Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Volker Kuhlmann
On Sat 27 Oct 2007 05:00:21 NZDT +1300, Paul M wrote:

> surely it's easier to simply run your own caching resolvers? that way
> you can force a cache flush if you're changing your own DNS.

Nope, not enough. I run pfsense in 2 places (1.0.1 and 1.2beta-some),
with caching dns enabled. Several times a day browsers just give a bogus
"domain doesn't exist". With a particular banking website I have yet to
see a name resolution first time; as it's blowing up in <<1s I conclude
something, somewhere, doesn't even *try* to resolve. An immediate
browser reload is always successful. This with various ISPs'
nameservers.

Volker

-- 
Volker Kuhlmann is list0570 with the domain in header
http://volker.dnsalias.net/ Please do not CC list postings to me.

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Sean Cavanaugh
I try and stay away from ISPs that do that kind of stuff as much as possible 
(even though I use Comcast which got nailed for throttling BitTorrent traffic). 
I know some areas don't have an alternative ISP to dump to. If you are using 
this for a business service then that is something you might be able to get a 
Service Level Agreement worked out with them to unrestrict the ports. Home 
users will pretty much always be boned on that front though.
 
-Sean



> Date: Fri, 26 Oct 2007 17:00:21 +0100
> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Subject: Re: [pfSense Support] DNS Issues with 1.2 RC2
>
> Sean Cavanaugh wrote:
> > I personally use OpenDNS for everything since they're outside of what the
> > ISP handles.
>
> surely it's easier to simply run your own caching resolvers? that way
> you can force a cache flush if you're changing your own DNS.
>
> the only time either your or my strategy fails is when you have an ISP
> like NTL in the UK who do udp:53 hijacking (just like they force all web
> traffic through their proxies, they do similar with DNS!). the only way
> I found round that was to put my own resolver on a public lan at work on
> a different port and hack my local bind9 config to resolve off it!

Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Paul M
Sean Cavanaugh wrote:
> I personally use OpenDNS for everything since they're outside of what the
> ISP handles.

surely it's easier to simply run your own caching resolvers? that way
you can force a cache flush if you're changing your own DNS.

the only time either your or my strategy fails is when you have an ISP
like NTL in the UK who do udp:53 hijacking (just like they force all web
traffic through their proxies, they do similar with DNS!). the only way
I found round that was to put my own resolver on a public lan at work on
a different port and hack my local bind9 config to resolve off it!  




RE: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Sean Cavanaugh
I personally use OpenDNS for everything since they're outside of what the ISP 
handles.
only "downside" is that if it cannot resolve a domain for HTTP, it pulls up 
their search page instead.
 
-Sean




> From: [EMAIL PROTECTED]
> To: support@pfsense.com
> Date: Fri, 26 Oct 2007 09:20:52 -0400
> Subject: Re: [pfSense Support] DNS Issues with 1.2 RC2
>
> I will try this later to see what the result is. Scott's suggestion of using
> a static route worked perfectly. The trouble seemed to come from using OPT1
> and OPT2 DNS servers as the default. The pfsense machine was trying to
> resolve with those DNS servers using the WAN interface. I added entries for
> the LAN section of the firewall rules. This set the correct outbound
> interface for machines on the LAN but did not seem to help the pfsense
> machine itself. If the ISP used on the WAN interface did not have lousy DNS
> servers, I would never have noticed this issue.
>
> Robert
>
> On Friday 26 October 2007 05:36, Paul M wrote:
> > Robert Goley wrote:
> > > based routing. DNS refuses to work. This is because the pfsense machine
> > > can
> >
> > I have no answer for you, but an idea to try.
> >
> > run "tcpdump -l -n -i xxx udp and port 53" on the firewall for each
> > interface xxx in turn whilst trying to resolve and see if any packets
> > are seen.

Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Robert Goley
I will try this later to see what the result is.  Scott's suggestion of using 
a static route worked perfectly.  The trouble seemed to come from using OPT1 
and OPT2 DNS servers as the default.  The pfsense machine was trying to 
resolve with those DNS servers using the WAN interface.  I added entries for 
the LAN section of the firewall rules.  This set the correct outbound 
interface for machines on the LAN but did not seem to help the pfsense 
machine itself.  If the ISP used on the WAN interface did not have lousy DNS 
servers, I would never have noticed this issue.  

Robert

On Friday 26 October 2007 05:36, Paul M wrote:
> Robert Goley wrote:
> > based routing.  DNS refuses to work.  This is because the pfsense machine
> > can
>
> I have no answer for you, but an idea to try.
>
> run "tcpdump -l -n -i xxx udp and port 53" on the firewall for each
> interface xxx in turn whilst trying to resolve and see if any packets
> are seen.



Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-26 Thread Paul M
Robert Goley wrote:
> based routing.  DNS refuses to work.  This is because the pfsense machine can 

I have no answer for you, but an idea to try.

run "tcpdump -l -n -i xxx udp and port 53" on the firewall for each
interface xxx in turn whilst trying to resolve and see if any packets
are seen.







Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-25 Thread Robert Goley
Thanks Scott!  I was using the policybased_multiwan.pdf howto by Daniel 
Solsona.  It does not mention DNS servers or static routes.  It is working 
great now.  Thanks for all of your hard work.  The 1.2 release looks good.

Robert

On Thursday 25 October 2007 16:17, Scott Ullrich wrote:
> On 10/25/07, Robert Goley <[EMAIL PROTECTED]> wrote:
> [snip]
>
> > What am I missing?
>
> Static routes.  See the multi-wan tutorials.
>
> Scott



Re: [pfSense Support] DNS Issues with 1.2 RC2

2007-10-25 Thread Scott Ullrich
On 10/25/07, Robert Goley <[EMAIL PROTECTED]> wrote:
[snip]
> What am I missing?

Static routes.  See the multi-wan tutorials.

Scott




[pfSense Support] DNS Issues with 1.2 RC2

2007-10-25 Thread Robert Goley
I have a multi wan setup with 3 WAN interfaces and 1 LAN.  It is using policy 
based routing.  DNS refuses to work.  This is because the pfsense machine can 
not resolve anything.  The DNS servers are correct.  They are pingable from 
the pfsense machine.  They are accessible from machines on the LAN.  A 
traceroute shows that the pfsense machine is trying to access DNS servers for 
OPT1 and OPT2 using the WAN interface instead.  I set up rules for the LAN 
interface so that all connections to the specific DNS server must go out over 
specific interfaces.  This works for the LAN but does not work for the 
pfsense machine itself.  Can someone provide some insight to this?  Do I 
need to add static routes for these instead of LAN firewall entries?  The 
warnings on the static routes page seem to indicate that I should not.  I am 
sure that others are using multiple DNS servers from multiple ISPs in a 
multi-wan setup.  What am I missing?

Robert  

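As an added example that is not part of the thread: this takes the per-interface output of the `tcpdump -l -n -i xxx udp and port 53` check Paul suggests and flags every upstream DNS server whose queries did not leave on the interface it belongs to, which is the misrouting Robert saw for his OPT1/OPT2 servers. The interface names, server addresses and captured lines are all constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample: what "tcpdump -l -n -i <if> udp and port 53" printed on
# each firewall interface while the firewall itself resolved a name.
# Interface names (em0 = WAN, em1 = OPT1, em2 = OPT2) and addresses are made up.
CAPTURES = {
    "em0": [
        "14:02:11.101 IP 203.0.113.10.51012 > 198.51.100.53.53: 1234+ A? example.com. (29)",
        "14:02:11.102 IP 203.0.113.10.51013 > 192.0.2.53.53: 1235+ A? example.com. (29)",
    ],
    "em1": [],  # nothing seen, although 198.51.100.53 is OPT1's resolver
    "em2": [],  # nothing seen, although 192.0.2.53 is OPT2's resolver
}

# Which interface each upstream DNS server should be reached through
# (constructed mapping of resolver -> its ISP's interface).
EXPECTED_IFACE = {
    "198.51.100.53": "em1",
    "192.0.2.53": "em2",
}

# Matches only outbound queries: an IPv4 destination followed by port 53.
# Replies (source port 53, high destination port) do not match.
QUERY_RE = re.compile(r" IP \S+ > (\d{1,3}(?:\.\d{1,3}){3})\.53: ")


def egress_by_server(captures):
    """Map each DNS server IP to the set of interfaces its queries were seen on."""
    seen = defaultdict(set)
    for iface, lines in captures.items():
        for line in lines:
            m = QUERY_RE.search(line)
            if m:
                seen[m.group(1)].add(iface)
    return seen


def misrouted_servers(captures, expected):
    """Return {server: (expected_iface, observed_ifaces)} for every server whose
    queries were not seen on the interface it should use."""
    seen = egress_by_server(captures)
    bad = {}
    for server, want in expected.items():
        got = seen.get(server, set())
        if want not in got:
            bad[server] = (want, sorted(got))
    return bad


if __name__ == "__main__":
    for srv, (want, got) in misrouted_servers(CAPTURES, EXPECTED_IFACE).items():
        print(f"{srv}: expected via {want}, queries seen on {got or 'no interface'}")
```

With the constructed capture both OPT resolvers are reported as leaving on em0, the WAN, which is the symptom the static-route fix in the thread addresses.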