
Author Topic: 2.4.1: local DNS not working  (Read 1218 times)


Gertjan
Re: 2.4.1: local DNS not working
« Reply #45 on: November 10, 2017, 10:11:19 am »
After that I checked /var/unbound/root.key and found it zero sized.....
From what I make of it, this file is related to the DNSSEC unbound housekeeping.
The file is auto re-created rather often, it seems.

Is unbound unable to write to this place? A problem with the file system?

Btw: this is my file:
Code:
; autotrust trust anchor file
;;id: . 1
;;last_queried: 1510324020 ;;Fri Nov 10 15:27:00 2017
;;last_success: 1510324020 ;;Fri Nov 10 15:27:00 2017
;;next_probe_time: 1510363838 ;;Sat Nov 11 02:30:38 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 AwEAAagAIKlVZrpC6Ia7gEzahOR+9W29euxhJhVVLOyQbSEW0O8gcCjFFVQUTf6v58fLjwBd0YI0EzrAcQqBGCzh/RStIoO8g0NfnfL2MTJRkxoXbfDaUeVPQuYEhg37NZWAJQ9VnMVDxP/VHL496M/QZxkjf5/Efucp2gaDX6RS6CXpoY68LsvPVjR0ZSwzz1apAzvN9dlzEheX7ICJBBtuA6G3LQpzW5hOA2hzCTMjJPJ8LbqF6dsV6DoBQzgul0sGIcGOYl7OyQdXfZ57relSQageu+ipAdTTJ25AsRTAoub8ONGcLmqrAmRLKBP1dfwhYB4N7knNnulqQxA+Uk1ihz0= ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1422533205 ;;Thu Jan 29 13:06:45 2015
. 172800 IN DNSKEY 257 3 8 AwEAAaz/tAm8yTn4Mfeh5eyI96WSVexTBAvkMgJzkKTOiW1vkIbzxeF3+/4RgWOq7HrxRixHlFlExOLAJr5emLvN7SWXgnLh4+B5xQlNVz8Og8kvArMtNROxVQuCaSnIDdD5LKyWbRd2n9WGe2R8PzgCmr3EgVLrjyBxWezF0jLHwVN8efS3rCj/EWgvIWgb9tarpVUDK/b58Da+sqqls3eNbuv7pr+eoZG+SrDK6nWeL3c6H5Apxz7LjVc1uTIdsIXxuOLYA4/ilBmSVIzuDWfdRUfhHdY6+cn8HFRm+2hM8AnXGXws9555KrUB5qihylGa8subX2Nn6UwNR1AkUTV74bU= ;{id = 20326 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1502688003 ;;Mon Aug 14 07:20:03 2017


Also: DNSSEC is checked in my unbound setup (some of my sites are already DNSSEC compatible; all of them will be as soon as I fully understand how this all works AND how to automate the maintenance of it, which is rather daunting).
Example : http://dnsviz.net/d/test-domaine.fr/dnssec/

edit: or maybe this: you checked DNSSEC, but your unbound can not connect to DNS servers to establish DNSSEC traffic (if that even exists, other than basic port 53 UDP and TCP streams).
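A quick way to check the kind of root.key file quoted above is to parse the autotrust metadata and the anchor lines and flag the states the post worries about (an empty file, no VALID KSK, failed probes, a probe time that never advances). This is an added example, not code from the post or from unbound; the DNSKEY base64 in the sample is a constructed placeholder, not real key material.

```python
"""Sanity-check an unbound autotrust anchor file (the root.key layout quoted above).
Added example, not unbound's code; the DNSKEY base64 is a constructed placeholder."""
import re

# Constructed sample in the autotrust layout; timestamps follow the post.
SAMPLE = """; autotrust trust anchor file
;;id: . 1
;;last_queried: 1510324020 ;;Fri Nov 10 15:27:00 2017
;;last_success: 1510324020 ;;Fri Nov 10 15:27:00 2017
;;next_probe_time: 1510363838 ;;Sat Nov 11 02:30:38 2017
;;query_failed: 0
;;query_interval: 43200
;;retry_time: 8640
. 172800 IN DNSKEY 257 3 8 PLACEHOLDERKEYDATA== ;{id = 19036 (ksk), size = 2048b} ;;state=2 [  VALID  ] ;;count=0 ;;lastchange=1422533205 ;;Thu Jan 29 13:06:45 2015
"""

META_RE = re.compile(r"^;;(\w+):\s+(\S+)")
# flags, protocol (always 3), algorithm, key data, key tag, autotrust state
KEY_RE = re.compile(r"^\.\s+\d+\s+IN\s+DNSKEY\s+(\d+)\s+3\s+(\d+)\s+(\S+)\s+;\{id = (\d+).*?;;state=(\d+)")

def parse_anchor(text):
    """Split the file into its ;;key: value metadata and its DNSKEY anchor lines."""
    meta, keys = {}, []
    for line in text.splitlines():
        m = META_RE.match(line)
        if m:
            meta[m.group(1)] = m.group(2)
            continue
        k = KEY_RE.match(line)
        if k:
            keys.append({"flags": int(k.group(1)), "alg": int(k.group(2)),
                         "keytag": int(k.group(4)), "state": int(k.group(5))})
    return meta, keys

def check_anchor(text, now):
    """Return a list of findings for the anchor file; an empty list means it looks healthy."""
    if not text.strip():
        return ["file is empty: no trust anchor, so DNSSEC validation cannot succeed"]
    meta, keys = parse_anchor(text)
    findings = []
    # autotrust state 2 is VALID; a usable anchor is a KSK (flags 257) in that state.
    if not any(k["state"] == 2 and k["flags"] == 257 for k in keys):
        findings.append("no VALID KSK anchor present")
    if int(meta.get("query_failed", "0")) > 0:
        findings.append("recent probes failed: query_failed=%s" % meta["query_failed"])
    if "next_probe_time" in meta and int(meta["next_probe_time"]) < now:
        findings.append("next_probe_time is in the past: unbound is not refreshing the file")
    return findings
```

Run it against the real file with `check_anchor(open("/var/unbound/root.key").read(), int(time.time()))`; a zero-sized file, as in the post, produces the first finding immediately.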

johnpoz
Re: 2.4.1: local DNS not working
« Reply #46 on: November 10, 2017, 10:17:33 am »
@Gertjan if you're looking to automate signing of your domains, etc., the article here was quite informative on the setup and creation of a zonesigner script that you can just cron to update, etc.

https://www.digitalocean.com/community/tutorials/how-to-setup-dnssec-on-an-authoritative-bind-dns-server--2
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)

0xis
Re: 2.4.1: local DNS not working
« Reply #47 on: November 11, 2017, 09:08:46 am »
I too have experienced problems with the DNS Resolver since upgrading to 2.4.1. It was timed just about perfectly with the Comcast outage that happened this week so I wasn't sure if the problem was on my end or not. At the time, I was also attempting to set up LAGG/LACP and had a good amount of problems with that (the reason for upgrading from 2.3) but that's another story.

After reading through the thread and running the dig commands Derelict suggested earlier, I noticed that 192.168.1.1 would resolve google.com but 192.168.10.1 (the VLAN) and 8.8.8.8/8.8.4.4 would not. I edited the desktop pc's resolv.conf file to nameserver 192.168.1.1 and the resolver now works as expected.

Previously, the resolv.conf nameserver entry was pointing to VLAN 10 which this pc is on. (192.168.10.1)

What would have caused the previous configuration to not work anymore?

For reference, I followed this guide on setting up the vpn and firewall: https://nguvu.org/pfsense/pfsense-baseline-setup/

Dude.

Enable the resolver.

Go to the client that doesn't work.

What are the configured name servers on that client? Probably in /etc/resolv.conf. There is a lot of disparity in how this is done now. In Ubuntu it's all generated by resolvconf, YDMV.

Query each of them individually as in:

dig @192.168.1.1 www.google.com A
dig @192.168.1.1 www.google.com AAAA
dig @192.168.10.1 www.google.com A
dig @192.168.10.1 www.google.com AAAA

dig @8.8.8.8 www.google.com A
dig @8.8.8.8 www.google.com AAAA
dig @8.8.4.4 www.google.com A
dig @8.8.4.4 www.google.com AAAA

See if you can see where the problem is.
Dell r210ii - Intel Xeon E3-1220 V2 - 8Gb Ram

johnpoz
Re: 2.4.1: local DNS not working
« Reply #48 on: November 11, 2017, 09:20:23 am »
"What would have caused the previous configuration to not work anymore?"

Unbound was not listening on that vlan IP. Your firewall rules do not allow access to the vlan IP on 53.

What are your firewall rules on your vlan 10 interface? Is your device still in vlan 10? Can you ping the pfsense vlan 10 IP? Is unbound set to listen on the vlan 10 interface?

Look in the unbound log: when it starts up, did it have a problem binding to the IP? Look at the output of netstat -an run on pfsense; does it show it listening?
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.3.4_p1 (work)
1x 2.4.2-RELEASE on VM esxi 6.5 (home)
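The netstat -an check suggested above is easy to get wrong by eye: a TCP LISTEN line on port 53 looks fine, but resolver clients send their queries over UDP, which netstat prints with no state column. This added example (not from the thread) parses the FreeBSD netstat -an column layout that pfSense prints and reports which of TCP and UDP port 53 are missing on a given interface address; the sample output is constructed.

```python
"""Check a FreeBSD 'netstat -an' dump for a DNS listener on an interface IP.
Added example, not from the thread; NETSTAT_SAMPLE is constructed."""

# Constructed sample modelled on the netstat -an layout pfSense prints.
NETSTAT_SAMPLE = """Active Internet connections (including servers)
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.10.1.53        *.*                    LISTEN
tcp4       0      0 192.168.1.1.53         *.*                    LISTEN
udp4       0      0 192.168.1.1.53         *.*
tcp4       0      0 127.0.0.1.953          *.*                    LISTEN
"""

def split_local(addr):
    """'192.168.10.1.53' -> ('192.168.10.1', 53): netstat appends the port after a dot."""
    host, _, port = addr.rpartition(".")
    return host, int(port)

def dns_listeners(netstat_text):
    """Return {ip: set of 'tcp'/'udp'} for every local socket bound to port 53."""
    found = {}
    for line in netstat_text.splitlines():
        cols = line.split()
        if len(cols) < 4 or not cols[0].startswith(("tcp", "udp")):
            continue  # header lines and unix-domain sockets
        # A TCP socket only counts if it is in LISTEN; UDP sockets carry no state column.
        if cols[0].startswith("tcp") and (len(cols) < 6 or cols[5] != "LISTEN"):
            continue
        ip, port = split_local(cols[3])
        if port == 53:
            found.setdefault(ip, set()).add(cols[0][:3])
    return found

def check_resolver_ip(netstat_text, ip):
    """Transports missing for a usable resolver on ip; an empty list means both are bound."""
    protos = dns_listeners(netstat_text).get(ip, set())
    return [p for p in ("tcp", "udp") if p not in protos]
```

On pfSense the input comes from `netstat -an`; a result of `['udp']` for the VLAN address means unbound has a TCP listener there but clients' normal UDP queries have nowhere to go.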

0xis
Re: 2.4.1: local DNS not working
« Reply #49 on: November 11, 2017, 10:30:16 am »
Like you mentioned, I think it may be a firewall rule issue. I am slowly getting better at understanding the logic to them but still struggle from time to time.

VL10 Rules
Before posting this reply, I created a rule at the top of VL10:
Code:
Source: VL10 net
Port: *
Destination: VL10 address
Port: 53(DNS)

I have previously been successful using this rule which was created from the tutorial I linked above:
Code:
Source: VL10 net
Port: *
Destination: LOCAL_SUBNETS (an alias with all VLAN Subnets)
Port: Allowed_OUT_LAN (an alias with DNS in it)



General DNS Resolver Options
Code:
Network Interfaces: VL10 is highlighted


Ping
Code:
$ ping -c 5 192.168.10.1
PING 192.168.10.1 (192.168.10.1) 56(84) bytes of data.
64 bytes from 192.168.10.1: icmp_seq=1 ttl=64 time=0.243 ms
64 bytes from 192.168.10.1: icmp_seq=2 ttl=64 time=0.206 ms
64 bytes from 192.168.10.1: icmp_seq=3 ttl=64 time=0.222 ms
64 bytes from 192.168.10.1: icmp_seq=4 ttl=64 time=0.189 ms
64 bytes from 192.168.10.1: icmp_seq=5 ttl=64 time=0.211 ms

--- 192.168.10.1 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 4049ms
rtt min/avg/max/mdev = 0.189/0.214/0.243/0.020 ms



netstat -an
Code:
Proto Recv-Q Send-Q Local Address          Foreign Address        (state)
tcp4       0      0 192.168.10.1.53        *.*                    LISTEN



DNS Resolver logs
I changed the verbosity level to 5, restarted the service and checked the logs setting so it would show 600 logs. I didn't see anything about binding to the IP. I searched for 192.168.10.1 as well.



I ordered 2 SuperMicro SATA SSDs and will be re-installing in a few days but would like to understand where I am going wrong.

Also, thanks for the help. I'm learning a good amount from this thread. Networking is one of my weaknesses.



EDIT: I found the issue with mine. I had set a NAT rule to forward 5353 to 53 when the DNS Resolver "broke" so I could use the DNS Forwarder. While troubleshooting, I deleted the firewall rule in the VL10 rules page but forgot to delete the VL10 NAT rule. Deleted the VL10 NAT rule and all is well now.

I feel accomplished and like a dumbass at the same time!
« Last Edit: November 11, 2017, 12:49:34 pm by 0xis »
Dell r210ii - Intel Xeon E3-1220 V2 - 8Gb Ram