DNS resolver stops working after a while
-
pfSense 23.01 on Netgate 6100
Running DNS Resolver
Running pfBlockerNG
I have been running this configuration for about a year (upgraded to 23.01 when released).
I have my windows 11 computer configured to use DHCP and automatic DNS.
After reboot of my computer it works perfectly fine, but after some time (hours) I am unable to resolve hosts.
If I try nslookup <target URL> <DNS IP> it times out.
When I inspect the DNS resolver logs I find that the domain name I use for the Netgate box is added as a suffix:
info: resolving netgate.com.<domain>. A IN
ipconfig /all on my computer lists that domain as DNS Suffix Search List (but not Primary Dns Suffix) and the adapter has it as Connection-specific DNS Suffix. I have not configured this on my computer and it is a member of a workgroup, not a domain.
I did not have this issue before upgrading to 23.01, but I have also tinkered a bit with pfBlocker after that so it may not be the cause.
I don't understand why the nslookup times out, but maybe it is recursive when that suffix (same as the box) is added? Chrome displays DNS_BAD_CONFIG when it cannot resolve.
Is the added suffix the problem? If so how do I get rid of it?
Thank you
-
@etoel There are several DNS threads … https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/ for example.
If you are forwarding, disable DNSSEC, and maybe DNS over TLS.
I’d expect the DNS search list to get appended if the first query fails…? I’d guess your issue is probably the above.
-
@etoel said in DNS resolver stops working after a while:
Is the added suffix the problem? If so how do I get rid of it?
The problem is ..... we - that is, you, me and nearly everybody else - are doing it wrong.
Launch this in a pfSense SSH or console :
tail -f /var/log/pfblockerng/dns_reply.log
Now you have a nice view on what the resolver does.
On a 'dos' command prompt, do a
nslookup google.com
You will see 2, 3 requests for google.com in the log, the first with the "Connection-specific DNS Suffix" appended.
Now, again :
nslookup google.com.
Did you see the dot at the end ? That is the correct way of spelling a host name.
Now, nslookup will not insist by adding the local "Connection-specific DNS Suffix". As the final dot means : this is the end, nothing comes after this. You'll see just one or two google.com. DNS requests in the log. No more "Connection-specific DNS Suffix" added.
One, or two, A and/or AAAA is asked.
Btw :
Enter nslookup without options, and then type help + enter.
Type set d2 + Enter and now do a test again, like
google.com
and now you can see what happened as you have debug mode level 2 activated.
Btw : I'm running 23.01 and 4100 (that's a small 6100 ;) ) - with the latest pfB 3.2.0_3.
Resolver settings are 'vanilla', which means I'm resolving.
My DNS resolver never dies on me.
Btw : DNSSEC is activated. Works great ..... I guess, as I never noticed an issue.
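The suffix-appending behaviour described in the post above (a bare "google.com" gets the connection-specific suffix glued on, "google.com." does not), as an added example that is not part of the thread: it models which names a stub resolver tries for each spelling, and scans resolver log lines of the "info: resolving ... A IN" shape for queries where the local suffix was appended to an external name. The suffix "home.lan" and the log lines are constructed for the example.

```python
import re

# Constructed sample log in the shape the resolver writes; not taken from the thread.
# First four lines: what "nslookup google.com" (no trailing dot) then "google.com." produce.
SAMPLE_LOG = """\
info: resolving google.com.home.lan. A IN
info: resolving google.com.home.lan. AAAA IN
info: resolving google.com. A IN
info: resolving google.com. AAAA IN
info: resolving netgate.com.home.lan. A IN
"""

# Name ends with a dot in the log, so capture up to (not including) that dot.
LOG_RE = re.compile(r"resolving (?P<name>\S+)\. (?P<rtype>[A-Z]+) IN")


def stub_resolver_queries(name: str, suffix: str) -> list[str]:
    """Return the fully qualified names a client with a connection-specific
    DNS suffix tries for `name`.  A trailing dot marks the name as absolute,
    so nothing is appended; otherwise the suffixed form is tried first and the
    bare name only after that lookup fails (the order the thread observed;
    assumed here, real clients differ in ordering)."""
    if name.endswith("."):
        return [name]
    return [f"{name}.{suffix}.", f"{name}."]


def suffix_appended_queries(log_text: str, suffix: str) -> list[tuple[str, str]]:
    """Pick out log entries where `suffix` was appended to another name.
    Returns (original name, record type) pairs; a burst of these for public
    names is the symptom to look for before blaming the resolver itself."""
    hits = []
    tail = "." + suffix
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("name").endswith(tail):
            hits.append((m.group("name")[: -len(tail)], m.group("rtype")))
    return hits


if __name__ == "__main__":
    print(stub_resolver_queries("google.com", "home.lan"))
    print(stub_resolver_queries("google.com.", "home.lan"))
    for name, rtype in suffix_appended_queries(SAMPLE_LOG, "home.lan"):
        print(f"suffix appended to {name} ({rtype})")
```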