Strange: DNS not working on 2.5.2 & 2.6.0, but ping etc does...
We are trying to install 2.5.2 or 2.6.0 to migrate to pfSense Plus because of i226 NICs. (2.7.0 does not seem to be ready, and the time frame for a migration path to 23.01 seems to be unclear.)
As some posts advise, we use USB networking adapters for this. Setup is as follows:
USBNIC-1 connected to LAN but configured as WAN with DHCP. It gets an IP, DNS, gateway etc. Ok.
USBNIC-2 is connected to a switch and got a fixed IP address. On the switch there is also a notebook for the pfSense GUI with a fixed IP address from the same subnet as USBNIC-2. Ok.
USBNIC-1 and USBNIC-2 are on different subnets.
We start the installation that runs fine. What we see is the same for 2.5.2 and for 2.6.0. When installation is finished and IP addresses are set up we do and see the following:
RFC1918 nets are not blocked, bogons not blocked.
pfctl -d (just to be sure nothing blocks)
From the notebook command line we can ping all hosts - on LAN and in the world. From pfSense we can do the same. Routing seems to work fine.
But we are unable to get addresses for any hosts via DNS.
I can ping 22.214.171.124 fine. But dig @126.96.36.199 abc.com (or whatever) does not give any result and times out. This holds true for any host and any DNS server. I can do dig @188.8.131.52 pfsense.org - but this is the only host where I get an IP address. Sometimes on the command line of pfSense I get an error from 127.0.0.1. I tried resolver, forwarder, nothing works. We tried everything using nslookup and dig. And there are no rules anywhere that prevent looking up hosts via DNS.
I have no clue. I have never seen this before. Can someone please enlighten me?
EDIT: Also disabled DNSSEC. Did all of what the docs recommend for troubleshooting.
@demux said in Strange: DNS not working on 2.5.2 & 2.6.0, but ping etc does...:
Can someone please enlighten me?
23.01 is available also for non-Netgate devices these days. Get a copy? Why wait?
And yes, system debugging with USB is close to self-inflicted pain.
I can't recall 2.5.2 - but I probably used it for months if not longer. It worked just fine.
I used 2.6.0 for more than a year. There was some patching back then (the patches still exist) and it all depends on your needs.
The resolver (unbound) was always working just fine for me using resolver mode.
Of course, like Realtek NICs, stay away from @x.x.x.x for your DNS needs - only use them if you have to give your DNS traffic to other companies.
Just use unbound as a resolver - as it has been set up out of the box. No wonder why Netgate has set up that mode by default.
If you still have DNS issues: easy: ditch your ISP.
@gertjan If Netgate gave us 23.01 images for installation we would surely not go that way.
It's not an ISP issue. All other machines can use whatever DNS server they like. It is only this pfSense machine that uses our own DHCP server to get things (and it gets them right) and that uses these USB adapters (with ASIX). It looks to me like the strange things seen with MSS/MTU sizes. But now with UDP traffic. For some queries I get a correct "first part" of an answer and then a timeout. For others I only get a timeout.
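One way to test that "MTU-like, but UDP" hypothesis is to send the same DNS query with different advertised EDNS0 buffer sizes and over TCP, and see which replies come back. This is an added example, not from this thread or from pfSense: it builds the query by hand with only the standard library, and SERVER (127.0.0.1, the box's own unbound) and NAME (pfsense.org, the one name the poster could resolve) are assumed defaults.

```python
import socket
import struct

SERVER = "127.0.0.1"   # assumption: the pfSense box's own resolver; use any server you like
NAME = "pfsense.org"   # assumption: the one name that resolved in the thread


def build_query(name, qid=0x1234, edns_size=None):
    """Wire-format A query; with edns_size an EDNS0 OPT RR advertises that UDP payload size."""
    arcount = 0 if edns_size is None else 1
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, arcount)   # RD flag set
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"
    question = qname + struct.pack(">HH", 1, 1)                       # QTYPE A, QCLASS IN
    # OPT RR: root name, TYPE 41, CLASS = UDP payload size, TTL = 0, RDLENGTH = 0
    opt = b"" if edns_size is None else b"\x00" + struct.pack(">HHIH", 41, edns_size, 0, 0)
    return header + question + opt


def parse_reply(data, qid):
    """Return (answer_count, truncated) for a reply matching qid, else None."""
    if len(data) < 12:
        return None
    rid, flags, _, ancount, _, _ = struct.unpack(">HHHHHH", data[:12])
    if rid != qid:
        return None
    return ancount, bool(flags & 0x0200)   # TC bit: answer did not fit the UDP size


def probe(server, name, edns_size=None, tcp=False, timeout=3.0):
    """Send one query; classify the outcome as 'timeout', 'truncated', 'ok:N' or 'bad reply'."""
    qid = 0x1234
    query = build_query(name, qid, edns_size)
    try:
        if tcp:   # TCP DNS prefixes each message with a 2-byte length
            with socket.create_connection((server, 53), timeout) as s:
                s.sendall(struct.pack(">H", len(query)) + query)
                ln = struct.unpack(">H", s.recv(2))[0]
                data = b""
                while len(data) < ln:
                    chunk = s.recv(ln - len(data))
                    if not chunk:
                        break
                    data += chunk
        else:
            with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
                s.settimeout(timeout)
                s.sendto(query, (server, 53))
                data = s.recv(4096)
    except (socket.timeout, OSError):
        return "timeout"
    parsed = parse_reply(data, qid)
    if parsed is None:
        return "bad reply"
    ancount, truncated = parsed
    return "truncated" if truncated else f"ok:{ancount}"


if __name__ == "__main__":
    for label, kw in [("udp, no EDNS", {}), ("udp, EDNS 512", {"edns_size": 512}),
                      ("udp, EDNS 4096", {"edns_size": 4096}), ("tcp", {"tcp": True})]:
        print(f"{label:15} -> {probe(SERVER, NAME, **kw)}")
```

If small UDP answers and TCP succeed while the EDNS 4096 probe times out, large (often fragmented) UDP replies are being lost on the path, which is what a broken USB NIC driver or a bad MTU would look like for DNS while ping still works.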
It seems as if it was the USB adapter. We changed it to Realtek and it seems to be working.