New Install DHCP WAN does not retrieve DNS



  • I recently installed pfSense embedded 2.1-RELEASE on a 8gb CF card in an Intel Atom board.  I setup two vlans, one for my LAN, one for my WAN(Comcast cable modem).  I setup the LAN IP address to 10.0.0.1.  After it boots, pfSense does not retrieve the DNS servers from my ISP.  They are not in the Status…Interfaces page, our /etc/resolv.conf.  I have "Allow DNS server list to be overridden by DHCP/PPP on WAN" checked.  The log shows dhclient editing resolv.conf, but it does not list any DNS servers.

    I also tried plugging the cable modem directly into a free network port on the machine, it still did not get DNS.

    I'm replacing an old router, from different hardware, and manually setup Ubuntu install as a router.  I can see on that machine the DHCP server on my ISP is sending DNS servers.

    I found similar posts and bug reports, but they were all for older versions.

    Does anyone know how to resolve this issue in 2.1-RELEASE?

    Mike



  • I did more investigation on this issue.

    I found dhclient is retreiving the name servers from my ISP.  I can see them in:

    • /var/db/dhclient.leases.em0_lan3

    • /var/etc/resolv.conf

    • /var/etc/nameserver_em0_vlan3

    I can retrieve local names.

    
    mknoll@host:~$ nslookup router
    Server:         10.0.0.1
    Address:        10.0.0.1#53
    
    Name:   router.localnet
    Address: 10.0.0.1
    
    

    However, when I attempt to lookup an external name.

    
    mknoll@host:~$ nslookup www.yahoo.com
    Server:         10.0.0.1
    Address:        10.0.0.1#53
    
    ** server can't find www.yahoo.com.localnet: REFUSED
    
    

    Anyone have any ideas why the DNS Forwarder isn't forwarding DNS requests to my ISP's DNS servers?

    Thanks,
    Mike


  • Netgate Administrator

    Hmm, interesting.
    Have you tried setting "Do not use the DNS Forwarder as a DNS server for the firewall" in System: General: ?

    Steve



  • You should try to run the Wizzard.

    Sounds like a misconfiguration in routing tables. Gateway maybe?

    Have you tried setting a dns manually to something like 8.8.8.8 (google dns.)?

    Also some modem will bind to the last connected MAC.  Power cycle should reset the modem, if it has an internal battery, (phone integrated modem) remove it for a a min.



  • I have been power cycling the modem with each switch.  It is connecting, and IP traffic is routed.  Only DNS is effected.

    Setting the DNS servers manually to 8.8.8.8 worked, but I would like to use the ISP's DHCP supplied DNS.

    I'll try the "Do not use the DNS Forwarder as a DNS server for the firewall" and the wizard tomorrow.

    Thanks,
    Mike



  • I tried setting "Do not use the DNS Forwarder as a DNS server for the firewall", with no effect on hosts on my network, or on the firewall's ability to resolve names(updater, diagnostic tool).

    I ran the Setup Wizard, with the same results.

    I also tried setting the local network domain to "home", from "localnet", since there is a note about using "local" as the name.

    I have been power cycling the modem every time.

    I was able to do a "nslookup www.yahoo.com 8.8.8.8" while having these problem, supporting that it is a DNS issue.

    I wanted to inspect dnsmasq's config file to see if I could spot a problem, but I have been unable to locate it.  Does anyone know where dnsmasq's configuration file is stored?

    Does anyone have any idea why I am unable to use my ISP's DNS servers supplied through DHCP?

    Thanks,
    Mike



  • I wanted to inspect dnsmasq's config file to see if I could spot a problem, but I have been unable to locate it.  Does anyone know where dnsmasq's configuration file is stored?

    In /etc/inc/services.inc

    function services_dnsmasq_configure() {
    ...
            /* run dnsmasq */
            $cmd = "/usr/local/sbin/dnsmasq --all-servers {$dns_rebind} {$args}";
    ...
    

    The configuration is built up as a long command line in {$args} It is not written out to a conf file. It would be easier to debug what is going on if the arguments were written to a conf file, and that conf file used as input to dnsmasq. Maybe that could be a minor feature request on RedMine - should not be too hard to implement.



  • I've run into what appears to be this exact same problem.

    I installed pfSense on a new ALIX.2d3, and followed the wizard setup.  The WAN interface pics up the IP address from the ISP (or from another internal router), but never picks up the DNS servers advertised with the DHCP lease.  (Clicking Status -> Dashboard in the UI never lists any DNS servers, and the time never updates indicating it's not reaching an NTP server)

    After a lot of trouble-shooting, the best I can figure is that there's something strange with DNS resolution on firewall itself.  Clients on the LAN side work fine, but even disabling the DNS forwarding and telling pfSense to only use external servers for DNS still does not resolve.

    Obviously not everyone is running into this, but I'm kind of stumped as to what to check next.  As I said, I ran through the wizard without any mods, the WAN net is 10.10.1.0/24, private is default 192.168.1.0/24.  (Also, not blocking RFC1918 private nets)

    [2.1-RELEASE][root@fw1.localdomain]/root(1): cd /var/etc
    [2.1-RELEASE][root@fw1.localdomain]/var/etc(2): cat resolv.conf
    domain localdomain
    nameserver 8.8.8.8
    nameserver 8.8.4.4
    [2.1-RELEASE][root@fw1.localdomain]/var/etc(3): dig www.yahoo.com

    ; <<>> DiG 9.6.-ESV-R5-P1 <<>> www.yahoo.com
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached
    [2.1-RELEASE][root@fw1.localdomain]/var/etc(4): dig www.yahoo.com @8.8.8.8

    ; <<>> DiG 9.6.-ESV-R5-P1 <<>> www.yahoo.com @8.8.8.8
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 32964
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

    ;; QUESTION SECTION:
    ;www.yahoo.com.                IN      A

    ;; ANSWER SECTION:
    www.yahoo.com.          293    IN      CNAME  fd-fp3.wg1.b.yahoo.com.
    fd-fp3.wg1.b.yahoo.com. 293    IN      CNAME  ds-fp3.wg1.b.yahoo.com.
    ds-fp3.wg1.b.yahoo.com. 53      IN      CNAME  ds-any-fp3-lfb.wa1.b.yahoo.com.
    ds-any-fp3-lfb.wa1.b.yahoo.com. 293 IN  CNAME  ds-any-fp3-real.wa1.b.yahoo.com.
    ds-any-fp3-real.wa1.b.yahoo.com. 53 IN  A      206.190.36.45
    ds-any-fp3-real.wa1.b.yahoo.com. 53 IN  A      206.190.36.105

    ;; Query time: 108 msec
    ;; SERVER: 8.8.8.8#53(8.8.8.8)
    ;; WHEN: Sat Jan  1 00:19:04 2000
    ;; MSG SIZE  rcvd: 174
    [2.1-RELEASE][root@fw1.localdomain]/var/etc(5): ps ax|grep dns
    50218  u0  S+    0:00.01 grep dns


  • Netgate Administrator

    One possibility:
    If the router you're behind is indicating any kind of IPv6 capability pfSense will try to use it. It probably doesn't actually have that capability so you end up with nothing. Try this:
    https://doc.pfsense.org/index.php/Controlling_IPv6_or_IPv4_Preference

    Steve



  • I found my problem. Some how the symlink at /etc/resolve.conf was not there. Manually adding a link back to/var/etc/resolve.conf fixed the issues I was having. I tried to recreate from a fresh image before entering a bug and did not find this issue in a second clean install.


  • Netgate Administrator

    Well spotted.  :)
    That's very odd. Just to certain which image exactly was it you used the first time? Did you use the same image the second time?

    Steve


Log in to reply