Netgate 1100 and DNS issues
-
I got an 1100 and seem to be having random DNS issues. That is, the resolving of names fails for some time and then suddenly works. I am using the most basic setup with DHCP-provided DNS servers on WAN and one LAN network with basic DHCP on that side.
For example I just tried:
iMac:~ uusitalo$ nslookup docs.netgate.com
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find docs.netgate.com.home.arpa: SERVFAIL

iMac:~ uusitalo$ nslookup docs.netgate.com 192.89.123.230
Server: 192.89.123.230
Address: 192.89.123.230#53

Non-authoritative answer:
Name: docs.netgate.com
Address: 208.123.73.68

iMac:~ uusitalo$ nslookup docs.netgate.com 192.89.123.231
Server: 192.89.123.231
Address: 192.89.123.231#53

Non-authoritative answer:
Name: docs.netgate.com
Address: 208.123.73.68

iMac:~ uusitalo$ nslookup docs.netgate.com
Server: 192.168.1.1
Address: 192.168.1.1#53

*******
As an addition, I got a non-existing domain...

iMac:~ uusitalo$ nslookup www.europeantour.com 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find www.europeantour.com: NXDOMAIN

iMac:~ uusitalo$ nslookup www.europeantour.com 8.8.8.8
Server: 8.8.8.8
Address: 8.8.8.8#53

Non-authoritative answer:
www.europeantour.com canonical name = classic.europeantour.com.edgekey.net.
classic.europeantour.com.edgekey.net canonical name = e2513.a.akamaiedge.net.
Name: e2513.a.akamaiedge.net
Address: 2.22.39.83
Those 192.89.123.230 and .231 addresses are the ISP DNS servers. So DNS itself works, but the resolver does strange things. Trying Diagnostics / DNS Lookup also works fine.
Why does it add home.arpa as a domain in the queries going to 192.168.1.1? Or is this just a symptom and not a reason?
This situation usually lasts for a few minutes, then DNS works fine, and then it comes back after a few minutes.
-
Made an additional test with dig; these are within 30 seconds:
iMac:~ uusitalo$ dig @192.168.1.1 www.maalampofoorumi.fi

; <<>> DiG 9.8.3-P1 <<>> @192.168.1.1 www.maalampofoorumi.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40698
;; flags: qr rd ra; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.maalampofoorumi.fi. IN A

;; Query time: 42 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 5 22:12:59 2023
;; MSG SIZE rcvd: 40

iMac:~ uusitalo$ dig @192.168.1.1 www.maalampofoorumi.fi

; <<>> DiG 9.8.3-P1 <<>> @192.168.1.1 www.maalampofoorumi.fi
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58073
;; flags: qr rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;www.maalampofoorumi.fi. IN A

;; ANSWER SECTION:
www.maalampofoorumi.fi. 14400 IN CNAME maalampofoorumi.fi.
maalampofoorumi.fi. 14400 IN A 93.90.53.13

;; Query time: 108 msec
;; SERVER: 192.168.1.1#53(192.168.1.1)
;; WHEN: Thu Oct 5 22:13:24 2023
;; MSG SIZE rcvd: 70
-
If you are using the DNS Resolver but have it set to forward, do not use DNSSEC (it can cause false failures when forwarding).
-
If you have DNS over TLS enabled, Unbound has a bug (fixed in 23.09); you need to disable ASLR.
-
@SteveITS thank you. Unfortunately I am not using either of them. But changing the settings (and at the same time restarting unbound?) makes the queries work for a few minutes...
But enabling the Forwarding Mode in Resolver may have helped. We will see if that is the workaround.
-
@luu5 said in Netgate 1100 and DNS issues:
Why does it add home.arpa as a domain in the queries going to 192.168.1.1?
Because 'it' tries to find out if docs.netgate.com isn't a local host first.
You made it do so, as you wrote "docs.netgate.com". Next time, use "docs.netgate.com." (see the ending dot?). With the ending dot it won't add "home.arpa". Run
grep 'start' /var/log/resolver.log
Does your unbound restart a lot?
If so: make sure that "DHCP Registration" is not checked (Services > DNS Resolver > General Settings).
Another reason: when interfaces go down and up (disconnected, reconnected), processes like unbound also restart. Restarting isn't really an issue, but it takes time, and during this time: no DNS.
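To tell restart-induced outages apart from failures that point at the resolver's configuration, the dig results posted above can be correlated with the Unbound start/stop events in /var/log/resolver.log. The script below is an added example, not code from the thread or from pfSense: it pairs each "service stopped" line with the following "start of service" line (Unbound's own log wording), parses the HEADER status and WHEN line out of dig output, and flags queries that fall inside a restart window plus a short grace period. The resolver.log lines, the pfSense hostname, PIDs, version and the third dig result are constructed for the example; the first two dig results reuse the timestamps and statuses from the thread.

```python
"""Correlate intermittent SERVFAIL answers with Unbound restarts (added example)."""
import re
from datetime import datetime, timedelta

# Constructed sample of /var/log/resolver.log in pfSense/Unbound syslog style.
# "service stopped" / "start of service" are Unbound's own messages; hostname,
# PIDs, version and times are made up for this example.
RESOLVER_LOG = """\
Oct  5 22:12:40 pfSense unbound[44001]: [44001:0] info: service stopped (unbound 1.18.0).
Oct  5 22:12:41 pfSense unbound[44002]: [44002:0] info: start of service (unbound 1.18.0).
Oct  5 22:13:10 pfSense unbound[44002]: [44002:0] info: server stats for thread 0: 10 queries, 2 answers from cache
Oct  5 22:25:02 pfSense unbound[44002]: [44002:0] info: service stopped (unbound 1.18.0).
Oct  5 22:25:03 pfSense unbound[44003]: [44003:0] info: start of service (unbound 1.18.0).
"""

# dig outputs trimmed to the two lines the parser needs. The first two mirror the
# thread's timestamps and statuses; the third is constructed to show a failure
# that no restart explains.
DIG_OUTPUTS = [
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 40698\n"
    ";; WHEN: Thu Oct 5 22:12:59 2023\n",
    ";; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 58073\n"
    ";; WHEN: Thu Oct 5 22:13:24 2023\n",
    ";; ->>HEADER<<- opcode: QUERY, status: SERVFAIL, id: 12345\n"
    ";; WHEN: Thu Oct 5 22:18:30 2023\n",
]

SYSLOG_RE = re.compile(
    r"^(\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d) \S+ unbound\[\d+\]: .*info: (.*)$")
HEADER_RE = re.compile(r";; ->>HEADER<<- .*status: (\w+)")
# Newer dig versions print a timezone before the year; the optional group absorbs it.
WHEN_RE = re.compile(
    r";; WHEN: \w{3} (\w{3})\s+(\d{1,2}) (\d\d:\d\d:\d\d)(?: \S+)? (\d{4})")


def _ts(mon, day, hms, year):
    """Build a datetime from syslog/dig fields; syslog has no year, so it is supplied."""
    return datetime.strptime(f"{year} {mon} {int(day):02d} {hms}", "%Y %b %d %H:%M:%S")


def restart_windows(log_text, year):
    """Pair each 'service stopped' with the next 'start of service'.
    Returns [(stopped_at, started_at)]; a start with no preceding stop gives a
    zero-length window."""
    windows, pending_stop = [], None
    for line in log_text.splitlines():
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        mon, day, hms, msg = m.groups()
        ts = _ts(mon, day, hms, year)
        if msg.startswith("service stopped"):
            pending_stop = ts
        elif msg.startswith("start of service"):
            windows.append((pending_stop or ts, ts))
            pending_stop = None
    return windows


def parse_dig(output):
    """Return (status, when) from dig output; raise if HEADER or WHEN is missing."""
    h, w = HEADER_RE.search(output), WHEN_RE.search(output)
    if not (h and w):
        raise ValueError("dig output lacks HEADER or WHEN line")
    mon, day, hms, year = w.groups()
    return h.group(1), _ts(mon, day, hms, year)


def classify(dig_outputs, windows, grace_seconds=30):
    """Tag each query with whether it fell inside a restart window or the grace
    period after the start, during which Unbound may not answer yet."""
    grace = timedelta(seconds=grace_seconds)
    results = []
    for out in dig_outputs:
        status, when = parse_dig(out)
        in_restart = any(stop <= when <= start + grace for stop, start in windows)
        results.append({"when": when, "status": status, "during_restart": in_restart})
    return results


def unexplained_failures(results):
    """Failures no restart accounts for; these point at forwarding, DNSSEC or
    upstream configuration rather than at restarts."""
    return [r for r in results if r["status"] != "NOERROR" and not r["during_restart"]]


if __name__ == "__main__":
    windows = restart_windows(RESOLVER_LOG, year=2023)
    results = classify(DIG_OUTPUTS, windows)
    for r in results:
        tag = "restart window" if r["during_restart"] else "no restart nearby"
        print(f"{r['when']:%H:%M:%S} {r['status']:<8} {tag}")
    print(f"{len(unexplained_failures(results))} failure(s) not explained by restarts")
```

With the sample data the 22:12:59 SERVFAIL lands 18 seconds after an Unbound start and is attributed to the restart, while the constructed 22:18:30 SERVFAIL has no restart nearby, which is the case where the DNSSEC-with-forwarding and DNS-over-TLS points raised earlier in the thread become the next things to check. Feed the real log with `restart_windows(open("/var/log/resolver.log").read(), 2023)` and a list of saved dig outputs to run it against live data.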
-
@Gertjan I could understand the "home.arpa" addition if it happened in every case, but it does not always happen.
Unbound does not restart that often, and I do not have DHCP Registration checked. I turned DNS Forwarding ON on the resolver, and this seems to have helped. At least so far.
I will try to get more verbose unbound logs when I have a chance.