::observation:: DNS resolver problem when used with Comcast Business in USA
-
At this point this is only an observation.
pfSense by default installs and makes available the DNS resolver.
I think of it as a mini caching DNS.
It has always worked as-is for years now.
Recently, for a number of my customers who use Comcast Business + static IP, I have been having to both turn off DNSSEC and put the resolver into forwarding mode to get them working again.
I really need to dig into this further. Right now I am just sharing an observation/experience.
I am wondering if anyone else has run into this or something similar more recently.
I usually set DNS on these routers to Google or to Comcast's.
I am always able to resolve names from the pfSense router command line without problems while these problems are happening.
But none of the computers behind the router (using the resolver) can resolve names.
It's very intermittent. Sometimes it works and sometimes it does not work.
I think the resolver works completely independently from the DNS settings in pfSense.
That explains why names resolve at the router itself without issue while those on the internal network using the resolver fail.
I'll have to do some packet captures and see what's going on.
But for now, over the past months, I have been having to change these settings to get a few small offices that use the resolver to be able to use their Internet connection again.
I don't think it's pfSense, but I suspect Comcast may be mishandling DNS traffic.
But I am only having problems with the pfSense resolver in this regard, which has always worked flawlessly in the past.
-
Confirmed seeing the same problem with pfSense on Comcast Business dynamic IP.
Same problem if in bridge mode (single NAT) with public IPv4 on pfSense.
Or put behind the Comcast NAT router (dual NAT).
Still get sporadic (mostly not working) DNS name lookups.
If I turn off DNSSEC and put the resolver in relay mode, it works fine.
-
@n8lbv There are several threads about forwarding issues in 23.01…search for Quad9. Short version, disable DNSSEC when forwarding. If that doesn’t work disable DNS over TLS.
pfSense by default uses “local then remote” DNS so if unbound is not working it will likely just try directly.
-
@steveits Thanks!
I'll check them out.
I'm in pretty good shape just turning them off, but was extremely curious why it is suddenly an issue lately when it had been working up until now.
And it's on 2.6.0, so there have been no changes to the software that would have affected this from when it had been working till now. :)
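One way to tell the "DNSSEC off fixes it" pattern described in this thread apart from a general outage, as an added example that is not part of the thread and not pfSense or unbound code: send the same query to the resolver twice, once normally and once with the CD (checking disabled) bit set, the way `dig +cd` does. A validating resolver answers SERVFAIL to the first and NOERROR to the second when the data resolves but fails validation. The resolver address, the name, and the sample replies are constructed for the example.

```python
import socket
import struct

def build_query(name, qtype=1, cd=False, txid=0x1234):
    """Build a minimal DNS/UDP query. RD is always set; CD (checking disabled)
    asks a validating resolver such as unbound to skip DNSSEC validation."""
    flags = 0x0100 | (0x0010 if cd else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    labels = name.rstrip(".").split(".")
    qname = b"".join(bytes([len(l)]) + l.encode("ascii") for l in labels) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)

def parse_header(data):
    """Decode the 12-byte DNS header into the fields the diagnosis needs."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack("!HHHHHH", data[:12])
    return {"id": txid, "rcode": flags & 0x000F, "ad": bool(flags & 0x0020),
            "cd": bool(flags & 0x0010), "answers": an}

def classify(validated, unvalidated):
    """validated: reply to the normal query; unvalidated: reply to the +cd query.
    A reply that timed out is represented with rcode None."""
    if validated["rcode"] == 2 and unvalidated["rcode"] == 0:
        return "dnssec-validation-failure"   # data resolves, validation does not
    if validated["rcode"] == 0:
        return "ok"
    return "resolution-failure"              # broken with or without validation

def probe(resolver_ip, name, timeout=3.0):
    """Send both queries to a resolver over UDP/53 and classify (does network I/O)."""
    replies = []
    for cd in (False, True):
        with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
            s.settimeout(timeout)
            s.sendto(build_query(name, cd=cd), (resolver_ip, 53))
            try:
                replies.append(parse_header(s.recv(4096)))
            except socket.timeout:
                replies.append({"id": 0, "rcode": None, "ad": False, "cd": cd, "answers": 0})
    return classify(*replies)

# Constructed sample replies (not captured from any network in the thread):
# SERVFAIL to the normal query, NOERROR with one answer to the CD query.
SERVFAIL_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8182, 1, 0, 0, 0)
NOERROR_CD_REPLY = struct.pack("!HHHHHH", 0x1234, 0x8190, 1, 1, 0, 0)

if __name__ == "__main__":
    # Offline demonstration; replace with probe("192.0.2.1", "example.com") against a real resolver.
    print(classify(parse_header(SERVFAIL_REPLY), parse_header(NOERROR_CD_REPLY)))
```

Running the probe from a client behind the router and again from the router itself (which uses "local then remote" DNS) shows whether only the validating path is failing.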