Netgate Discussion Forum

DNS resolver working for pfSense but not on LAN

Category: DHCP and DNS
Tags: dns resolver, servfail
8 Posts 3 Posters 1.1k Views

  • NickJH
    posted Apr 16, 2024, 11:44 AM; last edited by NickJH Apr 16, 2024, 11:46 AM

    I am trying to prep pfSense on my LAN so I can insert it as my router with minimum downtime so I have a bit of a messy networking setup.

    At the moment pfSense is using the Resolver and, from ssh, can resolve upstream DNS. However it gives ServFail messages to LAN connected devices. I have done a tcpdump on the pfSense internal and external interfaces:

    Internal:

    10:16:07.461347 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
    10:16:07.461422 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
    10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.homehub.btopenworld.com. (45)
    10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)
    10:16:07.484193 IP 172.17.2.125.53360 > 172.17.2.254.53: 3+ A? time.windows.com. (34)
    10:16:07.484397 IP 172.17.2.254.53 > 172.17.2.125.53360: 3 ServFail 0/0/0 (34)
    10:16:07.495641 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)
    10:16:07.495690 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)
    10:16:07.518034 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
    10:16:07.518037 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
    10:16:07.518051 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)
    10:16:07.518053 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)
    

    External:

    10:16:07.462084 IP 172.17.4.231.57286 > 192.36.148.17.53: 48335+ [1au] A? www.msftconnecttest.com. (52)
    10:16:07.462104 IP 192.112.36.4.53 > 172.17.4.231.43143: 6611 0/0/0 (21)
    10:16:07.462202 IP 172.17.4.231.55442 > 193.0.14.129.53: 50434+ [1au] A? www.msftconnecttest.com. (52)
    10:16:07.512560 IP 172.17.4.231.27436 > 192.36.148.17.53: 2167+ [1au] A? www.msftconnecttest.com. (52)
    10:16:07.514487 IP 172.17.4.231.8517 > 193.0.14.129.53: 43843+ [1au] A? www.msftconnecttest.com. (52)
    10:16:07.517759 IP 192.36.148.17.53 > 172.17.4.231.57286: 48335 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
    10:16:07.517776 IP 193.0.14.129.53 > 172.17.4.231.8517: 43843 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
    10:16:07.517779 IP 192.36.148.17.53 > 172.17.4.231.27436: 2167 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
    10:16:07.517781 IP 193.0.14.129.53 > 172.17.4.231.55442: 50434 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)
    

    If I try pinging somewhere from a LAN PC I get:

    C:\Users\nick>ping google.com
    Ping request could not find host google.com. Please check the name and try again.
    

    So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

    In the resolver, Network Interfaces is set to ALL and Outgoing Network Interfaces to WAN. I have also tried enabling DNS Query Forwarding with upstream servers of 1.1.1.1 and 1.0.0.1 but it made no difference.

    The (horrible) networking set up is:

    Internet
         |
    Router A (for main LAN)
         | 172.17.2.0/24
    Router B
         | 172.17.4.0/24
    pfSense
         | 172.17.2.0/24
    Test LAN
    

    Note that because I am trying to load pfSense with fixed leases, it needs the same LAN subnet as the main LAN so I have to insert Router B between the main LAN and test LAN to avoid pfSense having the same subnet on its LAN and WAN.

    Is there something obvious I am missing?

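    The two captures above show the symptom in raw form: the WAN side receives a NoError answer with two A records, the LAN side gets ServFail for the same name. As an added example (not from the original post, and not a Netgate or pfSense tool), the Python below parses tcpdump's DNS summary lines, pairs each query with its reply on client address, client port and transaction ID, and flags names for which the upstream capture shows a successful answer while the LAN capture shows ServFail. The capture lines embedded in it are constructed from the post above; the regular expressions cover tcpdump's UDP DNS summary format only.

```python
"""Pair DNS queries with replies in `tcpdump -n` output and flag names that the
resolver received an answer for upstream but returned as ServFail to LAN clients."""
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# One tcpdump -n line: "<ts> IP <src>.<sport> > <dst>.<dport>: <txid>[flags] <body>"
LINE_RE = re.compile(
    r"^(?P<ts>\d+:\d{2}:\d{2}\.\d+) IP "
    r"(?P<src>[\d.]+)\.(?P<sport>\d+) > (?P<dst>[\d.]+)\.(?P<dport>\d+): "
    r"(?P<txid>\d+)(?P<flags>[+*$|-]*)\s*(?P<body>.*)$"
)
# Query body, e.g. "A? www.msftconnecttest.com. (41)" or "[1au] A? example.com. (52)"
QUERY_RE = re.compile(r"^(?:\[\w+\]\s+)?(?P<qtype>[A-Z0-9]+)\?\s+(?P<qname>\S+)\s+\(\d+\)$")
# Reply body, e.g. "ServFail 0/0/0 (45)" or "2/0/0 A 23.73.137.235, A 23.73.138.194 (73)"
REPLY_RE = re.compile(r"^(?:\[\w+\]\s+)?(?P<rcode>[A-Za-z]+\s+)?(?P<an>\d+)/(?P<ns>\d+)/(?P<ar>\d+)")


@dataclass
class DnsEvent:
    ts: str
    src: str
    sport: int
    dst: str
    dport: int
    txid: int
    qname: Optional[str] = None   # set on queries
    rcode: Optional[str] = None   # set on replies: "NoError", "ServFail", "NXDomain", ...
    answers: int = 0              # answer-section record count on replies


def parse_line(line: str) -> Optional[DnsEvent]:
    """Parse one tcpdump line; return None for anything that is not a UDP DNS summary."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = DnsEvent(m["ts"], m["src"], int(m["sport"]), m["dst"], int(m["dport"]), int(m["txid"]))
    q = QUERY_RE.match(m["body"])
    if q:
        ev.qname = q["qname"]
        return ev
    r = REPLY_RE.match(m["body"])
    if r:
        ev.rcode = (r["rcode"] or "NoError").strip()
        ev.answers = int(r["an"])
        return ev
    return None


def correlate(lines: List[str]) -> List[Tuple[str, str, int]]:
    """Return (qname, rcode, answer_count) for every reply whose query was seen earlier.
    Queries and replies are matched on (client address, client port, txid), so the
    same query is keyed identically whether the client is a LAN PC or the resolver."""
    pending: Dict[Tuple[str, int, int], str] = {}
    matched: List[Tuple[str, str, int]] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.qname is not None:
            pending[(ev.src, ev.sport, ev.txid)] = ev.qname
        else:
            qname = pending.get((ev.dst, ev.dport, ev.txid))
            if qname is not None:
                matched.append((qname, ev.rcode or "NoError", ev.answers))
    return matched


def find_validation_suspects(lan_lines: List[str], wan_lines: List[str]) -> List[str]:
    """Names answered NoError with records on the WAN side but ServFail on the LAN side.
    A resolver that receives data and still returns ServFail has rejected the answer;
    a failed DNSSEC validation is the usual reason, so these names are where to look."""
    answered_upstream = {q for q, rc, an in correlate(wan_lines) if rc == "NoError" and an > 0}
    servfail_to_lan = {q for q, rc, _ in correlate(lan_lines) if rc == "ServFail"}
    return sorted(answered_upstream & servfail_to_lan)


# Constructed sample input: the LAN-side and WAN-side captures from the post above.
INTERNAL = [
    "10:16:07.461347 IP 172.17.2.116.58654 > 172.17.2.254.53: 64030+ A? www.msftconnecttest.com. (41)",
    "10:16:07.461422 IP 172.17.2.116.61404 > 172.17.2.254.53: 72+ A? www.msftconnecttest.com. (41)",
    "10:16:07.483491 IP 172.17.2.125.60409 > 172.17.2.254.53: 2+ A? ntp.homehub.btopenworld.com. (45)",
    "10:16:07.483702 IP 172.17.2.254.53 > 172.17.2.125.60409: 2 ServFail 0/0/0 (45)",
    "10:16:07.484193 IP 172.17.2.125.53360 > 172.17.2.254.53: 3+ A? time.windows.com. (34)",
    "10:16:07.484397 IP 172.17.2.254.53 > 172.17.2.125.53360: 3 ServFail 0/0/0 (34)",
    "10:16:07.518034 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)",
    "10:16:07.518037 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)",
    "10:16:07.518051 IP 172.17.2.254.53 > 172.17.2.116.61404: 72 ServFail 0/0/0 (41)",
    "10:16:07.518053 IP 172.17.2.254.53 > 172.17.2.116.58654: 64030 ServFail 0/0/0 (41)",
]
EXTERNAL = [
    "10:16:07.462084 IP 172.17.4.231.57286 > 192.36.148.17.53: 48335+ [1au] A? www.msftconnecttest.com. (52)",
    "10:16:07.462104 IP 192.112.36.4.53 > 172.17.4.231.43143: 6611 0/0/0 (21)",
    "10:16:07.462202 IP 172.17.4.231.55442 > 193.0.14.129.53: 50434+ [1au] A? www.msftconnecttest.com. (52)",
    "10:16:07.512560 IP 172.17.4.231.27436 > 192.36.148.17.53: 2167+ [1au] A? www.msftconnecttest.com. (52)",
    "10:16:07.514487 IP 172.17.4.231.8517 > 193.0.14.129.53: 43843+ [1au] A? www.msftconnecttest.com. (52)",
    "10:16:07.517759 IP 192.36.148.17.53 > 172.17.4.231.57286: 48335 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)",
    "10:16:07.517776 IP 193.0.14.129.53 > 172.17.4.231.8517: 43843 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)",
    "10:16:07.517779 IP 192.36.148.17.53 > 172.17.4.231.27436: 2167 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)",
    "10:16:07.517781 IP 193.0.14.129.53 > 172.17.4.231.55442: 50434 2/0/0 A 23.73.137.235, A 23.73.138.194 (73)",
]

if __name__ == "__main__":
    for qname, rcode, answers in correlate(INTERNAL):
        print(f"LAN  {qname:32} {rcode:8} answers={answers}")
    for qname, rcode, answers in correlate(EXTERNAL):
        print(f"WAN  {qname:32} {rcode:8} answers={answers}")
    print("answered upstream but ServFail to LAN:", find_validation_suspects(INTERNAL, EXTERNAL))
```

    On real captures, feed it `tcpdump -n -i <lan> port 53` and `tcpdump -n -i <wan> port 53` output taken at the same time; names that appear only in the LAN ServFail list (here ntp.homehub.btopenworld.com and time.windows.com, whose upstream lookups fall outside the captured window) are not flagged, which keeps the list down to cases where the resolver demonstrably had an answer in hand.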
    • Gertjan @NickJH
      Apr 16, 2024, 12:27 PM

      @NickJH said in DNS resolver working for pfSense but not on LAN:

      C:\Users\nick>ping google.com
      Ping request could not find host google.com. Please check the name and try again.

      Just to be sure:

      ipconfig /all
      

      What is the DNS server assigned to this PC?

      @NickJH said in DNS resolver working for pfSense but not on LAN:

      So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

      Strange.
      But reasons exist. One of them is DNSSEC: if the time on the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.


      Not a mess.
      What is known as "Internet" in your "networking setup" is a huge chain of even more routers.
      Btw: two chained local networks using "172.17.2.0/24"? I've never seen that before. Better be safe than sorry: don't do that, whatever your motives are.

      No "help me" PM's please. Use the forum, the community will thank you.
      Edit : and where are the logs ??

      • NickJH @Gertjan
        posted Apr 16, 2024, 1:13 PM; last edited by NickJH Apr 16, 2024, 1:24 PM

        @Gertjan said in DNS resolver working for pfSense but not on LAN:

        @NickJH said in DNS resolver working for pfSense but not on LAN:

        C:\Users\nick>ping google.com
        Ping request could not find host google.com. Please check the name and try again.

        Just to be sure:

        ipconfig /all
        

        What is the DNS server assigned to this PC?

        Wireless LAN adapter WiFi:
        
           Connection-specific DNS Suffix  . : howitts.co.uk
           Description . . . . . . . . . . . : Realtek RTL8821CE 802.11ac PCIe Adapter
           Physical Address. . . . . . . . . : 00-E9-3A-3D-87-FF
           DHCP Enabled. . . . . . . . . . . : Yes
           Autoconfiguration Enabled . . . . : Yes
           Link-local IPv6 Address . . . . . : fe80::ce93:ae3e:9468:4450%11(Preferred)
           IPv4 Address. . . . . . . . . . . : 172.17.2.116(Preferred)
           Subnet Mask . . . . . . . . . . . : 255.255.255.0
           Lease Obtained. . . . . . . . . . : 16 April 2024 10:59:38
           Lease Expires . . . . . . . . . . : 16 April 2024 12:59:38
           Default Gateway . . . . . . . . . : 172.17.2.254
           DHCP Server . . . . . . . . . . . : 172.17.2.254
           DHCPv6 IAID . . . . . . . . . . . : 117500218
           DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-29-0C-41-D9-00-E9-3A-3D-87-FF
           DNS Servers . . . . . . . . . . . : 172.17.2.254
           Primary WINS Server . . . . . . . : 172.17.2.1
           NetBIOS over Tcpip. . . . . . . . : Enabled
        

        And pfSense:

        ifconfig
        bge0: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
                options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
                ether fc:15:b4:7a:ff:aa
                inet 172.17.4.231 netmask 0xffffff00 broadcast 172.17.4.255
                inet 62.30.63.91 netmask 0xffffffff broadcast 62.30.63.91
                inet 62.30.63.94 netmask 0xffffffff broadcast 62.30.63.94
                inet6 fe80::fe15:b4ff:fe7a:ffaa%bge0 prefixlen 64 scopeid 0x1
                media: Ethernet autoselect (1000baseT <full-duplex,master>)
                status: active
                nd6 options=23<PERFORMNUD,ACCEPT_RTADV,AUTO_LINKLOCAL>
        bge1: flags=1008843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST,LOWER_UP> metric 0 mtu 1500
                description: LAN
                options=8009b<RXCSUM,TXCSUM,VLAN_MTU,VLAN_HWTAGGING,VLAN_HWCSUM,LINKSTATE>
                ether fc:15:b4:7a:ff:ab
                inet 172.17.2.254 netmask 0xffffff00 broadcast 172.17.2.255
                inet6 fe80::fe15:b4ff:fe7a:ffab%bge1 prefixlen 64 scopeid 0x2
                inet6 fe80::1:1%bge1 prefixlen 64 scopeid 0x2
                media: Ethernet autoselect (1000baseT <full-duplex>)
                status: active
                nd6 options=21<PERFORMNUD,AUTO_LINKLOCAL>
        

        @NickJH said in DNS resolver working for pfSense but not on LAN:

        So I can see the DNS request going upstream and coming back to pfSense, but pfSense then turns it into a ServFail.

        Strange.
        But reasons exist. One of them is DNSSEC: if the time on the pfSense is incorrect, and the requested domain name has DNSSEC info, then validation fails and the answer will be 'fail'.

        Date is spot on:

        [2.7.2-RELEASE][root@pfSense.howitts.co.uk]/root: date
        Tue Apr 16 14:09:38 BST 2024
        


        Not a mess.
        What is known as "Internet" in your "networking setup" is a huge chain of even more routers.
        Btw: two chained local networks using "172.17.2.0/24"? I've never seen that before. Better be safe than sorry: don't do that, whatever your motives are.

        [edit]
        My comment at the end disappeared. I have to use the same network on the pfSense LAN as I am loading static leases and they fail validation if they do not belong to the LAN subnet.

        I have disabled DNSSEC in pfSense and DNS now works from the PC. That seems wrong. How can I get it going?
        [/edit]

        • Gertjan @NickJH
          Apr 16, 2024, 1:56 PM

          @NickJH

          If you have 10 minutes:

          1. Save/backup your pfSense config.
          2. Console option 4: Reset to factory default.
          3. When it boots and interfaces need to be assigned, go bare-minimum mode: assign a DHCP-mode WAN, and set up the LAN with the "out of the box", world's most tested 192.168.1.1/24 network.
          4. Connect to your 'Router A'.

          Now you have an "it works" situation - no exceptions, no doubts, 100 % guaranteed.

          From this known-to-be-working setup, you start applying your own settings.
          As soon as things stop working: undo your last setup - as that one needs more thought - and you'll be good.

          I know, it all sounds pretty silly. It's known that the road to success is always easy when you know it upfront.

          No "help me" PM's please. Use the forum, the community will thank you.
          Edit : and where are the logs ??

          • NickJH
            Apr 17, 2024, 10:50 AM

            I feel bad about this one. I've had a sudden dawning that there is an upstream fancy DNS filter (adam:ONE) and pfSense was being filtered in such a way as to break DNSSEC to the pfSense clients. I am not sure why it worked to pfSense, but that is irrelevant. The purpose of this box is to replace the upstream filter so I am happy it is working.

            • Gertjan @NickJH
              Apr 17, 2024, 12:08 PM

              @NickJH

              Ok, good : progress 👍

              Btw : pfSense LAN clients 'normally' don't do any DNSSEC checking.

              Read this short write up, as it looks pretty accurate IMHO.

              Your pfSense network clients are / should be forwarding to a Resolver. That resolver can be the pfSense unbound resolver, or any other resolver, like ... dunno ... 8.8.8.8?
              Unbound can do DNSSEC checking for you.

              DNSSEC checking is validating that the top-to-bottom relation is valid; example: https://dnsviz.net/d/test-domaine.fr/dnssec/

              No "help me" PM's please. Use the forum, the community will thank you.
              Edit : and where are the logs ??

              • NickJH @Gertjan
                Apr 17, 2024, 1:17 PM

                @Gertjan I was just trying to build a router before putting it into operation, but trying to pre-load it to minimise downtime so I had a horrible setup. pfSense is going to be directly connected to my cable modem. It will use the DNS Resolver (unless I get fed up with it) and the LAN clients will use pfSense as their upstream forwarder.

                My new N100 toy arrived today, so I have just loaded it up and plan to get it into operation tomorrow when there is no one at home.

                • SteveITS (Galactic Empire) @NickJH
                  Apr 17, 2024, 1:23 PM

                  @NickJH DNSSEC should be disabled if forwarding. See blue note here:
                  https://quad9dns.github.io/documentation/Setup_Guides/Open-Source_Routers/pfSense_%28Encrypted%29/

                  Pre-2.7.2/23.09: Only install packages for your version, or risk breaking it. Select your branch in System/Update/Update Settings.
                  When upgrading, allow 10-15 minutes to restart, or more depending on packages and device speed.
                  Upvote 👍 helpful posts!

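                  SteveITS's note (DNSSEC off when forwarding) and Gertjan's earlier point (let unbound validate when it resolves for itself) can be turned into a quick configuration check. As an added example, not from the thread and not pfSense's own code, the Python below parses a small unbound.conf-style fragment and reports the combination of a `module-config` containing `validator` with a `forward-zone` for `.`, plus the opposite case of a self-resolving unbound with validation switched off. The configuration fragments embedded in it are constructed in standard unbound syntax and only approximate what pfSense writes to its generated config; the finding codes and messages are this example's own.

```python
"""Lint unbound.conf-style text for DNSSEC validation combined with forwarding."""
import re
from typing import Any, Dict, List, Tuple

# A comment starts with '#' at line start or after whitespace; a '#' glued to a
# value (e.g. forward-addr: 9.9.9.9@853#dns.quad9.net) is part of the value.
_COMMENT_RE = re.compile(r"(^|\s)#.*$")


def parse_unbound(text: str) -> Tuple[Dict[str, str], List[Dict[str, Any]]]:
    """Minimal parser: one 'key: value' per line; a non-indented 'forward-zone:' opens
    a block whose indented lines belong to it; other indented lines are top-level
    options (e.g. under 'server:'). Returns (options, forward_zones). Repeated option
    keys keep the last value; forward-addr lines inside a zone are collected in order."""
    options: Dict[str, str] = {}
    zones: List[Dict[str, Any]] = []
    current: Dict[str, Any] = {}
    in_zone = False
    for raw in text.splitlines():
        line = _COMMENT_RE.sub("", raw).rstrip()
        if not line.strip():
            continue
        indented = line[0].isspace()
        key, _, value = line.strip().partition(":")
        key, value = key.strip(), value.strip().strip('"')
        if not indented and key == "forward-zone":
            current, in_zone = {"forward-addr": []}, True
            zones.append(current)
        elif not indented:
            in_zone = False                 # 'server:' or another clause header
            if value:
                options[key] = value        # e.g. 'include: /path'
        elif in_zone:
            if key == "forward-addr":
                current["forward-addr"].append(value)
            else:
                current[key] = value
        else:
            options[key] = value
    return options, zones


def check_dnssec_forwarding(text: str) -> List[Tuple[str, str]]:
    """Return (code, message) findings about DNSSEC validation versus forwarding."""
    options, zones = parse_unbound(text)
    # unbound's built-in default for module-config is "validator iterator".
    modules = options.get("module-config", "validator iterator").split()
    validating = "validator" in modules
    root_zones = [z for z in zones if z.get("name") == "."]
    findings: List[Tuple[str, str]] = []
    if validating and root_zones:
        targets = ", ".join(a for z in root_zones for a in z["forward-addr"])
        findings.append(("DNSSEC_WITH_FORWARDING",
                         f"validator is enabled while '.' is forwarded to {targets}; "
                         "answers the forwarder cannot prove come back as ServFail, "
                         "so disable DNSSEC when forwarding"))
    if not validating and not root_zones:
        findings.append(("RESOLVER_WITHOUT_DNSSEC",
                         "unbound resolves for itself but validator is disabled; "
                         "in resolver mode unbound can validate for the clients"))
    return findings


# Constructed fragments. The first is the thread's situation: DNS Query Forwarding to
# 1.1.1.1/1.0.0.1 with DNSSEC still enabled.
FORWARD_WITH_DNSSEC = """\
server:
    verbosity: 1
    interface: 0.0.0.0
    module-config: "validator iterator"   # DNSSEC on
    harden-dnssec-stripped: yes

forward-zone:
    name: "."
    forward-addr: 1.1.1.1
    forward-addr: 1.0.0.1
"""
# Same forwarding, DNSSEC switched off: the setting the Quad9 guide's note asks for.
FORWARD_WITHOUT_DNSSEC = FORWARD_WITH_DNSSEC.replace('"validator iterator"', '"iterator"')
# Plain resolver mode with validation: unbound talks to the roots and validates itself.
RESOLVE_WITH_DNSSEC = """\
server:
    verbosity: 1
    interface: 0.0.0.0
    module-config: "validator iterator"
    harden-dnssec-stripped: yes
"""

if __name__ == "__main__":
    for label, cfg in [("forward+dnssec", FORWARD_WITH_DNSSEC),
                       ("forward, no dnssec", FORWARD_WITHOUT_DNSSEC),
                       ("resolve+dnssec", RESOLVE_WITH_DNSSEC)]:
        print(label, "->", check_dnssec_forwarding(cfg) or "no findings")
```

                  The parser is deliberately small: it knows only the line shapes needed for this check, so a real pfSense-generated file with other clauses will still parse, but only `module-config` and the `forward-zone` blocks influence the verdict.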