DNS Resolver
-
Thanks Phil
So do you not have a domain set, and therefore your clients are not applying the suffix?
In the log I provided, I only did one NSLOOKUP to server.vpn - so either the client sent a second request without the DNS suffix or pfSense dropped the local domain portion after not getting a response from the public DNS servers.
-
The client will have tried server.vpn and server.vpn.local on your behalf. So the server sees 2 different requests.
My pfSenses have their domain set to the same as our internal Windows Server AD domain - e.g. internal.mycompany.com - and then a domain override to point internal.mycompany.com to the nearest Active Directory DNS Server. Having just 1 internal domain will also resolve the issue you see - at the moment you have a ".vpn" domain and a ".local" domain happening. Then your domain override will be for the domain that pfSense itself is in.
-
working fine for me
-
Hmm - strange. I have had to use Phil's trick of directing the server.vpn.local requests to a non-existent server and then letting the server.vpn request go to the correct server. Without this I couldn't avoid the public DNS server being queried.
Maybe the issue is that I am not using AD? amunrara could you describe your set-up?
M
-
I'm a pretty novice user but wanted to provide some feedback and see if there are any suggestions. I'm currently using 2.2-BETA (i386) built on Thu Dec 04 08:23:23 CST 2014.
When I check Status->Services several times in a row I see Unbound DNS Resolver running and stopped at various times, so it seems like it's constantly stopping and restarting.
In the general setup, I have "Allow DNS server list to be overridden by DHCP/PPP on WAN" unchecked and "Do not use the DNS Forwarder as a DNS server for the firewall" checked.
Not sure if I have something configured wrong…
-
Check the posts near the end of previous page. Might be your issue.
-
> Check the posts near the end of previous page. Might be your issue.
Specifically, this one…
https://forum.pfsense.org/index.php?topic=78356.msg464921#msg464921
-
I started using the new DNS resolver but I'm having one issue: I have set it to reset the PPPoE connection every night, so when this happens, unbound stops working. I get these errors in the system log continuously:
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 61031
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19660
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26847
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 26531
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 65308
Dec 11 09:44:44 unbound: [7669:0] error: can't bind socket: Can't assign requested address
Dec 11 09:44:44 unbound: [7669:0] debug: failed address 92.98.234.229 port 19113
-
Does the resolver also handle IPv6 dns requests?
-
-
We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.
DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.
-
> We're running the December 10th build. I can confirm issues with a new WAN address breaking unbound. When our PPPoE WAN link gets a new IP address, the resolver will reply with internal IPs set via DHCP clientIDs, but any external DNS lookup made via a system on the LAN fails.
> DNS resolving on the firewall continues to work, so it's clearly an issue with unbound.
https://redmine.pfsense.org/issues/4095
-
I'm not sure what a message consisting solely of a link to a similar bug report means…
-
> I'm not sure what a message consisting solely of a link to a similar bug report means…
I think cmb means "it is a known issue and there is a bug report for it".
It does really need fixing - as you have described, DNS resolution can stop working on a WAN DHCP address change, if you have an "unfortunate" combination of Unbound in forwarder mode… settings.
-
> I'm not sure what a message consisting solely of a link to a similar bug report means…
> I think cmb means "it is a known issue and there is a bug report for it".
Yes, figured that was clear.
-
Latest version broke unbound for me - it did not start after the upgrade. I had to uncheck "Enable DNSSEC Support" to get it to come up.
-
I have the DNS resolver set up to use OpenDNS via dnscrypt-proxy.
I then have firewall rules set up to only allow LAN clients to query the LAN address on port 53,
and block requests to remote DNS servers. Everything works in this regard (no DNS leaks). But if I query an unknown, non-existent name, such as qwertyuiopas.dfghjklzxcvbnm
I get:
drill qwertyuiopas.dfghjklzxcvbnm
;; ->>HEADER<<- opcode: QUERY, rcode: NXDOMAIN, id: 40495
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 1, ADDITIONAL: 0
;; QUESTION SECTION:
;; qwertyuiopas.dfghjklzxcvbnm. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
. 2918 IN SOA a.root-servers.net. nstld.verisign-grs.com. 2014122700 1800 900 604800 86400
;; ADDITIONAL SECTION:
;; Query time: 28 msec
;; SERVER: 127.0.0.1
;; WHEN: Sat Dec 27 18:05:03 2014
;; MSG SIZE rcvd: 120
And if I ping qwertyuiopas.dfghjklzxcvbnm, it resolves to my WAN IP… (I would expect an unknown host response.)
I have "NAT Reflection mode for port forwards" set to Pure NAT, could this be the culprit?
-
I am trying to do the same - can you describe this further?
> I have DNS resolver setup to use opendns via dnscrypt-proxy.
> I then have firewall rules setup to only allow lan clients to query lan address on port 53,
> and block requests to remote DNS';
Right now I have DNS (53) blocked outbound from the LAN and the Resolver in forwarding mode using OpenDNS. However, DNSSEC is giving me issues.
What was the process to get dnscrypt-proxy going properly?
Best,
Dan
-
> I have DNS resolver setup to use opendns via dnscrypt-proxy.
> Right now I have DNS (53) blocked outbound from the LAN and Resolver in forwarding mode using OpenDNS. However DNSSEC is giving me issues.
DNSSEC != the OpenDNS nonsense that no one else uses. If you want DNSSEC, do not use OpenDNS.
-
I installed the dnscrypt-proxy package and set up unbound with a forward-zone to 127.0.0.1.
I then set up dnscrypt-proxy, first using dnscrypt.eu-nl, which worked for a bit but is unstable, so right now I have it querying OpenDNS while I investigate the dnscrypt.eu issue… BTW, I have DNSSEC checked, no problem.
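The two setups discussed in this thread, Phil's single internal domain with a domain override to the AD DNS server and the forward-zone to a local dnscrypt-proxy in the post above, as one added unbound.conf example. This is not config from the thread and not what pfSense generates; pfSense writes unbound.conf from its GUI, and to my understanding a domain override becomes a forward-zone like the one below. The domain name, the AD server address 10.0.0.10, the dnscrypt-proxy port 5353 and the "vpn.local" zone are placeholders for the values in the thread, and the do-not-query-localhost line is the check most people miss when forwarding to 127.0.0.1 (unbound refuses to query loopback addresses by default).

```conf
# Added example, not from the thread or from pfSense's generated config.
# Raw unbound.conf directives for: one internal domain forwarded to AD DNS,
# stray search-suffix names answered locally, everything else to dnscrypt-proxy.
server:
    # pfSense also writes interface:, access-control: and DNSSEC trust-anchor
    # lines here; they are left out of this fragment.

    # Unbound will not send queries to 127.0.0.0/8 unless this is set, so a
    # forward-zone to a local dnscrypt-proxy silently fails without it.
    do-not-query-localhost: no

    # Single internal domain (Phil's setup). The AD zone is not DNSSEC-signed
    # (assumption), so tell the validator not to expect signatures for it, and,
    # if rebinding protection (private-address) is on, allow RFC 1918 answers
    # from it.
    domain-insecure: "internal.mycompany.com"
    private-domain: "internal.mycompany.com"

    # Stray search-suffix lookups such as server.vpn.local: a static local zone
    # answers them with NXDOMAIN from unbound itself, so they never reach the
    # upstream forwarder. This is an alternative to the thread's trick of
    # pointing "vpn.local" at a non-existent server; "vpn.local" is a placeholder.
    local-zone: "vpn.local." static

# Domain override: names under the internal domain go to the nearest AD DNS
# server (placeholder address); unbound picks the most specific forward-zone.
forward-zone:
    name: "internal.mycompany.com."
    forward-addr: 10.0.0.10

# Default forwarder for everything else: the local dnscrypt-proxy listener.
# The port is a placeholder; use the one the dnscrypt-proxy package listens on.
forward-zone:
    name: "."
    forward-addr: 127.0.0.1@5353
```

With this layout, a query for server.internal.mycompany.com goes to 10.0.0.10, a query for server.vpn.local gets NXDOMAIN locally, and everything else leaves only through dnscrypt-proxy, which is what the LAN firewall rule in this thread (port 53 to the LAN address only) relies on. The "vpn." names themselves would still need their own forward-zone or local-data entries, which this fragment does not define.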