Netgate Discussion Forum

DNS resolver stops working after a while

DHCP and DNS
3 Posts 3 Posters 748 Views

etoel (last edited Mar 21, 2023, 10:46 AM)

    pfSense 23.01 on Netgate 6100
    Running DNS Resolver
    Running pfBlockerNG

    I have been running this configuration for about a year (upgraded to 23.01 when released).
    I have my windows 11 computer configured to use DHCP and automatic DNS.
    After reboot of my computer it works perfectly fine, but after some time (hours) I am unable to resolve hosts.

    If I try nslookup <target URL> <DNS IP> it times out.
    When I inspect the DNS resolver logs I find that the domain name I use for the Netgate box is added as a suffix:

    info: resolving netgate.com.<domain>. A IN

    ipconfig /all on my computer lists that domain as DNS Suffix Search List (but not Primary Dns Suffix) and the adapter has it as Connection-specific DNS Suffix. I have not configured this on my computer and it is a member of a workgroup, not a domain.

    I did not have this issue before upgrading to 23.01, but I have also tinkered a bit with pfBlocker after that so it may not be the cause.

    I don't understand why the nslookup times out, but maybe it is recursive when that suffix (same as the box) is added? Chrome displays DNS_BAD_CONFIG when it cannot resolve.

    Is the added suffix the problem? If so how do I get rid of it?

    Thank you

SteveITS @etoel (last edited Mar 21, 2023, 12:46 PM)

      @etoel There are several DNS threads … https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/ for example.

      If you are forwarding, disable DNSSEC, and maybe DNS over TLS.

      I’d expect the DNS search list to get appended if the first query fails…? I’d guess your issue is probably the above.

      Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
      When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
      Upvote 👍 helpful posts!

Gertjan @etoel (last edited by Gertjan Mar 21, 2023, 2:09 PM)

        @etoel said in DNS resolver stops working after a while:

        Is the added suffix the problem? If so how do I get rid of it?

        The problem is ..... we, that is you, me and nearly everybody else, are doing it wrong.

        Launch this in a pfSense SSH or console session:

        tail -f /var/log/pfblockerng/dns_reply.log


        Now you have a nice view on what the resolver does.

        On a 'dos' command prompt, do a

        nslookup google.com
        

        You will see 2, 3 requests for google.com in the log, the first with the "Connection-specific DNS Suffix" appended.

        Now, again:

        nslookup google.com.


        Did you see the dot at the end? That is the correct way of spelling a host name.
        Now, nslookup will not insist on adding the local "Connection-specific DNS Suffix", as the final dot means: this is the end, nothing comes after this. You'll see just one or two google.com. DNS requests in the log. No more "Connection-specific DNS Suffix" added.
        One or two records, A and/or AAAA, are asked for.

        Btw:
        Enter nslookup without options, and then type help + Enter.
        Type set d2 + Enter

        and now do a test again, like
        google.com

        and now you can see what happened, as you have debug mode level 2 activated.

        Btw: I'm running 23.01 on a 4100 (that's a small 6100 ;) ) with the latest pfB 3.2.0_3.
        Resolver settings are 'vanilla', which means I'm resolving.
        My DNS resolver never dies on me.
        Btw: DNSSEC is activated. Works great ..... I guess, as I never noticed an issue.

        No "help me" PMs please. Use the forum, the community will thank you.
        Edit: and where are the logs??

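The search-suffix behaviour Gertjan walks through above (a name without a trailing dot gets the connection-specific suffix appended first, a name ending in "." is absolute and is queried as-is) is easy to reason about with a small model, and the "suffix glued onto an already fully qualified name" pattern is easy to spot in resolver logs. The following is an added example, not code from the thread, pfSense or pfBlockerNG. It assumes the log line shape etoel quoted (`info: resolving <qname> <qtype> IN`); the log lines and the suffix `home.example` (standing in for the `<domain>` etoel redacted) are constructed here, and the candidate ordering models what the post reports for Windows nslookup, not every stub resolver (glibc's `ndots` rule orders candidates differently).

```python
"""Model of DNS search-list expansion plus a log check for search-suffix
artifacts.  Added example; not code from the forum thread or from pfSense.
"""
import re
from typing import List, Tuple

# Matches the unbound-style line etoel quoted: "info: resolving <qname> <qtype> IN".
RESOLVE_RE = re.compile(r"info: resolving (?P<qname>\S+) (?P<qtype>\S+) IN")

# Constructed sample (hypothetical timestamps, pid and suffix "home.example").
SAMPLE_LOG = """\
Mar 21 10:40:01 unbound[1234:0] info: resolving netgate.com.home.example. A IN
Mar 21 10:40:01 unbound[1234:0] info: resolving netgate.com.home.example. AAAA IN
Mar 21 10:40:02 unbound[1234:0] info: resolving netgate.com. A IN
Mar 21 10:40:05 unbound[1234:0] info: resolving printer.home.example. A IN
"""


def search_candidates(name: str, search_list: List[str]) -> List[str]:
    """Return the query names a stub resolver tries, in order.

    Models the behaviour described in the thread for Windows nslookup: a name
    without a trailing dot is tried with each connection-specific suffix
    first and then bare; a name ending in '.' is absolute and never suffixed.
    (Assumption: other stub resolvers, e.g. glibc with ndots, differ.)
    """
    if name.endswith("."):
        return [name]  # absolute name: exactly one candidate
    suffixed = [f"{name}.{s.strip('.')}." for s in search_list]
    return suffixed + [name + "."]


def suffixed_queries(log_text: str, suffix: str) -> List[Tuple[str, str, str]]:
    """Find log queries where `suffix` was glued onto an already multi-label
    name (e.g. netgate.com.<suffix>.), the artifact shown in the thread.

    Single-label names with the suffix (printer.<suffix>.) are legitimate
    local lookups and are not reported.  Returns (qname, inner_name, qtype).
    """
    tail = "." + suffix.strip(".") + "."
    hits = []
    for line in log_text.splitlines():
        m = RESOLVE_RE.search(line)
        if not m:
            continue
        qname = m.group("qname")
        if qname.endswith(tail):
            inner = qname[: -len(tail)]
            if "." in inner:  # inner part is itself a multi-label name
                hits.append((qname, inner, m.group("qtype")))
    return hits


if __name__ == "__main__":
    for n in ("google.com", "google.com."):
        print(n, "->", search_candidates(n, ["home.example"]))
    for qname, inner, qtype in suffixed_queries(SAMPLE_LOG, "home.example"):
        print(f"search-suffix artifact: {qname} ({qtype}); intended name {inner}.")
```

Running it shows why the trailing dot matters: `google.com` expands to two candidates with the suffixed one first, while `google.com.` expands to itself only. The log check flags the two `netgate.com.home.example.` queries and leaves `printer.home.example.` alone, which is the distinction to make when reading the resolver log: a suffixed query for an internet name is the client's search list at work, not a resolver fault.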