DNS not working from firewall, OK from LAN

[an74ho]

Hello,

I have a fresh installation (OPNsense 22.7.10_2-amd64). I configured my WAN and my LAN, the computers on the LAN side have proper internet access.

I put cloudflare DNS into the DHCP settings for LAN, because the OPNsense computer is not able to resolve DNS:

If I try

Code Select Expand

host opnsense.org 1.1.1.1

I get:

Code Select Expand

;; connection timed out; no servers could be reached

Although pinging 1.1.1.1 and pinging opnsense.org by ip adress both work fine.

Doing

Code Select Expand

nslookup opnsense.org 1.1.1.1
from a LAN computer works fine as well.

I tried adding PASS rules for DNS requests, disabling pf, and messing up with opnsense configuration, but I could not solve the problem.

What can I try to diagnose the issue?

Thanks

[phoenix]

I put cloudflare DNS into the DHCP settings for LAN, because the OPNsense computer is not able to resolve DNS:

Are your LAN computers given IP addresses & DNS server IPs via DHCP? What do you mean by "OPNsense computer is not able to resolve DNS:"?

[an74ho]

Are your LAN computers given IP addresses & DNS server IPs via DHCP? What do you mean by "OPNsense computer is not able to resolve DNS:"?

Hi,

Yes LAN computers are recieving ip adresses and DNS servers as configured in the dhcp settings.

By opnsense computer I mean the computer with both the WAN and LAN interfaces on which opnsense is running.

From the shell on said computer I can ping ip addresses but not hostnames. Furthermore, both the host and drill commands are failling.

[phoenix]

Just for confirmation, do you have a DNS server entry in System/Settings/General?

[Vilhonator]

There are few reasons that I know of, which could cause this, so let's break things to parts, so we can try to figure out which it could be.

Diagnostics:

Go to Interfaces ---> Diagnostics ---> DNS lookup and type google.com on "Hostname or IP" (leave "server" field empty) then click apply. If under "server" you see list of public IPv4 and / or IPv6 addresses and under "Answer" has correct google.com addresses, then your WAN receives response on DNS and quite possibly, culprit is having enabled IPv6 on LAN, in which case you have to enable IPv6 on unbound settings.

On windows, you can confirm this by opening command prompt, type "nslookup" without quotations and press enter, if you get time out and finally server is Unknown with IPv6 address, your machine is trying to use IPv6 DNS, instead of IPv4.

If DNS lookup on Opnsense gives incorrect responds on address and/or host:

First check that you have setup correct DNS servers in System ---> Settings ---> General, there should be at least 1 IPv4 and 1 IPv6 DNS server. If you don't know (or care) any DNS servers you want to use, leave DNS server fields empty and check "Allow DNS server list to be overridden by DHCP/PPP on WAN" option, choose all interfaces except WAN, under "exclude interfaces", if you have your own local DNS records (not that essential unless you are hosting multiple servers and want to avoid having to remember local IPs of each one) save and apply changes and run same diagnostic again explained in diagnostics section.

If you want to (or have to) use specific DNS servers, type the IPv4 and IPv6 addresses of each server on dns server field and uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN", save and apply changes and run diagnostics explained in diagnostics section again.

Servers are fine, but still I get randomly IPv4 and IPv6 time out thingy when running nslookup on my computer:

Check the option "Prefer to use IPv4 even if IPv6 is available" option if you still need IPv6, if you don't need IPv6, disable it from WAN and LAN in Interfaces ---> LAN/WAN and choose "none" next to "IPv6 Configuration Type", save and apply changes, go to your computers ethernet / wifi settings, and disable IPv6 and run diagnostics explained in diagnostics section again.

Issue I explain above happens, whenever you have enabled IPv6 and there's a conflict with IPv6 DNS, meaning your computer for some reason, receives response first from IPv6 and either IPv6 DHCP or IPv6 DNS isn't configured properly, or something similar.

Funny thing with networking, is that your computer will connect to first host which belongs to domain hosting multiple servers you try to connect to, unless specified otherwise (either by separation of host names and public / local IPs or different ports) DNS default port is 53 for both IPv6 and IPv4, so obviously you might run into situation, where IPv6 DNS just so happens to be more faster to respond, than IPv4

Same thing can happen when you are hosting let's say webserver on 443 https port and don't have local ip address of host of that webserver included in local DNS records, when trying to connect to it typing domain name, your computer will connect to opnsense instead (unless you have port forwarded port 443 to local IP of your webserver and network it is connected is being blocked gaining access to opnsense web gui)

[an74ho]

Just for confirmation, do you have a DNS server entry in System/Settings/General?

I tried with my ISP DNS, with cloudflare DNS, and without any DNS.

The result is the same.

Anyways, using host opnsense.org 1.1.1.1 should query 1.1.1.1 DNS server regardless of the settings, no?

[an74ho]

If you want to (or have to) use specific DNS servers, type the IPv4 and IPv6 addresses of each server on dns server field and uncheck "Allow DNS server list to be overridden by DHCP/PPP on WAN", save and apply changes and run diagnostics explained in diagnostics section again.

Servers are fine, but still I get randomly IPv4 and IPv6 time out thingy when running nslookup on my computer

Thanks for the detailed rundown. I didn't mention it in my post, but actually everything works fine with ipv6. I disable all ipv6 configuration (wan / ipv6 set to None and lan / ipv6 set to None).

I am trying to debug specifically reaching an ipv4 DNS.

Diagnostics:

Go to Interfaces ---> Diagnostics ---> DNS lookup and type google.com on "Hostname or IP" (leave "server" field empty) then click apply. If under "server" you see list of public IPv4 and / or IPv6 addresses and under "Answer" has correct google.com addresses, then your WAN receives response on DNS and quite possibly, culprit is having enabled IPv6 on LAN, in which case you have to enable IPv6 on unbound settings.

The DNS lookup from opnsense is not working, I either get no response (when I leave the server field empty), either get Error: error sending query: Error creating socket when I add a DNS ip address (1.1.1.1)

On windows, you can confirm this by opening command prompt, type "nslookup" without quotations and press enter, if you get time out and finally server is Unknown with IPv6 address, your machine is trying to use IPv6 DNS, instead of IPv4.

That's the weird part, nslookup is working fine from a LAN computer (directly to a third party DNS server).
nslookup targeting unbound running on opnsense give me Server failed. (which make sense, because opnsense can't resolve DNS name, see above).

[Vilhonator]

Try adding google dns 8.8.8.8 and 8.8.4.4 or leave them empty and check "Allow DNS server list to be overridden by DHCP/PPP on WAN".

After that, reboot opnsense or reload all services via ssh and see if that works.

Reason might be DNSSEC (if 1.1.1.1 has that and you have enabled it).

Another way you might fix the issue is to go to NAT ---> Port forwarding and create rule which has interface as LAN, TCP/IP version set to IPv4, prtocol TCP/UDP, source any, destination LAN address, destination port DNS, redirect address 127.0.0.1, click save and apply changes, move to Firewall ---> rules ---> LAN and move the dns forward rule the top of the rule list then apply changes.

[JL]

how about

host -v opnsense.org

?

or

host -U -v opnsense.org

?

[Vilhonator]

From the shell on said computer I can ping ip addresses but not hostnames. Furthermore, both the host and drill commands are failling.

Sorry noticed this just now, I have had similar problems with my opnsense from time to time (in addition, when this happens, I can't connect to my webservers using hostnames instead of IPs.)

Reason why this happens is because you have either domain which public IP is the public IP of your opnsense and your opnsense DNS is missing the local IP address of hosts, which conflict with public DNS, or you are running webservers etc. on a machine which has different hostname than the server host is and that local DNS record is missing.

Way I manage to usually fix this, is to first let any machine receive their own IPs via DHCP. then check the IP server receives, then go to DHCP ---> Leases and add the IP in question to static reserves.

After that, I go to Services ---> Unbound DNS ---> Overrides and add new host override (see picture for my truenas).

When you connect machines to your network, the machine name (unless running server OS like truenas) becomes hostname.youropnsensedomain.tld and you have to either change the name of the server machine, add static DHCP record and input hostname and domain manually, or add dns override)

way you are able to see if this is the issue, is to open command prompt, and type nslookup [local IP of any machine you want to check the record for] (for example with default settings, nslookup 192.168.1.1 should give you answer of hostname and domain of your opnsense and both, it's public and local IP, that's because you configure them the first time you login to web gui, if that displays more than one public IP, then hostname in question is found on public DNS with outdated or secondary public IP)