DNS with latest 2.1



  • I'm not sure where to sound the alarm, but the latest couple of weeks of updates on 2.1 will not resolve DNS queries directed at the pfSense machines.  I continue to have to back up to December editions of pfSense in order to rectify the problem.  I let this ride for a couple of weeks hoping it would get resolved, but now I'm thinking nobody knows there is an issue.  ???



  • This MIGHT get more attention if it was reported in the 2.1 Snapshot Feedback and Problems forum.


  • Rebel Alliance Developer Netgate

    I'm not seeing this on any of mine.

    How do you get your DNS servers? PPPoE? DHCP? Manually assigned?
    What is in /etc/resolv.conf?
    Does Diagnostics > DNS Lookup return a valid result from all servers?

    If you can run a query with dig or host from a client machine in verbose mode it may also help.


  • Rebel Alliance Global Moderator

    Not showing any problems with using pfsense for dns, both local host overrides or outside dns.

    currently using

    2.1-BETA1 (i386)
    built on Sat Jan 12 00:36:42 EST 2013
    FreeBSD 8.3-RELEASE-p5

    with gitsync as of this morning.



  • mdpugh

    Under general setting DNS plugin google dns servers
    8.8.4.4
    8.8.8.8
    I have had problems with my ISP DNS servers



  • I agree that this might have gotten better notice elsewhere, but as I said, I wasn't sure where to post it (and if you guys want to move it, please feel free).

    My DNS servers are forwarding to the pfSense boxes which are in turn querying my personal ISP's DNS servers and SixSX's and HE's DNS servers.  Please do not get misled.  What I'm saying is that this has been working fine for years and now suddenly is not.  I know I could almost certainly fix this by having my DNS servers bypass the pfSense boxes in the querying process–and maybe this is the preferable way of doing things, but then the problem would only get fixed after someone else fussed about it significantly.  So, I'm short-circuiting that process by saying something is wrong now.

    I'll let you guys lead me.  If I use the standard System->Firmware->Auto Update->(Perform full backup prior to upgrade)->Invoke Auto Upgrade, which I have been using for more than a year successfully, I get this problem.  The fact that, all of the sudden, this problem is occurring is why I'm posting.  I'm not trying to ruffle any feathers--just hoping to get an evident problem fixed.



  • Can you give more detail in answer to jimp's questions:
    @jimp:

    How do you get your DNS servers? PPPoE? DHCP? Manually assigned?
    What is in /etc/resolv.conf?
    Does Diagnostics > DNS Lookup return a valid result from all servers?

    If you can run a query with dig or host from a client machine in verbose mode it may also help.

    I have various 2.1-BETA1 systems working fine with:

    1. DNS servers specified (like google 8.8.8.8 or OpenDNS 208.67.222.222 208.67.220.220 or specifying my ISPs DNS server IP)
    2. DNS servers specified for particular WAN interfaces
    3. DNS server coming by DHCP on WAN - but only on test systems whose WAN is sitting on my production LAN and getting DHCP (including DNS) from an upstream "real" pfSense.
      I don't have any that are getting WAN DNS server address/es via DHCP from the ISP.
      So, need to know exactly how your pfSense is acquiring its DNS servers for use on WAN…


  • Hmmm, I was actually going to ask if you were also implementing IPv6 mdpugh. Weird… I'm investigating further... when I manually update to a build from the 16th the problem persisted... But just as you are saying I had no issues until using this latest build...


  • Rebel Alliance Global Moderator

    And what is the problem exactly?  So you're saying dns just doesn't work at all?

    Have you queried pfsense directly with nslookup or dig - does it work then?  Have you verified that dnsmasq is running on pfsense?  Have you queried for host override to pfsense that you have setup?  Does that work, or does only doing queries to outside domains not work?

    Have you done a sniff on wan of pfsense - does it send the queries?

    If dns was broken in the pfsense latest builds - I would think there would be a FLOOD of posts about it, don't you?  So let's dig into your specific issue a bit, or we are never going to get anywhere with what problem you're seeing.

    And btw, yes I do queries to IPv6 dns and not having any issues with seeing those responses.  Did a quick sniff on pfsense wan for dns ipv6, then queried pfsense for some gibberish site.  As you can see it sent the request to its ipv6 ns server I have setup, and got back nx




  • So this is only broken within the packages menu, everything else seems to work just fine. I'm going to fire up tcpdump and post my results shortly…


  • Rebel Alliance Developer Netgate

    @brokendash:

    So this is only broken within the packages menu, everything else seems to work just fine. I'm going to fire up tcpdump and post my results shortly…

    Your problem is not the same as the original poster of this thread. I split yours off into a separate thread because it didn't belong here.



  • No I have not done all the tests you suggest.  And I could fix this problem with a bypass effort.

    I stress again: every couple of weeks I have updated to the newest snapshot.  Suddenly DNS went astray.  At that point, I initially troubleshot my own DNS servers thinking that was the problem.  But soon enough I resorted to unchanging everything I had recently changed (and before you ask, Phil, I did this systematically–so as to narrow the scope)--which meant backing up to a previous version of pfSense--and that's when the problem was resolved.  A couple of weeks later, I updated to the newest snapshot again with the same ill results.  Something is wrong: if not with pfSense then at least with the snapshot mechanism.  DNS is broken every time.  EVERY time.

    I have been around long enough to know how to logically troubleshoot.  I should add that I have two pfSense boxes CARPed.  They both experience the same issue when updated to the new snapshot.  I know I'm not crazy--I know something got muddled; I'll even help you fix it--but I just about guarantee you somebody edited this code and added or deleted a single pertinent symbol.  BTDT.


  • Rebel Alliance Developer Netgate

    And all of that means nothing if we can't reproduce it… All the troubleshooting skill in the world doesn't help us figure it out if you don't share the details. Even if you could provide the exact snapshot that does work and then the first one you tried that doesn't work it would help.

    It doesn't appear to be happening to anybody else, so it must be something specific to your setup, but we'll need a lot more info to go on if there is any hope of tracking it down. The other person in this thread who claimed to have "the same" problem did not have a DNS issue.

    If it was as simple as someone changing a bit of code incorrectly, it would be happening to many people, not just (apparently) you. It must be something more subtle.



  • Jim,

    You are absolutely right; but–all I did was update the snapshot on these machines.  I did not reconfigure anything in hardware or software.  I've been doing that for months with success.  Suddenly, things did not work.  If it had happened on only one machine, I would be inclined to agree wholeheartedly with you--but the fact that the problem was immediately duplicated just by updating to the newer snapshot convinces me that there is a problem on your end.  If I'm wrong (and suddenly things start working again), I will happily tuck my tail and move on.

    If the problem is on my end, it must be because I have a configuration that, on two machines, suddenly failed without adjustment.  Surely you see that is unlikely.  If you can propose a scenario in which that is an obvious outcome, I am all ears and I will proceed considerably wiser.

    Just to be on the safe side, is there a way I can send you a record of my configuration?  And denote it in such a way that you'll know whom it's coming from?



  • You can point fingers wherever you want, you're going to have to provide more than "DNS is broke" when it broke only for you and no one else when 4576 unique public IPs have downloaded 2.1 updates in that time.



  • Chris,

    TWO machines.  I will gladly provide you with whatever info you need as I just stated.  Just tell me how to do so.  I'm just trying to get a problem fixed–I don't understand why you're getting defensive.  Well, maybe I do--but this is a problem that needs to be fixed.  I would love it if I could just download and install the latest snapshot and everything automagically works.

    In fact, I'm going to try that.  Cross your fingers.


  • Rebel Alliance Developer Netgate

    If there is a problem, I'd love to fix it. But to fix it, I need details about how it broke for you. You could have had an invalid configuration that happened to work by chance, and some other verification took place that "broke" your setup that was really broken the whole time.

    Nobody else can reproduce it but you, apparently, so we can't just search around in vain and hope we stumble on an answer. If we can't reproduce it that means we also can't check to make sure it has been fixed.

    The only way we'll ever know is if you provide us with the information we asked for earlier in the thread, or more. I already provided a list of information we need.



  • xu.int.compughterworx.com - resolv.conf:

    domain compughterworx.com
    nameserver 127.0.0.1
    nameserver 2001:470:20::2
    nameserver 2001:4de0:1000:a3::2
    nameserver 68.105.28.16
    nameserver 10.0.1.13

    yau.int.compughterworx.com - resolv.conf:

    domain compughterworx.com
    nameserver 127.0.0.1
    nameserver 2001:470:20::2
    nameserver 2001:4de0:1000:a3::2
    nameserver 68.105.28.16
    nameserver 10.0.1.13

    Loopback.
    HE.
    SixSX.
    Cox.
    Local.

    I haven't changed this configuration in better than a year.

    BTW, Jim, I somehow missed your request for this specific info, and I'm sorry.  My bust entirely.  Please bear with me.
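Added example, not code from the thread or from pfSense: the questions earlier in the thread (what is in /etc/resolv.conf, does each server return a valid result, can you query with dig or host) and the resolv.conf posted above both come down to one check, namely asking every listed nameserver directly rather than going through the local resolver. The script below parses resolv.conf-style text, then queries each server with dig and reports per-server whether it answered at all. The sample configuration is constructed in the same layout as the posted one, with placeholder addresses that are not the poster's servers; it assumes dig is installed.

```shell
#!/bin/sh
# Added example, not code from the thread: parse a resolv.conf and query each
# listed nameserver directly with dig, so that one dead upstream stands out
# instead of showing up as "DNS doesn't work".

# Constructed sample in the same layout as the resolv.conf posted above.
# The addresses are documentation/placeholder ranges, not the poster's servers.
SAMPLE_RESOLV='domain example.test
nameserver 127.0.0.1
# a comment line, ignored
nameserver 2001:db8::53
nameserver 192.0.2.53
options timeout:2'

# Print the nameserver addresses from resolv.conf-style text, one per line.
# Skips comments and the domain/search/options directives.
list_nameservers() {
    printf '%s\n' "$1" | awk '$1 == "nameserver" && NF >= 2 { print $2 }'
}

# Number of nameserver entries in the text.
count_nameservers() {
    list_nameservers "$1" | wc -l | tr -d ' '
}

# Ask one server for the A record of a name, bypassing the local resolver.
# Prints "ok <server> <rcode>" when the server answered at all (NXDOMAIN for a
# nonsense name is still a healthy answer, as the moderator's sniff showed) and
# "fail <server> ..." when it timed out or dig is missing. Exit status follows.
check_server() {
    server=$1
    name=$2
    command -v dig >/dev/null 2>&1 || { echo "fail $server (dig not installed)"; return 1; }
    # +tries=1 +time=2: give up on a dead server quickly; +noall +comments keeps
    # only the header lines, which carry the "status:" rcode.
    out=$(dig @"$server" "$name" A +tries=1 +time=2 +noall +comments 2>/dev/null) \
        || { echo "fail $server (no reply)"; return 1; }
    rcode=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    [ -n "$rcode" ] || { echo "fail $server (no status in reply)"; return 1; }
    echo "ok $server $rcode"
}

# Run check_server against every nameserver in the given resolv.conf text.
# Returns the number of servers that did not answer (0 means all replied).
run_checks() {
    conf=$1
    name=$2
    failed=0
    for ns in $(list_nameservers "$conf"); do
        check_server "$ns" "$name" || failed=$((failed + 1))
    done
    echo "$failed of $(count_nameservers "$conf") server(s) gave no answer"
    return "$failed"
}

# Live run (needs network and dig): sh resolv_check.sh --live [name]
# Reads the real /etc/resolv.conf; defaults to looking up example.com.
if [ "${1:-}" = "--live" ]; then
    run_checks "$(cat /etc/resolv.conf)" "${2:-example.com}"
fi
```

Run it on the firewall itself with `--live` and the output tells you which of the five entries (loopback, the two IPv6 tunnel brokers, the ISP, the local server) is the one not replying; a server that answers NXDOMAIN is reachable and working, and only a "no reply" line points at a transport or path problem for that particular address. Comparing that output between a snapshot that works and one that does not narrows the question to a single upstream rather than "DNS is broken".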



  • Well, fellows, I stand now with tossed salad and scrambled eggs on my face.  The latest snapshot is working.  I am sorry I fingered anybody–it's a byproduct of the way I'm wired I think; but you guys came through and I am corrected.  I'm so glad this is working again.  :)



  • Edit: found another thread with my real issue.

