes from the earlier release, which appears to have (for now) addressed the issue; my next step will be to remove pfBlocker entirely and re-add it, and if all else fails I'm going back to pfSense CE and the earlier major revision of pfBlocker.
-
@pnds @photomankc If you have DNS forwarding enabled in DNS Resolver settings, and have DNSSEC enabled, disable DNSSEC.
-
@steveits Done - thanks for your insight.
Is this a bug, or perhaps a conflicting feature?
If it's a bug, is there a bug ID or something I can track?
If not, please could you help me with an explanation of why this functionality cannot be enabled when using a DNS forwarder?
-
@pnds yeah I didn’t really elaborate there. See thread https://forum.netgate.com/topic/178042/23-01-upgrade-unbound-issue/2
It worked for me.
Can cause failures.
Is unnecessary, if forward servers do it anyway.
-
@steveits Thanks for pointing me in the right direction!
-
I checked and mine is not using a forwarder but is set to use DNSSEC.
Right now I have a cron job set to simply restart unbound at 02:00 every day. I've not seen a recurrence of this issue since doing that.
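As an added example (not code from the thread, from pfSense or from pfBlockerNG), here is a health check that addresses the gap noted earlier in the thread: a process watchdog saw unbound running while it answered SERVFAIL, and a nightly restart fires whether or not anything is wrong. The script probes the resolver with a real lookup and restarts unbound only on SERVFAIL. It assumes `drill` (ldns) is available for the probe and that `pfSsh.php playback svc restart unbound` restarts the resolver; the probe name and restart command are placeholders to adjust for your install.

```shell
#!/bin/sh
# Added example, not code from the thread or from pfSense/pfBlockerNG.
# A process watchdog misses the state described in the thread (unbound running
# but answering SERVFAIL), so this check does a real lookup and restarts unbound
# only on SERVFAIL instead of blindly on a schedule.
# Assumptions: `drill` (ldns, in FreeBSD/pfSense base) performs the probe and
# pfSense's `pfSsh.php playback svc restart unbound` restarts the resolver.

RESOLVER="127.0.0.1"
PROBE_NAME="example.com"   # placeholder: use a name no pfBlocker list blocks
RESTART_CMD="/usr/local/sbin/pfSsh.php playback svc restart unbound"

log() {
    command -v logger >/dev/null 2>&1 && logger -t dns-healthcheck "$*"
    printf 'dns-healthcheck: %s\n' "$*" >&2
}

# classify_answer DRILL_OUTPUT -> ok | servfail | nxdomain | unknown
# Reads the RCODE from drill's header line, e.g.
#   ;; ->>HEADER<<- opcode: QUERY, rcode: SERVFAIL, id: 52173
# Output without an RCODE (timeout, network error) classifies as unknown.
classify_answer() {
    rcode=$(printf '%s\n' "$1" | sed -n 's/.*rcode: \([A-Z]*\),.*/\1/p' | head -n 1)
    case "$rcode" in
        NOERROR)  echo ok ;;
        SERVFAIL) echo servfail ;;
        NXDOMAIN) echo nxdomain ;;
        *)        echo unknown ;;
    esac
}

# probe_resolver -> classification of one live A lookup against $RESOLVER
probe_resolver() {
    classify_answer "$(drill "@$RESOLVER" "$PROBE_NAME" A 2>&1)"
}

# restart_if_servfail STATE -> 0 if unbound was restarted, 1 otherwise.
# nxdomain/unknown are deliberately left alone: not the symptom in question.
restart_if_servfail() {
    [ "$1" = servfail ] || return 1
    log "unbound answered SERVFAIL for $PROBE_NAME; restarting resolver"
    $RESTART_CMD
}

main() {
    state=$(probe_resolver)
    restart_if_servfail "$state" || log "resolver state: $state, no action"
}
# Live probe only when invoked as a script (e.g. from cron every few minutes).
case "${0##*/}" in dns-healthcheck.sh) main ;; esac
```

Save it as dns-healthcheck.sh and schedule it from cron every few minutes; it logs every run's classification, so a SERVFAIL episode leaves a trace even when the restart clears it.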