Logging DNS queries
-
@johnpoz And now it happened again.
I had to manually restart the DNS service on pfSense. Why did I even touch the whole thing in the first place? Now everything seems to be half broken.
I'll try restarting it again to see if it's triggered by a reboot. -
@Octopuss Yeah, for whatever reason DNS simply doesn't work unless I manually restart it after I reboot pfSense.
This has NEVER happened before! -
@Octopuss why are you rebooting your pfsense?
Look in the log.. unbound can not bind to an interface if its not up.. I set my unbound to only use localhost for outbound, this will be up as soon as the box starts for sure, and your local side should be up pretty much instant as well. But wan could take a bit to come up.
What do you have it bound to for outbound - all? Which is the default
If you bind outbound to only localhost, it will auto be converted to your wan interface IP when it sends outbound traffic, little reason to actually bind it to that interface.
-
@johnpoz Thanks.
It's bound to WAN interface indeed, but that has been working for... well since I started using pfSense years ago!
I just don't understand WTF is going on. -
@johnpoz said in Logging DNS queries:
@Octopuss why are you rebooting your pfsense?
Look in the log.. unbound can not bind to an interface if its not up.. I set my unbound to only use localhost for outbound, this will be up as soon as the box starts for sure, and your local side should be up pretty much instant as well. But wan could take a bit to come up.
What do you have it bound to for outbound - all? Which is the default
If you bind outbound to only localhost, it will auto be converted to your wan interface IP when it sends outbound traffic, little reason to actually bind it to that interface.
Ok that didn't work.
I changed it to localhost and upon reboot nothing would work until I manually restarted the service. -
@Octopuss I had to restore an old configuration from before last two days to get to a stable baseline, and found out this problem triggers when I disabled DNSSEC support.
I don't get it.edit: Yep, I simply cannot disable DNSSEC otherwise I have to manually restart the DNS service on every boot.
I might as well reconfigure everything from scratch because apparently something is rotten somewhere. -
@Octopuss You might want to make sure your not trying to do any of the advanced stuff with dnssec if you turn it off in advanced.
I have never seen an issue with those being on but dnssec being off on the normal check box.. But I only ever turn dnssec off for testing for someone else. And have never actually rebooted pfsense with those advanced setting still checked but dnssec turned off.
Like I said the only time I ever reboot pfsense is on update.
What version are you running of pfsense 24.11 or CE 2.7.2 ?
edit: I could try and duplicate your issue in one of my VMs of pfsense - but not going to reboot my main physical pfsense box ;) heheh
-
@johnpoz I am on 2.7.2.
I thought the advanced settings wouldn't matter if I disable the feature in the general tab.
Anyway, I'll try. Perhaps I found a bug. -
@Octopuss yeah if the normal checkbox is set to not do dnssec, those setting for sure shouldn't come in to play.. But yeah maybe you found something weird.. So if your on 2.7.2 I will try and duplicate in my VM of that.
-
@johnpoz Nope, even with the advaned settings unchecked it's still borked. It's even weirdly borked, because some websites work and some don't, namely this forum and Facebook, but others too I guess.
I really think I should do a reinstall, this seems hopelessly screwed. -
For your reference here are some stock settings on 24.11 using resolver mode and ISC as backend. Python module is enabled as I use PFBlocker.
-
@Octopuss said in Logging DNS queries:
because some websites work and some don't
If unbound is not running - no sites would work, unless your client is just using its cache.. There is zero reason to do a full reinstall. Let me fire up my VM and see if can duplicate.. But not having dnssec check sure and the hell should not keep unbound from starting that is for sure.
-
@johnpoz said in Logging DNS queries:
If unbound is not running - no sites would work, unless your client is just using its cache..
I don't know! All I know pinging by hostname and some website don't work after reboot unless I restart the service.
-
@Octopuss ok I can not duplicate your problem..
Here are my settings, reboot of pfsense and soon as it comes up I can do a query and get answer.. In forwarding mode as you can, pointing to my upstream physical pfsense IP.. dnssec is off, etc..
I then went to change the min ttl to 3600, and go this warning
So unchecked that and then it saved.. Rebooted and again no problems, comes right up - if I do a query now can see that my min ttl is set.
Only thing that comes to mind maybe - do you have the patches installed.. None of them specific jumped out at me that should matter for this.. But I do have all the patches installed.
Vs trying to ping - do an actual query.. Use nslookup, or dig or whatever your fav dns tool is.. Pinging from your pc is going to use its local cache, So yeah its quite possible something is cached and others are not.. Doing a directed query would tell you if unbound is up, and your getting some error like nx or servfail, or if just timing out, etc.
I changed the server nslookup pointed too - because my pc defaults to using my pihole, unbound on my pfsense vm is on 192.168.9.34
-
@johnpoz I changed the settings a bit (they were mostly the same) so they mirror yours, and it still doesn't work withour restarting it.
I don't know what the patches are so I probably didn't touch them.Oh and
-
@Octopuss so you have no patches installed? I would install the patches package, and then apply all the recommended patches.
-
@johnpoz I can do that, but that's irrelevant to this problem I believe. I mean everything worked fine until I disabled DNSSEC as per your recommendation for forwarding mode or something :D
I don't even know where the patches are.
Found the patches, no difference like I expected :( -
@Octopuss they are in the package manager..
Here is the thing - I can't replicate your problem.. I have patches installed. You have an issue, no patches installed.. It would seem pretty logical that possible the patches fixed an issue that your running into.. Because I can not duplicate your problem.
I mean nothing jumps out at me in the patches that could fix whatever your seeing.. But might as well be up to date to see if that does fix it before doing a complete reinstall.
What I can tell you for sure - is I can not duplicate the problem on my 2.7.2 VM
Also what else I can tell you is doing dnssec or not doing dnssec should not force you to restart unbound once pfsense starts.
-
@johnpoz Like I said, I will simply reinstall the entire thing from scratch and redo all the settings manually when I find the motivation to lose several hours of my life, lol.
-
@Octopuss or you could install the patches in like 2 minutes and do a reboot and see if you don't have to reinstall.. And more than likely whatever issue your running into - not sure how a reinstall is going to correct the problem.. This is freebsd, this not windows me ;)
In all the years I have been using pfsense, on all kinds of different hardware.. Have only once had to do a reinstall.. And that was crashed update.. So I had to do a clean install.
