2.1.4 Fresh Install DNS Not resolving



  • Admins – Please move if I'm posting in the incorrect location.  I believe it goes here in installs or in DNS.

    Summary: On a fresh install of 2.1.4 (and I tried 2.1.5) I cannot resolve any domain or IP using the DNS Lookup tool.  NTP does not work, nor do package listings.

    This is a FRESH install of 2.1.4.

    Setup:
    WAN -- Static IP, IPv4
    LAN -- Static IP (No DHCP), IPv4

    DNS servers are 8.8.8.8 (google) and I've tried others.

    I've used the packet capture tool and confirmed that the packets are "there". I'm not sure if that tool is pre-FW or post-FW.  I've proceeded to check the wire itself on the gateway and there is NO DNS traffic.

    Thinking that it was a FW rule issue, I've added rules on the WAN to PASS port 53 to\from my DNS servers. Turned on logging on all rules and FW log shows no related traffic.

    Based on other posts around the forum, I've set the DNS to query sequentially and to ignore 127.0.0.1 and not to include the DHCP addresses.

    In reviewing the logs, I see that the RESOLVER shows the system loading the config for the DNS and listing the IPs, but nothing else.

    My theory is that DNS in pfSense won't work unless you have DHCP turned on, but I don't believe that could be it.

    I'm willing to post all the needed information, just let me know what's needed.



  • DNS Lookup for google.com yields:

    Server            Query time
    8.8.8.8           No response
    8.8.4.4           No response
    208.67.222.222    No response
    208.67.220.220    No response

    I get the following in the Resolver log:

    Oct 29 01:00:54 dnsmasq[94525]: exiting on receipt of SIGTERM
    Oct 29 01:00:55 dnsmasq[1809]: started, version 2.68 cachesize 10000
    Oct 29 01:00:55 dnsmasq[1809]: compile time options: IPv6 GNU-getopt no-DBus i18n IDN DHCP DHCPv6 no-Lua TFTP no-conntrack no-ipset auth
    Oct 29 01:00:55 dnsmasq[1809]: reading /etc/resolv.conf
    Oct 29 01:00:55 dnsmasq[1809]: using nameserver 208.67.220.220#53
    Oct 29 01:00:55 dnsmasq[1809]: using nameserver 208.67.222.222#53
    Oct 29 01:00:55 dnsmasq[1809]: using nameserver 8.8.4.4#53
    Oct 29 01:00:55 dnsmasq[1809]: using nameserver 8.8.8.8#53
    Oct 29 01:00:55 dnsmasq[1809]: read /etc/hosts - 2 addresses

    In the routing table I see the routes for the DNS servers pointing out to the gateway using the WAN interface.

    I also see the states are open from the WAN interface out to the DNS servers.



  • Can you ping your configured DNS servers? The symptoms match a basic network connectivity problem. There is no requirement to have DHCP or anything else enabled for DNS to function.



  • I'll check that when I login tonight.

    Does pfSense attempt to ping the DNS servers before sending its queries?


  • No.



  • Are you sure your WAN and gateway are properly configured?



  • Thinking that it was a FW rule issue, I've added rules on the WAN to PASS port 53 to\from my DNS servers.

    Also you do not need to open anything on WAN for outgoing DNS queries to work. That rule will let the outside world use your DNS, which is not a good idea.



  • @phil.davis:

    Thinking that it was a FW rule issue, I've added rules on the WAN to PASS port 53 to\from my DNS servers.

    Also you do not need to open anything on WAN for outgoing DNS queries to work. That rule will let the outside world use your DNS, which is not a good idea.

    Yeah, I recognize that, but I was grasping at straws.

    @cmb:

    Can you ping your configured DNS servers? The symptoms match a basic network connectivity problem. There is no requirement to have DHCP or anything else enabled for DNS to function.

    I discounted that earlier due to some rules on the gw but I checked those and retested.

    pfSense --> 8.8.8.8   == Failure
    gateway --> 8.8.8.8   == Success
    pfSense --> gateway   == Success
    gateway --> pfSense   == Success
    gateway --> next hop  == Success
    pfSense --> next hop  == Failure

    Using the Diagnostics: Routing Table I see that 8.8.8.8 uses the correct gateway.

    I'm not trying to be difficult, but I must be missing something obvious.. so I'll ask the question.  How are the WAN and the gateway supposed to be configured?



  • Well - The gateway and WAN IP should be on the same subnet…

    Your wan should match what your ISP is providing.

    Example.  If they provide a /24 and you enter /16 it wouldn't work well maybe.

    Just little nit-noid things like that.

    Also, try it with nothing more than the basic default WAN and LAN rules at first.
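    The subnet-mismatch point above can be checked mechanically: the gateway must fall inside the prefix actually configured on the WAN interface, or pfSense has no on-link route to it and every upstream packet (DNS included) goes nowhere. The script below is an added example, not from this thread or from pfSense; the addresses are constructed (RFC 5737 documentation ranges) and only mimic the /24-vs-/16 situation described here.

```python
import ipaddress

def gateway_on_link(wan_cidr: str, gateway: str) -> bool:
    """True if `gateway` lies inside the WAN interface's configured subnet,
    i.e. it is directly reachable on the wire without another router."""
    iface = ipaddress.ip_interface(wan_cidr)
    return ipaddress.ip_address(gateway) in iface.network

def diagnose_wan(wan_cidr: str, gateway: str, isp_prefixlen: int) -> dict:
    """Compare the prefix typed on the WAN interface with the prefix the ISP
    actually assigns, and report whether the gateway is on-link under each."""
    iface = ipaddress.ip_interface(wan_cidr)
    gw = ipaddress.ip_address(gateway)
    # Network the ISP intends, built from the same address but the ISP's prefix.
    isp_net = ipaddress.ip_network(f"{iface.ip}/{isp_prefixlen}", strict=False)
    on_link_as_configured = gw in iface.network
    on_link_per_isp = gw in isp_net
    if on_link_as_configured:
        verdict = "ok"                 # gateway reachable with current config
    elif on_link_per_isp:
        verdict = "prefix-mismatch"    # fix: WAN prefix should be /isp_prefixlen
    else:
        verdict = "gateway-unreachable"  # gateway is wrong even for ISP's prefix
    return {
        "configured_network": str(iface.network),
        "isp_network": str(isp_net),
        "on_link_as_configured": on_link_as_configured,
        "on_link_per_isp": on_link_per_isp,
        "verdict": verdict,
    }

if __name__ == "__main__":
    # Constructed values: WAN typed as /24 while the ISP hands out a /16 and
    # its gateway sits outside that /24, as in the thread.
    for cidr in ("203.0.113.10/24", "203.0.113.10/16"):
        result = diagnose_wan(cidr, "203.0.200.1", 16)
        print(cidr, "->", result["verdict"], result)
```

Running it shows the /24 configuration flagged as `prefix-mismatch` and the /16 as `ok`; any verdict other than `ok` means upstream tests like the DNS Lookup tool will fail before a firewall rule is ever consulted.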



  • @kejianshi:

    Example.  If they provide a /24 and you enter /16 it wouldn't work well maybe.

    Yeah, the WAN IP is using /24 and they are providing /16.  I'll tinker with that and see what happens.



  • I can't tell if you are being serious or sarcastic.  haha.
    But I really do hope it works.  I've seen typos like that on the WAN before that people had missed.
    Not trying to suggest you can't set up a WAN.  I know I've made my share of mistakes.



  • @Thoro:

    How is the WAN and the gateway supposed to be configured?

    However your ISP tells you. Matching the IP, subnet mask, and gateway provided (for static IP connectivity, which sounds like what you have here).



  • @kejianshi:

    Well - The gateway and wan IP should be on same subnet…

    Example.  If they provide a /24 and you enter /16 it wouldn't work well maybe.

    Yes, the gateway was on /16 and the FW was on /24. After changing the GW to match still no dice.

    @kejianshi:

    I can't tell if you are being serious or sarcastic.  haha.

    No problem.. I've been banging my head against this with no luck for almost two weeks now.. so I'm more frustrated than anything else.

    Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity?  I can not easily just plug in a computer on that port as it's remote.


  • Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity?

    Sure.  Create a static DNS entry (Host Override) in Services->DNS Forwarder then:

    dig @pfsenseip host_override_fqdn

    From behind pfSense (i.e. from LAN).

    If you don't have dig you'll need to use nslookup, or ping the hostname or something but you won't be specifically asking pfSense to resolve a name so you might not be testing what you want to be testing.

    I can not easily just plug in a computer on that port as it's remote.

    You might have to take a trip or get some remote hands going.



  • Cool, I'll try that.

    Is there a better place to track/log the activity of the DNS Resolver? In my screwing around with it now I'm getting nothing in the Resolver tab of the System Logs after using the DNS Resolver in Diagnostics.



  • @Derelict:

    Is there an easy way to test DNS in pfsense to ensure that "before the FW" there is connectivity?

    Sure.  Create a static DNS entry (Host Override) in Services->DNS Forwarder then:

    dig @pfsenseip host_override_fqdn

    From behind pfSense (i.e. from LAN).

    If you don't have dig you'll need to use nslookup, or ping the hostname or something but you won't be specifically asking pfSense to resolve a name so you might not be testing what you want to be testing.

    Awesome, using the override I have confirmed that the resolver can work.. but only internally.



  • I was able to get a box on the outside of the pfSense and test the DNS… no dice. So this is looking like a gateway issue.  I'll update when I know more.



  • Issue was found to be in the gateway. Thanks for all your help guys.



  • Cool - Hope it's good now.

