Odd behavior of package install and update in 2.2.3
-
I am not sure if this is the right place to post the following, but quite a few people had problems with package installation that were reported here - and this may be related. Otherwise, dear moderator, please move this to the right place.
When I installed 2.2.3 on an internal firewall (ALIX with nanobsd), it was unable to check for updates in the dashboard and could not install any package. My initial investigation showed that the firewall was able to access the internet (through my internet firewall) and could access external DNS servers. I then looked through the GUI code and finally instrumented the download_file_with_progress_bar() function in pfsense-utils.inc. For both update check and package installation the call to curl_exec() yielded an HTTP return code of 0 - which is actually undefined. The filter logs of the internet firewall showed that HTTPS connections were made to the pfsense servers. A check with a second internal firewall running on 2.2.2 showed the same connections to the pfsense servers - but they were successful!
In the end I enabled all connections to the internet from the afflicted firewall - my internet firewall normally only allows connections to the "usual" services. Now both the check for updates and installations were working on the internal firewall. The firewall logs from the internet firewall then showed a very odd behavior: the internal firewall issued a large number of DNS requests to different IP addresses, none of them present in the firewall configuration. My firewall rules only allow access to certain trusted DNS servers, so these requests were blocked and caused curl_exec() to fail. These DNS requests were not present in the filter logs when I crosschecked with my internal 2.2.2 firewall.
Now I think that this behavior is somewhat fishy, as I do not think that these DNS requests are necessary to perform the desired operations of update check or package install - and 2.2.2 behavior demonstrates that they are not necessary. Can anyone in the know comment on this?
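The symptom described in this post (a burst of port-53 traffic to many addresses that are not the configured DNS servers) is exactly what a resolver doing its own recursion looks like from the upstream firewall. The script below is an added example, not code from the thread or from pfSense: it reads constructed log lines in a pf filterlog-style CSV layout (the field order is an assumption stated in the comment), counts outbound DNS by destination while ignoring the trusted resolvers, and flags the "many distinct untrusted destinations" pattern that distinguishes recursion from a misconfigured forwarder pointing at one wrong server. All addresses are documentation-range placeholders.

```python
import ipaddress
from collections import Counter

# Constructed: the only DNS servers the upstream firewall permits
# (documentation-range addresses, not real resolvers).
TRUSTED_RESOLVERS = {"192.0.2.53", "198.51.100.53"}

# Constructed sample lines in an assumed pf filterlog-like CSV layout:
# rule,subrule,anchor,tracker,iface,reason,action,dir,ipver,tos,ecn,ttl,
# id,offset,flags,protoid,proto,length,src,dst,sport,dport,datalen
SAMPLE_LOG = """\
Jun  1 12:00:01 fw filterlog: 5,,,1000000103,vr1,match,block,out,4,0x0,,64,1,0,none,17,udp,60,10.0.0.1,203.0.113.10,53210,53,40
Jun  1 12:00:01 fw filterlog: 5,,,1000000103,vr1,match,block,out,4,0x0,,64,2,0,none,17,udp,60,10.0.0.1,203.0.113.20,53211,53,40
Jun  1 12:00:01 fw filterlog: 7,,,1000000105,vr1,match,pass,out,4,0x0,,64,3,0,none,17,udp,60,10.0.0.1,192.0.2.53,53212,53,40
Jun  1 12:00:02 fw filterlog: 5,,,1000000103,vr1,match,block,out,4,0x0,,64,4,0,none,17,udp,60,10.0.0.1,203.0.113.10,53213,53,40
Jun  1 12:00:02 fw filterlog: 9,,,1000000107,vr1,match,pass,out,4,0x0,,64,5,0,S,6,tcp,60,10.0.0.1,203.0.113.99,40000,443,0
"""


def parse_filterlog(line):
    """Return the fields we need from one IPv4 filterlog record, or None."""
    if "filterlog:" not in line:
        return None
    fields = line.split("filterlog:", 1)[1].strip().split(",")
    if len(fields) < 22 or fields[8] != "4":  # only IPv4 records in this layout
        return None
    try:
        ipaddress.ip_address(fields[18])
        ipaddress.ip_address(fields[19])
    except ValueError:
        return None
    return {
        "action": fields[6],
        "dir": fields[7],
        "proto": fields[16],
        "src": fields[18],
        "dst": fields[19],
        "dport": fields[21],
    }


def find_stray_dns(lines, trusted, source=None):
    """Count outbound DNS (udp/tcp port 53) per destination, excluding trusted resolvers.

    `source` optionally restricts the count to one internal host, e.g. the
    firewall whose resolver is under suspicion.
    """
    strays = Counter()
    for line in lines:
        rec = parse_filterlog(line)
        if rec is None or rec["dir"] != "out":
            continue
        if rec["proto"] not in ("udp", "tcp") or rec["dport"] != "53":
            continue
        if source is not None and rec["src"] != source:
            continue
        if rec["dst"] not in trusted:
            strays[rec["dst"]] += 1
    return dict(strays)


def looks_like_recursion(strays, min_destinations=2):
    """A resolver doing its own recursion talks to many different name servers;
    a forwarder pointed at one wrong server produces a single untrusted destination."""
    return len(strays) >= min_destinations


if __name__ == "__main__":
    found = find_stray_dns(SAMPLE_LOG.splitlines(), TRUSTED_RESOLVERS, source="10.0.0.1")
    for dst, n in sorted(found.items()):
        print(f"untrusted DNS destination {dst}: {n} queries")
    if looks_like_recursion(found):
        print("pattern matches a recursing resolver; check Forwarding Mode on the internal firewall")
```

Running this against the constructed lines reports two untrusted destinations (203.0.113.10 twice, 203.0.113.20 once) and flags the recursion pattern; the passed query to 192.0.2.53 and the HTTPS connection are ignored. On a real upstream firewall the same check run over the blocked-traffic log tells you whether the policy is being hit by a recursing resolver or by a single misconfigured client.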
-
Perhaps you should configure the DNS resolver to forward the queries to your trusted DNS servers if you have the need to restrict DNS?
-
That's the default behavior of DNS Resolver, it does its own recursion. Enable forwarding mode if you don't want it to do that. That's always been the default behavior of Resolver. DNS Forwarder can only do forwarding. Guessing you switched between Forwarder and Resolver, otherwise you had forwarding mode enabled and disabled it.
-
To cmb: Thank you, that was the information I needed! Things are running smoothly now after checking the Forwarding Mode button.
To doktornotor: This is exactly what I do. Additionally restricting by filter rules helps me enforce the DNS policy as DNS requests by misconfigured clients will pop up in the firewall logs. And malware that subverts a client's DNS configuration will fall nicely short of its objectives.