DNS_PROBE_FINISHED_NXDOMAIN the first time i open any link.



  • Hopefully someone here can point me in the right direction, because I haven't been able to find any info about this issue.

    The problem:
    Whenever I open any web page I haven't visited for a while, I get a DNS_PROBE_FINISHED_NXDOMAIN error. If I reload the page, the error goes away and the page works normally.

    The same thing happens with downloads. Whenever I try to download a new file, it instantly fails. Then if I hit retry, it downloads normally.

    This is really starting to get annoying, and so far I haven't found any answers online.

    I'm guessing the issue may be related to my extremely high latency (800ms+).

    I'm using pfSense version 2.2.6-RELEASE (amd64) with the following packages:
    -squid3 (with transparent proxy enabled)
    -Lightsquid
    -bandwidthd



  • A little googling indicates this is related to the DNS configuration on your PC; basically you're doing a DNS lookup and it fails. What is your DNS configuration? What DNS servers are you pointing to? Where are you seeing this: from a Windows PC behind a pfSense box, or from the pfSense box itself?



  • This shows up on all computers connected to the router whenever they try to access a web page. It doesn't show the error when downloads fail, but I'm guessing it's the same thing.
    I'm pretty sure all my DNS settings are still default. Am I supposed to have DNS servers listed on the general setup page? http://puu.sh/mMGVk/09a3fbdc21.png



  • Sorry, I wasn't clear.  I was referring more to the client DNS settings, not the ones on pfSense box itself.  Are they pointing at the pfSense box or something beyond that, like Google DNS or OpenDNS servers?

    DNS servers: it depends. Do you have the DNS Resolver enabled? Services->DNS Resolver tab. If you have that enabled, then the pfSense box will do DNS lookups for you if you point your clients at the pfSense box (pfSense will be a local caching DNS server for your internal network). If your pfSense is also serving DHCP, you should be able to have the DHCP reply include pfSense as the DNS server (it may do this automatically based on what you configure).

    Check to see if you have the pfSense DNS Resolver enabled, make sure it's only listening on your internal interface(s) like LAN, then point one of your clients to the pfSense internal address as the DNS server. Can't guarantee it helps your specific situation, but it gives you a data point. It sounds like the error you are seeing is because of DNS lookup timeouts; it could be that the DNS servers your clients are pointing to are overloaded, a bad network connection, etc.



  • The first thing to check, like mer said, is that your computers/clients are using pfSense for DNS (if they're using DHCP, they should be, but check to make sure). However beyond that, I offer a different possibility for the cause of your issues…

    I think that your problem is likely caused by pfSense's DNS Resolver taking too long to look up the IP address for a site, causing your client to time out the first time you try to access the site. The second time is successful because by that time, the result for the first request has been resolved, so pfSense knows that IP address now and can provide it to your computer.

    If you have 800ms latency on your connection, then recursive DNS (the default configuration for pfSense) is NOT what you want to be doing. RDNS has your server start at the root for a domain - i.e. .com, .org, etc. - then recurse through the name requesting info from each DNS server along the way. With the latency you have, you're looking at a response time of at least 1.6 seconds just for a standard domain (i.e. google.com). The progression of recursive DNS goes like this:

    .com -> google.com -> www.google.com = x.x.x.x

    The faster way would be for your pfSense box to forward a DNS request to another DNS server that can do all of the heavy work faster, and just sends you back the IP address you need. So when you look up www.google.com, your request goes to just one DNS server, not two or three different ones spread around the internet.

    My recommendation would be to find two DNS servers that are quick to respond for you, put those servers in System > General, then turn on forwarding and see if that improves your situation. You can either go to the DNS Resolver settings and check the box to enable forwarding mode, or you can disable DNS Resolver and enable DNS Forwarder (make sure you follow that order).

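The mechanism the post above describes (a first lookup that outlives the client's patience, a resolver that finishes and caches anyway, and a second attempt that hits the cache) is easy to see in a small model. The following is an added example, not code from the thread or from pfSense/unbound: a toy resolver that charges one WAN round trip per referral in recursive mode and a single round trip plus a small assumed forwarder cost in forwarding mode. The 800 ms RTT comes from the thread; the 2 s client timeout and the 50 ms forwarder cost are assumptions. The hop count here includes the root query, so www.google.com costs three round trips; if the root referral is already cached it is one fewer, which is the two-hop figure the post uses.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class Resolver:
    """Toy model of a caching resolver on the LAN side of a slow WAN link (constructed)."""
    wan_rtt: float                  # seconds for one round trip over the WAN link
    mode: str                       # "recursive" (pfSense default) or "forwarding"
    forwarder_work: float = 0.05    # assumed time the upstream forwarder spends resolving
    cache: Dict[str, float] = field(default_factory=dict)

    def referral_hops(self, name: str) -> int:
        """One query per delegation level: root -> .com -> google.com for www.google.com.
        Assumes nothing is cached yet; a cached root referral would save one hop."""
        return len([label for label in name.strip(".").split(".") if label])

    def resolve(self, name: str) -> float:
        """Seconds until an answer for `name` exists; the answer is then cached."""
        if name in self.cache:
            return 0.0              # cache hit: answered on the LAN, treated as instant
        if self.mode == "recursive":
            elapsed = self.referral_hops(name) * self.wan_rtt
        elif self.mode == "forwarding":
            elapsed = self.wan_rtt + self.forwarder_work   # one WAN trip; forwarder recurses
        else:
            raise ValueError(f"unknown mode {self.mode!r}")
        # The resolver completes the lookup and caches the result even when the
        # client that asked has already given up waiting for it.
        self.cache[name] = elapsed
        return elapsed


def client_attempt(resolver: Resolver, name: str, client_timeout: float) -> Tuple[bool, float]:
    """One client lookup: (succeeded, seconds the client waited)."""
    elapsed = resolver.resolve(name)
    if elapsed > client_timeout:
        return False, client_timeout    # client errors out; resolver still caches the answer
    return True, elapsed


def simulate_attempts(mode: str, wan_rtt: float, client_timeout: float,
                      name: str = "www.google.com", attempts: int = 2) -> List[Tuple[bool, float]]:
    """Back-to-back lookups of `name` against a freshly started resolver."""
    resolver = Resolver(wan_rtt=wan_rtt, mode=mode)
    return [client_attempt(resolver, name, client_timeout) for _ in range(attempts)]


if __name__ == "__main__":
    # Assumed figures: 800 ms WAN RTT (from the thread), 2 s client timeout (assumption).
    for mode in ("recursive", "forwarding"):
        for i, (ok, waited) in enumerate(simulate_attempts(mode, 0.8, 2.0), 1):
            print(f"{mode:10s} attempt {i}: {'ok  ' if ok else 'FAIL'} after {waited:.2f}s")
```

With these numbers the recursive resolver needs 2.4 s for a cold www.google.com lookup, so the first attempt fails at the 2 s client timeout and the retry is served from cache, while forwarding answers the cold lookup in about 0.85 s. Whatever the real timeout and hop count are on a given network, the point is the same: anything that makes the cold lookup slower than the client's timeout produces exactly the "fails once, works on reload" pattern.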


  • @virgiliomi:

    The first thing to check, like mer said, is that your computers/clients are using pfSense for DNS (if they're using DHCP, they should be, but check to make sure). However beyond that, I offer a different possibility for the cause of your issues…

    I think that your problem is likely caused by pfSense's DNS Resolver taking too long to look up the IP address for a site, causing your client to time out the first time you try to access the site. The second time is successful because by that time, the result for the first request has been resolved, so pfSense knows that IP address now and can provide it to your computer.

    If you have 800ms latency on your connection, then recursive DNS (the default configuration for pfSense) is NOT what you want to be doing. RDNS has your server start at the root for a domain - i.e. .com, .org, etc. - then recurse through the name requesting info from each DNS server along the way. With the latency you have, you're looking at a response time of at least 1.6 seconds just for a standard domain (i.e. google.com). The progression of recursive DNS goes like this:

    .com -> google.com -> www.google.com = x.x.x.x

    The faster way would be for your pfSense box to forward a DNS request to another DNS server that can do all of the heavy work faster, and just sends you back the IP address you need. So when you look up www.google.com, your request goes to just one DNS server, not two or three different ones spread around the internet.

    My recommendation would be to find two DNS servers that are quick to respond for you, put those servers in System > General, then turn on forwarding and see if that improves your situation. You can either go to the DNS Resolver settings and check the box to enable forwarding mode, or you can disable DNS Resolver and enable DNS Forwarder (make sure you follow that order).

    Sorry I missed your post, I had given up on this. I'm pretty sure you're right about the cause, but unfortunately the fix you suggested did not work. Although now it says "ERR_NAME_NOT_RESOLVED" before loading a few seconds later. And it may be my imagination, but it does seem to be a little faster now. I wasn't able to get the DNS Resolver working with forwarding, so I'm using the DNS Forwarder.

