Help troubleshoot DNS issue?…



  • Hi all -

    I have searched, tried various configurations, reloaded, rebooted, etc… and I need troubleshooting help.

    LAN side users, using Chrome on Win7 64 are having WWW requests getting stuck with the message "Sending request..."  Pages take 30+ seconds to load or timeout with the message ERR_NAME_NOT_RESOLVED, or never timeout.  Many times the page loads fast on second try.  It is random and intermittent.

    My config is:
    pfSense 2.0.1-RELEASE-pfSense (i386)
      WAN (wan) -> re0 -> xxx.xxx.19.167 (DHCP) = Comcast cable 12MB+
      LAN (lan) -> re1 -> 192.168.20.1 = small office

    Allow DNS server list to be overridden by DHCP/PPP on WAN = checked

    My IPCONFIG is:

    My routes are:

    Hopefully my error(s) is(are) obvious.

    TIA - Brad



  • @Verohomie:

    Allow DNS server list to be overridden by DHCP/PPP on WAN = checked

    I have read a number of reports in the pfSense forums that their ISP name servers have given worse performance than some public name servers such as Google and OpenDNS.

    You MIGHT get snappier name service by using pfSense as name server (e.g. enable DNS forwarder) so that DNS lookup results get cached locally and systems can use the results from earlier lookups by other machines.

    @Verohomie:

    Hopefully my error(s) is(are) obvious.

    Sorry, good try but not obvious to me.



  • Use your firewall LAN IP as your DNS server, not your ISP directly. Those are frequently hit and miss. Then put in not only the two ISP DNS servers, but throw in Google's public DNS too, 8.8.8.8 and 8.8.4.4, and uncheck the allow override. The DNS forwarder is a lot smarter than your OS at resolving DNS, it'll query them all simultaneously and take the fastest response. Eliminates delays if your ISP DNS servers (which are DDoS magnets especially for large ISPs) are slow to respond or fail to respond.
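A small resolver that does what cmb describes, sending one query to every upstream at once and taking the first usable answer, as an added example that is not part of this thread and is not pfSense's own forwarder code. The function names are my own, and the test data (example.com, 192.0.2.1) is constructed; a SERVFAIL or wrong-id reply is discarded so that a failing upstream can never "win".

```python
import random, select, socket, struct, time
def build_query(name, qid=None):
    # Minimal DNS A/IN query with RD set; returns (transaction id, wire bytes).
    qid = random.randrange(65536) if qid is None else qid
    qname = b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split("."))
    return qid, struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0) + qname + b"\x00\x00\x01\x00\x01"

def _skip_name(msg, off):
    # Advance past a domain name, which may end in a 2-byte compression pointer.
    while msg[off] and msg[off] & 0xC0 != 0xC0:
        off += msg[off] + 1
    return off + (2 if msg[off] & 0xC0 == 0xC0 else 1)

def parse_answer(msg, qid):
    # A records from a response; None if wrong id, not a response, or RCODE != 0
    # (e.g. SERVFAIL), so a slow or failing upstream can never win the race.
    if len(msg) < 12: return None
    rid, flags, qd, an = struct.unpack(">HHHH", msg[:8])
    if rid != qid or not flags & 0x8000 or flags & 0x000F:
        return None
    off, ips = 12, []
    for _ in range(qd):
        off = _skip_name(msg, off) + 4          # skip QTYPE and QCLASS
    for _ in range(an):
        off = _skip_name(msg, off)
        rtype, _, _, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:           # A record
            ips.append(socket.inet_ntoa(msg[off:off + 4]))
        off += rdlen
    return ips

def race_resolve(name, servers, timeout=2.0):
    # Query every upstream at once; (server, ips) of the first usable answer, else (None, None).
    qid, wire = build_query(name)
    socks = {socket.socket(socket.AF_INET, socket.SOCK_DGRAM): srv for srv in servers}
    pending, deadline = dict(socks), time.monotonic() + timeout
    try:
        for s, srv in socks.items():
            s.sendto(wire, (srv, 53))
        while pending and time.monotonic() < deadline:
            ready, _, _ = select.select(list(pending), [], [], deadline - time.monotonic())
            for s in ready:
                ips = parse_answer(s.recv(512), qid)
                if ips is not None:
                    return pending[s], ips
                del pending[s]                  # bad or failed answer: keep waiting on the rest
    finally:
        for s in socks: s.close()
    return None, None
```

Calling `race_resolve("example.com", ["8.8.8.8", "8.8.4.4", "<isp-dns-ip>"])` shows which upstream answered first; an upstream that returns SERVFAIL or times out simply drops out of the race.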



  • wallabybob & cmb -

    Per your comments, I unchecked allow override and added OpenDNS first & Google DNS servers on the general page.  Also I checked enable DNS forwarding.  Today I will know if this helped.

    To complicate things, I am running a SBS 2003 server, mainly for Exchange.  On the SBS server, I have added the OpenDNS servers to the DNS forwarders tab as detailed in "The Definitive Guide".

    What are your thoughts about my SBS DNS configuration?

    Currently I have DHCP disabled on the router and enabled on the SBS 2003 server.

    Is this OK and an accepted method?

    Thanks for the replies - Brad

    BTW - I recently posted my PPTP config for SBS Exchange access here: http://forum.pfsense.org/index.php/topic,46948.0.html



  • I would strictly use the LAN IP as your forwarder on SBS which IIRC is what I wrote in the book. For the same aforementioned performance and reliability reasons.



  • cmb -

    Within a minute of your reply, I posted to the DHCP & DNS forum: http://forum.pfsense.org/index.php/topic,48079.0.html

    I am looking in your book for the LAN IP reference.  I did find the OpenDNS section for a Windows Server but I am not sure this is where I would point to pfSense.

    I hope my new post shows the conflicting approaches and sheds more light into the problems I am having.

    Thanks for your support - Brad



  • oh, if you want to use OpenDNS, then yes that is a valid approach. Though given the issues you're having, if you want to use OpenDNS, configure strictly the OpenDNS servers on the firewall, and use its LAN IP as the SBS's forwarder.



  • cmb -

    Please explain, use its LAN IP as the SBS's forwarder?

    In my case, 192.168.20.1 on the SBS DNS Forwarder tab?

    Thanks - Brad



  • yes



  • Hi All -

    After extensive troubleshooting my DNS issue was being caused by Snort.

    To get things running smoothly I had to remove the Snort interface from the Snort services page and reboot pfSense.

    Stopping the service was not enough.

    Hope this helps others.

    Brad



  • @cmb:

    Use your firewall LAN IP as your DNS server, not your ISP directly. Those are frequently hit and miss. Then put in not only the two ISP DNS servers, but throw in Google's public DNS too, 8.8.8.8 and 8.8.4.4, and uncheck the allow override. The DNS forwarder is a lot smarter than your OS at resolving DNS, it'll query them all simultaneously and take the fastest response. Eliminates delays if your ISP DNS servers (which are DDoS magnets especially for large ISPs) are slow to respond or fail to respond.

    Quick question, I had a similar issue. So I should add these 2 Google DNS servers to my list of DNS servers given to me by my ISP, untick the override box, leave "do not use override" unticked, then on the DHCP server settings I can leave DNS empty as it will use the LAN IP as the DNS server to give to clients through DHCP? Or do I have to add my LAN IP in that space?



  • luke240778 -

    I am still a noob and don't have your answers. Since my last post, I restarted Snort BUT with the "block offenders" checkbox unchecked. This wreaked havoc on my system. I am still reading docs on Snort and hope to be able to enable "block offenders" soon. I have been running smoothly for 24hrs with Snort running.

    Sorry I couldn't help further.

    Brad

