DNS Resolver not working after config restore

doxymoron

My pfsense device recently died. I've restored my config to a new device, but for some reason I cannot get the DNS resolver to work. Local clients cannot resolve any addresses using pfsense as the DNS server, and pfsense itself can't resolve anything using DNS Lookup from the GUI (For example it can't even check for updates). What should I be checking? Other than the hardware, nothing else has changed.

SteveITS

@doxymoron Is it running? What do the system and DNS logs show? Are you forwarding (if so disable DNSSEC) or resolving (the default)?

doxymoron

@steveits Service is running. I have disabled DNSSEC (was previously using this). It was in forwarding mode, I tried disabling but that made no change. I see this in the system logs when I start Unbound:

/system.php: Unbound /var/unbound/root.key file is corrupt, removing and recreating.

This is latest form the DNS Resolver log, seems like it may be stopping and restarting?:

Mar 3 17:45:49 unbound 95307 [95307:0] info: start of service (unbound 1.12.0).
Mar 3 17:45:49 unbound 95307 [95307:0] notice: init module 0: iterator
Mar 3 17:45:49 unbound 95307 [95307:0] notice: Restart of unbound 1.12.0.
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 3: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 3: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 2: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 2: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 1: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 1: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 0: requestlist max 0 avg 0 exceeded 0 jostled 0
Mar 3 17:45:49 unbound 95307 [95307:0] info: server stats for thread 0: 0 queries, 0 answers from cache, 0 recursions, 0 prefetch, 0 rejected by ip ratelimiting
Mar 3 17:45:49 unbound 95307 [95307:0] info: service stopped (unbound 1.12.0).
Mar 3 17:45:49 unbound 95307 [95307:0] info: start of service (unbound 1.12.0).

doxymoron

What I don't get, is even if I disable DNS Resolver completely, pfsense cannot resolve anything. Shouldn't it be using the DNS server I set in General-Setup? I don't get why everything was fine using the exact same config.

SteveITS

@doxymoron can you ping or traceroute out from pfSense itself, on the Diagnostic menu?

doxymoron

@steveits Yes I can ping 8.8.8.8 from pfsense for example. Traceroute gives me this:

1 10.6.0.1 10.781 ms 10.292 ms 9.396 ms
2 24.140.1.55 10.635 ms 8.590 ms 11.504 ms
3 * * *
4 * 64.125.22.228 33.254 ms *
5 * * *
6 74.125.50.194 21.498 ms 18.355 ms 19.994 ms
7 * * *
8 * * *
9 * * *
10 * * *
11 * * *
12 * * *
13 * * *
14 * * *
15 * * *
16 * * *
17 * * *
18 * * *

SteveITS

@doxymoron well not every router will respond to pings but it looks like you connection dies at 74.125.50.194. Which apparently has no PTR record so not sure what that is.

Ping 8.8.8.8 continuously, do you have packet loss?

doxymoron

@steveits No, it's solid.

SteveITS

@doxymoron Long shot but does it work if you reset to defaults? Can always restore again after.

doxymoron

@steveits I just completely installed 2.6 from scratch. I'm unable to resolve anything. Something isn't right...could there be some issue at the ISP level where they are blocking pfsense as a DNS resolver? I don't get what's going on.

SteveITS

@doxymoron Can you “nslookup netgate.com 8.8.8.8” from your PC?

doxymoron

@steveits Yes that works. But when I try to nslookup using pfsense, gives me DNS request timed out.

SteveITS

@doxymoron if you enable forwarding in the Resolver settings does it work?

I mean, I suppose it’s conceivable the ISP is blocking third party DNS but I would think they’d block Google before the root servers. Awfully uncommon though. Not sure I’ve heard of blocking DNS at the ISP level.

doxymoron

@steveits So enabling forwarding worked on the fresh install. I have restored my config and made the same settings. It still did not resolve. I found this thread:

https://forum.netgate.com/topic/87141/can-t-access-internet-fresh-install/20

Which suggests doing this:

Go to Interface - WAN - Uncheck Block private networks.

I did this and now DNS Resolver is working. Interestingly, I went back and checked that box again, and it still continues to work. I really don't know why or how though...

SteveITS

@doxymoron Hmm that adds a rule to prevent incoming connections on the interface.

doxymoron

@steveits I wonder if somehow unchecking that box reset something that was in my config causing it not to work correctly? Not sure...