Firewall IP Aliases sporadically not being resolved

[Senten]

Hi there,

I already posted about this issue in the german sub forum but didn't get any response there, so I am reposting in the international section.

Translated from original post:

Hello dear community,

I recently set up a logging server and through this i stumbled upon the following problem:

The pf firewall randomly does not resolve FQDN firewall aliases. Milliseconds later the same name is resolved correctly:

Code: [Select]

2024-01-18 08:25:06.560 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:19:08.284 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:32.324 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:18:05.878 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:08.150 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:12:07.930 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:12:07.910 The DNS query name does not exist: ##### [for #####]
2024-01-18 08:07:03.941 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 08:01:07.082 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 08:01:06.983 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 08:01:06.973 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:55:09.124 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:50:04.179 resolving 1 hostnames (1 addresses) for ##### took 0.02 seconds
2024-01-18 07:44:08.971 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:44:08.300 resolving 1 hostnames (0 addresses) for ##### took 2.03 seconds
2024-01-18 07:44:08.284 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:38:06.104 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:38:06.002 resolving 1 hostnames (0 addresses) for ##### took 2.04 seconds
2024-01-18 07:38:05.982 The DNS query name does not exist: ##### [for #####]
2024-01-18 07:32:06.035 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
2024-01-18 07:26:06.578 resolving 1 hostnames (1 addresses) for ##### took 0.01 seconds
The above logs are filtered for the same Alias (even though others are affected too). The FQDN can be resolved using dig or nslookup just fine without any errors or timeouts or whatsoever.

My system is running OPNsense 23.7.12 24.1_1, the error existed already with 23.7.10 and likely even before that.

The dns server used is the local unbound service.

At System>Settings>General the following settings are *not* checked:

Code: [Select]

DNS server options
[ ] Allow DNS server list to be overridden by DHCP/PPP on WAN
[ ] Do not use the local DNS service as a nameserver for this system

Does anybody here have an idea what the cause could possibly be or what I could take a more detailed look at?

Thank you in advance!

Regards,
Senten

[karlkrnl]

Hi,
I have the same issue with a free duckdns.org domain (the nameservers have high latency) and TTL is 60 seconds,
enabling Advanced > Serve Expired Responses seems to solve the problem.

Not sure if it's the right approach.

[Senten]

Hi and thanks for sharing your experience!

Was your problem with local dns resolving, too?
Sounds like you are using external dns servers:

I have the same issue with a free duckdns.org domain (the nameservers have high latency)

If so, you likely had a different issue, as my problem only exists with locally hosted RRs in my xyz.local domain.

I tried your suggested setting though but the same error logs are still appearing with every ip alias resolving period.

[karlkrnl]

Hi,
yeah my problem was with a firewall alias resolved by Unbound DNS,
the record A is on an external DNS duckdns.org (high latency), the problem occured when the DNS query took more than 5 seconds (but not always), probably timeout, in that case Unbound returned (0 addresses), after enabling Advanced > Serve Expired Responses, the problem was resolved; It could still fail on first DNS query after firewall restart / reboot (but for now no problems).

Here's my log, before:

2024-02-04T11:30:02   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 2.13 seconds
2024-02-04T11:24:06   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 5.48 seconds
2024-02-04T11:18:02   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 2.13 seconds
2024-02-04T11:12:05   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 5.45 seconds
2024-02-04T11:06:03   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 3.43 seconds
2024-02-04T11:00:05   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 5.48 seconds
2024-02-04T10:54:05   Notice   firewall    resolving 1 hostnames (0 addresses) for WAN_EXT took 5.45 seconds
2024-02-04T10:48:01   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.69 seconds
2024-02-04T10:42:05   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 4.95 seconds
2024-02-04T10:36:01   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.95 seconds
2024-02-04T10:30:04   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 3.75 seconds
2024-02-04T10:24:03   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 2.67 seconds
2024-02-04T10:18:04   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 4.36 seconds
2024-02-04T10:12:05   Notice   firewall    resolving 1 hostnames (0 addresses) for WAN_EXT took 5.13 seconds
2024-02-04T10:06:04   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 4.10 seconds

Here's my log after:

2024-02-10T09:46:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.28 seconds
2024-02-10T09:40:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:35:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:29:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:23:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:17:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:11:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T09:05:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T08:59:00   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.01 seconds
2024-02-10T08:53:01   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 0.56 seconds
first query after reboot >>> 2024-02-10T08:47:49   Notice   firewall    resolving 1 hostnames (1 addresses) for WAN_EXT took 2.17 seconds

Let me know if you need more info.

Thanks.