Website won't resolve. says DNS_PROBE_FINISHED_NXDOMAIN
-
I'm somewhat familiar with pfSense, and very familiar with DNS and networking. But I'm stumped.
pfSense 23.01-RELEASE
papamurphys.com won't resolve. Not a huge issue, but I want to find out why.
If I change the DNS on a computer on the network, it comes up fine, but if it's using the DNS of the firewall, no joy.
There are only three packages installed, aws-wizard, ipsec-profile-wizard, and netgate_Firmware_Upgrade, all of which were there by default.
The General page is set to 1.1.1.2, 1.0.0.2, and 9.9.9.9 as DNS; I've tried OpenDNS, Cloudflare, and Comcast, all the same. DNS lookup is the same IP on all networks.
I currently have DNS server override unchecked, and DNS resolution behavior "use remote, ignore local" on the General page.
I'm at a loss here. Not sure how to check logs or see if something is blocked internally. There are a few other sites that are blocked also. The only way I can make it work is if I enable DNS query forwarding mode. That seems to be subverting any security I might put in place locally, however, so not thrilled.
So it's something to do with when it uses itself as the resolver, instead of outside. Not horrible, since there isn't a server on this network, but I'm very curious as to how to look into WHY it's blocked.
-
@noitalever resolves here
;; QUESTION SECTION:
;papamurphys.com. IN A

;; ANSWER SECTION:
papamurphys.com. 3600 IN A 217.114.85.70

I resolve vs forwarding..
The settings for remote or local in General have zero to do with clients asking unbound for something; that only has to do with pfSense itself trying to resolve something.
If you are using unbound on default, resolving and not forwarding, do a dig +trace to see where you might be failing in the resolve process.
[23.05-RELEASE][admin@sg4860.local.lan]/root: dig papamurphys.com +trace
; <<>> DiG 9.18.13 <<>> papamurphys.com +trace
;; global options: +cmd
. 6943 IN NS l.root-servers.net.
. 6943 IN NS m.root-servers.net.
. 6943 IN NS a.root-servers.net.
. 6943 IN NS b.root-servers.net.
. 6943 IN NS c.root-servers.net.
. 6943 IN NS d.root-servers.net.
. 6943 IN NS e.root-servers.net.
. 6943 IN NS f.root-servers.net.
. 6943 IN NS g.root-servers.net.
. 6943 IN NS h.root-servers.net.
. 6943 IN NS i.root-servers.net.
. 6943 IN NS j.root-servers.net.
. 6943 IN NS k.root-servers.net.
. 6943 IN RRSIG NS 8 0 518400 20230704170000 20230621160000 60955 . gWRNcv5tKshs4O8Lq62sWKgJ8UshBnH5sCfGEnIzSn/lthDJw2GnaMc/ OMcH+kSK8uKBCdMw23qW85ZNe7XUbXQtMSwU8Lo9iU+yuIZydaTZzk83 A4uncWMKZPw33tY3q0J6TFaEdood/FMg5Szeusg/NKZOfuk89BcltR+V ct8vZqVwxWtBPE8m+dMSz2FaNYcPm9G88skw+A0viO1hgTMkEtBYWWoO 7nbtD0UpPOYfueIXLREpSXQT7Aw0sDirTQBqaDCVLpgkZZkF73CH/+QH rEp16BMvXq6CDjucKlZp+T9d8hjlpwIZIUnVHGOT6NOcVaH1ElIdJzMG 4hVjJw==
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms

com. 172800 IN NS a.gtld-servers.net.
com. 172800 IN NS b.gtld-servers.net.
com. 172800 IN NS c.gtld-servers.net.
com. 172800 IN NS d.gtld-servers.net.
com. 172800 IN NS e.gtld-servers.net.
com. 172800 IN NS f.gtld-servers.net.
com. 172800 IN NS g.gtld-servers.net.
com. 172800 IN NS h.gtld-servers.net.
com. 172800 IN NS i.gtld-servers.net.
com. 172800 IN NS j.gtld-servers.net.
com. 172800 IN NS k.gtld-servers.net.
com. 172800 IN NS l.gtld-servers.net.
com. 172800 IN NS m.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CF C41A5766
com. 86400 IN RRSIG DS 8 1 86400 20230705170000 20230622160000 60955 . mahLAMMrZ7kVmoMSJdQ/plxvoCb7fHlLD4QFfpdBMDGNKYwSW14ANUOi P8dzQ83lBB+Qv4Rw07XafvykrlOvfOsFssD9mL+n/auvMLiLxornO4fs ZQjwW4pgDTLvbq3LCsh1r97sfevuRep2Y63+/hv/tcd8/E0edaPAWKH3 w9yn/upKyFX97lMA2h6QFf5t+3mmF4Zge5ueq8VvQvi4v4rNa04easfh uUMxKF/a34TpJgwzYoG5qCpTMVupNIXUUZ435benV9libtn4PT2Zn23t 1DGKxbfrO7mJxLHB6t9plUxQzBwbWcr5QivpyjSttBW50pDqc/eej2OA p1CrAQ==
;; Received 1175 bytes from 2001:500:2d::d#53(d.root-servers.net) in 21 ms

papamurphys.com. 172800 IN NS pdns13.domaincontrol.com.
papamurphys.com. 172800 IN NS pdns14.domaincontrol.com.
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN NSEC3 1 1 0 - CK0Q2D6NI4I7EQH8NA30NS61O48UL8G5 NS SOA RRSIG DNSKEY NSEC3PARAM
CK0POJMG874LJREF7EFN8430QVIT8BSM.com. 86400 IN RRSIG NSEC3 8 2 86400 20230627042518 20230620031518 46551 com. HfAI+YRdruDFRrUwxPdrcjD3IpzH8FpMwbtAOZEXGFV7wdQcIVZ0jQ4V J5cTrrln4DOL7e6gvqaxnreMIhljyU8iUpmKqBCR/s5vI96486yJvo5k f4hIwBW31cQtLzKQz4jsC1S7ja+yJY5JMoagnzHPmZRwCQ1Jt42yJZ/j Nta0rulw5kFuCp3lpaNOLawObJ64nm6PURwTR21IFySPRw==
9U5UJJSVMT5UGI2DJLSS62PFK422OM8T.com. 86400 IN NSEC3 1 1 0 - 9U5V5ASDLE8O1NIT423QC740155MSSGM NS DS RRSIG
9U5UJJSVMT5UGI2DJLSS62PFK422OM8T.com. 86400 IN RRSIG NSEC3 8 2 86400 20230629051553 20230622040553 46551 com. AXPHGo9wdJpR2+rMhxn8dwG2N9+ZKqhMN7e24Qu4E5r/5nmxFZ4ykNoS o/SZwZMoYhLdwQfs8BRfcARO3KBDtZ7ja1YS9gsmT2/cpoSljpt6ClTD irisZdR5RPNAnbKfidHodi6gWPj2Io1zftt3gJevp8SlwPqHHrdt0JnJ 7DJOep2kKDlZ50e8ptJp+9eL+NzZy/kj1MTJhGHV4wHkNA==
;; Received 681 bytes from 2001:502:7094::30#53(j.gtld-servers.net) in 61 ms

papamurphys.com. 600 IN A 217.114.85.70
papamurphys.com. 3600 IN NS pdns14.domaincontrol.com.
papamurphys.com. 3600 IN NS pdns13.domaincontrol.com.
;; Received 116 bytes from 97.74.110.56#53(pdns13.domaincontrol.com) in 14 ms
[23.05-RELEASE][admin@sg4860.local.lan]/root:
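As an added example (not from the thread or from pfSense), a small Python parser for a `dig +trace` transcript like the one above: it splits the output into hops at each ";; Received" line and reports which server answered, which zone it referred to, whether the parent published a DS record for that delegation, and where the chain ended, which is the question a +trace is meant to answer. The embedded transcript is a constructed, abbreviated copy of the trace above with the RRSIG and NSEC3 records dropped.

```python
import re

# Constructed sample: abbreviated from the trace above, RRSIG/NSEC3 records dropped.
SAMPLE_TRACE = """\
. 6943 IN NS a.root-servers.net.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
com. 172800 IN NS a.gtld-servers.net.
com. 86400 IN DS 30909 8 2 E2D3C916F6DEEAC73294E8268FB5885044A833FC5459588F4A9184CFC41A5766
;; Received 1175 bytes from 2001:500:2d::d#53(d.root-servers.net) in 21 ms
papamurphys.com. 172800 IN NS pdns13.domaincontrol.com.
papamurphys.com. 172800 IN NS pdns14.domaincontrol.com.
;; Received 681 bytes from 2001:502:7094::30#53(j.gtld-servers.net) in 61 ms
papamurphys.com. 600 IN A 217.114.85.70
;; Received 116 bytes from 97.74.110.56#53(pdns13.domaincontrol.com) in 14 ms
"""
RECEIVED = re.compile(r"^;; Received \d+ bytes from \S+#\d+\((\S+)\) in (\d+) ms")

def parse_trace(text):
    # One dict per hop: responding server, NS per zone, DS-signed zones, other answers.
    hops, cur = [], {"ns": {}, "ds": set(), "answers": []}
    for line in text.splitlines():
        m = RECEIVED.match(line)
        if m:                                    # a "Received" line closes the hop
            cur.update(server=m.group(1), ms=int(m.group(2)))
            hops.append(cur)
            cur = {"ns": {}, "ds": set(), "answers": []}
            continue
        parts = line.split(None, 4)
        if len(parts) < 5 or parts[2] != "IN":   # banner, blanks, ';;' comments
            continue
        owner, _ttl, _cls, rtype, rdata = parts
        if rtype == "NS":
            cur["ns"].setdefault(owner, []).append(rdata)
        elif rtype == "DS":
            cur["ds"].add(owner)                 # parent vouches for the child's keys
        elif rtype not in ("RRSIG", "NSEC", "NSEC3"):
            cur["answers"].append((owner, rtype, rdata))
    return hops

def diagnose(hops, qname, rtype="A"):
    # Say where the chain ended: the final answer, or the last referral seen.
    qname = qname.rstrip(".") + "."
    last = hops[-1]
    hits = [r for o, t, r in last["answers"] if (o, t) == (qname, rtype)]
    if hits:
        return f"resolved {qname} {rtype} -> {', '.join(hits)} via {last['server']}"
    if last["ns"]:
        zone = max(last["ns"], key=len)          # deepest zone referred to
        signed = "signed" if zone in last["ds"] else "unsigned"
        return f"stopped after {last['server']} referred to {zone} ({signed} delegation, {len(last['ns'][zone])} NS)"
    return f"stopped after {last['server']} with no answer and no referral"
```

Feed it the full +trace output from the pfSense shell; a trace that stops at a referral rather than at an answer names the last server that replied and the zone it handed off to.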
-
@noitalever not really related but if you are not forwarding normally, why set pfSense to not query itself? I guess it would work in that config.
Are there any rules, including floating, that might block DNS?
There is this, which I don’t think made it into 23.05:
https://redmine.pfsense.org/issues/14056
-
@johnpoz Thanks, and complete noob question, but where do I "dig"? I don't see a shell or terminal, and the "command" menu choice seems to just want me to send a command, but I'm not sure how to format it.
I'm obviously missing something... obvious, since the forums don't seem to have instructions.
-
@noitalever It’s common on *nix OSs but you can install on Windows:
https://docs.digitalocean.com/tutorials/use-dig/
-
@noitalever said in Website won't resolve. says DNS_PROBE_FINISHED_NXDOMAIN:
but where do I "dig"?
You have dig.
It's part of the command set of pfSense.
SSH into pfSense using PuTTY if you have a Microsoft device, or use a native SSH client on all other devices. Or use the console (serial/USB) access if you have a Netgate device.
For other (VGA) builds: use the keyboard + screen. When you see the menu, use option 8 (shell).
[23.05-RELEASE][root@pfSense.verylocal.net]/root: dig papamurphys.com +short
217.114.85.70
-
@noitalever said in Website won't resolve. says DNS_PROBE_FINISHED_NXDOMAIN:
but where do I "dig"?
Thought it would be pretty clear from my posted example, clearly showing I was on pfSense ;)
Doesn't the 23.05 release at the prompt give it away?
-
@johnpoz Yep, I knew you were doing it on pfSense, I just have never had to do this with a pfSense box before, and since this is a Netgate appliance I didn't know if it was a "helpful GUI" type thing where it hid things "most" people shouldn't need.
I'm mostly a Windows Server guy. For firewalls, Fortigate, where the console is built into the GUI. This Netgate GUI didn't lend itself to a place where I would be able to use that command, hence my reply. Someone else gave me useful information, so I'm good.
We all have to start somewhere, and not knowing the steps to do something is pretty standard until you do.
-
@noitalever there is Diagnostics/Command prompt, though it is not interactive so can only run commands that end/complete.
-
@noitalever EDIT: I updated to 23.05 and the problem went away, and all previous resolver settings are now back to normal.
From my brief stumbling around, I think it was an issue with their website not liking the advanced privacy options in the DNS resolver I had checked.
Now to learn how to "dig".
-
@Gertjan Thank you for this response, it was helpful.
-
@noitalever said in Website won't resolve. says DNS_PROBE_FINISHED_NXDOMAIN:
advanced privacy options in the dns resolver I had checked.
And what are those? You were forwarding somewhere over TLS?