OPNsense Forum

Archive => 17.7 Legacy Series => Topic started by: Curly060 on August 11, 2017, 12:48:19 am

Title: dnsmasq: cannot resolve external hosts
Post by: Curly060 on August 11, 2017, 12:48:19 am
Hi,

first of all thanks a lot for the new release. Everything works like a charm, except DNS resolving of external hosts. I am using dnsmasq DNS. My settings are as follows:

Now I make a query to an external host:
Code:
ingo@router:~ % drill google.de
;; ->>HEADER<<- opcode: QUERY, rcode: REFUSED, id: 36706
;; flags: qr rd ra ; QUERY: 1, ANSWER: 0, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;; google.de. IN A

;; ANSWER SECTION:

;; AUTHORITY SECTION:

;; ADDITIONAL SECTION:

;; Query time: 0 msec
;; SERVER: 127.0.0.1
;; WHEN: Fri Aug 11 00:35:47 2017
;; MSG SIZE  rcvd: 27

Why am I getting rcode: REFUSED?

For hosts in the LAN everything works as expected.

If I manually add DNS servers in "System: Settings: General" then it also works, however, I did not have to do this in the 17.1 version.

Any suggestions (apart from switching to Unbound, which currently is not yet an option for me)?

Cheers, Ingo =;->
Title: Re: dnsmasq: cannot resolve external hosts
Post by: Curly060 on August 12, 2017, 01:55:17 am
I spoke too soon. Overnight, DNS resolving stopped working, so I guess I am having the same problem as others already reported...

Only way to make it work is to manually specify DNS servers and disable "Allow DNS server list to be overridden by DHCP/PPP on WAN".

Cheers, Curly060 =;->
Title: Re: dnsmasq: cannot resolve external hosts
Post by: phoenix on August 12, 2017, 08:46:43 am
Only way to make it work is to manually specify DNS servers and disable "Allow DNS server list to be overridden by DHCP/PPP on WAN"
Surely that should always be specified if you're running a DNS server on the firewall? Although I use my own DNS servers inside the LAN and not dnsmasq, I should also ask (just in case): I assume that dnsmasq is not listening on the WAN interface as well, is it?
Title: Re: dnsmasq: cannot resolve external hosts
Post by: fabian on August 12, 2017, 12:13:29 pm
Refused in DNS usually means that your client is not allowed to query the server. Maybe an upstream issue or a misconfiguration.
Title: Re: dnsmasq: cannot resolve external hosts
Post by: Curly060 on August 13, 2017, 09:50:26 am
Surely that should always be specified if you're running a DNS server on the firewall?

Why? The DNS servers come from my ISP and that's why I had enabled the setting "Allow DNS server list to be overridden by DHCP/PPP on WAN" in System: Settings: General.
In 16.7 and 17.1 this worked perfectly. Since I haven't changed anything during the upgrade from 17.1 to 17.7 I guess something changed in 17.7.

Although I use my own DNS servers inside the LAN and not dnsmasq, I should also ask (just in case): I assume that dnsmasq is not listening on the WAN interface as well, is it?

Indeed it is not listening on the WAN interface:
Services: Dnsmasq DNS: Settings: Interfaces: DMZ, LAN, Localhost, OpenVPN

Cheers, Curly060 =;->
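
Added example, not written by anyone in this thread: a small Python decoder for the kind of reply shown in the drill output of the first post, showing that a 27-byte REFUSED answer is only the DNS header plus the echoed question. The function names build_reply and parse_reply are hypothetical, and the sample message is constructed from the values in that output (id 36706, flags qr rd ra, question google.de A).

```python
import struct

RCODES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL",
          3: "NXDOMAIN", 4: "NOTIMP", 5: "REFUSED"}
FLAG_BITS = (("qr", 0x8000), ("aa", 0x0400), ("tc", 0x0200),
             ("rd", 0x0100), ("ra", 0x0080))

def build_reply(qid, name, flags_word):
    """Constructed sample: header plus one IN/A question, no records."""
    header = struct.pack("!6H", qid, flags_word, 1, 0, 0, 0)
    qname = b"".join(bytes([len(l)]) + l.encode("ascii")
                     for l in name.rstrip(".").split(".")) + b"\x00"
    return header + qname + struct.pack("!2H", 1, 1)  # qtype A, qclass IN

def parse_reply(msg):
    """Decode the header and the first question of a DNS message."""
    if len(msg) < 12:
        raise ValueError("shorter than a DNS header")
    qid, flags, qd, an, ns, ar = struct.unpack("!6H", msg[:12])
    pos, labels = 12, []
    while qd:  # walk the length-prefixed labels of the question name
        if pos >= len(msg):
            raise ValueError("truncated question name")
        n = msg[pos]
        pos += 1
        if n == 0:
            break
        if n & 0xC0 or pos + n > len(msg):
            raise ValueError("unexpected pointer or truncated label")
        labels.append(msg[pos:pos + n].decode("ascii"))
        pos += n
    code = flags & 0x000F
    return {
        "id": qid,
        "flags": [name for name, bit in FLAG_BITS if flags & bit],
        "rcode": RCODES.get(code, str(code)),
        "counts": (qd, an, ns, ar),
        "qname": ".".join(labels) + "." if labels else "",
        "size": len(msg),
    }

if __name__ == "__main__":
    # 0x8185 = qr | rd | ra | rcode 5, as in the drill output above
    sample = build_reply(36706, "google.de", 0x8185)
    for key, value in parse_reply(sample).items():
        print(f"{key}: {value}")
```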