Regression #14368

closed

Intermittent DNS failures

Added by Doug Miles 11 months ago. Updated 11 months ago.

Status: Duplicate
Priority: Normal
Assignee: -
Category: DNS Resolver
Target version: -
Start date:
Due date:
% Done: 0%
Estimated time:
Plus Target Version:
Release Notes: Default
Affected Version:
Affected Architecture:

Description

When DNS Resolver is set to forwarding mode and "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" is enabled, there are intermittent failures. I can't replicate it on demand, but I've noticed it most on iOS devices, often when opening the App Store and it says it is unable to connect. In the past, it does seem that macOS/iOS tends to cache and hang on to failed DNS resolutions, so maybe that's why I see it more there.

Anyway, this issue is discussed in the posts below:


Related issues

Is duplicate of Bug #14056: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR (Closed, Christian McDonald)

#1

Updated by Doug Miles 11 months ago

This is actually for 23.01

That somehow posted before I had finished typing and checking everything. Here are the links I was trying to paste in:

https://forum.netgate.com/topic/177979/23-01-breaks-dns-resolver-and-pfblocker/23

https://forum.netgate.com/topic/178413/major-dns-bug-23-01-with-quad9-on-ssl

I'm using 1.1.1.2/1.0.0.2 as my upstream DNS servers, with "security.cloudflare-dns.com" for the TLS hostname. 9.9.9.9 is also commonly used in the threads I linked. After a week or so of testing, enabling and disabling "Use SSL/TLS for outgoing DNS Queries to Forwarding Servers" causes and resolves the issue, respectively. First noticed immediately after the upgrade to 23.01.

#2

Updated by Brad Smith 11 months ago

I've noticed the same since 2.7 snapshots for a long time. At first, I suspected my WiFi system but I eventually ruled that out. I too have noticed that iOS devices seem to be worst affected for some reason (maybe something to do with the way they retry DNS requests).

I use 1.1.1.1/1.0.0.1 SSL/TLS

#3

Updated by Jim Pingle 11 months ago

  • Status changed from New to Duplicate

Duplicate of #14056

#4

Updated by Jim Pingle 11 months ago

  • Project changed from pfSense Plus to pfSense
  • Category changed from DNS Resolver to DNS Resolver
  • Affected Plus Version deleted (22.01)

#5

Updated by Jim Pingle 11 months ago

  • Is duplicate of Bug #14056: DNS Resolver experiences intermittent resolution failures with SSL over TLS due to ASLR added