Netgate Discussion Forum

    DNS Resolver doesn't work without forward mode enabled

    • emce

      I recently updated to 2.3-RC and am running the following build:

      2.3-RC (amd64) 
      built on Sat Apr 02 02:20:10 CDT 2016 
      FreeBSD 10.3-RELEASE 
      

      When the system came back up after rebooting, DNS resolution from client machines was not working; however, I was able to resolve directly from pfSense.  After playing around, I finally found that enabling DNS Forward mode allowed client machines to resolve correctly.  I didn't change any other settings in pfSense.

      The first screenshot shows my settings from the "System->General" settings page (I'm just using Google's servers) and the second screenshot shows my settings from the "Services->DNS" Resolver page.  Not seen is that "Localhost" is also selected in the "Network Interfaces" list on this page.

      Finally, I am doing some trickery in my firewall to allow certain hosts (i.e., my Roku, whose DNS servers I handle differently through the DHCP assignment) to access different DNS servers for region unlock reasons.  Otherwise, I'm dropping other requests.

      Any ideas what might be going on?

      Thanks!
      Attachments: general.png, dnsresolver.png, firewall.png

    • jahonix

        Select "WAN" in Outgoing Network Interfaces.

    • emce

          Tried selecting "WAN" in the outgoing interfaces list and turning off forward mode again.  Unfortunately, it still isn't resolving for clients.

          Thanks!

    • jahonix

            System Domain Local Zone Type is new to the config. Have you set something for your local zone?
            Just guessing, can't access my 2.3 test machine in the office currently.

    • emce

              I did, and it's a proper, resolvable domain I own.

              Thanks again!

    • cmb

                Could you post, or PM me, your Unbound config.xml? Everything from <unbound> to </unbound>.

                Generally speaking, when just enabling forwarding mode makes it work where it didn't previously, it's because your system can't do recursion for some reason (usually connectivity-related). Can't think of anything that would have changed between versions that would cause a behavior change like that, but it's not likely you'd stop being able to perform recursion post-upgrade.

    • emce

                  Sure thing, here you go:

                  <unbound>
                  	<prefetch></prefetch>
                  	<prefetchkey></prefetchkey>
                  	<msgcachesize>4</msgcachesize>
                  	<outgoing_num_tcp>0</outgoing_num_tcp>
                  	<incoming_num_tcp>0</incoming_num_tcp>
                  	<edns_buffer_size>512</edns_buffer_size>
                  	<num_queries_per_thread>512</num_queries_per_thread>
                  	<jostle_timeout>100</jostle_timeout>
                  	<cache_max_ttl></cache_max_ttl>
                  	<cache_min_ttl></cache_min_ttl>
                  	<infra_host_ttl>60</infra_host_ttl>
                  	<infra_lame_ttl>60</infra_lame_ttl>
                  	<infra_cache_numhosts>1000</infra_cache_numhosts>
                  	<unwanted_reply_threshold>disabled</unwanted_reply_threshold>
                  	<log_verbosity>1</log_verbosity>
                  	<regdhcp></regdhcp>
                  	<regdhcpstatic></regdhcpstatic>
                  	<active_interface>lan,_lloclan,lo0</active_interface>
                  	<outgoing_interface>all</outgoing_interface>
                  	<custom_options></custom_options>
                  	<enable></enable>
                  	<port></port>
                  	<system_domain_local_zone_type>transparent</system_domain_local_zone_type>
                  	<forwarding></forwarding>
                  </unbound>
                  

                  Thanks!

    • cmb

                    Don't see any change in behavior between versions with that config. You have Snort or Suricata enabled with blocking? The other instance of this issue that came up on 2.3 recently ended up being Suricata blocking a root server IP, which made recursion fail.

    • emce

                      Nope, I'm not currently running an IDS.  I did go ahead and disable forward mode to watch traffic, and saw connections being successfully established with the root servers.  While forwarding was turned off, I did some more lookups from the pfSense box, and found that it resolved correctly with my configured DNS servers, but did not resolve through itself. Instead, it just listed "No Response".  This took a while to return, so I'm not sure if it was a communication issue back to itself or it just wasn't able to resolve.

                      Thanks again for the help!

    • johnpoz (Global Moderator)

                        sniff on your wan, do some queries with normal unbound resolve mode…  You should see it go out and walk the dns trees, are you getting responses?

                        An intelligent man is sometimes forced to be drunk to spend time with his fools
                        If you get confused: Listen to the Music Play
                        Please don't Chat/PM me for help, unless mod related
                        SG-4860 24.11 | Lab VMs 2.8, 24.11

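cmb's point above (forwarding works but plain resolution does not, so the box cannot recurse) and johnpoz's suggestion (sniff the WAN and see whether root-server queries get answers) can be checked without a packet capture by asking the root servers directly. The script below is an added diagnostic written for this thread; it is not pfSense or Unbound code. It assumes Python 3 and outbound UDP/53 from the host it runs on (the firewall itself is the interesting place), sends each root server a `. NS` question with the RD bit clear, exactly what a recursing resolver sends an authoritative server, and sends the same question with RD set to the forwarders the thread mentions (Google public DNS). Forwarders answering while no root does is the "can't recurse" pattern cmb describes.

```python
#!/usr/bin/env python3
"""Probe the DNS root servers directly, the way a recursing Unbound would.

Added diagnostic for this forum thread, not pfSense/Unbound code. Assumes
Python 3 and outbound UDP/53 from wherever it runs.
"""
import random
import socket
import struct

# A few root-server addresses (public, long-standing values); any subset of
# the 13 is enough for a reachability check.
ROOT_SERVERS = {
    "a.root-servers.net": "198.41.0.4",
    "c.root-servers.net": "192.33.4.12",
    "f.root-servers.net": "192.5.5.241",
    "k.root-servers.net": "193.0.14.129",
    "m.root-servers.net": "202.12.27.33",
}
# The forwarders from the thread (Google public DNS), queried for contrast.
FORWARDERS = {"google-1": "8.8.8.8", "google-2": "8.8.4.4"}

QTYPE_NS = 2
QCLASS_IN = 1


def build_query(name, txid, qtype=QTYPE_NS, rd=False):
    """Build a wire-format DNS query: RFC 1035 header plus one question."""
    flags = 0x0100 if rd else 0x0000          # RD is bit 8 of the flags word
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0)
    qname = b""
    for label in name.strip(".").split("."):
        if label:                             # the root name "." has no labels
            qname += bytes([len(label)]) + label.encode("ascii")
    qname += b"\x00"
    return header + qname + struct.pack("!HH", qtype, QCLASS_IN)


def parse_response(data, expected_txid):
    """Extract the header fields that matter here: whether it is a response
    to our query, the RCODE, and the answer/authority record counts."""
    if len(data) < 12:
        raise ValueError("short DNS packet")
    txid, flags, _qd, an, ns, _ar = struct.unpack("!HHHHHH", data[:12])
    if txid != expected_txid:
        raise ValueError("transaction id mismatch")
    return {
        "is_response": bool(flags & 0x8000),
        "rcode": flags & 0x000F,
        "answers": an,
        "authority": ns,
    }


def probe(ip, rd=False, timeout=3.0):
    """Send one '. NS' query over UDP and classify what comes back."""
    txid = random.randint(0, 0xFFFF)
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.settimeout(timeout)
    try:
        sock.sendto(build_query(".", txid, rd=rd), (ip, 53))
        data, _ = sock.recvfrom(4096)
        result = parse_response(data, txid)
        ok = result["is_response"] and result["rcode"] == 0
        result["status"] = "ok" if ok else "bad-reply"
        return result
    except socket.timeout:                    # must precede OSError (subclass)
        return {"status": "timeout"}
    except (OSError, ValueError) as exc:
        return {"status": "error: %s" % exc}
    finally:
        sock.close()


def summarize(root_results, forwarder_results):
    """One-line verdict from the per-server statuses."""
    roots_ok = [n for n, r in root_results.items() if r["status"] == "ok"]
    fwd_ok = [n for n, r in forwarder_results.items() if r["status"] == "ok"]
    if not roots_ok and fwd_ok:
        return "forwarders answer but no root server does: recursion is blocked"
    if not roots_ok:
        return "nothing answers: general outbound DNS/UDP problem"
    if len(roots_ok) < len(root_results):
        missing = sorted(set(root_results) - set(roots_ok))
        return "some root servers unreachable: " + ", ".join(missing)
    return "all probed root servers answer: recursion path looks fine"


def main():
    roots = {n: probe(ip) for n, ip in ROOT_SERVERS.items()}
    fwds = {n: probe(ip, rd=True) for n, ip in FORWARDERS.items()}
    for group in (roots, fwds):
        for name, r in group.items():
            print("%-22s %s" % (name, r["status"]))
    print(summarize(roots, fwds))


if __name__ == "__main__":
    main()
```

Run it on the firewall with forwarding disabled; a "timeout" for every root while the forwarders answer points at something between the box and the roots (an IDS block, a floating rule, an upstream filter) rather than at Unbound's configuration.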
    • jwsmiths

                          @emce:

                          When the system came back up after rebooting, DNS resolution from client machines was not working; however, I was able to resolve directly from pfSense.  After playing around, I finally found that enabling DNS Forward mode allowed client machines to resolve correctly.  I didn't change any other settings in pfSense.

                          Out of curiosity do you have SNORT or SURICATA installed?  I had the same bug you are having and I later found that it was due to Suricata blocking access to the root DNS servers.  Once I cleared those blocks everything returned to functioning normally.

                          -Justin

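Both cmb and jwsmiths trace this symptom to Suricata blocking a root-server address. On pfSense, Snort and Suricata both insert their blocks into the pf table named snort2c, so the quickest check is to compare that table against the root-server addresses. The script below is an added check for this thread, not part of pfSense or either IDS package; it assumes it runs on the firewall with pfctl on the PATH and that the blocking table is snort2c. The parsing is separated from the pfctl call so the logic can be exercised on constructed table output.

```python
#!/usr/bin/env python3
"""Report any DNS root-server address sitting in the snort2c block table.

Added check for this forum thread, not pfSense or IDS package code. Assumes
it runs on the firewall with pfctl available and the table named snort2c.
"""
import ipaddress
import subprocess

# A few root-server addresses (public, long-standing values).
ROOT_SERVERS = {
    "a.root-servers.net": "198.41.0.4",
    "c.root-servers.net": "192.33.4.12",
    "f.root-servers.net": "192.5.5.241",
    "k.root-servers.net": "193.0.14.129",
    "m.root-servers.net": "202.12.27.33",
}

BLOCK_TABLE = "snort2c"


def parse_table(text):
    """Turn `pfctl -t <table> -T show` output into (entry, network) pairs.

    Entries may be single hosts or CIDR blocks; blank or unparsable lines
    are skipped so one odd line does not abort the whole check."""
    entries = []
    for line in text.splitlines():
        entry = line.strip()
        if not entry:
            continue
        try:
            entries.append((entry, ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue
    return entries


def blocked_roots(table_text, roots=ROOT_SERVERS):
    """Map each root server whose address falls inside a blocked entry to
    the table entry (host or CIDR) that covers it."""
    entries = parse_table(table_text)
    hits = {}
    for name, ip in roots.items():
        addr = ipaddress.ip_address(ip)
        for entry, net in entries:
            if addr.version == net.version and addr in net:
                hits[name] = entry
                break
    return hits


def main():
    proc = subprocess.run(
        ["pfctl", "-t", BLOCK_TABLE, "-T", "show"],
        capture_output=True, text=True, check=False,
    )
    if proc.returncode != 0:
        print("pfctl failed: %s" % proc.stderr.strip())
        return
    hits = blocked_roots(proc.stdout)
    if not hits:
        print("no root-server address in %s" % BLOCK_TABLE)
        return
    for name, entry in sorted(hits.items()):
        print("%s is covered by %s entry %s" % (name, BLOCK_TABLE, entry))
    print("Unbound cannot recurse while these are blocked; review the IDS "
          "alert that added them and clear the block or tune the rule.")


if __name__ == "__main__":
    main()
```

A hit here explains the thread's symptom directly: Unbound's outbound queries to that root never get an answer, while forwarding mode, which only talks to the configured forwarders, keeps working.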
    • jahonix

                            @emce:

                            Nope, I'm not currently running an IDS.

                            Copyright 2025 Rubicon Communications LLC (Netgate). All rights reserved.