DNS Resolver problems

Chrismallia · Mar 7, 2016, 9:05 PM

Hi I recently installed pdsense 2.2.6 and had 2 problems. 1 was when doing a speedtest.net using my isp server I get a latency error, and 2 with PLEX media server I could not use a ssl secure connection, I now disabled dns resolver and enabled dns forwarder and all my problems have gone, I now can do a speedtest fine and plex can use a secure connection. Are there any Ideas why? and what are the down sides in using forwarder then resolver?

KOM · Mar 7, 2016, 9:41 PM

I'm not sure as to how that would make a difference. DNS is DNS. If you can resolve hostnames to IP addresses, DNS has done its job. DNS has nothing to do with the latency of your connection, or SSL handshakes. Do you have forwarding mode enabled?

https://doc.pfsense.org/index.php/DNS_Forwarder

https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

Chrismallia · Mar 7, 2016, 9:51 PM

@KOM:

I'm not sure as to how that would make a difference. DNS is DNS. If you can resolve hostnames to IP addresses, DNS has done its job. DNS has nothing to do with the latency of your connection, or SSL handshakes. Do you have forwarding mode enabled?

https://doc.pfsense.org/index.php/DNS_Forwarder

https://doc.pfsense.org/index.php/Unbound_DNS_Resolver

I do not know. All I know is that I never had these 2 problems with other router and untangle only with pfsense, I disabled the resolver and enabled forwarder and gave it opendns server. what fixed it? I do not know, all I know is that evrything is working fine under forwarder so something must be wrong in resolver

KOM · Mar 7, 2016, 9:56 PM

Do you have forwarding mode enabled?

Chrismallia · Mar 7, 2016, 10:05 PM

in resolver forwarding mode is disabled. Here is a update I re enabled resolver and went to dhcp server and gave the dns server of opendns there as in resolver the dns server/general does not get forwarded to the devices, this way I do not have the problem. so its not resolver but something wrong is happening when if I leave dns default

hda · Mar 7, 2016, 10:18 PM

If using DNS Resolver, assure that in DNS Forwarder there are no checkboxes checked. Correct it via enable/save methods.
And DNS Resolver does work without any other public DNS server. It does query with the Root's. So 127.0.0.1 is your DNS server for LAN.

Chrismallia · Mar 7, 2016, 10:35 PM

@hda:

If using DNS Resolver, assure that in DNS Forwarder there are no checkboxes checked. Correct it via enable/save methods.
And DNS Resolver does work without any other public DNS server. It does query with the Root's. So 127.0.0.1 is your DNS server for LAN.

I am sure forwarder is off I also did a clean installation last time of pfsense but with same problems, using a public dns solved them for me, and with plex I read in plex forums that with pfsense they can not use a secure conection for some reason I bet they have my same problem

johnpoz · Mar 7, 2016, 10:53 PM

Lets be clear here, dns has NOTHING to do with the latency of your connection. It can be a bit slower than just using a resolver because it is talking to the actual authoritative server of the domain, and not just pulling a cached entry from your isp or public dns that has 100 of thousands of queries going to it and more likely than not has what you were looking for cached.

The authoritative name server for a specific domain might be on the other side of the globe from you. And you have to find it by walking to down the tree from root.. from . to tld to domain, etc. So that initial query might be a bit slower than just your plain jane forwarder. Also resolver is using dnssec out of the box, which the forwarder is not.

With the resolver you are sure you have full dnssec support and are getting the info from the horses mouth, with a forwarder you have no idea if that IP you looked up is OLD or bad even.. Your just getting what is in the cache of that dns your using.

Now once the resolver has looked it up, it will cache it and the next time you query it as long as your inside the ttl of that record is will be FAST as anything else you look up from the forwarder that was locally cached.

This has nothing to do with SSL or latency of your actual connection.

As to using plex with ssl.. WTF does that have to do with dns?? And sure and the hell pfsense is not going to be doing anything with a https connection any different than any other packets. Unless your using squid with pfsense?? And trying to do ssl interception??

I have plex server and use pfsense have no issues at all. If you point me to this plex thread or give some details of what doesn't work I would be happy to test that.

As to using forwarder vs resolver - I can tell you if your internet connection is shitty, or your isp is shitty and does dns interception/blocking then yea resolver is not going to be for you. And your better off using the forwarder.

But in the big picture using the resolver is much better from a security standpoint than using a forwarder.

Where you can also have a problem with resolver is if the domain your trying to lookup has broken dnssec - then yeah those lookups will FAIL as they rightfully should.. Where if using the forwarder that is not doing dnssec they would lookup just fine.

If your stuff is working fine with forwarder, and your happy then there you go end of discussion. But there is nothing different in the end result with forwarder or resolver when ti comes to looking up something - in the end you look up www.domain.tld you get back an IP.. Those are the exactly the same - its just the security and method of how that actually happens is where there is a difference. And none of that would have any effect on the speed of your connection or ssl..

As to not being able to do speedtest - I use the resolver and can tell you for fact that speedtest works just fine..

If you want to figure out what your actual problem is, please go back to the resolver and post some actual info to what your problem is other than some mention of latency error?? To what speedtest? Something your ISP has setup?? That maybe only their dns resolves? What is the FQDN your trying to go to something.domain.tld ???

And are you trying to connect to your plex remotely with SSL?? Or what exactly?

Derelict · Mar 7, 2016, 11:05 PM

And if the forwarder works and you decide to stick with it I would try enabling forwarder mode of the resolver instead. Then you'll be using the currently-embraced unbound instead of the on-the-way-out dnsmasq.

Chrismallia · Mar 8, 2016, 8:29 AM

@johnpoz:

Lets be clear here, dns has NOTHING to do with the latency of your connection. It can be a bit slower than just using a resolver because it is talking to the actual authoritative server of the domain, and not just pulling a cached entry from your isp or public dns that has 100 of thousands of queries going to it and more likely than not has what you were looking for cached.

The authoritative name server for a specific domain might be on the other side of the globe from you. And you have to find it by walking to down the tree from root.. from . to tld to domain, etc. So that initial query might be a bit slower than just your plain jane forwarder. Also resolver is using dnssec out of the box, which the forwarder is not.

With the resolver you are sure you have full dnssec support and are getting the info from the horses mouth, with a forwarder you have no idea if that IP you looked up is OLD or bad even.. Your just getting what is in the cache of that dns your using.

Now once the resolver has looked it up, it will cache it and the next time you query it as long as your inside the ttl of that record is will be FAST as anything else you look up from the forwarder that was locally cached.

This has nothing to do with SSL or latency of your actual connection.

As to using plex with ssl.. WTF does that have to do with dns?? And sure and the hell pfsense is not going to be doing anything with a https connection any different than any other packets. Unless your using squid with pfsense?? And trying to do ssl interception??

I have plex server and use pfsense have no issues at all. If you point me to this plex thread or give some details of what doesn't work I would be happy to test that.

As to using forwarder vs resolver - I can tell you if your internet connection is shitty, or your isp is shitty and does dns interception/blocking then yea resolver is not going to be for you. And your better off using the forwarder.

But in the big picture using the resolver is much better from a security standpoint than using a forwarder.

Where you can also have a problem with resolver is if the domain your trying to lookup has broken dnssec - then yeah those lookups will FAIL as they rightfully should.. Where if using the forwarder that is not doing dnssec they would lookup just fine.

If your stuff is working fine with forwarder, and your happy then there you go end of discussion. But there is nothing different in the end result with forwarder or resolver when ti comes to looking up something - in the end you look up www.domain.tld you get back an IP.. Those are the exactly the same - its just the security and method of how that actually happens is where there is a difference. And none of that would have any effect on the speed of your connection or ssl..

As to not being able to do speedtest - I use the resolver and can tell you for fact that speedtest works just fine..

If you want to figure out what your actual problem is, please go back to the resolver and post some actual info to what your problem is other than some mention of latency error?? To what speedtest? Something your ISP has setup?? That maybe only their dns resolves? What is the FQDN your trying to go to something.domain.tld ???

And are you trying to connect to your plex remotely with SSL?? Or what exactly?

http://forums.sagetv.com/forums/showthread.php?t=62233
https://forums.plex.tv/discussion/175111/pfsense-plex-secure-plex-web-and-long-delay-at-startup

here is the plex problems I am not the only one. say that it can not be how much you like I know what problems I have I invite any admin for a rdp session and see whats going on. As for speedtest.net yes yes with only the resolver I get the error when I enter a opendns in the dhcp serve the problems go, I have had ddwrt,gargoylr,netgear,Asus and untangle and never had these 2 problems I install pfsense with resolver and I get these 2 problems and you say its from my end? if its from my end how come these problems happen only in pfsense using resolver?

Derelict · Mar 8, 2016, 8:31 AM

If you're having DNS problems learn to use DNS tools like dig/drill to figure out what's going on.

Chrismallia · Mar 8, 2016, 8:34 AM

@Derelict:

And if the forwarder works and you decide to stick with it I would try enabling forwarder mode of the resolver instead. Then you'll be using the currently-embraced unbound instead of the on-the-way-out dnsmasq.

Thanks will try it

Chrismallia · Mar 8, 2016, 11:11 AM

I removed the opendns and tried speed test here is a pic

hda · Mar 8, 2016, 11:26 AM

Your pfSense problems need pictures of:
System: General Setup,
Services: DNS forwarder,
Services: DNS Resolver,
Services: DHCP server,
and the clienthost IPaddress from where you test the speed. :)

Chrismallia · Mar 8, 2016, 12:01 PM

IP 192.168.1.14 AND 192.168.1.2

Thanks

hda · Mar 8, 2016, 12:18 PM

System: General Setup, you do not need "allow DNS serverlist overridden checked.."
Services: DNS Resolver, listening Network interfaces: select only the inside LAN's,

Both the clients have received a DHCP-lease, with DNS 127.0.0.1/192.168.1.1 right ? (So no static with own public DNS)
You have allowed firewall LAN all outgoing ? (at least you want [IPv4 TCP/UDP LAN net * This Firewall 53 (DNS)] )

johnpoz · Mar 8, 2016, 12:28 PM

That plex issue with secure plex sure seems to be rebinding protection.. Not DNS exactly.. Yeah public domains shouldn't resolve to rfc1918 address space..

So you could make an exception
server:
private-domain: "example.com"

For the domain your trying to hit, or you could just use a host override to point whatever your accessing outside locally so its not public lookup that returns rfc1918

Forwarder does rebinding protection as well you would need something like
rebind-domain-ok=/mydomain.com/

https://doc.pfsense.org/index.php/DNS_Rebinding_Protections

In the advanced section of the forwarder to allow your domain to return private IP space. or you could just turn off rebinding protection. How exactly are you trying to access plex??

More than likely your shitty off the shelf routers not going to provide rebinding protection. As to your speedtest… What is the url your using to access that speedtest??

Me personally I don't access my plex from outside other than with vpn.. Clickity Clickity on my vpn network, click open plex app on phone or ipad there you go.. Same goes for any computer, I just vpn in and hit the web page of my plex server.

Chrismallia · Mar 8, 2016, 1:26 PM

HI johnpoz

You are 100 percent right, the plex problem was the rebinding and ye lol you where again right shitty routers do not have dns rebinding protection and looks like untangle does not have it also so A++ to pfsense :P, I use the phone app or some users use the web browser to access plex, the problem seams to be in using browser but hey it is not worth loosing rebinding protection over it It makes much more sence as you say to use VPN. As for the speedtest I go to speedtest.net and choose my ISP server Madlina, strange part is if i user speedtest.net and select a different server other then my isp it works, and when I specify a public dns in dhcp server madlina works, I turned of dns overwrite in general setup but still same problem

Chrismallia · Mar 8, 2016, 1:33 PM

@hda:

System: General Setup, you do not need "allow DNS serverlist overridden checked.."
Services: DNS Resolver, listening Network interfaces: select only the inside LAN's,

Both the clients have received a DHCP-lease, with DNS 127.0.0.1/192.168.1.1 right ? (So no static with own public DNS)
You have allowed firewall LAN all outgoing ? (at least you want [IPv4 TCP/UDP LAN net * This Firewall 53 (DNS)] )

Hi I removed the overwrite in general
2 the 192.168.1.2 has a static dhcp set in the pfsense dhcp
3 resolver listining interface I can not select LAN on its own I get
The following input errors were detected:

This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
when I select local host I do ot get dns

hda · Mar 8, 2016, 1:49 PM

@Chrismallia:

resolver listining interface I can not select LAN on its own I get
The following input errors were detected:

This system is configured to use the DNS Resolver as its DNS server, so Localhost or All must be selected in Network Interfaces.
when I select local host I do ot get dns

Correct, I forgot to point for Localhost too. Use Ctrl+mouseclick to select LAN(s) and Localhost. (But 'All' should work OK)