DNS Resolver problems, PC can't resolve domain but firewall can...

viragomann · Jul 22, 2023, 11:43 AM

@Hangnail6119
First off DNS resolution of devices using unbound has nothing to do with DNS resolution of pfSense itself, at lest with your settings.
pfSense use the DNS servers which you stated on the general settings, while unbound use root DNS servers.

If you want unbound to use Cloudflare server which you stated in the general settings you have to enable the forwarding mode.
Also consider to set the "DNS Resolution behavior" in the general settings accordingly.

Then on you computer if you cannot resolve host names in Firefox, also try a nslookup or dig in the console to get sure that it doesn't work.
FF possibly uses DNS over HTTP and maybe pfBlockNG block this.

Also try to disable DNSSEC in the Resolver settings.

Hangnail6119 · Jul 22, 2023, 12:08 PM

@viragomann Hi, thanks very much for your reply! :)
It's hard for me to wrap my head around this topic in pfSense since it's split to System > General Setup > DNS Server Settings then we have Services > DNS Resolver and Services > DNS Forwarder.
And now you pointed to me that pfSense is not using the same resolver as hosts on my network. Now I have my mind blown :/

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Then on you computer if you cannot resolve host names in Firefox, also try a nslookup or dig in the console to get sure that it doesn't work.
FF possibly uses DNS over HTTP and maybe pfBlockNG block this.

It's not a FF issue, chrome/brave any other browser is giving me the same error, ping, dig, nslookup also does not work.

In the best case scenario I would like to use pfBlockerNG with custom DNS(quad9 or cloudflare), but I would like to avoid need to restart the service on my own each day. And the worst part is that I don't even know how to pinpoint this issue since there are no error logs on pfsense side(at least I don't know what else can I check).

viragomann · Jul 22, 2023, 12:24 PM

@Hangnail6119
Did you try to resolve with nslookup, when the browser is failing?

Also change the "DNS Resolution Behavior" as suggested to "use local fall back to remote". Then go to Diagnostic > NS lookup and try to resolve the host name, while the browser is failing.
The tool tries to resolve using the DNS servers you stated in the general settings and the Resolver (127.0.0.1) as well. So check, what you get.

I cannot think, what a Resolver restart should affect, since the service is running anyway.

SteveITS · Jul 22, 2023, 1:05 PM

@Hangnail6119 if you have DHCP lease registration enabled unbound will restart at every lease renewal.

viragomann · Jul 22, 2023, 1:29 PM

@SteveITS
It isn’t enabled, as the screenshot above shows.

SteveITS · Jul 22, 2023, 1:42 PM

@viragomann Ah yes I was looking at the log not the screenshot. So why did it restart several times in the log? Was that OP restarting it manually?

viragomann · Jul 22, 2023, 1:48 PM

@SteveITS
That’s the interesting question.
Mine starts once a day only, when the WAN IP changes (PPPoE).

johnpoz · Jul 22, 2023, 1:50 PM

If there is some issue with the wan interface and whatever reason unbound can't bind to it if goes down/up or something then yeah a restart of unbound could fix that.

I am not a fan of the all selection for outgoing connections - just use localhost only. Then if you have some intermittent issue with your want connection it should take unbound down from being bound to the interface..

Or same thing goes for the even the local side interfaces if your having issues with them.. You should fix why those might be going up/down etc.. What does your normal system log show when you see this problem?

Hangnail6119 · Jul 24, 2023, 8:26 AM

Hi everyone,
Sorry for late reply, had some unexpected personal event and problem did not occur yet since last time.

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Did you try to resolve with nslookup, when the browser is failing?

No, only later :(

@viragomann said in DNS Resolver problems, PC can't resolve domain but firewall can...:

Also change the "DNS Resolution Behavior" as suggested to "use local fall back to remote".

I changed it after your post.

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:

if you have DHCP lease registration enabled unbound will restart at every lease renewal.

Do you mean some specific setting or just adding static mappings in Services > DHCP Server > HOMENETWORK > DHCP Static Mappings for this Interface?
I have those mappings for all devices in my network and I allow only clients from those interfaces to connect.

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:

So why did it restart several times in the log? Was that OP restarting it manually?

I attached the logs only from that morning when DNS was not working, it looks like first reset was made by my pc waking up, the second reset I did on my own to fix the problem.

@johnpoz said in DNS Resolver problems, PC can't resolve domain but firewall can...:

I am not a fan of the all selection for outgoing connections - just use localhost only.

I will update that.

@johnpoz said in DNS Resolver problems, PC can't resolve domain but firewall can...:

What does your normal system log show when you see this problem?

You mean the linux logs or some general logs in pfSense?
In linux Ping could not resolve domains, I did not check any other logs from pfsense, because I kind of don't know for what I should be looking for ;/

PS: I applied all the settings you suggested, I will monitor if everything works as expected and let you know if problem will still occur.

Gertjan · Jul 24, 2023, 8:53 AM

@Hangnail6119 said in DNS Resolver problems, PC can't resolve domain but firewall can...:

It's hard for me to wrap my head around this topic in pfSense since it's split to System > General Setup > DNS Server Settings then we have Services > DNS Resolver and Services > DNS Forwarder.

I'll try to make things easier to understand.
This one : Services > DNS Forwarder : it's there for historical reasons. Normally, no one use this 'forwarder', also called by the process name 'dnsmasq' anymore.
This one : Services > DNS Resolver is the one that is activated ans used these days. It needs no settings changes, and will work out of the box (for 99,9 % of us).

This one : System > General Setup > DNS Server Settings : No need to change what so ever.
With one exception : change this :

I advise not to use / change these :

( exception : If you have to give some one your private DNS data )

It boils down to one simple thing : when you install pfSense it (DNS) works.
Keep it that way is as easy as : not changing and/or adding settings.
I'm pretty sure that you will find things less mind blowing now ;)

SteveITS · Jul 24, 2023, 3:17 PM

@Hangnail6119 said in DNS Resolver problems, PC can't resolve domain but firewall can...:

@SteveITS said in DNS Resolver problems, PC can't resolve domain but firewall can...:
if you have DHCP lease registration enabled unbound will restart at every lease renewal.
Do you mean some specific setting

This setting, in DNS Resolver:

Dyson228 · Jul 26, 2023, 4:16 AM

I'm having the same issue and I've tried many options I see with no changes

DNS forwarder works. DNS Resolver doesn't.
Currently have DNS Resolver with no forwarding. DNS Lookup on the firewall works with no issues and the only listed name server is 127.0.0.1

There are no firewall logs blocking my network traffic to the firewall, and as mentioned before, with DNS Forwarder setup I was able to resolve DNS on my client using the same DNS Server.

Only thing I just discovered is that I have multiple LANs setup, including a default LAN. If I do a nslookup using my default LAN's gateway as the server, it resolves. I feel like this is critical, but can't quite connect the dots.

SteveITS · Jul 26, 2023, 4:24 AM

@Dyson228

I have multiple LANs setup, including a default LAN. If I do a nslookup using my default LAN's gateway as the server, it resolves.

Is Resolver listening on All interfaces? Is port 53 TCP/UDP allowed to the other network IPs?

Dyson228 · Jul 26, 2023, 4:32 AM

@SteveITS

DNS Resolver Network Interface is everything except WAN, and Outgoing is All for now.

No reason why port 53 should have been blocked and I wasn't seeing any network traffic blocking it. I added an explicit allow port 53 rule at the top just to make sure, and that didn't affect it.

Dyson228 · Jul 26, 2023, 4:37 AM

@SteveITS

I may have stumbled on the answer. When I looked at status > Interfaces, my LAN was showing as "Down". This is because during initial setup years ago, I had associated each LAN with an interface port, and over time I had eventually moved to a managed switch. So this interface had been listed as "Down".

Once I removed the interface port, the interface now shows as Up, and I'm getting DNS responses from my gateway.