I do have a DNS issue.
The name is resolved fine (Interfaces: Diagnostics: DNS Lookup); A and AAAA records are returned, with a CNAME in between.
But the ping (Interfaces: Diagnostics: Ping) returns "cannot resolve artifactory.<removed>.com: No address associated with name".
As a result the host alias is not resolved correctly and the firewall blocks the traffic.
BTW, this only applies to a few addresses, not all.
In the firewall:
x.mycomp.com ... is ok
y.mycomp.com ... is not ok
The host behind the firewall can resolve BOTH addresses and starts pinging. Both FW and host use the same DNS.
A few more test results from the command line:
root@OPNsense:/usr/bin # drill heise.de
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 26134
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; heise.de. IN A
;; ANSWER SECTION:
heise.de. 86400 IN A 193.99.144.80
;; AUTHORITY SECTION:
. 90643 IN NS h.root-servers.net.
. 90643 IN NS m.root-servers.net.
. 90643 IN NS l.root-servers.net.
. 90643 IN NS b.root-servers.net.
. 90643 IN NS d.root-servers.net.
. 90643 IN NS a.root-servers.net.
. 90643 IN NS g.root-servers.net.
. 90643 IN NS f.root-servers.net.
. 90643 IN NS i.root-servers.net.
. 90643 IN NS e.root-servers.net.
. 90643 IN NS k.root-servers.net.
. 90643 IN NS j.root-servers.net.
. 90643 IN NS c.root-servers.net.
;; ADDITIONAL SECTION:
m.root-servers.net. 324886 IN A 202.12.27.33
h.root-servers.net. 76865 IN A 198.97.190.53
a.root-servers.net. 263107 IN A 198.41.0.4
c.root-servers.net. 138868 IN A 192.33.4.12
e.root-servers.net. 260655 IN A 192.203.230.10
i.root-servers.net. 264776 IN A 192.36.148.17
k.root-servers.net. 324975 IN A 193.0.14.129
j.root-servers.net. 325372 IN A 192.58.128.30
f.root-servers.net. 325953 IN A 192.5.5.241
l.root-servers.net. 325451 IN A 199.7.83.42
g.root-servers.net. 260656 IN A 192.112.36.4
d.root-servers.net. 326171 IN A 199.7.91.13
b.root-servers.net. 326860 IN A 170.247.170.2
m.root-servers.net. 264777 IN AAAA 2001:dc3::35
;; Query time: 260 msec
;; SERVER: 10.255.1.50
;; WHEN: Mon Jan 15 16:56:08 2024
;; MSG SIZE rcvd: 489
root@OPNsense:/usr/bin # drill artifactory.my-comp.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 7072
;; flags: qr rd ra ; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; artifactory.my-comp.com. IN A
;; ANSWER SECTION:
artifactory.my-comp.com. 1471 IN CNAME artifactory.global.my-comp.com.
artifactory.global.my-comp.com. 3643 IN A 172.22.51.78
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 10.160.5.6
;; WHEN: Mon Jan 15 16:56:17 2024
;; MSG SIZE rcvd: 89
root@OPNsense:/usr/bin # drill artifactory-berlin1.my-comp.com
;; ->>HEADER<<- opcode: QUERY, rcode: NOERROR, id: 15703
;; flags: qr rd ra ; QUERY: 1, ANSWER: 1, AUTHORITY: 13, ADDITIONAL: 14
;; QUESTION SECTION:
;; artifactory-berlin1.my-comp.com. IN A
;; ANSWER SECTION:
artifactory-berlin1.my-comp.com. 1781 IN A 172.20.48.164
;; AUTHORITY SECTION:
. 90621 IN NS e.root-servers.net.
. 90621 IN NS h.root-servers.net.
. 90621 IN NS a.root-servers.net.
. 90621 IN NS d.root-servers.net.
. 90621 IN NS c.root-servers.net.
. 90621 IN NS k.root-servers.net.
. 90621 IN NS l.root-servers.net.
. 90621 IN NS b.root-servers.net.
. 90621 IN NS j.root-servers.net.
. 90621 IN NS i.root-servers.net.
. 90621 IN NS g.root-servers.net.
. 90621 IN NS m.root-servers.net.
. 90621 IN NS f.root-servers.net.
;; ADDITIONAL SECTION:
m.root-servers.net. 324864 IN A 202.12.27.33
h.root-servers.net. 76843 IN A 198.97.190.53
a.root-servers.net. 263085 IN A 198.41.0.4
c.root-servers.net. 138846 IN A 192.33.4.12
e.root-servers.net. 260633 IN A 192.203.230.10
i.root-servers.net. 264754 IN A 192.36.148.17
k.root-servers.net. 324953 IN A 193.0.14.129
j.root-servers.net. 325350 IN A 192.58.128.30
f.root-servers.net. 325931 IN A 192.5.5.241
l.root-servers.net. 325429 IN A 199.7.83.42
g.root-servers.net. 260634 IN A 192.112.36.4
d.root-servers.net. 326149 IN A 199.7.91.13
b.root-servers.net. 326838 IN A 170.247.170.2
m.root-servers.net. 264755 IN AAAA 2001:dc3::35
;; Query time: 134 msec
;; SERVER: 10.255.1.50
;; WHEN: Mon Jan 15 16:56:31 2024
;; MSG SIZE rcvd: 511
root@OPNsense:/usr/bin # ping artifactory-berlin1.my-comp.com
ping: Unknown host
root@OPNsense:/usr/bin # ping heise.de
PING heise.de (193.99.144.80): 56 data bytes
64 bytes from 193.99.144.80: icmp_seq=0 ttl=243 time=13.168 ms
^C
--- heise.de ping statistics ---
1 packets transmitted, 1 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 13.168/13.168/13.168/0.000 ms
root@OPNsense:/usr/bin # ping artifactory.my-comp.com
ping: Unknown host
root@OPNsense:/usr/bin #
No idea at all?
Any known issue tracker for this?
I found the GitHub issue list and added
https://github.com/opnsense/core/issues/7157
for this.
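The three drill queries above all come back with answers, yet ping on the same box says "Unknown host" for the two internal names, and the drill answers came from two different servers (10.255.1.50 and 10.160.5.6). The two tools do not take the same path: drill speaks DNS directly to a server from /etc/resolv.conf, while ping (and the Diagnostics: Ping page) goes through libc's getaddrinfo(3), which also consults /etc/nsswitch.conf and /etc/hosts and can fail even when a raw query succeeds. The script below is an added example, not OPNsense code and not from this thread; it puts the two paths side by side for one name, optionally pinned to one server, so the mismatch shows up on a single line. It assumes FreeBSD's drill(1) and getent(1) are available, as on OPNsense; the record counting, the status labels and the 30-second re-probe interval are my own choices.

```shell
#!/bin/sh
# resolvercheck.sh: added example, not OPNsense code. Compares what drill(1)
# gets straight from a DNS server with what libc's getaddrinfo(3) returns
# (the path ping, the Diagnostics: Ping page and most daemons use).
# Assumes FreeBSD-style drill(1) and getent(1), as found on OPNsense.

# Count A/AAAA records in the ANSWER SECTION of drill output read on stdin.
# CNAME records are skipped on purpose: a CNAME chain that ends without an
# address is exactly the case that looks "fine" in drill but fails in ping.
count_answers() {
    awk '/^;; ANSWER SECTION/ { in_answer = 1; next }
         /^;;/               { in_answer = 0 }
         in_answer && ($4 == "A" || $4 == "AAAA") { n++ }
         END { print n + 0 }'
}

# Label the combination of the two counts. $1 = drill records, $2 = libc addresses.
classify() {
    if [ "$1" -gt 0 ] && [ "$2" -gt 0 ]; then echo ok
    elif [ "$1" -gt 0 ]; then echo libc-resolver-failure   # the symptom in this thread
    elif [ "$2" -gt 0 ]; then echo libc-only               # /etc/hosts or a cache, not DNS
    else echo no-address
    fi
}

# Query NAME via both paths. SERVER (optional) pins drill to one resolver so
# each entry of /etc/resolv.conf can be checked separately.
probe() {
    name=$1; server=$2
    if [ -n "$server" ]; then at="@$server"; else at=""; fi
    dns=$( { drill "$name" $at A; drill "$name" $at AAAA; } 2>/dev/null | count_answers)
    libc=$(getent hosts "$name" 2>/dev/null | wc -l | tr -d ' ')
    printf '%s drill=%s getaddrinfo=%s %s\n' "$name" "$dns" "$libc" "$(classify "$dns" "$libc")"
}

# Usage: sh resolvercheck.sh NAME [SERVER] [REPEATS]
# REPEATS > 1 re-probes every 30 s, to catch a resolver that fails only now and then.
if [ -n "$1" ]; then
    repeats=${3:-1}; i=0
    while [ "$i" -lt "$repeats" ]; do
        probe "$1" "$2"
        i=$((i + 1))
        if [ "$i" -lt "$repeats" ]; then sleep 30; fi
    done
fi
```

Run it once per server listed in /etc/resolv.conf (e.g. `sh resolvercheck.sh artifactory.my-comp.com 10.160.5.6`): a line ending in `libc-resolver-failure` reproduces the ping symptom and points at the libc side (nsswitch, resolv.conf ordering, a CNAME target with no address), while `no-address` from one server but `ok` from another points at the servers disagreeing.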
Hi there,
I think I have the same issue and posted in the German sub-forum about it (unfortunately no answers yet):
Translated from original post:
Hello dear community,
I recently set up a logging server and through this I stumbled upon the following problem:
The pf firewall does not resolve FQDN firewall aliases once every ~6 minutes. Milliseconds later the same name is resolved correctly:
2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
The above logs are filtered for the same alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine, without any errors or timeouts whatsoever.
My system is running OPNsense 23.7.12; the error already existed with 23.7.10 and likely even before that.
The DNS server used is the local Unbound service.
At System>Settings>General the following settings are *not* checked:
DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system
In my case I am talking about A/AAAA records and not necessarily CNAMEs.
Is this the same issue as yours? If not, please tell me so I can open a new thread in the English forum :-)
Regards,
Senten
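The log excerpt above shows the pattern to look for: a "query name does not exist" line, a resolve run that returned 0 addresses after about 2 seconds (the good runs take 0.01 s), then a successful run milliseconds later. An alias that resolves to 0 addresses empties its pf table until the next run, which is what blocks the traffic in the meantime. When several aliases are affected, a small parser is easier than reading the log by hand. The script below is an added example, not OPNsense code and not posted by anyone in this thread; its sample lines are constructed to match the excerpt's format, with placeholder alias and host names, and the 5-second "recovery window" that separates a transient failure from a lasting one is an arbitrary choice.

```python
"""Summarise OPNsense alias-resolution log lines (added example, not OPNsense code).

Reads lines in the format shown in the post above, groups them per alias and
reports how often a run returned 0 addresses, how often the resolver reported
that the name does not exist, and how many of the empty runs were followed by
a good run within a short window (a transient failure, not a missing record).
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

TS_FMT = "%Y-%m-%d %H:%M:%S.%f"
RESOLVE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) resolving (?P<hosts>\d+) hostnames "
    r"\((?P<addrs>\d+) addresses\) for (?P<alias>\S+) took (?P<secs>[0-9.]+) seconds$"
)
NXDOMAIN_RE = re.compile(
    r"^(?P<ts>\S+ \S+) The DNS query name does not exist: (?P<name>\S+) \[for (?P<alias>\S+)\]$"
)

# Constructed sample in the excerpt's format (newest first, as the GUI shows it).
# "Alias_Artifactory", "Alias_Other" and "artifactory.example.com" are placeholders.
SAMPLE_LOG = """\
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for Alias_Artifactory took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for Alias_Artifactory took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: artifactory.example.com [for Alias_Artifactory]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for Alias_Artifactory took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for Alias_Artifactory took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for Alias_Artifactory took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: artifactory.example.com [for Alias_Artifactory]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for Alias_Other took 0.01 seconds
"""


def parse(lines):
    """Yield (timestamp, alias, kind, detail); kind is 'resolve' (detail = address
    count) or 'nxdomain' (detail = the name the resolver rejected)."""
    for line in lines:
        line = line.strip()
        m = RESOLVE_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["alias"], "resolve", int(m["addrs"])
            continue
        m = NXDOMAIN_RE.match(line)
        if m:
            yield datetime.strptime(m["ts"], TS_FMT), m["alias"], "nxdomain", m["name"]


def analyse(lines, recovery_window=timedelta(seconds=5)):
    """Per-alias counters. 'transient' counts 0-address runs that were followed by a
    run with addresses inside recovery_window (5 s here is an arbitrary choice)."""
    events = sorted(parse(lines), key=lambda e: e[0])  # the log is newest-first; process oldest-first
    stats = defaultdict(lambda: {"runs": 0, "empty": 0, "nxdomain": 0,
                                 "transient": 0, "names": set()})
    last_empty = {}  # alias -> timestamp of its most recent 0-address run
    for ts, alias, kind, detail in events:
        s = stats[alias]
        if kind == "nxdomain":
            s["nxdomain"] += 1
            s["names"].add(detail)
            continue
        s["runs"] += 1
        if detail == 0:
            s["empty"] += 1
            last_empty[alias] = ts
        else:
            t0 = last_empty.pop(alias, None)
            if t0 is not None and ts - t0 <= recovery_window:
                s["transient"] += 1
    return dict(stats)


def report(stats):
    """One line per alias, aliases with the most empty runs first."""
    out = []
    for alias, s in sorted(stats.items(), key=lambda kv: -kv[1]["empty"]):
        out.append(f"{alias}: {s['runs']} runs, {s['empty']} empty, "
                   f"{s['nxdomain']} NXDOMAIN, {s['transient']} transient; "
                   f"names: {', '.join(sorted(s['names'])) or '-'}")
    return "\n".join(out)


if __name__ == "__main__":
    import sys
    # Pass a file exported from the GUI log view, or run without arguments for the sample.
    src = open(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_LOG.splitlines()
    print(report(analyse(src)))
```

An alias whose `empty` count equals its `transient` count is failing only momentarily and recovering on the next run; an alias with `empty` but no `transient` stayed without addresses, which is a different problem. The `names` column tells you which hostname inside a multi-host alias the resolver actually rejected, which the alias name alone does not.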
Seems to be a different issue :(
I'm a bit unclear as to what the problem is. You're using a domain alias in a firewall rule and that's not working correctly?
Can you post screenshots of your alias, the DNS and ping diagnostic pages, and your DNS settings?