Vlans will not DNS resolve
-
I have been messing with this for weeks and I am done dinking with it, so I am here asking for help.
Right now many of my firewall rules are opened up trying to solve this issue. I have 4 VLANs with an additional LAN. On the LAN network I can ping an IP without issue. On that same LAN I can also ping github.com or google.com and that seems to work flawlessly. If I go into my VLAN and try to update a package on the server or try to git clone anything, the entire process falls flat on its face. Pretty sure this is what ruined my Plex server as well. Anyhow, while trying to problem-solve this I SSH'd into the server and ran a ping to 1.1.1.1 and got a response. I then tried google.com and github.com as a sanity check. Both named pings failed: "ping: google.com: Name or service not known". At this point red flags for the DNS resolver were going through my head, so I went back to the laptop on my LAN and retested the pings. Both name and addressed pings to the internet worked. I also ran a ping to the pfSense firewall from the laptop and the server via the corresponding DHCP servers on LAN and VLAN. Those pings worked as expected.
I have no idea what I have screwed up, but if someone has some idea I am very willing to listen or try anything to get this to work. I am not using a VPN for all of my network traffic. There is a VPN from the server out, but that is tunneled through the network. Pretty sure that is not working right now either, but I have no proof of that right now. Any help that could be provided would be appreciated.
-
@sentein and what rules did you put on these VLANs? Where are you pointing for DNS? Are these VLANs downstream of pfSense or attached?
A simple dig or nslookup or host or doggo or whatever your fav DNS tool is.. What does it show that it's pointing to for DNS? Does that answer? If no, then yeah, you're going to have a really bad day, because without DNS the internet is useless..
See, my client is pointing to 192.168.9.253, my pfSense IP on this network... If that fails, then you don't have unbound listening on that interface? Your firewall rules on this interface do not allow it? Or maybe your VLAN is downstream and not directly attached and the unbound ACLs are not right? Or maybe you disabled the auto ACLs in unbound, and when you added this new VLAN the ACLs were not updated?
-
@johnpoz I have attached some of the settings you asked about. I feel like there is something telling about the response from the lookup. I would not know right now what it means, but it's not right. My brain might be too far gone to mush. I have tried so many things trying to get this to work, I probably screwed this up further. As for disabling anything in unbound, I am unsure how I would have done that as I cannot find any menus for that at all. The VLANs are run through a Brocade switch. Beyond that there is nothing separating them from pfSense, so it's pfSense/Brocade/VLAN. I guess if any of this triggers anything for you let me know. Or if you want more information I am all ears. Seems like I am in for a bad day, but only on the VLANs. DNS works on the regular LAN.
-
@sentein Also, restart DNS Resolver after you add the VLAN interface(s).
-
@sentein that server is pointing to itself for DNS (127.0.0.1); where is it actually trying to go?
Do a directed query. With nslookup, change the server with "server 8.8.8.8", then try your query:
$ nslookup
Default Server: sg4860.home.arpa
Address: 192.168.9.253
> server 8.8.8.8
Default Server: dns.google
Address: 8.8.8.8
> www.google.com
Server: dns.google
Address: 8.8.8.8
Non-authoritative answer:
Name: www.google.com
Addresses: 2607:f8b0:4009:81a::2004
           142.250.190.132
Does that work? OK, set it to your pfSense IP.. I take it that is the 10.10.4.4 address?
-
@johnpoz sorry for the delay, the wife wanted to go out to eat. Thank you for the help with this. I ran the test you mentioned. When specifying the server, the nslookup actually worked.
I am figuring this means my actual problem is in the server itself. Please correct me if I am incorrect. If that's the case, I guess I need to go root around in the settings for the server.
-
@sentein so yeah, Linux will point to itself like that and then forward elsewhere, but where it actually forwards to you have no idea, and that is what isn't working. What flavor of Linux are you running? Probably using netplan would be my guess. Not really a fan..
For example, this version of Ubuntu is doing it:
user@UC:~$ nslookup
> www.google.com
Server: 127.0.0.53
Address: 127.0.0.53#53
Non-authoritative answer:
Name: www.google.com
Address: 172.217.0.164
>
Probably want to make sure it's listening on 53..
user@UC:~$ netstat -anl | grep :53
tcp   0   0 127.0.0.53:53   0.0.0.0:*   LISTEN
udp   0   0 127.0.0.53:53   0.0.0.0:*
And you can see where it's pointing:
user@UC:~$ resolvectl status
Global
  Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub

Link 2 (ens3)
  Current Scopes: DNS
  Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  Current DNS Server: 192.168.3.10
  DNS Servers: 192.168.3.10
  DNS Domain: home.arpa
user@UC:~$
-
@johnpoz Right now this server is running Linux Mint 21.3 Edge. I tried Ubuntu headless, but I could not wrap my head around netplan. Ubuntu wanted to route everything through the 10GbE because it was faster. That was not working because the 10GbE interface was, and still is, completely isolated. I did try to figure out what is going on with the DNS on the server. Below is the command and the output. It seems that my DNS settings are being forwarded to the server. I am a bit lost as to what it is doing. If you are sure that my problem is in the OS, I can go bother someone else. At that point it is not a pfSense problem.
nmcli dev show | grep DNS
IP4.DNS[1]: 0.0.0.0
IP4.DNS[2]: 9.9.9.9
IP4.DNS[3]: 149.112.112.112
IP4.DNS[4]: 84.200.70.40
IP4.DNS[5]: 84.200.69.80
-
The ---> DNS Domain: #####.net below is me sanitizing my address.
Global
  Protocols: -LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  resolv.conf mode: stub
  Current DNS Server: 10.10.5.4
  DNS Servers: 10.10.5.4
  Fallback DNS Servers: 9.9.9.9

Link 2 (ens1f0)
  Current Scopes: none
  Protocols: +DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
  DNS Domain: #####.net

Link 3 (ens1f1)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 4 (ens5)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 5 (ens5d1)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 6 (docker0)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 28 (veth118db9f)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported

Link 30 (veth2dd1412)
  Current Scopes: none
  Protocols: -DefaultRoute +LLMNR -mDNS -DNSOverTLS DNSSEC=no/unsupported
-
@sentein said in Vlans will not DNS resolve:
DNS Servers: 10.10.5.4
And what IP is that? You should be pointing to the pfSense LAN IP..
-
@johnpoz that is the DHCP server for the VLAN in question. 10.10.4.4 is the LAN DHCP server. So I should require it to point to the LAN pfSense IP? Maybe that's most of my issue.
-
@sentein does this DHCP server provide DNS?
Doesn't seem to. Do a directed query to it..
-
@johnpoz I thought it was supposed to. Maybe I have something wrong.... I have a second PC for the pfSense box. Should I just start over?
-
@johnpoz No freaking idea what I did, but now everything is working....
-
@sentein Huh? So you have DHCP running on pfSense? Thought you said you had a different DHCP server?
Also, unless you put unbound into forwarding mode, setting those DNS servers is pointless..
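The check johnpoz walks sentein through above, as an added POSIX shell example that is not from the thread or from pfSense: it parses what the systemd-resolved stub forwards to and compares it with the pfSense address on that VLAN. The resolvectl text inside is constructed from the output posted above, the pfSense VLAN address 10.10.5.1 used in the test is a placeholder the thread never gives, and dig is assumed to be installed for the live directed query.

```shell
#!/bin/sh
# Added example, not from the thread: show what the systemd-resolved stub
# forwards to and compare it with pfSense's address on that VLAN.
# Constructed sample mirroring the resolvectl output in the thread: 10.10.5.4
# is the VLAN's DHCP server (answers no DNS); ens3 is johnpoz's working box.
SAMPLE_STATUS='Global
  resolv.conf mode: stub
  Current DNS Server: 10.10.5.4
  DNS Servers: 10.10.5.4
  Fallback DNS Servers: 9.9.9.9

Link 2 (ens1f0)
  Current Scopes: none

Link 2 (ens3)
  Current Scopes: DNS
  Current DNS Server: 192.168.3.10
  DNS Servers: 192.168.3.10'

# Print "<scope> <server>" for every scope (Global or link name) that has a
# Current DNS Server, reading `resolvectl status` output on stdin.
resolved_upstreams() {
    awk '/^Global/            { scope = "Global" }
         /^Link [0-9]+ \(/    { scope = $3; gsub(/[()]/, "", scope) }
         /Current DNS Server:/ { print scope, $NF }'
}

# The stub must forward to pfSense's address on this VLAN (placeholder
# 10.10.5.1 in the test), not to a DHCP-only host such as 10.10.5.4.
dns_verdict() {  # $1 = observed server, $2 = pfSense address on the VLAN
    if [ "$1" = "$2" ]; then
        echo "ok: stub forwards to pfSense ($2)"
    else
        echo "wrong target: stub forwards to $1, expected pfSense $2"
    fi
}

# The directed query johnpoz asks for; dig is assumed installed. Failing
# against the pfSense address means unbound is not listening on that
# interface, its ACL rejects the VLAN, or a firewall rule blocks port 53.
directed_query() {
    dig +short +time=2 +tries=1 "@$1" www.google.com A | grep -q .
}
# Live run on a VLAN host: sh vlan-dns-check.sh <pfsense-vlan-ip>
if [ "$#" -ge 1 ]; then
    resolvectl status | resolved_upstreams | while read -r scope server; do
        echo "$scope: $(dns_verdict "$server" "$1")"
        directed_query "$server" && echo "  $server answers" || echo "  $server silent"
    done
fi
```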