No DNS Unless Set In DHCP
-
I'm new to pfSense (using a SG1100) which replaced a Ubiquiti USG.
I set DNS in
System/General Setup
per Configuring DNS over TLS. I have the following networks:
10.1.0.0/24 (admin) - no DNS changes in DHCP, main wifi network
10.20.0.0/24 VLAN50 (guest) - no DNS changes in DHCP, wifi network with isolation enabled
192.168.54.0/24 VLAN60 (work issued computer) - 8.8.8.8 set in DHCP, single switch port
Everything is working as expected.
After some YouTube videos I decided it would be wise (fun?) to move the main WiFi off of the management LAN and onto a VLAN with firewall rules to keep IOT devices and friends out of things they shouldn't be in.
I created 10.10.0.0/24 VLAN70. One allow all firewall rule for initial testing. I could ping everything else on the network but no internet access. I followed Client Tests and determined it is a DNS issue.
If I give this new LAN a DNS server in
Services/DHCP Server/NEWLAN
(even the exact same as System/General Setup) the new LAN works fine.
I'm stumped as to why this is the case... am I missing something? Any help is appreciated!
-
@johnnyrocket what rule(s) exactly did you put on this new vlan? Did you allow for dns?
Out of the box when you enable DHCP, the DHCP server will hand out the pfSense IP on that interface as the DNS.
Do you not have unbound listening on that interface? Had you modified the ACLs in unbound from the default automatic that allows all pfsense networks?
-
@johnpoz Thanks for the quick response.
I think this should allow for everything?
@johnpoz said in No DNS Unless Set In DHCP:
Do you not have unbound listening on that interface?
Not sure how I would have disabled that...
@johnpoz said in No DNS Unless Set In DHCP:
Had you modified the ACLs in unbound from the default automatic that allows all pfsense networks?
I don't think so. You're talking about
Services/DNS Resolver/Access Lists
? That has no entries.
The rest of the network still functions fine btw. Adding the new network didn't affect the existing networks.
-
@johnnyrocket said in No DNS Unless Set In DHCP:
That has no entries.
If you turned off auto, then no entries would mean nothing works.
Do you have any other rules on this VLAN interface? Like blocking RFC1918? Have seen that way more than you could possibly think possible ;)
On a client on this network, look at its config: do you get the IP address of the interface for your DNS server?
Do a query with your fav DNS tool (dig, host, nslookup) at the pfSense IP. Does it resolve anything?
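The two checks above (does the client hold the interface IP as its DNS server, and does a direct query to that IP actually resolve) can be scripted when dig or nslookup are not on the client. The following is an added example and not code from the thread or from pfSense: a minimal DNS A-record query builder and response parser in the Python standard library, plus a helper that turns the response code into the next thing to look at. The `SAMPLE_*` byte strings are constructed responses so the parser can be exercised offline; the interface IP `10.10.0.1` and the query name are placeholders for your own VLAN.

```python
"""Added example, not part of the forum thread: query a resolver directly
(e.g. the pfSense interface IP on the new VLAN) and interpret the answer."""
import socket
import struct

TXID = 0x1234  # fixed transaction id, fine for a one-off diagnostic


def build_query(name: str, txid: int = TXID) -> bytes:
    """Build a standard recursive A/IN query for `name`."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, 1 question
    qname = b"".join(bytes([len(label)]) + label.encode()
                     for label in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


def _read_name(data: bytes, offset: int):
    """Read a (possibly compressed) name; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        length = data[offset]
        if length & 0xC0 == 0xC0:  # compression pointer
            pointer = struct.unpack("!H", data[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset = True, pointer
            continue
        if length == 0:
            offset += 1
            break
        labels.append(data[offset + 1:offset + 1 + length].decode())
        offset += 1 + length
    return ".".join(labels), offset if end is None else end


def parse_response(data: bytes, expected_id: int = TXID) -> dict:
    """Return the response code and any A-record addresses in the answer."""
    txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_id:
        raise ValueError("transaction id mismatch")
    offset = 12
    for _ in range(qd):  # skip the echoed question section
        _, offset = _read_name(data, offset)
        offset += 4
    addrs = []
    for _ in range(an):
        _, offset = _read_name(data, offset)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", data[offset:offset + 10])
        offset += 10
        rdata = data[offset:offset + rdlen]
        offset += rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(rdata))
    return {"rcode": flags & 0x000F, "answers": addrs}


def interpret(result: dict) -> str:
    """Map the response code to the pfSense setting worth checking next."""
    rcode = result["rcode"]
    if rcode == 0 and result["answers"]:
        return "OK: resolver answered " + ", ".join(result["answers"])
    if rcode == 0:
        return "NOERROR but no A records: name exists, check the query name"
    if rcode == 3:
        return "NXDOMAIN: resolver works, the name does not exist"
    if rcode == 5:
        return "REFUSED: resolver reachable but denied the client, check DNS Resolver access lists"
    return f"rcode {rcode}: unexpected, check firewall rules and resolver logs"


def query(server_ip: str, name: str, timeout: float = 2.0) -> dict:
    """Send one UDP query to `server_ip`:53 and parse the reply (network call)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(name), (server_ip, 53))
        data, _ = s.recvfrom(512)
    return parse_response(data)


# Constructed sample replies (not captured traffic) for offline checking:
# id 0x1234, flags 0x8180 (QR RD RA, NOERROR), 1 question, 1 answer
# example.com -> 93.184.216.34 with TTL 3600, name via compression pointer.
SAMPLE_OK = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
    b"\xc0\x0c\x00\x01\x00\x01\x00\x00\x0e\x10\x00\x04\x5d\xb8\xd8\x22"
)
# Same question, flags 0x8185 (REFUSED), no answers.
SAMPLE_REFUSED = (
    b"\x12\x34\x81\x85\x00\x01\x00\x00\x00\x00\x00\x00"
    b"\x07example\x03com\x00\x00\x01\x00\x01"
)

if __name__ == "__main__":
    # Placeholder interface IP for the new VLAN; replace with your own.
    try:
        print(interpret(query("10.10.0.1", "example.com")))
    except (OSError, ValueError) as exc:
        print(f"no usable reply from resolver: {exc} (check firewall rules on the VLAN)")
```

A timeout with no reply at all points at the firewall rule or at unbound not listening on the interface, whereas a REFUSED reply means the packet reached the resolver and the access list is the thing to look at; that distinction is what the raw response code gives you that a browser error does not.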
-
@johnpoz I'm going to sound like I'm losing my mind. Had to run some errands for a few hours. I removed the DNS entry from the DHCP config a bit ago to run the tests you suggested and now they work just fine.
I have no explanation... I'm speechless.
Thank you for your time troubleshooting with me.