16.7 Legacy Series / DNS resolving takes seconds, caching does not work
« on: January 20, 2017, 03:36:42 pm »
Hi,
I ran into a series of strange problems with the DNS resolver and the firewall. DNS queries take ~5 sec to resolve and it seems like the caching does not work since the same query issued immediately after takes 5 secs again. When querying 8.8.8.8 directly, the query only takes 53 msec.
Then I took a look in the firewall log and saw these very strange packets on my WAN interface:
pass - wan(OUT) - from: 79.221.XXX.XXX:31056 - to: 10.4.0.1:53 - UDP
Neither do I use the destination IP range 10.4.0.0/16 anywhere on my internal net, nor did I specify it anywhere to be used for DNS lookups. Furthermore, I have enabled blocking bogons on my WAN interface, and I have in addition set up custom quick rules to block martian packets on WAN, including 10.0.0.0/8. When I clicked the pass button to find out what rule allowed the packet to pass, it says:
@93 pass out log inet6 all flags S/SA keep state allow-opts label "let out anything IPv6 from firewall host itself"
Apart from the fact that this rule is for inet6 and the packet in question was an IPv4 packet, I cannot find the location where this rule is defined.
Some additional information:
running 16.7.13 with the latest updates installed
using the DNS resolver from the Services tab (unbound 1.5.7)
Thanks
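An added check, not part of the original post or of OPNsense itself: a small parser for log lines in the shape quoted above that flags passed outbound WAN packets to port 53 whose destination lies in RFC 1918 or other martian space, which is exactly the pattern the poster noticed. The sample lines are constructed (RFC 5737 documentation addresses stand in for the redacted WAN address), and the martian list is assumed, not taken from the firewall's own bogon table.

```python
import ipaddress
import re

# Constructed sample entries in the format of the quoted firewall log line.
# The source address is a documentation address, not a real host.
SAMPLE_LOG = """\
pass - wan(OUT) - from: 203.0.113.5:31056 - to: 10.4.0.1:53 - UDP
pass - wan(OUT) - from: 203.0.113.5:40211 - to: 8.8.8.8:53 - UDP
pass - lan(IN) - from: 192.168.1.20:51000 - to: 192.168.1.1:53 - UDP
block - wan(IN) - from: 198.51.100.9:4444 - to: 203.0.113.5:22 - TCP
"""

# Assumed list of prefixes that should never be the destination of a
# DNS query leaving the WAN interface (RFC 1918 plus common martians).
MARTIANS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.0.0.0/24", "192.0.2.0/24",
    "192.168.0.0/16", "198.18.0.0/15", "224.0.0.0/4", "240.0.0.0/4",
)]

# action - iface(DIR) - from: src:sport - to: dst:dport - proto
LINE_RE = re.compile(
    r"^(?P<action>\w+) - (?P<iface>\w+)\((?P<dir>IN|OUT)\) - "
    r"from: (?P<src>[\d.]+):(?P<sport>\d+) - "
    r"to: (?P<dst>[\d.]+):(?P<dport>\d+) - (?P<proto>\w+)$"
)


def parse_line(line):
    """Return a dict of fields for one log line, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def is_martian(addr):
    """True if addr falls inside any prefix in MARTIANS."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in MARTIANS)


def suspicious_wan_dns(log_text):
    """Passed, outbound WAN packets to port 53 whose destination is martian."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # skip lines that are not in the expected format
        if (rec["action"] == "pass" and rec["iface"] == "wan"
                and rec["dir"] == "OUT" and rec["dport"] == 53
                and is_martian(rec["dst"])):
            hits.append(rec)
    return hits
```

Running `suspicious_wan_dns(SAMPLE_LOG)` flags only the packet to 10.4.0.1, which is the kind of entry worth correlating with the resolver's configured forwarders before trusting the bogon rules.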