OPNsense Forum
Archive => 17.7 Legacy Series => Topic started by: Curly060 on August 11, 2017, 12:48:19 am
-
Hi,
First of all, thanks a lot for the new release. Everything works like a charm, except DNS resolving of external hosts. I am using dnsmasq DNS. My settings are as follows:
- System: Settings: General: no manual DNS server entries
- System: Settings: General: [X] Allow DNS server list to be overridden by DHCP/PPP on WAN
Now I make a query to an external host:
ingo@router:~ % drill google.de
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 36706
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.de. IN A
;; ANSWER SECTION:
;; AUTHORITY SECTION:
;; ADDITIONAL SECTION:
;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Aug 11 00:35:47 2017
;; MSG SIZE rcvd: 27
Why am I getting rcode: REFUSED?
For hosts in the LAN everything works as expected.
If I manually add DNS servers in "System: Settings: General" then it also works, however, I did not have to do this in the 17.1 version.
Any suggestions (apart from switching to Unbound which currently is not yet an option for me).
Cheers, Ingo =;->
-
I spoke too soon. Over night DNS resolving stopped working, so I guess I am having the same problem as others already reported...
The only way to make it work is to manually specify DNS servers and disable "Allow DNS server list to be overridden by DHCP/PPP on WAN".
Cheers, Curly060 =;->
-
The only way to make it work is to manually specify DNS servers and disable "Allow DNS server list to be overridden by DHCP/PPP on WAN".
Surely that should always be specified if you're running a DNS server on the firewall? Although I use my own DNS servers inside the LAN and not dnsmasq, I should also ask (just in case): I assume that dnsmasq is not listening on the WAN interface as well, is it?
-
REFUSED in DNS usually means that your client is not allowed to query the server. Maybe an upstream issue or a misconfiguration.
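As an added illustration (not part of this thread, and not OPNsense or dnsmasq code): a small stdlib-only parser for the DNS header that pulls out the rcode and flags, run over a constructed reply built to match the drill output above (id 36706, flags qr rd ra, rcode REFUSED, one question, 27 bytes). It separates REFUSED (the server answered but declined the client) from SERVFAIL (the server tried and failed), which is the distinction that points at a listener/ACL or missing-forwarder problem rather than a broken upstream.

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
          4: "NOTIMP", 5: "REFUSED"}

def parse_name(msg, offset):
    """Decode an uncompressed DNS name at offset; return (dotted name, next offset)."""
    labels = []
    while True:
        length = msg[offset]
        offset += 1
        if length == 0:
            return ".".join(labels) + ".", offset
        if length & 0xC0:
            raise ValueError("compression pointers are not expected in a question")
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length

def parse_response(msg):
    """Unpack the 12-byte header (RFC 1035 section 4.1.1) and the first question."""
    if len(msg) < 12:
        raise ValueError("truncated DNS header")
    ident, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    info = {"id": ident,
            "qr": bool(flags & 0x8000),   # response, not query
            "rd": bool(flags & 0x0100),   # recursion desired (copied from the query)
            "ra": bool(flags & 0x0080),   # recursion available
            "rcode": RCODES.get(flags & 0x000F, str(flags & 0x000F)),
            "counts": (qd, an, ns, ar)}
    if qd:
        qname, off = parse_name(msg, 12)
        qtype, qclass = struct.unpack("!HH", msg[off:off + 4])
        info["question"] = (qname, qtype, qclass)
    return info

def build_reply(ident, qname, rcode):
    """Construct a reply with QR/RD/RA set, one question, no records (sample data, not a capture)."""
    header = struct.pack("!HHHHHH", ident, 0x8000 | 0x0100 | 0x0080 | rcode, 1, 0, 0, 0)
    name = b"".join(bytes([len(l)]) + l.encode("ascii")
                    for l in qname.rstrip(".").split(".")) + b"\x00"
    return header + name + struct.pack("!HH", 1, 1)  # QTYPE A, QCLASS IN

# Constructed to match the drill output in the thread: id 36706, REFUSED, 27 bytes.
SAMPLE = build_reply(36706, "google.de.", 5)

def explain(msg):
    """REFUSED means the server answered but declined the client; SERVFAIL means it tried and failed."""
    r = parse_response(msg)
    note = {"REFUSED": "declined, not a lookup failure", "SERVFAIL": "upstream failure", "NOERROR": "ok"}
    return "%s id=%d: %s" % (r["rcode"], r["id"], note.get(r["rcode"], "see RFC 1035"))
```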
-
Surely that should always be specified if you're running a DNS server on the firewall?
Why? The DNS servers come from my ISP and that's why I had enabled the setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" in System: Settings: General.
In 16.7 and 17.1 this worked perfectly. Since I haven't changed anything during the upgrade from 17.1 to 17.7 I guess something changed in 17.7.
Although I use my own DNS servers inside the LAN and not dnsmasq, I should also ask (just in case): I assume that dnsmasq is not listening on the WAN interface as well, is it?
Indeed it is not listening on the WAN interface:
Services: Dnsmasq DNS: Settings: Interfaces: DMZ, LAN, Localhost, OpenVPN
Cheers, Curly060 =;->