[SOLVED] DNS forwarder stopping with pfsense2.0.3-RELEASE
-
Hello,
Hope somebody can help.
I am running pfsense2.0.3-RELEASE (amd64) built on Fri Apr 12 10:27:15 EDT 2013 FreeBSD 8.1-RELEASE-p13 which according to the dashboard is the latest version.
I have a simple config with internal (LAN) and external (WAN) interfaces.
LAN is feeding DHCP and is allowing the LAN machines to use the DNS forwarding service on the internal interface. I have rules to allow the internal clients to get access to port 53 for resolution.
I have noticed that more times than not the DNS forwarding service is stopping (crashing?) which is preventing internal access to the LAN machines.
Stopping and starting the "Enable DNS forwarder" service can bring this back online. I am fairly sure the service is stopping as I cannot connect to port 53 on internal LAN firewall service (not just not resolving correctly).
I am pretty sure there are no issues with the upstream DNS as nothing changes on these; I just restart the DNS forwarding service to restore access.
I understand that pfsense uses DNSMasq but I am unsure where I can find logging for this anywhere?
Is this a known problem with this release or am I the only one with this issue? Could it be related to the drivers used for the hardware in the network card (it has a 4 port adapter).
When the service goes down, I notice that from a ssh connection directly on the firewall I can still resolve correctly just that the internal machines can no longer use the service. I have this exact same setup on another site with the same firewall rules without this issue.
I have ticked the "Disable DNS Rebinding Checks" in advanced as I have had issues with this in the past.
Any pointers on what to check next would be appreciated.
Many thanks in advance,
-
> I have noticed that more times than not the DNS forwarding service is stopping (crashing?) which is preventing internal access to the LAN machines.

What do you see that leads you to the conclusion the DNS forwarding service is stopping?

> I am fairly sure the service is stopping as I cannot connect to port 53 on internal LAN firewall service (not just not resolving correctly).

How do you attempt to connect and what is reported when you attempt to connect?

> I understand that pfsense uses DNSMasq but I am unsure where I can find logging for this anywhere?

In pfSense 2.0.3 shell command
```
clog /var/log/system.log | grep dnsmasq
```
In pfSense 2.1 shell command
```
clog /var/log/resolver.log
```
will display dnsmasq log entries.

@packetmonkey:
> Could it be related to the drivers used for the hardware in the network card (it has a 4 port adapter).

What NICs are on the card?
-
Hello,
Many thanks for assistance!
Q1. What do you see that leads you to the conclusion the DNS forwarding service is stopping?
A1. Unable to resolve from client machine on LAN using nslookup etc. Still able to resolve from firewall console (so upstream servers are good).

Q2. How do you attempt to connect and what is reported when you attempt to connect?
A2. Using nslookup and interactive nslookup, and also attempting to telnet to port 53 which does not connect when the service is down (port closed) ie not listening for DNS request. When the service is up and working then the port is open. Hence the thinking that dnsmasq is stopping.

Q3. What NICs are on the card?
A3. From dmesg:

Built-in LAN cards
```
em0: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x2020-0x203f mem 0xb8820000-0xb883ffff,0xb8400000-0xb87fffff irq 18 at device 0.0 on pci5
em0: Using an MSI interrupt
em0: [FILTER]
em1: <Intel(R) PRO/1000 Network Connection 7.3.2> port 0x2000-0x201f mem 0xb8800000-0xb881ffff,0xb8000000-0xb83fffff irq 19 at device 0.1 on pci5
em1: Using an MSI interrupt
em1: [FILTER]
```

4 Port Adapter
```
igb0: <Intel(R) PRO/1000 Network Connection version - 2.3.1> mem 0xb8d00000-0xb8d7ffff,0xb8f00000-0xb8f03fff irq 19 at device 0.0 on pci8
igb0: Unable to map MSIX table
igb0: Using MSI interrupt
igb0: [FILTER]
igb1: <Intel(R) PRO/1000 Network Connection version - 2.3.1> mem 0xb8d80000-0xb8dfffff,0xb8f04000-0xb8f07fff irq 18 at device 0.1 on pci8
igb1: Unable to map MSIX table
igb1: Using MSI interrupt
igb1: [FILTER]
igb2: <Intel(R) PRO/1000 Network Connection version - 2.3.1> mem 0xb8e00000-0xb8e7ffff,0xb8f08000-0xb8f0bfff irq 17 at device 0.2 on pci8
igb2: Unable to map MSIX table
igb2: Using MSI interrupt
igb2: [FILTER]
igb3: <Intel(R) PRO/1000 Network Connection version - 2.3.1> mem 0xb8e80000-0xb8efffff,0xb8f0c000-0xb8f0ffff irq 16 at device 0.3 on pci8
igb3: Unable to map MSIX table
igb3: Using MSI interrupt
igb3: [FILTER]
```

Had a look in dnsmasq log file (many thanks for this) but could not find anything other than the service starting. I'm not running 2.1 but rather 2.0.3.
Many thanks in advance for any additional pointers - perhaps do I need to enable a bit more logging for dnsmasq and if so how?
-
Ahh…
"How often have I said to you that when you have eliminated the impossible, whatever remains, however improbable, must be the truth?"
-Sherlock Holmes.

I am thinking it may be a duplicate IP on the network so shall decamp to another IP for the LAN address of the firewall and see what games are afoot!
-
Hello,
That's exactly what it was - duplicated IP address of a PC on the LAN clashing with the firewall. Traced it by watching the MAC address of the gateway (pfsense) appear to change from the perspective of the client as it dropped off the arp tables.
Did not notice it earlier as the admin was done via another interface and that stayed up.