Topic: DNS not resolving some sites

HankB (Newbie, Posts: 4, Karma: +0/-0)
DNS not resolving some sites
« on: May 15, 2018, 05:19:39 pm »
Problem:

Hosts on my LAN cannot resolve "coder.show". Most other sites seem to be OK.

If I type "coder.show" (without the quotes, of course) into https://192.168.1.1/diag_dns.php it resolves to the correct address.

My configuration is fairly vanilla except that I've configured to use Cloudflare DNS by using the following Custom options
Code:
server:
forward-zone:
  name: "."
  forward-ssl-upstream: yes
  forward-addr: 1.1.1.1@853
  forward-addr: 1.0.0.1@853
in https://192.168.1.1/services_unbound.php

Other settings are:
Network Interfaces: ALL
Outgoing Network Interfaces: WAN
System Domain Local Zone Type: Transparent
DNSSEC: Enabled
DNS Query Forwarding: disabled
DHCP Registration (Register DHCP leases in the DNS Resolver): Enabled
Static DHCP: enabled
OpenVPN Clients: disabled

I'm pretty sure that Advanced Settings and Access Lists are unchanged from default.

I updated earlier today from 2.4.3 to 2.4.3_1 (which now identifies itself as 2.4.3-RELEASE-p1) and results are unchanged.

From the command line (on other PCs on my LAN) this host cannot be resolved.

Code:
hbarta@olive:~/Documents/purchase$ nslookup coder.show
;; Got SERVFAIL reply from 192.168.1.1, trying next server
Server: 2601:249:e00:3813:201:2eff:fe6f:f9f9
Address: 2601:249:e00:3813:201:2eff:fe6f:f9f9#53

** server can't find coder.show: SERVFAIL

hbarta@olive:~/Documents/purchase$ nslookup coder.show 1.1.1.1
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
coder.show canonical name = hosted.fireside.fm.
Name: hosted.fireside.fm
Address: 96.126.99.139

hbarta@olive:~/Documents/purchase$ nslookup coder.show 192.168.1.1
Server: 192.168.1.1
Address: 192.168.1.1#53

** server can't find coder.show: SERVFAIL

hbarta@olive:~/Documents/purchase$ nslookup google.com
Server: 192.168.1.1
Address: 192.168.1.1#53

Non-authoritative answer:
Name: google.com
Address: 108.177.112.100
Name: google.com
Address: 108.177.112.101
Name: google.com
Address: 108.177.112.102
Name: google.com
Address: 108.177.112.113
Name: google.com
Address: 108.177.112.138
Name: google.com
Address: 108.177.112.139

I'm baffled by what could cause this and how to proceed with debugging. I looked in the general and DNS logs and don't see anything that gives me a clue about what is going on.

Thanks for any suggestions.

Gertjan (Hero Member, Posts: 2696, Karma: +218/-9)
Re: DNS not resolving some sites
« Reply #1 on: May 16, 2018, 06:31:55 am »
Hi,

Code:
C:\Users\Réception-Gauche>nslookup coder.show
Serveur :   pfsense.brit-hotel-fumel.net
Address:  2001:470:1f13:5c0:2::1

Réponse ne faisant pas autorité :
Nom :    hosted.fireside.fm
Address:  96.126.99.139
Aliases:  coder.show

Who is "192.168.1.1"? Make your DNS work on that device, because the PC where you are running nslookup was told to use it.

Note: it's OK to move from the default Resolver and set up something different, using "8.8.8.8" or Cloudflare or whatever. But: finish the setup ;)

HankB (Newbie, Posts: 4, Karma: +0/-0)
Re: DNS not resolving some sites
« Reply #2 on: May 16, 2018, 01:59:49 pm »
Hi,

Who is "192.168.1.1"? Make your DNS work on that device, because the PC where you are running nslookup was told to use it.

Note: it's OK to move from the default Resolver and set up something different, using "8.8.8.8" or Cloudflare or whatever. But: finish the setup ;)

Sorry, I should have mentioned that the pfSense host is at 192.168.1.1 and it does resolve coder.show using the management web page https://192.168.1.1/diag_dns.php.

thanks,
hank

vjizzle (Newbie, Posts: 8, Karma: +0/-0)
Re: DNS not resolving some sites
« Reply #3 on: May 17, 2018, 09:09:54 am »
Hi,

I have set up DNS Resolver on pfSense and can see the same behavior. When I point my client to pfSense for DNS resolving, sometimes certain websites will not resolve. When I try the diagnostic option in pfSense the domain resolves just fine. I am not running anything particular like pfBlocker or Squid, just basic pfSense with DNS Resolver enabled. Logs don't show anything special. When I restart DNS Resolver on pfSense everything is fine.

johnpoz (Hero Member, Posts: 16026, Karma: +1529/-221)
Not a pfSense employee, they cannot fire me...
Re: DNS not resolving some sites
« Reply #4 on: May 17, 2018, 09:53:20 am »
I would suggest you troubleshoot the specific FQDN you're having issues with by looking at what unbound has cached for this record and the NS for that domain, etc.

Look to the unbound documentation on how to troubleshoot resolving issues.

If you're just forwarding, then lack of resolution is out of your hands and you are at the mercy of whoever you're forwarding to to correctly resolve something. And you have no way to troubleshoot what their problem might be.
- An intelligent man is sometimes forced to be drunk to spend time with his fools.
- Please don't PM me for personal help
- if you want to say thanks applaud or https://www.freebsdfoundation.org/donate/
1x SG-2440 2.4.3-RELEASE (work)
1x SG-3100 2.4.3-RELEASE (work)
1x SG-4860 2.4.3-RELEASE-p1 (home)

HankB (Newbie, Posts: 4, Karma: +0/-0)
Re: DNS not resolving some sites
« Reply #5 on: Yesterday at 11:23:02 am »
I would suggest you troubleshoot the specific FQDN you're having issues with by looking at what unbound has cached for this record and the NS for that domain, etc.

Look to the unbound documentation on how to troubleshoot resolving issues.

Hi johnpoz,
Thank you for the suggestion. I bumped the log level by 1 for the resolver and found the following in the log when I tried the troublesome name.
Code:
May 20 10:34:52 unbound 6706:3 info: Could not establish a chain of trust to keys for coder.show. DNSKEY IN
May 20 10:34:52 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: Could not establish a chain of trust to keys for coder.show. DNSKEY IN
May 20 10:34:52 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was CNAME
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was CNAME
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was CNAME
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was CNAME
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was CNAME
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was CNAME
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:52 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was CNAME
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was CNAME
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was CNAME
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was CNAME
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was nodata ANSWER
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was CNAME
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was CNAME
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:2 info: validated DNSKEY show. DNSKEY IN
May 20 10:34:51 unbound 6706:2 info: query response was ANSWER
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:2 info: response for show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: validated DNSKEY show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: query response was ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for show. DNSKEY IN
May 20 10:34:51 unbound 6706:2 info: resolving show. DNSKEY IN
May 20 10:34:51 unbound 6706:2 info: validated DS show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was ANSWER
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: validated DS show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:3 info: response for show. DS IN
May 20 10:34:51 unbound 6706:2 info: resolving show. DS IN
May 20 10:34:51 unbound 6706:2 info: query response was ANSWER
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. A IN
May 20 10:34:51 unbound 6706:3 info: resolving show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. A IN
May 20 10:34:51 unbound 6706:2 info: resolving coder.show. A IN
May 20 10:34:51 unbound 6706:2 info: query response was CNAME
May 20 10:34:51 unbound 6706:2 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:2 info: response for coder.show. A IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. A IN
May 20 10:34:51 unbound 6706:3 info: query response was CNAME
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. A IN
May 20 10:34:50 unbound 6706:2 info: resolving coder.show. A IN
May 20 10:34:50 unbound 6706:3 info: resolving coder.show. A IN
Can I presume that this is a DNSSEC misconfiguration somewhere along the line?

Can I also presume that the Diagnostics -> DNS Lookup page ignores the "Enable DNSSEC Support" setting on the Services -> DNS Resolver page? That would seem to explain why I can resolve from the diagnostics page but not from other hosts on my LAN.

One more bit of the puzzle... The problem may be intermittent. This is a podcast host. The podcast client on my phone did manage to update podcasts from this host some time overnight. It is configured to only update podcasts over WiFi and I don't think it associated with an outside AP during this time, though I cannot rule this out.

I've looked at https://dnslookup.org/coder.show/A/#dnssec and don't really understand the output. At the bottom left of the screen I see "Result is Insecure", but I see the same if I look up google.com.

What should be my next step?
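The log posted in reply #5 is hard to read by eye: two unbound threads interleave, and the pfSense log viewer lists newest lines first. The script below is an added example (not pfSense or unbound code, and not posted by anyone in this thread) that parses lines in the format shown above, puts them back in chronological order, tracks each thread's "response for" / "reply from" / "query response was" triplets, and summarises, per queried name and type, what kind of answer came back, from which forwarder, which records validated, and where the chain of trust failed. It assumes only the log line format visible in the post and the viewer's newest-first order; the embedded sample is an excerpt (thread 3 lines) of that log.

```python
"""Summarise unbound 'info'-level log lines to see where DNSSEC validation
failed.  Added example for this thread; not pfSense or unbound code."""
import re
from collections import Counter, defaultdict

# Excerpt (thread 3 only) of the unbound log posted in reply #5, in the
# newest-first order the pfSense log viewer uses.
SAMPLE_LOG = """\
May 20 10:34:52 unbound 6706:3 info: Could not establish a chain of trust to keys for coder.show. DNSKEY IN
May 20 10:34:52 unbound 6706:3 info: query response was nodata ANSWER
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:52 unbound 6706:3 info: query response was CNAME
May 20 10:34:52 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:52 unbound 6706:3 info: response for coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. DS IN
May 20 10:34:51 unbound 6706:3 info: validated DNSKEY show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: query response was ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: resolving show. DNSKEY IN
May 20 10:34:51 unbound 6706:3 info: validated DS show. DS IN
May 20 10:34:51 unbound 6706:3 info: query response was ANSWER
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.0.0.1#853
May 20 10:34:51 unbound 6706:3 info: response for show. DS IN
May 20 10:34:51 unbound 6706:3 info: resolving coder.show. A IN
May 20 10:34:51 unbound 6706:3 info: query response was CNAME
May 20 10:34:51 unbound 6706:3 info: reply from <.> 1.1.1.1#853
May 20 10:34:51 unbound 6706:3 info: response for coder.show. A IN
May 20 10:34:50 unbound 6706:3 info: resolving coder.show. A IN
"""

# "May 20 10:34:52 unbound 6706:3 info: <message>"  (pid:thread before the level)
LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d) unbound "
    r"(?P<pid>\d+):(?P<thread>\d+) (?P<level>\w+): (?P<msg>.*)$")
RESPONSE_RE = re.compile(r"^response for (\S+) (\S+) IN$")
REPLY_RE = re.compile(r"^reply from <\S+> (\S+)$")           # <zone> upstream#port
KIND_RE = re.compile(r"^query response was (.+)$")
VALIDATED_RE = re.compile(r"^validated (\S+) (\S+) \S+ IN$")  # type, name
FAILURE_RE = re.compile(
    r"^Could not establish a chain of trust to keys for (\S+) (\S+) IN$")


def parse_log(text, newest_first=True):
    """Parse unbound lines into dicts; return them oldest-first."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:  # silently skip anything that is not an unbound log line
            events.append(m.groupdict())
    return events[::-1] if newest_first else events


def summarize(events):
    """Group responses per (name, type); collect validations and failures."""
    open_query = {}                 # thread -> (name, type) being answered
    kinds = defaultdict(Counter)    # (name, type) -> Counter of answer kinds
    upstreams = defaultdict(set)    # (name, type) -> forwarders that answered
    validated, failures = [], []
    for ev in events:
        thread, msg = ev["thread"], ev["msg"]
        if (m := RESPONSE_RE.match(msg)):
            open_query[thread] = (m.group(1), m.group(2))
        elif (m := REPLY_RE.match(msg)) and thread in open_query:
            upstreams[open_query[thread]].add(m.group(1))
        elif (m := KIND_RE.match(msg)) and thread in open_query:
            kinds[open_query.pop(thread)][m.group(1)] += 1
        elif (m := VALIDATED_RE.match(msg)):
            validated.append((m.group(1), m.group(2)))
        elif (m := FAILURE_RE.match(msg)):
            failures.append((m.group(1), m.group(2)))
    return {"kinds": dict(kinds), "upstreams": dict(upstreams),
            "validated": validated, "failures": failures}


def report(summary):
    """Render the summary as text lines, one per queried name/type."""
    lines = []
    for key, kinds in summary["kinds"].items():
        ups = ", ".join(sorted(summary["upstreams"].get(key, ())))
        lines.append(f"{key[0]} {key[1]}: {dict(kinds)} via {ups}")
    for rtype, name in summary["validated"]:
        lines.append(f"validated {rtype} for {name}")
    for name, rtype in summary["failures"]:
        lines.append(f"NO CHAIN OF TRUST for {name} ({rtype})")
    return lines


if __name__ == "__main__":
    print("\n".join(report(summarize(parse_log(SAMPLE_LOG)))))
```

On the excerpt the summary shows the parent zone doing what a validator needs (DS and DNSKEY for show. both validated) and the DS query for coder.show. answering first CNAME and then "nodata ANSWER" before the "Could not establish a chain of trust" line. A DS query at a delegation should yield either a DS RRset or a signed denial of existence; an answer that is neither cannot prove the child is unsigned, so validation ends in SERVFAIL rather than an insecure answer. The per-forwarder column is the check a practitioner wants when forwarding, since johnpoz's point applies: if the answers differ by upstream or by attempt, the problem is not on the pfSense box.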