pfSense not able to resolve its own DNS queries

I have pfSense DNS resolver & pfBlocker-ng set up. DNS resolver works for all of my devices (computers, phones, etc.).

However, when I logged into pfSense, I noticed it was not able to check for updates. Also, the list of available packages is empty.

As a side note, I also noticed web pages take longer to load (I’m guessing it’s a misconfiguration on my part somewhere). This didn’t happen when I had my Pi-Hole set up.

Steps Taken:

I tried adding a firewall allow rule to see if that would fix it.

  • [Normal] Reboot
  • Checked /usr/local/share/pfSense/pkg/repos/pfSense-repo.conf to see if path was correct
  • Disabling pfBlocker-ng
  • Pinging (I can ping IP addresses, eg. 9.9.9.9, but not domains, eg. google.ca)

I have firewall rules to block external DNS servers, and explicitly allow traffic to my DNS. I think silently forwarding requests to external DNS to my DNS would be better, but I digress.

Any suggestions will be appreciated.

Not sure if that is related, but what is set under System -> General Setup -> DNS Server Settings -> DNS Resolution Behavior?

Use local DNS (127.0.0.1), ignore remote DNS servers

Under Services -> DNS Resolver -> General Settings -> Network Interfaces, is the Localhost option enabled?

I have it set to All

This is a complete shot in the dark; I have a Netgate appliance with the same behavior running Tailscale. When I disable Tailscale, I get local DNS back.

This is weird. Now pfS can check for updates and load available packages in the package manager again.

There’s an update to pfBlockerNG Devel, so hopefully that should

I don’t have the Tailscale package installed, but I do have Wireguard installed, but not setup. I can try uninstalling it until I’m ready to set it up.

I am not an IT professional, and I manage many sites for my family and their business.

I wanted to transition to Tailscale, but it has caused local DNS issues on two firewalls. I was just curious if it was the same for someone else.

Sorry that didn’t help out.

No prob. Any suggestions & ideas help narrow down the issue.

As far as your family is concerned, you are the IT pro of the family. I was the same when my parents ran their businesses before they retired.

And despite becoming an electrician, family members still hire me for their computer/networking issues. So you’ll always be their IT Pro for the rest of your life. lol


@OP, first, fix any DNS resolution for pfsense itself:
1- What are its own DNS? (aka 8.8.8.8 & 1.1.1.1) in the System DNS settings?
2- On the pfsense CLI, can it resolve FQDNs and ping them? (What does nslookup return as the used DNS IP address?)
3- pfsense itself must use a proper DNS resolver if it is not itself (best practice: for pfsense itself, use publicly known and resilient DNS (Google, Level1, etc), not pi-hole or other in-house DNS resolver)
4- Is pfsense at the latest stable release?
5- Do you still have any old rules (NATing rules) that steer requests to Pi-hole?
6- For your clients, they can use whatever you steer them to (pi-hole, pf-blocker, pfsense itself) - it is independent of what pfsense uses unless you make them use the same as pfsense

The behavior you have looks like a timeout of the DNS used and then a fallback to something else because you are testing from a Windows machine (DNS servers are tried sequentially - bad implementation from Microsoft since forever - on a *nix/Linux machine DNS servers are tried in parallel and the first one that resolves is used - the right way to use DNS)

Good luck!
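Item 2 above (checking from the pfSense CLI which resolver actually answers) can be done without depending on nslookup's own fallback order. The following is an added example, not code from this thread or from pfSense: it sends one A query directly to every nameserver listed in /etc/resolv.conf and reports which ones answer, time out, or return an error code. The path /etc/resolv.conf, the query name google.ca and the 2-second timeout are assumptions; the resolv.conf and packet bytes used in testing are constructed.

```python
import secrets, socket, struct

def parse_resolv_conf(text):
    """Nameserver IPs in resolv.conf order (127.0.0.1 first under 'Use local DNS')."""
    return [l.split()[1] for l in text.splitlines()
            if l.strip().startswith("nameserver") and len(l.split()) > 1]

def build_query(name, txid):
    """Minimal RFC 1035 A query with RD=1, as a stub resolver would send it."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    labels = b"".join(bytes([len(p)]) + p.encode() for p in name.strip(".").split("."))
    return header + labels + b"\x00" + struct.pack("!HH", 1, 1)

def _skip_name(data, pos):                 # step over a possibly-compressed name
    while data[pos] != 0 and data[pos] & 0xC0 != 0xC0:
        pos += data[pos] + 1
    return pos + (2 if data[pos] & 0xC0 == 0xC0 else 1)

def parse_response(data, txid):
    """(rcode, [A records]) from a reply; ValueError if it isn't a reply to txid."""
    rid, flags, qd, an, _, _ = struct.unpack("!HHHHHH", data[:12])
    if rid != txid or not flags & 0x8000:
        raise ValueError("not a reply to our query")
    pos, addrs = 12, []
    for _ in range(qd):                    # question: name + QTYPE + QCLASS
        pos = _skip_name(data, pos) + 4
    for _ in range(an):                    # answer: name, type, class, ttl, rdlen, rdata
        pos = _skip_name(data, pos)
        rtype, _, _, rdlen = struct.unpack("!HHIH", data[pos:pos + 10])
        pos += 10
        if rtype == 1 and rdlen == 4:
            addrs.append(socket.inet_ntoa(data[pos:pos + 4]))
        pos += rdlen
    return flags & 0x000F, addrs

def query(server, name="google.ca", timeout=2.0):
    """Ask one resolver directly on UDP/53; None means it never answered."""
    txid = secrets.randbelow(65536)        # unpredictable ID, as a real resolver uses
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(build_query(name, txid), (server, 53))
            return parse_response(sock.recv(512), txid)
        except socket.timeout:
            return None

if __name__ == "__main__":                 # run on the pfSense box itself (assumed path)
    for srv in parse_resolv_conf(open("/etc/resolv.conf").read()):
        r = query(srv)
        print(srv, "no answer (timeout)" if r is None else f"rcode={r[0]} A={r[1]}")
```

A resolver that times out while 127.0.0.1 answers (or the reverse) tells you which side of the "Use local DNS" setting is broken, which nslookup's silent fallback hides.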

I mentioned 2 days ago that I managed to get it working again. I think one of the issues was Pi-Hole had issues accessing the internet.

I don’t know why, but it is now working again.

4- (Now that it can check again) Yes it is.

1- Dashboard says it’s 127.0.0.1 & 192.168.0.1.

3 & 6), the only way I can see you can set a different DNS for pfSense from the rest of the networks is if you set it to public DNS servers in General Setup, and manually define your internal (Pi-Hole, etc.) DNS server(s) in the DHCP configuration for each network.

From what you explained about how Windows checks to see which DNS is up versus how *nix does it, it sounds like a holdover from some old limitation from the DOS or Windows 3.1 era that Microsoft never fixed and updated (If it ain’t broke…).

Thank you for your extensive list of troubleshooting.

I’m pretty sure if you set your general settings to local only DNS then your pfsense won’t be able to resolve.

When it comes to pfblocker all queries are run back through the gateway address or the address you set in DHCP (like pihole) and then hit an upstream dns from there.

I ran into an issue with acme certificates on pfsense because I was trying to use local dns also. It seems that setting is specifically for pfsense only, for its own resolution. I switched to quad 9 DNS servers and set the general DNS to “remote DNS only” or whatever it’s called and everything cleared right up.