PFSENSE + 23.01
-
@gertjan
failed to resolve host
more than 200 failed to resolve host
https://www.reddit.com/r/PFSENSE/comments/105dbm9/issues_with_dynamic_dns_on_2301dev/
-
@jimbohello said in PFSENSE + 23.01:
https://www.reddit.com/r/PFSENSE/comments/105dbm9/issues_with_dynamic_dns_on_2301dev/
Jan 6 21:25:26 php-fpm 844 /services_dyndns_edit.php: Dynamic DNS (pfsense.xxxxxxx.us) There was an error trying to determine the public IP for interface - wan (ix3 ).
That's not a DynDNS problem.
It's worse.
Here : http://checkip.dyndns.org/ and click on that link ( it's safe ).
For everybody, it should indicate your WAN IP.
I can do the same thing on the console / SSH access of my pfSense :
[23.01-RELEASE][admin@pfSense.my4100.tld]/root: curl http://checkip.dyndns.org/
<html><head><title>Current IP Check</title></head><body>Current IP Address: 82.127.62.108</body></html>
And that's correct : that's my WAN IPv4 !!
Your issue is probably : the same command doesn't work for you.
A possible reason is : your pfSense can't do DNS for itself.
Check that out with :
nslookup checkip.dyndns.org
on your PC.
And do the same command on pfSense :
[23.01-RELEASE][admin@pfSense.my4100.net]/root: nslookup checkip.dyndns.org
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
checkip.dyndns.org canonical name = checkip.dyndns.com.
Name: checkip.dyndns.com
Address: 193.122.6.168
Name: checkip.dyndns.com
Address: 132.226.247.73
Name: checkip.dyndns.com
Address: 193.122.130.0
Name: checkip.dyndns.com
Address: 132.226.8.169
Name: checkip.dyndns.com
Address: 158.101.44.242
I don't say that 'this' is your issue.
Just that if pfSense can't access "checkip.dyndns.com" you've 'done' something, because it works out of the box.
Massive issues upgrading to 23.01
You have a 4100 recently so it had what in the beginning , 22.05 ?
Going from 22.05 to 23.01 wasn't that hard if I recall - I thought it was a mouse click thing.
For me it was.
Didn't even know people were talking pfSense also on reddit.
Actually, I never check / use reddit. It's too ... noisy. I like this place : no ads ^^
Dev versions are for those who want to live on the bleeding edge.
It's normal to see some blood ;)
-
Server: 127.0.0.1
Address: 127.0.0.1#53
Non-authoritative answer:
Name: checkip.dyndns.com
Address: 132.226.8.169
Name: checkip.dyndns.com
Address: 193.122.130.0
Name: checkip.dyndns.com
Address: 158.101.44.242
Name: checkip.dyndns.com
Address: 193.122.6.168
Name: checkip.dyndns.com
Address: 132.226.247.73
-
hum strange !
i test out something !
disable dns over TLS in the dns resolver !
put it back to standard 53, seems to have resolved the issue !
pretty strange !
-
@jimbohello at this point every issue we have with v23 seems to come back to some unbound DNS issue. You might check the other threads about getting DNS with TLS working.
-
@jimbohello said in PFSENSE + 23.01:
disable dns over TLS in the dns resolver
As Clyosoft indicates there are a few threads about DNS not working. Disabling DNSSEC while forwarding seems to be required now (and reportedly all along was known to sometimes cause failures when forwarding), but several have said they also need to disable DNS over TLS. See for instance:
https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl/
-
DNSSEC was already disabled !
i do not use quad9
opendns
cloudflare
google
I'll just turn off TLS for now :)
-
i don't know if this helps, but i did some testing,
if i remove in tab - /system/general
use remote dns server , ignore local dns
the problem is solved using DNS OVER TLS
when i put back "use local dns, ignore remote dns " problem occur
-
@jimbohello said in PFSENSE + 23.01:
when i put back "use local dns, ignore remote dns " problem occur
This setting affects how pfSense itself does DNS. So again it sounds like DNS is not working on your router, for some reason.
https://docs.netgate.com/pfsense/en/latest/config/general.html#dns-resolution-behavior
Is the DNS Resolver service running? If you try to start it, or restart it, are there errors shown in the system log or DNS Resolver log? Test DNS using Diagnostics/DNS Lookup.
-
Listen my friend , yesterday before my upgrade 23.01 my setup was the same for several years
Never had an issue
23.01 is the issue in DoT
I have zero problem on dns resolution for my local lan client.
The problem is only in alias fetching xxxx.dyndns.org ip
Same issue on all my appliance
LOG/ dns resolver /. FAILED TO RESOLVE HOST
If i go back to standard dns(53). Work like lucky charm. :)
It exactly this problem
https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl
quad9, google, opendns, cloudflare or whatever is issue
All my appliance 23.01 are doing this issue
All my appliance 22.05 are doing good
They have the same setup everywhere.
-
here log level 3
from pfsense resolution itself
Apr 7 21:33:30 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:33:30 unbound 88702 [88702:0] info: query response was NXDOMAIN ANSWER
Apr 7 21:33:30 unbound 88702 [88702:0] info: reply from <.> 1.1.1.1#853
Apr 7 21:33:30 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:33:30 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:33:30 unbound 88702 [88702:0] debug: iterator[module 0] operate: extstate:module_wait_reply event:module_event_reply
From the client side (lan)
Apr 7 21:38:42 unbound 88702 [88702:0] info: finishing processing for vrac-nicolas.dyndns.org. A IN
Apr 7 21:38:42 unbound 88702 [88702:0] info: query response was ANSWER
Apr 7 21:38:42 unbound 88702 [88702:0] info: reply from <.> 8.8.8.8#853
Apr 7 21:38:42 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org. A IN
Apr 7 21:38:42 unbound 88702 [88702:0] info: iterator operate: query vrac-nicolas.dyndns.org. A IN
JESUS I FOUND THE ISSUE I GUESS :
WHY IS PFSENSE ITSELF TRY TO RESOLVE
vrac-nicolas.dyndns.org.jimbohello.arpa
when it supposed to be vrac-nicolas.dyndns.org
pfsense is adding the domain part of itself ! no wonder why it can't resolve
-
Hmm, I only expect to see that if it has already failed to resolve the fqdn without the domain appended.
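
The check suggested in the reply above, as an added example that is not part of the thread or of pfSense: parse unbound verbosity-3 lines, find FQDNs queried with the search domain appended, and report whether a bare-FQDN lookup failed first. The function names `parse_results` and `audit` are hypothetical; the sample lines are the ones posted in this thread.

```python
import re
# Lines copied from the thread, reordered oldest first (assumed raw-log order).
SAMPLE_LOG = """\
Apr 7 21:33:30 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org.jimbohello.arpa. AAAA IN
Apr 7 21:33:30 unbound 88702 [88702:0] info: reply from <.> 1.1.1.1#853
Apr 7 21:33:30 unbound 88702 [88702:0] info: query response was NXDOMAIN ANSWER
Apr 7 21:38:42 unbound 88702 [88702:0] info: response for vrac-nicolas.dyndns.org. A IN
Apr 7 21:38:42 unbound 88702 [88702:0] info: reply from <.> 8.8.8.8#853
Apr 7 21:38:42 unbound 88702 [88702:0] info: query response was ANSWER
"""

RESPONSE = re.compile(r"info: response for (\S+)\. (\S+) IN")
REPLY = re.compile(r"info: reply from <\S*> (\S+)#(\d+)")
RESULT = re.compile(r"info: query response was (.+)$")

def parse_results(text):
    """One record per upstream answer: name, qtype, upstream, port, result."""
    records, cur = [], {}
    for line in text.splitlines():
        if m := RESPONSE.search(line):
            cur = {"name": m.group(1).lower(), "qtype": m.group(2)}
        elif (m := REPLY.search(line)) and cur:
            cur["upstream"], cur["port"] = m.group(1), int(m.group(2))
        elif (m := RESULT.search(line)) and "upstream" in cur:
            records.append({**cur, "result": m.group(1).strip()})
            cur = {}
    return records

def audit(records, search_domain):
    """Flag FQDNs queried with the search domain appended, with context."""
    suffix = "." + search_domain.lower().strip(".")
    findings = []
    for i, rec in enumerate(records):
        bare = rec["name"][: -len(suffix)]
        # Skip unsuffixed names and single-label hosts (suffixing those is normal).
        if not rec["name"].endswith(suffix) or "." not in bare:
            continue
        earlier = [r for r in records[:i] if r["name"] == bare]
        if not earlier:
            verdict = "no bare-FQDN attempt logged before the suffixed query"
        elif all(r["result"] != "ANSWER" for r in earlier):  # only plain ANSWER counts as success
            verdict = "bare FQDN failed first, suffixed retry is expected"
        else:
            verdict = "bare FQDN resolved earlier, suffixed query is unexpected"
        findings.append((rec["name"], rec["qtype"], rec["result"], rec["port"], verdict))
    return findings

if __name__ == "__main__":
    print(audit(parse_results(SAMPLE_LOG), "jimbohello.arpa"))
```

On the excerpt posted here the verdict only reflects the lines shown; run it over the full resolver log to see whether the bare name was tried and failed before the suffixed query.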
-
When following DoT procedure based on netgate.
All aliases having dynamic name to resolve, get a response from dnsfilter « failed to resolve host - will retry again later ». Some of them do resolve but most part failed completely and then, at a point failed all.
When changing aliases to url ip table , no problem occur.
If i remove all DoT everything work as expected
Note : i have around 140 dynamic name to resolve.
Hope help
Behavior appears on sg-3100, sg-8200 pro max. And all other device
Version 22.05 not affected
Version 23.01 affected
Thanks
Hope helps