I have pfSense DNS resolver & pfBlocker-ng setup. DNS resolver works for all of my devices (computers, phones, etc.).
However, when I logged into pfSense, I noticed it was not able to check of updates. Also, the list of available packages is empty.
As a side note, I also web pages take longer to load (I’m guessing it’s a misconfiguration on my part somewhere). This didn’t happen when I had my Pi-Hole setup.
I tried adding a firewall allow rule to see if that would fix it.
- [Normal] Reboot
/usr/local/share/pfSense/pkg/repos/pfSense-repo.conf to see if path was correct
- Disabling pfBlocker-ng
- Pinging (I can ping IP addresses, eg. 188.8.131.52, but not domains, eg. google.ca)
I have firewall rules to block external DNS servers, and explicitly allow to my DNS. I think silently forwarding requests to external DNS to my DNS, would be better, but I digress.
Any suggestions will be appreciated.
Not sure it that is related, but what is set under
System -> General Setup -> DNS Server Settings -> DNS Resolution Behavior?
Use local DNS (127.0.0.1), ignore remote DNS servers
Services -> DNS Resolver -> General Settings -> Network Interfaces, is the
Localhost option enabled?
This is a complete shot in the dark; I have a Netgate appliance with the same behavior running Tailscale. When I disable Tailscale, I get local DNS back.
This is weird. Now pfS can check for updates and load available packages in the package manager again.
There’s an update to pfBlockerNG Devel, so hopefully that should
I don’t have the Tailscale package installed, but I do have Wireguard installed, but not setup. I can try uninstalling it until I’m ready to set it up.
I am not an IT professional, and I manage many sites for my family and their business.
I wanted to transition to Tailscale, but it has caused local DNS issues on two firewalls. I was just curious if it was the same for someone else.
Sorry that didn’t help out.
No prob. Any suggestions & ideas help narrow down the issue.
As far as your family is concerned, you are the IT pro of the family. I was the same when my parents ran their businesses before they retired.
And despite becoming an electrician, family members still hire me for their computer/networking issues. So you’ll always be their IT Pro for the rest of your life. lol
@OP, first, fixe any DNS resolution for pfsense itself:
1- What are its own DNS ? (aka 184.108.40.206 & 220.127.116.11) in the System DNS settings?
2- On the pfsense CLI, can it resolves FQDN and ping those them? (What does nslookup returns as used DNS IP address?)
3- pfsense itself must use proper DNS resolver if it is not itself (best practice: for pfsense itself, use publicly known and resilient DNS (Google, Level1, etc), not pi-hole or other in-house DNS resolver)
4- Is pfsense at the latest stable release?
5- Do you still have any old rules (NATing rules) that steers requests to Pi-hole?
6- For you clients, they can you whatever you steer them into (pi-hole, pf-blocker, pfsense itself) - it is independant of what pfsense use unless you make them use the same as pfsense
The behavior you have looks like a timeout of the DNS used and then a fallback to something else because you are testing from a Windows machine (DNS are tried sequentially - bad implementation from Microsoft since forever - on a *nix/Linux machine DNS are tried in parallel and uses the first one that resolve - the right way to use DNS)
I mentioned 2 days ago that I managed to get it working again. I think one of the issues was Pi-Hole had issued accessing the internet.
I don’t know why, but it is now working again.
4- (Now that it can check again) Yes it is.
1- Dashboard says it’s 127.0.0.1 & 192.168.0.1.
3 & 6), the only way I can see you can set a different DNS for pfSense from the rest of the networks is if you set to public DNS servers in
General Setup, and manually defined your internal (Pi-Hole, etc.) DNS server(s) in the DHCP configuration for each network.
From what you explained about how Windows checks to see which DNS is up verses how *nix does it, it sounds like a holdover from some old limitation from the DOS or Windows 3.1 era that Microsoft never fixed and updated (If it ain’t broke…).
Thank you for your extensive list of troubleshooting.
I’m pretty sure if you set your general settings to local only DNS then your pfsense won’t be able to resolve.
When it comes to pfblocker all queries are ran back through the gateway address or the address you set in DHCP (like pihole) and then hit an upstream dns from there.
I ran into an issue with acme certificates on pfsense because I was trying to use local dns also. It seems that setting is specifically for pfsense only for its self resolution. I switch to quad 9 DNS servers and set the general DNS to “remote DNS only” or whatever it’s called and everything cleared right up.