DNS Resolver problems, PC can't resolve domain but firewall can...

Hangnail6119

Hello,
It's my second pfSense box and I have the same problems with DNS Resolver(Unbound). At some point it just stops resolving anything.
TLDR: When I open my pc after some time(eg. I suspend it over night, and open it i the morning) - it can't resolve any DNS request. I can ping any ip(eg. 9.9.9.9), but when pining domain I get:
ping: startpage.com: Temporary failure in name resolution
When I open pfSense web ui and go to Diagnostics > DNS Lookup, the firewall can resolve IP just fine.
Video presenting the issue.zip

Current fix is to go to Status > Services and restart Unbound on my own

My setup:
a) On General Setup I set Quad9 DNS servers

b) I have DNS Resolver ENABLED, and DNS Forwarder DISABLED
c) I changed only one thing in Services > DNS Resolver, I added do-ip6: no to Custom options, since on other issue someone stated that have helped them with similar issue

d) I have one Host Override for IP to my Homelab, one Domain and few aliases
e) I DON'T have any packages installed beside Wireguard and FreeRadius, and even before this packages problem occured.
f) I have few VLANs and all of them are using the same DNS settings that are not overriden in any way(they use default)
g) DHCP has static leases for all pc's so there is no random changes in VLANs on hosts
h) There are no Rules blocking DNS requests on any VLAN
i) I don't use IPv6, it's disabled on WAN, it's disabled on LAN and any other VLAN

When I go to Status > Services unbound is running
When I check DNS Resolver logs I can't see any errors, only that service stopped working and then started again.
Jul 22 07 49 36 unbound.txt
And I don't know what else I could check...

At first I thoutght that it's a problem because I use pfBlockerNG and that was on my FIRST pfSense Box and since I am almost only user using that box it was not such a big problem, plus it's not working there for not more than 1-2 minutes until it starts working.
Now it's different because it will be used by more people and it's not restarting on it's own. So I can spend 20-30 minutes just staring at the screen and it won't restart. That is a NO go for home/office setup that needs to be ready in seconds.

Do you guys know what I might have misconfigured? Or why this could be happening? I don't want to give up on pfSense DNS Resolver, especially when there are packages like pfBlockerNG and different levels of DNS filtering for VLANs, but if I won't be able to fix it I will be looking into other solutions like PiHole. I used it before pfSense and it had no such issues. :(

viragomann

@Hangnail6119
First off DNS resolution of devices using unbound has nothing to do with DNS resolution of pfSense itself, at lest with your settings.
pfSense use the DNS servers which you stated on the general settings, while unbound use root DNS servers.

If you want unbound to use Cloudflare server which you stated in the general settings you have to enable the forwarding mode.
Also consider to set the "DNS Resolution behavior" in the general settings accordingly.

Then on you computer if you cannot resolve host names in Firefox, also try a nslookup or dig in the console to get sure that it doesn't work.
FF possibly uses DNS over HTTP and maybe pfBlockNG block this.

Also try to disable DNSSEC in the Resolver settings.

Hangnail6119

@viragomann Hi, thanks very much for your reply! :)
It's hard for me to wrap my head around this topic in pfSense since it's split to System > General Setup > DNS Server Settings then we have Services > DNS Resolver and Services > DNS Forwarder.
And now you pointed to me that pfSense is not using the same resolver as hosts on my network. Now I have my mind blown :/

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Then on you computer if you cannot resolve host names in Firefox, also try a nslookup or dig in the console to get sure that it doesn't work.
FF possibly uses DNS over HTTP and maybe pfBlockNG block this.

It's not a FF issue, chrome/brave any other browser is giving me the same error, ping, dig, nslookup also does not work.

In the best case scenario I would like to use pfBlockerNG with custom DNS(quad9 or cloudflare), but I would like to avoid need to restart the service on my own each day. And the worst part is that I don't even know how to pinpoint this issue since there are no error logs on pfsense side(at least I don't know what else can I check).

viragomann

@Hangnail6119
Did you try to resolve with nslookup, when the browser is failing?

Also change the "DNS Resolution Behavior" as suggested to "use local fall back to remote". Then go to Diagnostic > NS lookup and try to resolve the host name, while the browser is failing.
The tool tries to resolve using the DNS servers you stated in the general settings and the Resolver (127.0.0.1) as well. So check, what you get.

I cannot think, what a Resolver restart should affect, since the service is running anyway.

SteveITS

@Hangnail6119 if you have DHCP lease registration enabled unbound will restart at every lease renewal.

viragomann

@SteveITS
It isn’t enabled, as the screenshot above shows.

SteveITS

@viragomann Ah yes I was looking at the log not the screenshot. So why did it restart several times in the log? Was that OP restarting it manually?

viragomann

@SteveITS
That’s the interesting question.
Mine starts once a day only, when the WAN IP changes (PPPoE).

johnpoz

If there is some issue with the wan interface and whatever reason unbound can't bind to it if goes down/up or something then yeah a restart of unbound could fix that.

I am not a fan of the all selection for outgoing connections - just use localhost only. Then if you have some intermittent issue with your want connection it should take unbound down from being bound to the interface..

Or same thing goes for the even the local side interfaces if your having issues with them.. You should fix why those might be going up/down etc.. What does your normal system log show when you see this problem?

Hangnail6119

Hi everyone,
Sorry for late reply, had some unexpected personal event and problem did not occur yet since last time.

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Did you try to resolve with nslookup, when the browser is failing?

No, only later :(

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Also change the "DNS Resolution Behavior" as suggested to "use local fall back to remote".

I changed it after your post.

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:

if you have DHCP lease registration enabled unbound will restart at every lease renewal.

Do you mean some specific setting or just adding static mappings in Services > DHCP Server > HOMENETWORK > DHCP Static Mappings for this Interface?
I have those mappings for all devices in my network and I allow only clients from those interfaces to connect.

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:

So why did it restart several times in the log? Was that OP restarting it manually?

I attached the logs only from that morning when DNS was not working, it looks like first reset was made by my pc waking up, the second reset I did on my own to fix the problem.

@johnpoz said in DNS Resolver problems, PC can't resolve domain but firewall can...:

I am not a fan of the all selection for outgoing connections - just use localhost only.

I will update that.

@johnpoz said in DNS Resolver problems, PC can't resolve domain but firewall can...:

What does your normal system log show when you see this problem?

You mean the linux logs or some general logs in pfSense?
In linux Ping could not resolve domains, I did not check any other logs from pfsense, because I kind of don't know for what I should be looking for ;/

PS: I applied all the settings you suggested, I will monitor if everything works as expected and let you know if problem will still occur.

Gertjan

@Hangnail6119 said in DNS Resolver problems, PC can't resolve domain but firewall can...:

It's hard for me to wrap my head around this topic in pfSense since it's split to System > General Setup > DNS Server Settings then we have Services > DNS Resolver and Services > DNS Forwarder.

I'll try to make things easier to understand.
This one : Services > DNS Forwarder : it's there for historical reasons. Normally, no one use this 'forwarder', also called by the process name 'dnsmasq' anymore.
This one : Services > DNS Resolver is the one that is activated ans used these days. It needs no settings changes, and will work out of the box (for 99,9 % of us).

This one : System > General Setup > DNS Server Settings : No need to change what so ever.
With one exception : change this :

I advise not to use / change these :

( exception : If you have to give some one your private DNS data )

It boils down to one simple thing : when you install pfSense it (DNS) works.
Keep it that way is as easy as : not changing and/or adding settings.
I'm pretty sure that you will find things less mind blowing now ;)

SteveITS

@Hangnail6119 said in DNS Resolver problems, PC can't resolve domain but firewall can...:

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:

if you have DHCP lease registration enabled unbound will restart at every lease renewal.

Do you mean some specific setting

This setting, in DNS Resolver:

Dyson228

I'm having the same issue and I've tried many options I see with no changes

DNS forwarder works. DNS Resolver doesn't.
Currently have DNS Resolver with no forwarding. DNS Lookup on the firewall works with no issues and the only listed name server is 127.0.0.1

There are no firewall logs blocking my network traffic to the firewall, and as mentioned before, with DNS Forwarder setup I was able to resolve DNS on my client using the same DNS Server.

Only thing I just discovered is that I have multiple LANs setup, including a default LAN. If I do a nslookup using my default LAN's gateway as the server, it resolves. I feel like this is critical, but can't quite connect the dots.

SteveITS

@Dyson228

I have multiple LANs setup, including a default LAN. If I do a nslookup using my default LAN's gateway as the server, it resolves.

Is Resolver listening on All interfaces? Is port 53 TCP/UDP allowed to the other network IPs?

Dyson228

@SteveITS

DNS Resolver Network Interface is everything except WAN, and Outgoing is All for now.

No reason why port 53 should have been blocked and I wasn't seeing any network traffic blocking it. I added an explicit allow port 53 rule at the top just to make sure, and that didn't affect it.

Dyson228

@SteveITS

I may have stumbled on the answer. When I looked at status > Interfaces, my LAN was showing as "Down". This is because during initial setup years ago, I had associated each LAN with an interface port, and over time I had eventually moved to a managed switch. So this interface had been listed as "Down".

Once I removed the interface port, the interface now shows as Up, and I'm getting DNS responses from my gateway.