DNS timeouts



  • I noticed there are a lot of DNS timeouts in my Windows event log, about one every 10-15 minutes, and it can happen to any site I visit. I checked the pfSense log for resolver but none of the entries match the time of the DNS timeouts. Should I do to find out why the DNS is timing out?

    Setup: ATT Uverse gateway - pfsense (DMZ) - switch - AP



  • Should I do to find out why the DNS is timing out?

    Yes, you should!  ;D

    But seriously, start at the client.  What is it using for DNS?  If it is using pfSense for DNS then you could check Diagnostics - DNS Lookup.  This will show you how fast pfSense is doing resolves with the DNS servers it knows about.  Do you have your config set to query DNS sequentially or in parallel? (Services - DNS Forwarder - DNS Query Forwarding - Query DNS servers sequentially)



  • @KOM:

    Should I do to find out why the DNS is timing out?

    Yes, you should!  ;D

    But seriously, start at the client.  What is it using for DNS?  If it is using pfSense for DNS then you could check Diagnostics - DNS Lookup.  This will show you how fast pfSense is doing resolves with the DNS servers it knows about.  Do you have your config set to query DNS sequentially or in parallel? (Services - DNS Forwarder - DNS Query Forwarding - Query DNS servers sequentially)

    The client is set to auto for the DNS, and pfSense has no value in the settings so it's using AT&T's DNS. The "query DNS servers sequentially" setting is unchecked. The timeouts are random and after a couple of minutes I can access the site again.



  • Perhaps an ISP DNS problem?  I would add some public DNS to pfSense like Google, Level 3 or others, and have them checked in parallel.


  • LAYER 8 Global Moderator

    So you're using forwarder or resolver in pfSense?  Are you on 2.1.x or 2.2?

    So your client is auto; a simple `ipconfig /all` will show you what it's using for DNS.




  • Ipconfig shows the DNS is the pfSense box (attachment). Currently using 2.1.3 build. The "DNS forwarder" setting is checked under "Services - DNS Forwarder". I don't know if I'm using DNS forwarder or resolver; the install was set up using the wizard.

    @KOM
    What do you mean by checking the DNS in parallel? Does it simply mean I put a DNS server into the DHCP server setting one by one?



  • LAYER 8 Global Moderator

    That shows you're using IPv6 as well to talk to pfSense?  On that fdec:fd86:354::1 address - is that actually correct and working?  Do you have IPv6 set up on pfSense, and do you have it enabled in the LAN rules to be able to talk to pfSense on IPv6 for DNS?



  • What do you mean by checking the DNS in parallel? Does it simply mean I put a DNS server into the DHCP server setting one by one?

    No.  Put your DNS servers (including some 3rd-party like Google or Level3) into pfSense and then go to Services - DNS Forwarder - DNS Query Forwarding and ensure that Query DNS servers sequentially is unchecked.
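    Added example (not from the thread or from pfSense): a small stand-alone script that does what the advice above and the earlier "start at the client" suggestion amount to, i.e. sending the same A-record query to several resolvers at once, timing each answer, and reporting which one times out or returns an error. It uses only the Python standard library and builds/parses the DNS packets itself, so it works from any client without extra tools. The resolver addresses in the `__main__` block (a pfSense LAN address of 192.168.1.1, Google's 8.8.8.8 and Level 3's 4.2.2.2) are assumptions to edit for your own network; the transaction-id check and per-query random id are there so a stray or spoofed reply is not mistaken for the real one.

    ```python
    """Added example: time A-record lookups against several resolvers in parallel
    and report which ones time out or return errors. Standard library only."""
    import os
    import socket
    import struct
    import time
    from concurrent.futures import ThreadPoolExecutor

    RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}


    def build_query(name, txid):
        """Build a minimal DNS query for an A record, recursion desired."""
        header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # id, flags(RD), qd=1
        qname = b"".join(
            bytes([len(label)]) + label.encode("ascii")
            for label in name.rstrip(".").split(".")
        ) + b"\x00"
        return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN


    def _read_name(msg, offset):
        """Decode a (possibly compressed) name; return (name, offset after it)."""
        labels, end = [], None
        while True:
            length = msg[offset]
            if length & 0xC0 == 0xC0:  # compression pointer to an earlier name
                if end is None:
                    end = offset + 2
                offset = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
                continue
            if length == 0:
                offset += 1
                break
            labels.append(msg[offset + 1:offset + 1 + length].decode("ascii"))
            offset += 1 + length
        return ".".join(labels), (end if end is not None else offset)


    def parse_response(msg, expected_id):
        """Return (rcode, [IPv4 answers]); reject replies whose id does not match."""
        txid, flags, qd, an, _ns, _ar = struct.unpack("!HHHHHH", msg[:12])
        if txid != expected_id:
            raise ValueError("transaction id mismatch (stray or spoofed reply)")
        offset = 12
        for _ in range(qd):  # skip the echoed question section
            _, offset = _read_name(msg, offset)
            offset += 4
        answers = []
        for _ in range(an):
            _, offset = _read_name(msg, offset)
            rtype, rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[offset:offset + 10])
            offset += 10
            rdata, offset = msg[offset:offset + rdlen], offset + rdlen
            if rtype == 1 and rclass == 1 and rdlen == 4:
                answers.append(socket.inet_ntoa(rdata))
        return flags & 0xF, answers


    def time_lookup(server, name, timeout=2.0, port=53):
        """Send one query over UDP and measure the round trip; never raises."""
        txid = int.from_bytes(os.urandom(2), "big")  # unpredictable id per query
        sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        sock.settimeout(timeout)
        start = time.monotonic()
        try:
            sock.sendto(build_query(name, txid), (server, port))
            data, _ = sock.recvfrom(512)
            rcode, answers = parse_response(data, txid)
            return {"server": server, "ms": round((time.monotonic() - start) * 1000, 1),
                    "rcode": RCODES.get(rcode, str(rcode)), "answers": answers, "error": None}
        except socket.timeout:
            return {"server": server, "ms": None, "rcode": None, "answers": [], "error": "timeout"}
        except (OSError, ValueError) as exc:
            return {"server": server, "ms": None, "rcode": None, "answers": [], "error": repr(exc)}
        finally:
            sock.close()


    def time_all(servers, name, timeout=2.0):
        """Query every server at once, like pfSense with 'sequentially' unchecked."""
        with ThreadPoolExecutor(max_workers=len(servers)) as pool:
            return list(pool.map(lambda s: time_lookup(s, name, timeout), servers))


    def timeout_demo(timeout=0.3):
        """Constructed failure case: a local UDP socket that never answers."""
        silent = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
        silent.bind(("127.0.0.1", 0))
        try:
            return time_lookup("127.0.0.1", "example.com", timeout, silent.getsockname()[1])
        finally:
            silent.close()


    if __name__ == "__main__":
        # Assumed resolvers: your pfSense LAN address plus public ones; edit for your network.
        for result in time_all(["192.168.1.1", "8.8.8.8", "4.2.2.2"], "example.com"):
            print(result)
    ```

    Run it a few times during the period when the timeouts occur: if the pfSense entry shows `timeout` while the public resolvers answer in a few milliseconds, the problem is between pfSense and its upstream (the ISP's DNS in this thread); if all of them stall at once, look at the client or the path from the client to the firewall instead.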



  • I looked under the LAN rules and IPv6 is enabled (just the default setting, I didn't change it), please see attachment. Should I disable IPv6?

    @KOM: Is the attached picture showing the correct place I would put in a third party DNS server?

    ![lan rule.png](/public/imported_attachments/1/lan rule.png)


  • LAYER 8 Global Moderator

    No, that is not where you put them; that hands those out to the DHCP clients of that DHCP server.

    As to removing ipv6 on your lan interface rules - do you want to allow IPv6, do you use IPv6?  If you remove it and you have clients trying to use ipv6 it will generate noise in your logs because it would be blocked by default rule vs allowed via your allow rule there.



  • @johnpoz:

    No, that is not where you put them; that hands those out to the DHCP clients of that DHCP server.

    As to removing ipv6 on your lan interface rules - do you want to allow IPv6, do you use IPv6?  If you remove it and you have clients trying to use ipv6 it will generate noise in your logs because it would be blocked by default rule vs allowed via your allow rule there.

    I won't touch the IPv6 stuff for now, since it's the default. I've put the alternative DNS server into the settings page as suggested and I will monitor how well it works. Thanks to all who helped.

    PS. Looks like I can only click "Thanks" for 1 person  :-\


