Netgate Discussion Forum
    DNS resolution issue with High Availability

    HA/CARP/VIPs
    11 Posts 3 Posters 896 Views
    emc

      I've finished setting up high availability on my network using two identical pfSense routers.

      The fallback works as expected. However, DNS resolution seems to be an issue when the backup pfSense takes over as main.

      Whenever the second pfSense takes over as the main, I am able to ping 1.1.1.1 using the command line and even ping google.com from the command line itself without an issue. The problem occurs when I browse: I get a DNS error page.

      My setup is as follows:
      System/General Setup/DNS Server Settings
      1.1.1.1
      8.8.8.8

      Services/DHCP Server/VLAN
      DNS Servers: 192.168.100.1 (CARP IP)
      Gateway: 192.168.100.1 (CARP IP)
      Failover peer IP: 192.168.100.3 (Secondary pfSense)

      Services/DNS Resolver/General Settings
      DNS Query Forwarding (Enabled)
      Outgoing Network Interfaces (ALL)

      I also have some host overrides under DNS Resolver, and those work fine on the browser.

      I've been scratching my head for a few days; I cannot figure out what the issue is here. Any help would be appreciated, thank you in advance!

      SteveITS @emc

        @emc said in DNS resolution issue with High Availability:

        DNS Query Forwarding (Enabled)

        Ensure the DNSSEC option is disabled.
        https://docs.quad9.net/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/
        "DNSSEC is already enforced by Quad9, and enabling DNSSEC at the forwarder level can cause false DNSSEC failures."

        ping google.com from the command line itself

        The command line of pfSense or of your client device?

        Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
        When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
        Upvote 👍 helpful posts!

          emc @SteveITS

          @SteveITS

          I set Quad9 as my DNS servers and disabled DNSSEC.

          The issue persists.

          I can ping from pfsense2 to 1.1.1.1 and google.com. I am unable to ping 1.1.1.1 or google.com from my end user (laptop) at all when pfsense2 becomes the master.

            viragomann @emc

            @emc
            Did you configure the outbound NAT to translate to the CARP WAN VIP?

              emc @viragomann

              @viragomann

              It is set to the CARP IP WAN.

              Am I supposed to set the DNS server to the VLAN CARP IP?

              Under Services/DHCP Server/VLAN
              I had set up the DNS servers as the CARP IP of the LAN, 192.168.100.1. After running "ipconfig /all" on the Windows laptop, I can see that this is indeed the DNS server I receive, but I cannot ping using this server.

              However, if I change the DNS server to 9.9.9.9, I am able to browse as expected when the secondary pfsense becomes master.

              I thought that by setting the DNS to the CARP IP of the VLAN, 192.168.100.1, it would get the DNS servers set up under System/General Setup.

                SteveITS @emc

                @emc you don't need to use Quad9, just disable DNSSEC.

                The shared IP should work. You can test with nslookup. Is DNS Resolver set to listen on all IPs?

                Does Status/CARP show master/backup is correct on both routers?

                  emc @SteveITS

                  @SteveITS said in DNS resolution issue with High Availability:

                  eed to use quad9

                  I had disabled DNSSEC and the issue persisted.

                  Yes it is set to listen to all IPs. And the status is correct in Master/Backup on both routers.

                  The DNS error persists unless I replace 192.168.100.1 with an external DNS under the DHCP section.

                    SteveITS @emc

                    @emc Have you tried restarting the DNS Resolver service?

                      emc @SteveITS

                      @SteveITS

                      Yes, I restarted the DNS Resolver on both pfSense boxes. The same issue persists. I can't think of what the issue is.

                        viragomann @emc

                        @emc
                        To investigate whether it's a DNS issue on the secondary, run nslookup against the interface address of both.
                        Both should reply, no matter which CARP state they are in.

                          emc @viragomann
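A direct per-node DNS check of the kind viragomann suggests, written here as an added example (not code from the thread or from pfSense): it sends a raw A query straight to the LAN CARP VIP and the secondary's address given in the thread, plus an assumed placeholder (192.168.100.2) for the primary's own address, and reports which of them return a usable answer. Running it from a client once with each node as CARP master shows whether the VIP is failing or the node behind it is; the query name google.com is taken from the thread.

```python
import socket
import struct
# Addresses from the thread: LAN CARP VIP and the secondary node; the primary's
# own LAN address is not given there, so 192.168.100.2 is an assumed placeholder.
RESOLVERS = {"carp_vip": "192.168.100.1",
             "primary (placeholder)": "192.168.100.2",
             "secondary": "192.168.100.3"}

def build_query(name, txid=0x1234):
    """Build a minimal DNS A/IN query with RD=1, as nslookup would send."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + qname + b"\x00" + struct.pack("!HH", 1, 1)

def skip_name(msg, off):  # offset just past a (possibly compressed) domain name
    while True:
        ln = msg[off]
        if ln == 0:
            return off + 1
        if ln & 0xC0 == 0xC0:  # compression pointer: two bytes, ends the name
            return off + 2
        off += 1 + ln

def parse_a_records(msg, txid=0x1234):
    """A-record addresses from a reply; [] unless it is a clean answer to our query."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if rid != txid or not flags & 0x8000 or flags & 0x000F:  # wrong id, not a reply, RCODE != 0
        return []
    off = 12
    for _ in range(qd):  # skip the echoed question section
        off = skip_name(msg, off) + 4
    addrs = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return addrs

def check_resolver(ip, name="google.com", timeout=2.0):
    """Query one resolver directly over UDP/53; [] means no usable answer."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(build_query(name), (ip, 53))
            return parse_a_records(s.recv(4096))
        except (OSError, struct.error):  # timeout, ICMP unreachable, or truncated reply
            return []
if __name__ == "__main__":
    for label, ip in RESOLVERS.items():
        print(f"{label:22} {ip:15} -> {check_resolver(ip) or 'NO ANSWER'}")
```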

                          @viragomann

                          I watched all of Netgate's official tutorials.
                          In one of them they mention that if my setup is structured as a DMZ, the outbound NAT should be set as default:

                          https://www.youtube.com/watch?v=-UszV8qIaRw&t=2426s

                          My setup is set as a DMZ:
                          COMCAST ROUTER -> DMZ WAN CARP IP (either pfsense1 or pfsense2)

                          I removed the custom NAT outbound rules pointing to the WAN CARP IP, and left it at hybrid default rules.
                          The DNS resolution is working now.

                          Besides this small mention in a tutorial from 9 years ago, I do not see this mention about DMZ anywhere else in the documentation from Netgate. Either way, it is working now. I hope this helps someone else in the future.

                          Thank you for your help!

                          Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.