pfSense DNS resolver error?


drohack (New Member), Mar 29, 2023
I'm new to setting up a pfSense router and am having some odd cases where some URLs are not working. I do have pfBlockerNG set up, but I've tried disabling the firewall/removing rules and none of those helped. So my guess is that it's not the firewall, but some sort of DNS resolver issue.

My setup:
  • pfSense version 2.7.0-DEVELOPMENT (amd64)
  • DNS servers 1.1.1.1 and 1.0.0.1 are set up
  • DNS Server Override: Disabled
  • DNS Resolution Behavior: Use local DNS (127.0.0.1), fallback to remote DNS (default)
  • General DNS Resolver Options/(enabled) Enable DNS resolver
  • DNSSEC: (enabled) Enable DNSSEC Support
  • DNS Query Forwarding: (enabled) Enable Forwarding Mode
I think I've left basically everything as default settings.

I'm getting 2 very similar issues:
  1. DNS resolves the URL, but I can't ping the URL
  2. DNS resolves, and I can ping/nslookup from pfSense, but on my PC it doesn't work.
For issue #1 I'm having issues with the following 2 URLs:
  • usw2.pure.cloud
  • restream.io
When I go to either of these sites in a browser (on my desktop) I get the following error:
This site can't be reached
restream.io's server IP address could not be found.
When I ping I get the following error:
Ping request could not find host restream.io. Please check the name and try again.
When I do an nslookup I get the following error:
Server: [server name here]

Address: 192.168.1.1

*** [server name here] can't find restream.io: Server failed
In pfSense/Diagnostics/DNS Lookup I am able to hit both of the URLs just fine.
BUT when I do pfSense/Diagnostics/Ping I get the following error:
PING restream.io (3.233.7.160): 56 data bytes
--- restream.io ping statistics ---
3 packets transmitted, 0 packets received, 100.0% packet loss
For issue #2 I'm having issues with the following url:
  • picrew.me
Inside the pfSense GUI Command Prompt I can do an `nslookup picrew.me` and get the following result:
;; Got SERVFAIL reply from 127.0.0.1, trying next server
Server: 1.1.1.1
Address: 1.1.1.1#53

Non-authoritative answer:
Name: picrew.me
Address: 108.138.167.27
Name: picrew.me
Address: 108.138.167.56
Name: picrew.me
Address: 108.138.167.78
Name: picrew.me
Address: 108.138.167.114
;; Got SERVFAIL reply from 127.0.0.1, trying next server
But on my local PC, trying `nslookup picrew.me` I get the following error:
Server: pfSense.[server name].net
Address: 192.168.1.1

*** pfSense.[server name].net can't find picrew.me: Server failed
Again I can do a DNS Lookup, and Ping from inside pfSense for picrew.me. But it doesn't appear to work on my local PC to resolve.

Because 1.1.1.1 seems to resolve it I've tried setting the "DNS Resolution Behavior" to "Use remote DNS Servers, ignore local DNS". But no luck. It removes the `Got SERVFAIL` error from the pfSense nslookup. But still same error on my local PC.

One thing that appears to fix this issue is to manually set the DNS Server on my local pc. When I set it to 1.1.1.1 and do a `nslookup picrew.me` I get the following response:
Server: one.one.one.one
Address: 1.1.1.1

Non-authoritative answer:
Name: picrew.me
Addresses: 108.138.167.114
108.138.167.78
108.138.167.56
108.138.167.27
But that defeats the purpose of using pfSense as the DNS router....

The only other "fix" is to set a Domain Override to use 1.1.1.1 as the Lookup Server IP Address. But this is a crazy method as I would have to do this for every single domain that I run across that has this problem.

What can I do to fix this? (If you need any more settings or logs, please let me know and I'll post them.)

DavidWJohnston (Active Member), Sep 30, 2020
I think there may be a couple things going on...

I'm not able to ping restream.io either - That server just isn't answering pings. To eliminate this as a variable, stick to nslookup. If PING shows an IP address, it means the DNS resolution portion worked.

Also - Do you have "DNS Resolver" and "DNS Forwarder" services both enabled at the same time? I've never done that - The resolver service also does forwarding:
[attached screenshot]

So try disabling the DNS Forwarder service.

Also for pfBlockerNG - There is a checkbox that enables/disables the whole thing in one shot - Try that if you haven't already:
[attached screenshot]

Also for some strange cases I needed a firewall rule in LAN allowing all LAN IPs to talk to port 53 on the pfSense LAN interface, even though they're the same subnet. Having an "allow all to all" rule should suffice:
[attached screenshot]

Also in the DNS resolver settings, you will see "Network Interfaces" and "Outgoing network interfaces" - No selection defaults to all interfaces, but sometimes this is undesirable. In my case I had an IPv6 tunnel to Hurricane Electric, and some of the DNS requests were round-robining over that and slowing down resolution. So if you need to, granularly select your interfaces.

Try disabling DNSSEC as a test and see what happens. With DNSSEC, the responses are a lot larger, and can use TCP instead, so perhaps your fails are occurring because it's switching over to TCP and that isn't possible for some reason.

If none of that helps, some packet capturing or log analysis will probably be necessary. Let me know and I'll help more.

Edit: Forgot to mention - Your DNS cache on pfSense or your PC may be poisoned. In Windows you can do ipconfig /flushdns - But browsers you'll have to close. On pfSense, have a look at this: Troubleshooting — Troubleshooting the DNS Cache | pfSense Documentation

drohack (New Member), Mar 29, 2023
No I do not have both "DNS Forwarder" and "DNS Resolver" both enabled. I only have DNS Resolver enabled.

I have tried disabling pfBlockerNG and I am still getting the same issue. I have also disabled the firewall rules just in case disabling pfBlockerNG wasn't good enough. Again no luck.

I do have the default Allow All rule in my LAN network:
[attached screenshot]
I don't think I have any selection on my "Outgoing Network Interfaces". I do not have any tunneling, nor am I using IPv6 right now as my default ISP does not support it.
[attached screenshot]

For testing I've been doing `ipconfig/release` and `ipconfig/renew` on my local PC, and doing a `ctrl + F5` on the browser. I will try the `ipconfig/flushdns` and restart the browser from now on.

But this doesn't reflect why I can't do a `nslookup picrew.me` on the pfSense box itself. It resolves on 1.1.1.1, but not on 127.0.0.1...

I'll also try the DNSSEC and report back.

DavidWJohnston (Active Member), Sep 30, 2020
Cool - Check if there's anything useful in here too:
[attached screenshot]

If you can take a packet trace that would also help. You can do this in pfSense -> Diagnostics -> Packet capture. If you are willing to, post it to G-Drive, send me the link and I'll check it out for you. Set the interface to WAN, port to 53, length to 0, and count to 0 - Start the trace, do a few lookups including good and bad, then stop the trace and download the pcap. Note that PCAPs can contain personal info.

drohack (New Member), Mar 29, 2023
Oh my gosh disabling DNSSEC worked! I am able to access all 3 sites just fine now (in both the browser and nslookup).

I don't know much about it. But the few googlings say it's some sort of security against DNS attacks. For me personally since this has affected 3 sites already I'm inclined to disable it. But would love some opinion on if it should be enabled and just have these sites whitelisted.

DavidWJohnston (Active Member), Sep 30, 2020
Good to hear - Yeah the thing about DNSSEC is the response packets are much larger, and it can switch over to using TCP instead of UDP which can cause some issues. What it does is verify you're getting the correct IP for the domain you're trying to get to. (among other things)

Edit one more thing: There is a checkbox called "Harden DNSSEC data" - If you disable that, it might do what you want. Insecure queries might be allowed instead of blocked.

I'm sure it can be fixed though. If you have the SSL (port 853) service, then you might need to disable DNSSEC, according to posts like this: https://www.reddit.com/r/PFSENSE/comments/vuhcni
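The SERVFAIL-from-127.0.0.1 symptom in this thread (resolver fails, 1.1.1.1 succeeds, disabling DNSSEC "fixes" it) can be told apart from a plain upstream failure without turning validation off globally: send the same question twice, once normally and once with the CD (checking disabled) bit set. A validating resolver that is failing only because the zone's signatures don't check out will answer the CD query and SERVFAIL the plain one. The script below is an added example for this thread, not code from pfSense, unbound or either poster; it builds and parses raw DNS messages with the standard library, and the response packets used in the demo are constructed by hand (no network is touched), so the verdicts shown are illustrative.

```python
import secrets
import socket
import struct

RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN", 5: "REFUSED"}

FLAG_QR = 0x8000  # response
FLAG_TC = 0x0200  # truncated (answer did not fit in UDP; client should retry over TCP)
FLAG_RD = 0x0100  # recursion desired
FLAG_AD = 0x0020  # authenticated data (resolver validated the answer)
FLAG_CD = 0x0010  # checking disabled (resolver must not fail the answer on validation)


def encode_name(name):
    """Wire-encode a domain name as length-prefixed labels ending in a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_query(name, qtype=1, checking_disabled=False, txid=None):
    """Build an A (or other qtype) query with EDNS0 and the DO bit, optionally with CD set."""
    if txid is None:
        txid = secrets.randbits(16)
    flags = FLAG_RD | (FLAG_CD if checking_disabled else 0)
    header = struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 1)  # qd=1, ar=1 (the OPT record)
    question = encode_name(name) + struct.pack("!HH", qtype, 1)  # class IN
    # OPT RR: root name, type 41, UDP payload size 1232, ext-rcode 0, version 0, DO=0x8000, rdlen 0
    opt = b"\x00" + struct.pack("!HHBBHH", 41, 1232, 0, 0, 0x8000, 0)
    return header + question + opt


def parse_response(packet):
    """Pull the fields that matter for this diagnosis out of a DNS response header."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "txid": txid,
        "rcode": RCODE_NAMES.get(flags & 0x000F, str(flags & 0x000F)),
        "truncated": bool(flags & FLAG_TC),
        "ad": bool(flags & FLAG_AD),
        "cd": bool(flags & FLAG_CD),
        "answers": an,
    }


def classify(plain, cd):
    """Combine the plain and CD-bit responses into one verdict about where the failure is."""
    if plain["truncated"]:
        return "truncated-over-udp"  # large (signed) answer; resolver must be reachable over TCP
    if plain["rcode"] == "NOERROR" and plain["ad"]:
        return "validated"
    if plain["rcode"] == "NOERROR":
        return "resolved-unvalidated"  # unsigned zone, or resolver not validating
    if plain["rcode"] == "SERVFAIL" and cd["rcode"] == "NOERROR":
        return "dnssec-validation-failure"  # data exists; the signatures/chain are what failed
    if plain["rcode"] == "SERVFAIL" and cd["rcode"] == "SERVFAIL":
        return "upstream-failure"  # resolver cannot get an answer at all
    return "other:" + plain["rcode"]


def send_query(server, packet, timeout=3.0):
    """Send one UDP query to a resolver (e.g. the pfSense LAN address) and return the raw reply."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(packet, (server, 53))
        return sock.recv(4096)


def make_response(txid, rcode, answers=0, ad=False, cd=False, truncated=False):
    """Constructed header-only response used for the offline demo (assumed, not captured)."""
    flags = FLAG_QR | FLAG_RD | 0x0080 | rcode  # 0x0080 = RA
    flags |= (FLAG_AD if ad else 0) | (FLAG_CD if cd else 0) | (FLAG_TC if truncated else 0)
    return struct.pack("!HHHHHH", txid, flags, 0, answers, 0, 0)


def demo():
    """Offline walk-through of the thread's symptom using constructed responses."""
    txid = 0x1234
    # What the thread shows: the local resolver says SERVFAIL, but the data does exist upstream.
    plain = parse_response(make_response(txid, 2))
    with_cd = parse_response(make_response(txid, 0, answers=4, cd=True))
    return classify(plain, with_cd)


if __name__ == "__main__":
    print("verdict for the constructed picrew.me case:", demo())
    # Against a live resolver you would instead do, for each name:
    #   plain = parse_response(send_query("192.168.1.1", build_query("picrew.me")))
    #   cd    = parse_response(send_query("192.168.1.1", build_query("picrew.me", checking_disabled=True)))
```

A `dnssec-validation-failure` verdict means the resolver reached the zone but rejected its signatures, which is the case where a per-domain exception is the proportionate fix: unbound's `domain-insecure: "example.test"` option (enterable in the pfSense DNS Resolver custom options box) turns validation off for that one zone while leaving it on for everything else, which is the "whitelist" asked about above. An `upstream-failure` or `truncated-over-udp` verdict points at reachability (blocked TCP/53, interface selection, pfBlockerNG) rather than at DNSSEC itself.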

drohack (New Member), Mar 29, 2023
I tried enabling DNSSEC again, with Harden DNSSEC disabled. The issue still persisted.

I don't believe I have any rules associated with the SSL port 853 service.
"Enable SSL/TLS Service" is disabled
"Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" is disabled