Jump to content
Not connected, Your IP: 18.191.192.109
hbs

AirDNS stopped working unexpectedly after two months of use on pfSense

Recommended Posts

make sure you assign a DNS server to WAN.  and change 10.4.0.1 to the Airvpn tunnel on the  system general page.

 

have you configured  firewall > NAT > outbound correctly?

Share this post


Link to post

AirVPN was set up with the pfsense-Tutorial here in the forum.

 

Hi everyone,

 

Here's what happened.

 

I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides.

 

It worked flawlessly until last Thursday.

 

Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1 wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudfare, you name DNSs and was back online.

(..)

Same Problem here last week.

The unbound DNS-Resolver-Log in pfsense showed this error "info: failed to prime trust anchor -- could not fetch DNSKEY rrset".

After disabling DNSSEC in the DNS-Resolver config of pfsense the DNS-Resolving-issue disappeared. Until today DNS-resolving doesn't work mit DNSSEC enabled on 10.4.0.1.

Share this post


Link to post

I did (I think) what you told me.

 

I have an internet connection again on my lan.

 

But it is leaking DNS. Here's the ipleak.net page. (AFAIK it should only appear there one DNS server)

 

 

Following are two more screenshots of the changes I made.

 

PS: I reboted. Now is leaking ips from my country.

Share this post


Link to post

i don't know the best solution.  but i do have a solution that works for me....   and its not fun

 

under

DHCP Static Mappings for this Interface:   i created static entry's for each of my devices.  then clicked edit and under DNS servers put in 10.4.0.1

 

i would remove the one you added before.  i would have though it would have worked... but i guess not

Share this post


Link to post

 

AirVPN was set up with the pfsense-Tutorial here in the forum.

 

Hi everyone,

 

Here's what happened.

 

I have set up my pfSense Firewall Appliance almost two months ago. Using the pfSense Tutorial that AirVPN provides.

 

It worked flawlessly until last Thursday.

 

Suddenly my pfSense router wasn't transferring data anymore and I went on doing some tweaking and noticed that AirDNS (10.4.0.1 wasn't resolving DNS queries anymore. I replaced it with Google, Cisco, Cloudfare, you name DNSs and was back online.

(..)

Same Problem here last week.

The unbound DNS-Resolver-Log in pfsense showed this error "info: failed to prime trust anchor -- could not fetch DNSKEY rrset".

After disabling DNSSEC in the DNS-Resolver config of pfsense the DNS-Resolving-issue disappeared. Until today DNS-resolving doesn't work mit DNSSEC enabled on 10.4.0.1.

 

This is very interesting.

 

You had the issue about the same time I started to have.

 

Could you please take a screenshot or paste the configuration of your VPN client?

 

Thanks

Share this post


Link to post

This is very interesting.

 

You had the issue about the same time I started to have.

 

Could you please take a screenshot or paste the configuration of your VPN client?

 

Thanks

The config under "Services > DNS Resolver" is exactly the same like the one in step8 of pfsense_fan's tutorial

https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

 

I unchecked DNSSEC and pfsense turned again to resolve DNS with 10.4.0.1 (set up in "System > General Setup: DNS-Servers)

 

for viewing the DNS Resolve log in pfsense log go to: Status > System Logs > DNS Resolver

The support informed me, that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN-DNS-Servers.

Share this post


Link to post

See. I understand. Looks promising.

 

But I have to restore my configuration to make sure I will be the closest from my setttings of last week.

 

I will keep you guys posted.

Share this post


Link to post

Please read the how to for pfsense

 

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0

Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255

Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0

Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up

 

For pfsense it isnt correct dont get routes etc.

 

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

 

 

The only way i get airvpn DNS to work is in the DNS resolver Option (incl. DNSSEC) no forwarding

 

Advanced Option Box: forward-addr: 10.4.0.1

 

System DNS as an Example OpenDNS with no Gateway

Share this post


Link to post

Air4141841

 

On ipleak.net using this configuration, how many DNS servers do you see?

it shows me connected to Airvpn ip  which says Exit, Volans

 

ONE DNS server.   which says Volans

Share this post


Link to post

And i See

 

DNS Addresses - 2 servers

178.162.209.171

Germany

Germany

AirVPN Server (Exit, Serpens)

185.189.112.27

Germany

Germany

AirVPN Server (Exit, Cervantes)

 

Dnsleaktest

 

178.162.209.171 27.112.189.185.in-addr.arpa Leaseweb Deutschland GmbH Germany

185.189.112.27 none UK Web.Solutions Direct Ltd Germany

Share this post


Link to post

 

This is very interesting.

 

You had the issue about the same time I started to have.

 

Could you please take a screenshot or paste the configuration of your VPN client?

 

Thanks

The config under "Services > DNS Resolver" is exactly the same like the one in step8 of pfsense_fan's tutorial

https://airvpn.org/topic/17444-how-to-set-up-pfsense-23-for-airvpn/?do=findComment&comment=40144

 

I unchecked DNSSEC and pfsense turned again to resolve DNS with 10.4.0.1 (set up in "System > General Setup: DNS-Servers)

 

for viewing the DNS Resolve log in pfsense log go to: Status > System Logs > DNS Resolver

The support informed me, that DNSSEC is not implemented and there is no need for DNSSEC enabled for the AirVPN-DNS-Servers.

 

 

After reinstalling my old config I followed these steps. It worked.

 

But there is a catch. If I reboot, my internet connection is lost.

 

Did you reboot after you found this workaround?

 

I had to reinstall the configuration with this workaround to make it work again.

Share this post


Link to post

Please read the how to for pfsense

 

WARNING: this configuration may cache passwords in memory -- use the auth-nocache option to prevent this

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 128.0.0.0 10.14.192.1 128.0.0.0

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 0.0.0.0 10.14.192.1 128.0.0.0

Dec 28 16:53:12 openvpn 33200 ERROR: FreeBSD route add command failed: external program exited with error status: 1

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 96.47.229.58 192.168.1.1 255.255.255.255

Dec 28 16:53:12 openvpn 33200 /usr/local/sbin/ovpn-linkup ovpnc1 1500 1553 10.14.192.252 255.255.255.0 init

Dec 28 16:53:12 openvpn 33200 /sbin/route add -net 10.14.192.0 10.14.192.1 255.255.255.0

Dec 28 16:53:12 openvpn 33200 /sbin/ifconfig ovpnc1 10.14.192.252 10.14.192.1 mtu 1500 netmask 255.255.255.0 up

 

For pfsense it isnt correct dont get routes etc.

 

WARNING: 'cipher' is used inconsistently, local='cipher AES-256-GCM', remote='cipher AES-256-CBC'

 

 

The only way i get airvpn DNS to work is in the DNS resolver Option (incl. DNSSEC) no forwarding

 

Advanced Option Box: forward-addr: 10.4.0.1

 

System DNS as an Example OpenDNS with no Gateway

 

what do you mean by that?

 

Disabling DNS Query Forwarding

Enable Forwarding Mode

Share this post


Link to post

After reinstalling my old config I followed these steps. It worked.

 

But there is a catch. If I reboot, my internet connection is lost.

 

Did you reboot after you found this workaround?

 

I had to reinstall the configuration with this workaround to make it work again.

 

 

 

DNS-Forwarder is disabled: Enable [  ] Enable DNS forwarder is unchecked.

DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you got to restart the DNS-Resolver.

Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

 

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

Share this post


Link to post

Sure i rebooted a few times after that and it worked with dnssec

 

What are your Main DNS in System?

With or without a Gateway?

 

Dont youse 10.4.0.1 for Gateway monitoring!

Share this post


Link to post

 

After reinstalling my old config I followed these steps. It worked.

 

But there is a catch. If I reboot, my internet connection is lost.

 

Did you reboot after you found this workaround?

 

I had to reinstall the configuration with this workaround to make it work again.

 

 

 

DNS-Forwarder is disabled: Enable [  ] Enable DNS forwarder is unchecked.

DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you got to restart the DNS-Resolver.

Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

 

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

 

This is my configuration (DNS Resolver) as of the moment it is working.

 

 

The only thing I did to make this work was unchecking DNSSSEC 

 

and save it. And Apply settings.

 

Do you want me to disable DNS resolver. Then Enable DNS Forwarder?

 

Didn't get that part

Share this post


Link to post

Sure i rebooted a few times after that and it worked with dnssec

 

What are your Main DNS in System?

With or without a Gateway?

 

Dont youse 10.4.0.1 for Gateway monitoring!

 

Share this post


Link to post

DNS resolver is ok

If it works for you it s your choice

 

I have no DNS Query Forwarding

and i have in the Advanced Box some other Option not 127.0.0.1

 

 

Sorry and you dont read my Messages

 

Main DNS Not 10.4.0.1

 

Mine are

 

208.67.222.222

208.67.220.220

Share this post


Link to post

these are mine options

 

Thanks for replying.

 

I tried to use your DNS Resolver custom options for my DNS Resolver but they are ending in error.

 

Could you please, copy and paste it here?

Share this post


Link to post

this thread has made my head hurt bad.

 

i have tried to set mine up the way others are explaining and i can not get it to work.      i guess i am working with a broken Pfsense box as well   

Share this post


Link to post
Air4141841 sorry to hear that.

 

But I assure you. If you follow the pfsense Tutorial from AirVPN it will work.

 

For that, to work you only need to disable DNSSEC like mentioned above.

 

Only that.

 

But you will end up like me. Without the possibility to reboot.

 

I'm waiting to hear what else cr00 can tell us.

Share this post


Link to post

DNS-Forwarder is disabled: Enable [  ] Enable DNS forwarder is unchecked.

DNS-Resolving worked immediately after disabling DNSSEC in the DNS-Resolver-config. After disabling DNSSEC there you got to restart the DNS-Resolver.

Enabling DNSSEC + restarting the DNS-Resolver leads again to the error.

 

In the meantime I restarted the pfsense-box too. With DNSSEC disabled everything is working fine now.

This is my configuration (DNS Resolver) as of the moment it is working.

 

attachicon.gifscreencapture-192-168-0-1-services_unbound-php-2018-12-28-17_30_15.png

 

The only thing I did to make this work was unchecking DNSSSEC 

 

and save it. And Apply settings.

 

Do you want me to disable DNS resolver. Then Enable DNS Forwarder?

 

Didn't get that part

Hi hbs,

maybe I have not expressed myself clearly. sorry for that.

 

My current settings for the

DNS-Resolver (DNS-Resolver activated, DNSSEC disabled) and the

DNS-Forwarder (disabled) are identical to pfsense_fan's tutorial, except the DNSSEC, which in the tutorial ist wrongly enabled.

 

AirVPN support informed me, that there is no need of DNSSEC in case you use the AirVPN-DNS-Servers (a.e. 10.4.0.1).

Under this configuration I have no DNS-Resolving issues.

 

Indead it is strange, that the enabled DNSSEC option was working until last week, although the AirVPN DNS-servers are not configured for DNSSEC.

The support couldn't explain this yet, the tech-support will investigate further.

 

I hope your config is working with these settings now, like my pfsense-box does.

Share this post


Link to post

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.
Note: Your post will require moderator approval before it will be visible.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...
  • Security Check
    Play CAPTCHA Audio
    Refresh Image

×
×
  • Create New...