DNS Resolver
-
All of my clients who use pfSense 23.09 have a problem resolving the DNS of a site called dc.directchannel.it. If I enter it manually inside DNS Resolver it works, but it should resolve it on its own.
Does anyone have any problems like this?
-
@nkamel said in DNS Resolver:
if I enter it manually inside DNS resolver it works
Like this ? :
On my PC, right now :
    C:\Users\Gauche>nslookup
    Serveur par defaut :   pfSense.bhf.tld
    Address:  192.168.1.1
    > dc.directchannel.it
    Serveur :   pfSense.bhf.tld
    Address:  192.168.1.1
    Réponse ne faisant pas autorité :
    Nom :    dc.directchannel.it
    Address:  15.161.9.186
This info tells me : nslookup, running on my Windows 1x PC will use "192.168.1.1" as a "DNS source". This will be, as the host name already tells us : pfSense.bhf.tld : my pfSense.
It will be unbound, the DNS resolver, handling my request. The first image tells us that that worked out just fine, as I'm using default pfSense DNS settings, which means that the resolver will resolve.
-
No if I go to Diagnostics-->DNS Lookup and look it up, it will time out without finding it. It will say exactly: Host "dc.directchannel.it" could not be resolved.
Same on my desktop nslookup, however on my desktop if I go server 8.8.8.8 and look it up, it will resolve and find it. I tried disabling pfblocking and got the same result.
-
@nkamel said in DNS Resolver:
I tried disabling pfblocking
Because you've found on :
that pfBlockerNG was blocking "dc.directchannel.it"?
@nkamel said in DNS Resolver:
No if I go to Diagnostics-->DNS Lookup and look it up, it will time out without finding it.
That's the classic : "You have a broken DNS". Most known solution : undo what you've been doing (dns and resolver settings), and resolving starts working again. Keep in mind : right after you installed pfSense, it worked.
Another issue might be : Your uplink blocks DNS traffic. This is mostly a "fake story", but it can happen, some ISPs (or sites where someone else is your "ISP") can block things upstream. But again : this is a very rare situation.
@nkamel said in DNS Resolver:
however on my desktop if I go server 8.8.8.8
So you know resolving works ^^ as 8.8.8.8 is a resolver. pfSense also has a resolver.
-
Try to look it up against some external DNS server like:
    [23.09-RELEASE][admin@plusdev-4.stevew.lan]/root: dig @8.8.8.8 dc.directchannel.it
    ; <<>> DiG 9.18.16 <<>> @8.8.8.8 dc.directchannel.it
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 9553
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 512
    ;; QUESTION SECTION:
    ;dc.directchannel.it. IN A
    ;; ANSWER SECTION:
    dc.directchannel.it. 600 IN A 15.161.9.186
    ;; Query time: 53 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8) (UDP)
    ;; WHEN: Fri Dec 01 18:29:03 GMT 2023
    ;; MSG SIZE rcvd: 64
How do you have DNS configured in those pfSense 23.09 installs?
Steve
-
I don't have any problems resolving that
    $ dig @192.168.9.253 dc.directchannel.it
    ; <<>> DiG 9.16.45 <<>> @192.168.9.253 dc.directchannel.it
    ; (1 server found)
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 56415
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1
    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;dc.directchannel.it. IN A
    ;; ANSWER SECTION:
    dc.directchannel.it. 3598 IN A 15.161.9.186
    ;; Query time: 2761 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Fri Dec 01 15:39:02 Central Standard Time 2023
    ;; MSG SIZE rcvd: 64
I would do a +trace from pfSense if you're having issues just resolving it.
Looks like had some timeouts talking to some of the NS
    ; <<>> DiG 9.18.16 <<>> dc.directchannel.it +trace
    ;; global options: +cmd
    . 75316 IN NS k.root-servers.net.
    . 75316 IN NS l.root-servers.net.
    . 75316 IN NS m.root-servers.net.
    . 75316 IN NS a.root-servers.net.
    . 75316 IN NS b.root-servers.net.
    . 75316 IN NS c.root-servers.net.
    . 75316 IN NS d.root-servers.net.
    . 75316 IN NS e.root-servers.net.
    . 75316 IN NS f.root-servers.net.
    . 75316 IN NS g.root-servers.net.
    . 75316 IN NS h.root-servers.net.
    . 75316 IN NS i.root-servers.net.
    . 75316 IN NS j.root-servers.net.
    . 75316 IN RRSIG NS 8 0 518400 20231214170000 20231201160000 46780 . ruGDKRNFa3EGBlG+Cj9gbhCOin3rVUlbuN9UawEFafteMTkn60CQGgDe 7UjKqdsEQTUh34puFgc08oNtFj5xS+oLmOf9ej1WKmNnGibTA0p1IUlf P7yM9+MKeHbJ3OgpCRv8JMdwtZNPQf9hdegbi/RpdVqVGmDLKb7/QhGo VzLWQuTi4yNXL4T1hUI47chEICTkNrepUTBTZTl3uNvTYmerF55Imh/i URMdomj3JoaNrpMRTTu5rZFjjtUdV9fsOHs/ZjR5CogdOyOGqH14LMcm jZ2epzMUxyeZlQL5TkyCbeszgzw8QRzkcnxupHOwAtpn8ujTzyXqo+9D fravOQ==
    ;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
    it. 172800 IN NS d.dns.it.
    it. 172800 IN NS r.dns.it.
    it. 172800 IN NS a.dns.it.
    it. 172800 IN NS nameserver.cnr.it.
    it. 172800 IN NS dns.nic.it.
    it. 172800 IN NS m.dns.it.
    it. 86400 IN DS 41901 10 2 47F7F7BA21E48591F6172EED13E35B66B93AD9F2880FC9BADA64F68C E28EBB90
    it. 86400 IN RRSIG DS 8 1 86400 20231214170000 20231201160000 46780 . NKdkgoMcuM9NqsOd3VeXtQ0MQtxVrYDhstZrccg7I1hQF96Fm1c9ZrHF RLoYWyDvzCvTEZI1JjwmgGNk+7sf9SlumWlbIoWm+qKx4RFm+394Dp/A wMDCsvUPORtiuJmtFNBp+HpnLWLGmEomK/T4AZs1Q/2NhU2QjSM/cEWU TVQhSopihw+lAleHi/MHUkYv+mYmxOvNScSksm3NU0+AKF0ImT5hj9gO JjHJ+meHq7gW4yqF80rq2AsgB1TB3FNaLbDVfTLsAYQAXnp3cmFUhKnE I6iWeZMR+5aWdSnJ/0DgGTcOXB/ZiK4+QXTH2NG5Mv/j/1ATjglA6APX Ljj3Bw==
    ;; Received 766 bytes from 198.41.0.4#53(a.root-servers.net) in 10 ms
    directchannel.it. 10800 IN NS dns1.mondadori.com.
    directchannel.it. 10800 IN NS vrdns02.mondadori.it.
    directchannel.it. 10800 IN NS amefirew.mondadori.it.
    RS1N3N7M54PDEM5EUNV9NPKH3B6CGPJC.it. 3600 IN NSEC3 1 1 0 - RS45884SRCL7KJJIEP3CU8C925T3VLVN NS SOA RRSIG DNSKEY NSEC3PARAM
    RS1N3N7M54PDEM5EUNV9NPKH3B6CGPJC.it. 3600 IN RRSIG NSEC3 10 2 3600 20231231200453 20231201200453 18395 it. giyCF3AszQDBLxooMaWLuLJMKmRN37I4EPC4GTlCngLcLVYg7sltCN35 2kLlGOgh5r/pg9uTzfvJcMMbKWYLOTDRjJbLN41XtV2V6V7PD+4yG8yI d3jVioQRgWzst/l+oej7goYdZxWCv7Nw7uPzt+1SWzwjfZckFTdIMnrB rFu4OsL6gLr2yGWgUEeCmKHqLKLBngSL3D/VvlmuFAL2bCPwYW6drGS4 9MErItaYlyEhYgfv+NkkL9s+0UuPAuIBLAabMWFQLOItAuf7wK4MCcrW ssg9wZaB5it5MUiE59MEdiB6hf60km+F85k/TxCygzZ7WKNUZ0Pnveih M23S4g==
    QD18DDL6ORUEG1JQJUS7T2DC6D3IVM9N.it. 3600 IN NSEC3 1 1 0 - QD8BOSPOL7E4SLMFJMKBR9138N47HGU8 NS DS RRSIG
    QD18DDL6ORUEG1JQJUS7T2DC6D3IVM9N.it. 3600 IN RRSIG NSEC3 10 2 3600 20231231200453 20231201200453 18395 it. htEA0rkZw1UpecN3W/n8WoAzTHrLt7iedkFtUvZXl20S2x+QdzMAd3P0 TqsR48FNHDsEcdSgUQGCr/fcWwI52PMFQS/6tgDoaU2lOwzGKd/M38/B FPKOvRh8LP2jFsLGGdUQluoBDb5E0QYy0UtHewhkCB7knuGRYhlGpk0B gk7mWRQJZbXWHSvXMBQJeGLjebwrr8Ium0Z0E31W5iB6SiwGrp+c+ZlD OXQIKmSIRbmlio8Iuu4wO0/by7hzp8xjXslI+yMLJLI/SibNA5F69dbe 9tQIukDH2xIhinRdA4n9FKby91FumjxaO3qOCxGRWuTLbFaLenUZSPem JeDePA==
    ;; Received 938 bytes from 2001:760:ffff:ffff::ca#53(r.dns.it) in 163 ms
    ;; communications error to 193.42.201.65#53: timed out
    ;; communications error to 193.42.201.65#53: timed out
    ;; communications error to 193.42.201.65#53: timed out
    dc.directchannel.it. 600 IN A 15.161.9.186
    directchannel.it. 600 IN NS amefirew.mondadori.it.
    directchannel.it. 600 IN NS dns1.mondadori.com.
    directchannel.it. 600 IN NS vrdns02.mondadori.it.
    ;; Received 227 bytes from 193.42.160.7#53(dns1.mondadori.com) in 115 ms
    [23.09-RELEASE][admin@sg4860.local.lan]/root:
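Added example, not part of the original posts: a small shell helper that condenses `dig +trace` output like the one above into which server answered each hop and which servers timed out. The function names are hypothetical, and the sample trace is constructed with documentation addresses and `.test` names.

```shell
#!/bin/sh
# Condense `dig +trace` output: which server answered each hop, which timed out.
# Live use (assumed invocation): dig +trace name.example | summarize_trace

summarize_trace() {
    awk '
        # e.g. ";; Received 766 bytes from 192.0.2.4#53(a.root.test) in 10 ms"
        /^;; Received / {
            split($6, a, "#")                  # a[1] = server address
            name = $6
            sub(/^[^(]*\(/, "", name)          # drop "addr#port("
            sub(/\)$/, "", name)               # drop trailing ")"
            printf "answered %s %s %sms\n", a[1], name, $8
            next
        }
        # e.g. ";; communications error to 198.51.100.65#53: timed out"
        /^;; communications error to / && /timed out/ {
            split($5, a, "#")
            if (!(a[1] in fails)) order[++n] = a[1]   # keep first-seen order
            fails[a[1]]++
        }
        END {
            for (i = 1; i <= n; i++)
                printf "timeout %s x%d\n", order[i], fails[order[i]]
        }
    '
}

# Constructed sample trace (documentation addresses, .test names).
sample_trace() {
    cat <<'EOF'
.                  75316  IN NS a.root-servers.test.
;; Received 525 bytes from 127.0.0.1#53(127.0.0.1) in 0 ms
test.              172800 IN NS a.nic.test.
;; Received 766 bytes from 192.0.2.4#53(a.root-servers.test) in 10 ms
example.test.      10800  IN NS ns1.example.test.
example.test.      10800  IN NS ns2.example.test.
;; Received 938 bytes from 2001:db8::ca#53(a.nic.test) in 163 ms
;; communications error to 198.51.100.65#53: timed out
;; communications error to 198.51.100.65#53: timed out
;; communications error to 198.51.100.65#53: timed out
www.example.test.  600    IN A 203.0.113.186
;; Received 227 bytes from 198.51.100.7#53(ns1.example.test) in 115 ms
EOF
}

sample_trace | summarize_trace
```

A `timeout` line next to an `answered` line for the same zone means one authoritative server is unreachable from this vantage point while another still responds.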
-
Thanks everyone for the help. It wasn't pfblocking, but rather a simple bad DNS provided by my ISP.
I didn't think of it because everything else was working perfectly fine.
However, when I went to System --> General Setup and removed my ISP DNS and replaced it with 127.0.0.1 and 8.8.8.8, it worked just fine.