Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 2014-02-14 18:51, Chris Bagnall wrote:
> On 14/2/14 4:48 pm, Thinker Rix wrote:
>> Any ideas what could be the problem?
>
> Have you tried entering the DNS servers your ISP supplies via PPP or DHCP (look on the Status -> Interfaces page, they should be listed on there) manually on the General settings page, then disabling DNS via PPP/DHCP?
>
> You might need to restart to force the URLs to be looked up again...
>
> Would be interesting to see what effect that has on things.
>
> Kind regards,
> Chris

Chris,

I went to General Setup > DNS Servers and
1. Entered the 2 DNS IPs of my ISP
2. Deactivated "Allow DNS server list to be overridden by DHCP/PPP on WAN"
3. Rebooted

As soon as I delete one of the IPs in the aliases and just leave the domain names, it is broken. So it seems that pfsense still is unable to resolve the IPs of the domains.

Best regards
Thinkerix

___
List mailing list
List@lists.pfsense.org
http://lists.pfsense.org/mailman/listinfo/list
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 14/02/2014 16:48, Thinker Rix wrote:
> - Everything works fine, pfsense can resolve IPs. Examples: The dashboard says that I am on the latest version (=url is resolved), diagnostics>ping and diagnostics>traceroute work with domain names.
> ...
> Any ideas what could be the problem?

I suggest that you go to the command line, run

    # tcpdump -i bce0 -nnv -s0 udp port 53     # replace bce0 as appropriate

and then reload the aliases, and see what DNS traffic is generated. Look carefully at source and destination IPs.

I'd also try adding 8.8.8.8 and 8.8.4.4, at least temporarily, as your hard-coded DNS servers, and see if that makes a difference.
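
The capture check suggested above, as an added example that is not part of the original message: a Python script that reads saved `tcpdump -nn` output (with or without `-v`) and reports, for each queried name, which resolvers were asked and what came back. The function name, hostnames and addresses are constructed for illustration, and it assumes the capture was taken on the WAN interface so that every query seen leaves the firewall.

```python
import re
from collections import defaultdict

# Address part of a `tcpdump -nn` DNS line; with -v it sits on an indented
# continuation line, so search() is used instead of match().
DNS_LINE = re.compile(
    r"(?P<src>\d+(?:\.\d+){3})\.(?P<sport>\d+) > "
    r"(?P<dst>\d+(?:\.\d+){3})\.(?P<dport>\d+): (?P<id>\d+)(?P<rest>.*)"
)
QUERY = re.compile(r"\b(?:A|AAAA)\? (?P<name>\S+?)\.? ")
ERROR_RCODES = ("ServFail", "NXDomain", "Refused")  # as printed by tcpdump

# Constructed sample capture: one query to a stale resolver that never
# answers, one query to a current resolver that does.
SAMPLE = """\
16:48:01.100000 IP (tos 0x0, ttl 64, id 1, offset 0, flags [none], proto UDP (17), length 62)
    192.0.2.10.53124 > 203.0.113.53.53: 4660+ A? mail.example.com. (34)
16:48:02.100000 IP 192.0.2.10.40001 > 198.51.100.1.53: 4661+ A? updates.example.net. (37)
16:48:02.130000 IP 198.51.100.1.53 > 192.0.2.10.40001: 4661 1/0/0 A 192.0.2.80 (53)
"""

def audit_dns_capture(capture, expected_resolvers):
    """Return ({name: {resolver: status}}, resolvers queried but not expected)."""
    pending = {}                    # (client, resolver, query id) -> name
    report = defaultdict(dict)
    for line in capture.splitlines():
        m = DNS_LINE.search(line)
        if not m:
            continue
        if m["dport"] == "53":      # query going out to a resolver
            q = QUERY.search(m["rest"])
            if q:
                report[q["name"]].setdefault(m["dst"], "no reply")
                pending[(m["src"], m["dst"], m["id"])] = q["name"]
        elif m["sport"] == "53":    # response; pair it with its query
            name = pending.pop((m["dst"], m["src"], m["id"]), None)
            if name:
                failed = any(rc in m["rest"] for rc in ERROR_RCODES)
                report[name][m["src"]] = "error" if failed else "answered"
    queried = {r for per_name in report.values() for r in per_name}
    return dict(report), queried - set(expected_resolvers)

if __name__ == "__main__":
    names, stale = audit_dns_capture(SAMPLE, {"198.51.100.1", "198.51.100.2"})
    print(names, "unexpected resolvers:", stale)
```

A name whose only resolver shows "no reply" or "error", or any entry in the unexpected set, points at lookups going to servers other than the ones listed on the dashboard.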
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 14/2/14 4:48 pm, Thinker Rix wrote:
> Any ideas what could be the problem?

Have you tried entering the DNS servers your ISP supplies via PPP or DHCP (look on the Status -> Interfaces page, they should be listed on there) manually on the General settings page, then disabling DNS via PPP/DHCP?

You might need to restart to force the URLs to be looked up again...

Would be interesting to see what effect that has on things.

Kind regards,
Chris
--
This email is made from 100% recycled electrons
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 2014-02-14 17:57, Chris Bagnall wrote:
> On 14/2/14 3:37 pm, Thinker Rix wrote:
>> I had entered some domain names there in the past, which always worked flawlessly. Recently I changed ISP and since then the domain names are not resolved anymore to IPs, so that the traffic using those aliases gets blocked by the firewall. When resolving the IPs manually via the pfsense logs, it works fine. But for some reason pfsense cannot resolve the domain names inside the aliases anymore. Has anybody got an idea what the fault could be?
>
> Are you manually specifying the ISP resolvers in your config, and is it possible they're still set to the old ISP's config?
>
> Probably a question for the devs: is it possible that lookups for aliases use what's on the general config page rather than anything overridden by PPP/DHCP?
>
> Kind regards,
> Chris

Hi Chris,

Thank you for your time!

Here are some details:
- As long as I was with the old ISP, I had manually specified the DNS server of this provider in pfsense and deactivated the "Allow DNS server list to be overridden by DHCP/PPP on WAN". The reason for this was a bug in 2.0.2 which prevented pfsense from receiving the DNS data from the ISP.
- At some later point I updated to 2.1 and although it has the bug corrected, I left the manually specified DNS IPs in pfsense.
- I then changed to a new ISP. DNS was broken then, because the old provider did not let me use his DNS anymore when not being his customer. I then activated "Allow DNS server list to be overridden by DHCP/PPP on WAN" which fixed DNS again, since I got the DNS IPs from the new provider, too. But since I still had not erased the 2 old IPs from the list, I now had 4 DNS IPs: 2 old-ISP + 2 new-ISP.
- Last I went and erased the 2 IPs from the old ISP, so that I now have an empty list and only "Allow DNS server list to be overridden by DHCP/PPP on WAN" activated. As a result pfsense has only the 2 IPs from the new ISP in the dashboard.
- Everything works fine, pfsense can resolve IPs. Examples: The dashboard says that I am on the latest version (=url is resolved), diagnostics>ping and diagnostics>traceroute work with domain names.

Now:
- The only thing that I have found for now that is not working is the automatic resolve of domain names inside Firewall:Aliases. Since these aliases are used in my firewall rules, I can see blocked traffic in the system logs. When I use the button "Reverse resolve with DNS" on the blocked traffic IP, it resolves the domain names that I have in my aliases.
- As a workaround I am currently entering the IP addresses in my aliases instead of a domain name. This makes my rules work again, but is very error prone, since the IP addresses change frequently. So I need to have the domain names work again somehow.

Any ideas what could be the problem?

Thank you
Thinkerix
Re: [pfSense] Firewall > Aliases: DNS resolving of domains broken
On 14/2/14 3:37 pm, Thinker Rix wrote:
> I had entered some domain names there in the past, which always worked flawlessly. Recently I changed ISP and since then the domain names are not resolved anymore to IPs, so that the traffic using those aliases gets blocked by the firewall. When resolving the IPs manually via the pfsense logs, it works fine. But for some reason pfsense cannot resolve the domain names inside the aliases anymore. Has anybody got an idea what the fault could be?

Are you manually specifying the ISP resolvers in your config, and is it possible they're still set to the old ISP's config?

Probably a question for the devs: is it possible that lookups for aliases use what's on the general config page rather than anything overridden by PPP/DHCP?

Kind regards,
Chris
--
This email is made from 100% recycled electrons