Topic: DNS resolver & DHCP

Post by mtk, February 09, 2018, 08:28:26 am
Hey,
My pfSense (2.4.2-RELEASE-p1) is set to use the DNS Resolver in Forwarding Mode.
In the general settings I have Quad9's IPs:
  • P: 9.9.9.9
  • S: 149.112.112.112

The DHCP server is indeed setting the clients to use 192.168.1.1 (the pfSense IP) as the router, but every now and then (very often lately) the clients cannot resolve addresses for a few minutes, which really feels like a loss of internet access.
Checking ping to any direct IP (e.g. 8.8.8.8) does get a response during that "DNS resolution outage" time.

I can't find anything in the logs regarding this problem and pfSense itself seems to be able to route when I check in Diagnose -> Traceroute.

Any idea what could be the problem?

Thanks,
M.

Reply #1 by jtodd, February 10, 2018, 04:57:22 pm
Hi -
I saw you seem to be having problems with Quad9 addresses - we're interested in seeing if it's a problem with us, with pfSense, or the network. I happen to be involved in that project. Can you send us a few bits of debug data (support@quad9.net) done from the command line of your pfSense box:

dig @9.9.9.9  id.server txt ch +short

Also, when those issues are happening, see if you can get responses back from "ping" to 9.9.9.9.  If not, then what does "traceroute 9.9.9.9" show?

I'd be interested in seeing if you get different results from a host "inside" your NAT on those ping and traceroute tests as compared to running them directly on pfSense, which I assume has a "real" external IP.
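The three checks asked for above (a query against Quad9, a ping and a traceroute to 9.9.9.9, run both from a LAN host and from pfSense itself) only tell you something if they happen while the outage is in progress, and a few-minute outage is easy to miss by hand. The script below is an added example, not something posted in this thread or shipped by pfSense or Quad9: it runs those probes in a loop and logs only state changes, splitting the failure into three legs so the log says whether the pfSense resolver, Quad9 itself, or the path to Quad9 failed. It assumes dig, ping and traceroute are on the PATH (dig evidently is on the poster's box), takes 192.168.1.1 and 9.9.9.9 from the thread, and uses www.example.com as a stand-in query name.

```shell
#!/bin/sh
# dnswatch.sh: steady DNS + ICMP probe loop that records only state changes, so an
# intermittent "DNS outage" leaves a timestamped record of which leg failed:
#   resolver = the pfSense unbound instance the DHCP clients point at
#   upstream = Quad9 queried directly, bypassing unbound
#   icmp     = plain reachability of the Quad9 address
# Assumes dig, ping and traceroute exist on the PATH. Run it once on the pfSense box
# and once on a LAN host to get the inside/outside comparison asked for above.

RESOLVER="${RESOLVER:-192.168.1.1}"   # pfSense LAN address from the thread
UPSTREAM="${UPSTREAM:-9.9.9.9}"       # Quad9 primary from the thread
NAME="${NAME:-www.example.com}"       # probe name; an assumption, use one your clients query often
INTERVAL="${INTERVAL:-10}"            # seconds between probe rounds

# classify_dig DIG_OUTPUT -> ok | noanswer | timeout | <RCODE such as SERVFAIL or REFUSED>
# Parses the text dig prints rather than trusting its exit status, which is 0 for SERVFAIL.
classify_dig() {
    out="$1"
    case "$out" in
        *"connection timed out"*) echo timeout; return ;;
    esac
    status=$(printf '%s\n' "$out" | sed -n 's/.*status: \([A-Z]*\).*/\1/p' | head -n 1)
    if [ -z "$status" ]; then
        echo noanswer
    elif [ "$status" != NOERROR ]; then
        echo "$status"
    elif printf '%s\n' "$out" | grep -q 'ANSWER: 0,'; then
        echo noanswer
    else
        echo ok
    fi
}

# probe_dns SERVER NAME -> classification of one A query with a 2 s timeout and no retry
probe_dns() {
    classify_dig "$(dig +time=2 +tries=1 @"$1" "$2" A 2>&1 || true)"
}

# probe_icmp HOST -> ok | lost   (single echo request; add a per-OS wait flag if the default is too long)
probe_icmp() {
    if ping -c 1 "$1" >/dev/null 2>&1; then echo ok; else echo lost; fi
}

# verdict RESOLVER UPSTREAM ICMP -> where the failure sits
verdict() {
    if [ "$1" = ok ] && [ "$2" = ok ]; then
        echo healthy
    elif [ "$1" != ok ] && [ "$2" = ok ]; then
        echo local-resolver      # unbound (or a DNSBL layered on it) failing while Quad9 answers
    elif [ "$2" != ok ] && [ "$3" = ok ]; then
        echo upstream-dns        # 9.9.9.9 answers ping but not DNS
    elif [ "$3" != ok ]; then
        echo path                # packets to 9.9.9.9 are being lost; not a DNS problem as such
    else
        echo unknown
    fi
}

main_loop() {
    last=""
    while :; do
        r=$(probe_dns "$RESOLVER" "$NAME")
        u=$(probe_dns "$UPSTREAM" "$NAME")
        p=$(probe_icmp "$UPSTREAM")
        v=$(verdict "$r" "$u" "$p")
        if [ "$v" != "$last" ]; then
            printf '%s verdict=%s resolver=%s upstream=%s icmp=%s\n' \
                "$(date '+%Y-%m-%d %H:%M:%S')" "$v" "$r" "$u" "$p"
            # capture the route at the moment packets start disappearing
            if [ "$v" = path ]; then traceroute -n "$UPSTREAM" 2>&1 | sed 's/^/    /'; fi
            last=$v
        fi
        sleep "$INTERVAL"
    done
}

# Only start probing when invoked as:  sh dnswatch.sh run >> /var/log/dnswatch.log
if [ "${1:-}" = run ]; then main_loop; fi
```

Leave it running from a shell on the box for a day, then read the log next to the pfBlocker and resolver logs: a run of `local-resolver` lines with `upstream=ok` points at unbound or whatever sits in front of it, `upstream-dns` with `icmp=ok` is the case Quad9 would want to hear about, and `path` entries come with the traceroute taken at that moment.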

Reply #2 by mtk, February 19, 2018, 03:48:53 am
Quote from: jtodd on February 10, 2018, 04:57:22 pm
> Hi -
> I saw you seem to be having problems with Quad9 addresses - we're interested in seeing if it's a problem with us, with pfSense, or the network. I happen to be involved in that project. Can you send us a few bits of debug data (support@quad9.net) done from the command line of your pfSense box:
>
> dig @9.9.9.9  id.server txt ch +short
Thanks for stepping in!

From inside the pfsense box, this would reply with: "res100.ams.rrdns.pch.net"
(btw, it's the same from a MacBook connected to the same network)

Quote from: jtodd on February 10, 2018, 04:57:22 pm
> Also, when those issues are happening, see if you can get responses back from "ping" to 9.9.9.9.  If not, then what does "traceroute 9.9.9.9" show?
>
> I'd be interested in seeing if you get different results from a host "inside" your NAT on those ping and traceroute tests as compared to running them directly on pfSense, which I assume has a "real" external IP.

The issue didn't happen (or at least I wasn't able to "catch" it), but I did check a simple traceroute from the MacBook, the pfSense box and the modem itself, and I got interesting results:

This is from inside the modem (provided by the local ISP):
Code:
traceroute to 9.9.9.9, 30 hops max through WAN1 protocol ICMP
  1  85.144.96.1           10 ms
  2  10.10.10.105          10 ms
  3  80.249.208.250        10 ms
  4  9.9.9.9               10 ms
Trace complete.

This is from a MacBook connected to the same network:
Code:
traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 64 hops max, 52 byte packets
 1  my.pfsense.box (192.168.1.1)  1.552 ms  0.952 ms  1.017 ms
 2  192.168.5.1 (192.168.5.1)  2.531 ms  1.203 ms  0.851 ms
 3  1-96-144-85.ftth.glasoperator.nl (85.144.96.1)  8.260 ms  6.270 ms  7.725 ms
 4  10.10.10.105 (10.10.10.105)  6.469 ms  7.018 ms  6.727 ms
 5  amsix.pch.net (80.249.208.250)  7.173 ms  7.313 ms  7.158 ms
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * *

And this is from the pfSense box itself:
Code:
/root: traceroute 9.9.9.9
traceroute to 9.9.9.9 (9.9.9.9), 64 hops max, 40 byte packets
 1  192.168.5.1 (192.168.5.1)  0.355 ms  0.211 ms  0.150 ms
 2  1-96-144-85.ftth.glasoperator.nl (85.144.96.1)  5.439 ms  5.280 ms  5.268 ms
 3  10.10.10.105 (10.10.10.105)  5.369 ms  5.457 ms  5.440 ms
 4  amsix.pch.net (80.249.208.250)  6.757 ms  6.978 ms  11.428 ms
 5  * * *
 6  * * *
 7  * * *
 8  * * *
 9  * * *
10  * * *
11  * * *
12  * * *
13  * * *
14  * * *
15  * * *
16  * * *
17  * * *
18  * * *
19  * * *
20  * * *
21  * * *
22  * * *
23  * * *

Are there any issues in AMS I should know about?

Reply #3 by jtodd, February 19, 2018, 11:10:47 pm
Nothing is wrong with AMS servers in recent weeks that I can find... but let's add some debugging.

Your first test from the modem is using ICMP as the "traceroute" protocol, and the MacBook-based tests use standard (for traceroute) UDP packets to high-value ports, which receive an ICMP destination unreachable reply (which is the "right" way to do it.)  In any case, I'm not sure that the traceroutes show enough detail for me to do a lot of debugging, but it is interesting that they don't get all the way to 9.9.9.9 with UDP, but I'm pretty sure that isn't related to any intermittent failures that you might be seeing (though it's still curious.)

What is the "outside" address of your pfSense box?  If you don't want to reveal that here, that's fine - just send mail to support@quad9.net and we can pick up the discussion there.

I know this isn't the answer you're looking for, but we haven't seen any complaints about AMS and it's one of our most-used POPs.  Now, that doesn't mean there is nothing wrong - it just might be that it's intermittent enough that nobody is noticing.  I'm really interested in any failures or significant delays that you're seeing, and if at that time there are any packets lost to 9.9.9.9 (maybe set up a slow steady ICMP echo that is always running in a window so you don't have to start it?) during the times that you see problems, and some of the domain names that you're looking up during the service interruption.

Also: unbound should "just work" with DNS-over-TLS that we operate on Quad9.  There's a few threads here on that (https://forum.pfsense.org/index.php?topic=138966.0 for starters) Perhaps don't try to mix this in just yet, but it might be interesting in the future for you to encrypt your outbound queries.

JT
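The DNS-over-TLS pointer above is the one suggestion in this thread that changes the security posture rather than the diagnostics, so here is what it amounts to in unbound's own configuration. This is an added example, not configuration taken from the thread, from pfSense or from Quad9. The "before" fragment is the unbound equivalent of the poster's current forwarding-mode setup (plaintext queries to 9.9.9.9 and 149.112.112.112 on port 53); the "after" fragment moves the same forward-zone to port 853 with TLS, which Quad9 serves on both addresses. The option names are those of the unbound 1.6 series that pfSense 2.4.2 ships; the Custom options box under Services > DNS Resolver is the assumed place for the "after" fragment, and pfSense's own "Enable Forwarding Mode" checkbox has to be turned off first so that pfSense does not also emit a forward-zone for "." (unbound rejects a duplicate). Apply one fragment or the other, never both.

```conf
# BEFORE: what forwarding mode with Quad9 in System > General gives you.
# Every query name crosses the modem, the ISP and the AMS-IX hop in the clear,
# and a response can be spoofed by anyone on that path.
forward-zone:
    name: "."
    forward-addr: 9.9.9.9
    forward-addr: 149.112.112.112

# AFTER: same servers, same forward-zone, but over TLS on port 853.
# forward-ssl-upstream is the unbound 1.6 spelling; 1.7 renamed it
# forward-tls-upstream and still accepts the old name.
forward-zone:
    name: "."
    forward-ssl-upstream: yes
    forward-addr: 9.9.9.9@853
    forward-addr: 149.112.112.112@853
```

Two caveats a practitioner should carry along. First, the unbound version on 2.4.2 has no way to verify the upstream certificate in this configuration, so the "after" fragment encrypts the queries but does not authenticate the server; newer unbound releases add `tls-cert-bundle` in the server section and a `forward-addr: 9.9.9.9@853#dns.quad9.net` form that pins the expected name (dns.quad9.net is Quad9's published DoT hostname), which is what you want once the upgrade is available. Second, verify rather than assume: after saving, run `unbound-checkconf /var/unbound/unbound.conf` (the pfSense config path, assumed) and watch the WAN with `tcpdump -ni <wan_if> port 53 or port 853`; port 53 traffic from the firewall should go quiet and port 853 sessions appear. Keep the TLS change separate from the outage investigation, as the reply above suggests, so that a new failure can be attributed to one change at a time.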

Reply #4 by Visseroth, February 21, 2018, 12:32:18 am
I've noticed it on my box. I'm still waiting to see if the problem persists after disabling DNSBL Feeds in PfBlocker. I put some feeds in and holy cow! Devices start getting DNS lags and my phone throws a fit from time to time.
But I'll step back and watch this thread and chime in if I have something useful to add.

Reply #5 by mtk, February 21, 2018, 04:29:32 am
Quote from: jtodd on February 19, 2018, 11:10:47 pm
> Nothing is wrong with AMS servers in recent weeks that I can find... but let's add some debugging.
>
> Your first test from the modem is using ICMP as the "traceroute" protocol, and the MacBook-based tests use standard (for traceroute) UDP packets to high-value ports, which receive an ICMP destination unreachable reply (which is the "right" way to do it.)  In any case, I'm not sure that the traceroutes show enough detail for me to do a lot of debugging, but it is interesting that they don't get all the way to 9.9.9.9 with UDP, but I'm pretty sure that isn't related to any intermittent failures that you might be seeing (though it's still curious.)
>
> What is the "outside" address of your pfSense box?  If you don't want to reveal that here, that's fine - just send mail to support@quad9.net and we can pick up the discussion there.
>
> I know this isn't the answer you're looking for, but we haven't seen any complaints about AMS and it's one of our most-used POPs.  Now, that doesn't mean there is nothing wrong - it just might be that it's intermittent enough that nobody is noticing.  I'm really interested in any failures or significant delays that you're seeing, and if at that time there are any packets lost to 9.9.9.9 (maybe set up a slow steady ICMP echo that is always running in a window so you don't have to start it?) during the times that you see problems, and some of the domain names that you're looking up during the service interruption.
>
> Also: unbound should "just work" with DNS-over-TLS that we operate on Quad9.  There's a few threads here on that (https://forum.pfsense.org/index.php?topic=138966.0 for starters) Perhaps don't try to mix this in just yet, but it might be interesting in the future for you to encrypt your outbound queries.
>
> JT
Here is the UDP traceroute from the modem itself:
Code:
traceroute to 9.9.9.9, 30 hops max through WAN1 protocol UDP
  1  85.144.96.1           20 ms
  2  10.10.10.105          10 ms
  3  80.249.208.250        10 ms
  4  9.9.9.9               10 ms
Trace complete.
Not much of a change... :/

Reply #6 by mtk, February 21, 2018, 04:31:14 am
Quote from: Visseroth on February 21, 2018, 12:32:18 am
> I've noticed it on my box. I'm still waiting to see if the problem persists after disabling DNSBL Feeds in PfBlocker. I put some feeds in and holy cow! Devices start getting DNS lags and my phone throws a fit from time to time.
> But I'll step back and watch this thread and chime in if I have something useful to add.
Yes, disabling DNSBL made the connection more stable, or at least users don't get the feeling they get disconnected from the internet.

Reply #7 by mtk, February 21, 2018, 04:32:05 am
Any chance this is related to the way the modem is connected to the pfSense box?
The ISP's modem doesn't have a Bridge-mode...