DNS Resolver doesn't work without forward mode enabled

emce

I recently updated to 2.3-RC and am running the following build:

2.3-RC (amd64) 
built on Sat Apr 02 02:20:10 CDT 2016 
FreeBSD 10.3-RELEASE 

When the system came back up after rebooting, DNS resolution from client machines was not working, however, I was able to resolve directly from PFSense.  After playing around, I finally found that enabling DNS Forward mode allowed client machines to resolve correctly.  I didn't change any other settings in PFSense.

The first screenshot shows my settings from the "System->General" settings page (I'm just using Google's servers) and the second screenshot shows my settings from the "Services->DNS" Resolver page.  Not seen is that "Localhost" is also selected in the "Network Interfaces" list on this page.

Finally, I am doing some trickery in my firewall to allow certain hosts (ie, my Roku, whose DNS servers I handle differently through the DHCP assignment) to access different DNS servers for region unlock reasons.  Otherwise, I'm dropping other requests.

Any ideas what might be going on?

Thanks!

jahonix

Select "WAN" in Outgoing Network Interfaces.

emce

Tried selecting "WAN" in the outgoing interfaces list and turning off forward mode again.  Unfortunately, it still isn't resolving for clients.

Thanks!

jahonix

System Domain Local Zone Type is new to the config. Have you set something for your local zone?
Just guessing, can't access my 2.3 test machine in the office currently.

emce

I did, and it's a proper, resolvable domain I own.

Thanks again!

cmb

Could you post, or PM me, your Unbound config.xml? Everything from <unbound>to</unbound> .

Generally speaking, when just enabling forwarding mode makes it work where it didn't previously, it's because your system can't do recursion for some reason (usually connectivity-related). Can't think of anything that would have changed between versions that would cause a behavior change like that, but it's not likely you'd stop being able to perform recursion post-upgrade.

emce

Sure thing, here you go:

 <unbound><prefetch><prefetchkey><msgcachesize>4</msgcachesize>
	<outgoing_num_tcp>0</outgoing_num_tcp>
	<incoming_num_tcp>0</incoming_num_tcp>
	<edns_buffer_size>512</edns_buffer_size>
	<num_queries_per_thread>512</num_queries_per_thread>
	<jostle_timeout>100</jostle_timeout>
	 <cache_max_ttl><cache_min_ttl><infra_host_ttl>60</infra_host_ttl>
	<infra_lame_ttl>60</infra_lame_ttl>
	<infra_cache_numhosts>1000</infra_cache_numhosts>
	<unwanted_reply_threshold>disabled</unwanted_reply_threshold>
	<log_verbosity>1</log_verbosity>
	 <regdhcp><regdhcpstatic><active_interface>lan,_lloclan,lo0</active_interface>
	<outgoing_interface>all</outgoing_interface>
	 <custom_options><enable><port><system_domain_local_zone_type>transparent</system_domain_local_zone_type>
	 <forwarding></forwarding></port></enable></custom_options></regdhcpstatic></regdhcp></cache_min_ttl></cache_max_ttl></prefetchkey></prefetch></unbound> 

Thanks!

cmb

Don't see any change in behavior between versions with that config. You have Snort or Suricata enabled with blocking? The other instance of subject issue that came up on 2.3 recently ended up being Suricata blocking a root server IP, which made recursion fail.

emce

Nope, I'm not currently running an IDS.  I did go ahead and disable forward mode to watch traffic, and saw connections being successfully established with the root servers.  While forwarding was turned off, I did some more lookups from the pfsense box, and found that it resolved correctly with my configured DNS servers, but did not resolve through itself. Instead, it just listed, "No Response".  This took a while to return, so I'm not sure if was a communication issue back to itself or it just wasn't able to resolve.

Thanks again for the help!

johnpoz

sniff on your wan, do some queries with normal unbound resolve mode…  You should see it go out and walk the dns trees, are you getting responses?

jwsmiths

@emce:

I recently updated to 2.3-RC and am running the following build:

2.3-RC (amd64) 
built on Sat Apr 02 02:20:10 CDT 2016 
FreeBSD 10.3-RELEASE 

When the system came back up after rebooting, DNS resolution from client machines was not working, however, I was able to resolve directly from PFSense.  After playing around, I finally found that enabling DNS Forward mode allowed client machines to resolve correctly.  I didn't change any other settings in PFSense.

The first screenshot shows my settings from the "System->General" settings page (I'm just using Google's servers) and the second screenshot shows my settings from the "Services->DNS" Resolver page.  Not seen is that "Localhost" is also selected in the "Network Interfaces" list on this page.

Finally, I am doing some trickery in my firewall to allow certain hosts (ie, my Roku, whose DNS servers I handle differently through the DHCP assignment) to access different DNS servers for region unlock reasons.  Otherwise, I'm dropping other requests.

Any ideas what might be going on?

Thanks!

Out of curiosity do you have SNORT or SURICATA installed?  I had the same bug you are having and I later found that it was due to Suricata blocking access to the root DNS servers.  Once I cleared those blocks everything returned to functioning normally.

-Justin

jahonix

@emce:

Nope, I'm not currently running an IDS.