DNS Resolver problems



  • Hi, I recently installed pfSense 2.2.6 and had 2 problems. 1 was when doing a speedtest.net test using my ISP's server I get a latency error, and 2, with Plex Media Server I could not use an SSL secure connection. I have now disabled DNS Resolver and enabled DNS Forwarder and all my problems have gone; I can now do a speedtest fine and Plex can use a secure connection. Are there any ideas why? And what are the downsides of using the forwarder rather than the resolver?



  • I'm not sure as to how that would make a difference.  DNS is DNS.  If you can resolve hostnames to IP addresses, DNS has done its job.  DNS has nothing to do with the latency of your connection, or SSL handshakes.  Do you have forwarding mode enabled?

    https://doc.pfsense.org/index.php/DNS_Forwarder

    https://doc.pfsense.org/index.php/Unbound_DNS_Resolver



  • @KOM:

    I'm not sure as to how that would make a difference.  DNS is DNS.  If you can resolve hostnames to IP addresses, DNS has done its job.  DNS has nothing to do with the latency of your connection, or SSL handshakes.  Do you have forwarding mode enabled?

    https://doc.pfsense.org/index.php/DNS_Forwarder

    https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

    I do not know. All I know is that I never had these 2 problems with other routers and Untangle, only with pfSense. I disabled the resolver and enabled the forwarder and gave it the OpenDNS servers. What fixed it? I do not know. All I know is that everything is working fine under the forwarder, so something must be wrong in the resolver.



  • Do you have forwarding mode enabled?



  • In the resolver, forwarding mode is disabled. Here is an update: I re-enabled the resolver and went to the DHCP server and gave it the OpenDNS DNS server there, as in the resolver the DNS servers from System/General do not get forwarded to the devices. This way I do not have the problem, so it's not the resolver, but something wrong is happening if I leave DNS at the default.



  • If using DNS Resolver, make sure that in DNS Forwarder there are no checkboxes checked. Correct it via the enable/save method.
    And DNS Resolver does work without any other public DNS server. It does query the roots. So 127.0.0.1 is your DNS server for the LAN.



  • @hda:

    If using DNS Resolver, make sure that in DNS Forwarder there are no checkboxes checked. Correct it via the enable/save method.
    And DNS Resolver does work without any other public DNS server. It does query the roots. So 127.0.0.1 is your DNS server for the LAN.

    I am sure the forwarder is off. I also did a clean installation of pfSense last time but had the same problems; using a public DNS solved them for me, and with Plex I read in the Plex forums that with pfSense they cannot use a secure connection for some reason. I bet they have the same problem as me.


  • LAYER 8 Global Moderator

    Let's be clear here, DNS has NOTHING to do with the latency of your connection.  It can be a bit slower than just using a resolver because it is talking to the actual authoritative server of the domain, and not just pulling a cached entry from your ISP or public DNS that has hundreds of thousands of queries going to it and more likely than not has what you were looking for cached.

    The authoritative name server for a specific domain might be on the other side of the globe from you.  And you have to find it by walking down the tree from root: from . to TLD to domain, etc.  So that initial query might be a bit slower than just your plain jane forwarder.  Also the resolver is using DNSSEC out of the box, which the forwarder is not.

    With the resolver you are sure you have full DNSSEC support and are getting the info from the horse's mouth; with a forwarder you have no idea if that IP you looked up is OLD or bad even.  You're just getting what is in the cache of that DNS you're using.

    Now once the resolver has looked it up, it will cache it, and the next time you query it, as long as you're inside the TTL of that record, it will be as FAST as anything else you look up from the forwarder that was locally cached.

    This has nothing to do with SSL or the latency of your actual connection.

    As to using Plex with SSL.. WTF does that have to do with DNS??  And sure as hell pfSense is not going to be doing anything with an HTTPS connection any different than any other packets.  Unless you're using Squid with pfSense??  And trying to do SSL interception??

    I have a Plex server and use pfSense and have no issues at all.  If you point me to this Plex thread or give some details of what doesn't work I would be happy to test that.

    As to using forwarder vs resolver: I can tell you if your internet connection is shitty, or your ISP is shitty and does DNS interception/blocking, then yeah, the resolver is not going to be for you, and you're better off using the forwarder.

    But in the big picture using the resolver is much better from a security standpoint than using a forwarder.

    Where you can also have a problem with the resolver is if the domain you're trying to look up has broken DNSSEC; then yeah, those lookups will FAIL, as they rightfully should, whereas if using the forwarder that is not doing DNSSEC they would look up just fine.

    If your stuff is working fine with the forwarder, and you're happy, then there you go, end of discussion.  But there is nothing different in the end result with forwarder or resolver when it comes to looking up something: in the end you look up www.domain.tld and you get back an IP.  Those are exactly the same; it's just the security and method of how that actually happens where there is a difference.  And none of that would have any effect on the speed of your connection or SSL.

    As to not being able to do speedtest: I use the resolver and can tell you for a fact that speedtest works just fine.

    If you want to figure out what your actual problem is, please go back to the resolver and post some actual info on what your problem is other than some mention of a latency error??  To what speedtest?  Something your ISP has set up??  That maybe only their DNS resolves?  What is the FQDN you're trying to go to, something.domain.tld???

    And are you trying to connect to your Plex remotely with SSL??  Or what exactly?

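As an added illustration of the root-to-authoritative walk and the TTL caching described in the post above (example code written for this page, not code from pfSense, Unbound or dnsmasq): a toy iterative resolver next to a toy forwarder, run over a constructed three-level delegation tree. The zone names, the 192.0.2.10 address and the `query_counts` helper are this example's own inventions; the 100 s TTL on the leaf record is the same short TTL that turns up on speedtest.melita.com later in the thread.

```python
# Constructed toy delegation tree, not real DNS data. Each entry is one
# authoritative "server": the records it answers for and the child zones it
# delegates. The 100 s TTL on the leaf record matches the short TTL seen on
# speedtest.melita.com later in this thread.
TOY_SERVERS = {
    ".":            {"records": {}, "delegations": ["com."]},
    "com.":         {"records": {}, "delegations": ["example.com."]},
    "example.com.": {"records": {"www.example.com.": (100, "192.0.2.10")},
                     "delegations": []},
}


class IterativeResolver:
    """Walk root -> TLD -> authoritative on a miss; cache answers for their TTL."""

    def __init__(self, servers):
        self.servers = servers
        self.cache = {}            # qname -> (expires_at, rdata)
        self.queries_sent = 0      # queries sent to authoritative servers

    def lookup(self, qname, now):
        """Return (seconds the answer stays cached, rdata)."""
        hit = self.cache.get(qname)
        if hit and hit[0] > now:
            return hit[0] - now, hit[1]          # served from cache, no network
        zone = "."
        while True:
            self.queries_sent += 1
            server = self.servers[zone]
            if qname in server["records"]:
                ttl, rdata = server["records"][qname]
                self.cache[qname] = (now + ttl, rdata)
                return ttl, rdata
            # Not here: follow the delegation whose zone is a suffix of qname.
            child = next((z for z in server["delegations"]
                          if qname.endswith("." + z)), None)
            if child is None:
                raise LookupError(f"{qname}: no delegation below zone {zone}")
            zone = child


class ForwardingResolver:
    """Send every miss to one upstream cache and trust whatever comes back."""

    def __init__(self, upstream):
        self.upstream = upstream
        self.cache = {}
        self.queries_sent = 0      # queries sent to the upstream

    def lookup(self, qname, now):
        hit = self.cache.get(qname)
        if hit and hit[0] > now:
            return hit[0] - now, hit[1]
        self.queries_sent += 1                   # exactly one query per miss
        ttl, rdata = self.upstream.lookup(qname, now)
        self.cache[qname] = (now + ttl, rdata)   # inherits the upstream's remaining TTL
        return ttl, rdata


def query_counts(qname="www.example.com."):
    """Cumulative queries each resolver has sent after lookups at t=0 s,
    t=50 s (inside the 100 s TTL) and t=101 s (just after it expired)."""
    resolver = IterativeResolver(TOY_SERVERS)
    isp_cache = IterativeResolver(TOY_SERVERS)   # stands in for the ISP/public resolver
    forwarder = ForwardingResolver(isp_cache)
    counts = {}
    for label, r in (("resolver", resolver), ("forwarder", forwarder)):
        counts[label] = []
        for t in (0, 50, 101):
            r.lookup(qname, t)
            counts[label].append(r.queries_sent)
    return counts


if __name__ == "__main__":
    print(query_counts())   # {'resolver': [3, 3, 6], 'forwarder': [1, 1, 2]}
```

Run it and the resolver sends three queries on the first miss (root, TLD, authoritative), none on a repeat inside the TTL, and three again once the record has expired; the forwarder sends one query per miss to whoever it trusts upstream and inherits that upstream's answer and remaining TTL. That is the whole trade-off in the post: the resolver pays the walk itself and gets the answer from the authority, the forwarder is cheaper but only as correct as its upstream cache, and a short TTL or a flaky authoritative server hurts the resolver far more than it hurts a forwarder whose upstream already has the answer.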

  • LAYER 8 Netgate

    And if the forwarder works and you decide to stick with it, I would try enabling forwarding mode of the resolver instead. Then you'll be using the currently-embraced Unbound instead of the on-the-way-out dnsmasq.



  • @johnpoz:

    Let's be clear here, DNS has NOTHING to do with the latency of your connection.  It can be a bit slower than just using a resolver because it is talking to the actual authoritative server of the domain, and not just pulling a cached entry from your ISP or public DNS that has hundreds of thousands of queries going to it and more likely than not has what you were looking for cached.

    The authoritative name server for a specific domain might be on the other side of the globe from you.  And you have to find it by walking down the tree from root: from . to TLD to domain, etc.  So that initial query might be a bit slower than just your plain jane forwarder.  Also the resolver is using DNSSEC out of the box, which the forwarder is not.

    With the resolver you are sure you have full DNSSEC support and are getting the info from the horse's mouth; with a forwarder you have no idea if that IP you looked up is OLD or bad even.  You're just getting what is in the cache of that DNS you're using.

    Now once the resolver has looked it up, it will cache it, and the next time you query it, as long as you're inside the TTL of that record, it will be as FAST as anything else you look up from the forwarder that was locally cached.

    This has nothing to do with SSL or the latency of your actual connection.

    As to using Plex with SSL.. WTF does that have to do with DNS??  And sure as hell pfSense is not going to be doing anything with an HTTPS connection any different than any other packets.  Unless you're using Squid with pfSense??  And trying to do SSL interception??

    I have a Plex server and use pfSense and have no issues at all.  If you point me to this Plex thread or give some details of what doesn't work I would be happy to test that.

    As to using forwarder vs resolver: I can tell you if your internet connection is shitty, or your ISP is shitty and does DNS interception/blocking, then yeah, the resolver is not going to be for you, and you're better off using the forwarder.

    But in the big picture using the resolver is much better from a security standpoint than using a forwarder.

    Where you can also have a problem with the resolver is if the domain you're trying to look up has broken DNSSEC; then yeah, those lookups will FAIL, as they rightfully should, whereas if using the forwarder that is not doing DNSSEC they would look up just fine.

    If your stuff is working fine with the forwarder, and you're happy, then there you go, end of discussion.  But there is nothing different in the end result with forwarder or resolver when it comes to looking up something: in the end you look up www.domain.tld and you get back an IP.  Those are exactly the same; it's just the security and method of how that actually happens where there is a difference.  And none of that would have any effect on the speed of your connection or SSL.

    As to not being able to do speedtest: I use the resolver and can tell you for a fact that speedtest works just fine.

    If you want to figure out what your actual problem is, please go back to the resolver and post some actual info on what your problem is other than some mention of a latency error??  To what speedtest?  Something your ISP has set up??  That maybe only their DNS resolves?  What is the FQDN you're trying to go to, something.domain.tld???

    And are you trying to connect to your Plex remotely with SSL??  Or what exactly?

    http://forums.sagetv.com/forums/showthread.php?t=62233
    https://forums.plex.tv/discussion/175111/pfsense-plex-secure-plex-web-and-long-delay-at-startup

    Here are the Plex problems; I am not the only one. Say that it can't be as much as you like, I know what problems I have. I invite any admin to an RDP session to see what's going on. As for speedtest.net: yes, with only the resolver I get the error, and when I enter OpenDNS in the DHCP server the problems go. I have had DD-WRT, Gargoyle, Netgear, Asus and Untangle and never had these 2 problems. I install pfSense with the resolver and I get these 2 problems, and you say it's from my end? If it's from my end, how come these problems happen only in pfSense using the resolver?


  • LAYER 8 Netgate

    If you're having DNS problems learn to use DNS tools like dig/drill to figure out what's going on.



  • @Derelict:

    And if the forwarder works and you decide to stick with it, I would try enabling forwarding mode of the resolver instead. Then you'll be using the currently-embraced Unbound instead of the on-the-way-out dnsmasq.

    Thanks, will try it.



  • I removed the OpenDNS entry and tried the speed test; here is a pic.



  • Your pfSense problems need pictures of:
    System: General Setup,
    Services: DNS forwarder,
    Services: DNS Resolver,
    Services: DHCP server,
    and the client host IP address from where you test the speed. :)



  • IP 192.168.1.14 and 192.168.1.2

    Thanks



  • System: General Setup: you do not need "Allow DNS server list to be overridden" checked.
    Services: DNS Resolver, listening network interfaces: select only the inside LAN(s).

    Both the clients have received a DHCP lease with DNS 127.0.0.1/192.168.1.1, right? (So no static with own public DNS.)
    You have allowed firewall LAN all outgoing? (At least you want [IPv4 TCP/UDP LAN net * This Firewall 53 (DNS)].)


  • LAYER 8 Global Moderator

    That Plex issue with secure Plex sure seems to be rebinding protection, not DNS exactly.  Yeah, public domains shouldn't resolve to RFC1918 address space.

    So you could make an exception:
    server:
        private-domain: "example.com"

    for the domain you're trying to hit, or you could just use a host override to point whatever you're accessing outside locally, so it's not a public lookup that returns RFC1918.

    The forwarder does rebinding protection as well; you would need something like
    rebind-domain-ok=/mydomain.com/

    https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

    in the advanced section of the forwarder to allow your domain to return private IP space.  Or you could just turn off rebinding protection.  How exactly are you trying to access Plex??

    More than likely your shitty off-the-shelf routers are not going to provide rebinding protection.  As to your speedtest… What is the URL you're using to access that speedtest??

    Me personally, I don't access my Plex from outside other than with VPN.  Clickity clickity on my VPN network, click open the Plex app on phone or iPad, there you go.  Same goes for any computer; I just VPN in and hit the web page of my Plex server.

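To show what the rebinding protection described in the post above actually does to an answer (example code written for this page, modelled on the behaviour of Unbound's private-address/private-domain options and dnsmasq's rebind-domain-ok, but not taken from Unbound, dnsmasq or pfSense): a filter that strips private addresses from answers for public names unless the name sits under an allow-listed domain. The sample answers are constructed; the plex.direct allow-list entry mirrors the fix the original poster reports later in the thread, and the `filter_answer` and `under_domain` names are this example's own.

```python
import ipaddress

# Address ranges a public name should never resolve to. Same idea as
# Unbound's private-address list (pfSense ships the RFC1918 ranges by default).
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "127.0.0.0/8", "0.0.0.0/8", "fc00::/7", "fe80::/10", "::1/128",
)]


def canonical(name):
    """Lowercase, trailing-dot form so suffix matching is exact."""
    name = name.lower()
    return name if name.endswith(".") else name + "."


def is_private(rdata):
    """True for an A/AAAA rdata inside a private range; False for anything else."""
    try:
        addr = ipaddress.ip_address(rdata)
    except ValueError:
        return False                      # e.g. a CNAME target, not an address
    return any(addr in net for net in PRIVATE_NETS)


def under_domain(qname, domain):
    """True if qname equals domain or is a label below it (label-exact, so
    notplex.direct is NOT under plex.direct)."""
    qname, domain = canonical(qname), canonical(domain)
    return qname == domain or qname.endswith("." + domain)


def filter_answer(qname, rdatas, private_domains=()):
    """Return (kept, dropped). Private addresses are stripped from the answer
    unless qname is under an allow-listed domain (Unbound: private-domain,
    dnsmasq: rebind-domain-ok). If nothing is kept the client sees an empty
    answer, which is exactly the 'secure connection' failure seen with Plex."""
    if any(under_domain(qname, d) for d in private_domains):
        return list(rdatas), []
    kept = [r for r in rdatas if not is_private(r)]
    dropped = [r for r in rdatas if is_private(r)]
    return kept, dropped


# Constructed sample answers, not real lookups. The plex.direct name stands for
# Plex's per-server hostname that deliberately resolves to the LAN address.
SAMPLE_ANSWERS = {
    "www.example.com.":    ["198.51.100.7"],                # ordinary public answer
    "abc123.plex.direct.": ["192.168.1.2"],                 # public name -> LAN IP
    "lure.example.net.":   ["203.0.113.5", "10.0.0.1"],     # rebinding-style mixed answer
}


def apply_policy(answers=SAMPLE_ANSWERS, private_domains=()):
    """Run the filter over a set of answers; returns {qname: (kept, dropped)}."""
    return {q: filter_answer(q, rr, private_domains) for q, rr in answers.items()}


if __name__ == "__main__":
    for q, (kept, dropped) in apply_policy().items():
        print(f"{q:24} kept={kept} dropped={dropped}")
    print(apply_policy(private_domains=("plex.direct",))["abc123.plex.direct."])
```

With no allow-list the plex.direct answer comes back empty, which is the failure the thread is chasing; adding `plex.direct` as a private-domain (or, as the post suggests, a host override for that one name) lets the LAN address through for that domain only, while the mixed answer for the unrelated name still loses its 10.0.0.1 record. The suffix match is label-exact on purpose: a sloppy `endswith("plex.direct")` would also whitelist `notplex.direct`, which is the kind of allow-list bug that quietly reopens the rebinding hole.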



  • HI johnpoz

    You are 100 percent right: the Plex problem was the rebinding, and yes, lol, you were right again, shitty routers do not have DNS rebinding protection, and it looks like Untangle does not have it either, so A++ to pfSense :P. I use the phone app, or some users use the web browser to access Plex; the problem seems to be in using the browser, but hey, it is not worth losing rebinding protection over it. It makes much more sense, as you say, to use VPN. As for the speedtest, I go to speedtest.net and choose my ISP's server, Madlina; the strange part is that if I use speedtest.net and select a different server other than my ISP's, it works, and when I specify a public DNS in the DHCP server, Madlina works. I turned off the DNS override in General Setup but still have the same problem.



  • @hda:

    System: General Setup: you do not need "Allow DNS server list to be overridden" checked.
    Services: DNS Resolver, listening network interfaces: select only the inside LAN(s).

    Both the clients have received a DHCP lease with DNS 127.0.0.1/192.168.1.1, right? (So no static with own public DNS.)
    You have allowed firewall LAN all outgoing? (At least you want [IPv4 TCP/UDP LAN net * This Firewall 53 (DNS)].)

    Hi, I removed the override in General.
    2: 192.168.1.2 has a static DHCP mapping set in the pfSense DHCP server.
    3: resolver listening interface: I cannot select LAN on its own; I get
    The following input errors were detected:

    This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
    When I select Localhost I do not get DNS.



  • @Chrismallia:

    resolver listening interface: I cannot select LAN on its own; I get
    The following input errors were detected:

    This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
    When I select Localhost I do not get DNS.

    Correct, I forgot to point to Localhost too. Use Ctrl+mouse click to select the LAN(s) and Localhost. (But 'All' should work OK.)



  • @hda:

    @Chrismallia:

    resolver listening interface: I cannot select LAN on its own; I get
    The following input errors were detected:

    This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
    When I select Localhost I do not get DNS.

    Correct, I forgot to point to Localhost too. Use Ctrl+mouse click to select the LAN(s) and Localhost. (But 'All' should work OK.)

    Here are the pics; same problem.



  • Then to me it looks like a DNSSEC-support problem at the test site.
    You could test this by unchecking DNSSEC support. But not recommended for the ultimate Resolver use ;)

    N.B. There is another tough criterion, see Services: DNS Resolver: Advanced (Harden DNSSEC data).



  • @hda:

    Then to me it looks like a DNSSEC-support problem at the test site.
    You could test this by unchecking DNSSEC support. But not recommended for the ultimate Resolver use ;)

    N.B. There is another tough criterion, see Services: DNS Resolver: Advanced (Harden DNSSEC data).

    Hi, I unchecked both but have the same problem. lol, it's a mystery.


  • LAYER 8 Global Moderator

    How do you pick "Madlina"

    in speedtest?  I want to look at what IP/FQDN you're testing to.

    What city are you using that allows you to select Madlina?  Can you post a screenshot showing you picking this; see example below.



  • Hi, I am from Malta, so in Malta, and Madlina is where my ISP's servers are, Melita plc.



  • LAYER 8 Global Moderator

    OK, I am using the resolver and have no issues testing to that server.

    I would suggest you do a sniff on your machine when you try to test to that server, vs when you test to a server that works.  Or even easier, enable debug: click on your map before you start the test and type debug and you should get a window; see attached… What errors/info do you get in there?




  • @johnpoz:

    OK, I am using the resolver and have no issues testing to that server.

    I would suggest you do a sniff on your machine when you try to test to that server, vs when you test to a server that works.

    No idea. I installed pfSense on a different PC and got the same results; it only works when I use public DNS.  Sorry, what do you mean by doing a sniff?


  • LAYER 8 Global Moderator

    See my edit, enable debug.

    Does this resolve?  Do an nslookup or dig, or use the DNS Lookup diagnostic in pfSense:

    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> speedtest.melita.com
    ;; global options: +cmd
    ;; Got answer:
    ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 49494
    ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 2, ADDITIONAL: 1

    ;; OPT PSEUDOSECTION:
    ; EDNS: version: 0, flags:; udp: 4096
    ;; QUESTION SECTION:
    ;speedtest.melita.com.          IN      A

    ;; ANSWER SECTION:
    speedtest.melita.com.  100    IN      A      212.56.138.60

    ;; AUTHORITY SECTION:
    melita.com.            2714    IN      NS      ns1.melitacable.com.
    melita.com.            2714    IN      NS      ns.melitacable.com.

    ;; Query time: 153 msec
    ;; SERVER: 192.168.9.253#53(192.168.9.253)
    ;; WHEN: Tue Mar 08 09:47:37 CST 2016
    ;; MSG SIZE  rcvd: 112




  • Here is what I got



  • LAYER 8 Global Moderator

    There is going to be more to it than that; scroll through it… Can you resolve what I posted, speedtest.melita.com?

    So I show the socket latency fails as well, but then it goes to HTTP latency:

    5780  INFO: socket-latency Test started at 1457451815780
    15781  WARNING: REPLACE ME: Handle SubTest Start - socket-latency
    30784  ERROR: Latency test returned an error: [AnchorEvent type="error" bubbles=false cancelable=false eventPhase=2] timeout
    30785  DEBUG: test started: false
    30786  INFO: cleaning up: socket-latency
    30787  INFO: MethodId set to: 1
    30887  INFO: Starting: latency
    30889  INFO: Method: 2/2
    30890  INFO: Method Used: http
    30890  INFO: Starting subtest: http-latency
    30892  INFO: http-latency Test started at 1457451830892
    30894  WARNING: REPLACE ME: Handle SubTest Start - http-latency
    31619  INFO: progress: 0.1  current: 719  time left: 7434  test: http-latency

    You will have to look through the debug to where it loads the file and see if you can load it.

    Here is from their troubleshooting info.

    See, I can load this; can you?
    http://speedtest.melita.com/speedtest/latency.txt




  • Sorry, here is all of it. And no, I get a page error going to that URL.
    12528  INFO: calculateDistances: 3100
    12559  INFO: calculateDistances: 3200
    12579  INFO: calculateDistances: 3300
    12594  INFO: calculateDistances: 3400
    12607  INFO: calculateDistances: 3500
    12619  INFO: calculateDistances: 3600
    12634  INFO: calculateDistances: 3700
    12648  INFO: calculateDistances: 3800
    12671  INFO: calculateDistances: 3900
    12700  INFO: calculateDistances: 4000
    12729  INFO: calculateDistances: 4100
    12748  INFO: calculateDistances: 4200
    12759  INFO: calculateDistances: 4300
    12765  INFO: calculateDistances: 4400
    12767  INFO: Distances loaded: 39164
    12947  INFO: Distances sorted
    12947  INFO: TileMapContainer.placeMarkers
    12950  INFO: place markers: 6
    12951  INFO: Current Zoom Level: 6 - max Distance: 20 distance pairs: 39164
    12965  INFO: getMarkers Done
    12965  INFO: Groups: 4484
    13250  INFO: markers placed: 4487
    13251  INFO: Table Map Dragger Loaded
    13252  INFO: load topmap
    13252  INFO: object Added: topmap
    13252  INFO: [object _-Ei]
    13252  INFO: 114.5 11.45
    13252  INFO: 5
    13253  INFO: wavehash:undefined
    14367  INFO: bring to front
    14376  INFO: 2495,2497,2492,2494,2498
    14376  INFO: 2496,2498,2493,2495,2499
    44290  INFO: onRelease Dragger
    44290  INFO: Stopped panning, top left: 38.34277,8.96346, center: 35.93469,14.47860, bottom right: 33.45097,19.99374, zoom: 6
    52290  INFO: Showing debug window
    59086  INFO: bring to front
    59100  INFO: 2495,2497,2492,2494,2498
    59101  INFO: 2496,2498,2493,2495,2499
    60765  INFO: onRelease Dragger
    60767  INFO: serverflyoutbutton click
    60769  INFO: removed old dragger
    60773  INFO: wavehash:undefined
    60774  INFO: stopTimer current Count:8310865169
    60775  INFO: stopTimer desired Count:8310866837
    60775  INFO: ServerId set to: 2493
    60981  INFO: trackEvent: test_started
    60984  INFO: serverflyout click
    61297  INFO: delete object: [object _-9W]
    61530  INFO: Tile Map Container Loaded
    61535  INFO: object Added: tabletilemapcontainer
    61565  INFO: y: 103  factor: 1.819078947368421
    61565  INFO: y: 105  factor: 1.838815789473684
    62044  INFO: object Added: test
    62045  INFO: object Added: speedtest
    62047  INFO: object Added: speedtest-download-graph
    62049  INFO: object Added: finalresults
    62051  INFO: object Added: speedtest-download-graph-final
    62531  INFO: MethodId set to: 0
    62531  INFO: Vars: preferredserverid=2992
    62532  INFO: Vars: startmode=serverclick
    62533  INFO: Vars: promo=
    62534  INFO: Starting test
    62537  INFO: Starting: throttling
    62541  INFO: Method: 1/2
    62542  INFO: Method Used: tcp
    62545  INFO: Method: 1/2
    62546  INFO: Method Used: tcp
    62547  INFO: Starting: latency
    62549  INFO: Method: 1/2
    62550  INFO: Method Used: tcp
    62553  INFO: Starting subtest: socket-latency
    62558  INFO: socket-latency Test started at 1457451962558
    62561  WARNING: REPLACE ME: Handle SubTest Start - socket-latency
    77562  ERROR: Latency test returned an error: [AnchorEvent type="error" bubbles=false cancelable=false eventPhase=2] timeout
    77565  DEBUG: test started: false
    77567  INFO: cleaning up: socket-latency
    77569  INFO: MethodId set to: 1
    77662  INFO: Starting: latency
    77666  INFO: Method: 2/2
    77667  INFO: Method Used: http
    77668  INFO: Starting subtest: http-latency
    77671  INFO: http-latency Test started at 1457451977671
    77676  WARNING: REPLACE ME: Handle SubTest Start - http-latency
    82562  ERROR: SocketConnection 0 securityErrorHandler: [SecurityErrorEvent type="securityError" bubbles=false cancelable=false eventPhase=2 text="Error #2048"]
    88997  ERROR: Latency test returned an error while trying to read the latency file.
    88998  DEBUG: test started: false
    89003  INFO: Loading Error Strings
    89005  INFO: MethodId set to: 0
    89006  INFO: Vars: preferredserverid=2992
    89007  INFO: Vars: startmode=serverclick
    89010  INFO: Vars: promo=
    89012  INFO: Closing all TCP connections
    89014  INFO: Connections closed: 0
    89017  WARNING: REPLACE ME: HandleFatal - http-latency
    89021  INFO: EndTestHandler Loaded
    89027  INFO: object Added: endtest
    89045  INFO: trackEvent: test_error
    89999  ERROR: UNCAUGHT ERROR
    90002  ERROR: ArgumentError: Error #2109
    90011  ERROR: UNCAUGHT ERROR
    90013  ERROR: ArgumentError: Error #2109
    65989  ERROR: UNCAUGHT ERROR
    65991  ERROR: ArgumentError: Error #2109
    66008  ERROR: UNCAUGHT ERROR
    66012  ERROR: ArgumentError: Error #2109
    66027  ERROR: UNCAUGHT ERROR
    66029  ERROR: ArgumentError: Error #2109
    11535  ERROR: UNCAUGHT ERROR
    11539  ERROR: ArgumentError: Error #2109
    11746  ERROR: UNCAUGHT ERROR
    11747  ERROR: ArgumentError: Error #2109
    11838  ERROR: UNCAUGHT ERROR
    11839  ERROR: ArgumentError: Error #2109
    13307  ERROR: UNCAUGHT ERROR
    13308  ERROR: ArgumentError: Error #2109
    13329  ERROR: UNCAUGHT ERROR
    13331  ERROR: ArgumentError: Error #2109
    13338  ERROR: UNCAUGHT ERROR
    13341  ERROR: ArgumentError: Error #2109
    19624  ERROR: UNCAUGHT ERROR
    19627  ERROR: ArgumentError: Error #2109
    19682  ERROR: UNCAUGHT ERROR
    19683  ERROR: ArgumentError: Error #2109
    19705  ERROR: UNCAUGHT ERROR
    19706  ERROR: ArgumentError: Error #2109
    20744  ERROR: UNCAUGHT ERROR
    20747  ERROR: ArgumentError: Error #2109
    20757  ERROR: UNCAUGHT ERROR
    20760  ERROR: ArgumentError: Error #2109
    84523  ERROR: UNCAUGHT ERROR
    84527  ERROR: ArgumentError: Error #2109


  • LAYER 8 Global Moderator

    I don't see in there where you're even getting the server name you want to test to.

    Looks to be more an error in your speedtest applet than any sort of network problem.  Not sure how you can get any test to work if you don't get the server URL to go to.  See in my debug where it uses the URL http://speedtest.melita.com/

    I don't see any server URL anywhere in that debug log.  Did you start it after you clicked on the server?  Start the debug before you pick your server, and try it with a server that works.  You should see the URL you're going to for the test when you pick a different server.

    Also validate that you can resolve

    speedtest.melita.com

    Can you load this
    http://speedtest.melita.com/speedtest/latency.txt

    just directly in your browser?



  • @johnpoz:

    Can you load this
    http://speedtest.melita.com/speedtest/latency.txt

    just directly in your browser?

    No, I get a page error in my browser. Do you want logs of a server that works? I tried other browsers, PCs and a phone, still the same error.


  • LAYER 8 Global Moderator

    What do you get when you try to resolve it?  Use nslookup, or dig or drill, or even the DNS Lookup diagnostic page on pfSense.

    Try to ping the name; does it come back with an IP or unknown host, etc.?

    Let me see if that domain has DNSSEC enabled that is broken.

    Edit: I don't show them having DNSSEC available… But it's quite possible you're having an issue with connectivity to their authoritative servers.

    But I do show their DNS to be hosed from online testers.

    I show one of their servers for sure not answering:

    ;; ANSWER SECTION:
    melita.com.            3600    IN      NS      ns1.melitacable.com.
    melita.com.            3600    IN      NS      ns.melitacable.com.

    ;; ADDITIONAL SECTION:
    ns.melitacable.com.    3600    IN      A      212.56.128.132
    ns1.melitacable.com.    3600    IN      A      212.56.128.196

    So while .196 answers, I cannot get a response from .132:

    ; <<>> DiG 9.9.5-3ubuntu0.7-Ubuntu <<>> @212.56.128.132 melita.com NS
    ; (1 server found)
    ;; global options: +cmd
    ;; connection timed out; no servers could be reached

    So it would seem they have issues.  Might be connectivity from parts of the world, etc.

    Well, now another query works... So they could be having issues.  If you're resolving and having problems talking to their NS, then yes, that could explain why using the forwarder works, since you're just asking for something that an NS already has cached.




  • In the browser I get
    This webpage is not available

    DNS_PROBE_FINISHED_NXDOMAIN

    In the pfSense DNS Lookup I get

    Host must be a valid hostname or IP address.

    In cmd with ipconfig I get

    Ping request could not find host http://speedtest.melita.com/speedtest/latency.txt. Please check the name and try again.


  • LAYER 8 Global Moderator

    Yeah, you're having issues resolving their DNS… You could try a trace in, say, nslookup or dig.

    But that explains your problem: you're having problems resolving that domain.  You could try putting in a host override.

    I show that server resolving to 212.56.138.60.

    So in the resolver create a host override for speedtest with melita.com as the domain and that IP, then see if you can ping by name.

    Where I see a major issue is that they have a TTL of 100 seconds.

    So when they do resolve, it doesn't stay cached long:

    ;; ANSWER SECTION:
    speedtest.melita.com.  100    IN      A      212.56.138.60

    ;; AUTHORITY SECTION:
    melita.com.            3600    IN      NS      ns.melitacable.com.
    melita.com.            3600    IN      NS      ns1.melitacable.com.

    ;; ADDITIONAL SECTION:
    ns.melitacable.com.    3600    IN      A      212.56.128.132
    ns1.melitacable.com.    3600    IN      A      212.56.128.196

    Trying to query their servers seems to be hit and miss.  Sometimes it works, and then it fails… So even when you do get it resolved, it only stays cached for 100 seconds.

    If they are your ISP you might want to contact them; their DNS is messed up!!!

    Their SOA is WRONG too...

    ;; QUESTION SECTION:
    ;speedtest.melita.com.          IN      SOA

    ;; AUTHORITY SECTION:
    melita.com.            3561    IN      SOA    helium.melitacable.com. domains.melitacable.com. 2016022500 28800 7200 2419200 86400

    The SOA should point to one of their name servers.



  • Wow, you're great, so that explains it. You should come to Malta and give them a lecture lol. Yes, they are my ISP; that might explain some issues they are having with internet disconnects and slowdowns? Everyone is complaining and they say they have no problems lol. Please, how can I donate something to thank you for the whole day you spent with me and for all the work?



  • And btw, for Plex, under Advanced > alternative host name I put plex.direct and it is now working great. I can't thank you enough.



  • I just gave $20 to the FreeBSD Foundation from your link https://www.freebsdfoundation.org/donate/ and have the email to prove it if you would like to see it. I also thanked you in the comment box. Regards, friend, and thank you again.


  • LAYER 8 Global Moderator

    No problem, thanks for the donation.  You used to be able to donate directly to pfSense, but this is how they want donations now.

    I do this for fun; I like tech problems and helping people resolve them.  Getting useful info is normally the hard part.

    Yeah, I would say they are having all kinds of issues.  Is that the DNS they hand out to their subscribers?  Or is that just their authoritative DNS for their own domain?  When you let pfSense get DNS from your ISP, what IPs do you get?  It doesn't seem to be an open resolver, so that is good ;)  I get a REFUSED when I try to query, say, google.com off of them.

    What I can see as problems is that the SOA MNAME helium.melitacable.com is not even a valid record in their nameservers.  I see that both the name servers are on the same ASN (same network), and it looks to be the same class C.  This is a BAD IDEA!!!  If there is a problem with that network, both nameservers are down.  Most likely they are in the same location too, which is bad; what happens if the location has an outage?

    The SOA expire is quite long at 2419200; this should be more like 1 week, 2 weeks tops, not 28 days (4 weeks).

    Doesn't look like their MX accepts mail for postmaster, which is BAD and breaks all kinds of RFCs, and there isn't even an SPF record.  Some fly-by-night shitty little ISP to be sure ;)

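To turn the observations in this last post, and johnpoz's earlier ones on the 100-second TTL and the SOA, into a repeatable zone sanity check (example code written for this page, not a pfSense or dig feature): the record data below is transcribed from the dig output quoted in the thread and is used as constructed sample input, not queried live. The thresholds (`max_expire`, `min_ttl`, the /24 prefix test used as a rough stand-in for "same network") are assumptions taken from the judgements in the thread, not from any standard, and the `check_zone` and `melita_findings` names are this example's own.

```python
import ipaddress

# Sample input transcribed from the dig output quoted in this thread
# (constructed for this example; nothing here is looked up live).
NS_RRSET = [("melita.com.", 3600, "NS", "ns1.melitacable.com."),
            ("melita.com.", 3600, "NS", "ns.melitacable.com.")]
GLUE = {"ns.melitacable.com.": "212.56.128.132",
        "ns1.melitacable.com.": "212.56.128.196"}
SOA = {"mname": "helium.melitacable.com.", "rname": "domains.melitacable.com.",
       "serial": 2016022500, "refresh": 28800, "retry": 7200,
       "expire": 2419200, "minimum": 86400}
A_RRSET = [("speedtest.melita.com.", 100, "A", "212.56.138.60")]


def check_zone(ns_rrset, glue, soa, a_rrset,
               max_expire=14 * 86400, min_ttl=300, prefix_len=24):
    """Return a list of findings for one zone; an empty list means nothing looked off.
    Thresholds are this example's assumptions: 2-week expire ceiling and 300 s
    minimum TTL, both taken from the thread's own judgements."""
    findings = []
    ns_names = {rr[3] for rr in ns_rrset}

    # 1. The SOA MNAME should name one of the zone's listed name servers.
    if soa["mname"] not in ns_names:
        findings.append(f"SOA MNAME {soa['mname']} is not in the NS set {sorted(ns_names)}")

    # 2. Every NS address inside one prefix: one network outage takes the zone down.
    nets = {ipaddress.ip_network(f"{glue[n]}/{prefix_len}", strict=False)
            for n in ns_names if n in glue}
    if len(ns_names) > 1 and len(nets) == 1:
        findings.append(f"all {len(ns_names)} name servers sit in {next(iter(nets))}")

    # 3. A listed NS with no address record cannot be reached at all.
    for n in sorted(ns_names - set(glue)):
        findings.append(f"no address/glue for NS {n}")

    # 4. A very long SOA expire lets secondaries serve stale data for weeks.
    if soa["expire"] > max_expire:
        findings.append(f"SOA expire {soa['expire']}s exceeds {max_expire}s")

    # 5. Very short TTLs send every lookup back to the (here flaky) authority,
    #    which is why a resolver suffers and a forwarder with a warm cache does not.
    for owner, ttl, rtype, _ in a_rrset:
        if ttl < min_ttl:
            findings.append(f"{owner} {rtype} TTL {ttl}s is below {min_ttl}s")
    return findings


def melita_findings():
    """Run the checks over the sample data transcribed from the thread."""
    return check_zone(NS_RRSET, GLUE, SOA, A_RRSET)


if __name__ == "__main__":
    for finding in melita_findings():
        print("-", finding)
```

On the thread's data this reports exactly the four points raised in the discussion: an SOA MNAME that is not one of the name servers, both name servers in 212.56.128.0/24, an expire of 2419200 s, and a 100 s TTL on the speedtest record. Swapping in a second name server on a different prefix, an MNAME that is in the NS set, a 2-week expire and an hour-long TTL brings the finding list back to empty, which is a quick way to sanity-check a zone you are about to rely on (or to hand your ISP something concrete).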
